The Singularity is Near (for security) pt. 1
September 21, 2008
I’ve been reading Ray Kurzweil’s The Singularity is Near. It’s been blowing my mind. It’s a detailed account of how, when and why artificial intelligence will outdo humanity (as it is now) in every way in about 20-30 years.
The book is the real deal. It’s over 600 pages with 100 pages of notes. It’s a college course and a 10-course meal.
The first thing you have to realize about Ray is that he is not some kook with a sci-fi idea. His ideas are NOT some sci-fi “original movie” trash cooked up by a team of ex-dungeon master, fanboy geeks. Kurzweil is a world-class inventor who created the first omni-font optical character recognition system. He is the brains behind text-to-speech and the next generation of music synthesizers (the ones that are able to sound like any instrument).
He is the father of the Law of Accelerating Returns, which describes the exponential growth of technological progress and change.
So far, the most startling idea I’ve read in his book is something I read in a Vernor Vinge article a few years back. Eventually, computers will be sentient and a trillion times smarter than us. I’m not just being sarcastic and throwing out ridiculous numbers (bajillion kajillion) to get an overinflated point across; I mean LITERALLY they will be a trillion times smarter. If you subscribe to Howard Gardner’s theory of Multiple Intelligences, computers will be able to outdo us on every one of them (plus a plethora of some we don’t yet have the capacity to conceive of). If that doesn’t stir you, how about this? They will eventually build systems (AI) smarter than themselves. That is when they will be so far beyond us that we (in our current capacity) will not be able to comprehend them fully.
Kurzweil is definitely not gloom and doom. He does not predict (for example) that the machines will send Arnold Schwarzenegger back to 1984 to kill Sarah Connor (Linda Hamilton is still safe). In fact, the book is about “when humans transcend biology”.
Now just think about that… “transcend biology”. It gets me thinking of some sort of “Ghost in the Shell” type world where most people are cybernetically enhanced in a hundred ways. Ghost in the Shell is among my favorite anime franchises because it goes to great lengths to describe its cybernetic world. The singularity is a reality in the world of Ghost in the Shell.
It’s a world in which an AI can hack and/or possess anyone or anything with a cybernetic central nervous system. A world where the line between physical and virtual is blurred by visual enhancements and the definition of humanity must be expanded to allow people who are now 90% robotic.
What do I think the Singularity will mean to security? That is a bit of a ridiculous question. It’s like asking: if the sun explodes, what will happen to all the plants? The answer is the same thing that will happen to all of humanity. Perhaps the sun exploding is a bad analogy, because I don’t think the Singularity will feel the sudden need to enslave all humanity, turn us into batteries and lock us in a Matrix-like virtual world. I think it will be more of a collaboration between supercomputer and abacus, rancher and cattle, shepherd and sheep, but not at all like master and slave (well, at least not a BAD master). Those of us unwilling and/or unable to change will be like a novelty item, neo-Amish. The Singularity will hack us and herd us like the consumer, technology-dependent sheeple we have become. And we will do nothing but smile and enjoy our everyday prices.
Speaking of novelty, I can’t help but think of Terence McKenna’s mention of an acceleration of everything in his Timewave Zero theory.
The graph shows at what times, but never at what locations, novelty is increasing or decreasing. According to the timewave graph, great periods of novelty occurred about 4 billion years ago when Earth was formed, 65 million years ago when dinosaurs were extinct and mammals expanded, about 10,000 years ago after the end of the ice age, around late 18th century when social and scientific revolutions progressed, during the sixties, around the time of 911, and with coming novelty periods in November 2008, October 2010, with the novelty progressing towards the infinity on 21st December 2012 - wiki
The rate of change is both inevitable and necessary to our nature.
Once again, security is a pissant in relation to the upcoming changes predicted by these modern mathematical prophets, but I will say this: lately things in the Certification & Accreditation world have been changing drastically every 6 months, with each change bringing in a wave of rumors of yet MORE change. The current rate of change is keeping me very employed.
The Value of a (Ethical Hacker) Certification
June 25, 2008
Ok, I admit it. I have totally slacked off on getting that CEH certification. I’ve had the boot camp, I’ve amassed lots of great books and resources, I’ve even talked to some people who have passed it, but I still haven’t been consistent about studying. For a while I was pretty consistent. I read the Official Study Guide and started working on an Unofficial one.
