Welcome to CISSP training: Certified Information Systems Security Professional
Social Engineering - Probability & Uncertainty
Posted by boss on Wednesday, 24 December 2008 @ 10:37:59 EST (174 reads)
Topic Awareness Info

rajapaul writes "

The most common question which has been asked again and again is: how do we stop social engineering? Is there any solution to stop social engineering? The answer is always the same: educate people.

If we go with the definition of social engineering according to Wikipedia, which is: "In criminal activity, social engineering is the art of manipulating people into performing disclosure actions or divulging confidential information."

If we take a close look at the definition, then social engineering is an activity or activities performed by an individual to get a desired result. Different types of activities may be carried out by different social engineers, but the desired result of all social engineers is more or less the same.

Let us consider a cricket match. A bowler bowls with the probability that he is going to get a wicket. It is uncertain whether he is going to get a wicket or be hit for a six, but he tries his best to get a wicket; that's his main goal. Similarly, the batsman is also uncertain what type of ball is going to come to him. But to face the uncertainty the batsman takes all the probabilities (like guarding the wicket, going back foot or front foot while hitting the ball) into account. So the greater the number of probabilities taken into account by the batsman, the easier it becomes for the batsman to face the uncertainty. We can consider the bowler as a social engineer or hacker who wants to break through, and the batsman as the one who is defending against the social engineer at that particular time. Social engineers use all uncertain methods to break in. A security officer takes all the probabilities into account when facing the uncertainty.

What mathematicians call probability is the mathematical theory we use to describe and quantify uncertainty. So we can safely say that

probability = uncertainty

or probability is directly proportional to uncertainty.

So with the increase in probability the uncertainty also increases. So if we are able to decrease or minimize probability, we can minimize uncertainty.

The security officers need to imagine and study the possible uncertainties. I have knowingly used the term imagine. It is said if you want to catch a criminal you have to think and act like a criminal. The same applies here also.

Click on Comments below to leave your opinion and feedback

"



OWASP Hartford: February 2009 (Open Web Application Security Project)
Posted by boss on Tuesday, 09 December 2008 @ 09:33:32 EST (299 reads)
Topic OWASP

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. 

Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

This event will be of special interest to software developers and architects within your organization. We will be featuring Ramesh Nagappan of Sun, who is the author of several best-selling books on SOA and, most recently, the book Core Security Patterns.

We will also have Mary Ruddy of Project Higgins who will provide guidance on incorporating identity into enterprise applications.

The agenda for this meeting is posted at:
http://www.owasp.org/index.php/Hartford

To receive future invites, please subscribe to our mailing list at:
https://lists.owasp.org/mailman/listinfo/owasp-hartford




Fyodor Nmap Network Scanning Book Released!
Posted by boss on Tuesday, 09 December 2008 @ 09:24:46 EST (397 reads)
Topic Vulnerabilities

NOTE FROM CLEMENT:

Nmap is really the mother of all port scanners. It can help you on the defensive side to identify ports that are currently open, new IPs that have just shown up in your production environment, and ports that have been added, deleted, or modified on your hosts. Find out what is happening to your servers as soon as changes manifest themselves. This is really a great tool for regular scanning and discovery of ports and services that should or should not be on your servers. This book is written by Fyodor, the author of Nmap; there is nobody else that knows Nmap better than Fyodor. I highly recommend it to all. See the announcement below from Fyodor:

Nmap Hackers:

After promising you a book on Nmap for years, I'm delighted to finally announce the release of Nmap Network Scanning! It contains everything I've learned about network scanning from more than a decade of Nmap development, plus some bad jokes and (over Time Warner's written objections) pictures of Trinity hacking the Matrix :) . Here is the abstract:

Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals. The reference guide documents every Nmap feature and option, while the remainder demonstrates how to apply them to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.

The planned release date was January 1, but Amazon beat the deadline and is now shipping in time for Christmas! Imagine your loved one's surprise when she (or he) finds nearly 500 pages of port scanning bliss in her stocking!

You can find reviews, sample chapters, and a detailed summary at:

http://nmap.org/book/

Or you can pick the book up at Amazon for $33.71:

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning

It is available on the International Amazon sites too, as well as other online retailers. Your local book store probably doesn't have it yet, but can likely order it for you.

About half of the content is available free online at http://nmap.org/book/toc.html . Chapters exclusive to the print edition include "Detecting and Subverting Firewalls and Intrusion Detection Systems", "Optimizing Nmap Performance", "Port Scanning Techniques and Algorithms", "Host Discovery (Ping Scanning)", and more.

If you enjoy the book, please help spread the word! While my previous books were published by Addison-Wesley and Syngress, this one was self-published. While that allowed me to post half the book online before it was even released, it also means I lose the marketing budget and clout of a major publisher. So if you like the book, please post a review to your blog/site/Amazon or tell your friends about it!

Apparently there was some pent-up demand for the book, as it is currently the 11th best-selling computer book on Amazon. Maybe it will be even higher by the time you read this:

http://www.amazon.com/gp/bestsellers/books/5/ref=pd_zg_hrsr_b_1_2&tag=secbks-20

I'd like to thank the many people who helped make this book possible by reviewing drafts, contributing stories, brainstorming ideas, etc. In particular, I'd like to thank David Fifield, Raven Alder, Matt Baxter, Saurabh Bhasin, Mark Brewis, Ellen Colombo, Patrick Donnelly, Brandon Enright, Brian Hatch, Loren Heal, Lee "MadHat" Heath, Dan Henage, Tor Houghton, Doug Hoyte, Marius Huse Jacobsen, Kris Katterjohn, Eric Krosnes, Vlad Alexa Mancini, Michael Naef, Bill Pollock, David Pybus, Tyler Reguly, Chuck Sterling, Anders Thulin, Bennett Todd, Diman Todorov, and Catherine Tornabene!

And most importantly, I want to wish you all happy holidays!

Cheers,

Fyodor

Get your copy now:

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning


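Added example (not from the book, the Nmap project, or this post): a small Python script that applies Clement's defensive use of Nmap by comparing two scans saved in Nmap's grepable (-oG) output format and flagging hosts that appeared or vanished and ports that were added, closed, or changed state between a baseline and a later scan. The two scans are constructed samples laid out in the grepable "Host: ... Ports: port/state/proto//service//version/" field format; it assumes a version string never contains a comma followed by a port number.

```python
import re

# Constructed sample scans in Nmap grepable (-oG) output format. Hosts, names
# and services are invented for this example; they are not real scan results.
BASELINE_SCAN = """\
# Nmap 4.76 scan initiated (constructed sample)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (998)
Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, 3306/open/tcp//mysql//MySQL 5.0/\tIgnored State: closed (998)
Host: 10.0.0.7 (jump01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

TODAYS_SCAN = """\
# Nmap 4.76 scan initiated (constructed sample)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, 80/open/tcp//http//Apache httpd/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
Host: 10.0.0.9 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Port entries are comma separated; split only before "<number>/" so that a
# comma inside a version string does not break an entry apart.
_PORT_SPLIT = re.compile(r",\s*(?=\d+/)")


def parse_grepable(text):
    """Return {ip: {(port, proto): state}} from Nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment / summary lines
        fields = line.split("\t")         # -oG separates fields with tabs
        ip = fields[0].split()[1]         # "Host: <ip> (<name>)"
        ports = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in _PORT_SPLIT.split(field[len("Ports:"):].strip()):
                parts = entry.split("/")  # port/state/proto/owner/service/rpc/version/
                if len(parts) < 3:
                    continue
                ports[(int(parts[0]), parts[2])] = parts[1]
    return hosts


def diff_scans(old, new):
    """Report what changed between two parsed scans (baseline vs. later)."""
    report = {"new_hosts": [], "gone_hosts": [], "new_ports": [],
              "closed_ports": [], "changed_ports": []}
    for ip in sorted(set(old) | set(new)):
        if ip not in old:
            report["new_hosts"].append(ip)
            for (port, proto), state in sorted(new[ip].items()):
                report["new_ports"].append((ip, port, proto, state))
            continue
        if ip not in new:
            report["gone_hosts"].append(ip)
            continue
        for port, proto in sorted(set(old[ip]) | set(new[ip])):
            before = old[ip].get((port, proto))
            after = new[ip].get((port, proto))
            if before is None:
                report["new_ports"].append((ip, port, proto, after))
            elif after is None:
                report["closed_ports"].append((ip, port, proto))
            elif before != after:
                report["changed_ports"].append((ip, port, proto, before, after))
    return report


def demo():
    """Diff the two constructed scans above."""
    return diff_scans(parse_grepable(BASELINE_SCAN), parse_grepable(TODAYS_SCAN))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Run against real output, replace the two constants with the contents of two files written with `nmap -oG`; an unknown host with telnet open or a database port that went from open to filtered is exactly the kind of change worth a ticket.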


CCCure/OISSG CISSP Workshops -- Middle East, Egypt, and India Grand Tour
Posted by boss on Thursday, 04 December 2008 @ 11:52:41 EST (421 reads)
Topic Training News

cdupuis writes "

 

CISSP Workshops in Middle East, India, and Egypt

CCCure in collaboration with OISSG is proud to announce our Middle East, India, and Egypt Grand Tour.

The tour will take place during the month of January and February 2009.

Many of our members and visitors have asked repeatedly to have workshops that would be closer to their home, in their own country. We are now delivering on the promise that we have made to get some workshops closer to your location. This will save you a large amount of money as you do not have to pay for airfare, hotel fees, transportation fees, and other expenses associated with traveling to a remote training location.

Each of the locations will get an intensive 6 days of training that will help you master the complex topics of the ISC2 Common Body of Knowledge (CBK). Our passing rate speaks for itself: more than 92% of our students have passed their exams on the first try. We even had a few classes with a 100% passing rate.

All of the classes on this tour will be delivered by the world-renowned instructor Clement Dupuis, CD. Clement is the Lead Security Instructor for Logical Security, where he is working side by side with Shon Harris, the famous author of the best CISSP book, the CISSP All In One, 4th Edition. Together they form an unbeatable team and they have put together the best CISSP training package that one can get. Clement is also the owner and maintainer of the CCCure web site, which is the leading web site for CISSPs in the making. He has trained and assisted more CISSPs than any instructor in the world. There are over 75,000 members that have used the site to help them succeed in their studies.

If your country is not included in this tour, there is demand for the class at your location, and you would like to get local training, please do communicate with CCCure or the OISSG and we will be more than happy to help you in setting up a local delivery of this workshop in your country or town.

Visit the OISSG web site regularly as new classes are constantly added to our schedule.

For any questions related to the Middle East, Egypt, and India classes do call or email the OISSG now. 

You can contact the OISSG at:
Tel  : +971 50 9498488
Email : registration@oissg.org

SCHEDULE FOR THE MIDDLE EAST, EGYPT, AND INDIA

Location | Event | Dates
Dubai, UAE | Cutting Edge Hacking and Defense | 20th - 23rd Dec 2008 (4 Days)
Dubai, UAE | Achieving ISO 27001 Certification | 24th - 25th Dec 2008 (2 Days)
Dubai, UAE | OISSG CCCURE CISSP TRAINING | 3rd - 8th Jan 2009 (6 Days)
Dubai, UAE | Computer Crime Investigation Training & Exam Review | 3rd - 8th Jan 2009 (6 Days)
Doha, Qatar | OISSG CCCURE CISSP TRAINING | 10th - 15th Jan 2009 (6 Days)
Doha, Qatar | Computer Crime Investigation Training & Exam Review | 10th - 15th Jan 2009 (6 Days)
Kuwait | OISSG CCCURE CISSP TRAINING | 17th - 22nd Jan 2009 (6 Days)
Manama, Bahrain | OISSG CCCURE CISSP TRAINING | 24th - 29th Jan 2009 (6 Days)
Manama, Bahrain | Cutting Edge Hacking and Defense | 24th - 27th Jan 2009 (4 Days)
Manama, Bahrain | Computer Crime Investigation Training & Exam Review | 24th - 29th Jan 2009 (6 Days)
Manama, Bahrain | Achieving ISO 27001 Certification | 28th - 29th Jan 2009 (2 Days)
Oman | OISSG CCCURE CISSP TRAINING | 31st Jan - 5th Feb 2009 (6 Days)
Oman | Cutting Edge Hacking and Defense | 31st Jan - 3rd Feb 2009 (4 Days)
Oman | Computer Crime Investigation Training & Exam Review | 31st Jan - 5th Feb 2009 (6 Days)
Oman | Achieving ISO 27001 Certification | 4th Feb - 5th Feb 2009 (2 Days)
Riyadh, Saudi Arabia | OISSG CCCURE CISSP TRAINING | 7th - 12th Feb 2009 (6 Days)
Riyadh, Saudi Arabia | Cutting Edge Hacking and Defense | 7th - 10th Feb 2009 (4 Days)
Riyadh, Saudi Arabia | Computer Crime Investigation Training & Exam Review | 7th - 12th Feb 2009 (6 Days)
Riyadh, Saudi Arabia | Achieving ISO 27001 Certification | 11th - 12th Feb 2009 (2 Days)
Cairo, Egypt | OISSG CCCURE CISSP TRAINING | 14th - 19th Feb 2009 (6 Days)
Cairo, Egypt | Cutting Edge Hacking and Defense | 14th - 17th Feb 2009 (4 Days)
Cairo, Egypt | Computer Crime Investigation Training & Exam Review | 14th - 19th Feb 2009 (6 Days)
Cairo, Egypt | Achieving ISO 27001 Certification | 18th - 19th Feb 2009 (2 Days)
GOA, India | Details to be announced soon | 22nd - 27th Feb 2009 (6 Days)

Schedule for Shon Harris Boot Camp Classes in the USA

Beat the 8570 Deadline and Improve your posture in the job market

Below you have all of the classes being delivered in the USA by Logical Security.

The Logical Security offer is really unique and there is no other company that offers you as much as we do. We have taken the bull by the horns and we came out with a solution that is customized for your very specific needs, a solution that will allow you to finally master and pass the CISSP exam.

With the dreaded deadline approaching for the 8570 requirement, it is the best time to get your CISSP certification. Having the CISSP certification is also a differentiator that will allow you to be recognized as a true security professional by your peers and clients as well. It can help you retain your job over non-qualified people, and it makes you a valued asset for your company.

For any questions related to the classes below, please contact our career counselors.

Contact them at (888) 373-5116 ext. 108 or sales@LogicalSecurity.com

Class | Date | Location
CISSP | Oct 27 - 31, 2008 | Washington, D.C.
SSCP | Oct 27 - 31, 2008 | Washington, D.C.
CISSP/SSCP | Nov 10 - 14, 2008 | Shon Harris Online-Live
Introduction to Digital Forensics | Nov 17 - 21, 2008 | San Antonio, TX
CISSP/SSCP | Jan 12 - 16, 2009 | Shon Harris Online-Live
Introduction to Intrusion Detection Systems | Jan 26 - 30, 2009 | San Antonio, TX
CISSP/SSCP | Jan 26 - 30, 2009 | Washington, D.C.
CISA/CISM | Feb 9 - 13, 2009 | Shon Harris Online-Live
CISSP/SSCP | Feb 23 - 27, 2009 | San Antonio, TX
CISSP/SSCP (class delivery by Clement Dupuis) | March 9 - 13, 2009 | Washington, D.C.
CISSP/SSCP | March 16 - 20, 2009 | Shon Harris Online-Live
CISA/CISM | Apr 13 - 17, 2009 | Shon Harris Online-Live
CISSP/SSCP | May 4 - 8, 2009 | San Antonio, TX
CISSP/SSCP (class delivery by Clement Dupuis) | May 11 - 15, 2009 | Washington, D.C.
CISSP/SSCP | June 15 - 19, 2009 | Washington, D.C.
CISSP/SSCP (class delivery by Clement Dupuis) | July 27 - 31, 2009 | Washington, D.C.
CISSP/SSCP (class delivery by Clement Dupuis) | Sep 14 - 18, 2009 | Washington, D.C.
CISSP/SSCP | Nov 16 - 20, 2009 | Washington, D.C.

 

------------------------

Clément Dupuis, CD
CISSP, GCFW, GCIA, Security+, CEH, ECSA, LPT, CCSA, CCSE, MBNS, MBIS, MBHS, ACE
----------------------------------------------------------------------------------------------
In real life:
Senior Security Instructor and System Analyst
Logical Security
>>  Call me to get the best CISSP training  <<
----------------------------------------------------------------------------------------------
In Cyberspace:
President/Security Evangelist/Chief Learning Officer (CLO)
The CCCure Family of Portals
----------------------------------------------------------------------------------------------
Fax: 407 264 8396

Maintainer of:
The CISSP and SSCP Open Study Guides Web Site
http://www.cccure.org

The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org

Knowledge sharing and giving back to the community

"



Detecting Rootkits with Rkhunter
Posted by boss on Tuesday, 02 December 2008 @ 14:44:21 EST (423 reads)
Topic Training News

Anonymous writes "

The Academy has decided to change the rotation of our videos. Instead of users having to wait to see a handful of videos on a weekly basis, we will be posting a 'video of the day' from Monday to Friday. We begin the video of the day with installing, updating and running rkhunter. Rkhunter is a free rootkit detection utility that will check a local system for rootkits, backdoors and exploits by comparing SHA-1 hashes to an online database of known good hashes.

The Rkhunter video, along with every video of the day, will be posted to the 'Featured Videos' section of the website on a weekly basis. They will be moved to the 'Directory' at the end of the week to make room for the following week.

Thank you all for your on-going support and recommendations.

Peter Giannoulis
The Academy
www.theacademy.ca

"

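As an added illustration of the hash-comparison check the post above describes (this is not rkhunter's code and uses no real hash database): a Python script that records the SHA-1 of every file under a directory while the host is trusted, then re-hashes the tree later and reports files that changed, disappeared, or appeared. The directory, its files and the tampering are all constructed inside a temporary folder for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of_file(path):
    """SHA-1 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-1."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha1_of_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, known_good):
    """Compare the tree under root with a known-good manifest.

    Returns the files whose hash changed, the files that disappeared, and the
    files present now that were never in the manifest; each is the kind of
    finding a rootkit checker reports for follow-up."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p, h in known_good.items()
                           if p in current and current[p] != h),
        "missing": sorted(p for p in known_good if p not in current),
        "unexpected": sorted(p for p in current if p not in known_good),
    }


def demo():
    """Constructed scenario: baseline a fake bin/ directory, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\necho 'constructed ls stand-in'\n")
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\necho 'constructed ps stand-in'\n")
        known_good = build_manifest(tmp)   # taken while the host was trusted

        # Simulated tampering after the baseline (constructed for the demo):
        # one binary replaced, one removed, one hidden file added.
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\necho 'replaced ps'\n")
        (bin_dir / "ls").unlink()
        (bin_dir / ".hidden").write_bytes(b"constructed unexpected file\n")
        return verify(tmp, known_good)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest itself must live somewhere the checked host cannot rewrite (read-only media or a remote store), otherwise a tampered system can simply re-baseline itself.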


Eric Cole's SecureAnchor Newsletter, November 2008, Vol 11, Issue 2
Posted by boss on Friday, 28 November 2008 @ 22:42:24 EST (547 reads)
Topic SecureAnchor

cdupuis writes "

November 2008 Vol 11, Issue 2

Security in the News
Your source for up to date security headlines

Apparent Chinese hackers were able to intrude on the White House network and intercept emails between government officials. They were able to do so for brief periods of time before each iteration of systems patching against the intrusions. In this attack, only the unclassified network was breached.
 
An official said, "We are getting very targeted Chinese attacks so it stretches credulity that these are not directed by government-related organizations."
 
The official said this resembles the classic "grains of sand" approach that Chinese intelligence uses, which involves gathering and examining large amounts of low-level intelligence in order to find some good intelligence.
 
American defense contractors have warned that their systems have been compromised, asserting that the Chinese are looking for intelligence about weapons research.
 
The National Cyber Investigative Joint Task Force (NCIJTF), a unit established in 2007 to handle cyber security, alerted the computer security teams to the attacks.
 
The official explained, "For a short period of time, they successfully breach a wall, and then you rebuild the wall... it is not as if they have continued access. It is a constant [game of] cat and mouse."
 
Executive branch computer security types are concerned because of the Chinese hackers' ability to pull off a major attack on the Pentagon's unclassified email network. The Pentagon security professionals had to take the system off for days to repair the systems.
 
U.S. security professionals were finally able to persuade the powers that be that using wireless devices, such as Blackberries, in Russia and China was not a good idea.
 
Sami Saydjari, head of the Cyber Defense Agency, a private computer security company, said, "There is no doubt that foreign governments are actively targeting cyber space not only for sensitive information but to influence our most sensitive processes such as the U.S. presidential election. This underscores the need for President-elect Obama to take leadership in the cyber space race that is well under way."

In This Issue
Presidential Candidates' Systems Hacked
Innocent Britons Might be Able to Get Their DNA out of the Database
City of Los Angeles Traffic Signal Hackers Plead Out
Adobe Releases Patch for Flaw
MySpace, YouTube and Piracy
Possible Passport Fraud Reported by State Department
Spam Email Contains 'Obama Trojan'

Presidential Candidates' Systems Hacked
A "foreign entity" was responsible for hacking the presidential campaigns' computers repeatedly over the summer.
 
The cyber attacks are the subject of a federal investigation, and the motive behind the attacks appears to have been the need to steal information on the candidates' policy positions.
 
Originally, the Obama computer security staff believed that a virus was responsible for various computer behaviors, but the FBI informed them the problem was worse than that.
 
An FBI agent told the Obama staffers that, "You have a problem way bigger than what you understand. You have been compromised and a serious amount of files have been loaded off your system."
 
The McCain camp had undergone a similar attack.

Innocent Britons Might be Able to Get Their DNA out of the Database  
 
The House of Lords in Great Britain voted 161 to 150 to amend the Counter-Terrorism Bill to allow innocent people to apply to have their DNA removed from a database.
 
Baroness Hanham's amendment was, according to her, an attempt to get people to debate the issue. She said, "There is no transparency in the current situation and the dice are severely loaded against innocent people being able to ensure that their most personal details are not kept indefinitely following their exclusion, either by a court or following a decision that there is no reason for them to be involved further in any inquiry."
 
It gets funnier. The way things are done now, if a person is innocent, and therefore the DNA has no apparent use for the purpose for which it is collected, the person could go to the police and ask that it be destroyed. Baroness Hanham said, "the initial response to a request of destruction is an automatic refusal." The police guidelines recommend that those so applying are to be automatically refused, although the chiefs of police have the discretion of destroying the DNA (which is no longer useful or necessary as evidence because the person was innocent) in "exceptional" cases. (It is up to the reader to guess whether money changes hands or if there is a component involving connections and favors exchanged in those "exceptional" cases.)
 
The Baroness summarized by saying, "The balance at present is not in favor of the innocent."
 
Of course, there are those who disagree with this. One of those is Lord West of Spithead. He explained that just because someone's DNA is in the police database doesn't mean the person is guilty of anything. He said the destruction of the sample (after the information represented in the sample had been entered into the database) was sufficient.
 
The Baroness said, "Those who are innocent should not be on any database. They should not be under the eye of the law of this country. They are innocent. They have no truck with the law and their DNA should not [be] passed to Europe for whatever reason simply because it is a chunk of information that the police hold."
 
In the meantime, destroying samples but not database records has resulted in a DNA database which holds the record for being the world's largest. As of June 30, the database contains 4,503,186 records. On March 31, the database had the records of 857,366 people who did not have a criminal record on the Police National Computer.
City of Los Angeles Traffic Signal Hackers Plead Out

The City of Los Angeles suffered an inside hack from two of their traffic engineers. Gabriel Murillo, 39, and Kartik Patel, 36, each pleaded guilty to a felony count of illegally accessing a city computer in August 2006.
 
A city union action was coming up and these two geniuses decided that messing up the traffic signals would somehow help the union's case, or something.
 
Once they accessed the city computer, they stopped communications to the signal boxes controlling traffic lights for four of the city's busiest intersections. Then, using stolen supervisor credentials, they reprogrammed the signal boxes and then locked out access for other managers. The city worked for four days to fix the problem.
 
Under terms of the plea agreements, they must pay restitution, do 120 days or 240 hours of community service, and then, if they complete that within a year, they can have their crimes reduced to a misdemeanor.

Adobe Releases Patch for Flaw

Older versions of Adobe Reader are vulnerable to exploit due to a flaw allowing attackers to craft a .pdf file which runs special JavaScript content.
 
The flaw affects Adobe Reader 8, which was replaced by Adobe Reader 9 in June. Core Security warns that many users are running older versions of the software and should be alert to the problem.
 
Adobe's patch fixes the flaw in versions 8.1.2 and previous, but if the user is unable to apply the patch, disabling JavaScript functionality should be sufficient to serve as a workaround.

MySpace, YouTube and Piracy

MySpace and YouTube had been subjected to a barrage of "takedown" notices: notices that ordered them to take down copyright-infringing video clips that users had uploaded.
 
A new strategy to embed advertising into those clips will allow copyright holders to make money off the content. The technology adds the advertising to the clips which are uploaded.
 
Jeff Berman, president of sales and marketing at MySpace, said, "This is a game-changer. We're going from a world of no to a world of yes while protecting the rights of the copyright holder."
 
Auditude, an American startup, can essentially identify the videos uniquely, analyzing TV and online footage.
 
YouTube has already implemented a system which allows users to remove infringing content or add advertising. 90 percent of the users go with the advertising.

Possible Passport Fraud Reported by State Department
  
Thieves were able to breach database security in the D.C. area and obtain confidential, personally identifiable information of almost 400 passport applicants.
 
The scheme came to light due to a lucky break, as police had stopped a car for (possibly) illegal window tinting and they smelled marijuana. The officers searched the car for drugs but found instead that the 24-year old driver had 21 credit cards in names other than his, and printouts of eight passport applications. With incredible investigative insight, the detectives were able to ascertain that four of the names on passport applications matched names on the credit cards.
 
The driver, Lieutenant Q. Harris Jr. was arrested. He told the police that he worked with confederates at the State Department and the U.S. Postal Service. The investigators called American Express and the operator there told the officers that some of the cards were recently used and had fraud alerts placed on them.
 
The passport applicants who had their information stolen were alerted and Florence Fultz of the State Department's Passport Services division urged applicants whose information had been compromised to "thoroughly review bank and credit card statements and obtain a copy of your personal credit card history." The letter with this warning also told recipients that the government would provide monitoring of their credit report for a year and reimburse lost wages and out-of-pocket expenses from identity theft. Also, a special watch would be placed on the person's information to send notification if another similar passport application was made.
 
This problem is the latest of a series of problems for the State Department since the RFID passports have been in use, including unauthorized access to passport records by contractors and a lack of responsiveness in attempting to issue passports once the new cross-border travel initiatives were implemented.
 
In July, the State Department's inspector general found a lack of controls throughout the system, and that the personal data of 127 million Americans was held by the department which displayed "a general lack of policies, procedures, guidance and training."
 
Ms. Fultz alluded to that fact in her letter when it read, "We are thoroughly examining every aspect of our information security systems and procedures to safeguard against unauthorized access of passport records."
 
No State Department official was allowed to speak of the problem on the record, citing the status of the investigation as still being open. However, an anonymous leak in the form of a written statement said the department has "undertaken a number of immediate and long-term measures to significantly improve the protection of personally identifiable information to include mandatory audits, an enhanced monitoring list, improved training and a revamped reporting system. In addition, we have formed a working group to develop long-term systems solutions to improve the security of these records such as a tiered access system to all passport records." OK, so they are discovering role-based access control. This is a good thing.

Spam Email Contains 'Obama Trojan'

Immediately after the election, massive amounts of spam that promise clips of an "amazing" Obama speech, election news or interviews with Obama's advisors carry malware which can infect users' PCs. Vendors have differing descriptions of the attacks, which suggest that there may be more actors at work than a single source of the spam.
 
The number of spam emails filtered reached into the tens of millions on the first day. Spam is not the only delivery mechanism. A site in Slovenia offers an updated version of Flash, which of course contains the Trojan for download. Other vendor names for the Trojan(s) are "Possible_Crypt" and "Mal/Emogen-N."
 
Graham Cluley of Sophos wrote in his blog that some of the spam claim to be from the "American Government Official Website." He also wrote, "The emails, which have subject lines such as 'Obama win preferred in world poll' and claim to come from news@president.com, have accounted for approximately 60% of all malicious spam seen by SophosLabs in the last hour." Clicking on a news link takes the user to a page which can download a Trojan masked as a version of Adobe Flash 9, but actually contains the Trojan identified by Sophos as "Mal/Behav-027."
 
The emails touting the Obama speech take a user to the website on which 'Barack.Obama.exe' can be downloaded. A Websense spokesman explains what happens next: "The file is a Trojan downloader, which upon execution drops files into the system directory and unpacks a phishing kit, compromising all data on the victim's PC. Major anti-virus vendors are not detecting this threat."
 
Other variations use Time Magazine and La Republica (Peru) to give name recognition that might cause users to click on the bad links. Additionally, there is a 'BarackObama.exe' file on a compromised travel site. This one drops files called 'system.exe' and 'firewall.exe' onto the victim's system directory and unpacks and installs executables locally. The 'hosts' file is also modified.
 
Another variation has the user being told they need a new version of Flash to watch the video. The user then downloads a file called 'adobe_flash.exe', which is actually a Trojan packed with ASPack. According to Websense, "Upon execution, a rootkit is installed on the compromised machine, and the victim's data is sent to multiple command and control servers."
 


Our mission is to keep your business focused by helping you navigate the sea of security threats you face on a daily basis. Secure Anchor provides creative solutions that keep you ahead of the attacks and provide peace of mind that your critical assests are securely anchored.  In addition we are busy developing software solutions to meet the threats of tomorrow.
 
Sincerely,
 
Eric Cole
Secure Anchor
 
Pointsec Protector provides a policy-driven mechanism that secures an organization's sensitive information by controlling data that enters and exits a PC or server via removable media and I/O devices on any port (USB, Firewire, IDE, Bluetooth etc).

Are you...
- An enterprise business or government agency
- In banking/financial services, federal/local government, healthcare, business services, technology and/or manufacturing
- In control of devices connecting to machines in your network
- At risk if critical data is lost

Do you need to...
- Reduce financial risk of lost or stolen data on personal devices connected to PCs or servers
- Comply with regulatory mandates
- Integrate into existing infrastructure
- Reduce operating costs

Let us send you a FREE USB device which contains a discovery tool to detect what your exposure to Data Loss is. If you would like one, just send us an e-mail at newsletter@secureanchor.com and we will send it right out.

Secure Anchor | 11951 Freedom Drive | 13th Floor | Reston | VA | 20176
"



NoticeBored Newsletter, December 2008, Securing your IT Gizmos
Posted by boss on Friday, 28 November 2008 @ 22:27:17 EST (424 reads)
Topic Awareness Info

cdupuis writes "
NoticeBored dot com Information security awareness newsletter
December 2008 - Securing IT gizmos
Dear Clement,

Portable IT devices such as cellphones, PDAs, USB memory sticks, GPS units, iPods and laptops are a ubiquitous part of modern life but, unfortunately, they are also commonly involved in serious information security incidents. Information security risks can undermine the personal and business benefits of gizmos.

As new gizmos and hacks are appearing all the time, it’s important for information security professionals to be alert to the emerging security risks. The trends toward lower prices, digital technologies, device miniaturization, increased memory and CPU capacity, and longer battery life, are all too clear from the advertisements. Strangely enough, the security risks associated with portable IT and teleworking are not quite so obvious.

Will Santa be bringing you gizmos for Christmas?

Enjoy the free newsletter and do get in touch if we can interest you in becoming a customer for the remaining NoticeBored awareness materials.

Kind regards,
Gary Hinson
CEO, IsecT Ltd.
Download the newsletter (~106kb PDF)
Copyright © 2008 IsecT Ltd. Information in the newsletter is provided free, for information only and 'as is'. Whilst believed correct, it is in no way comprehensive. It is provided for interest only and is not intended to be relied upon as formal advice. No liability is accepted for any errors or for any losses that may be incurred if any such information is relied upon. You may freely distribute the PDF version of the newsletter intact (including the copyright notice and attribution) but please let us know if you intend to post it on the web. Find out more about NoticeBored here.

"



Keyboard emanation and security
Posted by boss on Wednesday, 26 November 2008 @ 14:22:07 EST (467 reads)
Topic Awareness Info

cdupuis writes "

NOTICE FROM CLEMENT:
This is an article talking about very old attacks based on wave emanation. However, it is still very much a threat that could take place today. It is revisited to make people aware of the threat. See info below:

Hello,

An interesting article concerning the compromising of electrical emanations (TEMPEST) of wired keyboards:

http://lasecwww.epfl.ch/keyboard/

Cheers,

kralor - HiC & [Crpt]

"



Guide to Securing Microsoft Windows XP Systems by NIST
Posted by boss on Wednesday, 26 November 2008 @ 14:18:11 EST (475 reads)
Topic NIST

cdupuis writes "

NIST released 2 publications - 1 Federal Information Processing Standard (FIPS) and 1 Special Publication (SP). All links below point to the NIST CSRC website - see below for details:

#1: FIPS Publication 180-3 Secure Hash Standard (SHS) has been released

The National Institute of Standards and Technology (NIST) is pleased to announce the approval of Federal Information Processing Standard (FIPS) Publication 180-3, Secure Hash Standard (SHS), a revision of FIPS 180-2. The Federal Register Notice (FRN) of the approval is available here. The FIPS specifies five secure hash algorithms for use in computing a condensed representation, called a message digest, of electronic data. The five secure hash algorithms are used with other cryptographic algorithms, such as digital signature algorithms, keyed hash message authentication codes or in the generation of random numbers.

URL to -
Federal Register Notice:
http://csrc.nist.gov/fedreg/FedRegNotice_Approval-FIPS180-3.pdf

FIPS 180-3 document:
http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-180--3

--------------------------------------------------------------------------------

#2: NIST Releases Special Publication 800-68 Revision 1

Special Publication (SP) 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, has been published as final. It seeks to assist IT professionals in securing Windows XP Professional systems running Service Pack 2 or 3. The guide provides detailed information about the security features of Windows XP and security configuration guidelines. SP 800-68 Revision 1 updates the original version of SP 800-68, which was released in 2005.

URL:
http://csrc.nist.gov/itsec/download_WinXP.html

"



CISSP Exam – Learning Above Technology & Understanding Security in a Holistic Manner
Posted by boss on Friday, 21 November 2008 @ 11:00:25 EST (525 reads)
Topic ISC2 Org

cdupuis writes "August 27, 2008 CISSP Exam – Learning Above Technology And Understanding Security In A Holistic Manner

 

For years I have heard people complain about having to learn things for the CISSP exam that they would never use in their life. When I was studying for this exam several years ago, I said the same types of things. I also hear people saying that they have to learn security through (ISC)2's view for this exam, which does not match reality. The thought behind both of these statements is that someone would have to memorize items for the test that are not helpful in their career – thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.

I have found that since I have written books and taught CISSP classes for many years, I understand the material at a much greater degree than I would have if I just studied and took the test and moved on with life.

The things that people complain about having to learn (Bell-LaPadula, Biba, Clark-Wilson, etc.) are very beneficial to their understanding of security in a holistic manner instead of just focusing on their original thought of what makes up security. Many technical people seem to think that learning anything above technology is a waste of their time. This is a common thought pattern because they are stuck in a realm that dictates that anyone who does not understand technology like they do is inferior. But companies are not in business just to have software and networks in place. The software, network, and systems are just some of the tools the company uses to support and further their business. So understanding things that are above technology, commonly referred to as soft skills, is actually more critical in the world of business – which is where we all live and work.

Although I am pretty disappointed with the way that the questions on the CISSP exam are worded (confusing, vague, subjective), I have a great appreciation for the actual Common Body of Knowledge (CBK). I was a security consultant before I took the exam, and then I wrote books and taught CISSP – and I am still a security consultant, but my knowledge base and view on security have drastically changed.

I, like most people, focused on the security topics I was to perform in my specific job. At the time on-line banking was just coming to the market (yes, I am that old) and I worked with programmers, software architects, project managers, analysts, and end customers – all focusing on on-line banking. I sure as hell was not interested in the different types of fire suppression, access control models, trusted computing base or anything outside of my domain of topics that I lived, worked and breathed in.

Part 1 of 5 extracted from an original article written by Shon Harris entitled:

The CISSP Exam is Out of Date, Irrelevant, and Subjective
Busting through the Myths of the CISSP Exam

Read Part 2 - Training For CISSP - The Early Days

Read Part 3 - Preparing For CISSP Exam – Is It Really A Waste Of Time To Learn About The Wide Spectrum Of Topics Covering Security?

Read Part 4 - Learning Security Through The View Of CISSP Versus Reality

Read Part 5 - CISSP Exam – Having The Right Perspective On The World Of Security

"



Earn CPE credits by viewing videos on The Academy
Posted by boss on Thursday, 20 November 2008 @ 19:02:52 EST (558 reads)
Topic Training News

Anonymous writes "

With this update we're first demonstrating Astaro's content filtering and anti-portscan abilities. We continue by introducing our first Tenable Security Center videos. These are just the start of some very cool videos for this product. Wrapping things up for this update is a video on how you can use Tor to surf anonymously. I actually made a video about Tor for SearchSecurity a couple of months ago, but I had some users request that I include a Tor video on The Academy. Enjoy!

Just a quick reminder to any CISSP or SSCP certification holders - you can submit CPE credits for the videos that you view on The Academy.

New videos:
Configuring & testing Astaro's IPS Anti-Portscan
Content filtering with Astaro's Security Gateway
Generating PDF reports with Tenable Security Center 3
Performing a scheduled credential scan with Tenable Security Center 3 & Nessus
Performing a network process audit scan with Tenable Security Center 3 & Nessus
Surfing anonymously using Tor

Thank you all for your on-going support and recommendations.

Peter Giannoulis
The Academy
www.theacademy.ca

This update has been brought to you by Check Point Software Technologies, Sourcefire, Peer1 and OSSEC.

"



Five Things ISC2 can do to improve the CISSP certification
Posted by boss on Monday, 10 November 2008 @ 21:14:35 EST (1012 reads)
Topic ISC2 Org

cdupuis writes "

Today there was a good question asked on linkedin at:

http://www.linkedin.com/answers?viewQuestion=&questionID=358240&askerID=23753864&trk=advq&goback=.hom.mid_836787175

The question from James McGovern was:

What are five things that ISC2 needs to do in order to improve the credibility of the CISSP credential?

CISSP is viewed as an introductory credential that covers the surface of the ten domains. What do you think ISC2 should do to make CISSP even better?

Fees?
Transparency?
Depth?
Others?

I felt compelled to provide an answer to the question. Unfortunately the LinkedIn comment system does not allow for more than 4000 characters, which was not enough for my reply. So see my full comment below:

Good day James,

This is really a great question that should have been asked by ISC2 of their members and other people who are not members a VERY LONG time ago. However, I am not dreaming.

ISC2 has been and still is unable to communicate efficiently. One day they are a member organization and the next day they are not. This communication problem is not something new; it has been reported on many occasions and by many people in the past. However, things do not seem to improve much over the years. We will see what 2009 has in store for us.

Here are a few things that ISC2 can do to make themselves more transparent and to improve the image of the CISSP certification:

1.  START ACTING LIKE A CERTIFICATION BODY

The relation between ISC2 (the non-profit side) and their training arm is dubious at best and as close as you can get to a conflict of interest without getting into one. When any certification body becomes a training entity, often times that entity will lose its focus on what is most important, which is the certification itself.

Instead of having their sales people talk trash about other people's training offerings, they should start publishing a clear and transparent process on how a training institution can become a recognized training institution under the ISC2 approbation process. The recognition should not be based on the fact that they are using the ISC2 courseware and sharing profit with ISC2, but on a fair evaluation of the training material and an evaluation to see how it matches the exam objectives and how well it is presented and delivered.

Unfortunately this does not exist and this is why it makes me sad that their sales people are talking trash about other companies' training material when they know nothing about their courseware and the delivery of the material. I am talking from a very recent experience that happened to me here. I can challenge any of the salesmen at ISC2 to get out of their cubicle and sit in my class; then they can judge me and my training. Until then it does not reflect very well on them: if the only way you can sell seats in your classes is by talking trash about others, your courseware must be in dire need of updates.

EXAM AVAILABILITY

More transparency has to exist on that side as well. It is often times VERY HARD if not IMPOSSIBLE to get an exam scheduled for the students that a training institution has in its classrooms, even if the adequate number of students is there to justify running such an exam, even if there are plenty of proctors that can supervise it for free. It does not make sense to face such a rebuttal.

Denying or making access to the exam hard this way only affects the students and the certification as a whole. It is time to stop playing games. Why is it possible for ISC2 to deliver exams when they are combined with their own training classes but not when it is a third-party training class? It does not make sense and I cannot see a fair reason as to why some people are getting denied access to the exam.

Lately I have received dozens of messages from people in places such as India where exams are not regularly conducted, and they were telling me that the upcoming exams are sold out and they must wait until next year to attempt the exam. This is not what I call customer service.

If the number of registrations and the demand justify having a second exam room for the exam then so be it. Any other business that acted this way would lose its customers, and this is what will happen if ISC2 does not start looking after its customers better. They are the sole choice today but that could change very quickly in the near future.

THE FAMOUS COMMON BODY OF KNOWLEDGE


I have grown sick and tired over the years of hearing about the unseen CBK. Everyone refers to it but nobody has ever seen the official version of it published as a document by ISC2.

The current candidate information bulletin is totally useless as a tool to prepare for this exam. Why can't I get a good guide from ISC2 that will tell the student how to prepare for this exam, what exam objectives they will be tested against, and to what depth they will be tested? The student needs to know the details of each domain, not a few high-level bullets as presented in the candidate bulletin.

It is time that ISC2 start offering copies of the CBK to anyone who wishes to get a copy for free as a PDF file.  DHS has just released their EBK and they are doing the right thing.  A secret CBK has no value as far as I am concerned. 

The DHS CBK will be updated every two years. How many changes have you seen in the CISSP CBK in the past six years?

NOBODY should have to register and then be harassed by the sales people in order to get a copy of the CBK. The CBK has to be publicly available to all in its entirety. WHY do you need to force people to register for a document that should be PUBLIC anyway? Collecting only the email address would be more than enough if you wish to let them know about updates.

I agree with keeping the master copy on the ISC2 site but it should not require registration. The only reason that registration is used at this moment is to pass the info to their sales people, which allows them to talk trash about others being UNOFFICIAL training. Considering there is no way to get someone's courseware authorized, why are they using such tactics? CompTIA will certify courseware from other training entities and they have a well-documented process to do so. Why is ISC2 not doing the same thing? Thinking only they can produce quality courseware for the CBK is futile at best.

In summary the CBK is in dire need of an update. It is time to get the OLD and OUTDATED topics that NOBODY uses today out and make room for some relevant and up-to-date content. There is so much happening in security every year that doing updates only every 3 to 4 years is not enough.

CPE

The acronym CPE has become synonymous with Continuous Payment Econosystem

CPE should not mean $$$$

CPE activities should be offered to the members as a benefit and not as money-making activities. Why can't we get online and live seminars for FREE? Why can't I get a conference of great quality for FREE? If Defcon, OWASP, and many other organizations that are MEMBER ORIENTED can do it, WHY can't ISC2 do the same?

If our organization had no money in the bank I would understand, but with many millions in the bank it is time that some of this money be spent for the benefit of the members, as it was gathered for the most part from the members. A couple of years ago there was over 15 million in the bank. Today that number might even be higher. What for...

I need 20 CPE per year! WOW, what a challenge! Half of those can be obtained by subscribing to security magazines. Does this really prove my continuous education? Most likely not.

The WHOLE CPE system has to be revised to add value to it, to show that the CPEs submitted are in fact related to being a CISSP. Such a system would be very complex and would require human intervention; a random audit once in a while is not enough to keep the CPE as a valid gauge of one's professional development.

WHAT METRIC DO THEY USE TO GAUGE SUCCESS

Over and over again I hear officials brag about having reached 50K members, 60K members, and even more today. What does this number prove if we as a group don't impact the security community and influence it?

Gauging success by the total number of people who have received their certification over the past 12 months is certainly NOT a valid metric. If I remember correctly this is how many of the well respected and valued certifications out there have lost their value.

You need to show more than numbers. You need to be looked at as leaders and a community that is playing a very active role in all facets of security.

I am still waiting for an official at ISC2 to come out with some other metrics and the ability to demonstrate the impact that ISC2 has on the security community overall. What is the support that ISC2 has provided to their membership over the past 12 months? How have they helped "JOE the security guy" in his daily job after he became certified?

Start giving me significant metrics.

MAINTENANCE FEES

When I first got certified over ten years ago the maintenance fees were $85 USD back then. I could understand that with 12 CISSPs in Canada it was necessary to charge that much money to keep the site up and running, to give me access to the web submission form for my CPEs, etc... etc...

However, today we have over 60,000 members and I do not understand why I still have to pay the same price.

Normally supply and demand will drive prices down. Does ISC2 need to collect more than 5 million dollars in maintenance fees every year to give me that service today?

The certification world is the ONLY place where I have seen prices that never get affected by supply and demand. It is the only place where I have seen prices go up as there was more demand. Exams that used to be $250 are now over $500. WHY?

Considering the exams are being run by volunteers, and considering the production cost per person for the exam greatly decreases as the number of exams offered increases, I fail to understand WHY it costs so much.

If an organization were really concerned about the good of the common wealth and improving security overall, it would also make every effort to ensure the certification path is accessible and affordable.

There is no need to pay that much for a certification. If at least people were still getting a nice wood-mounted plaque with their certificate on it, that would justify some of the cost. However the opposite happened: we are being charged more for less as the volume increases.

I must be in the wrong line of business....

CLEMENT WHY ARE YOU MAD?

First let me tell you that I am not mad at all. I am writing this with an ironic smile on my face. I am simply very disappointed to see how much energy is wasted on futility versus being used for us the members and us as a priority.

Will the points above change in the near future? I doubt it.

I think a new organization will see the light before we can turn the current organization around.

I know I am an idealist with my sharing-for-free ideas, but there are still people out there who REALLY believe in helping others and they also believe in doing it openly without money being their main objective.

Best regards to all

Thanks for reading my rant

Take care

Clement

P.S.  PLEASE CLICK HERE OR ON THE comments LINK BELOW TO LET US KNOW YOUR OPINION AS WELL

 

"
