[SecurityRatty] tag: certifications

CISA and CISSP Preparation

Thu, 31 Jul 2008 09:14:07 +0000

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

Certified Information Systems Auditor (CISA) : http://www.isaca.org/cisa/
Certified Information Systems Security Professional : https://www.isc2.org/cissp

Are You Ready ?
A few basic questions to ask yourself to gauge how ready you are:

Do I meet the spirit, and not just the letter, of the experience requirements ?
Has there been sufficient diversity in my experience ?

Both of these exams cover a very broad spectrum of subjects. It is my personal belief that the experience requirements exist as an aid to whittle test takers down to candidates who have the professional experiences required to be successful, and to discourage people from taking the exams before they are ready. If you truly meet the background requirements, then you should have had some contact with many of the core topic areas for the exam.

If you are looking at the core content of the examination, and do not believe that you really have the breadth of exposure to be able to describe and discuss each domain at a high level, then you may be better served by delaying the exam in favor of working with your management to gain broader professional experience.

Five Step Approach to CISA or CISSP Exam Preparation

Perform an initial benchmark and assessment of your readiness
Read a “survey” level preparation guide cover to cover
Perform a secondary benchmark, and compare your readiness
Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
Re-benchmark, and repeat targeted reviews until ready

For the first certification that I prepared for, I did not perform the first three steps outlined above. I went directly to the official source materials and began trying to review them cover to cover. I passed the exam, but I also spent a lot of time & energy reviewing things that I already knew “well enough”, and was burned out when reviewing the areas which could have been richer learning opportunities. No matter what your professional background, no one knows-it-all or does-it-all, so there is always an opportunity to learn new things while you are preparing for the certification exam. The goal of this five step approach is to focus your time where you have the greatest learning opportunities. Hopefully this focuses your time and energy in the most rewarding way.

Performing the Benchmarks

For the Benchmarks, I like to complete a timed half-length or full-length examination.

It is my feeling that a half-length exam is long enough that fatigue, maintaining focus, and pace are all stressed, as they will be on examination day. This of course requires access to a large set of test questions or sample tests, preferably with explanations of incorrect answers. In addition to commercial third-party test preparation tools, there are good (and free) test preparation quizzes available from www.cccure.org.

Survey Materials

I find the “Exam Cram” series to be very useful survey literature. I purchase books from this series when I want a high-level and quick handling of an entire subject matter area. As a result, I own survey books from the series in topic areas which I have no intention of pursuing certification for. Obviously the books I recommend for these certifications are:

Deep Dive Materials

There are exam preparation materials available from a variety of sources that fit the bill in this area. What we are looking for are books that contain solid coverage of the areas where benchmarking has shown the most significant need for improvement. In addition to the materials from (ISC)2 and ISACA that I list below, consult your local library - often they will have books that fit the bill. (And, of course, consider arranging a donation of good materials if they do not.)

Final Thoughts

Good luck on your journey toward Information Security or Audit certification. One word of caution: Make sure that you have realistic expectations about what actually being certified will mean. Although I do think being certified helps a person establish credibility more quickly, and is helpful when searching for new employment, often people are underwhelmed by the “Congratulations, that’s nice” from their current employer. If your expectation is that a big raise, bonus, promotion, etc. is hinging on your being certified, then I would strongly encourage you to reality-check that with peers in your organization.

Cheers, Erik

CISA and CISSP Preparation

Do we need a farm system in the security industry?

Mon, 21 Jul 2008 12:17:30 +0000

Just read a good article by Lisa Vaas on Computerworld titles "When security staffers fail up". The article talks about some of the challenges that are faced by companies trying to provide proper security. While one of the issues is "bundled badness" which I will talk about later, the bigger problem that Lisa writes about is the profile of our security administrators. It is a familiar story I am afraid. Security people don't do a good job of "humanizing" themselves. Their peers don't understand what they are trying to accomplish and too often we speak in geek terms and try to dictate how people conduct business. As a result we are the "people in the way".

The next thing Lisa hits on is the obsession with certifications. Too many people think having a CISSP is the be all and end all of security. First of all, you can't hire enough of them and many of them don't have the practical business experience to take it to the next level. Than there is the security "prima donna". They just think they are smarter than everyone else and too many tasks are below them as to elementary. We have all met these types before as well.

Quickly on the "bundled badness" thing. Lisa rightfully points out that in spite of Mike Rothman's feelings to the contrary, though CIO and CFO types like to buy the bundle and get the jack of all trades suite cheaper than buying best of breeds individually, at the end of the day it is hurting our security. If you are really serious about securing the environment there is a world of difference between buying the bundle of goodness versus best in class tools.

Ultimately though, what are we to do about getting better security pros in the workplace? Do we need to change the certification process? Should companies have a different profile of who they hire for security positions. Do we need to develop some sort of farm system where security pros can cut their teeth and learn their craft, like the guilds and apprentices of yesteryear? The construction industry used to work like that. Maybe we should consider it too?

