2021 CISSP Exam Changes Myth and Facts - Recorded Webinar

Captions
this conference well now so to be here now talking about an exam that emphasizes all that csp stuff life is crazy y'all but just to begin this presentation i'd like to ask both prob and prashant to quickly turn off your speakers so you can't hear what i'm going to say next because i just want i just want to talk to the audience personally at a one-on-one level so if you guys can just close your ears and just not hear what i'm about to say take out your headphones whatever you need to do real quick this is just between me and the audience if you don't mind everyone you are in the presence of two people who define greatness while working together and getting this presentation ready i witnessed firsthand how they work at a professional level we got together we brainstormed ideas we talked about what questions to address how long the webinar should be what should be the structure the flow what we can say and do to truly provide the audience what they are looking for we're in different time zones i am in east coast florida time and they are in india standard time so when i'm waking up nice and fully rested these guys are just getting done with their professional work day and then jumping on a call very late in the evening they they never wavered for even one second professional you you have prob who who's there since day one with me when i started the facebook group in 2014 he is easily a part of the history of the study nelson theory cisp exam preparation facebook group and and i apologize he's not with me he's his own entity and his own powerful force in this industry he is an executive by day at infosec train he's not just a cisp instructor he's got employees he's got students he's got commerce to engage with daily he's got marketing teams that he has to oversee he's hiring people he's firing people and throughout all that prob is still working and making csp content like he's just started doing this thing and and prashant the quiet professional that he is i mean you 
don't need an inspiration you you are it and and prashanth the the quiet professional that he is he must have ice water running down his veins because i've never seen him stressed or nervous he has always had a positive attitude no matter the situation if if if you've watched his interviews or also being interviewed the guy is cool calm and but deep down he is i know he is a terrifyingly calculated csb assassin just remember he is the author of the memory palace as as prob said a free cisp document that i can personally attest took him months of hard work multiple edits and even to this day he edits the edits the book and in the middle of that as prop said again he wrote a pdf book called cirrus for the cc sp exam if you flip through the pages of those books it's just sometimes hard to imagine the amount of work that has gone into it and he's not just copying and pasting everything written are his original words it's a tremendous amount of dedication that prashan has provided out of no self-interest of his own to the information security sector all right but don't don't tell him i said all this i don't i don't i don't need them feeling too confident in in their work habits okay these two guys they'll be known as two of the greatest csb instructors to have ever lived all right guys you can uh you can stop list you can start listening now i'm i'm done talking i'm done talking though can you guys hear me again okay thanks thanks uh for this but uh we are not that much uh known for this the because we got our name we got i personally got my identification from the same group what we have is the ssp example and i believe prashanth and me got associated in the same group so you are the web of trust for us if i if i apply the cssp [Music] concept well and and here's the here's the thing right guys like just getting the css it's it well you guys having the cisp and everyone listening who has the cisp are getting it it's not about having that after your name or the paper i 
know that prob has a csp i know that prashan is a csp and this this way i know what they went through the dedication the discipline so i know that when i work with them they're going to have the same professionalism and discipline i know that because they they went through the same thing we did that that's what it really means right like you guys understand like that's that's what it really means everyone is here to have their questions answered about this most difficult and complex and confusing exam you aren't sure if you should buy the new books you aren't sure if you can still study the old books you may be very nervous about all the new cisp exam topics and most importantly of all you just want a little guidance and reassurance as whether you are prepared enough to take the exam now or wait to take the new exam these are all valid questions that prab prashan and i the triumvirate we understand that completely we've been where you've been and i remember props saying that you know he's took his exam more than once he had to and i remember prashant saying he's never wants to undergo the experience of the csp ever again we get what you're going through but let me say this you are taking right yeah you're playing it right now again this year yes yes amazing uh because i can see the difference in the change in 2015 and 2021 so i'm sure i'm going to write this exam this year again prashant and i will watch you from afar yeah we're not we're not taking that again uh so you guys are in the information security field you are already working in a difficult sector of information technology nothing is easy about what you do and as i've always said you should be proud of everything you have done so far including taking the time out of your lives to attend this webinar you should be proud even if you haven't taken the exam or if you've taken the exam and didn't pass the first time or if you want to take it again just think about the end goal one five or ten years from now 
it's not about a job or a higher salary or for those who i feel unfortunate for who has who's being forced by their employer to take the cisp so it kind of you know makes them look good or you have an underlying threat that if you don't get the cisp you won't have a job anymore these these are all temporary temporary problems temporary solution temporary issues the real goal is to build a discipline for from the csp that's going to stay with you forever focus on the long-term achievement and not the short-term difficulties because you will overcome all obstacles and you will overcome all difficulties just because you're attending this webinar and trying to learn more about a exam that barely any of our family or friends know right it's it's not it's not the end like this is this is not the end oh i took the exam and you're done it's it's the beginning and when when you want to accomplish it so bad and you want your dreams so badly you can't let anything get in your way not even these recent changes that will occur to the exam in may 2021 just a little bit more difficult in your lives is not going to discourage you at all because i know you have ruthless ambition and razor sharp cisp instincts just to get the job done whether in march in april or may or or beyond as as i usually state nobody in this group is going to help you accept you you are the best resource that you're going to have and i'll tell you the truth about these exam changes nothing is drastic is going to change um not since when the exam changed from 250 questions to the cat style or condensing the eight domains or the ten domains to the eight domains or the last exam update in in 2018 the same questions always come up from future cisps new books or no can i study the old books is the exam focus going to shift should i wait or take it later so by the end of this video i hope you feel a lot better and comfortable to march forward and take the exam equipped with the newfound knowledge and again there's 
