[SecurityRatty] tag: exams

CISA and CISSP Preparation

Thu, 31 Jul 2008 09:14:07 +0000

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

Certified Information Systems Auditor (CISA) : http://www.isaca.org/cisa/
Certified Information Systems Security Professional : https://www.isc2.org/cissp

Are You Ready ?
A few basic questions to ask yourself to gauge how ready you are:

Do I meet the spirit, and not just the letter, of the experience requirements ?
Has there been sufficient diversity in my experience ?

Both of these exams cover a very broad spectrum of subjects. It is my personal belief that the experience requirements exist as an aid to whittle test takers down to candidates who have the professional experiences required to be successful, and to discourage people from taking the exams before they are ready. If you truly meet the background requirements, then you should have had some contact with many of the core topic areas for the exam.

If you are looking at the core content of the examination, and do not believe that you really have the breadth of exposure to be able to describe and discuss each domain at a high level, then you may be better served by delaying the exam in favor of working with your management to gain broader professional experience.

Five Step Approach to CISA or CISSP Exam Preparation

Perform an initial benchmark and assessment of your readiness
Read a “survey” level preparation guide cover to cover
Perform a secondary benchmark, and compare your readiness
Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
Re-benchmark, and repeat targeted reviews until ready

For the first certification that I prepared for, I did not perform the first three steps outlined above. I went directly to the official source materials and began trying to review them cover to cover. I passed the exam, but I also spent a lot of time & energy reviewing things that I already knew “well enough”, and was burned out when reviewing the areas which could have been richer learning opportunities. No matter what your professional background, no one knows-it-all or does-it-all, so there is always an opportunity to learn new things while you are preparing for the certification exam. The goal of this five step approach is to focus your time where you have the greatest learning opportunities. Hopefully this focuses your time and energy in the most rewarding way.

Performing the Benchmarks

For the Benchmarks, I like to complete a timed half-length or full-length examination.

It is my feeling that a half-length exam is long enough that fatigue, maintaining focus, and pace are all stressed, as they will be on examination day. This of course requires access to a large set of test questions or sample tests, preferably with explanations of incorrect answers. In addition to commercial third-party test preparation tools, there are good (and free) test preparation quizzes available from www.cccure.org.

Survey Materials

I find the “Exam Cram” series to be very useful survey literature. I purchase books from this series when I want a high-level and quick handling of an entire subject matter area. As a result, I own survey books from the series in topic areas which I have no intention of pursuing certification for. Obviously the books I recommend for these certifications are:

Deep Dive Materials

There are exam preparation materials available from a variety of sources that fit the bill in this area. What we are looking for are books that contain solid coverage of the areas where benchmarking has shown the most significant need for improvement. In addition to the materials from (ISC)2 and ISACA that I list below, consult your local library - often they will have books that fit the bill. (And, of course, consider arranging a donation of good materials if they do not.)

Final Thoughts

Good luck on your journey toward Information Security or Audit certification. One word of caution: Make sure that you have realistic expectations about what actually being certified will mean. Although I do think being certified helps a person establish credibility more quickly, and is helpful when searching for new employment, often people are underwhelmed by the “Congratulations, that’s nice” from their current employer. If your expectation is that a big raise, bonus, promotion, etc. is hinging on your being certified, then I would strongly encourage you to reality-check that with peers in your organization.

Cheers, Erik

CISA and CISSP Preparation

Stokes County Schools laptop missing after Spring Break

Mon, 21 Apr 2008 09:13:47 +0000

Technorati Tag: Security Breach

Date Reported:
4/14/08

Organization:
Stokes County Schools

Contractor/Consultant/Branch:
West Stokes High School
South Stokes High School
North Stokes High School

Victims:
Students

Number Affected:
400 - 800

Types of Data:
"names, test scores and Social Security numbers"

Breach Description:
"STOKES COUNTY, N.C. -- A school computer containing the names, test scores and Social Security numbers of students from three Stokes County high schools was stolen from a locked closet, authorities said."

Reference URL:
WXII Channel 12

Report Credit:
WXII Channel 12 News

Response:
From the online source cited above:

STOKES COUNTY, N.C. -- A school computer containing the names, test scores and Social Security numbers of students from three Stokes County high schools was stolen from a locked closet, authorities said.
[Evan] This is the third breach affecting secondary schools in April alone. The others were 'Breach affects "every student enrolled at Joliet West High School"' and 'Students breach Williamsville Central School District security'.

