Four years verified security experience. An intimidating test. A waiting period that made me lose more hair. This was my CISSP experience. When I took the CISSP it was bubble sheet/Scan Tron. Eight hours for 500 questions from 10 domains ranging from Physical Security to arcane Data Classification used by the military around the time War Games came out. It is to use an oft used descriptor, a mile wide and an inch deep.
I sat for the test in March of 2006. I self studied. It was, to say the least, intense. Did I make it more intense than I needed to? Probably. I tend to over engineer about anything I can. Usually you can judge your level of study and adequacy of your methods by your test score. Trouble is, you don't see that in the CISSP. To the person, everyone I have talked to has the same comment "When I walked out, I had no idea if I had passed or bombed it!" When I took it, I had no computerized option, bubble sheet and #2 pencils only. It took 3 weeks to find out if I passed the test. At least that was via email. Then started the background validation. That was another 3 weeks. How did they tell me I passed? I got an envelope with Ryan D Gregory, CISSP on it. Saw it for the first time. This was a cert I had wanted since the day I heard about it. Something I sacrificed for, prepped for and lost a lot of sleep to. Needless to say, I wept like I was watching Rudy.
One of the questions I get asked most often is what materials I used to study. It's important to stop here and note my study process. Like everything I do, there is a process.
As a rule, I have 3 forms of all of the study materials on any exam. I have a primary book. This is the one I read from, mark up, etc. I use it for the entire study session. I have a second source, typically the "next best" version. I do this as people have different writing styles. They use different analogies. They use a different tone and assume different levels of skill and background. If I am baffled by a concept in book 1, I go to book 2 and read it there. I also tend to take the chapter and content tests out of the second book, rather than the first. More on that later. Third, I have an Exam Cram type book. One of those skinny, packed with questions, pump and dump type texts. I certify to build my knowledge, renew my understandings, validate I am still mostly sane, and then the letters after my name. Considering the price of most exams, and the fact that a lot of employers only pay for your first attempt, the test is ultimately fairly important. Below are the modern versions of the books I used. I have suggested them for the last 7 years, as well as my study methods and am proud to say the folks I have coached have passed the first time through!
First and foremost, the Shon Harris All-In-One Guide is a must. This is the Golden Book. I have known some folks that have used only this resource and passed.
Next is good old Sybex. Sybex have been around a dogs age and I have used them since my NT4 MCSE prep. They are consistently mediocre, but always a good secondary text. They employ good writers, have a very clean look and feel, and it's another "voice" to read the text.
Finally, a good Exam Cram guide for cramming, after chapter testing, and the bare bones answers.
I'm fortunate enough to be a moderate test taker. I'm extremely fortunate enough to have had a class on another topic taught by my friend and true instructor, ''KC" Keith Charles. KC taught me study tips that I use to this day, and share with anyone studying for a cert. I've developed a project style preparation system as well. I tend to put together a project plan for everything I do. A friend once joked that I can't refill my water bottle without a plan, process and system. So, here it goes:
- Set a date and work back. If you are paper and penciling it, this is pretty easy. If you are computer basing it, set the date and build your study plan backwards from that date.
- Set study times. You're busy. I'm busy. Congress is busy. Get over it, set a specific time. Lock yourself in a room. If you dig music and can have it without being distracted, rock that.
- I really like to read a chapter or concept in one book, then test on it from the end of the chapter in another book. I do this method until I am hitting in the 80% range, recursively study until I hit that number. I then test in the primary source and the tertiary. Once it's solid, it's solid. It goes in the memory bank until the final week or two before the test. Then I do the whole mugilla, chapter by chapter test. I will sometimes challenge myself to go back x chapters at the end of a session on an entirely different topic. With such a theoretical test as the CISSP, this can be a great game to play on yourself.
- Read the exam objectives. Highlight the areas that are going to be troublesome. Print those, have them somewhere you can see while you study. Review and check off what you are comfortable with.
- Have a plan for what you will study each session. "I will finish this malarky about the Orange Books tonight". "I will finally be able to explain Elliptical Curve Cryptography to my dog by the end of this session".