not a lot of changes i'll we'll explain all that as we progress along okay so if uh if proven prashant give me the green light we can begin he did yep yep yep we can go ahead okay can we still use our old csp books the answer is yes a hundred percent you can and you should even if you also buy the newer books i'll explain that statement uh later on uh just look at all these look at all these csv books some of these are 500 to a thousand pages long i'm sure everyone is more than familiar with all these books let me let me ask you that especially that orange one right guys you guys you guys know what that orange one is right right right let me ask you this what industry or certification have you seen where books this large this voluminous have been written then in one or three years those books were completely obsolete and new ones are written for a completely new exam none that i can think of i was uh i was studying for my ccna last year and i was still using the old ccna books from 2014 to learn and refresh myself about about ospf bgp and and routing in general those kinds of things suddenly don't just drastically change so for the csp exam let me show you something else some some hard evidence of what we're talking about with this question of using old csv books everybody likes uh evidence when proving a point right i mean without some sort of hard undeniable evidence in this webinar then we're just some guys expressing their opinion we're just some guy making a csp video with absolutely no evidence of what we're talking about and that's not going to fly with you guys the triumvirate has to prove ourselves and we know we can't just go by our names alone we're going to show you some facts to better help you make a judgment on what to do for the may 2021 exam and we're going to do that by using a comparison of three different cisp books all written years apart from each other and during a time when the csv exam has undergone multiple changes we're going to look at 
the sean harris third edition the sean harris 7th edition and the sean harris 8th edition i hope to show you through these books that any changes to the csv books are slight if there are any over over these years this is the uh this is the third edition sean harris book right now we are on the 8th edition so this book is from the year 2000 2005. that's uh that's how many years ago um let's see my math is not my strongest skill so bear with me here uh it's 20 21 now and this book is from 2005. i have trouble subtracting from odd numbers so i'll just pretend it's 20 20 still so 20 20 minus 2005 that's 15 and then add one more and for 20 20 16 years this book is 16 years old can you guys confirm my math that's correct right it's very difficult for me very difficult that's correct that's quantitative risk this is country you've got quantitative gotcha i i i think i need a calculator but i'm glad you guys are here i'm glad you guys are here uh so check out this process about developing a business continuity plan from the third edition sean harris all-in-one csp book it has seven blocks filled with quick bullet points of some of the components of each step of the bcp drp plan standard stuff right we start with a plan statement continue to the business impact analysis then identify recovery controls then move to test the bcp drp plan and then finally maintain the bcp drp these are the general steps of the bcp drp in in any book i always get the question from members about what are the official steps of the bcp drp or the sdlc or change management or configuration management and the answer is there are no official steps just get to know the general steps and you'll be fine okay everyone sees this image and absorbed it into their memory right just like you're absorbing everything else into your memory while studying seven boxes seven general steps of the bcp drp in the all-in-one sean harris third edition book from 16 years ago now let's take a look at to see if the same 
image exists on the seventh edition of the sean harris book now we're leaping past four previous editions this is the seventh edition and take a look same image same text just about right it's the same thing the third edition and the seventh edition have no general or drastic differences and these two books are four editions apart within a span of around a decade i mean the the first block says continuity plan statement in the previous third edition and on the seventh edition it says continuation policy that's that's pretty much it very slight almost unnoticeable change these changes aren't going to rock the very foundation of the cisp exam in may 2021 it's it's just not so at this point what do you think is going to happen when we look at the 8th edition 8th edition book the same graphic exists through all three books if you and if you really notice there aren't really any differences you will find more things that are the same than those that are different so in conclusion to everyone who's who's wondering can you use the old books feel free to use your old csp books they are still relevant i mean i'm i'm reading a uh investment book written in the 1970s and it still holds the same concepts of how to invest today and this isn't just some book that i'm reading this is a book that the greatest disciple of this book was warren buffett the the billionaire investor aside from some notables about how inflation should offset purchasing bonds versus continuing to invest in common stocks this book is pretty solid for investing even today and i'll get to why i'm even talking about this here's what must be understood and this will help you for the exam as well concepts and fundamental knowledge do not change quickly methods and strategies for business continuity and disaster recovery is not going to suddenly and drastically change every three years which by the way uh every three years is when the csp exam is updated so if the new changes are this year in 2021 and the next 
changes are uh oh math uh so if the new change if it's the year 2021 and the changes are every three years let's see i'm gonna pretend it's 2020 at 3 20 23 plus 1 24. the next changes are in 20 24 if you guys can verify my math one more time pretty sure that's right so correct okay good great 2024 i think i got that right so the fundamental concepts of bcpdrp software development lifecycle incident response data classification network security they're not going to change to a completely different way of doing things every three years personally if they did uh proven i and prashant would be out of business that we just we would have to redo everything so it's not going to happen it didn't happen i would like to add here one more important thing when it comes to bcp and risk management even today the cbk fourth edition of adam cbk fourth edition green book they have a fifth fifth edition also which is a cbk but still that cbk fourth edition of 2015 still it is used for a 2018 to 22 device labels so by end of the day bcp risk management is a common topic which is testable from last 12 years so it doesn't matter like you know version is change but by end of the day the base of cssp which is called as a security and risk management and bcp which is driven by the cia it is always there in the exam no matter they change anything and they found the content of cbk fourth edition is better than fifth edition even the cybex and i have seen people who cleared the exam even based on fourth edition which is published in 2015 2016. 
i'll i'll definitely thank you that was that was awesome prop great insight i'll agree with you there i i like the fourth edition better than the fifth edition for sure so if you know if as prob said these things stay the same if they changed it would make this investing book useless too and let me let me let me explain that because the stock market heavily depends on the stability of the big tech companies the dow jones s p 500 are reflected of big tech like apple and microsoft and google if the security concepts that we're studying and the security concept of those tech companies changed every three years then they're gonna have to make spend a lot of money internally not to mention the risk of continuously changing their security infrastructure and posture they may not bring in as much revenue as they do now their stock will go down and the stock market itself will retreat back thousands of points big changes in big tech that cost money to accomplish could make the stock market as a whole fall back because companies and their value and their stock price are driven by not only their earnings but also the money they have to spend on operating expenses and and if there are big security changes every three years then these companies are going to be spending more and bringing in less revenue this will in turn have an impact on the us and global stock market it's all a long about way to say that you can still use your old csp books the us economy actually demands in a way in a deep level that csb exam constants remain remain the same with any changes being slight it's just more cost effective that way the evolution of security technology and conducting business business does not change slowly it takes decades even generations to the point that if you want to notice a change you will have to either be just born or on the verge of retiring sure the technology that we're learning about today is not going to be the security that our kids will learn but the underlying 
