Training on Security+

I will be doing training on the Security+ for the ISSA-COS.  I'm training the Communication Security portion of the test.  This is one of my favorite sections.

I told the ISSA guys I'd do it as long as I didn't have to train on Crypto, which is one of my weaker subjects.

I'm excited about the training because I feel like I will really be able to help people ace this test.  Most security professionals who have been in IT for more than a couple of years won't have a problem studying for it and passing it.

It really is just basic technical information security stuff.  There is also a lot of support on the Internet for this test: practice tests, guidance on what to study, and encouragement.

Don't sweat this test, especially if you've studied.

The ISSEP: Information System Security Engineering Professional (ISSEP) certification


I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification.  Since the CISSP info is still fresh in my mind and much of the ISSEP covers things I do or have to deal with daily, it seems like a good idea.

What is the ISSEP?
The ISSEP was developed by the International Information System Security Certification Consortium (ISC)2 in conjunction with the National Security Agency/IAD.  Whereas the CISSP is an all-encompassing general look at security, the ISSEP is a concentration on the system security engineering process.  System security engineering has to do with ensuring that selected solutions meet the mission or business security needs.  It is defined as "the art and science of discovering users' security needs, and designing and making with economy and elegance information systems so that they can safely resist the forces they might be subjected to."

System Security Engineer's tasks:
  Discover Information Protection Needs
  Define system Security Requirements
  Design System Security Architectures
  Develop Detailed Security Design
  Implement System Security
  Assess Information Protection Effectiveness

Instead of ten domains, the ISSEP has four:
  System Security Engineering
  Certification and Accreditation
  Technical Management
  U.S. Government Information Assurance Regulations

Most of the ISSEP's material comes from the Information Assurance Technical Framework (IATF).

My co-worker recently took the test and he said it was more difficult than the CISSP.  The CISSP is easily THE most difficult test I've ever done.  Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult.  The CISSP is so broad that you could not possibly get all the information from a single source.

http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf
http://www.nsa.gov
http://www.isc2.org


Taking the CISSP: part 1

I took the CISSP.  I really don't know what to say about it aside from acknowledging that it was extremely difficult.  Andrew Briney's article is the most accurate description of the CISSP test.  Briney says, "It's a mystery wrapped in a riddle inside an enigma."

His other very true point:

"The exam is best characterized as an 'inch deep and a mile wide.'  Whether this makes it easy or difficult is a matter of perspective."

For me the hardest part was the answers.  I feel like I've mastered the art of studying for a test.  The fact that there is so much knowledge crammed into a 250-question test makes my study techniques watered down.  It's very difficult to cover all 10 domains effectively.

I’m not one of those bastards that can walk into a test cold (no studying, no worries) finish in half the average time and pass.  If I don’t study, I fail.  I’ve learned to live with this.  I know my weakness.  I just second guess myself too much on every answer.  I’m one of those guys that does not believe that everything is black and white but that everything is a million shades of gray.  For me that is where the difficulty lies.  The CISSP wants you to choose the “best” answer.  So while many or even ALL of the answers might be true, there is only one BEST answer.  But my best might not be your best.

I’ve taken many certifications.  They have become almost a hobby of mine.  In June, I took the Security+ hoping it would help prepare me for the CISSP.  First of all let me just say comparing the the CISSP and the Security+ is like comparing Lennox Lewis’ fighting style to that of some 12 year old girl from John C. Still Middle School.  There is NO freakin’ comparison… NONE, do you hear me!  The preparation that I put into the Security+ is what help me in my CISSP success.  That being said, there were about 6 very similar questions from the Security+ that were on the CISSP but the CISSP contains ALL of the domains of the Security+ on a comprehensive level.

As I said, I’ve taken many certs.  And I DO NOT think that taking a test will make anyone instantly smarter or more technically skilled then some “l33t hacker” that has been cracking databases since age 12, but I DO believe some certifications have great value to the IT and Security industry.  With the possible exception of the CISA, the CISSP is the most exaulted security cert you can get right now.  Many say that any dependency on certification is what is lowering the amount of IT and security professionals with skills.  While there maybe truth to that, I say it is just another way for employers to gauge whether or not they are investing in a skilled employee.  Whether they choose the right candidate will ultimately be decided (just like anyone else) by time.

NO certification I have taken comes within an Astronomical Unit of the CISSP.  Of course I'm not an MCSE or a CCNP (though I've tasted the fruits of both), so perhaps there is a match in its level of difficulty.

Having taken the test I don't feel I was fully prepared, even though I have legitimate experience in nearly all aspects of security; I read a book and studied on and off for a year before taking the test.  I tell you, this test beat the shit out of me.  They give you 6 hours to complete the test and I finished in 5 1/2 hours.  When I was done, I was sure I'd failed.  I started trying to think of ways I'd pay the company back since they would not pay for a failed certification.  I also started studying for the repeat.  I was pleasantly surprised when I got the "congratulations" email.

