CISSP continuing education

Besides work experience, I probably get more questions about CISSP continuing education than anything else CISSP-related. Fortunately, keeping your CISSP can be a lot cheaper and easier than getting it in the first place was.

CISSP continuing education is measured in CPEs. You get one CPE per hour of “study.” Study is a pretty loose term. If you’re learning about security, you can probably find a way to make it count. You need to get 40 CPEs per year.

Read more

SSCP vs CISSP

SSCP vs CISSP

SSCP and CISSP are both (ISC)² certifications. I get a lot of questions about the two of them, especially about SSCP, as CISSP overshadows it. So let’s look at SSCP vs CISSP.

CISSP definitely pays better, but that’s not to say SSCP doesn’t have merit.

Read more

Cyber security podcasts I listen to

Yesterday, after reading a post in which I cautioned about a popular security podcast, someone asked me what cyber security podcasts I do listen to. I wrote this up a long time ago and never posted it for some reason, so now I’m correcting the oversight. Here’s my collection of the best of the best security podcasts.

These are the security podcasts I’ve been listening to for several years now and continue to recommend. Security podcasts are a good way to keep in touch with current issues, and also a good way to get continuing education.

Read more

A security professional fights back against tech support scammers

I guess Matt Weeks is as sick as I am of tech support scammers, because he developed a way to fight back, in the form of a Metasploit module that exploits a software defect in the AMMYY remote access tool that these scammers sometimes use. Metasploit is a tool that penetration testers use to demonstrate–with permission–how hackable a computer network is. In this case, the would-be victim is penetration testing someone without permission. Run the module when the scammer connects to the would-be victim, and he or she gets a command prompt on the criminal’s PC. At that point, the would-be victim can break their computer, perhaps by deleting critical files, corrupting the Windows registry, or something else. Anything you can do from a command prompt would be possible at that point.

I’m anything but heartbroken that this threat exists, although I’m not going to do this myself. Let me explain. Read more

Don’t be too impressed with Snowden’s “ethical hacking training”

I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.

For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.

Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.

I also know about this training that Snowden put on his resume. Read more

Step 1 to landing a security job: Become conversant in security

So last week, I wrote about the difficulty of landing a security job and promised to explore it further.

And I think the first key, and what should be the most crucial key, is being conversant in security. Having a certification is one thing, but at the end of the day, the biggest thing it means is that you passed a test. It’s possible to pass a certification test and not be able to talk intelligently about security. So in the process of interviewing, you can expect to have to answer a pile of questions, and if you don’t answer those questions well, you won’t be offered a job. Read more

CPE opportunity: Exploding the Phone

This week Cnet interviewed Phil Lapsley, the author of Exploding the Phone, a book about the early history of phone phreaking.

Phone phreaking is absolutely fair game for the CISSP exam. I couldn’t tell you anymore how many phone phreaking questions I had to answer, but let me just say I’m glad I’d read those pages in the CBK about phone phreaking.

Read more

Did I violate my code of ethics?

The CISSP exam (and any other (ISC)² exam) asks a few ethical questions. This question isn’t quite clear-cut enough for the test, I don’t think. But if you’re wondering what the test is like, this actually isn’t a bad thing to work through. My ethical questions on the test were more clear-cut than this, but the security questions weren’t.

Read more

One road to the CISSP: Do SSCP first

As my crazy week wound down, I had a number of visitors, including someone who’s been on the fence about taking the CISSP. She wanted some advice. The (ISC)² Code of Ethics says to give generously of such things when asked, so we talked for about 30 minutes. Read more

How to pass CISSP: Test taking strategies

The CISSP is a 250-question, multiple-choice test. You have six hours to complete it. It’s not like any college final I ever took, though cramming all of finals week into a six-hour session is almost a fair comparison. If you’re wondering how to pass CISSP, I can’t guarantee my method, but I’m glad to share what worked for me.

Read more