fundamental will will most likely stay the same and it is those pieces of fundamental security knowledge which we have to learn for the cisp exam because those concepts are not going to change feel free to use your current books but you know make sure they're not from you know three editions back or something like that at least try to be current with the latest editions of each book and uh prague pointed out the other day the new books aren't even available right prob actually um this is what the comparison uh in 2025 2015 uh in 2018 when the syllabus was changed the book was actually introduced in 2019 so i'm not sure like if there's a change in the slaves like we have a change in slavers from 2021 may we are expecting the book to be arrived i believe by august or september this is what pattern we have seen in past 10 years so i'm sure the la the old book like cybex or instructor edition or cbk will still be valid yeah otherwise there'll be a rush for all these authors to release it before may i don't see any kind of rush it's still the same now you can see 2018 when the syllabus was changed still people were using the cbk fourth edition for the six months so seven months and the cbk fifth edition was introduced in 2019 so even after one year of the launch the book was there but from the ic square the cybex was already launched so i'm expecting like this is what i see in the pattern from last 10 years so i believe this is the same pattern we can see this here also so still the old book is still valid i believe wow 10 years you've been doing this prob nice wow okay uh 10 years of knowledge right there um let's take a look at the next most common question which we kind of already just went over do we have to buy the new books whenever they come out uh because we don't want to tell you how to spend your money this is a personal decision but i think most people would be better off with the new books if they can afford to get them i mean you know these these books 
aren't cheap uh they're cybex the sean harris i think they break like 40 or 50 or something like that it it's a it's a lot of money i don't care what part of the world you live in you could be a wealthy businessman from singapore or a system administrator from bangalore or a full-time developer in paris fifty dollars is a lot of money for an information security book if you can afford it go for it otherwise you should be okay with the old books as we as we just said but let us let us give you some pro pros and cons of each and you can decide some pros uh reading the old books even after you buy the new books is a good way to see how the old things were done and how the new way is currently being done observing the evolution of a technology as it overtakes each of its advancements of its predecessors is a fantastic learning tool that's the reason why the cryptography chapter of security of domain three security engineering goes into the history of cryptography caesar cipher cyto cipher one time pad alan turing world war ii stuff it's important and to understand the history of cryptography in order to understand the future of it with topics like quantum computing or artificial intelligence right to understand the new cisp exam topics it really helps to know the old topics that's also really the mark of a security professional if you know the current trend but also if you know why the current trend is the current trend and why it's no longer the older trend okay if you have your old books and the new editions of them read them both ju just to see how they compare just to just to note the differences it's it's a good thing another good thing about using our old books is that suppose we have the 8th edition sean harris book right that's in your possession and after the start of the new exam the ninth edition comes out in a few months and it talks about how it will address all the new topics and you're like well gee all i have is the eighth edition and my financial 
situation isn't really making it possible for me to buy the ninth edition or where i live the book isn't even supposed to be released yet in this situation what it does to make the future certified information system security professional do is become more resourceful and trust me as a security professional your organization's not going to spend money on what you want all the time you are going to have to be resourceful at some point and in turn if you save the company money the organization may even reward you for being resourceful so if you have the old books and are unable to get the new books you are now armed with two things the old books and the knowledge that there are new topics in the new book even though you don't have the new book in your possession prashant do you want to go into how to be more resourceful for with the cisp just to just to make sure that what you can do if you don't have the books absolutely thank you luke so it is very important because right now we don't know we might not have an insight from where we have to pick up the topics because they are not covered into cybex or sean harris or cbk where exactly we're gonna pick it up so number one internet is the wonderful resource whatever the topic first of all try to figure try to download the examination outline to identify what is the delta what is the change that we're going to expect in 2021 have an underlying topic and probably we're going to share the presentation uh later on the recording of it and you would be able to have a complete list of the delta that we have figured out try to pick up the topics and try to do a bit of research on internet it is going to be really useful to look out for the references from nist because nist normally publishes uh the various uh special publications on let's say zero trust or privacy by design or something like that another thing is going to come really handy is your experience a lot of organizations are shifting towards these latest technologies 
which are being included in in the cssp uh 2021. so for example containers most of the organizations are moving towards the operating system virtualization which is containers so we in case someone has a real hands-on practice on identifying the security issues related to containers that will be really resourceful or try to find out the free matrices like a csa cloud security alliance version 4 has a complete insight on containers or b like zero trust architecture zero trust has been a new buzzword although it has been into the industry for more than a decade now but you can easily find out a complete special publication from nist and there are various white papers which have been published by multiple organizations on zero trust so we have the knowledge of the in abundance everywhere we just have to pick the right one which suits best for us just like find out uh any kind of a video on youtube a lot of people might not be able to have an interpretation uh by reading the things they would understand much better in an audio and visual way so youtube is a best friend so we have plenty of resources around pick up the topic try to search on the internet and you will be given multiple resources because like we always know we need to understand cssp at a very high level right what exactly we need to understand from a management perspective so understanding the basics would be just good enough to get a context of what exactly could be relevant from the examination perspective i would like to add one point here like you know there is a lot of hype regarding you know shall we go for the exam after may and all that you will be surprised to know that if you go by the domain one of the news labels there's no change if you actually review the course outline there is no change in the domain one so actually you can preshan it is i personally believe the major changes happen in the domain three okay and some part of a domain seven which is part of your next slide so and always 