Why don’t I have that cert yet? I suppose I just don’t feel I have a reason to have it. It would just be for show, because I don’t really do pen testing. I’d like to, but in my job I don’t usually have the opportunity or reason to do it. I’ve already got the CISSP, so I don’t need the CEH for some kind of prestige. Many hackers piss on certifications; they are not impressed with them and are willing to hurt anyone who flashes the credentials. The CISSP trumps most certifications. The only real benefit for me in getting it is that it would force me to get more familiar with tools like netcat and Snort, which I don’t use enough. I am interested in cyber kung fu. Lately, I have been more drawn to the scientific and mathematical side of technology, the side where the innovations are born, not just mastered. I’ve been sharpening up my math skills and plan on getting into Computer Science, Electrical Engineering or Physics.
I haven’t decided whether I want to take the CEH, because I want to do something that has more depth. I suppose I could complete the CEH, go through Computer Science, specialize in security/crypto/info assurance and follow in the footsteps of Bruce Schneier and Steve Gibson. In the beginning, certifications were definitely a step up, but I’m in a place now where they are just ornaments, flashy baubles I could decorate my name with when I need an ego boost. If my wife and kids are giving me lip I can say, “Don’t you know I am a CISSP, A+, B, C, D, E, F, G? You MUST respect my awesome test-taking ability!”
I’ve said it before: I think certifications can be of great value. If you work for the Department of Defense in IT you pretty much MUST have one (per DoD 8570). Certifications can give you that extra edge against competing employees in the private sector. Problems arise when an IT certification’s value is taken out of context, like the 8570, which makes it mandatory to have a certain certification regardless of your experience and/or degrees. That is a bit much. Not everyone who passes the CISSP can configure a firewall properly. But perhaps that’s the reason the DoD wants system-specific certifications.
uCertify Software - IT Certifications
December 10, 2007
Warning: Shameless promotion of a kick ass product!!
I recently got a chance to test drive uCertify’s IT certification software. I loaded the CY0-101, Security+ PrepKit. I must say I like the software and I am thinking of getting the MCSA from them (I think I only have to take two tests to complete it). It features the usual breakdown of how you performed in each of the test’s objectives. It also has flash cards that allow you to type in answers to key points on the test… I don’t recall seeing that feature on other certification software.
The pricing depends on the tests you get. But it’s in the double digits, so it’s a cool little investment toward a bright future. For those of you who are serious about certifications, you know that the software (such as Transcender, aka the software that must not be named), boot camps and training material can cost hundreds or even thousands of dollars.
I think that software such as uCertify is a good start toward attaining a new cert (although you can never replace a solid year of experience).
As for the CY0-101, I believe Security+ will be changing its objectives sometime in 2008. Hopefully, uCertify will keep up with that. CompTIA sent me a few surveys about the change, and a couple of co-workers who are being pushed to get the Security+ told me that they want to get it before it changes.
My honest opinion is that software like uCertify’s PrepKits is great for gauging your level of preparation. I also recommend that you use more than one gauge (particularly on the bigger tests such as the CISSP).
DoD 8570.1 ISSEP coming?
September 18, 2007
Honestly, you probably could get away with a Security+ for a while (if you’re already in a govt security position), because the 8570.01M indicates the need for a Security+ at the very least at IAM Level I.
But if your position actually requires you to take on an IAM role for Field Operating Agency enclave systems, or at some other MAJCOM-equivalent level, then you should go for the CISSP. The DoD is talking about requiring an **Information Systems Security Engineering Professional certification, ISSEP (a certification that actually requires the CISSP to even take the test), for enclave systems.
This table is taken straight from the DoD 8570.01M (via TaoSecurity):
More on the 8570:
http://iase.disa.mil/eta/index.html#8570training
**Notes: The 8570 FAQ mentions that “Future updates to the Manual will incorporate specialized elements of the IA workforce. Chapters on System Architecture and Engineering and Computer Network Defense Service Providers have been drafted and are currently entering the formal DoD staffing process.” I haven’t been able to find the new 8570 draft that refers to the ISSEP and ISSAP (specialized CISSP), but I’ve been seeing it in slides and at briefings for about a year now.
Here is what is being proposed. This would actually affect me (I may have to get an ISSEP or ISSAP). Security+ will not cut it if this passes in the next DoD 8570 draft.
Chapter 10: Information Systems Security Architects/Engineers (certs by level)
IASAE I: CISSP
IASAE II: CISSP
IASAE III: ISSEP or ISSAP
Chapter 11: CND Service Providers (certs by role)
CND Analyst: GCIA
CND Infrastructure Support: MCSA: Security, SSCP
CND Incident Responder: GCIH, CSIH
CND Auditor: CISA, GSNA
CND SP Manager: CISSP-ISSMP, CISM
Ref: www.disa.mil/conferences/2007/briefings/iatool_training.ppt (slide 19 from the DISA Conference)
Which Security Certification Should I Get?
