Welcome to cissp CISSP training Certified Information Systems Security Professional
Search
Nickname Password Security Code Security Code Type Security Code  

You are certified but are your qualified? Become qualified today.
FITSI the certification program for the federal workforce

Rated #1 Training

Library of Documents

Forum Postings

CISSP's Blogs

Recommended Podcasts

MISC Menu

Security Books

Surveys

Where do you find the best price for books?

Amazon.Com
Bookpool.Com
The ISC2 webstore
CISSPS.COM
Cheapbooks.com
Ecampus.com
Other (Please leave a comment with name of site)



Results
Polls

Votes: 1436
Comments: 33

Top10 Links

Top10 Downloads

Who's Online

There are currently, 74 guest(s) and 13 member(s) that are online.

You are Anonymous user. You can register for free by clicking here

Training Classes Calendar

Test of Widget

 

The CCCure Family of Portals is strictly supported by our Sponsors below and Donations.

Core Impact your compliance best friend Top Training for Top Results, delivered by Security University

FITSP the Federal Government Certification
Home of CORE Impact
Click Here to visit.		 List of Classes
Register for a class		 CLICK HERE
to get more details

Calendar of Upcoming Classes and Events


Great supplements to help you reach your certification goals


Today's Most In-Demand Certifications
Posted by boss on Monday, 26 July 2010 @ 12:00:40 EDT (54 reads)
Topic JOBS

cdupuis writes "

Original article on the great Certification Magazine website at: http://www.certmag.com/read.php?in=3950

An industry-recognized certification can provide you with a competitive edge whether you’re looking for a new position or trying to advance within your current firm. However, the biggest challenge when it comes to earning a professional designation is often determining which one to pursue.

Here are the four most in-demand certifications, according to Robert Half Technology’s staffing and recruiting professionals across the United States:

Certified Information Systems Security Professional (CISSP): Offered by the International Information Systems Security Certification Consortium (ISC)², this vendor-neutral information security accreditation covers 10 domains, including access control, cryptography, operations security, and security architecture and design. To earn a CISSP, you must meet certain experience requirements and achieve a scaled score of 700 or greater on the CISSP exam. The credential also must be renewed every three years. According to CIOs polled for the latest “Robert Half Technology IT Hiring Index and Skills Report,” the second most challenging functional area to fill is security, increasing the appeal of job candidates with a CISSP designation.

Microsoft Certified Systems Engineer (MCSE): This certification focuses on the design and implementation of these particular infrastructures. It’s recommended that you have one to two years of experience working with network systems before pursuing the accreditation. Earning the MCSE certification demonstrates a commitment to professional development because you must have a wide range of knowledge and pass seven exams to obtain it.

Although the MCSE designation is in particularly high demand, job candidates who have earned any Microsoft certification have an edge in the job market. Because of the ubiquity of Microsoft applications, accreditations that demonstrate your knowledge of these technologies will continue to be sought by employers.

Project Management Professional (PMP): If you want to validate your project management abilities, this credential, offered by the Project Management Institute (PMI), may be for you. You must have between three and five years of project management experience to take the exam, and the certification must be maintained by earning 60 Professional Development Units over a three-year period. The increasing complexity of IT projects, and the need to involve individuals from all over the organization in these engagements, has led to the demand for verifiable project management skills.

Cisco Certified Network Associate (CCNA): This vendor-specific accreditation authenticates the bearer’s ability to administer medium-size route and switched Cisco networks. To earn the certification, you can either pass the 640-802 CCNA exam or both the 640-822 Interconnecting Cisco Networking Devices Part 1 (ICND1) and 640-816 ICND2 exams. The CCNA designation is valid for three years, after which you must pass one of various possible exams to renew it.

Fifty-eight percent of CIOs polled for the “Hiring Index” ranked network administration as the technical skill set in greatest demand within their IT departments, further demonstrating the marketability of professionals with the CCNA credential.

Although earning one of the above certifications could be advantageous for your career, that doesn’t mean doing so is the necessarily the best move for you to make. Before pursuing any professional designation, you must ask yourself the following questions:

•    Which certification is right for me? Take into account your experience, current position and future professional goals. For instance, if you have a project management background and want to further your career in that area, a PMP certification could be extremely valuable. However, if you have no networking experience, it’s unlikely that a CCNA accreditation will boost your marketability. It’s important to understand that a certification can’t take the place of experience. Rather, it is best used to support relevant experience you already possess.

•    How much time and money are involved? Between books, study aids, training courses and exams, there will be costs involved. But there may be ways to reduce these expenses. If you’re currently employed, your company may offer financial assistance with your education. If you’re unemployed, you might consider registering with an IT staffing firm, some of which offer free training courses, test preparation and sample exams.

The time commitment can vary dramatically depending on the designation you are pursuing. The MCSE certification requires you to take seven exams, for instance, while the CCNA designation will perhaps only require one. Also keep in mind that some credentials require ongoing study to remain valid.

•    How much of an impact will a certification have on my career? This question is hard to answer. According to the “Robert Half Technology 2010 Salary Guide ,” a credential can increase starting salary by up to 10 percent. But not all certifications are created equal. Those less in demand may not boost your compensation at all or increase your appeal to potential employers by any noticeable amount. You may want to consult members of your professional network, especially those who have earned a certification you hope to obtain, or an IT recruiter for additional insight.

Dave Willmer is executive director of Robert Half Technology, a provider of IT professionals for initiatives ranging from e-business development and multiplatform systems integration to network security and technical support. He can be reached at editor@certmag.com

Original article on the great Certification Magazine website at: http://www.certmag.com/read.php?in=3950

"

(comments? | Score: 0)


Kobil SmartCard Reader hacked
Posted by boss on Monday, 07 June 2010 @ 07:58:47 EDT (408 reads)
Topic Cryptography

cdupuis writes "

No broken seals:  A Windows tool allows unsigned firmware to be installed.

A vulnerability in smartcard readers made by vendor Kobil[1] allows intruders to install specially crafted firmware without opening the sealed housing. Attackers could exploit this to read PINs such as those used for digital document signatures or to display forged data on-screen. To prevent such intrusions from happening, smartcard readers are usually subjected to a special security check before they are approved. Several leading institutions had tested the Kobil readers and confirmed that they complied with the strict German Signature Law (SigG) including the German Federal Office for Information Security (BSI). The German Central Credit Committee (Zentraler Kreditausschuss, ZKA) also approved the TriB@nk device for use with the "Geldkarte" application, and Secoder, the successor of HBCI, for home banking.

In its report on the affected Kobil devices, EMV-TriCAP Reader, SecOVID Reader III and KAAN TriB@nk, the BSI found[2] (German language link): "A firmware signature verification which uses the asymmetric ECDSA algorithm and a bit length of 192 guarantees firmware integrity and authenticity when loading new firmware into the chip card reader." This means it should be impossible to install firmware that does not have a vendor signature.

The reader's boot loader is responsible for checking the signature. A hacker using the name Colibri has managed to bypass the signature check by replacing the reader's boot loader with a specially crafted boot loader. The hacker introduced individual flash memory blocks in the wrong order, so that the memory contained some parts of the crafted boot loader and some parts of Kobil's signed boot loader – which was eventually accepted by the device. However, the crafted boot loader's signature check function was disabled, which allowed the hacker to flash arbitrary firmware onto the reader via USB. Colibri informed Kobil about the problem and released a fascinating and detailed report[3] (German language link) about the hack, as well as a Windows tool and firmware updates for reproducing the issue. Using this information, The H's associates at heise Security successfully managed to inject specially crafted firmware into a "Kaan Trib@nk" smartcard reader (version 79.22).

At the end of April, Kobil released[4] security update 79.23 for the Kaan TriB@nk to close the hole(s). According to Kobil's Head of Product Management and Development, Markus Tak, the update is also designed to prevent attackers from randomly updating memory blocks in the future.


The firmware can be replaced in just a few steps using a Windows tool. Although the hole was disclosed several weeks ago, publicly available information about this problem still remains sparse. While the German Federal Network Agency, being the responsible authority under section 3 of the German Signature Law (SigG), has issued a warning[5] (German language link) about the security hole on its web pages, the information so far doesn't seem to have reached the general user base.