Career expertise: Broad trumps focused

Wed, 09 Jul 2008 09:00:00 +0000

Multiple certifications or complementary degrees builds knowledge that can turbocharge a security professional's career.

Security Certification Rules Could Shake Up IT Mgmt

Thu, 26 Jun 2008 08:33:17 +0000

This seems to a well intentioned but, misguided attempt by the Office of Management and Budget. They are attempting to establish minimum requirements for professional certification for IT workers.

Hmm.

From GCN:

“This is a change we have not faced in the IT security industry before,” he added.

The closest parallel has been in the Defense Department, which anticipated OMB’s reaction in this area. DOD’s Directive 8570 on information assurance, approved in December 2005, requires all of the department’s information assurance workers to obtain an accredited commercial certification in computer security. DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

“If OMB issues a similar requirement, it’s going to throw the supply and demand curve even more out of balance,” he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification requires five years’ experience. “You don’t mint them out of college,” he said.

OK, this is where this trolley leaves the track. I have met CISSP certified folks that I would wager they’d be lucky to fight their way out of a wet paper bag. “Don’t mint them out of college” is a phrase that I’d argue. I would offer that the ISC2 should start auditing certified members. The validity of the CISSP cert is becoming diluted in the eyes of the market.

A picture is worth a thousand words.

It’s great for the mandatory HR tick box but, how many of these folks actually have the ability? Sure they can memorize some flash cards and pass a test but, are they effective? Some, not so much.

On the face of it this is a good idea.

Like all good intentions, they make great paving stones on the road to hell.

Article Link

Art vs. Science

Fri, 20 Jun 2008 16:56:38 +0000

I was just reading Dre’s post, R.I.P. CISSP, over at the tssci security blog, in which he predicts the upcoming OWASP People Certification Project will be the next big thing. This paragraph is quoted from James McGovern’s blog (James is the project leader):

As an Enterprise Architect, I understand the importance of the ability for a security professional to articulate risk to IT and business executives, yet I am also equally passionate that security professionals should also have the capability to sit down at a keyboard and actually do something as opposed to just talking about [it].

I agree wholeheartedly with this sentiment, and I believe the project goals are noble. So I went to read the latest OPCP draft proposal to see how they planned to tackle this admittedly difficult problem. What did I find? It’s just another test, with questions in a dozen or so broad categories. Far more specialized that CISSP, with topics that are more relevant to application security, but ultimately, still just a test.

The comment I once made about security educators/trainers is relevant here. Whatever questions end up on the OPCP test, these educators could probably answer most of them correctly without even studying. They lecture day in and day out about these topics. They have heard obscure questions and are prepared to answer them. And yet, many of them do not have any practical field experience.

A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that while much of it can be done methodically, there is a certain amount of skill and intuition that only comes from practical experience. You learn to recognize that “gut feel” when something is amiss. He became rather incensed and, in effect, told me I was full of it. This customer went on to institute a rigid, mechanical internal process for web app pen testing that was highly inefficient and, ultimately, still relied mostly on a couple bright people on the team who were in tune with both the art and the science.

Certifications only test the science.

Data integration certifications: Finding the value

Fri, 20 Jun 2008 13:00:32 +0000

Learn two instances when data integration certifications are most valuable -- and find out an easy way to increase their equity.

NISTS FISMA Pase IIWho Certifies Those who Certify the Certifiers?

Tue, 17 Jun 2008 17:22:09 +0000

Check out this slideshow and this workshop paper from 2006 on some ideas that NIST and a fairly large advisory panel have put together about certification of C&A service providers. I’ve heard about this for several years now, and it’s been fairly much on a hiatus since 2006, but it’s starting to get some eartime lately.

The interesting thing to me is the big question of certifying companies v/s individuals. I think the endgame will involve doing both because you certify companies for methodology and you certify people for skills.

This is the problem with certification and accreditation services as I see it today:

Security staffing shortage means lower priority: If you are an agency CISO and have 2 skilled people, where are you going to put them? Odds are, architecture, engineering, or some other high-payoff activity, meaning that C&A services are candidates for entry-level security staff.
Centralized v/s project-specific funding: Some agencies have a “stable” of C&A staff, if it’s done wrong, you end up with standardization and complete compliance but not real risk management. The opposite of this is where all the C&A activities are done on a per-project basis and huge repetition of effort ensues. Basic management technique is to blend the 2 approaches.
Crossover of personnel from “risk-avoidance” cultures: Taking people from compliance-centric roles such as legal and accounting and putting them into a risk-based culture is a sure recipe for failure, overspending, and frustration.
Accreditation is somewhat broken: Not a new concept–teaching business owners about IT security risk is always hard to do, even more so when they have to sign off on the risk.
C&A services are a commodity market: I covered this last week. This is pivotal, remember it for later.
Misinformation abounds: Because the NIST Risk Management Framework evolves so rapidly, what’s valid today is not the same that will be valid in 2 years.

