Vulnerability scanning best practices

As a vulnerability management professional, I talk about vulnerability scanning best practices a lot. There’s a lot more to vulnerability management than just scanning, but if you don’t get scanning right, the rest of the program suffers.

I’m going to talk about a lot of technical controls here, but don’t forget the nontechnical side. People and processes have to support all technology.

Read more

Security+ vs CISSP

Someone asked me to compare Security+ vs CISSP, particularly the difficulty. I’m glad to oblige. I have both certifications.

Let’s start by looking at a couple of hypothetical questions. Don’t expect to see either of these on the test; I’m making them up as I go. But don’t be surprised if you see something similar.

Read more

How a dictionary attack works

How a dictionary attack works

A dictionary attack is a common way to steal a password. Here’s how a dictionary attack works, in layperson’s terms. More importantly, here’s how to beat the attack.

A dictionary attack is a much more efficient alternative to brute force hacking, but it requires a local copy of the user database to work. That usually means stealing the database first, if a bad guy is doing it. But nothing stops a company from doing a dictionary attack on its own user accounts to make sure people aren’t using insecure passwords. It’s unusual, but not unheard of.

Read more

How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me. Read more

CPE opportunity: Exploding the Phone

This week Cnet interviewed Phil Lapsley, the author of Exploding the Phone, a book about the early history of phone phreaking.

Phone phreaking is absolutely fair game for the CISSP exam. I couldn’t tell you anymore how many phone phreaking questions I had to answer, but let me just say I’m glad I’d read those pages in the CBK about phone phreaking.

Read more

Is it better to be a consultant or an employee?

I ran into a former supervisor from many years ago at the local Home Depot this evening. We had a pleasant discussion. It reminded me of a question I asked, right around the time he and I last talked. I asked whether it’s better to be a consultant or an employee.

Here’s what I would say to my 2005 self if I could, somehow. I present it here since I know someone else must have the same question.

Read more

Open-source licenses, the CISSP, and the real world

You may have a question about open-source licenses on your CISSP exam. I don’t remember the specifics and wouldn’t be able to repeat them anyway, but I had a question on my exam where knowing the differences was helpful in finding the right answer.

And I had to deal with an issue this past week involving open-source technologies where the licenses made a big difference.

Read more

WordPress Appliance - Powered by TurnKey Linux