Monday, May 21, 2007

This is London... and Estonia.

One more story to prove that the credit card industry is still very vulnerable (and as a result, we are too).

http://www.thisislondon.co.uk/news/article-23395784-details/Britain's+biggest+credit+card+fraudsters+jailed+for+over+five+years+each/article.do

When will the PCI standard be the norm for every company that processes and stores credit card numbers? And how many new government regulations are required to make online shopping safe? There are so many new technologies and solutions to improve the safety of online transactions (like "use once" credit card numbers) ... so, when can we say that online shopping is relatively safe? Why is the adoption of new technologies so slow?

Reading the weekly SANS e-mails, I see more and more cases where online crooks are getting jailed. However, killing several roaches does not destroy their colony. Online theft has become an attractive business, and the story above proves it. Want the lifestyle of kings? Steal or buy several credit card numbers, and enjoy your travels in first-class seats!

The vulnerability of corporate networks is an issue that has been discussed 1000 times online, in the press, and even on TV. While online security is important for every company that has connectivity to the Internet, companies that process credit card transactions must have double the security. The protection must cover a wide range of attacks, including DoS.

I was not surprised to read about the latest DoS attack on Estonia's government and non-government sites (banks, newspapers) by Russian hackers after Estonia removed a Soviet war memorial statue in the capital city of Tallinn. Ethnic Russians protested the statue's removal, and riots and protests broke out on April 27. If you don't know, in the middle of the 20th century the Russians occupied the three Baltic countries and made them three Soviet Republics (of 15 total). Since then, there has been a mix of Russians and Estonians, Lithuanians, and Latvians who had to co-exist for more than 60 years, quietly hating each other. Since the republics became separate countries again (after the fall of the Soviet Union), the nationalists in those countries began a movement for a "clean" country. Even well-respected people who contributed a lot to the prosperity of those countries were dismissed and forgotten only because they were of Russian descent.

While I can understand the basis for that hate, I don't approve of any nationalists who separate people only by their nationality. There are thousands of decent people who are of a different descent but take pride in being part of the country and contribute as much as they can; and there are some who hate the country they live in, ignore its traditions, and even plot disasters. Those I would weed out.
This relates not only to those 3 Baltic countries but to the U.S. as well. Who knows how many Al-Qaeda cells are hidden inside our country? Who knows how sophisticated equipment and advanced skills in cyber security will be used? We are as vulnerable as the Estonians, not only from outside but from inside...


Thursday, May 10, 2007

Old Topic but still viable (my comments)

I have been reading the article "Certifieable" at http://www.darkreading.com/document.asp?doc_id=123606. Below is a link to my comments.

Tuesday, May 1, 2007

Kaspersky published the tutorial about keyloggers
I found a good article about keylogger software on Kaspersky.com. It is a "must" for security professionals and can be useful for educating end-users. It was written by a Russian computer professional, the Deputy Director of the company's Research and Development team. The article is very detailed and, beyond the threats, suggests countermeasures:


The article has the following chapters:

Why keyloggers are a threat
How cyber criminals use keyloggers
Increased use of keyloggers by cyber criminals
Keylogger construction
How keyloggers spread
Protection from keyloggers

The second part is coming soon.

Monday, April 23, 2007

The Cyber INsecurity and hackers
If you haven't had a chance to read the newest document from a ground-breaking Congressional hearing, it's worth reading:
http://homeland.house.gov/SiteDocuments/20070419153038-21091.pdf
This is an outstanding document that confirms that our Government is still quite rusty on IT security. Some of the statements in this document are quite troubling: "We don't know the scope of our networks," said subcommittee chairman Langevin, "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
The purpose of this hearing was to afford House members the opportunity to understand how deeply federal systems have been penetrated and what the Department of Homeland Security and others are doing to stop the compromises.
(thanks to Alan Paller from SANS, who shared this information)

Let me tell you one story (a good add-on to this article).
Some days ago, I began working for one of the divisions of a Government organization (I am skipping the real name). I came across the Division Director's laptop, which is frequently used outside the agency's headquarters. As you know, in order to configure a laptop for any program, you have to have administrator privileges. I was told that the password on this laptop is the word "password".

