We have been using cryptography for 1000s of years.

Until recently, it has only been symmetric encryption where the 2 parties would have a pre-shared key.
In this video, I cover the history of cryptography at the level you need for the CISSP exam. Yes, this is very testable.

Remember, the CISSP exam is a management-level exam, you need the right point of view to pass the exam.

https://youtu.be/-KOGHeRDtxk

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we are going to talk about the history of cryptography and you might think, wait, what, how is that possibly relevant?
And it is relevant for two reasons.
First off, learning how something evolved and how it has been used over time can make you understand why we do some of the things we do today.
And secondly, and much more important, it’s on the exam.
This is something you might see in some of your questions, and it’s easy to learn.
It’s stuff you just need to memorize.
So these are easy win points.
Take them and be happy for them.
There are going to be plenty of questions on the exam that are convoluted, difficult, and where you end up having to pick the best of two possible right answers.
So the few times the exam is going to give you easy wins, take it.
We’re going to start out with the Spartan Scytale, and it is really just taking a piece of cloth and wrapping that cloth around a stick of a certain diameter and then writing your message.
Once you’re done writing the message, you remove it from the stick and then send it to the receiver.
Now, if someone else intercepts this message, they’re just going to see a long piece of cloth or parchment with letters that doesn’t make a lot of sense, even if for some reason they decide to wrap that around a stick, if that stick is not the exact same diameter, then it’s not going to line up and they can’t read the text.
Here, the stick of the same diameter is the shared secret that we use for our symmetric encryption.
Next up, we have Ceasar Cipher.
This is a substitution cipher.
Here we have our plain text message, and we then moved the letters a couple of rows over on the alphabet.
In the example you see over here on the right, you can see all the letters have moved three characters to the left.
So if our plain text message is “pass the exam”, moved three letters back, it would be “mxpp qeb buxj”, super super simple, but again, at the time, it was effective.
Next up, we have the Vigenère cipher.
It is a polyalphabetic cipher named after Blaise de Vigenère, a French cryptographer living in the 16th century.
If you look at the image over here on the right, you can see the English alphabet repeating both on the X and the Y axis.
And that square is called a Vigenère square, on both the X and the Y axis, the alphabet repeats 26 times.
On the X axis, you write the plaintext and then you write the key on the Y axis.
Here, let’s say our plaintext is “CISSP”, and the key is “Thor”.
That would make the ciphertext “VPGJI”.
When it was in active use, obviously both the key and the plaintext would be a lot longer.
But you get the idea right?
For the C, you go to the zero on the X axis and then you go down to the first of the key, that’s T, where they intersect, it’s a V, then you do that for the rest of the plaintext.
Now let’s take a look at cipher disks.
A cipher disk is two concentric disks with alphabets on them.
And concentric just means round.
One disk is bigger, the other is smaller.
If it is monoalphabetic or static, just like we looked at before, then T, for instance, will always be a D, but normally you would turn the inner disk, a certain number of letters in one direction after so many uses.
So for every five, 10, 20 letters, we might rotate the inner disk three spaces to the right.
Then we do another five letters in that position and then we rotate it again.
Which brings us to the Enigma.
Before and during the Second World War, Germany used the Enigma coding machine for all the secure communication.
They would encrypt it, then they would send it and then the receiver would decrypt it.
You may have seen the movie The Imitation Game, I personally thought it was an awesome movie.
If you haven’t seen it, go find it.
It’s the story about how a British group of scientists under the leadership of Alan Turing broke the Enigma encryption and how that would change the outcome of the war.
And to be fair here, there were multiple teams of people that broke the enigma.
On top of the team in the UK with Alan Turing, there was also a U.S. team of female scientists that broke the enigma as well.
You should also know there were two versions of the Enigma.
Early on before the Second World War, the Enigma had three rotors, that was broken by the Polish military when the Germans realized that.
The three rotor version was compromised.
They just added one more rotor, making it exponentially harder to break.
When it had three rotors, the options could be 26 x 26 x 26.
That gives us just over 17,500 different combinations.
When they added the fourth rotor that now changed the possible combinations to over 450,000.
So you can see what I mean when I say it was exponentially harder to break.
But as we know, it was eventually broken.
And if you have read up on it, if you have seen the movie, then, you know, they kept it a secret.
They only use the information for very, very critical targets.
If the Germans had started seeing unexplainable losses everywhere, then at some point they would figure out they were compromised.
By not acting on everything they decrypted, but only acting on the most important, they were able to conceal that they had broken the enigma.
And with the critical information they got, they were able to end the war years before it would have and saved millions of lives.
Which then brings us to Purple.
And Purple is the US name for a Japanese rotary based system very similar to the enigma.
And it was broken both by the US, the UK, and Russia.
It had three rotors, just like the Enigma did early on.
But as we know from the Enigma, three rotors was easy to break.
When Russia had broken the encryption and learned that Japan was not planning to attack Russia, they then moved the majority of their Eastern Front troops to Moscow to fight the Germans because they knew they were not a target.
They had decoded several messages saying Japan was going for Southeast Asia.
And with that we are done with this lecture.
We will finish up the history of cryptography in the next lecture.

