Showing posts with label Security.

Thursday, April 29, 2010

Journey To CISSP: A look at how to get the world-wide recognized security certificate





A little background
Security has been part of my duties since 2003, when I started working for a mortgage company as an analyst.  At this mortgage company I was responsible for the entire network and for the development of their pipeline management application.  Within the last couple of years I’ve been thinking about taking a class to go more in depth on security, but I hadn’t decided where I wanted to start.


Last week I saw an article about CISSP.  I figured that if I was going to take a class to learn more about security, I may as well take one that would lead to a certificate to show that I had the knowledge.  CISSP is recognized worldwide, with classes and tests in almost every country.  The requirements are managed by (ISC)2 and focus on concepts and methods rather than specific applications and techniques.


Classes
I first started looking for classes in my area.  Stockton didn’t offer any.  I ended up finding a class in San Francisco and one in Sacramento, and called them to check on pricing and scheduling.  The Sacramento company didn’t offer the class any more, and the San Francisco company was too expensive, with the cost being over $4000.  With continued investigation I discovered several other class offerings in the $3000-$4000 range.  Since I can’t afford to pay this myself, I decided to get a book.


All-in-One CISSP Exam Guide
I started out at the Barnes & Noble website, thinking that I would find the best book and run over to the local store to get it immediately.  After settling on a book published in November of 2009, I looked it up on Amazon.com to check on reviews.  There I found that most people were going with the “All-in-One CISSP Exam Guide” by Shon Harris.  The latest edition was just published in January of 2010, and people seem to be raving about how great a read it is and how they were able to pass the exam on their first try.  The Fifth Edition of the All-in-One CISSP Exam Guide seemed like the best choice.  Now I just need to wait for it to arrive.




Monday, August 10, 2009

DDoS Attacks On Twitter, Facebook Result Of Massive Attack On One Person
Originally Posted on Successful Thinkers Meetup by Josh Shackelford


It’s been a while since I’ve posted anything, and for those that know me, you understand some of the crazy things I’ve been going through and working on.  Recently there have been some outages on Twitter, Facebook, LiveJournal and some other social giants.  Many of us were wondering what the cause of this massive outage / attack was.  Below is an article from DarkReading that explains why so many people had to go without their social addiction for a few hours.

Botnet attack takes aim at pro-Georgian blogger and leaves collateral damage on social networking sites

Aug 07, 2009

By Kelly Jackson Higgins
DarkReading

It turns out yesterday's major distributed denial-of-service (DDoS) attacks that shut down Twitter for hours and disrupted Facebook and LiveJournal came out of a targeted attack waged against one individual with accounts on all of the sites.

A pro-Georgian blogger called "Cyxymu" was apparently the intended target of the massive DDoS that knocked down Twitter and caused major slowdowns on Facebook and LiveJournal when a botnet apparently blasted waves of traffic at his accounts on the sites simultaneously in an effort to shut down his communiques.

Cyxymu tweeted yesterday on his Twitter profile that the attackers were "Russian KGB." The blogger, who later unmasked himself to CNN as "George," 34, of Tbilisi, Georgia, told the cable giant that his recent blog posts may have triggered the attacks. One post, he told CNN, discussed "how Russia was preparing military aggression (sic) against Georgia, how they were training soldiers and mobilizing military equipment, what kind of provocations were carried out by the separatists prior to the war," according to the CNN report. He also said the attacks were timed to coincide with the one-year anniversary of the Russia-Georgia conflict.

As of this morning, Cyxymu's LiveJournal site was still down.

Various reports attributed the attack to an email spam run gone wild, but security experts dismissed that theory, saying it had to be a coordinated attack from bots. "There's no way that simply spamming out email containing the links would generate that kind of traffic to the social networking sites. There simply wouldn't be enough people who would click on the links to create a DDoS," says Graham Cluley, senior technology consultant for Sophos. "So this must have been a 'traditional' DDoS attack from compromised computers [that] could hammer the Websites with multiple requests every few seconds."

Twitter acknowledged it was working with other services on "what appears to be a single, massively coordinated attack. As to the motivation behind this event, we prefer not to speculate." It said no user data was compromised.

Facebook confirmed the attacks were going after one person: "Yesterday's attack appears to be directed at an individual who has a presence on a number of sites, rather than the sites themselves. Specifically, the person is an activist blogger and a botnet was directed to request his pages at such a rate that it impacted service for other users. We've isolated the issue and almost all of our users are able to enjoy the normal Facebook experience," the company said in a statement.

Meanwhile, Facebook's chief security officer, Max Kelly, is quoted in another report: "It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard," he told CNET.

And from the blog of Mikko Hypponen, chief research officer for F-Secure: "Whoever is behind this attack, they had significant bandwidth available. Our best guess is that these attacks were done by nationalistic Russian hackers who wanted to silence a visible online opponent. While doing that, they've only managed to attract more attention to Cyxymu and his message."

In addition to the DDoS attacks on Cyxymu's Twitter, Facebook, and LiveJournal accounts, Hypponen says the blogger's YouTube account was DDoS'ed, and he was also targeted by a so-called "Joe Job" spamming attack with email purported to be from "George" and trying to lure users to his blog on LiveJournal.
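The reasoning Cluley and Facebook give above, that a botnet makes each compromised host repeat the same request every few seconds while people clicking an emailed link each make one request, can be turned into a simple check over web-server access logs. The script below is an added example and is not code from the article, from the blog author, or from any of the sites named. The log lines are constructed, the path /profile/activist is a stand-in for the targeted account's page, and the thresholds are illustrative rather than tuned against real traffic.

```python
"""Flag a botnet-style flood aimed at one page in access-log lines.

Heuristic: bucket requests by (path, time window) and count hits per source
address.  A viral link yields many sources with one hit each; a botnet yields
many sources that each repeat the same request within the window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Enough of the common log format for this heuristic: client, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, aware datetime, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]


def find_targeted_floods(lines, window_seconds=60, min_sources=20,
                         min_repeats=3, repeat_share=0.8):
    """Return alerts for (path, window) pairs where many sources each repeat the request.

    min_sources    : distinct client addresses needed before we call it distributed
    min_repeats    : hits from one address within the window that count as 'hammering'
    repeat_share   : fraction of sources that must be hammering (a single hit per
                     source looks like humans following a link, not bots)
    """
    hits = defaultdict(lambda: defaultdict(int))   # (path, bucket_start) -> ip -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                # skip malformed lines instead of crashing
        ip, ts, path = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        hits[(path, bucket)][ip] += 1

    alerts = []
    for (path, bucket), per_ip in hits.items():
        sources = len(per_ip)
        repeaters = sum(1 for c in per_ip.values() if c >= min_repeats)
        if sources >= min_sources and repeaters / sources >= repeat_share:
            alerts.append({
                "path": path,
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "sources": sources,
                "requests": sum(per_ip.values()),
                "repeating_sources": repeaters,
            })
    return sorted(alerts, key=lambda a: -a["requests"])


def build_sample_log():
    """Constructed log lines (not real traffic): one flooded page, one viral post, noise."""
    t0 = datetime(2009, 8, 6, 14, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, path):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120'

    lines = []
    # Botnet: 40 compromised hosts, each re-requesting the same page every ~5 seconds.
    for i in range(40):
        for k in range(12):
            lines.append(line(f"10.{i // 256}.{i % 256}.7",
                              t0 + timedelta(seconds=5 * k + i % 5), "/profile/activist"))
    # Viral link: 60 different people each click once during the same minute.
    for i in range(60):
        lines.append(line(f"192.0.2.{i + 1}", t0 + timedelta(seconds=i), "/posts/42"))
    # Background request and one malformed line the parser must tolerate.
    lines.append(line("198.51.100.9", t0 + timedelta(seconds=30), "/"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in find_targeted_floods(build_sample_log()):
        print(alert)
```

Run as-is it reports one alert, for /profile/activist, with 40 sources and 480 requests, and stays silent on /posts/42 even though that page had more distinct visitors. On a real site the per-source repeat test is undermined by shared NAT addresses and by bots that rotate through many pages, so this is a first-pass signal for an operator, not a replacement for rate limiting at the edge.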


Monday, April 13, 2009

Moving Forward, While Standing Still – Battling IT Security

Creating Security Policies in a Down Market
Originally Posted on Successful Thinkers Meetup by Josh Shackelford

Security is a big issue for all IT leaders. Whether you're a CIO, CTO, IT Director, or an IT manager, you are constantly battling security. It can be very difficult to work on projects that move you forward when you are constantly fighting to maintain a secure network.

New Sources of Attacks
US infrastructure remains vulnerable to cyber terrorism. While the US as a country seems to be behind, many of our corporations practice much stricter policies than our governing agencies. Government agencies will always be targets, but mostly of terrorists and other nations. Those are not the same adversaries that we, as corporations, most need to protect against. Don't get me wrong, we still need to be protected, but our focus needs to be on fraud, identity theft, financial theft, etc. Most attacks on us will be geared towards financial gain.

Jump Start your Policies
In a slower economy, security often takes a back seat to other corporate priorities. Most projects are going to be focused on saving money or generating money, but security at a time like this is just as important, if not more so. We need to stay aware of the increased risks that a recession brings. There are more qualified, intelligent people in circulation who are getting desperate for income. We need to watch out for threats from past employees, current employees, the desperate unemployed, and the casual hacker who is just bored.

So how do you enhance security when your time is already so limited? Here are a couple of tips for increasing security without having to spend too much time devising your own policies from scratch. When constructing security policies, take a look at the requirements of the Health Insurance Portability and Accountability Act (HIPAA). The SANS Security Policy Project and NIST are also great sources of templates. While these policies might not work for you untouched, they give you a good place to start.

Rising Attacks
Attacks are on the rise. There are even reports of attacks on US power companies. We need to minimize our risks as much as possible, and if you are on the internet with eMail, eCommerce, or just a static website, you need to protect yourself at each of these points of risk. Try starting with something as basic as a Web Agreement like, "By using this website, you agree to be bound by the terms of this agreement."

A well-drawn Web Wrap Agreement can help you to significantly reduce your legal risks. The most basic thing that you should put in every Terms and Conditions is a limitation of liability clause. So even if you get sued and lose, at least the maximum damage award against you is nominal. I'll typically limit damages to something like $50 to $100.

To further insulate you from the claims of users, have them agree that use of the site is at their own risk and that you disclaim all warranties. Also, include a clause making them liable to you if they upload things to the site, like copyrighted or trademarked material, that they don't have a right to use. This gives you some protection if a third party sues you for something posted to your site by a user. Try including a clause requiring that any lawsuit be filed in your home state, not the user's, to discourage getting sued over nonsense. Using the courts looks a whole lot less attractive as the mileage increases.

Be Proactive
Once you get sued, you can't require the other side to come to your home state if you didn't already have the agreement on the site. Don't be like the people who put in the burglar alarm after the burglary. A little preventive law is much cheaper and less stressful than crisis law. Try starting with some basics, such as the 10 steps to improve security within Internet Explorer. Don't be hesitant about implementing new security practices, even if they seem dumb. People are often reserved about implementing simple security practices, since they know change is always met with resistance and many fear being hated for it. But even the SEC has many basic security challenges to overcome, such as plain text passwords or shared accounts.

And if you're still looking for a little extra oomph to get financing for that security project you just can't get approved... Try going back to some of your current vendors and asking for a discount. You might be surprised how many are willing to negotiate. Then try some scare tactics. Often security is on the back burner because decision makers aren't aware of the true risks. Try looking into 5 things you can't see on your network.


Move Forward
Even though you might think your IT security is at a standstill, try working on some basic, free, and time-efficient tasks. Some of these might be new policies, such as the password or data policies mentioned above; others might simply be applying new updates to your software. Software updates are often free, simple ways to maintain your security. Oh... and read about the updates. The holes they find and fill might give you ideas about other holes you need to fill in your own network and applications.


IT Liaison - Translating executive requests into geek for the common IT guy