Having been in the security field for more than 8 years, I felt obligated to remind all division employees of the importance of strong passwords. So, I found an excellent article on the web about that topic and sent it to all employees. In particular, the article stated that the password "password" can be cracked in 0.5 sec. You won't believe what happened next. My team leader said that the "boss" was not happy about it and "suggested" (you know what that means) not to post information of that kind anymore.

The Russians have a proverb that in direct translation says "the fish rots starting from the head". How will employees take care of password security if their general manager not only ignores it but even prosecutes it?!

I don't know what has to happen beyond the September 11 events to shake people up to the degree that they will finally get a feeling of INsecurity when passwords are NOT secure enough, when networks are NOT protected enough, when operating systems are NOT patched in a timely manner, and realize that the cyber flavor of terrorism is a real thing.

Wednesday, April 18, 2007

Entering the IT Security field
I have answered some career-related questions in another blog @teachrepublic.com, and I feel that it's good info to mirror into this blog as well.

Common mistake
Having been in the IT field for more than 15 years and teaching folks since 1993, I know quite a bit about IT, and particularly about IT security. I began my journey in that field by taking responsibility for managing one firewall. It was a good start. It gave me a lot of exposure to IT security, forced me to read in depth about various protocols and concepts, and forced me to learn UNIX. The common mistake is to start a career by taking certification classes or exams. The concept of "certification" is about certifying the skills you already have. So, my suggestion (if you really want to be a high-level professional): start with hands-on experience. If you want to know more about certifications, read my article published in 2002 that (some people believe) still has some value: http://www.rtek2000.com/Good/Why_we_have_to_fight_with_hypes.pdf
Find a way to get some exposure to security appliances (firewalls, proxy servers, content filters, IDS), software (basically the same but software-based), tools (scanners, packet capturing/analyzing, sniffers, etc.), and, as a "must", read the literature and security-related articles that will expand your horizon. Be a volunteer, find a mentor, or at least build a small network at home and play with evaluation copies (or freeware) of various software utilities/programs/firewalls. Learn how to harden the OS or a web server, etc. Build a Linux server and workstation. Talk to your management and express your interest in getting more exposure/responsibilities in IT security. Present it as a potential benefit to your organization.

Another suggestion is not to take short-term training classes but rather to buy multimedia-based self-training software with live instructors who present the topics you want to learn. There are many benefits (like repeating, stopping, portability, rewinding, pausing, etc.). Some vendors also offer online mentoring in addition to the software. All this works fine if you have enough self-discipline. If you follow the path that I suggest, the certifications will be achieved more easily and will add value to your hands-on experience. Don't forget that in the security field, employers are looking for real-world experience. So, the abbreviation letters after your last name will be more powerful if you have something in your resume that highlights your hands-on skills. I would not suggest the CISSP certification at all at this stage of your career. The CISSP certification is valuable when you have substantial experience (5-7 years) in the information security field. It is mostly designed for management (or at least senior-level) security professionals. That certification can give you more opportunities to get a better-paying job, but at the right time. If some folks disagree with me, I would refer them to the article above, where I describe the dentist who just got certified.

If you still seriously consider CISSP as one of your choices, you can at least get more information and links about it here: http://www.800-security.com/corporate.html (this site also has a comprehensive Index of free IT security resources).
Best of luck in your career!

Thursday, April 12, 2007

I passed. Such a relief!

Such a relief!!!

Just yesterday I posted a new blog entry about waiting for the results for more than 10 days, and right after that I received the congratulatory e-mail from the ISC(2) registrar. The next step in getting the CISSP certification is to submit the resume and the endorsement form.

Only those who have been in my shoes can really appreciate the feelings after getting good news from ISC(2). Anyway, I promised to describe the exam and to share my experience and thoughts.

I. ABOUT THE EXAM.
I drove to Washington DC for the HIPAA conference where the exam was scheduled. We had a large room with about 30 people trying to pass the exam. I remember some suggestions to dress appropriately, so I had my light jacket. In fact, it was not enough! I was sitting opposite the large door, and I got almost frozen out there, sitting as if in a wind tunnel with a wind across the room. The cup of coffee that I had before the exam did not help. I was warming my palms on my thighs in turn, one by one.