August 31, 2007
If you can, get the CISSP; don’t waste your time with anything else. You don’t have to make it your last cert, but (if you can) make it your first. It has become the gold standard that gives you “just add water” credibility. You can slap those initials at the end of your name and flash a badge with your ISC2 CISSP number on it.
The statement above will piss off a lot of security people, but it is the truth, the inconvenient, sad and pathetic truth. To all you skilled hackers and IS pros: don’t hate the blogger, hate the game. I didn’t create the rules, I just hack them.
Old school hackers and security geniuses talk MAD shit about the CISSP, but what they fail to realize is that “to hack ‘the man’, you have to be ‘the man’”. What I mean is that playing the game is essential to your financial need$. There are always exceptions: Adrian ‘homeless hacker’ Lamo, Steve ‘I write entire apps in assembly’ Gibson, Gordon ‘I created nmap’ Lyon, Jeff ‘I created DEF CON and sold it in 2005 for 14mil’ Moss, Bruce ‘I decrypted code as a fetus’ Schneier..
For average bastards like you and me, the CISSP is the way to go.
I do agree with DMiessler and McKeay:
“I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.
More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge - not for testing whether or not you’d be qualified to actually do anything.” — dm
“..the CISSP is not a technical certificate! It is not now, nor was it ever meant to be, a technical certification.” — mckeay
Though you may see a couple of technical questions on the test, the overall test is pretty high level, unlike the Certified Ethical Hacker or the CCNA, which ask specific technical questions about specific technical issues.
So what should you go for on the security certification front?
Go directly for the CISSP (if you can). The fact of the matter is that most companies, the government and foreign organizations look for the CISSP. Aside from the CCIE, I don’t know of any other technical cert that will give you so much credibility (even if you don’t deserve it).
A NOTE of caution: If you get it, be real with yourself. The CISSP does not instantly make you an expert in all ten of its domains. It will not put an “S” on your chest and make you impervious to Kryptonite. It’s just a test. It’s not an I.Q. test or the Bar. It’s just a test. If you have passed, congratulations… now the real work begins. Good security professionals are ALWAYS learning (even more so than your average IT guy, because we have to know the latest in IT as well as policies, some law and even some level of management). A real CISSP should be a “jack of all trades, master of ONE”.
You should also consider that there is simply no replacement for a good degree except for experience. The good thing about the CISSP is that it requires you to have a certain amount of experience before you even attempt it.
Building to the CISSP:
Beginner: if you’re just starting, you want CompTIA’s Security+ certification.
Now, if you’re just trying to be the guy who looks at audit logs all day and reports what he sees, then you’re golden. But if you’re serious about security, then you need to play the game: get the damn CISSP (do not pass Go, do not collect $200). It pays better than a Security+… much better.
Serious Beginner
Get into any kind of Information Security position and earn some “street cred”. You may even be in a typical IT position on a filthy help desk (sorry, I’ve done it and it sucks); you can still use it to your advantage by working your way into security tasks. If you’re in the military, volunteer to be the COMSEC guy or an IAO (it’ll be easy because nobody else wants to do it). Volunteer to work with the security guys and learn from them. The goal is to get into the security mindset and also rack up some experience. A degree from a school that allows you to set up a lab will help too.
Novice Security
After a solid year of security experience you should go for the Systems Security Certified Practitioner (SSCP®). Why the SSCP? It will help you build toward the CISSP. At this point, if you haven’t done so already, I would recommend joining the Information Systems Security Association (ISSA). You’ll begin to network with other security folks, from forensics to the pentesters to information security managers (who don’t even know how to set up a network). By this time, you should have some idea what you’d like to specialize in. The CISSP is a great foundation as far as certification credibility goes, but you will need to specialize.
The CISSP
I found the test challenging. You don’t want to take it twice, that is for damn sure. Just make sure you’re ready. You’ll have to have about 5 years total security experience.
Now check this out:
“Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains.” –ISC2
Even a Masters degree will only replace a maximum of 1 year of experience (sounds like *NS to me):
Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master’s degree, you may only apply for a one year waiver of experience.
*NS: nonsense
Certified Ethical Hacker Exam Prep (amazon review)
July 26, 2007
Found a good review of Mike Gregg’s book, Certified Ethical Hacker Exam Prep, from Amazon reviewer N. Rossino (NY):
The previous poster did bring up a good point: this book will not teach you how to hack. It WILL help you pass the CEH exam. It lays a very good foundation, and the only reason I give it 4 stars was because it was lacking the detail and depth to be fully comprehensive.