remember one thing security and risk management is a driving factor for any cssp exam if you talk about cssp sslp which i personally experience or isap exam security and risk management is always a base for all the domains so if you can see the domain one itself there's no change there's no change in the domain one so you can able to relate the logic now question is why cs why ic square change this labels definitely as a part of code effect code of ethics if you can if you apply code of ethics or canon of ic square the fourth can we say that the person must be up to date with the new knowledge right prashanth luke the fourth of the ic square say that the person must be up to date with the new topics and for that reason only ic square has update the course outline because they have to now after co-wait people are working from home there's no respect for privacy there's no respect for compliance definitely bcp will be the testable topic because that post covet impact going to be assessed by the security consultant and that will be testable in the cssp exam so this is how the cssp exam basically test your thought process test your risk advisory skills and all that so i personally believe there is a hype we just created and based on that we just driving all this you know elements and everything over to you guys you guys heard that right prop said and you know we've looked over the syllabus our only resource to know what are the new topics is only provided by the isu squared syllabus there's not really anything else because that's all we really have to go by no major changes in domain one and domain one is the most important domain because everything done in domain one the policies the standards the baselines the the procedures all of these dictate how the rest of the domains will go so there's and that's a great thing that there's no changes in domain one because that means the fundamentals haven't changed and you guys heard what prashant said right that was very very 
uh insightful in that that if if there's a new topic that's called containerization don't spend your whole day trying to learn about containerization when the real knowledge comes from knowing the high level methods of applying and using containerization the risk involved the counter measures the vulnerabilities that's what you're supposed to really learn you got guys like me prob prashant thor wence wu joe barnes and others who are always scouring the web or anything else to see and figure out what the new csp topics are and i've said it before there has never been a better time to pass your cisp exam than now there are more books more practice questions more csv instructors around to help you and i'll keep it real with all of you too yeah we do it to keep everyone informed but as csb instructors sometimes we also want to be the first to give it to you plain and simple you can call it greed pride honor is trying to be the first to get it out there with trying to be the first to market and i think sometimes that's when we make an error and hype it up so much as props said that everyone expects these grand changes when when you actually look at it it's not that it's not that much i find myself doing that too but over the years doing the cisp thing i found it's just best to wait until all the information is out instead of just pushing out the preliminary information you as a future cisp we'll find the information on the new csp topics even without buying the new edition book you will find it due to your own ingenuity and resourcefulness because you aren't leaving anything to chance you aren't leaving any stone unturned on your journey to pass this high level and expensive exam okay so even if you're unable to buy the new edition books you should be okay with the old one given that it's not really old editions quite yet and any new topic you want to learn more about people like us will provide the information over the internet over the course of time trust trust us 
and for cons can't really think of any cons except for fear of missing out if you have the type of personality that just has to know everything or know that you just can't take it if you don't get the new books then by all means get the new book when it comes out don't put on added stress to an already stressful time if you're going to be crushed under the weight of your own curiosity get the new book don't do that to yourself all right that uh that parlays into our next question which is probably why everyone's attending this webinar what are the new topics of the 2021 csb exam if you cannot again if you cannot afford to buy the new books then prop prashan and i will always be here to provide you the topics as we learn them but as for now these are the ones that we have seen and we're not going to go over all of them because again we don't know everything about them and this webinar would take eight hours to go through everything but here is just a good section that you can screenshot or will provide the list prashant talked about containerization some of the very new topics that pops out right away are something called serverless no idea what that means i gotta learn it containerization no idea what that means to me i gotta learn it prashant might have more insight zero trust privacy by design cloud access security broker i think that's what it's called casb um there are some things you might see here that you've said hey i've been through my books i i know what that is uh and that's that's fine because scanning the 2018 syllabus and the 2019 syllabus i noticed that some things were on the old syllabus that are not on a new syllabus or some things were not on the old syllabus but are now in the new syllabus even though they're in our old books which means that there may have been there is now more emphasis on uh on those topics now there may have been lower emphasis topics before but now they have more emphasize now you to know more about compliance checks now 
you have to know more about risk-based access control or more about continuous delivery these are all these are all customer revenue oriented processes and topics well uh prob's gonna post this uh posters uh webinar on youtube and maybe in the bottom of the description um what do you say on youtube uh the link is in text is in the description or or or smash that smash that plus or smash that subscribe button smash that like button the smash smash everybody wants us to smash every button these days you know anything for a hit anything for a like a comment a follow whatever happened to a handshake either way we'll we'll post these lit we'll probably post the list in the description of the new topics if you if you guys need it do you guys have any to add about the new topics at all no i think it is wonderful it uh it might look honestly it might look a lot but it isn't you would see like uh the convergence protocol like fiber channel over ethernet or iscsi or wipe these all are the topics which have already been discussed in cybex i guess from 2015 it's just they are now being tested uh or probably they will be included as per the new examination outline okay so you have already have like sas static application security testing dashed or software uh defined security or impact of a quiet software these are the topics which have already been there in your textbooks right so just if they have been included in your a new examination offline it is it is not a much of a change so it might look like uh more in terms of a quantity it is just not uh honestly it is not a big bigger of a change so you guys can just uh need to just uh get rid of that fear in case if you have any what do you guys think is the thinking of the isc squared and adding topics that were already there but they're not in the but they're not in the textbook of the syllabus basically what i'm asking is what do you guys think that why are there some topics that no matter how much you study you're never going 
to see? Or why do they switch around the topics, even though they're old and new topics? Do you have any insight into that? I think there are high-level discussions going on where they make one small change and then call that a giant change as it echoes through all the rest of the exams. I just don't know why.