How you approach the CISSP exam questions is critical for passing the CISSP exam.

You need to have the right approach, you need to learn to deconstruct the CISSP questions, pick the keywords and indicators, and manage your time.

Learn these and more in this tips and tricks video!
Get the full free “CISSP: How to study course” https://thorteaches.com/get

https://youtu.be/I-mOgc_3sNU

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we’re going to talk about how to approach the actual questions.
Read the entire question, take the time you need to completely read it, probably read it twice and then deconstruct it.
What are they really asking?
You need to find the keywords and you need to find the indicators.
Indicators are most, best, least, can, always.
And then the keywords is what is this question actually about?
That could be PKI or self directed or something like that.
And when I say deconstruct, boil it down to its essence, it might be a full paragraph of a question but really what they’re asking is the last 10 words.
If we look at this question, “Jane is the lead of our incident response team, they have proof hackers have gained access to some of our systems and they have successfully altered some of our customer information.
Jane reports that to Bob, the IT security manager, who should notified first?”
Not a super long question, but there’s still a ton of fluff.
The fact that Jane is the lead of our incident response team, doesn’t really matter.
That we have proof does, hackers have gained access to some of our systems, the fact that Jane reports it to Bob, who should Bob notify first.
So really, the question is, we have been attacked, they have compromised us, who do we notify first?
That’s it.
Then we look at the answer options, the data owner, the regulatory agencies that govern our sector, the IT security steering committee or the customers who are compromised.
Now, very likely we would talk to all of those.
We would inform them at some point.
The question is first, would we notify the data owner?
I would say probably.
How about the agency that governs our sector?
No, we have to notify them, but they’re definitely not first.
The IT Security Steering Committee again, no, we do need to notify them, but the data owner needs to know first, and then finally, the customers.
Maybe, I don’t know.
It depends on the laws, the regulations, how bad the breach was and many other things.
And this is a question I would say is easy or mid.
It’s,not a hard question, but for the purpose of showing you how to deconstruct questions, I think it works pretty well.
Now, I have heard from many students that use different techniques to make this better.
Some read the question once they look at the options and then pick the best answer, others read the answers first.
These are the four options I have.
Then they read the question and they kind of have in the back of their mind, these are the options.
Regardless of how you do it, I suggest reading the question at least once, preferably twice, deconstruct it, figure out what are they actually asking, and then go through the answer options and argue with yourself.
Sure, we need to let the IT Security steering committee know, but do we do that first?
No, we don’t.
We let the data owner know and so on.
Does the answer option that you pick meet all the requirements that the question poses?
We need to be both accurate and precise.
Here, they’re probably all right answers but what is the most right answer.
In this specific question you have four possible right answers.
But in many questions, you have two possible right answers and you have two distracters.
That means that you can eliminate one, maybe two of the answer options.
Some of them can be just completely they don’t match.
They ask about something in the OSI model and two of the answers have to do with fire suppression and PKI.
Those are easy to eliminate.
Some of them will also list things that we do, but in the wrong order or not appropriate in this situation.
So let’s say you have a question and you’re like, I think this is the answer but it could also be this.
Well then, look through the last options.
If you have no clue and you’re not sure on any of the four, well, then you have 25%.
If you can eliminate two of them now you have 50% chance of getting it right, then you do the internal dialogue.
You argue this is a better answer because of this and once you have gone through that, it is most likely the right answer.
Another way you could think through the question is, if we can only implement or do one thing, what would best solve the problem.
In this case, if you can only notify one thing, one person, one agency, one, whatever, which one should you choose.
Again, we get the same answer, the data owner, but it can in some cases help you to argue with yourself, this is a better answer because if I can only pick one, then I would choose this.
And now that we have talked about how to approach the questions, let’s finish this lecture out with talking about some more practical stuff.
It is perfectly normal when you start on your easy questions to score somewhere around 60%, perfectly normal.
It is what you should expect because you’re just starting out.
Even if you score 50%, it really doesn’t matter, those are just numbers.
Now, what you do after the test is really what matters.
This is where you restudy, you look at all the questions you had marked for review and all the questions you got wrong.
Then you restudy those areas until you can explain what it is, where we use it, how we use it, why we use it and when we use it.
