Do I have enough CISSP work experience?

It seems like about once a month an aspiring coworker asks me how to get enough CISSP work experience. I think this shows a misunderstanding of the requirement, so I’m going to try to clear it up.

You don’t have to get your five years of work experience in one big lump. And that’s a good thing, because that would be hard to do. Sometimes you can get a security job without a cert and work your way toward it, but a lot of employers want you to come in with the certification already.

But that’s OK. As long as you’re doing something more than selling computers at retail, odds are you have some security experience that can count toward the requirement.


Job hunting on your own vs. using a recruiter

A former coworker contacted me last week. He’d been employed in the same place for the last 16 or 17 years and couldn’t remember how to look for a job. Who better to ask than a guy who’s changed jobs 9 times in the same timeframe? One obvious question is whether to hunt for a job on your own or use a recruiter.

In fairness to myself, government contracting causes a lot of job-hopping. And in fairness to him, the game’s changed a lot since the last time he had to play. IT recruiters existed back then, but when you wanted a new job, you found it yourself.

I still use both methods.


How to use the lock in your web browser’s location bar


A commenter asked me last week if I really believe the lock in a web browser means something.

I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.

So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.


How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me.

A security professional fights back against tech support scammers

I guess Matt Weeks is as sick as I am of tech support scammers, because he developed a way to fight back, in the form of a Metasploit module that exploits a software defect in the AMMYY remote access tool that these scammers sometimes use. Metasploit is a tool that penetration testers use to demonstrate, with permission, how hackable a computer network is. In this case, the would-be victim is penetration testing someone without permission. Run the module when the scammer connects to the would-be victim, and he or she gets a command prompt on the criminal’s PC. At that point, the would-be victim can break the scammer’s computer, perhaps by deleting critical files, corrupting the Windows registry, or something else. Anything you can do from a command prompt would be possible at that point.

I’m anything but heartbroken that this threat exists, although I’m not going to do this myself. Let me explain.

IT jobs shortage? Slide over to security

IT jobs are getting scarce again, and I believe it. I don’t have a cure but I have a suggestion: Specialize. Specifically, specialize in security.

Why? Turnover. Turnover in my department is rampant, because other companies offer my coworkers more money, a promotion, or something tangible to come work for them. I asked our CISO point blank if he’s worried. He said unemployment in security is 0.6 percent, so this is normal. What we have to do is develop security people, because there aren’t enough of them.

I made that transition, largely by accident, so I’ll offer some advice.

What Linkedin is good for

Alistair Dabbs posted a nice, curmudgeonly anti-social-media rant over at The Register. In part, he asked what Linkedin is good for, noting it’s never netted him a job or a useful contact.

I found his piece entertaining, so I thought I’d talk about how I use Linkedin, besides dodging recruiters who blindly type “cissp security clearance” or “security analyst st. louis” and message every single person who comes up.

Spritz promises to revolutionize speed reading

I found a reference this week to Spritz, a promising smartphone/tablet app to help people read faster. Much faster. I tried the demo of the technology and could almost keep up with its 500 word-per-minute pace right away.

Now, I’ve always been a fairly fast reader, though I’ve never felt any need to have someone time my speed. I just know I read faster than most of my classmates did. But I know I don’t normally read anywhere near 500 words per minute. My typical blog posts are usually about 750 words, so that would be reading one of my posts in a minute and a half.

I’m interested in it, though, because I’ve resolved to read more this year. You can roughly estimate 100 pages at 25,000 words, so at 500 words per minute you could read a 200-page book in about an hour and 40 minutes.

I’m not sure I would want to rush through something really dense and technical at that rate–especially not something like the CISSP Common Body of Knowledge–but when the other choice is not reading at all, it’s obviously much better than that. And nothing says you have to pick one way of reading or the other. You can read a book quickly and come back and read the tougher parts more slowly. Some people say you shouldn’t read without taking notes, but running a book through Spritz is a fast way to find out if a book is worth sitting down and reading with a pad of paper–or, ahem, a laptop with a word processor–next to it.

Details of how it will work are a bit sparse. Hopefully the app will be able to read your existing e-book library. If it exists as a walled garden where you have to buy books within the Spritz app, that seems like it would limit its usefulness to me. We’ll see. This is definitely a technology I want to track.