So what we’re looking at with this blog post is how would a program to certify the C&A service providers look like. NIST has 3 viable options:

Use Existing Certs: Require basic certification levels for role descriptions. DoD 8570.1M follows this approach. Individual-level certification would be CAP, CISSP, CG.*, CISA, etc. The company-level certification would be something like ITIL or CMMI.
Second-Party Credentialing: The industry creates a new certification program to satisfy NIST’s need without any input from NIST. Part of this has already happened with some of the certifications like CAP.
NIST-Sponsored Certification: NIST becomes the “owner” of the certification and commissions organizations to test each other.

Now just like DoD 8570.1M, I’m torn on this issue. On one hand, it means that you’ll get a higher caliber of person performing services because they have to meet some kind of minimum standard. On the other hand, introducing scarcity means that there will be even less people available to do the job. But the big problem that I have is that if you introduce higher requirements on commodity services, you’re squeezing the market severely: costs as a customer go up for basic services, vendors get even less of a margin on services, more charlatans show up because you’ve tipped over into higher-priced boutique services, and mayhem ensues.

Guys, I’m not really a rocket scientist on this, but really after all this effort, it seems to me that the #1 problem that the Government has is a lack of skilled people. Yes, certifying people is a good thing because it helps weed out the dirtballs with a very rough sieve, but I get the feeling that maybe what we should be doing instead is trying to create more people with the skills we need. Alas, that’s a future blog post….

However, the last thing that I want to see happen is a meta-game of what’s going on with certifications right now–who certifies those who certify? I think it’s a vicious cycle of cross-certification that will end up with the entire Government security industry becoming one huge self-licking ice cream cone. =)

Bookmark to:

How important are disaster recovery professional certifications to an enterprise data center?

Tue, 10 Jun 2008 13:18:07 +0000

Professional certifications for the data center are more than a piece of paper. The value of data center certifications for your business will be determined by the qualities of the certified person. Without the necessary soft skills for success, the certification may just be an acronym at the end of the person's name and title. But for a good leader, certification can provide greater efficiency and operability of an enterprise data center.

ITIL cert: Industry game changer

Wed, 14 May 2008 06:25:54 +0000

Can the new ITIL certifications turn IT from a "collection of cowboys" into a profession? They'd better, says an ITIL author.

Not a CISSP

Fri, 18 Apr 2008 10:36:41 +0000

One of my favorite pieces of swag from RSA was this “Not a CISSP” button that was pinned onto me by none other than Sinan Eren as I was chatting with Justine Aitel at the Immunity booth. Actually, there should have been a prize awarded just for finding the Immunity booth — they were subletting another vendor’s space for a few hours at a time, so one minute they’d be there and the next they were gone.

I digress. What inevitably happened once I started walking around with this button proudly displayed was that I would get one of two reactions. The first group — mostly current and former co-workers and acquaintances — understood the humor and got a good chuckle out of it. The second group would ponder for a bit and then ask, with some confusion, why I’d intentionally point out the fact that I’m not a CISSP. I’d give a brief answer and get back to talking about Veracode (we booth babes have responsibilities, you know).

So, why indeed? The long answer is that like many security certifications, it’s an ineffective measure of a security professional’s practical abilities. Employers and customers often assume the guy with the five magic letters on his resume is technically superior to the guy without. In my experience, it’s exactly the opposite, particularly in situations where you have to sit down at a keyboard and actually DO something as opposed to talking about it. Certainly, I’ve encountered some very notable exceptions to this observation, but we’re playing by the 80/20 rule here.

There’s a good reason for this. The trend in information security is toward specialization. Security has become such a broad umbrella of varying disciplines that it’s quite difficult to be a generalist. A security career is a balance between breadth and depth, and these days, the skilled pen tester, reverse engineer, or vulnerability researcher is more marketable than the guy who knows a little bit about dozens of different disciplines but can’t apply that knowledge in a practical situation. The CISSP subject matter illustrates this perfectly — you have cryptographic algorithms, site location principles, network security, and civil law on the same exam. I won’t even get into the complaints I’ve heard about the poorly-worded, overly simplistic exam questions or the ones that simply test one’s ability to memorize obscure facts.

I’m not claiming that there’s no value to holding the CISSP certification. It can’t hurt to have some exposure to business continuity planning, for example. The problem, as I stated in the beginning, is that the CISSP title is often interpreted as an indicator of practical abilities rather than a book-level understanding of security basics. These misaligned expectations can ultimately lead to bad hiring or staffing decisions.

Career advice, take it or leave it: If an employer or prospective employer demands that you get your CISSP in order to be hired or to progress in your career, run fast in the opposite direction and find a place where you will be valued for your cumulative experience rather than a piece of paper. Learn by doing, don’t “learn the test,” so to speak.

And that, in a nutshell, is why I love my “Not a CISSP” button.

By the way, here was my other favorite from RSA, thanks to WhiteHat. This one and “Samy is my hero” were the best out of a pretty clever selection… even though they forgot the semicolon after the single quote.