
Archive for the ‘CISSP’ Category

As I’ve said before, one of the main things I love about information security is the need to keep learning ~ the field keeps expanding, Big Bang-like, and it behooves one to stretch oneself, out of one’s comfort zone and in new directions.

Friends of mine had been recommending I learn more about IT auditing, to gain a better perspective on how controls are applied, and why.  To that end, I took a three-day Certified Information Systems Auditor (CISA) training course from CertTest in early November.

Wow, that was pretty cool!  I learned a lot of new stuff and reviewed things like NIST SP 800-53 and ISO 27002 that I knew something about, but not in the same depth.  So, I’m now embarked on a study cruise towards the June 2010 CISA exam from ISACA.  Maybe I’ll work as an IT auditor, maybe not, but either way, I’ll know a lot more about the business side of the proverbial ‘house’ and its GRC drivers.

All this dovetails with my ongoing study of COBIT 4.1, NIST SP 800-53, and the ISO 27K series ~ I’m focused on becoming the best Governance, Risk Management & Compliance professional I can be!

If you have any helpful hints, suggestions, study advice, please ping me.

Shouts-out and props to Dave Cannon at CertTest for being an awesome and inspiring instructor!

And, I ate some Serious ‘Que at the Hard Eight in Irving TX with my CertTest classmates…

Later friends!


Ah Summer!

I recall the halcyon days of Summers past, when my teachers assigned reading lists, with the hope of broadening my mind and preventing recursive learning.  They needn’t have worried about me; I’m a compulsive book-a-holic and used to stalk the Bookmobile more frequently than the ice-cream truck…

This summer, besides the daily security reading via online newsletters, magazines, and blogs, I’ve added the following books:

I’ve finished the first and am marching through the second, saving the heavy-lifting tome for last.

I like the approach and arguments put forth by Adam Shostack and Andrew Stewart; we need a New School of thinking about information security, moving away from the FUD promulgated by many vendors and security practitioners, and focused instead on objective measurement via empirical means and on multi-disciplinary thinking, particularly from the perspectives of economics, psychology, and sociology.

Following on that line of thought, I’m enjoying Andrew Jaquith’s book.  My academic training was in economic geography, statistics, and resource management, so I’ve been deeply immersed in data modeling and measurement before.  I’ve also done a fair amount of evaluation work, mostly post hoc.

I completely agree that we need better ways to measure information security risks; how to quantify and qualify them and how to present them cogently to our funding sources, i.e., management.

As Bruce Schneier said, “Security is not a product, it’s a process.” So too, is the collection, refinement and presentation of our empirical data to management.  You’ve got to have the ground truth if you want to make better decisions.

The last book is interesting to me, in light of the so-called North Korean ‘cyberwar’, the previous electronic adventures in the Republic of Georgia and Estonia, and the essential reality that the Internet and software are our primary infrastructure now, after concrete.  After I wade through this impressive work, it will take its place next to Sun Tzu and Carl von Clausewitz.

As the current Administration in Washington D.C. keeps shedding cybersecurity personnel the way our bodies slough off skin, my hope is that the President might read this book and really put some impetus into finding and retaining a cybersecurity ‘czar’ who reports directly to the President, with sufficient funding, authority, and autonomy to make a difference!

Keep On Keepin’ On Folks…


One of the main reasons I love information security is that there’s always something new to learn, or re-learn.  I got started around 2001 when, working as a systems manager with a db full of SSNs, I realized I needed to know more about breaking into my systems if I was going to defend them.  This led to some serious SANS Institute training, earning my CISSP cert, and having a great time swimming in a sea of knowledge!

So what do I do to keep up?  I read and re-read the monthly ISSA journals,  Secure Computing magazine, Information Security magazine, and the ISC2.org Journal of Information Security.  I joined ISACA earlier this year, so am adding their publications to my nightstand.  There are various and sundry email subscriptions like SearchSecurity, TechTarget, and Shadowserver.  The Association for Computing Machinery journal arrives quarterly.

As part of my ongoing gap-analysis and searching for a new safe harbor, I work on learning more about my profession and focus on certain elements in it.  Among them:

Books I’ve been reading:

The first book is by Fyodor himself, so I had to give it a read and use it as a desktop reference.  The second is by Ed Skoudis & Tom Liston; I’d read it a few years ago, but turn to it for refreshers.