The school system sent home a letter to parents last week notifying them of the theft, which affected between 400 to 800 students at West, South and North Stokes high schools.

"Wednesday after we returned from our spring break, a teacher notified us that she had misplaced (the) laptop computer," said school system superintendent Dr. Stewart Hobbs.
[Evan] This is one of the reasons why laptop computers required extra care and control.

The computer was used for scoring exams in the career and technical courses, the school system said.
[Evan] What I don't fully understand is why Social Security numbers are necessary to score exams?

And though the computer contained personal information, Hobbs said he doesn't think the information can be accessed.

"All information stored on the computer is protected by two separate security systems, each of which requires a password," the letter stated.
[Evan] Two "separate security systems"? What does this mean? I assume that one "security system" is the Windows logon password, but what is the other?

"Any time any type of computer, especially if it has student information that's missing, this is of importance to us," Hobbs said.

Commentary:
The facts surrounding this breach are scarce. It seems as though the school uses Social Security numbers as student identifiers as opposed to self-generated IDs. If true, then this is a poor choice. We could speculate on other matters such as laptop encryption, physical security, and other information security issues, but it would only be speculation. The point of the matter is that we have another unnecessary exposure of personal information.

Past Breaches:
Unknown

MCSE Course.Dont Be Left Behind

Sun, 17 Feb 2008 20:43:00 +0000

To start afresh, MCSE course or Microsoft Certified Systems Engineer certification is the best-known and premier Microsoft certification. It is specifically designed for those IT professionals who are intelligent enough to comprehend specific business requirements for information systems solutions, and design and implement the infrastructure required based on Microsoft server software.

As a matter of fact, this certification---a credential in huge demand---qualifies to be one of the best-performing and widely acknowledged technical certifications in IT industry. It can make a huge difference to your career.

Now that we have entered 2008, we can state that since year 2007 this certification is available in two major varied product lines---Windows 2000 and Windows Server 2003. Both these product lines require a distinct and exclusive set of exams. But in 2008, MCSE is all set to be retired and replaced with a brand new certification that Microsoft is soon going to adopt. New top-notch certifications are MCITP Server Administrator and MCITP Enterprise Administrator.

But as of now, all the individuals who manage to earn this prestigious certification prove themselves to be worthy enough of leading business organizations in the successful design, implementation and administration of most advanced Microsoft Windows platform and Microsoft server products.

The brighter prospects of MCSE certification are enticing a large population of dynamic IT professionals who want to put their best foot forward at any point of their career. These advantages are enumerated as follows:
MCSE certifications are among the most specialized certifications available.
This certification gives software professionals reward, respect and recognition for their expertise in Microsoft products and technologies.
On the successful acquisition of this certification, there is a remarkable increase in the salary of the certificate holders.
MCSE's reported average annual income is in the range $57,000 - $59,000 according to various surveys.
MCSE if coupled with certifications like Cisco CCNA further provides a salary hike of 4.17% on an average.
MCSE provides better job satisfaction and job security.

One of the most important ways for job candidates to distinguish themselves and stand out from their less qualified peers is to seek out a widely recognized industry certification like the Microsoft Certified Systems Engineer (MCSE) credential. MCSE certification proves to be an effective tool for IT professionals in convincing the HR managers that having earned such a prestigious credential they are well-deserving for the job.

Sensitive Milwaukee County information posted to Web

Wed, 13 Feb 2008 14:06:24 +0000

Technorati Tag: Security Breach

Date Reported:
2/11/08

Organization:
Milwaukee County (Wisconsin, USA)

Contractor/Consultant/Branch:
Citizens for Responsible Government Network

Victims:
Persons involved with the county

Number Affected:
Unknown

Types of Data:
"patient and legal records"

Breach Description:
Milwaukee County officials released a copy of their "county spending database" to the activist group Citizens for Responsible Government Network that contained sensitive personal information belonging to various persons who had contact with the county. Citizens for Responsible Government Network agreed to remove the confidential information at the request of county officials, but the information had been posted for as many as six (6) days.

Reference URL:
Milwaukee Journal Sentinel story
United Press International story

Report Credit:
Milwaukee Journal Sentinel

Response:
From the online sources cited above:

Citizens for Responsible Government Network agreed to dump descriptions from some 6,900 bills that county officials feared included names of people who had court-ordered psychiatric exams, other patient service information and guardianship case details.

