Category Archives: security

Can I use a CISSP book to study for SSCP?

Can I use a CISSP book to study for SSCP? That’s a good question, and a good idea, but I don’t recommend it anymore.

SSCP covers less ground and goes into more depth than CISSP does. SSCP is designed for hands-on security operations types. CISSPs tend to be policy types and/or managers. You’ll do better with a post-2015 SSCP guide, such as SSCP Systems Security Certified Practitioner All-in-One Exam Guide, Second Edition. You might as well get a used copy to save money.

That said, if you know the material, you can pass it using old books. I passed CISSP with old, dated books because the new books weren’t ready yet. I relied on work experience to close the gaps. Work experience is just as important as book knowledge. Perhaps more so. I’ve worked with people with lots of book knowledge who couldn’t solve the problems they encountered on the job. You can’t fake your way through operations.

If you have an old CISSP book from before 2015, read the seven relevant domains from the CISSP book: Access Control; Cryptography; Malicious Code and Activity; Monitoring and Analysis; Networks and Communications; Risk, Response and Recovery; and Security Operations and Administration. Anything that’s fair game in those domains for CISSP always was fair for SSCP too.

When you vote, use a paper ballot

I don’t mean this image figuratively. Fill out a paper ballot and drop it in the box.

Tomorrow is election day. When you vote, use a paper ballot. Paper ballots aren’t flawless either, but they are the less flawed of the two options we have.

So remember two things tomorrow. Go vote. And ask for paper.

How DDoS attacks work

Yesterday, half the Internet was broken. I knew something was wrong when I couldn’t get into Salesforce to check on a support ticket for my biggest customer. Another member of my team sent us a warning that a big DDoS attack was happening, and not to count on being able to issue very many quotes today. So what, exactly, is a DDoS attack and how do DDoS attacks work?

I suppose there’s another question to ask too: What can you do to avoid being part of the problem? We’ll save that for the end.


CISSP continuing education

Besides work experience, I probably get more questions about CISSP continuing education than anything else CISSP-related. Fortunately, keeping your CISSP can be a lot cheaper and easier than getting it in the first place was.

CISSP continuing education is measured in CPEs. You get one CPE per hour of “study.” Study is a pretty loose term. If you’re learning about security, you can probably find a way to make it count. You need to get 40 CPEs per year.


Does HTTPS matter? Yes. Here’s why.

“Does HTTPS matter?” a friend of a friend asked. “I heard it does. Is that still true?” Yes, yes, and yes. Here’s why.

HTTP connections are unencrypted. HTTPS connections are encrypted. You can tell when you’re using HTTPS because the URLs start with https:// instead of http://, and your location bar will have a lock in it. Encryption is good.
