Tuesday, November 11, 2008

GCIH Conquered!

My best score yet! A 97% on the GCIH exam!

I think that having taken the GCFW less than a month before certainly helped since both courses have a lot of overlap. I certainly questioned having taken them both that close together, but it ultimately worked out really well.

Now I am studying for the rest of the requirements for the GSE-C platinum level exam. I want to reach that before taking a break, and keeping my focus on it while it remains fresh in my head is a good idea.

I don't currently face any deadlines, though, since I haven't paid for the challenges yet. Ironically, not having that pressure can make it more challenging to keep things at a high priority. I am going to finish the other two (G7799 and GSNA) this year though, if at all possible!

I plan on working on the gold papers after I clear those out of the way. I have already started the shell of one (on secure development). I figure I can find someplace to publish it if the topic isn't accepted. One key thing will be limiting myself to just 4 papers. :)

Brad

Tuesday, November 4, 2008

How to Learn it All?

The biggest challenge I am facing now is that I am trying to learn everything, a definite impossibility. I have gotten a big urge to know many different useful things, but I only have so many hours in the day. Balancing this all out is turning out to be a serious challenge!

I would rather have this challenge than one of apathy though, so I will keep working it. Ironically, it can be frustrating at times.

Brad

Saturday, November 1, 2008

I have been listening through the OWASP 2008 session videos recently and some of it is downright scary. I would have to agree with Ed Skoudis, a SANS instructor, who noted in a class I listened through (SEC 504) that this is the Golden Age of Hacking. The OWASP video was talking about a new phishing engine someone was creating. While this could be great for testing, it has a lot of things that would make it a powerful tool in the hands of script kiddies and even those with more experience.

It is kind of like the Metasploit Framework. It is a powerful tool for doing harm to systems, but it can also be used to test your own systems for possible vulnerabilities. I am not a pen tester, so perhaps these tools scare me even more. Still, it is better to know what is out there than to have the tools circulate only among the bad guys, with only them knowing what is going on.

Brad

Tuesday, October 28, 2008

Another SANS Certification Complete!

I forgot to post earlier, but earlier this month I completed my GIAC GCFW certification. I am currently aiming at the GSE-C (and possibly the GSE), so this is one step along the way. Now I am jamming the GCIH material into my head that I had at a Community SANS event earlier this year.

BTW, I will be leading a mentored SEC 401 (GSEC) class in the Dallas area starting in December. Check the SANS site for more details if you are interested in attending. You will get my focused attention over a 10 week period to help you learn a wide range of great basic security information! The course really does live up to its Security Basics title.

I recommend it even if you can't take it from me. :)

Brad

OWASP 2008 New York Conference Online

OWASP recently published the full set of videos, accessible via their website at http://www.owasp.tv. I didn't get to attend this year, but I have enjoyed listening to a few of the sessions so far. One was a bit slow, but overall I am glad I can listen to them at no cost! They are posted in both Flash and iPod (mp4) format.

I highly recommend watching or listening to them, with the latter probably being the best. You do miss the slides, but a talking head is not all that entertaining.

Brad

OCC Bulletin on Application Security

The US Office of the Comptroller of the Currency recently released a bulletin on application security: http://occ.treas.gov/ftp/bulletin/2008-16.html. It is written more in business language than in tech speak, so it may be good to run by your business counterparts.

One drawback is that it is aimed at financial institutions, but the points it makes are applicable to any company writing/using custom applications!

Brad

Saturday, June 21, 2008

I Don't Want to Be an Auditor!

Audits are fun things. I have been sitting in on parts of an audit to meet government requirements for the past two weeks and it has reinforced that I don't really want to go over to that side of the fence.

In some ways, it is funny watching the process, as some auditors find ways to make black and white rules to evaluate somewhat vague requirements. I had thought PCI requirements were vague at one point, but these have even more areas where they could use clarity. At least we have the auditor's notes version with the PCI standard, but these were missing even that.

It does demonstrate that sometimes such audits are needed to get the necessary pressure to do all the right things. Getting strong security in place is a big challenge in many areas. No one wants to be insecure, but people often don't realize it until they have the shortcomings put forth so clearly.

An unfortunate part of this is that the requirements being evaluated are not always clear. While auditors deal with the black and white I mentioned above, the requirements don't always clarify exactly what should be covered by the audit, no matter how much the auditor may want it to be cut and dried.

It is ironic that I plan on achieving my GIAC GSE-Compliance in light of this, but I still plan on pursuing that. Hopefully having some solid audit knowledge will help me be an even stronger information security professional.

Sunday, June 15, 2008

SANS SEC 401 Mentored Class in Dallas!

It is official! I will be mentoring a SANS SEC 401 class this fall in Dallas.

The official information is at http://www.sans.org/mentor/details.php?nid=13229

It is a great class to get a solid overview of the basics of security. I highly recommend it!

Ironically, I would prefer the 6 day class since that is a better way to get the massive amounts of information. That said, this format is great for anyone who cannot afford 6 work days (really 5) or who wants to get the information in an even more compact format. You will have to do a lot of studying on your own, but you will get an outstanding mentor (me!) and lots of great material.

Do let me know if you want to sign up. I hope to post a special link for that soon. Mention that I "referred you" if you sign up based on this post or some other contact with me. :)

Thursday, February 7, 2008

SANS Security Essentials Mentored in Dallas?

I have been approved to be a SANS mentor for the SEC 401 - Security Essentials class. I am working on setting up my first session in the Dallas area sometime later this year.

I will set up a way soon to let me know if you would be interested in going through the course with me over a 10 week period (2 hours one night per week).

Keep your eyes here for ways to indicate your interest!

Brad

Tuesday, January 8, 2008

Another One Down!

I decided to tackle the GIAC/GPCI after passing my GSEC last fall. This was partially because I have been working on PCI issues for the last year and a half and partially because I am considering trying for the GIAC/GSE-Compliance Platinum cert sometime in the future. This is complicated by the fact that all the costs will be borne by me, but I figure it may be worth it if it helps me get a lot better.

Well, after waiting for the holiday break (and then wasting it), I took the test last Saturday and passed with a very good score. I even got one technically incorrect question updated (though I didn't get the credit back). Not a bad cert, though a few questions were certainly tricky.

I do think this cert might have been dropped, so this might have been a waste, but I am going to keep my eyes open and see.

I plan on passing the CISSP next, but I think I need to learn a bit more first. I have enough experience related to security, but I want the breadth of knowledge that requires.