cissp CISSP training Certified Information Systems Security Professional

Viruses and Digital Signatures

Posted by cdupuis — 2010-03-06T08:29:21-05:00

Recently, Symantec received some malicious files which appeared to be signed by “Adobe Systems Incorporated”. On closer inspection, however, it was seen that the signature was just a ruse used by the malware author to give an air of legitimacy to the files. Virus writers are getting smarter and going that extra mile to digitally sign their files. Using this technique the malware authors could, for example, penetrate an environment where only signed files are allowed but the authenticity of the signature is not checked.

Although the files are signed, they are signed using an unauthenticated CA (Certificate Authority) which is masquerading as Verisign. A CA is a trusted third party that issues and signs the certificate and vouches for the authenticity of the file. Each CA should be registered and therefore recognized globally as a trusted signer. The signature on the certificate is verified by the signer’s public key.

What the malware authors have tried here is to create their own CA and attempt to use it to sign these malicious files. They chose a misleading name for their CA, namely "Verisign", but their private key used for signing will obviously be different from the authentic Verisign CA key. Therefore this renders their CA untrustworthy so that, while the file still has a valid signature, it is not from the real Verisign CA.

Also, although the file is correctly signed by a company called "Adobe Systems Incorporated," that company has been certified by their fake Verisign CA and therefore has no meaning or relation to the real "Adobe Systems Incorporated."

Shown below are the real and fake Verisign CA signed files. On the left you can see that the certificate chain is not trusted all the way to the root where as on the right side (a real Adobe file) the certification chain is trusted up to the root.

On Windows machines with User Access Control enabled, a warning similar to the one shown below will be displayed (warning that the publisher is unknown).

So, in a nutshell, creating “authentic-looking” certificates to make malicious files look legitimate is a trick which virus writers are employing to challenge today’s sophisticated security mechanisms. We have written about certificates being abused previously. The following blog article has more information: Phishing Toolkits Attacks are Abusing SSL Certificates.

So, play safe, and check the authenticity of the signature whenever one is present.

See original article on the Symantec Blog at: http://www.symantec.com/connect/blogs/viruses-and-digital-signatures

SQL Injection and Parameter Manipulation video clips

Posted by cdupuis — 2010-03-03T11:17:55-05:00

NOTE FROM CLEMENT:
These two videos are very nice videos that demonstrate in simple terms what SQL Injections are and also what is Parameter Tampering. It is not for the purpose to learn everything there is to know about the subject, that would take weeks, the goal is to educate people and developers on the issue. They are great because of their short length and I like the animations as well. One picture is worth a thousand words they say. In this case on minute of video clip is worth 10 minutes of talks. I will most certainly use them in some of my classes. Job well done. Clement

One of the biggest challenges of the security community is to build true SDLC (Secure development Life Cycle).

The biggest obstacle is that application developers at large lack the know-how and motivation to address application risk.

At Checkmarx labs we thought that a new approach to application developers might help them cross the barrier.
We have developed as a pilot including two short animated clips that should help developers understand security flaws, how they can be detected and consequently prevented.

We built one clip for SQL Injection and another for Parameter Tampering - limited up to 5 minutes each.

We would appreciate feedback from the OWASP community whether the effort is meaningful and should it be extended.

Please feel free to use the clips freely.

The clips can be found at:

SQL Injection : http://www.youtube.com/watch?v=vjDrseRLyuA&hd=1

Parameter Tampering: http://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1

Yours,

Maty Siman, CISSP
CTO
Checkmarx

NATO CISSP Study Group in Brussels

Posted by magian — 2010-02-23T19:20:02-05:00

We are starting a NATO-wide CISSP Study Group at NATO HQ in Brussels, Belgium.

Anybody interested in joining needs to be able to access the HQ compound.

If you are interested, please respond to smortimer (at) magiansystems (dot) com.

Anyone studying in Kansas City for the Aug 7th test?

Posted by wpeterson — 2010-02-18T20:18:19-05:00

I am looking for study partners for the CISSP Exam in Kansas City, Kansas City, KS on Aug 07, 2010. I have a full time job, so this would need to be done in the evening or weekends. We could possibly meet by phone weekly or bi-weekly. If you are interested, please respond to wpeterson@techie.com.

Thanks,
Wendy

Join SecurityVibes and exchange information with your peers!

