Saturday, December 24, 2011

I Passed the CISSP!

I just found out that I passed the CISSP exam I took several weeks ago! I was surprised, but this turned out just like my CISM exam. I thought I failed that too, but now I have the key information security certification under my belt to go with all the other hands-on ones I have completed!

Tuesday, November 22, 2011

First CISSP Attempt

I am often too much of a perfectionist and while I have passed several SANS certification tests and even ISACA's CISM test, I kept waiting to tackle the CISSP until I thought I knew enough. I finally decided to sign up for it a little more than a month ago, figuring I could retake it if needed. I suspect I will need to do so as several of the questions on the test were nothing like the material I jammed into my head in the last few weeks, in addition to all my hands-on time prior to that. I am annoyed that I even missed a PCI question that I should have known better on. Overall, a quite annoying test. Annoying in a different way than the CISM, but annoying nevertheless. I did feel I failed that when I took it, so perhaps the outcome will be better, but I won't know for a couple of weeks.

Thursday, October 27, 2011

How Greedy and Stupid Can You Get?

I knew it before, but I am finally digging through the latest Shon Harris' CISSP book. Instead of going with the standard Confidentiality, Integrity and Availability, the book calls it Integrity, Confidentiality and Availability (ICA). I suppose this is so they can trademark the term. How stupid. I suppose we are going to see the CPT-PI soon (Control Protocol for Transport - Protocol Internet).... Some smart people in the security training business, but too worried about locking off their own material and not enough about producing excellence. I guess that's what happens when you become a bunch of prima donnas. I have seen similar stupidity in many places.

Wednesday, September 7, 2011

I attended the Dallas OWASP meeting earlier today. Charles Henderson from Trustwave was talking about their data breach report for 2010. Some notes I took with my comments:

- Attackers are continually looking for the weakest link. Should be obvious, but we always need to keep this in mind.
- Organized crime doesn't trust each other. This means they often use strong security in their own work. How ironic.
- Attackers will normally try to use the existing infrastructure to get compromised data out of the organization and back to their control.
- More targeted attacks today. Example given: Sally is pregnant. Attacker finds her direct reports, sends "baby pictures" about the time she is due. This is a very targeted phishing email. We still need to be very cautious, even with "expected" email.
- Attacking requires customization today. Too many automated tools can find the "easy" stuff.
- One wireless attack is to set up a wireless access point that a laptop with a hard connection to an internal network will automatically connect to. This could end up with a wireless connection directly into the "protected" network. I wasn't clear if the names of these potential WAPs can be learned from the traffic the laptop sends out or not. I will need to investigate this more.
- The less you know about a device, the more you are likely to trust it. Very interesting. We will press "ok" the less certain we are. Scary.

Tuesday, August 9, 2011

Steganography Hits the Big Time

An attacker has to figure out how to get information out of machines they have compromised. DLP filters sometimes work against this, though merely sending the data out in some fashion has a strong chance of providing a warning of the compromise.

Thus attackers are starting to use steganography to get data out of compromised computers.

Scary.

Wednesday, July 6, 2011

Android Security Flaw

I recently had to adjust the settings on my Android phone to allow applications from "any source" so I could get some downloads from Amazon. While Amazon has complete instructions on how to do that and it frees me from only using the Android Store, why do I need to totally remove the limits to do so?

A better design would be to allow me to have a limited set of sites that could install applications on the phone, limiting installations to only those sites. Then I could add Amazon to the "approved list" and keep a lot more security without opening the barn door for anyone to walk in.

I would report this somewhere, but it is not clear at all where to do so. A search for "android feedback" just takes you to a Google page to give feedback on their market, without any ability to add comments. Not very helpful.