
Friday, June 20, 2008

My reply to the article about CISSP certification


I posted this reply to the article about CISSP certification at TS/SCI Security: http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-7927

Well, I wrote an article in 2002, when the certification craze was at its peak (http://www.rtek2000.com/Good/Why_we_have_to_fight_with_hypes.pdf). If you spend 10 minutes reading the article you will understand my point about who actually benefits from all the 5000 existing certifications. It is still the case, with some exceptions. I have been an employer and I am an employee, so I know both sides of the job market. There are many cases where a certification is a big plus if you want to be hired for certain positions, and as much as I don't like certifications I have to admit that I have a few, including the CISSP, which I got last year.
While I was learning the material for about 4 months, my horizons expanded. I learned about risk management, disaster recovery strategies, and cryptography. I know for sure that I would never have touched those topics otherwise. The CISSP certification is intended mostly for managers who plan security and risk management within their firms. It is not in any way a substitute for hands-on experience. In fact (and many folks know it) the CISSP is two inches deep across the 10 CBK domains but two miles wide (a little bit about everything). So we are talking about generalists here, not hands-on professionals; if you are talking about hands-on knowledge, the certification has nothing to do with it.

Why did it become a popular certification? Mostly due to good marketing by the ISC(2) marketing team. They were able to get the CISSP into the DoD as a standard for any security professional. All other vendors, including CompTIA, failed to reach such a degree of popularity.
I passed the exam to prove something to myself, and currently I get no benefit from having it, only the $500 exam and the $85 yearly fee. But you'd be surprised how many job recruiters my resume with the magic letters attracted. The CISSP certification may bring some benefits to job seekers.

Feel free to look for CISSP certification resources here: http://www.rtek2000.com/courses/CISSPresources.html

Thursday, June 19, 2008

The lost war in progress…


A lot has been said about the war with hackers, virus creators, spammers, etc. It is a war in continuous mode: it had some start dates, but with a high degree of certainty it will never have an end date as long as we use computers connected to networks.

Unfortunately, we still take a reactive approach to the spyware/virus problem, even though there have been numerous advances in anti-virus and anti-spyware technology to deal with the sophisticated techniques used to damage your desktop or server.

I recently updated my free AVG anti-virus program to the latest version, 8.0. I don't have a lot of disk space (probably around 400GB in total), but the program took about 15 hours to scan through my files. I was amazed at the number of infected files, registry entries, cookies, etc. it discovered. It would not have surprised me had I not used AVG or any other anti-spyware or anti-virus program before, but after upgrading to the latest version, which includes all available protection (even for web links), I was surprised by the amount of malware discovered (keyloggers, Trojans) and by how greatly detection had improved in the new version. Of course, all the sophistication of the software comes at the price of being very slow. Agreed, 15 hours of scanning while holding the processor at 50% of its capacity is not the best feature of any anti-virus software.

With hundreds of new viruses and spyware programs being created and released on the net, the virus databases are swelling. It takes more and more time to compare each file on your system against thousands of known and possible infections. It is like wearing heavy armor that becomes heavier every hour, slowing you down in your fight against an army of virus creators.

Recent news about using strong 1024-bit RSA encryption, which cannot practically be broken, to lock up your desktop files is proof of a war being lost. Look how shameless the enemy is. Encrypting your data files with a 1024-bit key and then selling you the private key to decrypt them is not something that can be taken lightly (http://blogs.zdnet.com/security/?p=1251).

Imagine you have reports or financial spreadsheet files and suddenly you realize that you cannot open them. Instead of the files opening on screen, you get a popup message with an e-mail address where you have to send money to buy the decryption software. No, you cannot find out who the perpetrators are; believe me, they are as smart at hiding their identities as they are at writing the software. What would you do?
Some folks mentioned that a good backup is protection against this threat. But others properly argued that you usually never check whether you can open EVERY file after you perform the backup. That means that, if you use large-capacity hard drives or tape for the backup operation, the next day's run can overwrite the good copies with the encrypted files. The only way to be sure the original files are preserved is to burn them to CD/DVD and collect the discs day after day: a later, infected backup run cannot overwrite write-once media.
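The backup-verification point above, as an added example that is not part of the original post: before today's backup run is allowed to overwrite yesterday's copy, the source is compared against a manifest recorded for the last good generation, and the rotation is refused when previously healthy files now look like ciphertext or no longer parse as their own type. The entropy and mass-change thresholds, the short magic-byte table and the sample documents are assumptions constructed for this demonstration.

```python
"""Pre-rotation backup check (added example, not code from the original post).
Compare today's source against the manifest of the last good backup generation and
refuse to rotate when known-good files now look encrypted or no longer parse.
Thresholds, the magic-byte table and the sample documents below are assumptions."""
import hashlib
import math
import os
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits/byte; documents sit well below, ciphertext close to 8 (assumed)
MASS_CHANGE_RATIO = 0.5  # refuse if more than half of the known files changed in one day (assumed)
MAGIC = {".pdf": b"%PDF", ".zip": b"PK", ".xlsx": b"PK", ".docx": b"PK"}  # short demo table
TEXT_EXT = {".txt", ".csv", ".log"}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for an empty file, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def format_ok(name: str, data: bytes) -> bool:
    """Cheap 'can this still be opened' check: text must decode, binaries keep their magic."""
    ext = os.path.splitext(name)[1].lower()
    if ext in TEXT_EXT:
        try:
            data.decode("utf-8")
            return True
        except UnicodeDecodeError:
            return False
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    return True  # unknown type: no opinion

def build_manifest(files: dict) -> dict:
    """files maps relative path -> bytes; the manifest records hash, entropy and parse status."""
    return {name: {"sha256": hashlib.sha256(data).hexdigest(),
                   "entropy": shannon_entropy(data),
                   "format_ok": format_ok(name, data)} for name, data in files.items()}

def scan_directory(root: str) -> dict:
    """Load a real directory tree into the {relative path: bytes} shape build_manifest expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files

def check_rotation(previous: dict, current: dict) -> dict:
    """Compare the last good manifest with today's candidate; 'allowed' gates the overwrite."""
    changed, suspicious = [], []
    for name, old in previous.items():
        new = current.get(name)
        if new is None or new["sha256"] == old["sha256"]:
            continue  # deleted and unchanged files are not this check's concern
        changed.append(name)
        reasons = []
        if old["entropy"] <= ENTROPY_THRESHOLD < new["entropy"]:
            reasons.append("entropy jumped to %.2f bits/byte" % new["entropy"])
        if old["format_ok"] and not new["format_ok"]:
            reasons.append("no longer parses as its file type")
        if reasons:
            suspicious.append((name, "; ".join(reasons)))
    ratio = len(changed) / len(previous) if previous else 0.0
    return {"allowed": not suspicious and ratio <= MASS_CHANGE_RATIO,
            "changed": changed, "suspicious": suspicious, "change_ratio": ratio}

def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file (demo only)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"demo-%d" % i).digest()
        i += 1
    return out[:n]

# Constructed sample data: yesterday's documents and two possible 'today' states.
YESTERDAY = {
    "reports/q2.csv": b"date,amount\n" + b"2008-06-01,1200.50\n" * 50,
    "reports/summary.txt": b"Quarterly summary: revenue up, costs flat.\n" * 20,
    "invoices/inv-001.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 30,
}
TODAY_NORMAL = {**YESTERDAY, "reports/q2.csv": YESTERDAY["reports/q2.csv"] + b"2008-06-19,980.00\n"}
TODAY_RANSOMED = {name: _pseudo_ciphertext(len(data)) for name, data in YESTERDAY.items()}
TODAY_RANSOMED["HOW_TO_DECRYPT.txt"] = b"Your files are encrypted. E-mail us to buy the key.\n"

def demo():
    """Run both scenarios against yesterday's manifest; returns (normal_report, ransomed_report)."""
    baseline = build_manifest(YESTERDAY)
    return (check_rotation(baseline, build_manifest(TODAY_NORMAL)),
            check_rotation(baseline, build_manifest(TODAY_RANSOMED)))

if __name__ == "__main__":
    for label, report in zip(("normal day", "ransomed day"), demo()):
        print("%s -> rotate backup: %s" % (label, report["allowed"]))
        for name, why in report["suspicious"]:
            print("    %s: %s" % (name, why))
```

On a normal day only the edited spreadsheet changes and the rotation is allowed; on the ransomed day all three documents fail both the entropy and the parse checks and the previous generation is kept. Two caveats follow directly from the post's argument: the manifest from the last good run must itself live somewhere the malware cannot rewrite (which is the same reason write-once media work), and new files such as the ransom note are outside the manifest and need a separate rule if you want to alert on them.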

Something similar has happened in the past. If you run a Google search you may find the following links: http://www.jahewi.nl/malware/ransomware/ransomware.html, http://news.bbc.co.uk/2/hi/technology/5038330.stm.

Many folks have put in their two cents about this story. One comment, from Duncan, that I liked and want to re-post here:
“*ransom note received composed of random letters clipped from newspaper*
"We have encrypted your illegally copied music files. Put $5000 in unmarked bills in a plain brown paper sack and mail it to: RIAA Washington, D.C. no later than midnight tonight or you'll never listen to your music again"
..but seriously, folks, this starts to sound like some sort of weird 419 scam. They're not going to decrypt your files even if you pay them, and I'll bet you a whole DOLLAR that if you're stupid enough to contact them, they accept only CREDIT CARDS as payment. Chances are that the data isn't even really encrypted, it's just plain overwritten and GONE, copied over with gobbledygook random data, and you'll just get your identity stolen on top of never getting your files back. On the other hand they think they're being really clever, I'm sure, and the ones that think they're clever are usually the ones that get caught quickly and go to jail for a long, long time.”
I just hope that Duncan is right and the smart a%%$$ will be caught quickly.