Posted by — 2010-02-16T09:44:44-05:00

DLP, Cybercrime, Vulnerabilities, Malware, Compliance, Cloud Security... How does this relate to you? Want to share your opinion? Interested in knowing what your peers have experienced?

Easy, ask for an invite today and join SecurityVibes!

Security Vibes is an online community for CSOs to exchange information, share thoughts and opinions and learn from your peers. With 100 existing UK members, as well as similar active communities in France and the US, we are looking to increase the number of participants by inviting CIO and CSO level executives to join this exclusive community. Security Vibes is the first closed community dedicated to infosec professionals. It operates under strict Chatham House rules and a strict no-vendors policy, which means that members can share views and insights amongst those with similar interests and concerns in complete confidence.

Membership is by invitation only and benefits of membership include: online discussion forums, access to cutting edge multi-media content and analysis such as videos, podcasts as well as real life networking events, called CSO Interchanges, where members can meet in person and swap ideas and learn from each other and hear from industry experts and fellow members.

CISSPs belonging to Security Vibes can also earn CPE credits for their significant SecurityVibes content contributions. In line with (ISC)2’s CPE Guidelines, CISSPs earn 10 CPE credits for their first published article and one additional credit for every subsequent hour spent posting content to the SecurityVibes.com site.

If you’d like to find out more about joining please visit the website at: http://www.securityvibes.com or to apply for membership at http://www.securityvibes.com/request_invite.php

The Rugged Software Manifesto

Posted by cdupuis — 2010-02-10T08:43:31-05:00

The three authors of the manifesto are Josh Corman, an analyst with The 451 Group; David Rice, formerly with the National Security Agency and author of Geekonomics, a book about the real cost of insecure software; and Jeff Williams, the chairman of OWASP, an organization focused on Web application security. The trio announced the project at the SANS Institure AppSec Conferenc in San Francisco Monday.

The Rugged Software Manifesto

I am rugged... and more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Official Announcement Document -

If you want Rugged Software, join us and help define the principles, and technologies that will help others become Rugged too. Our first project is to define how people and organizations can know if they are Rugged.

Visit their website at: http://www.ruggedsoftware.org/

Job Opportunity in Dubai for a Senior Incident Response Investigator

Posted by cdupuis — 2010-02-09T20:50:41-05:00

Subject: Date: From:

[htcia] Job Opportunity - Dubai

Tue, 9 Feb 2010 11:34:36 -0500

sanson@forwarddiscovery.com

All,

Forward Discovery has an immediate opening in Dubai, UAE for a Senior
Incident Response Investigator. The position requires thorough
knowledge of network technology as it relates to the response and
investigation of computer network incidents. Candidates should
possess a thorough and current knowledge of network threats and attack
vectors. Candidates should also possess current skills in computer
forensic analysis as it relates to network investigation and incident
response.

Additional skills and experience required include:

· Malware analysis

· CERT or Incident Response policy and procedure development

· Excellent written and oral communication skills

· Four-year degree, preferably in a related field

· Experience with Windows, Unix and Linux operating systems

· Experience in managing people and projects

· Log analysis in the detection and investigation of intrusions

· Experience working for telecommunications companies preferred

· Computer programming skills are preferred

· Certification in computer forensics is preferred

Compensation package will be dependent upon relevant experience but
will range from $100,000 to $150,000 plus housing allowance.

The POC for this position is Steve Anson at:
sanson@forwarddiscovery.com

More evidence of value of security certification -- Part 2 of 5

Posted by cdupuis — 2010-02-09T17:33:03-05:00

This story appeared on Network World at
http://www.networkworld.com/news/2010/020810-security-certification.html

More evidence of value of security certification

By M. E. Kabay, Network World
February 08, 2010 12:04 AM ET

This is the second of five articles discussing the benefits (if any) of security certifications in the job market. In the first article, a number of studies suggested that certifications do indeed improve prospects for hiring and higher salaries.

In this article, I conclude the review of recent studies and surveys with yet more encouraging news for holders of security certifications.

* * *

In June 2008, NetworkWorld writer Jon Brodkin pointed out that "Overall, the value of 164 IT certifications measured by Foote dropped 4.9% the past two years and 1.6% in the six-month period ending April 1 [2008]." However, Brodkin wrote, "Some certifications are bucking the trend and rising in value. IT security certifications rose 3.1% in value over the past two years and 1.2% in value in the last six months. Certain types of security skills are seeing dramatic growth. A 27% rise in value was measured for the Certified Information Security Manager designation, just in the past six months. In second place with a 25% rise in the last six months was the GIAC Security Expert cert."

