Security+ vs CISSP

Someone asked me to compare Security+ vs CISSP, particularly the difficulty. I’m glad to oblige. I have both certifications.

Let’s start by looking at a couple of hypothetical questions. Don’t expect to see either of these on the test; I’m making them up as I go. But don’t be surprised if you see something similar.

Read more

SSCP vs CISSP

SSCP vs CISSP

SSCP and CISSP are both (ISC)² certifications. I get a lot of questions about the two of them, especially about SSCP, as CISSP overshadows it. So let’s look at SSCP vs CISSP.

CISSP definitely pays better, but that’s not to say SSCP doesn’t have merit.

Read more

How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me. Read more

Phil Kerpen, net neutrality, and socialism: A post-mortem

I learned the hard way a few weeks ago how net neutrality can be equated with socialism, an argument that puzzles people who work on computer networks for a living and see networking as a big flow of electrons. I think it’s very important that we understand how this happens.

Here’s the tactic: Find a socialist who supports net neutrality. Anoint him the leader of the movement. Bingo, anyone who supports net neutrality follows him, and therefore is a communist.

Political lobbyist and Fox News contributor Phil Kerpen told me Robert W. McChesney was the leader of the net neutrality movement, and he sent me a quote in the form of a meme longer than the Third Epistle of St. John. Yet in a Google search for the key words from that quote, “net neutrality bring down media power structure,” I can’t find him. So then I tried Bing, where I found him quoted on a web site called sodahead.com, but I couldn’t find the primary source.

For the leader of a movement the size of net neutrality, he sure keeps a low profile. Google and Netflix are two multi-billion-dollar companies that support net neutrality. I’m sure it’s news to them that they’re taking orders from Robert W. McChesney. Read more

The phantom tech worker shortage

I saw a story yet again about the tech worker shortage, and the backlash against H1-B visas. Reading the comments on Slashdot, I increasingly got the feeling the shortage is a mirage. The people are out there, but the matchups with job openings aren’t happening.

My experience may be anecdotal, but it mirrors this. Read more

Don’t be too impressed with Snowden’s “ethical hacking training”

I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.

For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.

Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.

I also know about this training that Snowden put on his resume. Read more

Deconstructing my conversation with “Computer Maintenance Department”

My tell-all about my encounter with “Computer Maintenance Department” was a little heavy on the jargon yesterday. It occurs to me that explaining what some of the terminology means, and the problem with their reasoning, may be helpful. I’ve also heard a few questions through various channels, and I think those are worth answering. Read more

Step 1 to landing a security job: Become conversant in security

So last week, I wrote about the difficulty of landing a security job and promised to explore it further.

And I think the first key, and what should be the most crucial key, is being conversant in security. Having a certification is one thing, but at the end of the day, the biggest thing it means is that you passed a test. It’s possible to pass a certification test and not be able to talk intelligently about security. So in the process of interviewing, you can expect to have to answer a pile of questions, and if you don’t answer those questions well, you won’t be offered a job. Read more

Somebody just tried to hack me

Caller: “I calling from technical support. We found issue with your PC.”
Me: “What company are you with?”
Caller: “CSA is the name of my company.”
Me: “What’s our business relationship?”
Caller: “We found issue with your PC. Our technicians found your PC is running slow.”
Me: “Do you realize I wrote the book about PC performance? No, really, I wrote a book about it. I guarantee my computer is faster than yours. I also possess multiple security certifications.”
Caller: “Go on.”
Me: “You need to find someone else to social engineer.”

The caller stammered a little bit, tried to assure me it wasn’t a scam and wasn’t going to cost me money, then hung up.
Read more

“They were bored and wished they had a job.”

I was catching up on security podcasts this week, and a brief statement in one of them really grabbed me. The panel was talking about people who steal online gaming accounts, I think. The exact content isn’t terribly important–what’s very important is what this person found in the forums where the people who perform this nefarious activity hang out. What she found was that there was one common sentiment that almost everyone there expressed, frequently.

They were bored, and they wished they had a job.

There was about a 30-second exchange after that, but I don’t think it’s enough. Read more