Archive for the 'CISSP/ISC2' Category

May 17 2006

Blue Security closing down

It looks like the spammers have won the battle against Blue Security.  The company is closing down their service, having realized that their solution to spam isn’t going to do much more than create an ever-escalating war with the spammers.  I didn’t think an active, attack-back technology like Blue Security ever had much of a chance of being effective, but I’m still a little saddened to see them have to shut down the service.  On the other hand, give it a year or two and I’m sure some other company will try almost exactly the same thing. 

Apr 17 2006

Fighting phishing by sending false images

Mikko at F-Secure had a good idea for fighting phishing.  A significant number of phishing sites aren’t hosting the images they use; they’re directing the browser to download the real image from the bank they’re imitating.  So what if the banks added some relatively simple code to instruct the web server to send an alternative image if they received a significant number of referrals to the original image?  Using Mikko’s idea, the bank’s alternative image would include a stamp that would make it clear that the referring site was illegitimate and give the consumer a phone number to call.  The idea could be circumvented by smart phishers, but it would add one more hoop they’d have to jump through.  Even if it only stops the lazy phishers, that’s a couple more percent of the total scams that wouldn’t work. 
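The referrer-based substitution Mikko proposes can be sketched in a few lines of server-side logic: look at the Referer header of each image request, count requests that come from hosts the bank does not recognize, and once one host has sent more than a threshold number of them, hand back the stamped warning image instead of the real logo. The Python below is an added example written for this post, not code from the post, from F-Secure or from any bank; the trusted hostnames, the threshold of five referrals, the image filenames and the Referer values at the bottom are all assumptions constructed for the example.

```python
"""Referer-based image substitution for a bank's logo (constructed example)."""
from collections import Counter
from urllib.parse import urlsplit

# Hosts allowed to embed the bank's images; assumed names for this example.
TRUSTED_HOSTS = {"www.example-bank.test", "example-bank.test"}
# Referrals from one unknown host before it is treated as suspect (assumed).
REFERRAL_THRESHOLD = 5
# Filenames the server would hand back (assumed).
REAL_IMAGE = "logo.png"
WARNING_IMAGE = "logo-warning.png"   # stamped "this site is not your bank, call ..."


class ReferrerImageFilter:
    """Decides which image to serve based on the request's Referer header."""

    def __init__(self, trusted_hosts=TRUSTED_HOSTS, threshold=REFERRAL_THRESHOLD):
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.threshold = threshold
        self.referrals = Counter()   # referring host -> number of image requests seen

    @staticmethod
    def referring_host(referer):
        """Extract the hostname from a Referer value; None if absent or unparseable."""
        if not referer:
            return None
        try:
            host = urlsplit(referer).hostname
        except ValueError:          # e.g. a malformed IPv6 literal in the URL
            return None
        return host.lower() if host else None

    def is_trusted(self, host):
        """True for the bank's own hosts and their subdomains."""
        return host in self.trusted_hosts or any(
            host.endswith("." + trusted) for trusted in self.trusted_hosts
        )

    def choose_image(self, referer):
        """Return the filename to serve for one image request."""
        host = self.referring_host(referer)
        if host is None:
            # Direct visits and privacy-stripped Referers look the same as a
            # copy that sends no Referer at all, so the real image is served;
            # the scheme only catches sites that leak their origin.
            return REAL_IMAGE
        if self.is_trusted(host):
            return REAL_IMAGE
        self.referrals[host] += 1
        if self.referrals[host] > self.threshold:
            return WARNING_IMAGE
        return REAL_IMAGE

    def suspect_hosts(self):
        """Unknown hosts that have crossed the threshold, for a human to review."""
        return sorted(h for h, n in self.referrals.items() if n > self.threshold)


# Constructed sample of Referer headers from a handful of image requests.
SAMPLE_REFERERS = (
    ["https://www.example-bank.test/login"] * 3
    + [None]                                            # direct request, no Referer
    + ["http://unknown-host.test/verify.html"] * 7      # an unknown site embedding the logo
    + ["https://news.example.test/article"] * 2         # a legitimate link, below threshold
)


def simulate(referers=SAMPLE_REFERERS, threshold=REFERRAL_THRESHOLD):
    """Replay a list of Referer values through a fresh filter.

    Returns (images served in order, hosts flagged as suspect)."""
    image_filter = ReferrerImageFilter(threshold=threshold)
    served = [image_filter.choose_image(r) for r in referers]
    return served, image_filter.suspect_hosts()


if __name__ == "__main__":
    served, suspects = simulate()
    for ref, img in zip(SAMPLE_REFERERS, served):
        print(f"{str(ref):50} -> {img}")
    print("suspect hosts:", suspects)
```

Running the sample, the bank's own pages and the direct request get the real logo, the unknown host gets the real logo for its first five requests and the warning image from the sixth on, and the news site never reaches the threshold. Two limits worth keeping in mind: the counter grows without bound, so a real deployment would age entries out, and the threshold means the first few visitors to a copied page still see the real logo, which is the trade-off against flagging every legitimate site that links a bank image once.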

Feb 22 2006

Violation of Ethics: Plagiarism

Published under CISSP/ISC2

I received an email about this yesterday from a reader, Vick.  There are accusations on the ‘Net that large parts of the Official (ISC)2 Guide to the CISSP Exam were plagiarized.  This isn’t a minor accusation, especially when it’s about a company like the (ISC)2 who subscribes to a code of ethics.  I wanted to see some form of verification before I said anything on the blog.  Well, I just got a link in the mail (Thanks Kevin).  The messageboard post lists a couple of articles that are available online and were lifted wholesale and put in the book.

Strictly speaking, I don’t think the onus for policing the content of the book really lies with the (ISC)2; they probably paid a publisher who commissioned a writer, or several writers, to write the book.   But that’s no excuse for this happening.  Plagiarism may not be a crime, but it is a policy and ethics violation that looks bad for the writer, looks bad for the publisher and leaves the (ISC)2 with egg on their face. 

I don’t have a copy of the Guide, and I’m probably not going to go out and purchase one just to verify the accusations of plagiarism.  But if someone else who has a copy of the book would look at the articles mentioned and the pages in the Guide and do a comparison, I’d love to hear what you have to say.  I’m hoping that this is a misunderstanding and that the guide gives credit to the original authors in the bibliography.  If not, the (ISC)2 has some ‘splaining to do.

Feb 20 2006

Not really impressed with the (ISC)2 study

Published under Blogging, CISSP/ISC2

I wrote about the (ISC)2 dinner and the study they released there.  The most annoying part was they under-ordered the dinner and I ended up having to go out and get my own dinner.  I ended up at some pretty good sushi (Sushi Zen), so it was okay in the end.

Sep 20 2005

CISSP or CCSP

Published under CISSP/ISC2

Last week I got an email from a reader asking if he should pursue the CISSP or CCSP. I promised to come up with a longer answer when I got the chance, but my spare time has been a little scarce lately. Instead, I’d like to hear from some of you out there about why you have chosen to pursue one certification over another. If you have a different security-related cert you’re pursuing, why did you choose that one instead? Here’s the email that started this entry.

Hello Mr. McKeay,

My name is Tim Xxxxxx and I stumbled upon your BLOG (August 30, 2005 – CISSP vs. CCISP) this evening in my quest for some answers about CISSP vs. CCSP. I am a network analyst for a utility company, and I also have a side business doing wireless security consulting. My company as a bonus has given me the option of some training for an industry certification. I currently have my CCNA and Network+, and I am trying to find out what a better path to go would be, either CCSP or CISSP. I realize they are different tests and it depends on each person’s job function, but if I want to broaden my knowledge in network security which one is going to be more informative? Any info or comments you could give would be much appreciated.

And here’s my answer:

Tim,

Basically, it boils down to what you want to accomplish. If you’re looking at advancing your career by moving into management, the CISSP is definitely the way to go. But if you want to stay technical and hands on, I’d go for the CCSP and eventually the CCIE with a concentration in Security. Another aspect to think about is if you want to specialize in one vendor, i.e. Cisco, or be more of a generalist.

Martin

Feb 22 2005

Jim Duffy retires from ISC^2

Published under CISSP/ISC2

The CISSP and SSCP Open Study Guides Web site – (ISC)² ANNOUNCES RETIREMENT OF CEO

Jim Duffy is retiring as President of the ISC^2. I’ve been a CISSP for 2.5 years now, I’ve met Mr. Duffy once and he seemed to be a nice guy, but dialogue with his constituency did not seem to be his strong point. When I met him, I brought up several points that were burning up the CISSP mailing list, and while he appeared to listen, I never got the impression that anything I was saying was actually being heard. He has done a lot of work for the ISC^2, and has taken it from a volunteer-led group to a professionally managed company, but I think it was at the expense of communication between the company and the people they serve. ISC^2 currently seems to be concentrating almost entirely on creating new CISSP’s rather than helping the ones that already exist. We’ll see if a new CEO changes this.

Of course, my opinions are mostly based on reading the CISSP forums, which are admittedly biased and vocal. But the only other communications I’ve received from ISC^2 have either been telling me to pay my dues or asking me to sign up for expensive classes to get my education credits. Heck, I don’t even see too many of those any more, since my mail client classifies anything from them as spam. I’m waiting to see what direction a new CEO will take the ISC^2 in. The next few months should be interesting.

Jun 23 2004

International Recognition

Published under CISSP/ISC2

The CISSP receives international standardization

I hope this is good news. I’m not sure if it really means anything in the long run, but it sounds really nice in the short term. Will this force the ISC2 to solidify their processes and procedures?

Now, will someone explain to me what ISO/IEC 17024 is?

Jun 23 2004

Paper CISSP?

Published under CISSP/ISC2

Training, certification or experience? A security dilemma.

I am beginning to hear this argument more and more. People are getting their CISSP certification without the required amount of experience, they are going to bootcamps, they are just passing the test on book knowledge. The certification I worked hard for is being cheapened, and I don’t like it. When I hear someone compare the CISSP to the MCSE, I cringe. I don’t want the CISSP to become just another piece of paper anyone can get! I want it to remain something that is an accomplishment and something to be proud of.

What can be done? First of all, the ISC2 can enforce the rules on experience as a security professional. I believe they are doing some verification of experience, but this needs to be stepped up. I’m seeing more and more anecdotal evidence that there are a lot of people out there who never should have been allowed to sit for the test in the first place. It’s one thing to not have security in your title, but feel you have the experience necessary. It’s completely different when your only security experience is the boot camp you sat in last week. I don’t know how people pass the test on a few days training, but that’s a different issue.

Second, I would like to see the ISC2 do more to further the public’s awareness of what the CISSP is intended to be, and more importantly, what it is not intended to be. The certificate is a benchmark of 10 domains of knowledge, and the holder is expected to have a general awareness of all 10 domains. They are not however supposed to be an expert in all 10 domains. In fact, the CISSP is aimed at management level personnel, and the holder may not be a technical expert in any of them. For example, I needed to spend a lot of time learning the basics of cryptography for the exam, but I still couldn’t set up a PKI infrastructure if my life depended on it.

The last thing I would like to see from the ISC2 is movement towards more clearly defined processes and policies. Optimally, I would like to see the organization get ISO9000 certified, but that may be too much to ask. There has been a lot of concern lately revolving around a survey sponsored by the ISC2, and I think many of the issues raised by this incident could be resolved by clearing up the policies. I don’t believe that policy and process are the solution to a problem in and of themselves, but when you have those documented it’s a lot easier to troubleshoot your issues. Ad hoc processes rarely work, in my opinion.

I’m proud of being a CISSP, and I want to remain that way. But I see that there is currently an assault on the validity of the certificate. Too many people are passing the test that shouldn’t have been allowed to sit for it in the first place. The ISC2 has had some management fumbles lately, and seems more concerned with the number of CISSP’s than the quality of the applicants. The original plan was for the CISSP to be the Gold Standard of security certificates. When I hear the CISSP compared to the MCSE, I feel that the standard has been tarnished. Time to break out the polish and regain some of that shine.

Jun 03 2004

Embarrassed to belong to this organization

Published under CISSP/ISC2

Security cert body gives lesson in insecurity

Oy vey! For a security organization, the ISC2 really dropped the ball on this one! What’s even worse is the lack of information on exactly what happened. There have been no press releases on the site, there have been no emails to the constituents (meaning CISSP’s, like myself) and if there was a snail mail letter sent out, I haven’t received it yet. I pay my dues to be a CISSP, and I deserve to know what happened.

What happened, you ask? Well, for the last couple of weeks the ISC2 has been asking all CISSP’s to fill out an online survey about our satisfaction with the certificate and the ISC2’s service to the community. Several members of the official CISSP forum, hosted by Yahoo (another issue here), expressed that the site we were being directed to was using http, not https, and therefore was not secure despite the ISC2’s assurances. Guess the nay-sayers were right. Unluckily I finally took the survey about 5 minutes before the news broke. I would definitely have changed some of my answers if I’d known about the intrusion.

Unluckily, or luckily, depending on your point of view, this intrusion does not fall under SB1386 here in California. SB1386 is mainly meant for sites that involve some sort of financial interaction, and only applies if financial information is involved. If there was any information about the credit card I used to renew my membership on this site, I will definitely be consulting with a lawyer in the near future. I have to hope for the best.

There is talk of a protest letter being sent to the ISC2 leadership and I for one will be signing the petition. The management has consistently ignored many of the concerns that CISSP’s bring up about the ISC2’s conduct, but this is beyond what can be ignored. I’ll send my own copy of the letter when it comes out, but I’ll leave it to someone who can express the outrage more articulately than I. If I wrote it right now, it would come out something like “Arrrrrggghhh! You idiots!!” Hardly an educated memo intent on communicating frustration.

Hopefully this gets resolved in a satisfactory manner soon.