When asked, the ZKA said that the vulnerability was not publicised because the issue affected a "limited group of customers" who were apparently informed directly by the vendor. Furthermore, the ZKA said that the applications for Geldkarte, HBCI and Secoder are not affected by the hole. However, the ZKA's press spokesperson was unable to explain why this should be the case.

Some savings banks have at least pointed out the problem on their web pages and recommend[6] (German language link) that users send their devices to Kobil, for an update. Potential residual risks reportedly make it advisable that users don't update the firmware themselves. In any case, the new firmware hasn't yet been certified. Kobil has not provided any updates for its EMV-TriCAP Reader and SecOVID Reader products, which are also affected.

Talking to heise Security, Colibri gave his hack an intermediate difficulty rating. The hacker said he has analysed devices as a hobby for years and considers other projects such as his analysis of the PowerVU encryption used in military transmissions much more difficult. Colibri said the most involved aspect of the hack was having to write a disassembler for the Toshiba processor used in Kobil's devices.

The vulnerabiltiy casts further bad light on security certifications for systems and software. Prof. Dr. Rainer W. Gerling, the Data Protection and IT Security Officer at the Max Planck Society for the Advancement of Science said in an interview with heise Security: "This hack shows that the quality of a certification depends on the creativity and imagination of the tester. This is a fundamental problem of certifications." It seems that the BSI testers were not the only ones who lacked imagination, because T-Systems also found[7] (German language link) in an independent test that the devices comply with the safe PIN entry requirements described in the German Signature Law and Signature Regulation.

URL of this Article:
http://www.h-online.com/security/news/item/Kobil-smartcard-reader-hacked-1014651.html

Links in this Article:
  [1] http://www.kobil.com/
  [2] https://www.bsi-fuer-buerger.de/cae/servlet/contentblob/485368/publicationFile/29542/02096_pdf.pdf
  [3] http://colibri.net63.net/Smartcard-Reader-Hack.htm
  [4] http://www.kobil.com/index.php?id=1364&L=0
  [5] http://www.bundesnetzagentur.de/cln_1932/DE/Sachgebiete/QES/QES_node.html
  [6] https://www.sparkasse-kraichgau.de/privatkunden/konten_karten/online_mit_hbci/kaan/index.php
  [7] http://www.t-systems-zert.de/pdf/ein_02_sig_pro/zf_02219_d.pdf

"

(Read More... | Score: 0)


Hakin9 Magazine June edition has been released -- Get your copy now
Posted by boss on Tuesday, 01 June 2010 @ 08:33:42 EDT (488 reads)
Topic Hackers

cdupuis writes "

Hakin9 Hakin9 magazine JUNE Edition:

Is DDOS Still a Threat?  New issue of Hakin9 magazine already available!

Inside:

* Is DDOS Still a Threat?

* Jailbreaking and Penetrating with the Iphone 3G & 3GS

* Flash Memory Forensic Tools - part two

* Beginner’s Guide to Cybercrime -Understanding Attack Methodologies and a More Proactive Approach to Defense

* Pulling Kernel Forensic with Python

* More Secure PHP Server Side Source Encryption

* Securing Public Services Using Tariq

* Expert Says: Don't let the zombies take you down!

Download you copy now

Is DDOS Still a Threat?
Matt Jonkman Is DDOS, or Distributed Denial of Service, still a credible threat? Do we lay awake at night scared of when the next one might hit us? An obvious question perhaps, they are still a threat to most online enterprises. But they’re not the top of the news issues they once were. Expert Says...: Don’t let the zombies take you down! Ian Kilpatrick

Over the last year, the incidence of botnet (or zombie) attacks has been growing rapidly. Some service providers around the world have already begun to take action against botnets and there is increased interest from other service providers, and from companies, in dealing with this serious security threat.

Beginner’s Guide to Cybercrime – Understanding Attack Methodologies and a More Proactive Approach to Defense Gary Miliefsky How about why nothing with an IP address is secure and why traditional countermeasures such as firewalls, anti-virus and intrusion detection fail? Would you like to learn new methods to proactively defend against attacks? If so, you’ve come to the right place.

Jailbreaking and Penetrating with the Iphone 3G & 3GS Wardell Motley Today Smart phones are getting smarter and smarter. They are a far cry away from the Walkie-Talkie like devices from the the early 90's. Now a smart phone in the hands of skilled attacker can be used to help penetrate networks on the fly. No longer do you need to walk around with a bulky laptop to get the job done.

Flash Memory Forensic Tools - part two This second part is focused on advanced tests done on flash memory embedded in a Nokia mobile phone. Tests presented in this article are not for all as they require a well furbished lab; even that what we try to demonstrate here is that – when flash mobile forensic will leave its infancy – there are some issues forensic officers should take in consideration.

Download your copy now

Contacts Us
editors@hakin9.org
Editor-in-Chief Karolina Lesińska
karolina.lesinska@hakin9.org

"

(Read More... | Score: 0)


Lifelock ID Theft Protection worries after employee data leaked to Web
Posted by boss on Tuesday, 01 June 2010 @ 07:26:56 EDT (273 reads)
Topic

cdupuis writes "

This story appeared on Network World at
http://www.networkworld.com/news/2010/052610-lifelock-worries-after-employee-data.html

Lifelock worries after employee data leaked to Web

Identity theft protection company posts CEO's SS number, but not OK with employees data being in public

By Robert McMillan, IDG News Service
May 25, 2010 10:31 PM ET

It may be OK for identity theft protection vendor Lifelock to publish its CEO's Social Security number, but when it comes to other company employees, that's another story.

The company has asked the Phoenix New Times to remove a police report from its Web site after discovering that it contained a redacted Social Security number of Lifelock employee Tamika Jones. The number could be read by simply cutting and pasting the PDF document into another word processing program, a common problem with poorly-redacted documents.

Also in the police report: Jones's date of birth, address, phone number, and address.

"Yesterday, Christy O'Connor of LifeLock called New Times and asked us to remove the link to the PDF document," the New Times reporter Ray Stein wrote in a Tuesday story. "The smart-ass in us couldn't resist giving O'Connor, LifeLock's associate general counsel, some grief."

After Stein pointed out that Jones works for a company that promises to protect customers from identity theft, before it happens, the newspaper agreed to post a properly redacted version of the document on its Web site.

In an interview, Stein said that the fact that Lifelock had to call and ask for the document to be removed reflected badly on Lifelock's service. "I think this shows clearly that they know that it's got potential problems."

Stein has been a thorn in LifeLock's side for several years now. He's the reporter who in 2007 first raised questions about company founder Robert Maynard Jr., including a U.S. Federal Trade Commission [FTC] court injunction that prohibited him from selling credit improvement services. Maynard left the company after this story was published.

Last week, Stein reported that LifeLock CEO Todd Davis had been the victim of identity theft, at least 13 times. Davis is famous for publishing his Social Security number in LifeLock ads, saying that he's so confident in his service that he has no problem making the number public.

Apparently the document with Jones's information was improperly redacted by the Chandler, Arizona, police department

Unfortunately, the New Times had a redaction problem of its own. It neglected to remove the original version of the document, which was still downloadable from the Web Tuesday afternoon. This was news to Stein, who said he was looking into the matter.

Lifelock representatives could not immediately be reached for comment.

The company says it has over 1.7 million customers, who pay for its identity theft protection services, but it's also had some serious credibility problems. Two months ago, the U.S. Federal Trade Commission fined lifelock US$12 million for deceptive advertising.

The IDG News Service is a Network World affiliate.

All contents copyright 1995-2010 Network World, Inc. 

"

(Read More... | 1 comment | Score: 0)


Melissa Hathaway's Nine Cybersecurity Bills to Watch
Posted by boss on Saturday, 29 May 2010 @ 11:10:07 EDT (538 reads)
Topic Law & Legalities

cdupuis writes "
NOTE FROM CLEMENT:
As seen on the great GovInfoSecurity web site at:
http://www.govinfosecurity.com/p_print.php?t=b&id=558

A nice report was created by Melissa Hathaway on current cybersecurity bills to watch.  It is definitively a nice high level overview of the many acts, laws, and bills related to cybersecurity.   Do get a copy of the report in PDF format.  You have the link below:

May 21, 2010 - Eric Chabrow
Melissa Hathaway probably knows more about what's going on with cybersecurity legislation before Congress than even the lawmakers who sponsor these bills; heck, she likely understands more about these measure than the key staffers who are the brains behind them.