Adequate study for me would have consisted of reading no less than two "600 page" books and going to a boot camp.

This is the best online CISSP resource I have found: http://www.cccure.org.


Special Shout outs go to the ISSA COS chapter and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke…42.

ASIS and ISSA join forces

Today I went to the ISSA luncheon.  The local ISSA chapter joined forces with an organization called ASIS International (formerly American Society for Industrial Security).

ASIS seems to be composed of a lot of physical security professionals (i.e. protecting critical infrastructure).  Whereas ISSA assists its members in attaining the CISSP, forensics certs and the Security+, ASIS concentrates on Certified Protection Professional (CPP), Physical Security Professional (PSP), and Professional Certified Investigator (PCI).

With my background in physical security, I fit right into their world.  I plan on attending one of their meetings in the future. 

Between ASIS and ISSA members we filled an auditorium.  With that kind of networking, something big is beginning to happen in Colorado.

Today's presentation of a smart card reader system had a lot of crossover appeal for information security professionals and physical security professionals alike.

Security+ vs. CISSP Part 1

I took the Security+ certification test.  I didn't read any books, but I did read a lot of test questions, went to a seminar sponsored by my local ISSA chapter, and I've got a few years' experience in all the Security+ domains.  After studying hard for a few weeks, I don't think that the test was that hard.  If I had not been prepared then I can see how it might have been difficult, as there are some pretty specific questions on things I did four years ago.

The Security+ is NOTHING compared to the CISSP.  I've yet to take the actual CISSP cert test, but as I've been studying it is VERY clear that these tests are from different planets.  It is like comparing the CompTIA N+ to Cisco's CCNP or CCIE… o.k. maybe not CCIE, but CCNP for sure.

I've been studying to take the CISSP on and off for about a year due to a fairly full plate.  I plan on taking the test in the next few months, so I've started reading up on some practice questions.  My original plan was to get a Security+ cert so that I could prepare for the CISSP.  As I've been reading the practice questions on the CISSP, I'm finding that the Security+ is simply not robust enough to even come close to helping me study for the CISSP.

Once I take the actual CISSP I'll be able to make a better assessment, though.

One of the most helpful items I found was a Security+ cheat sheet.  It is a very concentrated view of all five Security+ domains and makes for a great study reference.


Hacker Vs. Security Professional

Defcon.org, 29 – 31 July, Las Vegas, NV.  $80.00 admission @ Alexis Park 

A convention of hackers, crackers, programmers, security pros, black hats, white hats, gray hats: the entire spectrum of security technology freaks converging on one location to discuss their favorite subject.

Once a year I am encouraged to go to numerous Security Conferences, most of which turn out to be useless infomercials where vendors are trying to sell their plug-in security solutions.

There are very few that have really been of value.  Defcon is by FAR the best.  Since it is a hacker convention I often have trouble convincing the Government of its worth.  It is good to know that the FBI, CIA and possibly the NSA don't hold the same view as the Agencies I have worked for.

I cannot stress the value of Defcon to Security Professionals enough.

Martin McKeay has a great site on Security issues.  We discussed what the word "hacker" conveys to most people.

The original meaning of hacker was that of a technically savvy person creative enough to come up with workarounds, fixes and find vulnerabilities.  This is what hacking still means to me.  It is my personal opinion that this is where you separate the men from the boys.  Hacking, in the traditional sense of the word, is the true gauge of technical skill and understanding.

These days the meaning of hacker, and hacking in general, is used to address the activities of cybercriminals, or black hats.  Martin and I disagree with the direction that the concept is going.

Unfortunately, his view is what most "security professionals" and the general public currently think of the whole concept of hacking, that it is criminal behavior.  That is ignorant.

But, no matter how you define hacking or hackers, it is the duty of everyone who calls themselves a security professional to know the practices and mindset of a hacker, criminal or otherwise.  It is like a detective or a profiler.  The best detectives, investigators and profilers have an understanding of why criminals do what they do.  In this same way, it is imperative that the Security Professional understand the techniques and mindset of every shade of hacker, black to white hat.

Which investigator will understand a thief better, the one with a PhD in criminology or the investigator who used to be a thief?

If the security professional doesn't know how to exploit their own systems, how effective is that security professional… And if MOST security professionals cannot exploit ANY system, what does it mean to be a system security professional?


Martin's Comments:

I love the 'Hacks' books from O'Reilly.  They've probably done more to regain the original meaning of hack and hacker than all of the protests by security professionals combined.  I have 4 or 5 of the 'Hacks' books sitting on my work and home bookshelves.  Have you checked out Make magazine? (http://www.makezine.com/)

I wish we could regain the original meaning of the word, but I fear it's a pointless battle. To the average Joe in America today, hackers will always and forever be the evil creators of viruses and trojans. Not that Joe could tell the difference between the two.

