It seems like about once a month an aspiring coworker asks me how to get enough work experience to qualify for CISSP. I think this shows a misunderstanding of the requirement, so I’m going to try to clear it up.
You don’t have to get your five years of experience in one big lump. And that’s a good thing, because that would be hard to do. Sometimes you can get a security job without one and work your way toward it, but a lot of employers want you to come in with the certification already.
But that’s OK. As long as you’re doing something more than selling computers at retail, odds are you have some security experience that can count toward the requirement.
Continue reading Do I have enough experience for CISSP?
A commenter asked me last week if I really believe the lock in a web browser means something.
I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.
So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.
Continue reading How to use the lock in your web browser’s location bar
So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9.
The field desperately needs more of us, so I’m happy to share with you how to become someone like me. Continue reading How to become an Info Assurance Analyst
I guess Matt Weeks is as sick as I am of tech support scammers, because he developed a way to fight back, in the form of a Metasploit module that exploits a software defect in the AMMYY remote access tool that these scammers sometimes use. Metasploit is a tool that penetration testers use to demonstrate–with permission–how hackable a computer network is. In this case, the would-be victim is penetration testing someone without permission. Run the module when the scammer connects to the would-be victim, and he or she gets a command prompt on the criminal’s PC. At that point, the would-be victim can break their computer, perhaps by deleting critical files, corrupting the Windows registry, or something else. Anything you can do from a command prompt would be possible at that point.
I’m anything but heartbroken that this threat exists, although I’m not going to do this myself. Let me explain. Continue reading A security professional fights back against tech support scammers
IT jobs are getting scarce again, and I believe it. I don’t have a cure but I have a suggestion: Specialize. Specifically, specialize in security.
Why? Turnover. Turnover in my department is rampant, because other companies offer my coworkers more money, a promotion, or something tangible to come work for them. I asked our CISO point blank if he’s worried. He said unemployment in security is 0.6 percent, so this is normal. What we have to do is develop security people, because there aren’t enough of them.
I made that transition, largely by accident, so I’ll offer some advice. Continue reading IT jobs shortage? Slide over to security
Alistair Dabbs posted a nice, curmudgeonly anti-social-media rant over at The Register. In part, he asked what Linkedin is good for, noting it’s never netted him a job or a useful contact.
I found his piece entertaining, so I thought I’d talk about how I use Linkedin, besides dodging recruiters who blindly type “cissp security clearance” or “security analyst st. louis” and message every single person who comes up. Continue reading What Linkedin is good for
I found a reference this week to Spritz, a promising smartphone/tablet app to help people read faster. Much faster. I tried the demo of the technology and could almost keep up with its 500 word-per-minute pace right away.
Now, I’ve always been a fairly fast reader, though I’ve never felt any need to have someone time my speed. I just know I read faster than most of my classmates did. But I know I don’t normally read anywhere near 500 words per minute. My typical blog posts are usually about 750 words, so that would be reading one of my posts in a minute and a half.
I’m interested in it, though, because I’ve resolved to read more this year. You can roughly estimate 100 pages at 25,000 words, so at 500 words per minute you could read a 200-page book in about an hour and 40 minutes.
I’m not sure I would want to rush through something really dense and technical at that rate–especially not something like the CISSP Common Body of Knowledge–but when the other choice is not reading at all, it’s obviously much better than that. And nothing says you have to pick one way of reading or the other. You can read a book quickly and come back and read the tougher parts more slowly. Some people say you shouldn’t read without taking notes; but running a book through Spritz is a fast way to find out if a book is worth sitting down and reading with a pad of paper–or, ahem, laptop with a word processor–next to it.
Details of how it will work are a bit sparse. Hopefully the app will be able to read your existing e-book library. If it exists as a walled garden where you have to buy books within the Spritz app, that seems like it would limit its usefulness to me. We’ll see. This is definitely a technology I want to track.
Last week, another Snowden leak surfaced that stated that the NSA is working on a quantum computer capable of breaking all known current encryption, trivially.
I didn’t find this shocking. Continue reading Why last week’s “news” of the NSA’s quantum computer project doesn’t bother me
What can you do about it? Continue reading Another day, another router backdoor
I had a search query about getting started in regulatory compliance, which I’ve written about before, but more from an organizational perspective. That won’t help you much from a career perspective.
I think most any CISSP will answer that question similarly, so I’ll take a stab at it. Continue reading How to get started in regulatory compliance