Then there are blogs!  Some of my favorites are:

I think if I don’t make time to keep reading and doing, I’ll fall behind – our industry is still young and growing fast as the threat horizons expand.  It’s hard to keep up, but I’m tryin’…

Peace y’all.


I was quite fortunate to attend this year’s RSA Conference.   I applied for, and was awarded one of the 24 ISC2.org scholarships to attend, so with that support, it was off to San Francisco for the week.

Like my last two years at RSA, what a fabulous experience it is!  If you aren’t a good networker though, it can be intimidating; the size of Moscone Center and the scope of it all are a bit of a head-rush.

I spent my time mostly between the Professional Development and Hacker Techniques sessions, with some time at the Innovation Sandbox, Crypto Commons and Peer2Peer sessions.

At the Innovation Sandbox, I ran into Dr. Hugh Thompson before his whiteboard session.  Hugh has opened the closing keynotes the past few years with his hilarious and informative ‘The Hugh Thompson Show’.  After the IS presentations by innovative new companies, I saw him again and chatted him up.  We agreed to get together later in the week and cognate together, visit, hang, etc.  Hugh was very gracious and gave me an hour of his time, sharing career growth insights, humorous anecdotes, and some ‘wisdom of the ages’.  We also LinkedIn.

I also ran into some of the local Seattle area security folks, which was cool, including David Matthews (City of Seattle), Frank Simorjay (Microsoft), and Dan Kaminsky from IOActive.

My favorite session presentation was Ed Skoudis and Johannes Ullrich’s ‘The Seven Most Dangerous New Attack Techniques, and What’s Coming Next’: Pass-the-Hash, Super-flexible Pivoting, Wireless from compromised client into corporate, Problems with SSL, and VoIP systems, among others.  I can’t wait to listen to the session recordings because it was SRO in the room and hard to take notes from the balcony…

I ran into Ed again at the CodeBreakers Bash and we chatted for a bit.  He’s always very approachable and open.  In 2004, I took his Incident Handling and Hacker Techniques course from the SANS Institute and loved it.

I spent some good time cruising the exhibition floor during lunchtime, vast and crowded.  The swag was tempting, but too much to tote back, so ‘travel lightly’ is always good advice at trade shows…  I did visit with some nice recruiters and focused a bit on GRC software vendors.

The first full day of the conference, it was 93 degrees Fahrenheit outside!  To quote from ‘Young Frankenstein’, that’s ‘Abby-Normal’ for S.F. in April.

Some have said that this year, RSA lacked sustenance.  I enjoyed it though.  The opening keynotes were a bit humdrum compared to past years, except for the Cryptographers Panel and Lieutenant General Keith B. Alexander from the NSA.  Melissa Hathaway on Wednesday looked at her notes and talked to us like we were members of the Press Corps – the general reaction I heard was like, ‘Lady, we’re smart security geeks, not journalists.  We don’t need to know that the Administration has been planning to do stuff, just tell US what it is!’ Yawners.

James Bamford’s talk on the NSA was very good.

The opening number rocked!

NB – open the keynote webcast page, then select Opening Ceremony, View Video Webcast, Opening Ceremony Performance


It’s been a while since I wrote last…been busy with business and always climbing some new slope on the InfoSec Learning Curve.  In the meantime, I’ve been doing some personal gap analysis and working to fill in the blanks as I find them, with help from other folks!

I attended SecureWorld in Seattle last October and have been enjoying the monthly ISSA meetings of the Puget Sound chapter.  I feel very fortunate to have met some incredibly talented people at these, including Russ McRee and Joel Scambray.  Shouts-out to these folks, Deanna Locke and Ravila Helen White for helping me re-orient my internal compass!  I’ve also been attending the Agora meetings held quarterly on the University of Washington campus and organized by the UW CISO, Kirk Bailey.  These colloquia are fabulous and bring together a few hundred local/regional infosec folks for a half-day of presentations and serious networking.

Stuff being studied – ISO 27001 and 27002 along with COBIT 4.1 as my interest in IT GRC grows.

Later…