Since leaving the White House last summer, Hathaway - who led President Obama's 60-day cyberspace review last year - has become involved in a variety of IT security ventures, including becoming a senior adviser at the Belfer Center for Science and International Affair at Harvard University's Kennedy School of Government. There she conducts research and writes about IT security. One of her projects is to track cybersecurity legislation before Congress.

Hathaway this past week completed a 31-page report documenting some 40 IT security bills before Congress. The report provides an analysis on the wide range of topics they address including organizational responsibilities; compliance and accountability; data accountability, personal data privacy, data breach handling and identity theft; cybersecurity education, research and development and grants; critical electric infrastructure protection and vulnerability analysis; international cooperation on cybercrime; and procurement, acquisition and supply-chain integrity.

Here are nine bills Hathaway characterized as "legislation to watch," along with her analysis of them:

  • Data Breach Notification Act, S 139, would normalize the 46 state data breach laws into one national umbrella. It may be expanded to include more than personal identifiable information. "One issue with this bill is that it would consolidate all reporting to the U.S. Secret Service, which is not helpful for broader information sharing with industry or across government."
  • Data Accountability and Trust Act, HR 2221, was approved by the House in December and requires internet service providers to make victims aware of infections if they see a breach across their networks. "It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone."
  • International Cybercrime Reporting and Cooperation Act, S 1438 and HR 4692, requires the president to produce an annual report to Congress providing an assessment of every country's level of information and communications technology utilization and development; assesses how each country's legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. "This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated five years of 'bad behavior.'"
  • Cybersecurity Enhancement Act, HR 4061, which passed the House in February. Among its key provisions: creating an office for a national coordinator for IT security research and development. "While this is non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it's not clear how the new office will interact with the current [White House Office of Science and Technology Policy] responsibilities."
  • FISMA II, S. 921 - also known as the United States Information and Communications Enhancement Act or U.S. ICE - updates the Federal Information Security Management Act of 2002 from compliance driven (check-list) to measures that are performance based and could address IT procurement reform.
  • Intelligence Authorization Act, HR 2071, strengthens America's intelligence capabilities, and improves congressional oversight of our intelligence agencies. The measure also contains multiple congressionally directed actions for the Comprehensive National Cybersecurity Initiative. "It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts and more effectively prevent the spread of weapons of mass destruction."
  • Cybersecurity Act of 2009, S 773, combines audits, industry-developed and government-backed standards, increased information-sharing and other mechanisms to bolster private-sector cybersecurity. The measure also known as the Rockefeller-Snowe Bill, establishes a presidential-level cybersecurity advisory panel and a national clearinghouse for information sharing as well as extend the Scholarship for Service program and increases the National Science Foundation's budget for R&D.
  • The Grid Reliability and Infrastructure Defense Act, HR 5026, amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to require measures to protect against system vulnerabilities if it finds that the North American Electricity Reliability Corp. standards are insufficient. If enacted, the legislation would provide a security framework for the smart grid.
  • Energy and Water Appropriations Act 2010 has already been signed by President Obama. It appropriates $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, that will be used to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.

Hathaway concludes her report, calling on congressional leaders to set legislative priorities for cyberspace.

"

(Read More... | 6 comments | Score: 0)


Hakin9 Magazine is now FREE -- Get your copy NOW!
Posted by boss on Sunday, 16 May 2010 @ 14:57:18 EDT (515 reads)
Topic Hackers

cdupuis writes "
Hakin9

Download May issue of Hakin9 magazine today!

Inside:

  • Writing WIN32 shellcode with a C-compiler
  • Flash memory mobile forensic
  • Threat Modeling Basics
  • Pwning Embedded ADSL Routers
  • Firewalls for Beginners

Regulars:

  • ID Fraud Expert Says by Julian Evans: Identity Theft Protection Services – a new industry is born
  • Interview with:
    • Victor Julien, lead coder for the Open Information Security Foundation
    Ferruh Mavituna, web application penetration tester and security tool developer
  •  
    • Tool reviews: NTFS Mechanic, Active@ Undelete Professional, KonBoot v1.1

Download your copy now -- Click HERE

Pwning Embedded ADSL Routers
by Aditya K Sood
This paper sheds light on the hierarchical approach of pen testing and finding security related issues in the small embedded devices that are used for local area networks. The paper is restricted to not only testing but also discusses the kinds of software and firmware used and incessant vulnerabilities that should be scrutinized while setting up a local network.

Firewalls for Beginners
by Antonio Fanelli
Firewalls are often overlooked, but are actually one of the best deterrents against unauthorized accesses. Learn how to build a low-cost firewall with iptables. Whenever people ask me how they can be sure no one can have unauthorized remote access to their PC, my first answer is: disconnect your PC!

Writing WIN32 shellcode with a C-compiler
by Didier Stevens
Shellcode is hard to write. That is why I worked out the method presented here to generate WIN32 shellcode with a C-compiler. To fully benefit from the content of this article, you should have some experience writing WIN32 programs in C/C++ and WIN32 shellcode, and understand the differences between both approaches.

Flash memory mobile forensic
by Salvatore Fiorillo
This paper is an introduction to flash memory forensic with a special focus on completeness of evidences acquired from mobile phones. Moving through academic papers and industrial documents will be introduced the particular nature of non-volatile memories present in nowadays mobile phones; how they really work and which challenges they pose to forensic investigators.

Threat Modeling Basics
by Timothy Kulp
In the world of software, security is thrown into a system somewhere at the end of the project. For many developers adding security to a system is using a login with SSL/TLS; but sadly, these two are not the security silver bullet developers are led to believe.

Contacts Us

editors@hakin9.org
Editor-in-Chief
Karolina Lesińska
karolina.lesinska@hakin9.org
"

(Read More... | Score: 0)


TIPS and TRICKS to pass the exam and to start your study on the right foot
Posted by boss on Friday, 14 May 2010 @ 08:52:20 EDT (1248 reads)
Topic CISSP OSG INFO

cdupuis writes "

Greetings from Clement,

I would like to share with you some tips and tricks that I have collected over time.

To ensure success with your exam, you have to be reading and preparing from the moment you have read this message.   This message is to ensure your success on your CISSP exam..

BELOW YOU HAVE IMPORTANT TIPS AND TRICKS REGARDING THE CISSP EXAM -- PLEASE READ AND FOLLOW THOSE INSTRUCTIONS


STEP 1:  BECOME A MEMBER OF CCCURE.ORG

Get familiar with the www.cccure.org web site at http://www.cccure.org

To get started create an account at: 

http://www.cccure.org/modules.php?name=Your_Account&op=new_user

As you will see the site offers forums, web links, downloads, tutorials, quizzes, and tons of information related to becoming a CISSP. 


STEP 2: WATCH OUR FLASH BASED PRESENTATION ON HOW TO BECOME A CISSP

If you have not done so, listen to the CISSP Exam overview at:  

http://www.cccure.org/modules.php?name=Web_Links&l_op=viewlink&cid=167

See comments from previous students who have watched the presentation:

Wow, this is great. I wouldn't change a thing. I just wish I'd have seen this earlier than my 2.5 weeks before the exam. :-( Anyway, well done and thank you. It looks like you put a lot of work into this, and it is greatly appreciated.`

Viewing this Flash presentation is an absolute must for anyone considering pursuing the CISSP. Thanks Clement...

WOW! This site has been a wealth of information! I started self-study with Shon Harris' "ALL IN ONE" CISSP Exam Guide and after a few months I became discouraged. Ccure.org and most importantly Clement's flash tutorial for the introduction and overview of the CISSP exam has been a big encouragement. There was so much information with better outline and emphasis from the flash tutorial that I've revised my entire study plan and definitely concentrated my focus on key areas. Clement, thanks a bunch!


STEP 3: QUIZ, QUIZ, and more QUIZZES

A link to our QUIZ engine can be found on the main menu bar of the www.cccure.org website or you can visit:

http://www.cccure.org/modules.php?name=Web_Links&l_op=viewlink&cid=168

Ensure you take quizzes from the CCCure quiz engine as you complete the reading of each of the domains within the study book that you have bought.  The more quizzes you take the better you will do on the exam.