- From KC, the power and virtue of NERVOUS NOTES. The nervous notes concept changed my testing life. The concept is simple. You are nervous when you sit for a test. Doesn't matter who you are, you've got a bit of agita. These notes affirm what you know, give you crib notes for what you don't. You write them over and over until it is muscle memory. It gives you a second applied sense from which to learn, adds some kinesthesia and drives it home in general. Details on how I use nervous notes:
- Take out an 8.5x11 sheet of paper at the beginning of your study session.
- Start making tables, charts, squiggles and notes on the stuff that you are having a hard time with. For me a good example was EAP types for my CWSP. Nice little table of type, security level, definition, etc.
- After your first session, take out the sheet and refine it, copy it by hand.
- Wash, rinse repeat.
- As test time gets closer, finish up the notes sheet. Make a gold image. Copy it before and after each session, at least once, if not a few times. Get to where you are NOT thinking as you write it out. You want to affirm what you know, give crib for what you struggle with and give yourself some time to breath before you hit the begin button or rip open the test book.
- Get an 8.5x11 sheet of paper at the test center. VUE will give you one and a pencil if you demand it, and you give them the paper back after.
So, that's what I did. Again, this may have, in fact probably was overkill preparation. All I know is that it worked for me and I got those 5 letters I had wanted for so long.
Links that will be useful:
THE site for studying, www.cccure.org. This site has incredible forums, user generated test questions and is the best place for discussing the stuff you are struggling with. I still troll this site as do many folks that already got the letters. When I can lend a hand I do.
More links to follow!
Apple Launch Party
An informal viewing party in Stephen's palatial suite kicked off the day. Consensus was a lackluster presentation Ina device we all knew was coming. A fun way to start the day, but kind if a let down. I'm a big Apple fan, writing this on an iPad and all. I can't stand the UI on a phone tough. It seems playschool on that form factor. Even though I use a Galaxy S3, pocket space is a premium and I'm just not excited about devices getting bigger. If I need a larger screen, I have my iPad. If I need bigger, I have my MacBook Air. I'd actually be happier with a smaller phone!
This time, I promise to keep updated on the goings on! If you don't know about the Tech Field Days, they are brought to us by Stephen Foskett and his Gestalt IT (http://techfieldday.com/event/wfd3/). Stephen is the classiest man in IT and a storage and all things Apple guru.
The idea is to bring in independent bloggers and give the event sponsors a chance to get feedback from people who use their products every day. We live Blog, live Tweet and stream the event. It is the one conference I look forward to. I get to sit with some of the smartest people in the industry and grill the vendors! The talent and knowledge assembled for these events has never failed to humble me. Check them out (and follow on Twitter/Check out the blogs) http://techfieldday.com/event/wfd3/
Check out the Stream below, starting Wednesday:
Great sponsors again this year!!
Everybody has a smart phone these days. Not everyone is a smart user. If you are a consumer, with a device that doesn't touch your corporate email, chances are your device is not secure. In the corporate space, Mobile Device Management is the tech du jour. If your corporate IT department hasn't sent some lockdown stuff to it, they will shortly. Huffington Post had a nice layman's article due to the recent mobile phone hacking in the UK at:
Below is an article from Huffington Post on securing your mobile. Fairly high level. I would add:
I'd at that if your device doesn't have a PIN lock, don't put crucial or sensitive information on it.
A basic password lock screen will block a lot of attacks on your device, if you don't have physical control of it. Also enabling a pin on your voicemail blocks a long known issue with a lot of the wireless carriers in the US. Neither of these are going to stop a security professional, however. A couple tips:
Install a remote wipe utility - if you loose your phone, leave it in a taxi, etc. you can remove the data and wipe the device. Be sure you are using a backup app as well, so that you aren't re-entering contacts. iCloud or a Google account should do the trick if you are set to synchronize contacts.
Encrypt the data. Goto the App Store for your specific device and search encryption. Find something that encrypts the data while the device is locked. As a veteran security professional, I have a hard time getting through an encrypted device, one with just the screen locked is a piece of cake, with it tethered to my machine, with my tools (hence having physical control of the device as the article says). You can, alternately, find apps that encrypt the vital data, email, contacts, calendar, etc.
Don't use your ATM PIN. If you lose your purse, leave the phone somewhere with your wallet, etc and someone is able to determine your lock code, they will likely try it as your PIN.
