People frequently ask me how long to study for CISSP. Unfortunately it’s hard to give a set answer for that, but I can tell you how to figure out how long you need to study for it. That’s almost as good.
Don’t believe anyone who tells you they can get you ready in x number of days or weeks or even months. No one can know where you are relative to what you need to know to pass that test.
A CISSP is a professional certification. To attain CISSP, a professional must pass a six-hour, 250-question test and must have five years of professional experience doing work related to computer security. But after attaining the certification, what does a CISSP do?
An easy question on the test would involve what you have to be concerned about when running network cable through an HVAC duct. A medium-difficulty question might ask whether the CDMA or GSM standard for cell phones is more secure, and why. A hard question or series of questions would involve reading several pages of executive summary about a data breach and making recommendations to prevent it from happening again.
I got involved in a pair of conversations in the last week. One person complained that there’s a job shortage in information security but she can’t get one. Another complained there’s a job shortage in information security and he can’t find qualified candidates to fill them. In that spirit, here’s my advice on how to get a job in information security.
Many jobs require Security+, and even if a job doesn’t require it, having Security+ can help you break into your first security job. So how hard is Security+?
Even if you don’t work in security, but work with security, say, as a system administrator, having Security+ is helpful, as it can help you understand why a security analyst is asking for something. When you understand the motive, the relationship can move from following orders to something more collaborative, which is always a good thing.
I had an update on my system in a partially installed state. Our vulnerability scanner determined one file, MSO.dll, was still out of date. It recommended a patch to apply. Running it gave me an error message. Here’s what to do when Windows says the update is already installed on this system and refuses to let you do anything but click OK.
Because hey, from a security analyst’s point of view, this is anything but OK. I get questions about patches in a partially deployed state all the time, so I figured I’d write about it.
A watering hole attack is an indirect attack on a victim. Rather than directly attacking the victim’s network, the attacker attacks a web site that the victim’s employees are likely to visit. Then the attacker attacks the victim’s network, via its own workstations, from that web site. A former colleague asked me how you protect against watering hole attacks, and I thought this was a good exercise. So here are some strategies for watering hole attack prevention.