Within the quiz setting do use PRO level questions, closely related, and take at least 50 questions tests, and take multiple tests on each of the domains.  You should aim for 80% or above to feel good about passing the real exam.  As you will see the Common Body of Knowledge (CBK)  is VERY wide (20 miles wide, one inch deep)  and it will require a serious investment in time to reach this mark for all of the domains.

The quiz will help you two ways:  First by identifying things you DO NOT know and finding your weak domains.  Second it will help you memorize topics of the CBK.

I strongly recommend that you search the web or your study book for any questions that you have missed, this is how you will improve your knowledge and remember the key topics.  Every time you miss a question, do a cut and paste of the question into a word document.  This word document will become your OWN customize quiz containing question you did not know.  Later on in your studies you attempt those questions again and you ensure that you can answer them correctly.

Time permitting we will perform a quiz before each domain,  then we will perform two at the end of the domains (one by yourself and one as a group).


STEP 4:  BECOME A BOOK RAT

If you have not bought a good study book yet, today is the time to do it.  Do not procrastinate, get your study book right now.

There are many books available, some are better than others, you can see a short list of recommended books at:

http://www.cccure.org/modules.php?name=News&new_topic=76

Many people who have many years of experience prefer short and concise books such as the CISSP for Dummies.  Do not get thrown off by the title, it is a VERY good book.


STEP 5:  SUBSCRIBE TO OUR CISSP STUDENT INFO MAILING LIST

This mailing list is a series of auto responders that will send you about one message a day for about 10 days.

The messages contain tips and trick to pass your exam and general information about how to become a CISSP.

You can subscribe at:  http://www.cccure.info/subscription.html


STEP 6:  SUBSCRIBE TO OUR TWO WAY DISCUSSION LIST

This mailing list is a two way discussion list where you can post messages and get help from others who are studying for the CISSP exam.  The mailing list is moderated by our instructor Clement Dupuis and it is very well maintained.  Clement will quickly filter any message that are not CISSP related.

Subscribe at:  http://www.cccure.org/modules.php?name=News&file=article&sid=431


STEP 7:  VISIT THE CCCURE.ORG FORUMS FOR THE CISSP

The CCCure forums are one of the most dynamic community when it comes to getting answers to your questions quickly or finding more information about the CBK.

It is really worth a visit,  you will find the forums at:

http://www.cccure.org/modules.php?name=Forums&file=index&c=2

 

STEP 8:  VISIT THE CCCURE WEB STORE FOR SUPPLEMENTARY RESOURCES

Our webstore has grat resources that can assist you in passing the exam on the first try.

Some people learn best with Video Turorials, some prefer MP3 files, others prefer reading.  The website has resources for all learning abilities.  

Visit the CISSP Section at:  https://www.cccure.com/cart/categories/CISSP/



MAIN CAUSE OF EXAM FAILURE

Over the years we have identified some of the main reason WHY people fail their exam.  You have a list of the most common reasons below:

1.  They do not do any study seriously prior to taking their exam or attending a class
2.  They spend time answering emails or texting on their phone instead of studying seriously or listening to the instructor
3.  They spend time outside the class talking on their cell phone or attending conference calls
4.  They are doing remote administration or job related activities through a remote connection
5.  They underestimate the difficulty of the exam
6.  They study while watching the game or doing other activities

To ensure your success, you should not partake in any of the above activities which are detrimental to your ability of studying seriously while absorbin and remembering the key topics.


IMPORTANT:   Last but not least

Tel your boss, peers, and anyone close to you that you will be ignoring them for a week before taking your exam as you are studying to pass the exam.  Make sure they understand that you ARE NOT available for any of the normal company activities.  Your study week will require concentration throughout the day and even working at night as well.  Your spouse will become a CISSP widow for one week.  THIS IS YOUR PRIORITY and you must take it VERY SERIOUSLY.

Best regards

Clement
Site Owner and Maintainer

Clément Dupuis, CD
CISSP, GCFW, GCIA, QEH, QSA, Security+, CEH, ECSA, LPT, CCSA, CCSE, MBNS, MBIS, MBHS,  + dozen of others

"

(Read More... | Score: 0)


Job: Trainer with full scope polygraph needed, Herndon, VA, USA
Posted by boss on Friday, 14 May 2010 @ 05:12:46 EDT (439 reads)
Topic JOBS

cdupuis writes "

We are looking for a trainer with full scope polygraph for one of our project in Herndon, Virginia, USA. 

The job description is below:

Are you a talented Trainer that has experience with training and verification tools?  

Would you be interested in joining a dynamic and innovative team that will allow you to grow, learn and make up your own schedule?

We would like to get to know you. We offer the opportunity to work on projects of national importance and the chance to be on the front line providing input and suggestions in all aspects of the applications development life cycle to the other members of the technology group.

As a trusted partner of the Department of Defense, U.S. Government civilian and international agencies, as well as businesses throughout the world, FGM is an agile provider of technical solutions that enable mission-critical operations and decision-making.

As a company, we believe that FGM’s work force diversity creates a dynamic and interesting workplace. From your interview to your first day on the job and beyond, you’ll find that we do things differently. We foster a collaborative work environment whose success is dependent on creative thinking combined with superior problem-solving and analytical skills. Our customers depend on us for our expertise and knowledge and FGM depends on you to meet their demands.

FGM has been recognized as:

• Three-time award winner of The Washingtonian Magazine’s “Great Places to Work”

• Herndon Dulles Chamber of Commerce’s “Outstanding Large Business of the Year”

• ITRecruitmag.com’s “Top 50 Tech Places to Work”

We are currently seeking a motivated and cleared Knowledge manager/Tester candidate to join our National Security Solutions Team.

This position requires a skilled software engineer, who has the ability to work interface with technologists, analysts and the customer.    The position requires adaptability, the drive to work in a high pace environment and someone who enjoys a challenge.

Prefer experience using the following Training & Verification tools: Captivate, Adobe CS4 (Design Premium), MS Office Suite, Rally, Selenium IDE, Selenium Remote Control and Firefox (Firebug), SharePoint and potentially HP/QC, HP/QTP

General Requirements:

Trainer:

Conducts analyses, using Instructional Systems Design process, to evaluate customer technical training needs to determine appropriate training content, objectives, design. Conducts activities to develop, deliver and evaluate the technical training.

Training delivery will range from the most basic application overview to upper management to detailed Instructor Lead Training to analysts. 

Establishes processes for identifying training content and evaluating training effectiveness.

Uses specialized software technology to research, configure, maintain, update and develop new and existing media and materials.

Materials will range from Quick Reference Guides to Computer-Based Training.

Ensures accuracy and quality of training products.

Coaches and develops others.

Works under minimal direction.

V&V:

Position will also support verification and validation (V&V) testing for developed and legacy applications through the following activities:

Create verification plans; Generate, review, and coordinate test cases with V&V team peers and developers;

Conduct testing to include functional testing;

Coordinate report of test case results with developers;

Attend team meetings, and provide V&V activity status and burn-down information.

Support integration and end-of-sprint activities by identifying the test cases that were run and open discrepancy reports for the developed software.

Send your resume to:   Wenzel, Emanuela

"

(Read More... | 3 comments | Score: 0)


How young upstarts can get their big security break in 6 steps
Posted by boss on Monday, 26 April 2010 @ 22:16:05 EDT (547 reads)
Topic JOBS

cdupuis writes "
From: www.csoonline.com

How young upstarts can get their big security break in 6 steps Companies crave experience in their security staffers, dimming prospects for entry-level applicants. Bill Brenner on how a young upstart can break through. 

by Bill Brenner, Senior Editor, CSO
April 24, 2010

If you're young, breaking into the security industry can be hell.

Companies have either suffered a data security breach or live in fear of one. So when they're hiring new IT security personnel, they want years of experience. If you're fresh out of college, that's a problem.

Another problem is that security practitioners are control freaks by nature. They have to be, if you stop and think about it. They have a huge responsibility, and delegating some of the work to younger pups is a lot to expect.

But here's the problem: The future of information security is in the hands of the youth. That may seem a clichéd statement; so obvious it sounds stupid. But it's a fact.