Right, yes, it's true, and I got some kind of insight: the way they are not testing the Orange Book or ITSEC, these are the ones which have been made obsolete. Eventually they might even... so DES is something no one uses; it's just important to know the foundational concept of DES because it was one of the first algorithms of modern cryptography. So yes, we might need to know it, but again, who knows, they might not test on these things in future. So because it is important, and as we know the (ISC)² code of ethics says to advance and protect the knowledge, it is very important that we keep ourselves on the edge of the knowledge, making sure that we learn everything, because technology is ever evolving, and it is evolving as we speak. So we need to make sure that we learn the new stuff which is coming in and take the foundational knowledge from something which has been a historical part of it.

I would like to add a point here, an example from the new topics we have: Li-Fi. I don't know how many of you are aware of this topic. Li-Fi is basically a new concept of wireless connections; it is the extension of Wi-Fi. So this is the example: right now we are talking about more internet, we're talking about internet services now available in every house. In every house the internet is there, but today 99% of services are running on the internet and we are expecting good speed, but it comes with several security elements. So Li-Fi is basically the extension of Wi-Fi, and that's why (ISC)² is
expecting that the person must be good in the understanding of Li-Fi and its associated security. So this is how things are coming. Now let's take another example, the Orange Book. Now the Orange Book is limited to the US, but Common Criteria is a globally accepted standard, right? Come on, a country like India, Bangladesh, Pakistan, or Europe, anything, they will not accept any product which is certified by another country's US military standard or any military standard. So the emergence of a standard which is on a global level, like Common Criteria and other things, definitely that will be testable in the exam, because now the CISSP is changing the mindset, not from a US-centric standard but more from a global perspective. That is why they are now talking about the CSA, which is a European parameter, then GDPR, again Europe; they are definitely going towards the CCPA, which is the California privacy act. But now what I understood, the pattern of CISSP has now become more global-centric instead of only US-centric. That is why now you can see the topics are more like global-level topics, not US-centric and all that. This is my observation regarding the Orange Book and Common Criteria; correct me if I'm wrong.

No, that's absolutely right. We always get asked, "Do we have to know the US laws? Do we have to know the US standards?" and the answer is, you know, the CISSP is an international exam, so US laws are not going to apply everywhere else. The only thing important to learn is why those laws were created, for what purpose, and what security check they are trying to solve and prevent. Just to add on Li-Fi: Zigbee, if anybody is wondering, is a personal area network wireless network. It can be used for the Internet of Things. So that's a protocol; the Internet of Things can use the internet, but if you have a personal area network, the protocol to use is
Zigbee. So that's what Zigbee is, and that was in the old book; this isn't a new topic. I know that because I made a video on it, so I specifically remember Zigbee, because first of all it's fun to say Zigbee, and I know it's an old, old name. It's not new, but it's in the syllabus now; it wasn't in the 2018 syllabus but it's in the 2019 syllabus, even though it's an old topic. So you've got things like this going on being confusing, and people think there's going to be a lot of changes, but there's not. The one that I am really excited to learn about is breach attack simulations, which means what do you do from beginning to end. So that's incident... I'm thinking that's hardcore incident response right there: what to do in the event of ransomware from beginning to end.

If everybody's good with this screen, I'm going to go on to the next question: is it a completely different exam? The short answer is no. It is still the CAT exam, the computer adaptive test, for which you have three hours and probably a maximum of 150 questions. You can go all the way up to 150 questions, but if the CAT algorithm determines you have shown what it takes to be a CISSP it may even stop you at a hundred. Your user experience may vary, of course.

And another question is, will the exam be more technical? A question that many are painfully wishing is a solid no: is the new May 2021 exam going to be more technical than high-level? The answer is we don't know. Nobody knows the contents of the real CISSP exam, and even if they do, they're not allowed to talk about it due to the NDA. So if you hear anyone talking about the details of the exam and what questions or what type of questions are on there, then be your high-grade, full-of-integrity security professional self and extract yourself out of that conversation and change the subject, or, if you do what I do, just tell them this discussion should not be taking place. Don't allow your integrity to waver for even a second, no matter the circumstances. We are security professionals;
we can't give in even a little bit, not even an edge of complacency when it comes to our integrity, because if we do that then it's all over; then you can't trust anyone anymore, and we'll just live in a world where we're suspicious of everyone. You can make a difference just by maintaining your integrity, and sooner or later someone is going to see that you are a professional and they want to be just like you: someone honest, vigilant, unwavering in their commitment to this profession. And sooner or later the whole world will be filled with nothing but professionals.

