Archive for the 'CISSP/ISC2' Category

Sep 13 2011

Hoping to affect change at the ISC2

Published by under CISSP/ISC2,Simple Security

It might just be a pipe dream to hope that these folks can make any significant change at the ISC2, but the fact that they’re trying is more than I’ve ever done.  Which is why I’m hoping you’ll throw a little support behind the five people Jack Daniel is highlighting who want to run for the Board.  Endorsing them simply puts them on the ballot, it does not mean you have to vote for them, it doesn’t mean any of them will actually get elected.  But it will hopefully send a message that whatever direction the ISC2 is currently headed in, and I certainly don’t know what direction that is, isn’t helping the general CISSP at all.

From Jack’s site:

Below are the five candidates I am aware of, in alphabetical order:

No responses yet

Aug 25 2011

Support Change at the ISC2

Published by under CISSP/ISC2

I’ve been a CISSP for close to a decade now.  And in that time, I’ve never really been happy with the way the ISC2 represents themselves, with the way they promote the the certificate and the way they support the CISSP community.  Basically, it’s been my opinion that the primary goal of the ISC2 has been self-promotion and the gathering of more people who have 5 more letters after their name.  Promoting the community, furthering security, making the world a better place have always seemed like secondary goals at best.  They do perform some good deeds, like the Safe & Secure Online Program, but even that sometimes comes off as more a PR effort than a real attempt to improve the security of the world overall.  If you’ve ever read the CISSP mailing list (which you have to be a CISSP to do), you’ll notice that there’s been a lot of time spent complaining about the disconnect between everything the Board of the ISC2 does and what the community would really like to see done on our behalf.  My opinions on the leadership is probably part of why the ISC2 labeled a small group of people, including me, as the ‘Certified Usual Suspects’.  I even have the hat to prove it.

I’ve seen a few attempts at joining the ISC2 Board of Directors over the last few years, but unluckily I’ve never heard of most of the people who apply.  And to make matters worse, it’s incredibly difficult to get a seat on the Board unless you’re endorsed by current members of the Board.  So when I see someone I know of who’s preparing to take a run at the windmill again, I’m more than willing to help by putting my support behind them.  This year, Wim Remes is running for the Board and I’m going to support him and hope other CISSP’s will consider backing him as well.  I don’t know him personally, but given the interactions I’ve had with him on-line and the endorsements he’s already received from people I trust, I’m willing to take a chance.

Support Wim Remes by sending an e-mail from your e-mail address registered with ISC2 mentioning your NAME, EMAIL ADDRESS and CERTIFICATION NUMBER to

7 responses so far

Sep 18 2010

Logical fallacies in forums

Maybe it’s a little egotistical to reprint something you sent to a forum, but I thought I did a pretty good pointing out some of the fallacies I see all to often on forum mailing lists.  I doubt that I’ll actually influence the people most guilty of these fallacies, but the people who are borderline may be salvageable.

Good morning dear colleagues,

I wanted to take a moment to make everyone aware of a very useful site I found several years ago that’s helpful when getting involved in argumentation of any sort.  It is the Nizkor Project listing of logical fallacies.  I find it helps me a lot to be able to identify and call out specific logical fallacies, at least to myself, and it helps in forming the response to these logical fallacies.  As is often the case in online forums, the person guilty of the fallacies is either unaware of committing the fallacies in the first place or mistakes these fallacies for honest communication.  In either case, conversations with this sort of individual often devolves into appeals to emotion or ad hominem attacks.  I wanted to take some time this morning to point out a few of the fallacies that seem to be more common on this forum:

First, the ad hominem attack itself:
This is an attack on the person who’s making the argument rather than the argument itself, aka name calling.  This is also mirrored by the personal attack fallacy ( where the person claims that any argumentation is a personal attack against them.  This is also related to the appeal to pity, aka ‘They’re picking on me, therefore they must be wrong’

The second fallacy I often see is the red herring (  The answers that are sent to the forum have little or no relation to
the question that was asked.  This can be an innocent case of missing the point or it can be an example of purposefully leading the conversation away from the subject that was originally brought up.  If you see “you’re missing the point” in a reply, this is often the fallacy that was committed.