This column isn't an invitation for young upstarts to cry and lament about the disadvantages they have. Instead, it's about a few things you can do to break through and make it in the industry. Think of it as suggestions for becoming a security rock star, which you almost have to be to make a difference these days.

This morning I'm at Security B-Sides Boston, listening to a talk from someone who is fighting this battle right now. Joseph Sokoly, a security analyst at NetBoundary, recently gave a talk at the Austin, Texas B-Sides event about the troubles of being young in the security industry. This time, he's in Boston giving an update on where his career trajectory has taken him in the weeks since then.

He has found that breaking into the security community is not nearly as hard as it first seemed. In fact, his career got a big boost simply because he had the guts to stand up in front of people and give his talk. "Giving the talk in Austin helped me tremendously," Sokoly said. "It has opened doors. My being here is a result of that. First, the positive reaction from the community encouraged me not just to listen but to speak again."

His Austin talk has also inspired security heavyweights like Chris Hoff and James Arlen to look at establishing a mentor program to coincide with this summer's B-Sides Las Vegas event.

"Being proactive works. Put yourself out there and things will open up, but speaking doesn't have to be it. Use Twitter. Start blogging," Sokoly said. He's absolutely right.

His suggestion young security practitioners speak up and force others to take notice isn't a new concept. But it's advice that too few people take.

Instead, prospective employees try to let their raw technical ability do the talking. They get so bogged down on the technical that they ignore the cultural. It's unfair to be frozen out, especially if you're skills are well above someone who gets the job simply because they've been kicking around as employed security practitioners for five or more years. In other words, because they've simply managed to survive.

But life is always going to be unfair, so it's better to focus on ways to get ahead. In that spirit, here are some suggestions, which I've admittedly borrowed from Sokoly. Call this imitation that's meant to be a form of flattery, because what he said makes sense.

1. Learn how to write: Like it or not, writing is part of your job in the information age. You can't make a difference simply by knowing how to configure a NAC system or do penetration testing. You have to be able to tell colleagues, bosses and business partners what you are doing, in their language. You'll have to do this in board presentations and in reports. And if you really want to make a difference, you can share your experience by blogging. That gets you noticed, and in many cases will get you hired.

2. Learn How to Talk: The days of a security administrator holing up in a dark room shut off from the outside world is over. You have to be able to articulate what you're trying to do in the spoken world. This isn't just about learning how to be a good public speaker, though that is of high value. Learning to talk means learning to speak the language of those who decide how much budget you get for security or who gets hired.

3. Learn how to dress: This might sound weird, because most practitioners will dress according to the requirements of their employer. That could mean suit and tie, business casual, or something in between. But then there are times to dress to match the crowd you are in, particularly at security conferences. Business attire won't help you network in a crowd of hackers at ShmooCon or DEFCON. Dressing like a punk rocker won't cut it at a more C-level event.

4. Master social networking: You can be shy as can be and still be heard thanks to the world of social networking. Set yourself up on Twitter, Facebook and LinkedIn and share what you know. If you know what you're talking about, people will follow you, including prospective employers.

5. Learn to work with suits AND mohawks: One of the problems in security today is that the profession is split into two groups who don't communicate well: The executive-level suit and tie CSOs working for billion-dollar corporations or high-level government agencies, and the torn jeans-wearing, ear-pierced researchers. You can see the cultural chasm clearly when you go to a conference like ShmooCon and then something like CSO Perspectives. If you work on being able to communicate and work in both crowds, your stock will rise considerably.

6. Get to conferences: This one is easier said than done, because conferences cost money that you may not have. There are ways around that. Some companies will send interns to security events to get some real-world experience. If you blog, some conferences will give you a free press pass so long as you write about the conference in your blog. Then there are events like B-Sides, which is free and ongoing around the country. These events are full of knowledge. But just as importantly, these are places to meet people. The more people you meet, the more you know, and the more you know, the better your career prospects.

None of this is scientific advice, backed up with statistics and other data. It's my personal observation as a security journalist. I hope it helps.

©CXO Media Inc

"

(Read More... | 4 comments | Score: 0)


White House Updates Cybersecurity Orders - Stop wasting money and paper
Posted by boss on Sunday, 25 April 2010 @ 22:47:40 EDT (612 reads)
Topic Law & Legalities

Anonymous writes "

As seen on the great Infowarrior mailing list from Attrition.org:

White House Updates Cybersecurity Orders

The three-pronged approach should help federal agencies do away with wasteful compliance spending and encourage improved security, say White House officials.

By J. Nicholas Hoover

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=224500173

The White House issued new cybersecurity marching orders to government agencies Wednesday, which top officials say will help redirect government efforts from wasteful paperwork compliance toward continuous monitoring and patching and more effective cybersecurity spending.

Many observers both inside and outside government have come to the conclusion that the government’s cybersecurity reporting requirements, as currently implemented, have created an environment in which expensive annual compliance reports that cut into real cybersecurity have become the norm. “These reports ended up being more secure in the cabinets they were living in than were the systems they were meant to protect,” federal CIO Vivek Kundra said in a conference call with reporters and White House cybersecurity coordinator Howard Schmidt.

Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies’ cybersecurity efforts. That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.

The new policy outlines what Kundra described as a “significant departure” from the way cybersecurity has been measured and managed in government. It is contained in an Office of Management and Budget memo penned by federal chief performance officer Jeffrey Zients, Kundra, and Schmidt, and developed with input from federal CIOs.

Kundra and Schmidt said on the conference call that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.

The guidance takes a “three-tiered approach” to FISMA that includes automatic reporting of cybersecurity data feeds directly from agency security and management tools to a tool hosted by the Department of Homeland Security; government-wide benchmarking on agencies’ security postures; and agency-specific interviews to help determine the needs and proper metrics for individual agencies.

First, agencies will be required to feed cybersecurity information directly and in near real-time from their own security management tools into the recently implemented Cyberscope security reporting tool, which DHS is now operating. The White House is convening with agencies on May 7 to discuss how they will move forward with this plan, and what new metrics will be included in the new reporting.

This automated reporting should both decrease the amount of money agencies are spending on cybersecurity reporting, and also help the White House best determine where and how resources should be spent on cybersecurity across government, said Kundra and Schmidt. “Capital can and should be used to invest in systems that will be actually enhancing security,” Kundra said.

Agencies will begin feeding this data to Cyberscope by June of this year, but Kundra admitted that some agencies will have to make investments in order to get tools like asset management systems and security information management systems in place to feed data to Cyberscope. Some agencies, like the Departments of Justice, Treasury, State, Veterans Affairs, and NASA are already able to report to Cyberscope, and will be among the first to do so. The due date for reporting through Cyberscope is November 15, and those agencies which can’t yet directly feed information into Cyberscope will be able to provide a data feed as an XML upload to Cyberscope.

Along with this new reporting structure will also come new metrics for agencies to use. Those metrics have been developed in concert with the private sector, academic community, and federal CIOs and CISOs. The new data feeds will include summary information about inventory, systems and services, hardware, software, external connections, security training, and identity management and access.

In terms of government-wide benchmarking, CyberScope will be asking agencies a set of questions on their security posture online, rather than in the submission of an annual signed letter to do the same task. The White House will also be carrying out agency-by-agency interviews on cybersecurity. “We recognize not all agencies perform the same mission and function,” Kundra said. “Historically it was just a lowest common denominator approach, but the nature of the threat can be unique to each agency.”

Finally, in addition to the three-pronged approach to overhauling FISMA reporting, the White House memo answers dozens of potential agency questions about FISMA, including some issues outside the scope of the new approach, like whether national security systems fall under this guidance (not typically), who should have the ultimate say over an agency’s security posture (the agency head), and whether SAS 70 compliance audits often used by private sector to determine whether third-party systems are secure is sufficient for FISMA compliance (it depends).
_______________________________________________
Infowarrior mailing list
Infowarrior@attrition.org
https://attrition.org/mailman/listinfo/infowarrior

"

(Read More... | 5 comments | Score: 0)


IT Security Engineer, Full Time position
Posted by boss on Sunday, 11 April 2010 @ 22:18:37 EDT (818 reads)
Topic JOBS

cdupuis writes "

This is a full time, direct opportunity; Please no 3rd party recruiters or re-posting of this job description anywhere else.