Don't use the last 4 of your Social Security number. You recite it, type it, give it out to your cable company, phone company, etc any time that you are verifying your account. Don't use your birthday, your wife's birthday, your husband's birthday, your kids birthday, your gay, nubile, Tanzanian sex toy's birthday or your mother's (especially if she is one of those already listed).
Be diligent. If it looks like something has changed on your device, change your lock code. Change it anyway. Like a password, change it every month or so. When you change the Brita Filter, shave your legs, get paid, whatever other event gets your attention every month or so.
Install an anti-malware app from the app store. It should look for known fake apps, spurious activity, and the like. Type in "security" or "malware" in the app store. Look for one well reviewed.
So, is a large distributed hacking group, fond of Guy Fawkes planning an attack on Facebook? It depends on who you ask. They are DE-centralized. They are like Occupy in that they do not have a governing body, bylaws, membership fees, or fancy lapel pins. They are a group of like minded hactivists declaring war on "the institution". Whether you agree with their methods and message or not, there is virtually no way for "a civilian" to confirm or deny a threat.
Being an information security wonk, my feeling is that there are elements that have targeted the social networks. I have recent first hand fishing and social engineering attempts in my inbox.
I received an email from Facebook about one of the people I most respect in my field and one of my closest and oldest friends. It looked legitimate enough that I forwarded it to him and said "is this for real"? I have to admit, I do more with making networks talk to each other than with securing what is ostensibly public knowledge, so I was not familiar with a peer based password reset on Facebook. I was sure to ask a few personal questions that only the friend would know came from me. I got back a resounding NO. Looking at the email on my mobile device, even with a fairly heavy background in securing and forensically proving data is from the implied source....It looked real.
So what do you do about it? Change your password. Soon and often. I know, passwords suck. I don't know half of mine and keep them in an encrypted file, forensically hidden from the world on my system. They are phrases, which are easier to remember, they are disguised as other data (addresses, tech papers, notes, emails, etc). The phrases are 8+ characters with punctuation. Mathematically, the number 8 makes a password an order of magnitude harder for a computer to crack. So something like "@Never gonna give you up, never gonna make you cry!@" is a great password. I would have to crack each word, individually, the punctuation, the non-dictionary words like "gonna", and assume you are using a 6 year old meme as a password. I'd also have to put the words in the correct order. Those that know me wouldn't try it on my system, as I find Rick Astley detestable. Those who know me really well would try it thinking I was being ironical.
Data on Facebook, regardless of your settings, is fair game. It is indexed, stored, backed up, screenshot, and stolen if it is quotable. If you've ever used hotel, coffee shop, the neighbor or your own wireless network without having to add a password, you are wide open. With a mobile device and nearly no technical knowledge, your Facebook, Twitter, Email and other "slightly secure" data can be compromised. It takes me about two minutes, including waiting for my machine to boot.
Access to your Facebook isn't the biggest concern. The fact that you re-use passwords is. Don't say you don't. You do. You also probably use words and phrases that can be found within inches of your desk or computer. Words and phrases of family, musicians or sports entities that you like. Chances are your kids names are somehow involved. Even those in the security game do it. A lot.
So, are you explicitly under attack? Hell if I know. Is Facebook under constant attack? Sure. All sites of any interest are. That's why I have a job. Is it under organized attack from a loosely organized group for political, social or financial gain? I couldn't say. Even if I knew. My suspicion is it's better to be safe than sorry. In my line of work, I see every attack vector and attack surface. Physical, administrative, competitive, political, social and just plain curiosity. In an age where you are living out loud, take some rudimentary precautions.
If you MUST reuse passwords, have levels of passwords. X password for banking, commerce, secret messages to the lonely housewife you had a crush on in high school. Use another for your social networking sites and other less critical and benign sites. Use as many as you can remember without it being a pain in the ass and getting in the way of your daily use.
Change your password occasionally. Do it when you change the Brita filter, or pay the electric bill. Make it a routine.
Use phrases, not words. Make it complex to guess, easy to remember. Don't use stuff anyone that reads your Facebook can guess.
Never click on an email needing you to "verify" you are who you say you are. Chances are it is bunk. Log into your account and check there. It should work for just about anything short of YOU resetting your password.