In a follow-up article, Brodkin reported on a survey carried out for the International Information Systems Security Certification Consortium, (ISC)^2, which showed "that holders of the CISSP, SSCP or CAP certifications who work in the Americas and have at least five years experience earn [an average of] $102,376 per year – more than $21,000 higher than IT pros who also have five years experience but lack the certifications."

Reporting on the popularity of security certifications, Joan Goodchild of CSO Magazine wrote about a CompTIA survey that came out in late October 2009. The study of more than 1,500 IT workers found that many of them planned to pass certifications in security, ethical hacking and digital forensics.

Goodchild added …[M]ore companies are requiring IT security certification…. [T]he number of organizations where IT security certification is required has increased by half and is continuing to grow; 32% of employees were required to have certifications in 2008, compared to 20% in 2006.

Foote Partners maintains a database with constant updates to produce its annual "IT Skills and Certifications Pay Index." The latest edition (as of this writing in the first week of January 2010) includes "data collected through January 1, 2010." A 55-page PDF sample of the $2,500, 305 page quarterly report ($9,750 for a year's worth of reports) is available free online to illustrate the format of the report (most of the charts have been redacted to blanks).

Among the 201 specializations studied by Foote Partners, 34 certifications specifically involve security, auditing, forensics or penetration testing.

Founder David Foote, who also serves as Foote Partners' CEO & Chief Research Officer, was quoted in a Dec. 31, 2009 interview in a Bank Information Security podcast as saying that "Information security is the hot career option for professionals in 2010 and beyond." He was also interviewed back in August 2009 by Carolyn Gibney of SearchSecurity and said much the same thing: "Foote says there's reason for those in the security industry to be optimistic."

The Jan. 5, 2010 issue of the System Administration and Network Security (SANS) NewsBites started with the following assertion in an advertisement for the organization's courses:

The hottest security skills employers are seeking for 2010:

1. Red teaming/penetration testing (systems/networks and applications)
2. Forensics
3. Security essentials
4. Reverse engineering malware
5. Auditing networks and systems (hands-on testing)
6. Intrusion detection
7. Security management and leadership
8. Securing virtual systems
9. CISSP certification

Plus: Effective presentation skills for security professionals.

This last point is important: in addition to technical skills, communications and management skills are valuable to IA professionals. Recently Paul Dorey, chairman of the Institute of Information Security Professionals in Britain, was quoted as follows:

"We are entering a time when IT security people are going to have to move from being merely advisers to the business to real professionals whose views are listened to," he said. As IT supports every aspect of life, security breaches become potentially life-threatening or disastrous for their organisations. Just as bridge designers and structural engineers work to common and consistent standards and are therefore respected, he said, so security professionals should command the same level of respect.

For that to happen, security professionals need to communicate effectively with a wide range of disciplines – including audit, risk assessment and compliance, IT and engineering. "They need to be like chameleons to fit into those disciplines," he said. "You may not become an expert in them all, but you must at least don the facade. ... Get some mentoring to help you understand them."

In the next article in this five-part series, I'll look at the wider context of certification and licensing for a range of professionals in the United States and point to the efforts beginning in the early 2000s to force certification for IA officers in the U.S. Department of Defense.

Read more about security in Network World's Security section.

Stupid rebates for Stupid Clients

Posted by cdupuis — 2010-02-09T10:17:22-05:00

Rebates, Rebates, and Rebates.

Are they all great and fantastic for you as a customer? Not always for sure. I have received another one in my mailbox today and as I was reading it I asked myself: Do they really think that people are that stupid?

When I see advertising where they offer a FREE laptop, a free Kindle, rebate of $500 to the person you refer, or a gift card for referral I am always asking myself how can they offer such freebies? Then my brain come to it's senses and the response is: THERE IS NO FREEBIES -- YOU ARE PAYING FOR IT YOURSELF

You the customer have to pay for those freebies. If you look at the price of the classes associated with those freebies you will quickly realize that many vendors think that you are stupid and you cannot add 1 + 1. They are simply overcharging you and then they give you a gift to make it look OK.

If I overcharge you for my classes then I can offer freebies as well. However, I think this would be against my ethics. A company should simply give the best price they can while delivering quality training. If the only reason people attend such class is to get a freebie instead of getting great content and outstanding skills and knowledge it means your class does not have much to offer in the first place.