Please make sure you include in your cover letter that you saw this posting on CCCURE.org so we may track the response. Thank you.

IT SECURITY ENGINEER

Salary negotiable

JOB SUMMARY
The IT Security Engineer performs highly technical information technology work dedicated to the engineering, monitoring, resolution and support of enterprise information and network security. The person in this position is responsible for researching, analyzing and troubleshooting information, data and network related security incidents and events. Work involves identifying, validating and reporting on security incidents and events based on enterprise policies and procedures; researching and reporting on advanced security related issues as well as making recommendations for improvements to infrastructure, systems architecture and enterprise policies; and performing forensic information security investigations involving any/all enterprise computers, computer systems and servers and networking infrastructure. Supporting and engineering responsibilities will include access to, and the handling of, confidential or sensitive data, materials, and enterprise information, involving all levels of the organization.

ESSENTIAL FUNCTIONS
• Monitors the physical and logical components of information systems and network security architectures for all technology environments including mainframe, server, desktop and mobile computing, as well as telecommunications, technical operations, and applications services.
• Provides direct feedback to the Director of IT Security or other officials regarding any/all concerns related to critical information and data security issues, policies and procedures, including recommendations and tentative plans for mitigation or resolution when applicable.
• Utilizes technologically advanced hardware and software tools to proactively monitor and analyze enterprise infrastructure in search of suspicious, malicious, illegal or fraudulent activity.
• Monitors compliance and assists in the implementation of security policies and procedures such as user authentication, security violation escalation, use of firewalls and encryption methodologies and overall handling, transfer and storage of data across the enterprise.
• Assists in the preparation of daily, weekly and monthly status reports on security matters in order to develop security risk analysis scenarios, metrics, mitigation strategies and response procedures.
• Assists in the enforcement of security policies and procedures by administering and monitoring data security profiles, reviewing security violation reports, investigating possible security exceptions and documenting security controls.
• Monitors vital technology security components including firewalls, gateways, filtering, intrusion detection, network access control, directory services, anti-virus and authentication services.
• Assists in the performance of audits and investigatory processes related to or in response to internal, external, or law-enforcement agency inquiries.
• Performs investigatory procedures involving computer workstations, end-user devices, enterprise servers, E-mail, Internet services, and electronic documents, including situations directly related to employee acceptable use and criminal violations.
• Responds as directed to law-enforcement or official agencies in the form of investigatory questioning, deposition or court testimony.
• Regularly monitors specialized, regional, national and global IT security agencies and services in order to keep apprised of current security threats and concerns.
• Assists in the management and oversight of network certificates and security related registrations.
• Manages various aspects of account administration for networks, systems and services including remote access, VPN and directory services.
• Assists in the monitoring, security and administration of enterprise wireless and WIFI networks.
• Assists in the response to internal, local, state or federal controls audits where information or data security is indicated.
• Assists in the engineering, implementation, management and administration of physical security strategies inclusive of access card, theft/intrusion, identity, and surveillance systems and services.
• Participates in the evaluation of products and/or procedures to enhance productivity and effectiveness of information security across the organization.
• Performs capacity and future growth planning of the enterprise security infrastructure, inclusive of hardware and software, to ensure a highly available, redundant, and adequate security environment at all times.
• Provides direct support and guidance to administrative and IT technical staff for security related issues.
• Educates IT and other District staff concerning security policies and provides guidance for internally developed/managed applications and systems as well as outsourced or application service provider engagements.
• Participates in the development and implementation of enterprise security strategies.
• Assists in the securing of enterprise networks, servers, and networking devices.
• Professionally and securely handles enterprise information, including confidential and sensitive data.
• Provides customer service and support at all levels of the organization.
• Maintains 24-hour per day, 7-day per week availability via mobile telephone or paging device(s) for response to emergency or related operational issues.
• Performs related work as required.

MINIMUM EDUCATION AND EXPERIENCE
Qualified candidates must have:

1a. Education equivalent to two years of college;
AND
1b. Four years of full-time, paid, professional technology experience with emphasis on information security, forensic investigatory processes and procedures, and the monitoring, analysis and auditing of IT security environments.
OR
2a. Education equivalent to two years of college;
AND
2b. Two years of full-time, paid, professional technology experience with emphasis on information security, forensic investigatory processes and procedures, and the monitoring, analysis and auditing of IT security environments;
AND
2c. Possession of an industry-recognized intermediate or advanced information technology security certification such as CompTIA Security+.
OR
3 Any equivalent combination of training and experience determined to be acceptable by the Office of Human Resources.

APPLICATION PROCEDURE
Interested applicants should email a current resume and cover letter detailing the extent to which they meet the above criteria to:
Kelly Aichele
Chief Information Office
Email: kaichele@philasd.org

Resumes must be received by close of business April 14th to be considered.

"

(Read More... | Score: 0)


ISC2 first exam to be delivered by VUE testing
Posted by boss on Wednesday, 07 April 2010 @ 14:48:19 EDT (650 reads)
Topic ISC2 Org

cdupuis writes "

Dear Valued Member,

We are proud to announce the availability of Computer-Based Testing (CBT) for the Certified Secure Software Lifecycle Professional (CSSLP) credential.

The CSSLP aims to stem the proliferation of software vulnerabilities by establishing best practices and validating an individual's competency in addressing security issues throughout the software lifecycle. Code-language neutral, it is applicable to analysts, developers, software engineers, software architects, project managers, software quality assurance testers, programmers and others involved in the software lifecycle.  For information on experience and other requirements to sit for the exam, please visit: www.isc2.org/csslp.

The CSSLP is the first (ISC)2 certification exam to make the transition from paper-and-pencil delivery and will be available at nearly 500 Pearson Professional Centers, Pearson VUE Authorized Test Center Selects and Pearson VUE Authorized Test Centers located on U.S. military installations around the world.

(ISC)2 will gradually phase in computer-based testing for all of its credential exams over the next three years. This decision was made based on the projected growth for the profession worldwide, which the most recent (ISC)2 Global Workforce Study ("GISWS") http://www.isc2.org/workforcestudy forecasted would increase to almost 2.7 million by 2012, representing a compound annual growth rate (CAGR) of 10 percent.
CBT also gives us the ability to enhance the convenience, security and fairness of the examination process.

Pearson VUE is the global leader in computer-based testing for information technology, academic, government and professional testing programs. To experience a demonstration and tutorial of the Pearson VUE's computer-based testing experience, please visit http://www.pearsonvue.com/ppc/

.

For more information about or to register for computer-based testing for the CSSLP, please review the frequently asked questions (FAQs) at: http://www.isc2.org/csslp-cbt-faqs.aspx. To review a Candidate Information Bulletin offering details about the exam process, please visit http://www.isc2.org/uploadedFiles/Downloads/CSSLP-CBT-Candidate-Information-Bulletin.pdf.

Our transition to CBT is an exciting opportunity for our candidates and a milestone for our credential programs! As always, we thank you for your support of this investment in (ISC)2's future.

Sincerely,

(ISC)2 Management
"

(Read More... | 10 comments | Score: 0)


SANS founder slams 'terribly damaging' US cyber security law
Posted by boss on Tuesday, 30 March 2010 @ 11:15:05 EDT (493 reads)
Topic Law & Legalities

cdupuis writes "

 

As seen at computerweekly.com at:
http://www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm?printerfriendly=true
Ian Grant
Thursday 25 March 2010 08:05

Federal guidelines on how to protect computer systems did just the opposite, a US congressional committee heard.

In a scathing attack on the Federal Information Security Management Act (Fisma), Alan Paller, founder of the Sans Institute, told the subcommittee on government management organisation and procurement, part of the committee on oversight and government reform, that Fisma slowed down every security process and took away key resources from projects that would allow agencies to act and react quickly to cyber attacks.

Paller welcomed government plans for continuous monitoring of IT systems. "This is the single most important element [of cyber security] you will write into the new law," he said.

'); //--> Paller said protecting IT systems was like an arms race. "Each time the defenders build a new wall, the attackers create new ways to scale that wall," he said.

He said four "terribly damaging" provisions in federal law had led to wasteful processes that slowed down US defences and "threw away billions of dollars that were acutely needed to protect systems".