And since most people don’t have someone, they can talk to, talking to yourself works just as fine, explain the concept, all the intricacies, because when you’re able to explain something, you actually understand it.
Now, as you do more questions, you restudy more.
You’re obviously going to do better.
At some point, probably when you hit somewhere consistently, 80 to 85 percent% on the easy to mid questions that is an appropriate time to move to the hard ones.
And as mentioned, that is normally somewhere between 1500 and 3500 questions on the easy to mid.
Now, when you start on the hard questions, it’s going to feel like you’re starting over.
You’re all of a sudden going to score 60 percent or lower again.
Perfectly normal, nothing to worry about.
You do the exact same thing here, you take a test, you mark for review, you look at the ones you got wrong, and then you restudy.
You do also at some point have to start looking at time management.
Normally, I suggest it somewhere halfway in the mid to easy questions.
Let’s assume you get 150 questions on your exam.
That means with three hours you have 72 seconds per question.
And there might be questions where you spent two, three, four, five minutes on.
Well, then other questions you need to answer faster.
For the test engines where they have that timer, keep an eye on it and maybe set a pace saying, at 50 questions, I should have spent an hour.
At a hundred, two hours.
At 150, three hours.
Because I have talked to so many students that say, “I spent too much time on the first 50 questions.
I spent an hour and a half or two hours and then at some point I just started skimming over the question, answering really quickly and clicking next”, which at that point is completely fair.
You have to do that.
But if at all possible, let’s not get to that point.
Let’s learn the time management before you get to the exam.
And then when you sit in the exam and you can see you’re in question 42,
but you spent an hour and ten minutes already, you’re 75% sure that this is probably the right answer, well then choose that answer and move on.
And once you move on, once you click next, completely forget the question you just answered, you can’t go back and change the answer.
So put it out of your mind.
It’s not going to help anything if you keep obsessing about that one.
And then let’s talk about breaks, take them when you need them and preferably take them before you need them.
At this point, let’s say you’ve done 10 full, 100 to 150 question tests, then you probably also know when you’re going to hit the wall.
At one hour and 15, I’m just going to start staring blankly at the screen.
I’m going to read the same question five times and I still don’t understand it.
And it is less of a problem now because the test is shorter, but it is still a problem.
So if you know, at one hour and 15 minutes-ish, I hit the wall, well maybe take a break at one hour.
Either just close your eyes for 20 seconds, meditate, do whatever you can or get up, walk around, go to the bathroom if possible, eat some sugar, drink some caffeine, and then get back to the test.
The test does not stop.
If you take a ten minute break, you have ten minutes left for the exam.
If you take half an hour, well then half an hour.
That said, I still think they’re a good idea.
Reset your mind and back to the exam, and do as much of this as you can when you take practice tests to emulate what would actually happen on the exam.
Do the full test, three hours, lock yourself in a room, take the breaks but don’t let anything else distract you, because if you just take 50 questions here, 50 questions there, you don’t really know how your brain is going to react when you hit question 100 or 125.
And I think to finish this lecture out,I’m going to talk about what happens when you hit question 101.
Most students I talk to, when they don’t pass at 100 starts to panic, and saying don’t is obviously easier said than done, but don’t.
If the exam gives you question 101, that means you’re still in the game.
The exam engine has not yet predicted with 95% certainty that you pass or fail.
So in your preparation, mentally prepare to do 150 questions.
100 is the earliest point you can pass, 150 is the last.
Now from 100 to 150, as soon as the test engine can predict with 95% certainty that you fail or pass, well, then you fail or pass.
If it never gets to that point, well, then you go all the way to 150.
I hope all of this has helped you demystify the exams, help you figure out how to approach questions and how you can most effectively and efficiently prepare for your tests and pass your exam.
And with that, we’re done with this lecture.
I will see you in the next one.

I took my CISSP exam 10 years ago.
Back then the exam was paper based, the tests were sent in a lockbox to (ISC)², and it would take around 6 weeks to get your exam results.
I thought I had failed, so I kept studying, but 6 weeks later I got an email letting me know that I had passed. It was weirdly anti-climactic and yet awesome!

My Facebook post from 10 years ago 😀 

My “Congratulations” email.

Being CISSP certified has played a major role in landing every single job I have had since then. My other certifications have helped, but the CISSP really sets you apart from everyone else.

Now it is time for you to pass your CISSP exam.
To help with that I am having a 96-hour sale on Udemy and ThorTeaches.
Get 10% off on https://thorteaches.com/get, use the coupon “CISSP10YEARS” at checkout.
or
Get the lowest possible instructor prices on Udemy by using the embedded coupons here: https://thorteaches.com/udemy/