Keep in mind, that this book is meant for people who do have an administration background and who happen to be pretty familiar with Linux and Windows. The book is written for that group of people because without that experience, you probably won’t have the experience necessary to be a CEH.
I happened to read all 3 books for the CEH that are listed on Amazon: the Sybex book, the EC-Council book, and this book. By far, this book was the best out of the 3. The Sybex book was a waste of money as it wasn’t as good as this book and it had even less depth. The EC-Council book had a bit more detail in some topics, although it lacked cohesion and was poor at presenting the thought behind it. I think this book and the EC-Council book complement each other, and give you a pretty good idea of what you actually need to know. I would start with this book and finish up with the EC-Council book and/or courseware. My reasoning is that you should set the foundation first and this book does that.
Also, as with hacking, google is an excellent resource. These two books won’t be enough to fill all the holes, but the internet is a damned good filler.
In conclusion this book provides for pretty good preparation for the actual test, and is a comfortable read.
ABOUT THE TEST:
150 questions, you have 4 hours. I took only 2 and scored an 86%. 70% is passing. I studied for only two weeks, but have extensive background in the subject area.
The test is very specific, and you are expected to know the material in detail - NOT just concepts. The test is geared towards people with security experience, and the test questions are true to that purpose. It will be very difficult to pass if you:
1) Don’t know Linux
2) Don’t understand Microsoft’s OS and operations
3) Never actually used any of the hacking tools
Linux is not a MAJOR part of the test, but there are enough questions on linux command line operations to make a difference.
Keep in mind, just reading alone will not let you pass this test. It is very important that you try out the most popular and important tools (firsthand!). You will be asked about specific commands, and be expected to know them. Know nmap, snort, hping2, tracert and tcpdump down cold. Know the ICMP codes and types. The only way you learn this stuff is to actually practice it.
SC Magazine Awards 2007: Training Camp listed
November 15, 2006
Training Camp has been named a finalist in the SC Magazine Awards 2007 for the Best Professional Training Program category. According to SC Magazine, programs in this category are defined as those geared toward strengthening the expertise of IT security professionals, that provide educational programs, continued learning and certifications.
Contact me to find out more about our award-nominated IT security Training Camps and why they’re the best of the best. Our IT security camps include:
-Official (ISC)2 CISSP
-Official (ISC)2 ISSEP
-Official (ISC)2 SSCP
-Certified Ethical Hacker
-Forensics
-Licensed Penetration Tester
-CompTIA Security+
-CISA
-CISM
Security Certifications: DoD 8570
September 26, 2006
For government workers doing any kind of computer security/information assurance, the new regulation, DoD 8570, is a very important document.
DoD 8570, Information Assurance Training, Certification and Workforce Management, requires that all government workers (active duty, govt civilian and contractors) doing security work have a security certification. The DoD is really trying to crack down on security.
Among the top security certifications that you can get are the CISSP and the CISA.
Getting the top certs and then further specializing could give you the edge. For example, a CISSP with a CISA (auditor) would cover a lot of ground, as would a CISA and an IDS/C&A/Architecture specialist. It would really kick ass to cover ALL ground. This would not be difficult. Not sure if each specialization would require further certifications.
Cost, Renown, Difficulty Comparisons: http://dmiessler.com/writing/infoseccerts/
Includes: GSEC, CISSP, CISA. *Note: GSEC is $800 and difficult.
Security certs and their levels according to 8570: http://taosecurity.blogspot.com/2006/01/dod-directive-8570.html
Tech Level I-III & Management Level I-III. *Note: GSEC is Tech Level II.
Future Areas of IA Certification:
Certification and Accreditation
IDS and Analysts
Auditors
CND/SP members
IA architects, engineers
On a recent FISC slide (slide 10) I saw Red Team (pentesting/hacking) among these future specializations.
Intricate Steps of How to Hack Into a Computer
July 20, 2006
Here is a huge map that pretty much shows you all the possible ways to gain entrance into a system, from finding exploits and scanning ports to password cracking. It shows all the likely paths you can take to hack into a computer and/or test out its security.
Review: Certified Ethical Hacker (CEH) via Self Study
May 31, 2006
In his latest column for EH-Net, wireless hacking guru, Dan Hoffman, offers up his experience of attaining the CEH credential. Great read with fantastic advice for all you budding ethical hackers out there.