Another common fallacy on this forum is the appeal to authority (  We’re all experts of one level or another in this forum, otherwise we should never have been awarded our CISSP’s in the first place.  However, we sometimes try to falsely extend our authority in one area to cover areas that are tangential to our areas of expertise in was that are not appropriate.  Another example of this is citing vague articles or standards as supporting our cause when they really don’t have any direct bearing on the argument.  For example, just because Bruce Schneier is a respected author and cryptographer, he could not by any means be considered an expert on securing an Exchange server.  Another part of this fallacy that’s common is expecting that just because we hold certificates in certain disciplines, that we’re actually experts in that discipline.  A doctor who graduated at the bottom 5% of his class still graduated after all.

A final fallacy to think on, not because it’s especially common on the forum, but because it’s especially common in our lives in general is the appeal to common practice (  Everyone is doing it, so it can’t be that bad, can it?  This is a fallacy that should be avoided in every aspect of life, not just security.  As parents have been asking their kids for eons, “If every one of your friends jumped off a cliff, would you jump too?”.  Everyone has a firewall at the perimeter of their network; does that make a firewall a best practice or does that just mean that it’s what people are doing because everyone else is doing it?  It may be the best thing to do in your situation, but unless you evaluate it based on your circumstances rather than what others do, you’ll never know.

I try not to make the mistake of ad hominem attacks, I try to attack a person’s argument whenever possible.  This is not always possible as the number of fallacies in a response rise and overwhelm any content that may be contained in a response.  Rather than continue down a path of personal attacks and appeals to emotion, I try to bow out of the conversation at that point.  But I’m not perfect. Next time you send a reply to the list, take a few minutes to check your logic and see if you’re committing any of these common fallacies.  It will help make your point and increase your standing with your colleagues.  Failure to do so can hurt your standing in the community greatly.

Thank you,


No responses yet

Sep 09 2010

Just for fun, part 2

Published by under CISSP/ISC2,Humor

Here’s the CISSP Song by Rob Slade.  I’m not going to try to sing it, but I hope someone does.  And I hope that someone sends me the recording to play on the podcast.

Thanks Rob!

Lyrics by Rob Slade

Sung to the tune of “The Major General’s Song,” from
“Pirates of Penzance,” by Gilbert and Sullivan [1]

CISSP (solo):
I am a Certifiable Security Professional
I’ve countermeasures physical, administrative, technical
I know the ports of TCP and backdoors with malign intent
And survey risk analysis to prove the safeguards wisely spent
I’m very well acquainted, too, with matters of the blackhat crew
Attendance on the IRC phrack channel makes my colleagues stew
With viruses and zero days I’m teeming with a lot o’ news,
With many cheerful facts about the weaknesses in Usenet news

CIO Chorus:
With many cheerful facts about the weaknesses in Usenet news (etc.)

I’m very good at ACLs and mandatory access modes
I know the disassembled names of CPU compare opcodes
In short, in matters physical, administrative, technical
I am the very model of an infosec professional!

In short, in matters physical, administrative, technical
He is the very model of an infosec professional!

I know our mythic history, LaPadula, Biba, and Bell
I know the biometric facts, memorized CERs as well
I understand the lattice, roles, rules, and discretion base
And pseudorandomize my keys to maximize the address space
I’ve tokens, tickets, one-time passwords, smart cards and a kerberos
And Centralized Remote Authentication to remove the dross
I’m proof against the DoS, Man-in-the-Middle and brute force attacks
My proprietary off-the-shelf stuff’s licenced and it never cracks.

His proprietary off-the-shelf’s all licenced and it never cracks.

My audit logs are analysed, detect intrusions evey time
My legal counsel’s up to date with all the best computer crime
In short, in matters physical, administrative, technical
I am the very model of an infosec professional!

In short, in matters physical, administrative, technical
He is the very model of an infosec professional!