The law required clear audit trails, but these had led to "reports that answered the wrong questions", said Paller.

"[They] rewarded ineffective behaviour and created a cadre of people who call themselves security professionals but who proudly admit they cannot implement security settings on systems and network devices or find a programming flaw," he said.

Fisma had created and rewarded a culture of compliance rather than security," Paller said. Federal and state governments were "radically short of money", but they were forced to spend it on reporting rather than security, he said. "Writers who know how a few words about security and federal regulations now make 50% to 80% more money than the people who actually secure systems and networks and applications," he said. "It is as if we paid the compliance staff at a hospital more than the surgeons.

"The four processes that had led to this situation were the federal information security controls and audit manual, the annual report implemented by federal CIOs and inspectors-general, the certification and accreditation report-writing process and the security controls assessment under Special Publications 800-53, Paller said.

"The people who wrote Fisma, and the people who set up these wasteful processes did not know, and do not know, how the attacks are being carried out and how the threat is changing, so they ask the wrong questions," Paller said.

He said the audit missed key steps in the Centre for Strategic and International Studies' Consensus Audit Guidelines. These steps were critical in the eyes of the National Security Agency, US-CERT, the Department of Energy Labs, the Department of Defense Cyber Crime Center, and forensic IT security specialists "who clean up after attacks and who actively penetrate systems on behalf of the nation".

He said the nation's attention should be on real-time monitoring of its information systems and networks to prevent or mitigate attacks as they happened. "Oversight must be focused on the effectiveness of the agencies' real time defences," he said. "Anything less continues to waste scarce resources and leaves us unacceptably vulnerable." he said.

 

"

(Read More... | 2 comments | Score: 0)


MatriXay 3.6 has been released
Posted by boss on Tuesday, 30 March 2010 @ 11:00:59 EDT (485 reads)
Topic Commercial Offering

DBAPPSecurity writes "

DBAPPSecurity web application scanner MatriXay 3.6 was released.
 
Web Application Vulnerabilities Scanner (MatriXay 3.6) not only has the remarkable scanning ability, but also provides powerful penetration testing functions and web Trojan detection.
 
MatriXay 1.0 was first released at the BlackHat Security Conference and Def-Con in August 2006; then in December 2007 , version 2.0 was released and it played an important role in Web security protection for the 2008 Olympic Games.

Released in 2009, MatriXay 3.0 not only has the remarkable scanning ability,but also provides powerful penetration testing tools and web Trojan detection.  Therefore it is appraised as “The Best Web Security Evaluation Tool”.  

MatriXay 3.6 was released recently:

Features:
  • In-depth Scan: risk-oriented in-depth scanning on web application can access to back-end database information and web application list.
  • Web Vulnerability Detection: detect all kinds of typical web vulnerabilities deeply (such as SQL injection, Xpath injection, XSS, the form around, form weak password, all kinds of CGL vulnerabilities.)
  • Web Trojan Detection: analyze a variety of linked Trojan automatically, effectively and intellectually; make an accurate analysis to the spreading Trojan virus type; make the position for web Trojan host.
  • Penetration Testing: make deep analysis to the target web application and implement sound attack to obtain direct evidence of system security threats by imitating the vulnerability discovery techniques and attack methods of the hacker to current vulnerability.
  • DB Audit: By fully simulating hijack attack through current weakness, to realize database Audit function,to obtain configuration information such as background database connection information, database name, database version, Data Dictionary etc.
  Benefits
  • Complete, in-depth and accurate assessment of web application vulnerabilities can effectively enhance the active defense capabilities.
  • Flexible and defined scanning working pattern
  • Deep and intellectual Scan Engine
  • Unique "evidence" model to ensure accurate and reliable results of the assessment
  • Baseline audit of more than 10 kinds of database
  • Complete risk assessment report
  • Risk assessment report can support all kinds of file formats and can fully customize the content
  • No third-party software support for installation and operation


 
More information, please check http://www.dbappsecurity.com/webscan.html

For Demo and free trial version, please check http://www.dbappsecurity.com/Download.html
 
Thanks

DBAPPSecurity  

"

(Read More... | 4 comments | Score: 0)


After CompTIA and ISC2 it is now SANS GIAC turn to require CMU's (CPE)
Posted by boss on Saturday, 20 March 2010 @ 22:18:24 EDT (635 reads)
Topic SANS

cdupuis writes "

NOTE FROM CLEMENT:

CPE's, CMU's, EPE's, and the list goes on and on.   It seems that most certification authorities are starting to require some form of continuous education in order to remain certified.   All of them have a very strong focus on their own certification program and they all charge some significant maintenance fees.  It is funny to see that doing your job and learning on the job would only give you a maximum of 12 CMU's for two years of practical work but a one week class of 30 hours of training will give you 30 hours.  Obviously something does not add up.

SANS used to hve a very combersome and demanding way of renewing their exam.  I am not sure what is the percentage that were renewing at the end of the 4 years but I would bet a cold beer that it must be very low because it was too demanding.

The SANS main site page claims to have 29,915 certified professionals as of this writing.  This is a very low number considering the total number of certifications they maintain.  Will these new options make it easier for SANS alumin to maintain their certification?  I would say YES for sure.  Not everyone can redo the whole testing every 4 years when you have multiple certifications to maintained all at once.

So they joined the club of other certification authority who are offering the option of taking more training with the certification body to renew a candidate certification.  SANS GIAC is already recognizing training from any other ISO 17024 certification bodies which help in giving each others more legitimacy to the whole ISO certification.  The certification of course if on the way that it is mananged and not on the quality or relevancy of the content alone.

I find it also very stange that only SANS related community activities are recognized versus any community activities.  There are MANY open source project related to security that are worthy of being supported and recognized for CMU's credits.

I must cut this message short and go work on my CPE's, CMU's, EPE's, or whatever the vendors will call it.

Talk to u later

Clement

Here is a copy of a message I have received as a SANS Alumni:

Maintenance Guidelines and Requirements

The GIAC program is making a major shift regarding our recertification approach. Instead of only offering a recertification exam, GIAC will allow individuals to maintain their credentials using a Certification Maintenance Units (CMUs) approach. This program change increases the options available to individuals. The new certification maintenance price is $399, due once every four years, at the time of registration.

Each GIAC certification remains valid for 4 years. The first 2 years you are certified requires no further action from you. After 2 years, the certification renewal process will begin with the ultimate goal being that you have demonstrated ongoing competency in the Information Assurance field. For each GIAC certification you need to acquire 36 CMUs (Certification Maintenance Units) after the two year mark and before your certification expires. Historically, you registered for your GIAC Recertification exam, received an updated set of course materials, and took your exam at a specified proctored site. This option is still available.

On March 1st, 2010, GIAC will begin to offer expanded certification maintenance options. Besides the existing method of retaking the standard certification exam, we will offer two main additional options. One alternative is for you to submit a published technical research paper, such as a GIAC Gold Paper. Another alternative is to take additional information assurance training courses, such as SANS training courses. There are also supplemental options described below that can be combined with any of the main options to help you reach the required 36 CMUs.

Below you will find information regarding each option, how the options can work together to meet the certification maintenance requirements, and the CMU breakdown for each option. Please pay close attention to the specific requirements of each option so you will be credited for the work you have accomplished and experience you have gained in the Information Assurance industry. All renewal options require a $399 certification maintenance fee, due once every four year period. This fee includes a current set of certification specific course materials should you choose to receive them. The updated course materials are available to you regardless of the renewal options you utilize and will aid you in keeping your skill set current. You are responsible for shipping fees.

If you have more than one certification expiring, you will receive a discount for any additional certifications that expire within two calendar years of the first. After the first $399 certification renewal, all additional certification renewals during this two calendar year period are $199 each.

All Certification renewal and application options will become available for registration in your portal account two years in advance of your certification expiration date.

Retaking the Standard Certification Exam

36 CMUs are awarded upon achieving a passing exam score.

  • Retaking and passing the certification exam must be completed after the two year mark of your certification to demonstrate ongoing competency.
  • You can reference your complete certification history through your portal account via the "Certification History" link in the exam engine. Earning CMUs via this option will require passing one proctored exam.
  • Once your registration and payment have been processed, your reference materials will be shipped to the address provided in your registration. You will then receive access to your two practice tests via the GIAC exam engine. This will allow you to keep current with the latest industry material, and prepare for your exam. You are not required to complete any additional training with this option - you are only required to pass the exam.
  • You will have four months from the date your registration is processed and payment received to complete your proctored certification exam.