Well, I thought that 6 hrs would be enough for several breaks. I wish!

I inserted the ear plugs and opened the booklet. The suggestion to quickly go through the entire test book and answer the easy questions first did not work for me. I found that only about 8-10% of the questions could be answered quickly, because the questions themselves were short. The longer the question, the more time you need to analyze what is actually asked and what the catch is (if any). In the end, when I finished my 250th question, I found that I had spent more than 3.5 hrs. At this point I took a short break, put my palms under the hot water in the restroom, had two chocolate cookies, did some warm-up exercises, and came back to my "refrigerator".

Until this moment I was confident and relatively calm. However, when I began answering the most difficult questions, I caught myself thinking that the time was running faster than I wanted. Then my confidence began to evaporate as the level of stress did the opposite. In the end, I had only about 7 min left before the deadline. I was able to review 3 questions that I had marked as the most controversial, changed the answers, and said to myself: "Stop it now!" because my brain was quite overloaded and because there was no time to re-check all the answers again.

II. AFTER EXAM.
Right after the exam, when I went out to the Hilton's entrance hall, I felt like a squeezed lemon. Thoughts about food (I had not eaten anything but 2 cookies the entire day) went through my mind, but I could not say if I was hungry at all.

Instead of hitting any cafeteria, I got my car back ($25 valet parking) and drove home to Baltimore. It was funny because only 8 miles away from home I stopped at a restaurant and ordered a platter with crab cakes and a drink to relax. I felt that I needed to eat something right away. Then I smoked outside the best cigar from my collection (I had brought it in advance). I deserved it! I got home safe and relaxed. :-)

OK, now some suggestions.

III. "10 RULES FOR SUCCESS"
I have developed the "10 Rules for Success", and I feel that some of them helped me to answer most of the questions properly (some of them were posted on blogs, so I adapted them to my own interpretation):

1. Read every question AND every answer word by word:
a. You can find a tricky question/answer that you could otherwise easily miss (I had two of them on the exam)
b. You will better understand the difference between answers even if they are quite similar (I had 7-10 of those on the exam).

2. Skip the long-text questions and the difficult questions, and don't spend time on them right away; just put them aside for now.

3. If the question asks you to find the right answer, eliminate the wrong answers first. If the question asks you to find the wrong answer, mark all CORRECT answers first.

4. Control your time, so you can define or change your exam-taking strategy on the fly.

5. If you answered the question but are still unsure whether you are correct, put a large question mark next to the question. When you have some time left before the deadline, review them again (I corrected 3 answers).

6. Make sure that you allocate at least 10-15 min for filling in the answers on the answer form.

7. Before the end, check that you filled in ALL answers (it's easy to miss one or two).

In addition:
8. Dress appropriately (bring a warm jacket or sweater just in case).

9. Have at least 8 hrs of sleep the night before the exam and arrive 25-30 min prior to the exam to read through your cram sheet.

10. You will need your confidence during the exam. Build your confidence by learning as much as possible and passing the quizzes at a level of at least 80%. If you don't know the correct answer to some of the questions, it must not shake your confidence. Think like a manager of a large corporation and take your chance, choosing one answer based on real-world situations.

IV. ABOUT THE EXAM QUESTIONS
As I mentioned above, I had about 8-10% easy questions. I also got some standard questions with idiotic answers (I am sorry, ISC2 folks) that had nothing to do with reality. I assumed that they were in the pool of 25 questions that were not counted toward the exam result. Unfortunately, I cannot give you an example because of my obligations, but trust me that you are going to be puzzled by some of the answers.

I found that you have to know more about the current standards than about the old ones. For instance, I had a lot of questions about VPN and SSL, more than I could have expected. I was also surprised by the number of questions about disaster recovery. I had a feeling that there were at least 20% of them!

I was quite familiar with the majority of the topics, and I thought that I knew some of them pretty well. In spite of this, I had questions about very familiar topics that "put me in a corner" and demonstrated that I could have learned better…

V. HOW TO LEARN
I am not sure that my way of learning is good for everybody.
Many years ago I found that visual memory is better than anything else for learning material. I used this concept when I trained students in the class. I used this concept when I was learning the domains. So, prepare as many tables/drawings/schematics as possible and be patient making a lot of notes, because it helps to memorize visually. It will help you to classify the information!