I don't know if you remember it, but last year the guy who wrote the Sasser and Netsky viruses was hired by a German AV company (http://www.enn.ie/news.html?code=9554015). I know at least one German CISSP who was very upset at this idea, and let them know it. I also seem to remember that his employment didn't last long, but I couldn't find a link to that news. So at least one company was willing to hire a hacker knowingly and publicly.

People don't want to have to worry about the complexity of the shade of a hacker. Black, gray or white hat, if you say you're a hacker, they assume you're after their bank account number. I'll stick with calling myself a Security Professional, rather than trying to borrow from the 'hacker mystique' for publicity.

Posted by Martin at June 1, 2005 01:15 PM

ME:

McKeay.. great blog,

I was at Barnes & Noble the other day looking for Kyle Rankin's book, Knoppix Hacks, and I noticed hacking is quite the buzz word.  It seems every conceivable category of Information Technology now has a book followed by (or preceding) the words hack, hacking, hacker's guide etc.  O'Reilly has a whole series on hacks (great books): http://www.oreilly.com/hacks/

There is even a book called, "Understanding God's Will: how to HACK the equation" — (Not from O'Reilly)

I believe the reason for this is because hacking is cool.  It's like the new and very necessary quick-fix tool in this era of information overload and technical bombardment.

Many of the most famous and infamous players in this new Information Age have been Hackers.  Just to name a few: William H. Gates III, KBE, Blake Ross (19 year old creator of FireFox), Linus Torvalds, Klaus Knopper (creator of Knoppix), the Woz, Paul Allen, Kevin Mitnick, Jeff Moss (creator of Defcon), all the creators of Unix, Bill Joy…

The word hacker has been hijacked.  Its real meaning has been… hacked.  That is why I was overjoyed when I was introduced to the Certified Ethical Hacker certification.  I have yet to take the cert.  I plan on using the CISSP to prepare me for it… it is difficult from what I've seen in the sample tests.  I hope this cert gains enough credibility to take the concept of the true hacker back in the minds of business owners.

I went to Defcon in 2003 (11 I think) and I learned a lot there.  For one thing, not all hackers are evil Sasser Worm creators or a part of the "Hang Up Team" (a truly TWISTED bunch of Russian hackers).  Many of the Hackers speaking were hackers in the original sense of the word.  In fact, they were do-gooders!  They would find exploits and try and report them immediately to the owner of the software or hardware.  The biggest problem was that companies like Microsoft and Oracle would not listen to them.  They are often referred to as Gray Hats.  Almost like vigilantes, whereas White Hats can be considered people like you and me (mercenaries working for companies), and Black Hats just cyber criminals.

I think the concept of what a hacker is is being transformed.  Why a company would hire an internationally known Black Hat and publicize it is, to me, not smart money.  I bet it would even negatively affect the stock.

Why Information System Security Professionals Should Join the ISSA

I’ve finally stopped procrastinating and joined my local Information System Security Association, Colorado Springs Chapter (ISSA-COS).  A few of my co-workers have been encouraging me to join since last year.


Over the past year many of the benefits that they've enjoyed as members of the ISSA have spilled over on to me.  I encourage all serious Information security professionals to join because the ISSA has its fingers on the pulse of all information security events, jobs and seminars at discount prices.

ISSA members are always up on the latest security events and seminars in town.  Just two months ago, an ISSA member invited me to attend a Certified Ethical Hacking course.  I actually had no idea that there was a "hacking certification" prior to her email.  I attended a free seminar with mile2 and loved it so much I decided to attend the whole course.  I was able to attend an Ethical Hacking Course which my company paid for.  I'll be going for that cert soon.

As an ISSA member you will have access to many information security jobs in the area and around the world.  Recently, one of my former co-workers (an ISSA member) sent me information on an information security job in Baghdad.  For fear of being a part of a hostage reality show on Al Jazeera TV, I declined.  Would you decline a 300K/year job?  I must admit I think about it every now and then.  My co-worker actually took the job and is much braver than I am.

Discounts on events, seminars and training are another benefit of ISSA membership.  For example, we are having a local Security+ training that will be held this Saturday at Colorado Technical University, and in May there is the SANS Rocky Mountain 2005 – Immersion Training, which gives a price cut to all members.

In my opinion, the best thing about the ISSA is the ability to network with like-minded Information Security professionals.  In the local ISSA Chapter there is a meeting once a month with seminars and meetings that include speakers like Phil Zimmermann, creator of PGP, and representatives from companies like 3Com's TippingPoint.


If you are an information security professional, you should definitely sign up.  Membership is free for 90 days to give you a feel for the association (attend a meeting with your 90-day membership).  It is $99.00 a year for ISSA membership and an additional $25.00 for the Colorado Springs ISSA division (each local chapter has its own annual fee).  Don't be like me and wait a year to join.  The networking is worth your weight in gold, or at least 300K/year in an exotic location.


Join at http://www.ISSA.org

Building a Network:
Seth Godin has a good post about building a network.