Don't use a password so complicated that you have to reset it every time you try to login.
Don't store passwords in your browser. See the Wall Street Journal this week and the study done by some big Information Security company that signs my paychecks.
Rocky Gregory, CISSP
Posts to follow presenters, watch us stream at you:
Thanks to @BlakeKrone for the embed!
Thanks to our dear friend, Mr. Mark Church, The Lad and I were able to see perhaps the greatest live show of my life. Not Desmond Dekker, Not The Who, Not Elvis Costello. Two people who inspire my research and love of my trade more than just about anyone. Mr. Jamie Heynaman and Mr. Adam Savage. Mythbusters live may have been the show to beat all shows.
I read that the they were coming and knew that TheBionicLad, lead cryptologyst for AlliedSkunkWorks had to see them. As the smartest 12 year old I have ever met, the lad needs intellectual stimulii. To say it was awarded would be a like saying "Jamie Like Small Boom". There was a contest for good seats, so I reached out to the social networks to ask people to sign us up. No one did. One very good friend told me he had a hook up though.
We showed up at the venue and saw the backstage door was open. I knew we were on the list but not will-call or backstage. I asked a very nice young lady what the process was. Hearing a deep booming grumble, Jr and I started to perk up. NO WAY. IT'S NOT HIM.
Up walks a charming man in a beret, white shirt, black undershirt and huge mustache. Thrusting his hand out he said "Adam is a little busy, can you come see us after the show"? Ummm...ok.
We were fairly helpless at even finding our tickets.....more to follow
Told you I work for the greatest infosec company in the world!!
Susan Vaillancourt Accuvant (603) 459-8906 email@example.com
Accuvant Joins the Microsoft SDL Pro Network
Denver – Jan. 16, 2012 – Accuvant, the only research-driven information security partner delivering alignment, clarity and confidence to enterprise and government clients, today announced that it has joined the Microsoft SDL Pro Network. As a consulting member of the network, the elite Accuvant LABS assessment and research team will provide specialized application security consulting services to help companies develop more secure applications through SDL technologies.
“Cyber-attacks are continuing to increase in number and complexity, and many are aimed at the application layer. Our significant first-hand experience has shown us that the Microsoft SDL process improves the security of code, and helps to protect organizations from malicious attacks aimed at applications,” said Jon Miller, director of Accuvant LABS. “Becoming part of the Microsoft SDL Pro Network is an honor that highlights the expertise of our people and our processes.”
“Accuvant LABS is comprised of some of the best and brightest minds in information security today,” said David Ladd, principal security group program manager, Microsoft. “We are extremely pleased that Accuvant LABS has joined the SDL Pro Network in an effort to help companies ensure security and privacy is an integral part of their software development activities.”
Accuvant LABS’ end-to-end SDL reviews can cover an entire product team or development organization in addition to individual services that address all phases of the SDL including:
- Training – Secure coding, including design analysis and threat modeling, as well as application security assessment.
- Requirements and Design – Threat modeling, architecture and design review, regulatory and risk analysis.
- Implementation – Tool selection and implementation support, coding standard development and secure code reviews.
- Verification – Dynamic application testing, which typically includes fuzz testing and attack surface reviews.
- Release – Final security review assessments and response plan development.
- Response – Response services, including attack analysis, vulnerability reverse
engineering, and code remediation.
Since 2002, Accuvant LABS has provided penetration testing, application and enterprise security assessments, vulnerability research and training to more than 2,000 clients across industry verticals. Experts from the team have won numerous awards and have
been featured in articles published by Ars Technica, Associated Press, SC Magazine, and New York Times, among others.
For more information about Accuvant and SDL, please visit
Accuvant is the only research-driven information security partner delivering alignment between IT security and business objectives, clarity to complex security challenges and confidence in complex security decisions.
Accuvant delivers these solutions through three practice areas: Accuvant LABS, Risk and Compliance Management and Solution Services. Based on our clients’ unique requirements, Accuvant assesses, architects and implements the policies, procedures and technologies that most efficiently and effectively protect valuable data assets.