The information had been displayed on the group's Web site for six days, after CRG obtained a database on all county spending for the last two years.

CRG pulled a few hundred descriptions on court spending from its Web site over the weekend, after county Clerk of Court John Barrett complained about the release.

The group on Monday trashed thousands more county records CRG had displayed that came from the Sheriff's Department, the House of Correction, the district attorney's office, the Department of Health and Human Services, the Personnel Review Board and the Division of Economic and Community Development.

The county will supply the group with an edited version of the same county spending database, after department heads get a chance to better scrutinize the records, said Cynthia Archer, acting director of the county's Department of Administrative Services.

On Monday, Archer said she "questioned the wisdom" of Barrett's office forwarding confidential information included in its vendor database in response to a public record request by the group.
[Evan] What wisdom?

County Executive Scott Walker said he had not heard of any complaints from anyone whose confidential information was placed on the Internet for nearly a week.

Barrett said he was happy the records that identified court-ordered psychiatric exams and guardianship details were removed from the site but still worried about whether they had been found by any browsers. That type of information is generally confidential.
[Evan] I am not sure if this information was indexable by the various search engines, but it should definitely be explored and attended to, if necessary.

"Now I have to concern myself with whether we can put the toothpaste back into the tube," Barrett said.
[Evan] This is an excellent analogy. Once information (toothpaste) is disclosed, it is very difficult if not impossible to re-secure it (put it back in the tube).

Commentary:
The database is backup (without the confidential information it appears) here; milwaukeecounty.headquarters.com/search_mke.aspx

It was a really poor decision to send information without looking at it or considering sensitivity issues. I bet they wish they had a "do over".

ACLU ALERT:
Chris Ahmuty, executive director of the American Civil Liberties Union of Wisconsin, said the county's sloppy handling of confidential information could expose it to a lawsuit for invasion of privacy.
[Evan] We need more lawsuits like we need a hole in the head.

"It seems like careless disrespect for the rights of individuals receiving service from the county," Ahmuty said.

Past Breaches:
Unknown

OpenCourseWare: Get Smart for Complex Event Processing!

Sun, 30 Dec 2007 03:22:05 +0000

Ready to move beyond the basics of event processing? Perhaps you would like to beef up your Java skills? The Basics of Signal Processing? Or maybe you are interested in Advanced Complexity Theory? Artificial Intelligence? Computer Language Engineering? Queueing Theory?

Well then, put your feet up, relax and click on over to the Department of Electrical Engineering and Computer Science at MIT OpenCourseWare (OCW) and enjoy their courses, freely available to anyone, anywhere.

MIT’s OCW program freely shares their lecture notes, exams, and other resources from more than 1800 courses spanning MIT’s entire curriculum, including many fields related to event processing. There are even RSS feeds on new courses as they hit the wire, so you don’t have to miss a thing! Also, check out the OSC Consortium.

Complex event processing is a multi-discipline approach for detecting both opportunities and threats in real-time cyberspace. Make it your New Years Resolution to review a few OCW lectures and help advance the state-of-the-art of CEP!

CCNP networking update

Fri, 02 Nov 2007 03:44:00 +0000

Cisco Certified Network Professional (CCNP) is an intermediate level certification for IT professionals who enable them to install, configure and troubleshoot local and wide area network for enterprise organizations. The boot camp is designed for IT Professionals with a minimum of one year networking experience.

Being a widely circulated and significant course, Cisco made some important modifications to its Cisco Certified Network Professional (CCNP) certification program, and the changes have taken effect recently. All the CCNP aspirants, it is important to know about these changes.
To earn CCNP certification, one has to go through two tracks of certification. One track offers four individual exams while the second one offering one consolidated exam and two individual exams. For CCNP exams, you must be CCNA qualified.

Cisco has added important subject material to each of these exams. The new syllabuses are completely different than that of the earlier one. With these changes the Cisco's focus has also been shifted. The emphasis has now shifted from the concept of remote access (usually dial-up) to security (usually VPNs for remote access and Internet security).

It is a great change and those who are not acquainted with all these changes may go awry with the choice of any networking course. To meet the need of the current market demand Cisco has introduced these changes.

Be updated with the changes that Cisco Certified networking courses has undergone.