In fact when I know what is meant by “data link” and “twisted pair”
When I can tell a fibre optic cable from a trigger hair
When Internet Explorer I no longer use the Web to surf
Or let my users chat on IRC on all my network turf
When I have learnt that firewalls can filter out the packets bad
When I know that the guy with foreign bank accounts might be a cad
In short when I’ve a wee bit of professional paranoia
You’ll say a better CISSP has never addressed yuh.

You’ll say a better CISSP has never addressed yuh.

For my security training, managerial though it may be
Lacks practical direction and real-world applicability
But still, in matters physical, administrative, technical
I am the very model of an infosec professional!

But still, in matters physical, administrative, technical
He is the very model of an infosec professional!

2 responses so far

Mar 08 2010

RSAC2010: ISC2

Published by under CISSP/ISC2,Podcast

I’ve been a member of the International Information Systems Security Certification Consortium [(ISC)2] for nearly a decade; I passed my CISSP test in November of 2002 and don’t have to worry much about CPE’s until at least 2011.  So when I was offered an opportunity to talk to Hord Tipton, Executive Director of the (ISC)2, I didn’t hesitate to take them up on the offer.  We started off easy, talking about what’s new at the (ISC)2, and the Safe & Secure Online Program.  Then we moved on to the harder questions, like “What have you done for me lately?” and “What are you doing about people who shouldn’t be CISSP’s in the first place?”  The (ISC)2 is never going to make all of us who are certified happy, and that they are taking some steps to address concerns about unqualified practitioners, but it’d be nice if they were a little more public about it.  Oh, and you’ll hear at the end that the (ISC)2 definitely accepts listening to podcasts for CPE’s.  I forgot to ask about producing them.


One response so far

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email.  There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk.  But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”.  It’s honest and straight forward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.   Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see.  But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like  F-secure report.  Anyone else out there keep track of the spam they receive for fun?

Technorati Tags: , ,

7 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way:  scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.

No responses yet

Sep 01 2006

The target was material for phishing attacks

According to the SFGate, the intrusion that AT&T reported earlier this week was not aimed at stealing credit card information, it was aimed at providing the raw data to allow the crackers to perform targetted phishing attacks on a massive scale.  By seeding an email with information gathered from AT&T’s database, the phishers can add a level authenticity that makes even some of the most suspicious people on the Internet accept an email as authentic.

This is just one more reason to never respond directly to any request from a merchant or bank that comes to you in the form of an email.  As always, if you think an email alert is real, open a browser window and manually type in your bank’s URL, never click on the link in the email. 

Technorati Tags: , , ,

No responses yet

Jun 09 2006

I need some cheap USB thumb drives!

What an evil, sneaky, underhanded way to social engineer a business!  I like it!  This company took twenty USB thumb drives, seeded them liberally with malware and pictures, and left them on the ground outside the credit union they were targeting.   People fell for it, and quite frankly I can’t say I blame them.  If I found a thumb drive laying around in the parking lot, I’d probably plug it into a system to see who it belonged to myself.  Or at least I would have before I read this article. 

This was done as part of a penatration test, with the full approval of the company that was attacked.  But is it really safe for anyone to assume that the any media you find laying around was lost, not placed there on purpose?  This really would be a good way to target almost any company you might want to mention.  It’s so much safer to always assume a malicious intent and take the proper precautions than it is to assume innocence.  This is why I always get so angry when businesses talk about stolen laptops and the thieves not knowing what they have.  You have to assume malicious intent and prove that none exists, not the other way around.

Technorati Tags: , ,

No responses yet

May 25 2006

Quoted for an article on SearchSecurity

Comments I made on my ComputerWorld blog were quoted today in an article on SearchSecurity about the Black Frog/Okopipi project.  After talking to one or two members of the project, I think I oversimplified the challenges Okopipi will be facing, but I’m still dubious abou the project.  It’s something that’s going to have to be handled with great care, and I’m not sure an open source project is the way to go.  Every unsubscribe link is going to have to be verified by a real person, not just a program, and I still see several ways spammers could turn this project to evil.  I don’t think this is reason enough not to at least try, but I don’t believe I’ll be participating in a distributed, P2P anti-spam solution any time soon.

Technorati Tags: , ,

No responses yet

Next »