Published Technical Research Paper

36 CMUs

  • Research paper must be completed and published after the two year mark of your certification to demonstrate ongoing competency.
  • GIAC Gold Paper - The GIAC Gold program can be leveraged to apply towards your certification maintenance needs. To take part in the GIAC Gold program, from your portal account click on the "Certification History" link, then on the "Go Gold" link for the respective certification. You are responsible for the $299 Gold fee once your gold application has been approved. Within the gold program you will be working with a GIAC Gold Adviser to complete your research project.
  • Separate from the Gold Program, you are still responsible for the $399 GIAC Certification Maintenance fee to have a gold paper credited towards your CMUs and ongoing certification maintenance requirements.
  • Published Research within the Information Assurance industry - Submit proof of your published article from a peer reviewed journal, such as IEEE
  • Submit proof of approved and published Gold Paper

Completed Information Assurance Related Training

Up to 36 CMUs awarded

  • Training must be completed after the two year mark of your certification to demonstrate ongoing competency.
  • You are required to submit your Certificate of Completion for any training.
  • SANS 6 day course: 36 CMUs, SANS 1 day course: 6 CMUs
  • Credit does not apply for Self Study or purchased text books.
  • Qualifying 6 day Information Assurance course (non-SANS): 36 CMUs
  • Qualifying 1 day Information Assurance course (non-SANS): 6 CMUs
    • Any verifiable Information Assurance training course offered by ISC2 or ISACA counts per course day, minimum 6 contact hours per course day
    • You are required to submit proof of training (i.e. Certificate of Completion, CPEs, CEUs, reference your invoice, etc.)
    • To apply training for your certification renewal that is not referenced above, please see the Application for Alternative Accredited Certification Programs. This will provide information to help determine if the alternative training meets necessary requirements.
  • There is not a predetermined list of training courses that can be applied for credit to each certification. Specific courses topics are subject to approval based on relevancy to your certification, your current position and ongoing competency. Therefore, it is important that you clearly document the relevancy of the course topic to your position and how it aides in your ongoing competency related to your certification.

Documented Work Experience

12 CMUs (limit 12 CMUs per certification renewal)

  • Work experience documentation must be completed after the two year mark of your certification to demonstrate ongoing competency.
  • To qualify, you must have completed job duties utilizing actual Information Assurance experience within two of the previous four years.
  • You must provide verification from work supervisors and documentation of your job description and duties performed.

GIAC / SANS Community Participation

6 CMUs (limit 6 CMUs per certification renewal)

  • Community participation documentation must be completed after the two year mark of your certification to demonstrate ongoing competency.
  • Writing questions for GIAC or participating in GIAC job task analysis studies
  • Teaching a related and verifiable Information Assurance course
  • Acting as a Facilitator at a SANS conference
  • SANS mentor / virtual mentor
  • ISC Handlers

Examples

Here are some examples of how to use these options to your advantage to reach the full 36 CMUs requirement while also showing ongoing competency in the Information Assurance field.

Person A earned the GSEC on January 1, 2005. On February 1, 2007 s/he took the SEC610 SANS Malware course, a 4-day course, and is applying 24 CMUs from taking that course to renew GSEC. In addition s/he has documented work experience for two years as an incident handler and is applying 12 CMUs from that to renew GSEC. S/He now has the 36 CMUs needed.

Person B earned the GSEC but has recently moved into a management position and takes MGT512, a 5-day management course. They are applying 30 CMUs corresponding to the 5 days of trainings toward his/her GSEC renewal. S/He also has written exam questions for GIAC and is awarded 6 CMUs. S/He now has the 36 CMUs needed.

Please contact cert-renewal@giac.org with any questions, comments or concerns you may have regarding the certification renewal process.

Disclaimer

It is possible that GIAC will be unable to accept one or more of your submissions for credit towards your certification renewal. In order to ensure our certified professionals are sufficiently meeting GIAC standards of continuing education, we must adhere to certain ISO/IEC/ANSI 17024 guidelines and rules regarding ongoing competency:

  1. In order to count towards your certification renewal, submissions must demonstrate your ongoing information assurance competency throughout the course of your certified status. In order to ensure this, any renewal actions must have taken place in the latter 2 years of your certification period.
  2. We limit the types of training courses that can be accepted to those that can be verified as coming from an institution or training provider in conjunction with an ISO/IEC/ANSI 17024 accredited information assurance certification program. Currently ISC2 and ISACA training programs are accepted in addition to SANS Institute training. Click here for an application to allow for alternative ISO/IEC/ANSI 17024 accredited information assurance training courses to be submitted for approval.
  3. We limit the types of technical research papers and publications that are accepted towards certification maintenance as well. While publication at any level is certainly a commendable achievement, we only accept submissions that clearly demonstrate ongoing technical competency in the realm of information assurance via published technical articles from a peer reviewed journal, such as IEEE.
  4. Work experience and/or community involvement credits must meet established standards for technical relevance and be properly documented for verification and audit purposes.

We ask for your understanding and if you feel you need to discuss this further please do not hesitate to contact Stephen Northcutt, Chair GIAC Board of Directors, stephen@giac.org, 1+ (808) 823-1375

"

(Read More... | 7 comments | Score: 5)

Our Sponsors

Login here

Nickname

Password

Security Code:
Security Code
Type Security Code

Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Recommended

CCCure Partners

USA

Security University

Security University

MIDDLE EAST

Dubai, Qatar, Kuwait, Oman

THE OISSG GROUP
The OISSG serving the Middle East security needs

EUROPEAN UNION

Dublin, Ireland
ESPION

Best security training you can get in Ireland

AFRICA

Yaounde-Cameroun
GetSec

The best training one can get in Cameroon

Lagos, Nigeria
Digital Encode

The best security training in Lagos and Nigeria

Most Active Members

· 1: side_winder
Total points: 12209
· 2: Lopezco
Total points: 8506
· 3: cissp_newbie
Total points: 7593
· 4: cdupuis
Total points: 6632
· 5: mikeyoung_fla
Total points: 5490
· 6: Vladimir
Total points: 4611
· 7: MMM
Total points: 2969
· 8: damoose
Total points: 2814
· 9: webplu9
Total points: 2592
· 10: educk
Total points: 2334

Today's Big Story

There isn't a Biggest Story for Today, yet.

Random Headlines

Past Articles

Thursday, March 18
· ISC2 is looking for proctors for the Orlando 3/20/2010 exam
· SpywareAnalytics a forum for home user security
Tuesday, March 16
· Security Professionals: Build a career plan and make more money
· Study Group Wanted in Cincinnati, OH
Monday, March 15
· Twitter announce a new service to protect their users
Saturday, March 06
· Viruses and Digital Signatures
Wednesday, March 03
· SQL Injection and Parameter Manipulation video clips
Tuesday, February 23
· NATO CISSP Study Group in Brussels
Thursday, February 18
· Anyone studying in Kansas City for the Aug 7th test?
Tuesday, February 16
· Join SecurityVibes and exchange information with your peers!
Wednesday, February 10
· The Rugged Software Manifesto
Tuesday, February 09
· Job Opportunity in Dubai for a Senior Incident Response Investigator
· More evidence of value of security certification -- Part 2 of 5
· Stupid rebates for Stupid Clients
Thursday, February 04
· Official (ISC)2 Guide to the CISSP CBK, Second Edition
Wednesday, February 03
· IEEE Computing Now magazine -- Special issue on Biometric
Tuesday, February 02
· CISSP for Dummies 3rd Edition by Peter Gregory
· Where can I get the best price for the CISSP All In One 5th Edition?
· Get FREE copies of Hakin9 Magazine in PDF format
Monday, February 01
· Researchers criticise 3D Secure credit card authentication

Older Articles

All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or it's maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respecful owners. The content of this site is provided to you freely due to the generosity of our sponsors.


  • Career
  • Magazines
  • Conferences
  • Study Books
  • Certifications
  • Training
  • Tutorials
  • Quizzes
  • Forums

    • Page Generation: 1.05 Seconds