When classes are overpriced, you are the person who pays for those freebies that's for sure. Do look at the price before the freebie is being offered, the price is so outrageous that they can offer freebies and still charge you more and make more money than most vendors out there. You will quickly notice that there is no free lunch, you are the one that is paying for the freebie because the class price is way too high in the first place. There is no SPECIAL at all.

At Security University we currently have an offer for a two for one, our normal class price is already heavily discounted but if you come to the same class with one of your colleague you can split the cost of the class in two. This gives you an amazing class for a very low price. Do check it out, you will see that we do not use complicated scheme, we like to keep thing easy and straight forward. Simply come with a friend of a colleague and you pay half of the normal price which is already lower than most vendors out there. Check it out and you will not be disappointed. This is about $1300 per person which is a great deal considering that our faculty has only Security Instructors that are well known and that have dozens of years of experience on average. We don't hire people who reads slide to you. We hire the best and only the best. If your are really found on having a freebie, we can sell the class to you at $2695 and give you a kindle or a $100 gift card. :-(

At Security University we also believe in being a responsible community player as well. Over the next three CISSP classes we will deliver we have 16 student who had paid for classes with Vigilar Intense School but their money was lost due to the closing of Vigilar Intense School. We have offered free seats to those students to help them offset the losses they have suffered. This is what responsible organizations do to help the community. Ask the freebie givers out there how many seats they have given for free?

In closing, I just want to say: Do not be stupid and don't get lured into freebies that you pay yourself. Who cares about a Kindle that cost you three times the prices when you look at the price fo the class compared with what others are charging. Get your money worth, train more people, use your training budget adequately. This is what this is all about. Not about overprice classes with so called freebies.

Best regards to all

Clement Dupuis
Senior Security Instructor and Evangelist at Security University
(Very tired of vendors who thinks we are all stupid and hope we will fall pray of stupid rebates)

Official (ISC)2 Guide to the CISSP CBK, Second Edition

Posted by cdupuis — 2010-02-04T21:23:44-05:00

NOTE FROM CLEMENT:

The long awaited update to the Official ISC2 Study Guidewas finally released at the beginning of 2010. The first edition was severely criticized due to the many errors, contradiction, and mistakes that were in the book. It seems this version went through a lot more thorough Technical Editing process where CISSP's and the different authors have scrutinized each of the chapters to ensure accuracy. The book has gained more pages as well. The previous edition was filled with a lot of fluff such as appendixes, glossaries, etc... This one seems to be content oriented. I have not read through the whole book yet. If you did read through the whole book I would be VERY interested in getting your feedback. If you do find any errors, mistakes, or contradictions, I have created a new forum to post them and discuss them with others as well.

Visit the link below to give us feedback about the new book:

https://www.cccure.org/forum-6.html

If you do find any mistakes, visit the link below to contribute them to the forum reserved for that purpose:

https://www.cccure.org/forum-74.html

Product Description

With each new advance in connectivity and convenience comes a new wave of threats to privacy and security capable of destroying a company’s reputation, violating a consumer’s privacy, compromising intellectual property, and in some cases endangering personal safety. This is why it is essential for information security professionals to stay up to date with the latest advances in technology and the new security threats they create.

Recognized as one of the best tools available for the information security professional and especially for candidates studying for the (ISC)2 CISSP examination, the Official (ISC)2® Guide to the CISSP® CBK®, Second Edition has been updated and revised to reflect the latest developments in this ever-changing field. Endorsed by the (ISC)2, this book provides unrivaled preparation for the certification exam that is both up to date and authoritative. Compiled and reviewed by CISSPs and (ISC)2 members, the text provides an exhaustive review of the 10 current domains of the CBK—and the high-level topics contained in each domain.

Unique and exceptionally thorough, this edition includes a CD with over 200 sample questions, sample exams, and a full test simulation that provides the same number and types of questions with the same allotment of time allowed in the actual exam. It will even grade the exam, provide the correct answers, and identify areas where more study is needed.

Earning your CISSP is a deserving achievement that makes you a member of an elite network of professionals. This book not only provides you with the tools to effectively study for the exam, but also supplies you with ready access to best practices for implementing new technologies, dealing with current threats, incorporating new security tools, and managing the human factor of security—that will serve you well into your career.

The Official ISC2 Guide to the CISSP CBK Second Edition
Click Here to get your copy or more details