Cybr101 class page for week of Oct 10

You need a central page for login and accessing resources.

Copy and paste this URL into your local operating system’s notepad:

http://vmlt.adobeconnect.com/cybr101-#/?guestname=STUDENT

Please adjust each time the new room slide is shown.

Your cases will be put up in the room but they are here for ease of use.

This will be deleted at the end of the week, so get your free VMLT.com account before we end.

INSERT CASES HERE

 

60 days to offer a solution or have one inflicted upon us

U.S. Presidents have always wanted to fix things; that is why they become presidents. Our current President has stated he wants the Department of Defense and other agencies to submit recommendations for US Cyber Security in 60 days. They will. But you will not like their solution. Let’s do something about it.

Here is the original document. Notice it is NOT an executive order yet.  This is also not the first time a president has made this stand. But let’s take it seriously.

What is the problem?

Right now we drive the internet like a car without seat-belts. Unfortunately it’s not as simple as “Insert the metal fittings one into the other.” We can get close to lap-belts with the steps below. It will take at least 4 years to get real change. And then we can look at the 5-point harness of race cars.

The scope according to the document: assets, vulnerabilities, adversaries, and capabilities.

This is a good way to get answers, but those answers and questions will come from military thought leaders, not cyber security professionals. What is wrong with that? Replacing the concept of bullet with packet makes everything work right? You and I know that the physical concepts do not equate to virtual concepts. Many have suggested blocking or breaking the internet [SOPA/PIPA]. Many have said a central authority should have control over encryption [CLIPPER CHIP]. Telling people to be aware works for 5 minutes… well maybe 6. As proof I offer ALL password audits.

Every time people use concepts from the physical world and they push on one side of the cyber balloon, it only bulges on the other side, pushing the problem away not solving it. We must think differently.

Think in terms of: What are achievable objectives? What will people and corporations understand and support? What will do the most good? What do we have to work with now? What will work without breaking most of the internet? Over the next four weeks I will discuss these questions, but let’s start with the last one first.

What will work without breaking most of the internet?

Standards & Protocols that we already have.

  1. DNSSEC = Integrity of resolution
  2. IPv6 = identification of origin and possible privacy
  3. Certificates = Non-repudiation of source for both people and devices

1. Say YES to fully implementing DNSSEC: if you do, a few things happen: 1. Spam goes down dramatically. 2. Impersonation is much more difficult. 3. We can depend on resolution responses. DNSSEC resolution is quality resolution, but current DNS is very easy to attack and has a low quality of trust. Services offered by companies need to be trustworthy; we need to know they are who they say they are. DNS is not trustworthy; DNSSEC is.

The ultimate goal would be DNSSEC reverse resolution for every end point (when you make a query, we know who is asking the question). We need to say NO to DNS. We can do this technically: first implement DNSSEC for all resolution, then block all plain DNS. Impose filtering at all ISPs and corporate firewalls.

2. IPv6 only, no IPv4. What makes v6 better? Location, location, our ability to pinpoint LOCATION. What makes v4 bad? Spoofing of location. If we only used v6 we could know where a computer, IoT device, laptop, or mobile phone is located. If you know where it is, jurisdiction is established. Now we know where it is; we can hold someone accountable.

Sidebar- at this point, really technical people are screaming ‘you can still spoof, you can still move around’ – yes but… there is another…

Want to build a wall? You can with internet routing tables. We know that routers route around failure; that is what makes the internet so resilient. That needs to change just a little. I am not in favor of breaking the Internet, but a lot of other countries do it. We are not saying don’t route, just don’t route attackers’ crap/spoofed packets. Do a little inspection.

The rest of the world may not use v6. Fine. That means less trust; less trust means we should limit traffic and increase inspection. If other countries play the v6 game, the U.S. can offer “most favoured nation routing status.” If you break the rules, “Embargo on.”

Choices for those sanctuary ISPs who want to facilitate illegal v4 packets? I don’t mind if you do not want to play the same game, but don’t make us pay for your poor protocol choices. Your poor choice means you shoulder the routing burden and get less trust.

Side benefit of IPv6: it has an optional header for IPsec. IPsec is for encryption/privacy. One of the key components of IPsec is the ability to authenticate endpoints and people via certificates. Which leads me to…

3. Smiles everyone smiles… I mean CERTIFICATES FOR EVERYONE AND EVERYTHING: You want to control the Mirai botnet? If everyone and everything was issued a certificate (X.509) you know the device  or the person and you can either block or fix.

If your DVR is a part of Mirai, the ISP can block the one device and not everything you own. If you cannot get your favorite show, you will individually scream at the vendor who sold it. This places the responsibility back on the vendor who sold the poorly-secured device. Oh, the vendor doesn’t want to issue certificates? Fine, but then you have less trust, less bandwidth, and the ISP is in control. If the ISP issued the crappy device, then (via certificates) we can attribute bad behavior, see a pattern, and hold them responsible.

We can control who issues certificates or their certificate practices with a little oversight. If we cannot control the CA, then we can control what root certificates we trust. More importantly we can take that trust away when entities hit the naughty list.

Combine these three.

You have the start of a solution that places the burden on the vendors; they can then choose to push that cost on to an informed customer. If we use crappy devices with none of these security features, the receiving end has the choice to reject us. More next week…

Things will break along the way.

Yes, this will break a lot of older applications and IoT. Breaking means fixing. This fixing will direct money to solving the cyber security problem with a very narrow focus.

The Federal government is good at imposing public safety measures like seat-belts. These are safety measures; they will reduce cyber-death but not eliminate it. People need the choice (not to wear seat-belts), but the government should make sure seat-belts are there.

So if you do not want to use these cyber security tools, fine.  Ignore them at your own risk. For military, government, and large commercial entities, these 3 should be the cyber law.

Your turn.

This is an outline of a solution that I will expand upon with your help below. Now it is your turn to add to the solution. You have a few key technology tools to convert into regulatory tools that don’t break the internet. You have a few tools that allow for privacy. You have a few tools for guiding net neutrality with responsibility. Now it is your responsibility to tell someone. Someone at the DOD, your legislator, your President.

More to come.

My next 4 weeks will be spent discussing:

  • What will most people understand and get behind?
  • What are achievable objectives?
  • What will do the most good?
  • What do we have to work with now?

Commercial:

Don’t understand what we are talking about? Come to class.

CISSP / CEH / Cloud Security and others. Ask for a free seat.

Juniper RSA and who else

We are not going to meet tonight, but we have some serious thinking to do for the new year. Have a great holiday. Wait, let the NSA spoil it for you.

Hey Wired, Stop it!

“Even if the NSA did not plant the backdoor,” and “culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA”- Wired Magazine

I am by no means a grammarian. But even I can see these sentences make your mind jump to a crappy conclusion. Wired magazine’s non-claim that the NSA planted the back door is a silly, misleading shortening of the facts.

There are no “culprits”. This is a serious cascading problem. It is up to us to make our own decisions about this. Don’t think that this is an isolated incident. We are going to need to do some deep digging because of the tools each vendor uses in cryptography. Let’s trace this from the NSA down to everyone who buys a product without reading.

Juniper

Juniper didn’t do anything that anybody else hasn’t done before them. They got caught trying to fix the problem. Security researchers reverse engineer patches all the time to figure out exactly what the flaw was after-the-fact. Yes, this does present some problems for the future of their code, but they are fixable.

Let’s trace this back to where it begins

  • NSA/RSA – compromised cryptographers
  • NIST – Government standards have choices
  • FIPS compliance – only in the interest of a select few
  • Security vendors – wanting to sell

NSA/RSA – compromised cryptographers

$10,000,000 to create a little flaw that no one will ever find. Well it turns out we found it. One of the key requirements for security professionals should be a high degree of ethics. What could be the rationale for giving up your ethics? If somebody came to you and said: “You can help your country by adjusting something so that your country can listen? Oh and we will pay you to do it.”  State-sponsored hacking is a regular thing.

“RSA allegedly accepted NSA cash to make the NSA-influenced flawed random bit generator the default in their popular encryption products back in 2004. In 2007 researchers from Microsoft demonstrated how dangerously easy it is to break Dual_EC_DRBG. But even after that demonstration, RSA never made a move to change the default generator in BSAFE.”- EFF

RSA said: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.” – RSA

RSA’s biggest customer is the one who pays the most. – Dean

Bottom line: the cryptographers created weak encryption on purpose.

NIST – Government standards have choices

“NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems” – from NIST

In the NIST special publication 800-90 the implementer has choices. Dual_EC is one of 4 options programmers must choose from in their implementation. 800-90 Rev. 1: “The previous Appendix A was removed; this appendix contained application-specific constants for the Dual_EC_DRBG.” But once the cat is out of the bag, it is too late. So that is not a solution. It is worse because we trust their process and their ethics.
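Why those "application-specific constants" matter is easier to see on a toy than on the real curve. The following is an added example (not code from this post, from NIST, RSA, or Juniper): it builds a small constructed curve over F_10007 in place of P-256, picks the point Q and a trapdoor scalar E with P = E·Q itself, emits the full x-coordinate where the real generator drops 16 bits, and then shows that whoever knows E recovers the generator's internal state from a single output and predicts every later output. That state-recovery step is the 2007 Shumow and Ferguson observation behind the Schneier link at the end of this post; the curve, the constants, and the seed below are all constructed for illustration.

```python
"""Toy model of the Dual_EC_DRBG trapdoor (added example, not code from the
post, NIST, RSA or Juniper).  A small constructed curve stands in for P-256,
the full x-coordinate is emitted instead of dropping 16 bits, and the trapdoor
scalar E is chosen here.  The generator and the state-recovery step follow the
structure Shumow and Ferguson demonstrated in 2007."""

# Constructed toy curve y^2 = x^3 + A*x + B over F_P (not the published constants).
P = 10007            # prime; P % 4 == 3 lets a modular square root be one pow()
A, B = 2, 3
INF = None           # point at infinity


def ec_add(p1, p2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """Return a point with this x-coordinate, or None if x is not on the curve."""
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)                    # valid because P % 4 == 3
    return (x, y) if (y * y) % P == rhs else None


def point_order(pt):
    """Order of pt by repeated addition (cheap on a field this small)."""
    n, cur = 1, pt
    while cur is not INF:
        cur = ec_add(cur, pt)
        n += 1
    return n


def pick_base_point(min_order=5000):
    """First curve point (scanning x upward) whose order is large enough."""
    x = 1
    while True:
        pt = lift_x(x)
        if pt is not None and point_order(pt) >= min_order:
            return pt
        x += 1


# The two public points.  Whoever chose Q while knowing E with P_PT == E*Q_PT
# holds the trapdoor; a user of the generator only ever sees P_PT and Q_PT.
Q_PT = pick_base_point()
E = 1337                                             # constructed trapdoor scalar
P_PT = ec_mul(E, Q_PT)


def xcoord(pt):
    """x-coordinate; on a group this small s*Q == INF can happen by bad luck."""
    if pt is INF:
        raise ValueError("scalar hit the group order; re-seed (toy-size artefact)")
    return pt[0]


def drbg_outputs(state, n):
    """Emit n outputs from internal state s: r = x(s*Q), then s <- x(s*P)."""
    outs = []
    for _ in range(n):
        outs.append(xcoord(ec_mul(state, Q_PT)))
        state = xcoord(ec_mul(state, P_PT))
    return outs


def predict_following(output, n):
    """Trapdoor holder: from one output r = x(s*Q), predict the next n outputs.

    Lifting r gives R = +/-s*Q; then E*R = +/-s*P, whose x-coordinate is the
    generator's next state (negating a point does not change x).  The real
    generator drops 16 bits of r, which only means up to 2^16 candidate x
    values (about half of them on the curve) to test against the next output."""
    R = lift_x(output)
    if R is None:
        raise ValueError("not a valid generator output")
    next_state = xcoord(ec_mul(E, R))
    return drbg_outputs(next_state, n)


if __name__ == "__main__":
    seen = drbg_outputs(4242, 6)                      # constructed seed
    print("generator :", seen)
    print("predicted :", predict_following(seen[0], 5), "(from the first output alone)")
```

The point of the toy is the line `next_state = xcoord(ec_mul(E, R))`: nothing in the generator's public description prevents the party that chose Q from also knowing E, and a reviewer who is handed fixed constants with no explanation of how they were generated cannot rule it out. The fix suggested by the cryptographers the post links to was to generate one's own Q verifiably or not to use the algorithm at all.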

What is supposed to happen is that NIST puts the documents out for public comment. The public comment period needs to be reasonably long, especially when it comes to cryptography and cryptographic analysis. 800-90’s period for public comment was too short.

NIST is not responsible for commercial entities and the advice that they give is up to us to verify.

FIPS compliance – only in the interest of a select few

NSA and RSA give NIST options; FIPS says if we want to be compliant, we have to use this algorithm. NIST publishes the list of compliant vendors. The incestuousness continues. Designers of products will follow and agree blindly.

Security vendors – wanting to sell

If vendors want to sell products to government agencies, they must be FIPS compliant. The easy way to achieve this compliance is to use the open libraries that are approved by FIPS. One of those libraries is OpenSSL-FIPS. This particular library uses Dual_EC_DRBG. The FIPS 140-2 standards require using a DRBG.

The security vendors could be influenced directly or indirectly. Directly: “if you want your product approved, we expect you to use FIPS-approved libraries.” Indirectly: conferences, papers, advertisements, and free educational facilities all brainwash vendors and the public. Please insert your paranoid delusions here.

What could the security vendors do differently?

  1. They could follow the Waiver Procedure. I think this instance of Dual_EC use qualifies for an exception? BUT this Waiver Procedure is too cumbersome. No vendor wants to fight; they want to make money!
  2. The security vendors do have a choice in the implementation. Use decent hardware generators for random numbers and ignore the standard. (I think this will be very difficult and costly.) Quick question: Hey Vendor, are you just saying you are secure or do you really mean it?

How far does this problem extend?

See you January 13, 2016

 

https://www.eff.org/deeplinks/2014/01/after-nsa-backdoors-security-experts-leave-rsa-conference-they-can-trust

http://blogs.rsa.com/rsa-response/

http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/

http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html

Really geeky versions for crypto junkies

https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html

Cybersecurity for email is getting better?

Normally

I am whining, crying, and stomping my feet about how bad cyber security is. Last week Google published some really great information about what’s going on in email security. That’s not to say that spam is going away anytime soon, but we have a fighting chance.

These are the main topics for Wednesday night

 

What you doin?

Take a look at these four core protocols and see if any of them are implemented in your organization. One of the reasons why we changed providers recently was to get more of these protocols in place.

  • STARTTLS
  • DKIM
  • SPF
  • DMARC

How you doin?

I really like the Google transparency report on which domains are safer (the link is below). It tells us a lot about whom we should trust. So when we ask the question, we’ve got good data to back it up.
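To make the “see if any of these are implemented in your organization” check concrete, here is an added example (my own illustration, not code from the post or from Google’s report) that parses an SPF record and a DMARC record and flags the weak settings a receiving mail server would notice. The two domains and their TXT strings are constructed samples; a real check would fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` from DNS. STARTTLS and DKIM are not covered here because they cannot be judged from a TXT string alone.

```python
"""Posture check for the SPF and DMARC records of a mail domain.

Added example (not from the original post).  The records below are
constructed sample TXT strings; a real check would fetch the TXT records
for the domain and for _dmarc.<domain> with a DNS library.
"""
import re

# Constructed sample records: one weak configuration and one hardened one.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf":   "v=spf1 include:_spf.mailhost.example ip4:192.0.2.0/24 ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf":   "v=spf1 include:_spf.mailhost.example ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@strong.example",
    },
}

SPF_ALL_MEANING = {
    "+all": "pass everything: SPF is effectively disabled",
    "?all": "neutral: receivers treat unknown senders as if no SPF existed",
    "~all": "softfail: unknown senders are marked but usually delivered",
    "-all": "fail: unknown senders are rejected by SPF-aware receivers",
}


def parse_spf(record):
    """Split an SPF TXT record into its terms and classify the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    # The 'all' mechanism may carry a qualifier; a bare 'all' means '+all'.
    all_term = next((t for t in mechanisms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        all_qualifier = None
    elif all_term[0] in "+-~?":
        all_qualifier = all_term[0] + "all"
    else:
        all_qualifier = "+all"
    # RFC 7208 caps DNS-querying terms (include, a, mx, ptr, exists, redirect) at 10.
    lookups = sum(1 for t in mechanisms
                  if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", t, re.I)
                  or t.lower().startswith("redirect="))
    return {"mechanisms": mechanisms, "all": all_qualifier, "dns_lookups": lookups}


def parse_dmarc(record):
    """Parse the 'tag=value' pairs of a DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_domain(spf_record, dmarc_record):
    """Return a list of findings; an empty list means the posture is sound."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+all", "?all"):
        meaning = SPF_ALL_MEANING.get(spf["all"], "no all term, unknown senders are neutral")
        findings.append(f"SPF: weak terminal qualifier {spf['all']!r}: {meaning}")
    if spf["dns_lookups"] > 10:
        findings.append(f"SPF: {spf['dns_lookups']} DNS-querying terms exceed the limit of 10 (permerror)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess_domain(recs["spf"], recs["dmarc"]) or ["no findings"])
```

The weak domain gets two findings (a neutral `?all` and a monitor-only `p=none`); the strong one gets none. The lookup counter is there because an SPF record that exceeds ten DNS-querying terms evaluates to a permanent error, which receivers treat as no SPF at all.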

What else can you do?

  • Spam Traps
  • Global Volume data
  • Message composition data
  • Complaint reports
  • Compromised Host lists
  • Domain Blacklists
  • Safelists

If you’d like to talk about this more, we will see you at 6:15 PM Central time on Wednesday @ https://vmlt.adobeconnect.com/pdih-wed

—commercial—

Class start dates

CISSP – December 5

Cloud Security – December 12

PMP – December 12

Incident Response – December 5

http://www.google.com/transparencyreport/saferemail/?hl=en

If you think SOPA was bad TPP + CISA = SOL

Today is Blue Hair Wednesday – if you come tonight with blue hair and show yourself on camera- you win a prize.

Come talk with us tonight- it will be fun and informative.

  • https://vmlt.adobeconnect.com/pdih-wed
  • 10/21/2015 at 18:15 Central

Most information security professionals were against SOPA. Well if you didn’t like that, you’re really going to hate these two.

What are CISA & TPP?

Trans-Pacific Partnership Agreement (TPP)

There’s a lot of love about TPP, but I think these things are going to cause problems.

  • Journalists who report news like wiki-leaks are in trouble
  • Circumventing any security controls – more illegal than ever
  • Copyright fair use will be tightened until it squeaks
  • Internet service providers will be required to do more take down activities

Cybersecurity Information Sharing Act (CISA)

CISA is a rewrite of the highly controversial Cyber Intelligence Sharing and Protection Act.

  • Requires the DNI, DHS, DOD, and DOJ to develop and promulgate procedures to promote:
  • (1) the timely sharing of classified and declassified cyber threat indicators
  • (2) the sharing of unclassified indicators with the public
  • (3) the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects.

These sound pretty good on the surface but…

The law is so broad that a bunch of unintended consequences will occur, such as:

  • Forced sharing between .gov and .com = international issues
  • Legislating protection and controls = audit will suck more
  • Big data becomes BIG BROTHER

Here are the articles

  • https://nakedsecurity.sophos.com/2015/10/16/google-facebook-amazon-et-al-join-forces-against-incoming-cybersecurity-law/
  • https://www.congress.gov/bill/114th-congress/senate-bill/754/text
  • https://www.eff.org/issues/tpp

If you want to see me with blue hair- show up tonight.

Dean

— commercial—

  • Larry – PMP – October 31
  • Dean – CISSP – October 31
  • Frank – CEHv9 – Nov 15
  • Don – Incident Response – Nov 15

PDIH – Salesforce XSS No big deal- Really?

Last week Adobe, Microsoft and Oracle all tripped over their proverbial patches. But the real news was the Salesforce.com cross-site scripting flaw that was revealed. Don’t worry… Salesforce patched the flaw two days before the security vendor released the information to the public.

The real problem, as compared to other cross-site scripting flaws, is that “it existed in a real Salesforce subdomain ‘admin.salesforce.com’; the chances are pretty high that any end user on the receiving end of a phishing email from that URL would not identify it as malicious, nor would it have been detected by anti-phishing filters as being bogus.”

What does this mean to you and me?

In a regular environment that we own, we can do penetration testing, even basic scanning for vulnerabilities is allowed because we give ourselves permission to do it.

What about your contract for salesforce?

You do not have the right to do a penetration test. In fact your contract expressly forbids it.

What are you supposed to do?

This announces the arrival of software-as-a-service full-disclosure tracking. Organizations that sell us software as a service are not subject to the same requirements as vendors of locally installed, on-premise software. We’ve outsourced the risk, have no visibility into the process, and must rely on the vendor and their incident response process to inform us of the vulnerability. It becomes our responsibility to pay attention to the news: I guess it’s our job to create Google alerts for every piece of software as a service that we have a contract on.

If you’d like to talk about this more, come join us Wednesday evening at 6 PM Central. Don’t forget, this counts as one CPE.

http://vmlt.adobeconnect.com/ksa10003/

Want to read more?

https://www.elastica.net/salesforce-accounts-susceptible-to-hijacking-using-xss-flaw

… with Freedom Responsibility and Security for All.

Dean Bushmiller

—Commercial

CISSP orientation is in 2 weeks. https://store.expandingsecurity.com/product?catalog=CISSP-lol

RISK orientation is in 2 weeks. https://store.expandingsecurity.com/product?catalog=WOL-OG-RISK-101-M39

Another New Cloud Certification?

Before we get started

Our CEH class is starting May 11. It runs for 10 weeks, twice per week at night (7PM-8PM CEN). We are going to discuss CEH on May 8. If you know anyone who is interested, please have them contact me: dean.bushmiller@gmail.com

CCSP new to ISC Cloud Certification

I know ISC2 or CSA told you about this if you were at RSA. But if you missed it, here we go. With the proliferation of cloud certifications, ISC is jumping into the game. Since everything is being shoved into the cloud, we might want to learn a little cloud. We might need to prove we know the cloud from a security perspective.

Real cloud, real fun!

We will talk about the CCSP this Thursday night 6:30PM CEN for 30 minutes. (see below)

OOPS! 3 Certifications with the same name

Overlap was bound to happen with over 2300 different information technology certifications as of today. This time it is a BIG overlap. Cisco’s CCSP is about security also. There is a third certification in the medical industry. I think this might muddle the marketing message for ISC because Cisco has much more market power. For those of you following along from a legal perspective, ISC cannot claim a strong trademark.

What name might be better?

  • Certified Safety Professionals (CSP)
  • SolarWinds Certified Professional (SCP)
  • Certified Cloud Computing Security Professional (CCCSP)

What is different about this CCSP?

Not much. The exam outline combines most of the CSA and CompTIA material and sprinkles in the ISC management topics. The point of choosing the CCSP will be the value of it as it grows. I don’t know if it IS more valuable, but I bet you it will show up on the resume blender / headhunter sites as a “must have” by July 22.

What about the other cloud certifications?

There are a lot. Last count 20 vendors with 87 certifications. There are a bunch of top 10 lists out there. I chose the following before the cloud certification market glut:

  • CSA’s Certificate of Cloud Security Knowledge is a Certificate not a certification. Pure security; great test.
  • EXIN Cloud computing foundations: European organization using this as a way to blend ITIL.
  • CompTIA Cloud Essentials: basic simple cloud concepts.

The Exam

150 questions with 25 seed questions in 4 hours. I am scheduling my exam for the earliest possible date: July 23. Look for my post on that date to see if I am crying or flying high. If I fail I will be sad to light $549 on fire.

What should you read to prepare?

Gosh there are soooo many great books. From where we sit, there are two different reading lists. The core 500 pages are from: ENISA, NIST, and CSA. These documents will give you a great foundation.

I went one step further: I picked the top 100 texts for AFTER the class and offer you access to all those books. I think this alone is worth the price of our course. It is really difficult to know it all. You need a resource that is updated as new content comes out when you prepare for the next business cloud challenge problem. When I was in school we had math problems, not math challenges.

What should you do to prepare?

Get to the cloud, start setting things up and serving up content. My favorite activity when I taught Cloud last time was when we set up a free cloud server. This time around we are going to set up a few different providers and have the servers and clients talk to each other.

Our CCCSP course is four for the price of one.

I taught these certifications (not CCSP) as one course for the first time two years ago. This way we cover a more complete understanding of the concepts and make it about the learning, not just the exams. If you take it seriously we can offer you a plan to get the following certifications:

  • ISC’s CCSP
  • EXIN Cloud computing foundations
  • CompTIA Cloud Essentials
  • CSA’s CCSK

[Commercial]

Real cloud, real fun! We will talk about the CCSP this Thursday night 6:30PM CEN for 30 minutes. To be invited, send me an email dean.bushmiller@gmail.com

We are ready for the CISSP 2015 exam, are you?

Past students: Have you been keeping up with your CPE’s? Come to class, free!

Classes starting soon:

 

PDIH – New CISSP domain details

I am really happy about the way our CISSP for 2015 has turned out. A few people have been reporting back that we match the new exam objectives. I knew we were on target, but 3 for 3 passes in the last week is “pat-on-the-back” good! (see disclaimer)

So what’s new… Pussycat?

The Asset Security domain is new to 2015. New content topics are: Privacy, Ownership, and setting controls based upon 800-53 and Risk Management Framework. More on these in a minute. Well… the name is new but some of the content is the same as before and that sameness gives us a hint as to what-the-heck they are talking about. For example, the topics of Classification and Data retention were a part of the “old” Operations Security domain.

Privacy:

I have a love-hate relationship with privacy in enterprise security.

  • Love: Some of the new laws are going in the right direction. Transmission of data in the clear will be a thing of the past.
  • Hate: The checkbox privacy officers (CPO) who only care about following the minimum are wasting money. Eventually they will get it right. Privacy questions on the exam have been as much a waste as the CPO position.

Ownership:

With the advent of BYOD (bring your own device), ownership has become unclear. In the past, the enterprise typically owned the device. Any data stored on the device was clearly marked as the organization’s information. We had this demarcation by virtue of a login message. Now that employees may choose any device, we must restrict access to the application or the data within the application. Ownership is a very specific term for ISC2; they tie this to the construct of risk owner.

800-53 Control process:

There are people who spend all their time mapping controls to the different families within that document. I’m glad to see that we are giving the virtual nod to the process itself and not just the list.

Risk Management Framework:

The new domain doesn’t specifically say “risk management framework” in this section. With the words like “baseline” and “tailoring” you know this is in a few of the documents available from NIST.

NOT NEW?

I know this is nothing new. But the emphasis is going to change within the context of the new exam. As the new item writers are presented with the new domains and topics, they will be forced to ask questions in these areas. As the newly certified people start talking with the old ones, we are going to need a translator.

In a raspy voice: “When I was a young whipper snapper, we only talked about risk… What‘s this framework nonsense?!”

Up your game, Grandpa!

Those of us who have the certification need to start absorbing the new language. The next natural step would be to reach out and grab all those NIST documents. But there’s a problem with that strategy. If you try to read it all, you will drown. If you really have a business requirement, I suggest you reach out to Larry Elwood.

AS or KAS?

Asset Security, really? What a dumb name. What is an asset? What types of assets are we talking about? Since everything is an asset, I changed the domain name to reflect more of what we are talking about. Besides, the TLA would have been what, A$$? So I changed it to KAS: Knowledge Asset Security domain. More on the names next week.

[Commercial]

  • Come to a free class test and see.
  • Wednesday Night 7PM Central
  • https://vmlt.adobeconnect.com/cissp-kas3
  • We are ready for the CISSP 2015 exam are you?
  • The course is now 50 sessions over 10 weeks.
  • You can do as much interactive as you want or if your schedule changes, flip to async mode.
  • Register and attend 1-hour orientation by Saturday April 11, 2015.
  • Past students: Have you been keeping up with your CPE’s? Come to class, free!

 

New students: We have added the new topics to our course and changed the names to match. We are staying ahead. We are ready to help students kick some EXAM butt. We have already built our course for live on line. The new registration is automatic: https://store.expandingsecurity.com/

Disclaimer:

Expanding Security has not pulled information from the new ISC2 exam outline. We are not asking students to reveal confidential information about the exam. We do not cheat or compromise ethical agreements.

2015 CISSP domains confirmed and let us dig deeper

I got the news..

A notice from management@isc2.org with the following link: http://blog.isc2.org/isc2_blog/2015/01/maintaining-the-relevancy-of-isc%C2%B2-certifications-cissp-and-sscp-credential-enhancements.html I think it is really cool how they finally got the squared symbol to show up and work in a link… But I digress.

Dean is trending?

Last week I guessed at the names based upon my reconnaissance, but any major dude could tell you the domain names. I have one bone to pick with one domain name: Asset Security. Isn’t everything asset security? The details make me think it might be better to call it Knowledge Asset Security. Yeah, that is it! KAS. Let’s start a trend. Everyone call it Knowledge Asset Security. Your homework is you must tell two security friends. Tell them Dean sent you.

Effect of changing the domain names?

It is pretzel logic. ISC2 twisting the domain names around is not a big deal. Moving items in the Candidate Information Bulletin (CIB) from one heading to another does have a little impact on the market. This makes all the rookies run and get a new edition of the book. It makes the salesperson’s job easier. F.U.D. is a great way to sell to non-CISSPs. But for you and me in the Glamour Profession of security? Not much.

New material doesn’t make crappy teaching better.

Teaching security doesn’t change. Confidentiality will always be Confidentiality. To pass the exam you must know the outline of all the content (CBK), the weight on each section (totals from the constituent survey), and how the items on the exam are written. Most people do not pay attention to raw data. I do not have anything that any CISSP cannot get. There is no secret spy. Teaching the wrong content, with the wrong emphasis, or just slamming slides will get you a lot of failures. But hey… you did your job reading slides. A lot of instructors tell the secrets of the test in their “special classes.” Teaching the test is impossible. Only a fool would say that.

Adding new content has an effect.

This new content makes you King of the world for a short period of time. ISC2 needs this to keep relevant. They hide this content. Masking and protecting the Common body of knowledge is really the key. If you ask for the true copy of the Common body of knowledge you get a few stock answers:

  1. Here is a copy of the course objectives. (not the CBK)
  2. Here is the Candidate Information Bulletin.  (Still not CBK)

Why not give the CBK out so everyone can study?

This would force ISC2 to make good content and to compete in an open market. They might have to actually teach security.  Trying to jam slides down the student’s throat is not teaching. How many domains per day? The official curriculum course is way off the deep end again.

Change of the guard

Expanding Security is the online training company that takes the students who have failed, all the people who cannot drink from a 2000-slide fire hydrant, and trains them how to think like a security professional. As a side benefit they learn how to answer crappy questions the exam way.

Dirty Work

Here is the first installment of the details of one domain. By the way: you really don’t care what domain the material is in, you need to know the concepts and how to apply them. You need to know what is new to the exam. I did the dirty work of starring (*) the new stuff in these sub-topics.

  • Understand and apply concepts of confidentiality, integrity, and availability
  • Apply security governance principles through
  • *Compliance
  • Understand legal and regulatory issues that pertain to information security in a global context
  • Understand professional ethics
  • Develop and implement documented security policy, standards, procedures, and guidelines
  • *Understand business continuity requirements (why the hell is this here?)
  • Contribute to personnel security policies
  • Understand and apply risk management concepts
  • Understand and apply threat modeling
  • Integrate security risk considerations into acquisition strategy and practice
  • Establish and manage information security education, training, and awareness

This week’s game:

Can you tell me what song and single artist I referred to? If you are first you get a Caffeine Card.

  • Ready….
  • Set…
  • GO!

[Commercial]

Now all I need is Green Earrings and a few more students. We started working on our new courses late in the summer of 2014, and we are ready before the 2015 exam. Next Saturday we have an orientation for new students.

Past students: Have you been keeping up with your CPEs? Come to class for free!

New students: We have added the new topics to our course and changed the names to match. We are staying ahead, and we are ready to help students kick some EXAM butt. We have already built our course for live online delivery. Registration starts now at the 2014 prices. January 24, 2015 is the class start date.

For those of you who do not want our full course: we offer a subscription through our Apple iPad app, VMLT. The app will cost $1 and will require a subscription purchased on our site to unlock most of the details and recordings. The first 100 people who download it get a free limited subscription. The new material will be released gradually over the next 30 days.

CISSP domains for 2015: crystal ball

Ten years ago, when I first started teaching the CISSP, my first action was to go to ISC2 and download the Common Body of Knowledge (CBK). I took the outline and detailed everything in it. Oh, what a fool I was.

After becoming an official instructor, after authoring and project-managing the official curriculum for two years, after going to item-writing school at ISC2, and after talking to people on the “inside,” I realized that all organizations are just as screwed up as everybody else out there. All the things that you think are wrong with your organization are also wrong with ISC2. My conclusion was, and still is: there is very little rhyme or reason to how the CBK relates to the exam or the course. And in the recent past, the official curriculum course went way off the deep end.

WHAT SHOULD WE DO?

Instead of whining and complaining about it, figure out exactly how the system works and work around it: not to cheat the system, but to ignore the flawed process that everybody else is using.

WHAT IS OLD IS NEW.

Once every few years, ISC2 rewrites and reorganizes the CBK and the course. You should see a big announcement from ISC2 early in 2015. The press release will be something like: “Only get curriculum from us, because everybody else in the market doesn’t have a clue as to what’s going on, and we know when they don’t, blah blah blah…” Well, they did not count on us paying attention. We started working on our new course in late summer 2014.

OH WE KNOW…

The new version of the CBK rearranges the names and the underlying materials. I see 8 domains, 50 major topics that are the same, and 14 new topics. The exam will take about 3 to 9 months to catch up to the CBK while new questions are incorporated via the research method.

WHY DO YOU CARE?

Here is the reason for writing my article. If you download the CBK from ISC2, you agree to use it for personal use only. Therefore I am publishing this outline here before it is on the ISC2 site. There is no secret here; I paid attention. I do have all the sub-topics, but they are not listed here. If you want the full details, either wait for ISC2 in January 2015 or sign up for our VMLT iPad app (see below).

I GIVE YOU THESE 10… NO, 8 DOMAINS

I gave each domain a short three-letter acronym, because that is what every good technologist does. Here are the new domains mapped to the old domains. The mapping is not perfect, and there are a great many details that make it wrong to say there is a one-to-one correspondence between old names and new names. I’m sure there will be slight adjustments to names and topics when they are released.

1. SRM – Security and Risk Management = Information Security Governance and Risk Management, plus Compliance from the Legal domain and some BCP

2. ATS – Asset Security = part of Operations Security

3. ENG – Security Engineering = Security Architecture and Design, plus a small part of Cryptography

4. CNS – Communication and Network Security = Telecommunications and Network Security

5. IAM – Identity and Access Management = Access Control

6. ANT – Security Assessment and Testing = formerly part of the Legal domain

7. OPS – Security Operations = Physical Security; Legal, Regulations and Investigations; and Disaster Recovery

8. DEV – Software Development Security = Application Security, but OWASP material is in another domain

My only criticism of the new domain names: do we really need the word “Security” in almost every domain name?

[Commercial]

Past students: Have you been keeping up with your CPEs? Come to class for free!

New students: We have added the new topics to our course and changed the names to match. We are staying ahead, and we are ready to help students kick some EXAM butt. We have already built our course for live online delivery. Registration starts now at the 2014 prices. January 17, 2015 is the class start date.

For those of you who do not want our full course: we offer a subscription through our Apple iPad app, VMLT. The app will cost $1 and will require a subscription purchased on our site to unlock most of the details and recordings. The first 100 people who download it get a free limited subscription. The new material will be released gradually over the next 30 days.

Please don’t ask about Android. The answer is NO unless you have $100,000 and 6 months.