So is the new exam going to be more technical than high-level? I'll also just say this: the syllabus has shown more technical topics to understand, that is for sure, things like Kerberos exploitation, containerization, pass-the-hash; all the technical elements are there. But does that mean the new exam is going to be all-around more technical? (ISC)² still calls the CISSP a certification for security practitioners, managers and executives; that's a direct quote from their website. It doesn't say anything about the exam for network security engineers, security architects or software programmers. It's a high-level exam. And I'll say one more thing: you will have to know the technical knowledge, especially from Domain 4, network security. Not that you will be specifically tested on the minutiae of technology, but you may need to understand the technology in the context of the question to choose the correct answer. Like someone's talking about OSPF... oh, that's a bad idea, that's not a good example. If the questions talk about VLANs, you've got to know what a VLAN is to even understand the question, much less the choices. You see what I'm saying? You need to know the technical terminology in order to choose the high-level answer.

Okay, let's look at the next question, which is reschedule or take the exam. This requires a
thorough understanding of not just where you are as far as your studies, but where you are in your life. Let's take a look at each month as we run up to May, and we can just break down some ways to come up with your decision to take the exam soon or delay it until May.

March checklist. This is really the time that a hard and confident decision has to be made on your part. You are either going to take it soon or you're going to wait until after May; there are no other choices. But here are just some of our checks to see if you should take it before the new exam or later: you have read the Sybex three times cover to cover; you've read the Shon Harris one time cover to cover; you have taken a minimum of three thousand to five thousand practice questions; you have an extensive resource of PDF notes, most notably the Memory Palace; and you've watched a minimum of 40 hours of CISSP videos. Do you guys have anything to add to this checklist?

Yeah, the chords... there are two videos: if you guys are planning to write this exam in the month of March or April, I would recommend you review my two videos which I created on chords, one on the chords topic and one on the courts questions. It is highly recommended. It's not that I'm endorsing my own video, but I got very good feedback about the responses to the videos from the participants who wrote the exam. So SOC type, and courts, and courts questions, these three videos you must review before going for your exam. Definitely it will save your hundred dollars.

Yeah, definitely don't take an expensive practice exam, which is what happens if you fail the first time. No, if you're taking the Larry Think Like a Manager question bank a week before the exam, you will save your 700 dollars, I'm sure, because that book will basically change the mindset, how to think like a manager in the real exam. Larry Greenblatt, let's
just give him a good shout out. And another one, Larry Greenblatt: these two videos... the Larry Greenblatt video is also very important, because that video is giving you the idea about how to eliminate the options and all that. And a week before the exam, Think Like a Manager, the Luke Ahmed book.

Did you mean Kelly or Larry earlier, Prabh? Both, actually. Sounds good.

And of course, if you're tired, exhausted and just ready to do this, just take it in March.

But one thing I would like to add here is, I have a couple of folks who didn't even read the book; they just went through the sessions and Prashant Mohan's Memory Palace and Luke Ahmed's Think Like a Manager, and they still cleared the exam in a month. So the Think Like a Manager and Prashant's Memory Palace I found better than the actual book of Sybex or whatever, because they are to the point. This is the feedback I am talking about, so I really appreciate Prashant for his work toward the Memory Palace.

Me too. And given all that, a lot of good experience is required beforehand, you know, to take on the exam, and getting your due diligence as well. In the month of April it's the same as March but with more intensity: everything that I listed in March you have to do, but with much more intensity, if you want to take it in April. Let me say this: if your whole life for the last few months, from waking moment to sleeping late at night, if the CISSP has been your entire life for months, then book that exam before May and don't waste all that effort. Just do it. If you feel like you're halfway done and you could use some more practice questions to boost yourself from 3,000 questions to at least 5,000, hold off on the exam, take it after May; this way you can account for all the new topics while also studying the topics you still have not gotten to yet. And in May it's show time, it's zero hour, crossing the Rubicon; you've got to take the exam. But instead of us telling you what to do, I just, you
know, Prashant, Prabh, if you guys had not taken the exam and it's now March, and you've done everything you can, what would you guys do at this point? Would you wait for the new exam or would you take it right away?

Can I go first? Okay, thank you. Well honestly, there are a lot of things, and a lot of things happen psychologically as well: what is something that I'm going to get new on May 1st, right? And I'm personally a kind of person who does not like a lot of change happening around my life. So I would say that if I've spent a quality amount of time in learning things, taking a lot of practice questions, identifying where I'm actually lagging, what my weak areas are that need to be refreshed, and done all the recommended things that people do or suggest, I'm not going to wait till May 1st to take my call. I'm going to do it well before May 1st and give it my shot. Prabh, what about you?

I personally feel that this is just a reason we are giving for giving or not giving this exam. Example: if a person is preparing from the last one year, I don't know what change it's going to bring after introducing the new syllabus. Correct me if I'm wrong, Prashant, Luke. If I'm preparing from the last six months and I'm just giving a reason to myself, "yes, in May the exam is going to change, and after that I'm going to do it," I don't think that will have much impact. I will take a risk, because I spent my six to seven months; why should I basically go and revalidate all the topics again and then write in the month of May?

