From the monthly archives:

November 2007

Turn off Autorun – yet another reminder

by Mike Rothman on November 30, 2007

in SBN

Tony Bradley makes a great point on the Hack Report site about Autorun. Sure, it seems convenient that when you load a CD, DVD, or USB stick, some action is taken automatically. Isn't it great to have the new Springsteen disc start to play once you put it in?

Actually, not so much. If any of that media is malicious, you've got no defense. If you remember back to the original Sony Rootkit issue from a few years back, most folks ended up installing the rootkit because they had Autorun engaged and the software automatically launched when the disc was loaded.

It was my Velvet Revolver disc that infected me. But I'm reasonably technical, so I was able to remove it pretty quickly.

I've already posted about this back in September in Autorun can be hazardous to your health. But I think it's important enough to mention it again.

So do yourself a favor and turn off Autorun. Detailed instructions are in Step 2 of Security Mike's Guide.
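Step 2 of Security Mike's Guide is not reproduced here, so as an added example (my code, not the Guide's instructions or the post's) here is how the same thing is done on Windows from an elevated PowerShell session. It writes the documented NoDriveTypeAutoRun policy value with every drive-type bit set, and includes a check so you can confirm the setting actually took; the functions, names and the HKLM path choice are mine. The HKCU copy of the same key works without elevation but only protects the current user.

```powershell
# Added example, not taken from the post or from Security Mike's Guide.
# Disables Autorun for every drive type by setting the NoDriveTypeAutoRun
# policy value (0xFF = all drive-type bits set). Explorer reads this policy at
# logon, so log off and back on (or restart Explorer) for it to take effect.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # unknown, no-root, removable, fixed, network, CD-ROM and RAM-disk bits

function Get-AutorunPolicy {
    # Returns the current mask; 0 when the value is absent, i.e. Autorun allowed everywhere.
    param([string]$Key = $PolicyKey)
    $item = Get-ItemProperty -Path $Key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.NoDriveTypeAutoRun
}

function Disable-Autorun {
    # Creates the policy key if it is missing and writes the all-drives mask as a REG_DWORD.
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    Set-ItemProperty -Path $Key -Name 'NoDriveTypeAutoRun' -Value $AllDrives -Type DWord
}

function Test-AutorunDisabled {
    # True only when every drive-type bit is set; a partial mask (e.g. the
    # Windows default of 0x91) still lets CDs and fixed drives auto-launch.
    param([string]$Key = $PolicyKey)
    return ((Get-AutorunPolicy -Key $Key) -band $AllDrives) -eq $AllDrives
}

"Before: mask = 0x{0:X2}, disabled = {1}" -f (Get-AutorunPolicy), (Test-AutorunDisabled)
Disable-Autorun
"After:  mask = 0x{0:X2}, disabled = {1}" -f (Get-AutorunPolicy), (Test-AutorunDisabled)
```

Test-AutorunDisabled is the part worth keeping around: it is the check an auditor or a login script can run to catch machines where the value was set to something less than 0xFF. On Windows XP and Server 2003 this registry value was honored inconsistently until Microsoft's KB967715 update, so on those systems verify behaviour by inserting a disc, not just by reading the registry.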

{ Comments on this entry are closed }

Security Mike Update: QuickTime 0day attack

by Mike Rothman on November 30, 2007

in SBN


The QuickTime 0day is out there and has gotten a lot of press this week. I've published an Update notification for Security Mike Members. Check out the Portal for instructions on how to deal with the issue. For the most part, the configurations shown in Security Mike's Guide protect against the QT attack, but there are exceptions.

Once again, thinking before you click is a good thing to do.

{ Comments on this entry are closed }

I’m officially a CISSP

by John on November 30, 2007

in SBN

I’ve been meaning to write a post about passing the CISSP exam, but the time to do so has eluded me, until now.

I received the results of the CISSP exam on October 11th, four days after I took the test in New York City. Naturally, I was thrilled, and posted as such to the SCC. Wasting no time, I had my manager, who is a CISSP (among other certs), fill out the endorsement form. I promptly faxed the form, along with my resume, to (ISC)2. And then I waited.

According to the email, it was supposed to take 2-3 weeks for (ISC)2 to process my information and validate that I met the requirements for the certification. So after 3.5 weeks, with no other communication, I started to get concerned. After emailing support, I received the following response:

We apologize for the delay but our system has not been able to process any certificates for three weeks due to a very large upgrade. We expect to begin again this week. We ask that you give two weeks to actually receive your certificate. If you still do not receive it, please write back. Thank you for your patience.

So when did I receive word that I am officially a CISSP? November 15th, fully five weeks after the news that I passed the exam. And I didn’t receive my certificate until over a week later, November 24th.

I suppose it could be worse. A colleague of mine took the exam in mid-October in Florida, and he just received his exam results yesterday. While waiting five weeks for their verification process was annoying, waiting over four weeks just to get the exam results must be downright painful.

{ Comments on this entry are closed }

Considering Taking the CISSP? – Consider This!

by rudolph on November 28, 2007

in SBN

I am a big fan of computer based training – I think the potential for this is enormous, especially for organizations that are looking to train large numbers of their staff. One obvious advantage is the ability to scale easily across many employees and many sites. But another important and perhaps overlooked advantage is the ability to help students really gain confidence over the material, understand their weak spots, consider areas that they need to work on and finally prepare for any certification goals. They can also be used to simulate the real exam and provide results that can then feed back into a study plan.

Recently a close friend, Mano Paul, launched Express Certifications, a training and certification company focused on developing innovative testing and training solutions, one of which is the new training portal focused on the CISSP and the SSCP exams. This site is the Official (ISC)2 Practice Self Assessment provider and provides CISSP Practice Exams as well as SSCP Practice Exams. The main benefit this site provides is in helping you gauge your readiness for the certification exam. One of the things I like about it is that it targets not just the end result but also the preparation. The idea is that you first assess yourself, figure out what areas you need to focus on, continue to work on those areas of weakness until you have perfected the material and then finally take the certification exam. And because the subscription to this site is not time limited, it allows you to prepare and take the exam at your own pace rather than letting your preparatory material make the determination as to when you take the exam. One of the really cool things Mano has done with this site is to provide rich reporting which can act as your personal study planner. Finally, it also simulates the experience of taking the real exam before you actually take it. Of course, as you go through this entire process you can perform a SWOT analysis and check your own personal readiness while watching all the time how you are trending towards your final goals.

There are also benefits to larger organizations attempting to certify some or all of their employees. The main one perhaps is the ability to judge whether your employees are ready for the certification exam before investing in the cost of the exam itself. Further, even without certification goals, the ability to view the competence levels of your employees in the different domains of security is in itself a great benefit for security teams. Finally, it is very competitively priced, allowing both individuals and organizations to sign up at relatively low cost. In fact they offer corporate and affiliate pricing that could provide advantages if signing up in volume.

In any case, I am pretty excited by this offering, and apparently so is perhaps one of the most discerning clients – the Department of Defense (DoD) – which uses this training portal to assess the readiness of its information assurance personnel as part of the 8570.1 directive. Good luck Mano J and good luck to all of you preparing for the CISSP / SSCP examinations. Hopefully this site can help with that endeavor.

For more details visit the site or use the contact information in the sidebar.

{ Comments on this entry are closed }

Join the CISA group in LinkedIn

by Gilbert Verdian on November 27, 2007

in SBN

Using LinkedIn quite extensively, I created a group for CISA qualified professionals to join.

Please visit the following link stating your ISACA membership number and month & year you qualified for the CISA.

http://www.linkedin.com/e/gis/40405/0142006D7B5F

Upon joining you’ll have the following logo of the CISA letters I made displayed in your profile.

cisa.png

{ Comments on this entry are closed }

I’m back

by Mike Rothman on November 27, 2007

in SBN


My little flirtation with blogging using the capabilities built into Security Mike's Portal didn't last too long. It turns out Blogger is really a great blogging platform and the stuff built into the Portal sucks. Sucks really bad.

Sorry for the little diversion. If you have subscribed to the Feedburner feed (either through RSS or email) you don't have to do anything. If you do check out the web page, once again set your phaser to stun and point it at Security Mike's Blog.

{ Comments on this entry are closed }

Firefox 2.0.0.10 Update Posted

by Mike Rothman on November 27, 2007

in SBN


Another day, another Security Mike Update. This time Mozilla has updated the Firefox browser to 2.0.0.10 to address a pretty serious URI handling issue.

Step by step instructions are available on the Portal. Once you log in, hit PAGES, then SECURITY MIKE'S UPDATES, then PATCHES and you'll see the Update.

{ Comments on this entry are closed }

TinyURL could be hazardous to your health

by Mike Rothman on November 27, 2007

in SBN

As mentioned in this post by PR aficionado Steve Rubel, the TinyURL service went down briefly, which potentially leaves lots of other services in the lurch.

Personally, I felt no pain because TinyURL was down. That's because I don't use it and I don't think you should either.

Why? Because it allows potential attackers to hide bad URLs. Indulge me for a second: if an attacker wanted to get you to click on a link and browse to a web page with malicious cargo, all they would have to do is send you a spam email with a TinyURL link.

Most people would just click on it and their machine would be compromised. But since you are reading Security Mike's Blog, you aren't most people. Thus, you'll get into the habit of not clicking on any obscured links - like TinyURL provides.

I know the TinyURLs are much prettier. Beauty is only skin deep - remember that.
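For the cases where you cannot avoid an obscured link, here is an added example (my code, not anything from the post or from TinyURL) of the habit worth building instead of clicking: ask the shortener where the link goes, without going there. It sends a single HEAD request with automatic redirects switched off and reports the Location header the shortener answers with. The function name, the user agent string and the placeholder alias in the usage line are my own assumptions; it needs network access to reach the shortener.

```powershell
# Added example, not from the post. Reveals where a shortened link would send
# you without following it: one HEAD request, redirects disabled, then the
# Location header is reported back.

function Get-RedirectTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$TimeoutMs = 10000
    )
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'HEAD'
    $request.AllowAutoRedirect = $false   # the whole point: do not go where the link says
    $request.Timeout = $TimeoutMs
    $request.UserAgent = 'redirect-check/1.0'   # hypothetical identifier, choose your own

    try {
        $response = $request.GetResponse()
    }
    catch [System.Net.WebException] {
        # 4xx/5xx answers surface as exceptions but still carry the response object
        $response = $_.Exception.Response
        if ($null -eq $response) { throw }
    }
    try {
        $status = [int]$response.StatusCode
        [pscustomobject]@{
            Url      = $Url
            Status   = $status
            Target   = $response.Headers['Location']   # $null when the URL is not a redirect
            Redirect = ($status -in 301, 302, 303, 307, 308)
        }
    }
    finally {
        $response.Close()
    }
}

# Placeholder alias, not a real TinyURL link:
Get-RedirectTarget -Url 'http://tinyurl.com/EXAMPLE-ALIAS' | Format-List
```

Read the Target field before deciding anything; if it is itself another shortener or redirector, run the function on that value too, since this only resolves one hop on purpose. The same check can be done with Invoke-WebRequest and -MaximumRedirection 0, but that cmdlet raises an error on the redirect response, so the HttpWebRequest form above is easier to wrap in a script.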

{ Comments on this entry are closed }

Apple Mac OS X 10.4.11 Update Posted

by Mike Rothman on November 27, 2007

in SBN


As part of Security Mike's update service, subscribers get step-by-step instructions on how to apply the most recent patches from the major OS vendors.

Last week, Apple released a MASSIVE patch which updates the OS X operating system to version 10.4.11.

If you are a Security Mike member and have registered for the Portal, you can get detailed instructions at this link:
https://www.securitymike.com/site.php/spgs/read/apple-osx-update-nov-2007/

If not, you can subscribe at this link:
http://buy.securitymike.com

{ Comments on this entry are closed }

TippingPoint 5000E Decertified

by Jack Walsh, ICSA Labs on November 26, 2007

in SBN

The TippingPoint 5000E no longer meets the evolving ICSA Labs network IPS certification testing criteria.(...)

{ Comments on this entry are closed }