David L. Farquhar, computer security professional, train hobbyist, and landlord
As a vulnerability management professional, I talk about vulnerability scanning best practices a lot. There’s a lot more to vulnerability management than just scanning, but if you don’t get scanning right, the rest of the program suffers.
I’m going to talk about a lot of technical controls here, but don’t forget the nontechnical side. People and processes have to support all technology.
Someone asked me to compare Security+ vs CISSP, particularly the difficulty. I’m glad to oblige. I have both certifications.
Let’s start by looking at a couple of hypothetical questions. Don’t expect to see either of these on the test; I’m making them up as I go. But don’t be surprised if you see something similar.
A dictionary attack is a common way to steal a password. Here’s how a dictionary attack works, in layperson’s terms. More importantly, here’s how to beat the attack.
A dictionary attack is a much more efficient alternative to brute force hacking, but it requires a local copy of the user database to work. That usually means stealing the database first, if a bad guy is doing it. But nothing stops a company from doing a dictionary attack on its own user accounts to make sure people aren’t using insecure passwords. It’s unusual, but not unheard of.
SSCP and CISSP are both (ISC)² certifications. I get a lot of questions about the two of them, especially about SSCP, as CISSP overshadows it. So let’s look at SSCP vs CISSP.
CISSP definitely pays better, but that’s not to say SSCP doesn’t have merit.
So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.
The field desperately needs more of us, so I’m happy to share with you how to become someone like me. Read more
This week Cnet interviewed Phil Lapsley, the author of Exploding the Phone, a book about the early history of phone phreaking.
Phone phreaking is absolutely fair game for the CISSP exam. I couldn’t tell you anymore how many phone phreaking questions I had to answer, but let me just say I’m glad I’d read those pages in the CBK about phone phreaking.
I ran into a former supervisor from many years ago at the local Home Depot this evening. We had a pleasant discussion. It reminded me of a question I asked, right around the time he and I last talked. I asked whether it’s better to be a consultant or an employee.
Here’s what I would say to my 2005 self if I could, somehow. I present it here since I know someone else must have the same question.
The CISSP exam (and any other (ISC)² exam) asks a few ethical questions. This question isn’t quite clear-cut enough for the test, I don’t think. But if you’re wondering what the test is like, this actually isn’t a bad thing to work through. My ethical questions on the test were more clear-cut than this, but the security questions weren’t.
Infoworld tells employers to quit sniveling about their workers not having enough skills and train them.
Sounds good. It worked in the organization where I work.
You may have a question about open-source licenses on your CISSP exam. I don’t remember the specifics and wouldn’t be able to repeat them anyway, but I had a question on my exam where knowing the differences was helpful in finding the right answer.
And I had to deal with an issue this past week involving open-source technologies where the licenses made a big difference.