Since 2002, more than 3,900 organizations, including 65 of the Fortune 100 and 20 of the largest U.S. Federal Agencies, have trusted Accuvant with their security challenges. Headquartered in Denver, Accuvant has offices in 36 cities across the United States and Canada. For more information, please visit www.accuvant.com, follow us on Twitter: @Accuvant, or keep in touch via Facebook: http://tiny.cc/facebook553.
© 2011 Accuvant, Inc. All Rights Reserved. “Accuvant” is a registered trademark of Accuvant, Inc.
So, being a guy with a disability and an engineering focussed mind, I see problems with BIOtechnology everywhere I look. I've worked for and with most hospitals in Oregon, and been a customer of said far far too many times. I walk with a cane 30-50% of the time. Canes are stupid. It's a stick that you use not to fall. Like cavemen did. Wheel chairs, even the most advanced, are heavy, clumsy, demeaning and stupid. My canes are collapsable mostly, and can be deployed from my bag in a swift movement. This usually involves stopping, waiting for it to snap together then walking. It also requires what the BIOnicLadies call a MAN PURSE be with me at all times. My leg just doesn't cooperate a lot of the time. BIOtech is broken. We can do AMAZING things with these waves Mr. Hertz found for us, but we can start doing it smaller, faster and better. Just look at Dean Kamen's Luke Arm!!
I use the cane because my lower back is...as Patrick at Ptown scooters would say "a basket case, maybe good for some parts". My lumbar disks have caved in and broken. The last one down was removed and replaced with titanium. Being the last one, it takes the most pressure. If you imobilize it and you are prone to broken disks....you break disks. That hurts. My back looks something like this, if all of the lumbar disks were broken:
Sciatica is a refered pain from your back or spinal column that means the Sciatic nerve is pinched or otherwise inpinged. When your disks "bulge" or you get "slipped disk" it means that nerve is compromised. If you haven't has sciatica, I wouldn't recommend it. It's a lot like having a wild animal chewing on your leg. All the time. That hurts.
So how do we treat pain in the US? Chemicals. Chemicals are stupid. We have the most complicated machine ever (choose one, don't look on anyone else's paper) [created]/[invented]. Why on earth do we want to dump crap into it? Because we can't figure out the mechanics. Sometimes you need a lube job, sometimes an alignement. What FEW people remember, until someone has a heart attack is that though we are ugly bags of mostly water, we also need electricity. If done wrong, that hurts.
So, we know that pain from the lower extremities traverses the spinal cord using electricity. Why don't we just send a busy signal by attenuating the signal from pain into say...a pleasant and numb feeling? Well, we do. In fact, that is why I have a BIONIC butt! This technology is NOT stupid. It is not new either. It's been around 30 years in various forms. I personally went with mine because the company that makes my particular implant had Bionics in the name and they made my grandfather's cochlear implant. It is also the only fully wireless solution, which is why I really went with it. I charge my implant with a biscuit battery first charged on the wall, then taped to my side. It's "inductively charged", like your toothbrush, or a charging mat for your PDA. I change my stimulation level with a remote that looks like a garage door opener. The whole system, including the implanted battery, the leads that are sutured to my spinal column and the remote comprise a technology called NeuroModulation. This particular flavor is called a Spinal Cord Stimulator or SCS. Here is one of a dozen videos on it, until I make my own:
It's an amazing tech. Or it was 5 years ago when I got mine... Who is the worst candidate for an RF based pain implant? A wireless hacker. Or maybe the best candidate...hmm....
So, without going into much detail, the security is...lacking. It uses a VERY commonly used frequency and has only 1 way authentication. I have found that with an Arduino kit and 1/2 hour I can take over a stimulator. I don't have a live stimulator other than the one that's in me, but I can show that with it's remote controller, I can take over someone ELSE'S body. I don't hack my own body beyond RFID implants, punching my heavy bag and tattoos, so my POC lacks a live demo other than taking over with an unauthorized remote. Remember, the device doesn't "see pain" and stop it, it is just on or off at a particular frequency and amplitude.
Neuromodulation is GOOD. Taking 40% of someone's chronic pain away without drugs is GOOD. Having it relatively easy to compromise and change someone's level of pain is BAD. That tingling sensation can become insanely painful and crippling if over done. The programming is like the eye doctor, a vetruvian man on screen and a tablet with tingling moving around as a technician says "Number 2 or Number 3" to which setting effectively makes parts of your body tingle. Being able to move that sensation around without a trained neurologist and technician scares the bujhezus out of me, and I'm fairly technical. I love the tech, but the security needs a good hard look.
