David L. Farquhar, computer security professional, train hobbyist, and landlord
Let’s do something taboo today and talk about money. CISSP money. What exactly is realistic when it comes to CISSP salary expectations?
The average CISSP salary is somewhere around $120,000. That’s average, and CISSP covers a broad range of jobs, but keep that number in mind if someone offers you $54,000. I’ve seen $54,000 cited as the low end and that’s, frankly, ridiculously low.
I’ve had lots of discussions about imposter syndrome in both tech in general and cyber security specifically. I have thoughts.
I’ve advocated learning Python, and the best way to learn it is with a useful example. Here’s a very simple Python program that does something useful. It queries the Shodan API to tell you who owns an IP address.
What is DDoSing? A DDoS attack something every system administrator and security professional needs to be concerned about. You can expect to see this concept on certification tests and get questions about it in job interviews. So let’s look at the concept of DDoS, and why I think this is going to get worse before it gets better.
DDoS stands for Distributed Denial of Service. A DDoS attack is just the process of overwhelming a computer system with more traffic than it can handle, so that it can’t serve its intended purpose.
I do a lot of work pulling data from systems via API, then doing things with parts of that data, whether it means feeding it to another system or creating a report. Some of these data structures are huge and unwieldy. Here’s how to pretty print JSON in Python so you can make sense of those data structures and get on with your code–without using an online pretty print website and potentially exposing sensitive data.
While json.loads is the key to getting your JSON data into a Python data structure, there’s a corresponding json.dumps to print it back out. It doesn’t sound like it would pretty print, but that’s what it does.
I’m not sure any three words strike more fear into the hearts and minds of security analysts than the words “Qualys false positives.” Some number of false positives is unavoidable. But the perceived number of false positives is usually an order of magnitude larger than the real number of false positives. Here’s how to estimate how many you should have, how to investigate them, and break the gridlock.
Is Windows 7 safe to use? No. Next question? Alright, I guess I need to explain why, without being so dismissive.
Support for Windows 7 ended in January 2020, which means there have been no new security updates for Windows since. That means Windows 7 isn’t safe to use, even with a firewall and antivirus.
A former classmate told me his employer is making him take Kevin Mitnick’s security awareness training course. “Is he really the world’s most famous hacker?” he asked me. “And if he is, why should I trust a word he says?”
Those are excellent questions. I happen to have reviewed all of Kevin Mitnick’s various courses for a previous employer, so I’m familiar with them. And I had to take Kevin Mitnick Security Awareness Training this year myself. I don’t agree with the life decisions Kevin Mitnick made that landed him in prison, of course. But overall, I had only very minor objections to his training. Here’s why.
What is a phreaker in hacking or IT terms? Phreaking is largely obsolete and doesn’t happen much anymore, but it’s an important historical concept in computer security. While phreaking wasn’t the first form of hacking, it’s probably the first example of hacking in a modern sense.
Phreaking was hacking the phone system, usually to make long distance calls for free. Some people phreaked for the thrill of it, but many of them did it because they made more long distance calls than they could afford. Two famous phreakers from the 1970s were Steve Jobs and Steve Wozniak, the co-founders of Apple.
When I first started interviewing for security jobs, I remember some of the jargon confusing me. “Infosec” was one of those terms. Getting that first job is hard enough without getting your resume binned over not knowing the word infosec. So what is infosec, what does it stand for, and how do you talk intelligently about it?