I had the following books/materials/resources:
1. Shon’s All-in-One (used 100%)
2. CISSP Passport (used 5%)
3. ISC(2) Official Exam Book (used 80% - very useful!)
4. Gold Edition of Kurtz (used 15%)
5. Audio Training CDs from PrepLogic (obviously not enough information – used at the beginning of my learning but later did not touch)
6. Shon Harris’ Solutions. CISSP course (used 90%)
7. CCCURE.ORG blog, Google search, many articles, and my Information Security Resources Index.
8. My own audio CDs (used 100%)

I began reading the Official book, making some yellow marks. When I figured out that I had to memorize a lot of material, I switched to the All-in-One book, and starting from domain 1 began making detailed notes in a notebook. At the end of each domain, without repeating the material, I took the quizzes from the book and from the CCCURE.ORG web site. I made notes of what I had to repeat/re-learn. I used the Official book to understand some topics better. Then I took my PDA and recorded the content of my notes to WAV files (later, I converted them into MP3 format). Then I burned a CD with the files and listened to myself while driving to and from work. By the way, the Shon Harris CISSP Solutions DVD set also includes MP3 files (3-month subscription), so it was very useful on its own.

I repeated the same with the rest of the domains. At this point, I bought Shon Harris' CISSP Solutions Training Course. The lectures are very good and easy to follow, and the add-on graphics serve well in understanding the concepts. She also points to some of the concepts that you *must* know for the exam, and she guarantees that questions about those concepts will be there.

When I finished, I began preparing my own Cram Sheet. Typing the extracts from the books and web sites helped me to visualize the concepts/standards/protocols. I drew tables in many instances.

I repeated the quizzes again: for each domain (75 questions), then for 3 domains together (100 questions), and finally the big one: all domains (250 questions). Three days before the exam, I prepared the final Cram Sheet (only one two-sided page with extracted info) that I used right before the exam.

VI. ABOUT SOME PREPARATION TESTS
I found that some of the cccure.org quiz questions are outdated and have wrong answers. I submitted my corrections to the web master, and he confirmed that I was correct about them. Later, due to time limitations, I just ignored incorrect/outdated questions.

I have to note that I came across TestKing's preparation tests, which I downloaded from the web for free (I don't even remember from where). Most of the questions are stolen from the ISC(2) book and other web sites and books. This company proves to be the biggest cheater (and I have proof that they also cheat with search engines, which is a case of unfair competition). I believe that Microsoft sued them, too.

I also used several questions from Boson that were free. After all, the cccure.org quizzes are better than any others (excluding Transcender's, which are still #1 even if they cost more than others).

Except for two books that I got from eBay, practically all my resources were purchased at a good discount from the RTEK 2000 web site. They sell them cheaper than CCCURE.ORG and obviously cheaper than the original software companies.

VII. END OF STORY
It took me 4 months of heavy-duty learning (especially the last two months: every evening 2-2.5 hrs and every weekend 3-4 hrs). I took a day off right before the exam and mostly relaxed after taking a 100-question quiz in the morning.

I feel now that I could have learned more and better, but the goal is almost achieved (I still need to submit my resume and the Endorsement Form to ISC(2) to get the CISSP certificate and final approval), and I am a happy camper!

Questions? Post in the comments!

Wednesday, April 11, 2007

Patiently waiting ... and wondering

I am in waiting mode for the second week, not touching or reading any security-related articles. I was so "saturated" with it for the last 4 months while preparing myself for the CISSP certification exam that now I have decided to give my brain a break.

Yes, I took the CISSP exam on the last day of March. I'll describe my experience later, after I get the feedback from ISC(2). I am waiting for the second week and wondering why it takes so long to let people know their exam result. The answers to 250 questions are submitted on an electronically-friendly form. All it takes is to scan the form and get the results. So, why should people wait for so long and feel somewhere between the sky and the ground? Do we deserve quicker results?