My next post will be on research I am conducting for improving the stimulation itself as well as more detail on the security issues.
SearchITChannel.com article quoting me on Biometrics!
Biometrics solutions still searching for identity in channel
The potential for biometrics technology as part of identity management solutions in certain niche applications continues to intrigue VARs and systems integrators, especially those involved in the health care industry.
More on biometrics
Biometric security technology: The safest types of biometric devices
Biometric authentication technology curbs microfinance org's losses
Electronic access control system and biometrics authentication
But actual deployments and service opportunities for IT solution providers have been slower to catch up. The low numbers are in spite of the inclusion of technologies such as fingerprint readers and palm-print scanners in notebook models from manufacturers including Fujitsu, Hewlett-Packard and Lenovo.
The slow uptick has a lot to do with cost, but it also highlights concerns about the “false positives” that fingerprint scanners or palm-print readers can sometimes yield, according to security VARs and systems integrators.
“There are a lot of things that can happen if a biometrics method fails,” said Michelle Drolet, CEO of Towerwall Inc., a security solution provider in Framingham, Mass. “If it doesn’t work, you can’t log on. What happens if a false positive occurs when you are on the road? Most people aren’t ready to deal with this.”
Many security solution providers have been watching biometrics technologies for years, as they seek viable methods of identity authentication.
Rocky Gregory, information security solutions engineer for Accuvant Inc., a Denver-based security solution provider, said that the health care sector is clamoring for credible secondary security authentication methods. That’s because solutions that require a health care professional to log on to a computer using a typed password are at odds with the physical requirements of some health care settings.
“We have to get to a secondary authentication system that is easy for the masses that puts us into a more secure environment,” Gregory said.
Types of biometrics validation systems
The most commonly understood and widely used biometrics authentication method is fingerprint scanning, although Gregory said there remains a “fine line between false positives and negatives.”
Other methods cited by solution providers and integrators evaluating this market are palm readers (think PalmSecure from Fujitsu Frontech North America) and retinal scanners, most often associated with military or government settings. RFID readers, in certain applications, could be considered security devices because they can track movement of, for example, a patient.
A forecast by Acuity Market Intelligencestates that commercial solutions that use biometrics could match public sector deployments by 2014. Overall, the market could generate $11 billion in 2017, compared with slightly north of $4 billion this year. That’s one reason some of the highly visible vendors in this segment are fine-tuning their channel partner programs.
Training for resellers
In mid-September, Fujitsu Frontech of Foothill Ranch, Calif., launched a new partner program, called PalmPartner, to train VARs and systems integrators on creating applications that build on the Fujitsu PalmSecure biometric technology. The thrust of the program is to help train VARs for specific, customer-focused applications, notably in health care.
Christer Bergman, vice president of the Fujitsu Frontech biometric solution group, said Fujitsu provides the reader and a simple software development kit that uses PalmSecure as the biometric engine. “We need to provide the technologies and then work closely with partners to get the sales and business developed,” Bergman said.
Today, the biggest installed based for PalmSecure is in health care settings. Recent implementations include a patient registration system for the New York University Langone Medical Center and a patient registration and records management system for the George Washington University Medical Center.
Health care security systems are also the top focus for BIO-key International Inc., a Wall, N.J.-based company that has invested in courting VARs and systems integrators as a sales and solution channel for its technologies.
Scott Mahnken, vice president of marketing for BIO-key, said the company’s technology is integrated with products from many of the top vendors supporting single-sign-on solutions including CA, IBM, Microsoft and Oracle. “People have been inconvenienced by passwords,” Mahnken said.“Hospitals, blood banks, they want to do this for compliance reasons, but they also want to do this to help tame administrative costs.”
Jim Russell, vice president of sales for Matrix Systems, a biometrics integrator in Miamisburg, Ohio, said another key selling point for biometrics solutions is convenience.
Doctors in surgery don’t want to have to carry proximity badges to enter certain secure areas, but fingerprints aren’t an option because of surgical gloves, so iris scans could work well, Russell said.