You nailed the psychological impact on that one. Sorry to interrupt. True, you nailed the psychological impact on that. It's just another excuse, right? Just another excuse to put this off and not take it at all.

I personally feel 40 days with a concrete plan is enough. Start with the Sybex or CBK, whatever you have. So far today is 19 February; if you even book the exam
for April 25 or 26, whatever, okay, from today onwards you use Sybex, then cover the Destination Certification videos, Think Like a Manager a week before the exam, Memory Palace to the point, cut to the gut, you know, every day two hours, that is enough. But the problem is that we heard from someone, "yes, I spent my six months, seven months," and that basically creates some kind of fear: okay, this guy has spent six months, I have to spend the same. Everyone has their own way of preparation, so that is the thing. So it is my suggestion: if I were there, I would definitely write this exam before the exam change. Over to you.

Golden insight, Prabh, golden insight. You know, that shows Prabh's experience in the CISSP game; he's seen it all, he has seen and answered it all.

You guys want to go over some CISSP practice questions? Everybody loves doing that, right? Can't get enough practice questions. Let's go over this one. I'll do one and then, Prashant, how about you do one right after that? We'll make it quick; we've already had 54 minutes here, I don't want to keep people too long. Sure.

Okay, which choice encompasses the ability to reduce the time a malicious insider has to gain access to privileged accounts? Is it (A) timed privilege elevation, (B) brokered access, (C) on-demand accounts, or (D) just-in-time access? What is the answer to this CISSP practice question? Need a response in the chat box.

Wait, did you leak this question? No, I created this question and I did post it on Facebook a couple of months back. Everybody's saying D. Yep, that's fine; that means people have been listening and know what they're talking about. That actually makes me happy that everybody got it right. The correct answer is D, just-in-time access. It encompasses all the other choices: choices A, B and C are forms of just-in-time access, and just coincidentally just-in-time access is also a new topic in the May 2021 (ISC)² CISSP exam. It is our obligation as CISSP instructors
to provide a practice question regarding the new edition. What is JIT? It's elevating the access privileges of a user for a specific period of time, as in you don't get access to the file server all the time; you only get it when you need it. It's a pretty neat idea. Say a client dropped a file for you on the network shared location and you needed to retrieve it. With regular standing access you can access it any time, right? The downside is that if your computer is compromised, the attacker can act at any time as well. With just-in-time access, an attacker would have to specifically carry out a lateral move to the file server after compromise, and for example only between 3 pm and 5 pm. A compromise is still possible, but wow, it reduces the chances greatly. I find it an amazing security procedure, that you only get access for the amount of time that you need it for, not all the time. It seems obvious now, but we haven't been doing that for the last 10 years. Information security innovators are so smart; I'm so proud to be in this industry, around such brilliance.

For timed privilege elevation: it is a form of just-in-time access which increases a user's privileges and rights for a given time, and they are removed when that time is over. Say you'll get the files from 3 pm to 5 pm; I said that in the original just-in-time access explanation, but this is the specific form, the application of that time between 3 pm and 5 pm. For choice B, brokered access means a middleman or a middle interface like a server vault provides access to the user after a business justification is provided. So not only are you on a time limit to access a resource, you also have to provide a reason for accessing it. Pretty awesome; you know, we're capable of solutions to every problem, it seems like. And for choice C, on-demand accounts: user accounts are specifically provisioned to access a resource and then terminated or de-provisioned forever. In our current day,
the idea is you create a user account and that user account is open forever until the user leaves the company, until there's a de-provisioning or termination process. But with choice C it is a temporary provisioning, an elegant solution for a more advanced age. Are there any questions or anything? Prashant, do you want to do your practice question? We've got one more.

Sure, yep, we can do that. Let's just fly through. All right, so I'm going to read the question out for you. Which of the following options is not a characteristic of zero trust architecture? Option A: ensuring granular and advanced access control is implemented. Option B: micro-segmentation of the network to increase security throughout; obfuscation techniques limit the blast radius of the attack and aid in faster incident response and remediation. Option C: employees who are working from home and accessing the organization's network should authenticate using network access control, that is NAC. And option D: components of zero trust include user and application authentication, device authentication, and trust. So you might want to give it a shot, considering zero trust is absolutely a new topic, and fundamentally I'm going to explain with the reasoning as well why we think one particular option is correct and why the rest of the options are not correct. And it is totally fine in case you don't get it in the first go. See, I read this in one of the study experiences, and I think it was on Luke's site, that each and every wrong answer is going to bring you closer to the right one.

So the right choice for this is option C. The fundamental concept of zero trust is you do not trust, right? Because in order to make sure that a successful zero trust is implemented, you not only validate or authenticate the external users but also the internal users. Well, let's go one by one through the options. What are the options we have? Option A, ensuring granular and advanced access control is implemented,
making sure each and every device, user, and service which is being used in the organization is properly authenticated. So you must have heard about, or probably read in the CISSP, attribute-based access control, right? This is one of the common implementations in your zero trust, along with various other access control models like role-based access control. Option B, micro-segmentation: the traditional networking that we used to have made sure that they have the firewalls, then multiple others, like you have the DMZ and the internal network; however, with the help of micro-segmentation, at each and every layer within the organization any kind of service or application is authenticated, just to make sure that we do not have a complete or flat network once anyone gets inside. Let's take option D first and then we're going to understand why option C is not correct, sorry, why option C is not a characteristic of zero trust. So zero trust includes the components: your user and application authentication, device authentication, and the trust. So the traditional way of saying "trust but verify" no longer exists; there is no longer your perimeter security control, and that is the reason option C is not one of the characteristics of zero trust. Considering that device authentication is needed in your zero trust, NAC will definitely be used, or probably it can be incorporated in your zero trust, but it does not fulfill the requirement, considering it does not authenticate the devices due to the distance, because you have your devices either inside in the core network or probably people are going to access it remotely. So the fundamental concept of zero trust: you do not even trust the people accessing through VPNs, and zero trust assumes the malicious actors are within the internal network as well. So that is the reason your option C is the correct choice here.