Tuesday, March 20, 2007

All systems to use "common secure configuration"

I just got the following message from Alan P. (SANS Security Institute)

"FLASH ANNOUNCEMENT: The White House just released (at 9 AM Tuesday, March 20) a directive to all Federal CIOs, requiring that all new IT system acquisitions, beginning June 30, 2007, use a common secure configuration and, even more importantly, requiring information technology providers (integrators and software vendors) to certify that the products they deliver operate effectively using these secure configurations. This initiative builds on the pioneering "comply or don't connect" program of the US Air Force; it applies to both XP and Vista, and comes just in time to impact application developers building applications for Windows Vista, but impacts XP applications as well. No VISTA application will be able to be sold to federal agencies if the application does not run on the secure version (SSLF) of Vista. XP application vendors will also be required to certify that their applications run on the secure configuration of Windows XP. The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money.
The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.
Alan

PS. SANS hasn't issued a FLASH announcement in more than two years. IOW, this White House action matters."

Knowing that Shon Harris (Logical Security) is also consulting for the Air Force and has written many security-related books (not counting the training materials for CISSP certification), I assume that she also deserves many kudos regarding this announcement.

Going for a Big one

I remember the time when the CISSP certification was criticized by my staff instructor, who actually was one of the first to pass this "tough nut" exam. His argument was that the exam is out of touch with the real life of security practitioners and geared toward management staff only; that the exam tests a crazy collection of knowledge from various (not always related) disciplines; that the exam tests not only your background but rather your ability to memorize a huge number of abbreviations of IT protocols, technologies, law definitions, terms, etc. At that time, we developed our own security training course, and later we preferred the SCNP exam as the one that checks hands-on knowledge, the knowledge that really matters in the real world of cyber war (I hope you agree that this war is a matter of fact).

Well, time has changed our perceptions, because the CISSP exam became the number one exam in the cyber security world. I assume that several factors contributed to this change. First of all, back then, in 2000, we had no idea what could happen in just one year: the major attack in NY. This factor was the most important in the growing popularity of the CISSP certification.

Also, more and more companies realized that protecting their infrastructure and IT resources was becoming task number one. It is obvious that expertise in this area is required unless you want to outsource this matter to a third party. It isn't 100% safe to rely on someone else (even with enough expertise) if you really care about your business. So, many companies tried to hire security experts to solve the problem internally, being able to control the process to a higher degree.
The first pros who were hired were hands-on gurus in the cyber protection area who knew firewalls, routers, sniffers, and were good LAN/WAN troubleshooters. As always happens, the HR departments began to look for a definition of the professional level for this tough job. Unfortunately, the reality is that none of the HR people know anything about Information Security, and as has happened in the past, the certification became the definition of the professional level. Not hands-on knowledge, not real-world experience, not achievements, but one exam made the difference (see my article about IT certification hypes written in 2002).

I have to admit that the folks at (ISC)2 were smart enough to push their certification up to the point where the Department of Defense required all security professionals who work for DoD to be CISSP certified. Even Alan Paller and Steve Northcutt from the SANS Institute were not able to push their GIAC Certification Program hard enough (and those guys are good entrepreneurs and are pretty successful). So, the CISSP certification became a mainstream certification in the security world, and the de-facto standard.

Many folks around the world are jumping on this wagon and trying to pass one of the toughest certification exams. Just imagine: 250 written questions, 6 hours, $450 per test, and 10 security-related domains (including the domain with criminal/cyber law!). The collection of knowledge required to pass the exam is described as being "2 miles wide and 2 inches deep".

Well, considering today's value of the CISSP certification, higher than ever before, I have decided to go for the Big one, too. I have to admit that during my study I gathered some useful knowledge that "widened my IT horizon". For instance, I was never interested in finding out in depth what technology Microsoft uses for authentication in Windows 2003 Server, except knowing that it's called Kerberos. I even learned some pieces of criminal law that might help in better understanding one of those lengthy TV serials about crime investigation (as Shon Harris mentioned in her DVD-based training course).

Only 10 days are left for study, and I am overwhelmed with the stream of information that I must memorize. It's not hard to understand, but to memorize...

Wish me good luck and strength for 6 hours on March 31st!

I will add more information on this topic later. So far, if you are interested, reply to my blog with your certification-related questions.

Best to all of you (except spammers)!

The Cyberteacher