Tuesday, January 7, 2014

Passing the Certified Information Systems Security Professional (CISSP) exam.

Wishing all my readers, friends and acquaintances, A VERY HAPPY & PROSPEROUS 2014!

During my middle and high school years, I used to bicycle every day to class, passing in front of a military base. One bold sign there always caught my attention. It said,

THE MORE YOU SWEAT IN PEACE, THE LESS YOU BLEED IN WAR.

This caption is very appropriate for preparing and passing the Certified Information Systems Security Professional (CISSP) exam. The outcome of the exam is directly proportional to the effort & strategy you put into it.

Every aspirant has their own baseline knowledge, preparation methodology, "Me time" and/or "We time" to prepare for the exam. Of the ten domains that constitute the CISSP curriculum, I was well-versed in four, had intermediate knowledge in another three and basic knowledge in the remaining. Unfortunately for me, the ones in which I had the least knowledge were the toughest ones in the CISSP curriculum. They were Cryptography and Application Security. So getting out of my comfort zone and attacking the information gap head-on was my first task.

My sincere advice to all CISSP aspirants - 

  1. Don't underestimate the difficulty of the exam. But equally important, don't underestimate your own capability to prepare for the exam and pass it. Don't let the preparation and the test itself overwhelm you.
  2. Reading, understanding and explaining to yourself in words not found in the books (as if you were teaching someone else, or the mirror!) will help you get a good grasp of what you have learned and what is still not clear.
  3. This is a long-drawn race, ranging from 2 to 6 months, depending on your background, available time and capability. There are no quick fixes, instant gratifications or shortcuts.
To make this reading informative and interesting, I have listed the remaining tasks as bullet points in their sequential order. They are as follows:
  1. Reviewed the contents of the curriculum listed on (ISC)2 site, clearly defining what I had to do to pass this exam. I did this 4 months in advance.
  2. Joined the Houston chapter of the Information Systems Security Association (ISSA), which was getting ready to conduct a group study for aspirants of the CISSP certification.
  3. ISSA conducted 13 classes aimed at preparing us CISSP aspirants in Fall 2013. Each class was focused on one domain and was taught by experts in those domains. The remaining 3 classes were for exam preparation strategies and the like.
  4. My main sources of study material were as follows. Reviewing them over and over again helped me solidify my knowledge base on what I already knew and thoroughly understand what I didn't:
    • Shon Harris' CISSP All-in-One 6th edition.
    • Shon Harris' CISSP Exam Simulator - The audio podcasts were highly beneficial during my daily 3 hour commute to and from work.
    • Wikipedia.
    • TechTarget.
    • Google - I always searched for material on terms I came across, to get another person's perspective.
  5. To set the goal to study and pass the CISSP exam, I scheduled it nearly 3 months in advance paying the exam fee of $ 599.00. The threat of losing that money if I didn't pass, was incentive enough for me to prepare and take the exam seriously. I also scheduled my exam date one month after the last group-study class to assimilate all that I learnt in the classes and on my own.
  6. To thoroughly experience the test, I practiced using the following test simulators:
    • Total Tester - This was in the CD that came with the Shon Harris book. This has 1,000+ sample questions in all the domains.
    • CCCure Quizzer - I paid $ 49.95 to get access to 1,000+ questions in all the domains.
    • CISSP Exam Practice - I paid $ 59.00 to get access to 1,000+ questions in all the domains.
  7. What initially seemed like "I got it" by simply reading, seemed to prove otherwise when I took the mock tests.
  8. My calculation was - Between what I know from professional experience, what I learn from Shon Harris' materials, group study and these 3,000+ sample questions, I should be able to pass the CISSP exam in the first attempt. So I began preparing in real earnest from the first group study class, with the exam date firmly set in my mind.
  9. Every group study class was scheduled for Tuesday night. Each week, one domain was covered. My groundwork for each Tuesday's class was three-fold:
    • From Sunday morning to Tuesday evening before the class, I performed a short-study using the Shon Harris material relating to the domain that was going to be taught in the upcoming Tuesday night class.
    • From Wednesday morning through Saturday afternoon, I continued to study in detail on the same domain taught the previous Tuesday.
    • On Saturday night, I took 3 mock exams of 50 questions each on the domain just learnt and from the 3 sample question sources listed above.
    • From Sunday morning, I repeated the above 3 steps.
  10. As I read the material, heard the podcasts and attempted mock questions, I made notes in Microsoft Word on information from each domain that I didn't grasp. These notes helped me focus on my weak points and work to convert them to matter I became fully conversant with.
  11. After the last group study class, I increased the number of mock questions I took, from 150 per week to 300 and ultimately 750 questions per day in the last week. CCCure has the option to choose only questions that I incorrectly answered previously, as the basis for the next mock exam. All the exam tools provided clear descriptions on the answers and I studied them with rapt attention. I initially answered my mock questions at the rate of 90 seconds per quiz and ended up answering in 20 seconds. This strenuous preparation helped me develop high levels of concentration, fast responses and the ability to answer tough quizzes for 10 hours per day.
  12. On the evening before the exam, I stopped studying by 6:00 PM and went to bed by 8:00 PM for a lengthy 9 hour sleep. That sleep helped me go to the exam the next day, fully rested, fresh and relaxed.
The following bullet points highlight my observations and experiences on the day of the exam, which I intentionally chose to split from the above:
  1. A quiet (no radio, podcast or music) drive to the exam venue brought me there 30 minutes prior to the scheduled time.
  2. While there was an anxiety factor, my hard work over the past 3-4 months and results of mock exams had instilled a good degree of self-confidence that I was ready for any type of questions. The anxiety factor helped me stay alert and focused throughout the exam.
  3. What surprised me about the exam was the sheer number of situation questions, where at least 2 answers seemed like they were correct. I initially felt that I wasn't mentally prepared to deal with that many; but the good foundation I had solidified since the start of the first class carried me through.
  4. When doing the previously mentioned tests from CCCure, Total Tester and CISSP Exam Practice, I could easily & quickly tell from which domain almost every question was. Not so quickly & confidently in the exam.
  5. There were many questions that didn't seem to be from the CISSP curriculum and I was not sure if I guessed them correctly. I didn't let that hurt my confidence, believing that they were the 25 beta questions, which are put in there on purpose by the examination board.
  6. I read every question and every possible answer, word to word. When 2 of 4 answers seemed to be correct, I leveraged what I had learned and proper reasoning to select the most accurate answer.
  7. Time is a very important factor in this exam. I kept an eye on the time, to cruise along at a steady pace. I didn't do that initially and took 1 hour to complete the first 30 questions. Then I started using the "Flag" to mark questions to be revisited later. That brought me on track.
  8. Short breaks are very essential in this 6 hour exam. I took short breaks of no more than 5 minutes to get away, enough to relax my mind. I took 2 breaks, each time after completing 100 questions.
  9. As much as I teach my kids to "double-check" after every test, I just didn't have the time or the mental energy to go through all 250 questions. So I only double-checked those questions which I had flagged before, since those were the ones whose answers I wasn't 100% confident of.
  10. My very frequent and high number of 50 to 100 to 250-question practice exams, didn't fry my brain by the end of the actual exam.
After finally electronically submitting my exam, there were 3 minutes of uncertainty and anxiety since I would know if I passed or failed only at the triage and not on the computer screen where I took my exam. My heart beat like crazy when I saw I passed. I read it over & over again just to be sure. I even read it out to my wife just to be double-sure. I then sat in the car for 5 minutes just to calm down before starting the drive back home.

My hard work, smart preparation strategy, razor-sharp focus on the end goal, re-prioritizing my life for these 3-4 months, all helped me achieve my objective of passing the CISSP exam before Christmas 2013.

I wish all the very best to those determined to pass this exam in the Spring, Summer or Fall of 2014 or beyond. You, I and everyone hell bent on passing, most certainly will.

BEST OF LUCK!

- Mukund Hukeri.

Thursday, September 12, 2013

Gratifying community service opportunity to earn PDUs, volunteer hours & friends.

I am always looking to provide opportunities for my kids to improve their skill-sets, do a good deed, add a feather to their cap, etc. One of the benefits of this is spending quality time with them doing things that we all love.

Here is a truly worthwhile & gratifying opportunity for fellow project management professionals and high school students to earn their PDUs & volunteer hours respectively. Rebuilding Together Houston (RTH) is a non-profit organization helping financially-needy, aged and medically-challenged homeowners in Houston by repairing and renovating their homes at no cost. Each renovation project is managed by competent & professionally successful project managers. All the renovation work is done by volunteers, men & women from high-school students to management gurus.

My son and I volunteered last April for 2 Saturdays. Our feedback is as follows:
1. We thoroughly enjoyed father-son quality time working with fellow volunteers and using our hands & feet in place of iPad & X-Box.
2. Well worth the time invested upon seeing how we helped out someone who truly needed our support.
3. Enjoyed two days outdoors in the cool & sunny weather.
4. Networked & made friends with fellow professionals.

Rebuilding Together Houston is offering another opportunity on 2 Saturdays in October - 10/19/2013 & 10/26/2013. Volunteer teams are being formed. My son & I are in. Reach out to me if you would like to hear more details.

Friday, May 10, 2013

Essence & benefits of community service.

Philanthropy, courtesy, chivalry, conscience, even ulterior motives and many others are the driving forces behind the need to perform community service. The above apply to a single individual or an entire nation. No matter what the driving force, we all have, at some time or the other, voluntarily or involuntarily, performed and continue to perform community service.
In my experience, one of the end results has always been what I characterize as “My good deed for the day”. I walk away with a sense of purpose, accomplishment and fulfillment. Performing community service with a team of family, friends, temple or church goers, professional associations, adds a team spirit dimension making the task or project more valuable and fun. I am fortunate to have a teenage son who shares my values.

On Saturday, April 6th, 2013, my son and I worked with two organizations, Project Management Institute’s Houston chapter and Rebuilding Together Houston, to renovate the home of a financially and medically challenged and aging couple. My initial motivation was to have a sense of belonging at PMI Houston and get my son a certificate showing XX hours of community service. I was impressed meeting many of the stalwarts with impressive credentials, lifetime accomplishments and fascinating lifestyles.

Our team comprised 10 members: a project manager and subject matter experts, while the rest of us were dedicated & enthusiastic volunteers. The project manager broke down the project into parallel & sequential tasks, with individuals & groups responsible for getting it done within a predefined time. Risks & safety issues initiated the first round of on-site discussions and became part of every conversation, till the very end. We split up into 4 groups, each one working on a task to be completed within a fixed duration. Some of the tasks included removing old & putting in new boards, pressure-washing sides, fixing the A/C unit, painting, caulking, landscaping, etc. To make the tasks more interesting, each group worked on different tasks at various sections of the project. The project manager effectively communicated with groups, shuffled & reassigned them when needed, updated the checklist of tasks and provided status reports periodically. In the end, we were delighted to see a home in much better shape than when we first arrived. No more rain water leaks, better cooling with A/C, flower beds, rose plants, and an aesthetically pleasing home.

My son and I talked to the owner of the house. She was very grateful for the volunteer service we provided. Her held-back tears, choked voice and a trembling handshake made us realize that we actually didn’t do her any favor. She did us a favor by giving us an opportunity to realize that we all have a hero inside us. This hero needs to be freed from our chains of greed, selfishness, ignorance and arrogance. This hero needs to be let out and breathe the fresh air of humility, community service, and appreciation for what we have. My personal take-away from community service, which I haven’t already stated above, can be listed as follows:
  1. Work on common goals and core values with people we only occasionally interact with.
  2. Learn and share new ideas outside our professional competencies.
  3. Acquire and improve skill-sets, both management and technical, we are short on or didn’t even know existed inside us.
  4. Quality time with our near and dear ones, while playing the role of a mentor, partner and team player.
  5. Social networking with both like-minded and diverse people, peers and role models.

I leave this blog with two slideshows posted on YouTube showing the work our group of volunteers performed on this project.
  1. Slide-show 1 of 2
  2. Slide-show 2 of 2

Wednesday, March 13, 2013

Challenges and success stories in the world of IT Management.


Sunday, August 19, 2012

Essence of IT collaboration in manufacturing sites.

At various stages of my career, I have seen the segregation of information technology management in manufacturing companies, in a wide variety of vertical markets. This is true even today in oil & gas, petro-chemicals and computer hardware manufacturing firms.

The primary purpose of this segregation was and is to maintain strict access controls, separation of duties, differing IT practices and skill sets. In this blog, I would like to share my observations and recommendations relating to this segregation and future collaboration.

Many manufacturing plants separate IT roles into two major groups – those working in the Control System (CS) and those in the corporate or enterprise. The IT staff in both these teams report to different directors, C-level executives or vice-presidents. They rarely collaborate, occasionally communicate and hardly draw from each other’s expertise. Each IT team is a self-sufficient group working within its own budget, resources, tasks and goals.

The separation of IT roles is primarily in the areas of Control System applications and equipment. The organizational structure is also different, since IT within the Control System team reports to Control System managers, who ultimately report to the COO and not the CIO. The unique tasks and operations managed by IT within the Control System team include the following:
1. Manage IT infrastructure and applications relevant to Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) – control and monitor industrial processes, collect and utilize historian data, interface with Programmable Logic Controllers (PLC), connect to sensors, perform Analog-to-Digital and Digital-to-Analog signal conversions, etc.
2. Communication infrastructure – connect and manage cables, wireless links and interfaces such as repeaters, switches, routers, WAPs and firewalls that link the PLC farm, remote terminal units, RS-422/232 based equipment, and back-end application servers or databases to each other. A proper design and deployment will factor in scalability, redundancy, security through VLANs and Access Control Lists (ACLs), and more. Operational tasks include monitoring traffic against bandwidth thresholds, dropped connections, and errors or data loss across interfaces.
3. Security of Control Systems – facilitate, test and monitor the data traversing the plant campus, an environment that is usually harsher than the corporate network. Perform penetration tests with varying degrees of intrusion on computer systems and networks to validate that security continues to be aligned with pre-set goals and levels.

In my view, the following roles and tasks common to both groups can be shared, so that both groups jointly take on the responsibilities of managing IT in the Control Systems and Enterprise:
1. Back-end systems – server hardware, OS, DB and common applications administration, security, X.500 directory, backup & restore, monitoring, maintenance, anti-virus deployment, patch management, and others.
2. Front-end workstations and terminals – hardware, OS and common applications management, authentication, helpdesk support, security, and imaging, among others.
3. Networking gear – monitoring, standardization on hardware and design, patching, penetration tests, sharing of spares, etc.
4. Backup & disaster recovery – pooling of all site data into common backup targets, verification of data through granular restores and full system recovery, off-site transport of tapes through a single reputed carrier, mock drills for disaster recovery at varying levels of outage, and others.
5. Documentation – documentation with varying levels of detail for review and acceptance by different roles within the plant. Documenting policies, procedures, and the accountability and responsibilities assigned, which need to be vetted and verified. Setting up a chain of custody for shared responsibilities.

This is not an exhaustive list of shared and segregated tasks and operations performed by IT within the Control System and Enterprise sections. However, with the convergence of data, equipment and services, IT resources can be optimally utilized for redundancy, shared services, added tasks and overall productivity.

Wednesday, May 18, 2011

Business considerations when selecting domain extensions for your web site.

Choosing the right domain extension(s) for your business is a project that must be given sufficient attention, time and priority. After all, it is one of the important means to get potential customers and business partners to access the list of products and services you offer.

The most sought-after top-level domain extensions are .com, .net and .org. If you haven’t already registered your domain name, chances are that the yourcompany.com/.net/.org domain will have already been registered to someone else. With the advent of several generic and country-code domain extensions (.co, .biz, .us, .info, .cc, .tv, .fm, .cn, .in, etc.), it is imperative that companies not only choose one or more of the above-mentioned extensions, but also take into account many of the following vital factors:
  1. Name of the domain – This should be as short as possible and preferably without hyphens or underscores. It should be clear enough for anyone to identify it with your company, products, services or nature of activity such as manufacturing, distribution, logistics, IT services, etc.
  2. Type of industry – generic top-level domains are available to suit any industry. They are .co (for those who missed .com), .biz, .us, .cc, etc. Domain extensions such as .tv and .fm are typically used by TV stations, multimedia firms and internet radio firms.
  3. Domestic and international reach – In a globalized world, it is essential to portray a global presence, even if only in cyberspace. I would recommend buying domain extensions in all countries (.cn for China, .in for India, .co.uk for England, etc.) where current and prospective clients & business partners are based.
  4. Global competition – Continuing from point (3), it is essential to cover your bases through domain extensions in current and future business prospects. Failing to register domain names in multiple countries can hurt your company if a competitor were to buy a domain with your company name on it.
  5. Current and prospective names of products and services – To cater to expansion into global markets, acquisitions and mergers, and diversification into multiple and sometimes unrelated products, domain names and extensions should be registered accordingly, leaving no opportunity for someone else to buy and park that domain.
  6. Yourcompanysucks.com – It has become a trend for the competition, phishers and saboteurs to buy domains such as yourcompanysucks.com (see http://microsoftsucks.org), populate the website with rants, artificially drum up web traffic and submit this unwanted site to all popular search engines. These not only hurt your business image, but also turn off genuine customers.
  7. Mistyped company name – It is important to register at least the top-level domains with your company name mistyped (see goggle.com instead of google.com). These mistyped domains are usually used to siphon away your visitors, either by offering competing products and services or by giving your company a bad reputation through phishing or pushing malware to unsuspecting visitors.
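Points 6 and 7 both come down to knowing which look-alike spellings of your name exist before someone else registers them. The following script is an added example, not code from the original post: it enumerates common mistype and look-alike variants of a brand name (dropped, swapped, doubled or fat-fingered letters, and digit look-alikes) across a chosen set of extensions, so the list can be handed to the registrar or to a brand-monitoring watchlist. The brand "yourcompany", the TLD list and the keyboard table are constructed sample input.

```python
from typing import Callable, Dict, List, Set

# Keys adjacent to each letter on a QWERTY layout ("fat-finger" mistypes); assumed subset
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Visually confusable digit substitutions commonly seen in look-alike domains
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def omissions(name: str) -> Set[str]:
    """Drop one character: 'google' -> 'gogle'."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transpositions(name: str) -> Set[str]:
    """Swap two adjacent characters: 'google' -> 'googel'."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(len(name) - 1)}


def repetitions(name: str) -> Set[str]:
    """Double one character: 'google' -> 'ggoogle'."""
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def adjacent_key(name: str) -> Set[str]:
    """Replace one character with a neighbouring key: 'google' -> 'hoogle'."""
    return {name[:i] + nb + name[i + 1:]
            for i, ch in enumerate(name) for nb in QWERTY_NEIGHBOURS.get(ch, "")}


def homoglyphs(name: str) -> Set[str]:
    """Replace one character with a look-alike digit: 'google' -> 'g0ogle'."""
    return {name[:i] + HOMOGLYPHS[ch] + name[i + 1:]
            for i, ch in enumerate(name) if ch in HOMOGLYPHS}


def typo_variants(name: str) -> Dict[str, List[str]]:
    """Map each mistype technique to the distinct variants it produces for `name`."""
    name = name.lower()
    generators: Dict[str, Callable[[str], Set[str]]] = {
        "omission": omissions, "transposition": transpositions,
        "repetition": repetitions, "adjacent_key": adjacent_key, "homoglyph": homoglyphs,
    }
    # Drop the genuine spelling and the empty string (omission on a 1-letter name)
    return {label: sorted(gen(name) - {name, ""}) for label, gen in generators.items()}


def candidate_domains(name: str, tlds: List[str]) -> List[str]:
    """Flatten every variant across the chosen extensions into one sorted watchlist."""
    names = {v for variants in typo_variants(name).values() for v in variants}
    return sorted(f"{v}.{tld}" for v in names for tld in tlds)


if __name__ == "__main__":
    # Constructed sample run: watchlist for a fictional brand on three extensions
    for domain in candidate_domains("yourcompany", ["com", "net", "org"]):
        print(domain)
```

Variants that are already registered to someone else are the ones worth watching for phishing or malware distribution; the rest are candidates for defensive registration.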

There are other factors, such as business strategy, goals and objectives for the next 3 to 5 years, that also help decide the choice of domain extensions and names. The cost of registering domains is pretty cheap, especially when weighed against the propagation of business opportunities, mitigation of potential damage to company reputation, etc. All purchased domain names and extensions can point to a single web site to ensure an identical message is conveyed through the same server or hosted site.

Tuesday, May 17, 2011

Cloud Computing: Failures and lessons learned

Outages experienced by customers of major and minor Cloud Service Providers, over the past couple of years and especially in the past two weeks, have resulted in down times beyond those offered in Service Level Agreements (SLAs). While some have made headlines, many have gone unnoticed and unreported. IT executives, including those already embarked on the Cloud or intending to, are scrambling to find reliable means of capitalizing on the benefits of the Cloud while mitigating the risks it poses.


Hybrid Cloud infrastructure is the key to ensuring minimum disruption to business. Mission critical data should reside in both the Cloud and the company’s internal or co-located data centers. Access to this data should be provided through multiple routes, including Internet and WAN service providers, for both the customers and business partners. Technologies such as Continuous Data Replication/Protection should be deployed to replicate data needing high availability. SLAs from service providers and IT should be in sync and set realistic and acceptable expectations to the consumers. IT infrastructure should be designed, configured, deployed and thoroughly tested to validate the SLA. Mock drills with varying degrees of impact should be performed by teams including IT and representatives from different facets of the business.


As businesses venture into this relatively new medium of computing, expected hiccups are bound to occur that can violate the SLA. Over time, with proactive monitoring, testing and continuous improvement, a credible SLA can be enforced that is acceptable to the business.