Awesome, awesome explanation. I learned... I
learned a lot in that one. That's it: zero trust architecture, trust but verify, just-in-time access, new CISSP topics, not very big changes. And thank you again, Prabh and Prashant. If there's any Q&A... actually, first thank you Prabh and Prashant, and thank you most of all to those who have attended and allowed us to use up some of your precious time. Prabh, are we doing a Q&A and stuff?

Yeah, sure. Team, if you have any questions you can just post your question in the chat box. So, any questions? Okay, Arun has a question: so the exam is going to be going back to six hours?

No. You must be thinking that since... I think there was an announcement about... yeah, the CISSP exam is going to be an experiment, that the CISSP exam is going to be taken from home, an at-home exam, and the CAT exam is not going to be offered; it's going to be the linear six-hour exam for select people, I think only the United States. So yeah, the at-home test is going to be the six-hour, 250-question test, but there's a catch: it's 250 questions that you have to answer, every single one, and you have six hours. I don't know if you guys have sat at a table or a chair for six hours using your brain, but it is not easy. And I think you can't even go back on this one, so you really have to focus and use that. So it's only available for remote testing.

It's more like a deterrence control they have applied, right Luke? Yes, correct. That way you're not just taking a quick exam and then just being done with it; you've got to sit there the entire time.

So here's a small summary of the new syllabus. In Domain 1, are there any changes? No, there are no changes in Domain 1. In Domain 2, are there any changes? No, there are no changes in Domain 2. In Domain 3, zero trust, privacy by design... is anything there in Domain 3? Luke, would you like to add something, or Prashant?

Well, to answer all those questions, I have a video on YouTube called New CISSP Exam Changes, and I
literally go through everything from the 2018 syllabus to the 2021 exam syllabus, like every single line I compare; I don't leave anything out. So if you want to see that on YouTube, we can put it in the link when this is published. It's called New Versus Old CISSP Exam Changes, and I go through every detail and you can just see it. I don't remember all of it, but as Prabh says, the changes are small and slight, and any glaring ones I do identify in that video.

Okay, have you updated the content with the new syllabus? Do you wish to add some points here?

Yes, so Memory Palace has been updated with the most recent update as for May 2021. I still have a few updates to do there, but yes, so far you can find topics like zero trust is there, privacy by design is there, trust but verify, security by design is there, and you also have SOAR, security orchestration, automation and response.

Great. Luke, can we expect one session from you also, because you are a SOAR guy? SOAR, yeah, in the future. Yeah, we can maybe review as we get more insight into the new topics; maybe you can do a session on every single new topic and just go through every single one if we need to. That's great.

All right, what about you, Prashant? Is anyone left? Yep, okay, he's there, I'm here. Prabh just hooked me for another video in the future, is what he just did in front of all these people; I had to say "yes, we could do that." This is a good time, right guys? This is a fun time, the three of us just kind of talking and exchanging ideas. I minimized the window; is anybody left in the audience or are we the only ones? I'd say that's it.

We'll try our best to bring more and more new content, and I will request Luke and Prashant to be available for some alternate Fridays to bring some new topics in a session, so make sure our future students or clients or followers or subscribers will get a new update about CISSP. This is our due care and due diligence.

Prabh is
such an executive; he's already thinking ahead. Okay, Prashant, do you want to add anything, a note, something like that for our aspiring CISSP students? Okay, no pressure. Go ahead, please. Sorry about that, go ahead.

Okay, sure, thank you. So I'm just going to add one thing, or to summarize in the end: if you think... and honestly you might not have this kind of sense of whether you are prepared or not, but yes, if you have taken note of the checklist that Luke was sharing earlier, and if you meet that criteria, please do not wait for May to happen, okay? And in case you're just starting, may the force be with you.

And I am confident anybody who attends this webinar, or anybody watching this on YouTube, or anybody who is talking to Prabh, me or Prashant at any point, if you've touched any of those things, you will pass the CISSP exam.

That's great. And a week before the exam, three resources: make sure they are part of your list. One, Think Like a Manager; second is the Larry video; and Prashant's Memory Palace. As I said earlier, I have seen a couple of folks who cleared this exam purely based on the Memory Palace, the Think Like a Manager book, the Larry video and the Destination Certification videos. If you think, "okay, I will be ready for the exam," that will not be there till the last day of the exam, until there's a sheet in your hand. So don't wait for the time, "okay, I will be ready and then I will write this exam"; it will not work in CISSP. So just believe in yourself and plan your exam, before April or after, sorry, before May or after, it's up to you. But it is a life-changing certification.

That it is. I know after I got it I'm suddenly on a webinar with these two legends, so it is indeed a life-changing certification. Okay, thank you, thank you all, thank you guys, thank you everyone, see you next time again with the trio talks on CISSP. Bye, take care.
Info
Channel: Study Notes and Theory
Views: 4,231
Rating: 4.9207921 out of 5
Id: K2EE7mcaNoA
Length: 71min 29sec (4289 seconds)
Published: Tue Feb 23 2021