60 days to offer a solution or have one inflicted upon us

U.S. Presidents have always wanted to fix things; that is why they become presidents. Our current President has stated he wants the Department of Defense and other agencies to submit recommendations for US Cyber Security in 60 days. They will. But you will not like their solution. Let’s do something about it.

Here is the original document. Notice it is NOT an executive order yet.  This is also not the first time a president has made this stand. But let’s take it seriously.

What is the problem?

Right now we drive the internet like a car without seat-belts. Unfortunately it’s not as simple as “Insert the metal fittings one into the other.” We can get close to lap-belts with the steps below. It will take at least 4 years to get real change. And then we can look at the 5-point harness of race cars.

The scope according to the document: assets, vulnerabilities,  adversaries,  and capabilities.

This is a good way to get answers, but those answers and questions will come from military thought leaders, not cyber security professionals. What is wrong with that? Replacing the concept of bullet with packet makes everything work, right? You and I know that the physical concepts do not equate to virtual concepts. Many have suggested blocking or breaking the internet [SOPA/PIPA]. Many have said a central authority should have control over encryption [CLIPPER CHIP]. Telling people to be aware works for 5 minutes… well maybe 6. As proof I offer ALL password audits.

Every time people use concepts from the physical world and they push on one side of the cyber balloon, it only bulges on the other side, pushing the problem away not solving it. We must think differently.

Think in terms of: What are achievable objectives? What will people and corporations understand and support? What will do the most good? What do we have to work with now? What will work without breaking most of the internet? Over the next four weeks I will discuss these questions, but let’s start with the last one first.

What will work without breaking most of the internet?

Standards & Protocols that we already have.

  1. DNSSEC = Integrity of resolution
  2. IPv6 = identification of origin and possible privacy
  3. Certificates = Non-repudiation of source for both people and devices

1. Say YES to fully implementing DNSSEC – if you do, a few things happen: 1. Spam goes down dramatically. 2. Impersonation is much more difficult. 3. We can depend on resolution response. DNSSEC resolution is quality resolution, but current DNS is very easy to attack and has a low quality of trust. Services offered by companies need to be trustworthy; we need to know they are who they say they are. DNS is not trustworthy; DNSSEC is.

The ultimate goal would be DNSSEC reverse resolution for every end point (when you make a query, we know who is asking the question). We need to say NO to DNS. We can do this technically: first implement DNSSEC for all resolution, then block all DNS. Impose filtering by all ISPs and corporate firewalls.

2. IPv6 only, no IPv4 – What makes V6 better? Location, Location, our ability to pinpoint LOCATION. What makes V4 bad? Spoofing of location. If we only used V6 we could know where a computer, IOT, laptop, or mobile phone is located. If you know where it is, jurisdiction is established. Now we know where it is; we can hold someone accountable.

Sidebar- at this point, really technical people are screaming ‘you can still spoof, you can still move around’ – yes but… there is another…

Want to build a wall? You can with internet routing tables. We know that routers route around failure; that is what makes the internet so resilient. That needs to change just a little. I am not in favor of breaking the Internet, but a lot of other countries do it. We are not saying don’t route, just don’t route attackers’ crap/spoofed packets. Do a little inspection.

The rest of the world may not use V6 – fine. That means less trust; less trust means we should limit traffic and increase inspection. If other countries play the V6 game, the U.S. can offer “most favoured nation” routing status. If you break the rules, “Embargo on.”

Choices for those Sanctuary ISPs who want to facilitate illegal v4 packets? I don’t mind if you do not want to play the same game, but don’t make us pay for your poor protocol choices. Your poor choice means you shoulder the routing burden and get less trust.

Side benefit of IPv6: it has an optional header for IPSEC.  IPSEC is for encryption/privacy. One of the key components of IPSEC is the ability to authenticate endpoints and people via certificates. Which leads me to…

3. Smiles everyone smiles… I mean CERTIFICATES FOR EVERYONE AND EVERYTHING: You want to control the Mirai botnet? If everyone and everything was issued a certificate (X.509), you would know the device or the person and you could either block or fix.

If your DVR is a part of Mirai, the ISP can block the one device and not everything you own. If you cannot get your favorite show, you will individually scream at the vendor who sold it. This places the responsibility back on the vendor who sold the poorly-secured device.  Oh, the vendor doesn’t want to issue certificates? Fine – but then you have less trust, less bandwidth and the ISP is in control. If the ISP issued the crappy device,  then (via certificates) we can attribute bad behavior, see a pattern, and hold them responsible.

We can control who issues certificates or their certificate practices with a little oversight. If we cannot control the CA, then we can control what root certificates we trust. More importantly we can take that trust away when entities hit the naughty list.

Combine these three.

You have the start of a solution that places the burden on the vendors; they can then choose to push that cost on to an informed customer. If we use crappy devices with none of these  security  features, the receiving end has the choice to reject us. More next week…

Things will break along the way.

Yes this will break a lot of older applications and IOT. Breaking means fixing. This fixing will direct money to solving the cyber security problem in a very narrow focus.

The Federal government is good at imposing public safety measures like seat-belts. These are safety measures; they will reduce cyber-death but not eliminate it. People need choice (not to wear seat-belts), but the government should make sure seat-belts are there.

So if you do not want to use these cyber security tools, fine.  Ignore them at your own risk. For military, government, and large commercial entities, these 3 should be the cyber law.

Your turn.

This is an outline of a solution that I will expand upon with your help below. Now it is your turn to add to the solution. You have a few key technology tools to convert to regulatory tools that don’t break the internet. You have a few tools that allow for privacy. You have a few tools for guiding net neutrality with responsibility.  Now it is your responsibility to tell someone. Someone at the DOD, your legislator, your President.

More to come.

My next 4 weeks will be spent discussing:

  • What will most people understand and get behind?
  • What are achievable objectives?
  • What will do the most good?
  • What do we have to work with now?


Don’t understand what we are talking about? Come to class.

CISSP / CEH / Cloud Security and others. Ask for a free seat.

Cybersecurity for email is getting better?


I am whining, crying, and stomping my feet about how bad cyber security is. Last week Google published some really great information about what’s going on in email security. That’s not to say that spam is going away anytime soon, but we have a fighting chance.

These are the main topics for Wednesday night


What you doin?

Take a look at these four core protocols and see if any of these are implemented in your organization. One of the reasons why we changed providers recently was to get more of these protocols in place.

  • DKIM
  • SPF
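
One way to run that check offline against the TXT records a domain publishes, as an added example that is not part of the original post. The record strings, addresses and key bytes are constructed placeholders, and SPF mechanisms that need further DNS lookups are reported rather than resolved.

```python
import base64
import binascii
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup


def find_spf(txt_records):
    """Return the one SPF record among a name's TXT strings, or None."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:  # RFC 7208: several v=spf1 records is a permanent error
        raise ValueError("multiple SPF records published")
    return spf[0] if spf else None


def parse_spf(record):
    """Yield (qualifier, name, value); modifiers (redirect=) get qualifier None."""
    for term in record.split()[1:]:
        head, sep, rest = term.partition("=")
        if sep and ":" not in head and "/" not in head:
            yield None, head.lower(), rest
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = body.partition(":")
        yield qualifier, name.split("/")[0].lower(), value


def check_ip(record, ip):
    """Evaluate a sender IP left to right using only ip4, ip6 and all."""
    addr = ipaddress.ip_address(ip)
    redirect = False
    for qualifier, name, value in parse_spf(record):
        if qualifier is None:
            redirect = redirect or name == "redirect"
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        else:
            return "needs-dns:" + name  # cannot be settled without a lookup
    return "needs-dns:redirect" if redirect else "neutral"


def audit_spf(txt_records):
    """Return finding codes for the SPF policy published at one name."""
    record = find_spf(txt_records)
    if record is None:
        return ["spf-missing"]
    terms = list(parse_spf(record))
    alls = [q for q, n, _ in terms if q is not None and n == "all"]
    redirect = any(q is None and n == "redirect" for q, n, _ in terms)
    findings = []
    if not alls and not redirect:
        findings.append("spf-no-all")         # unmatched senders end up neutral
    elif alls and alls[0] == "+":
        findings.append("spf-pass-all")       # every sender on the internet passes
    elif alls and alls[0] in "~?":
        findings.append("spf-not-enforcing")  # receivers are not asked to reject
    lookups = sum(n in DNS_MECHANISMS for q, n, _ in terms if q is not None)
    if lookups + redirect > 10:               # top-level terms only
        findings.append("spf-too-many-lookups")
    return findings


def audit_dkim(record):
    """Return finding codes for one selector._domainkey TXT record."""
    tags = dict((k.strip().lower(), v.strip()) for k, _, v in
                (part.partition("=") for part in record.split(";")) if k.strip())
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["dkim-bad-version"]
    key_b64 = "".join(tags.get("p", "").split())
    if not key_b64:
        return ["dkim-no-key"]  # RFC 6376: an empty p= marks a revoked key
    try:
        key = base64.b64decode(key_b64, validate=True)
    except binascii.Error:
        return ["dkim-bad-key"]
    findings = []
    # A 2048-bit modulus alone is 256 bytes, so a shorter encoding is a smaller key.
    if tags.get("k", "rsa").lower() == "rsa" and len(key) < 256:
        findings.append("dkim-rsa-under-2048")
    if "y" in tags.get("t", "").split(":"):
        findings.append("dkim-testing")  # verifiers treat the mail as unsigned
    return findings


# Constructed sample data: placeholder names, addresses and zero-filled "keys".
SPF_SAMPLE = ["verification=constructed",
              "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example ~all"]
DKIM_SMALL = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(bytes(162)).decode()
DKIM_LARGE = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()

if __name__ == "__main__":
    print("SPF :", audit_spf(SPF_SAMPLE), check_ip(SPF_SAMPLE[1], "192.0.2.10"))
    print("DKIM:", audit_dkim(DKIM_SMALL), audit_dkim(DKIM_LARGE))
```

An empty list means none of these checks fired; it does not prove that outbound mail is actually signed or that every sending host is covered.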

How you doin?

I really like the Google transparency report on what domains are safer (the link is below). It tells us a lot about who we should trust. So when we ask the question, we’ve got good data to back it up.

What else can you do?

  • Spam Traps
  • Global Volume data
  • Message composition data
  • Complaint reports
  • Compromised Host lists
  • Domain Blacklists
  • Safelists

If you would like to talk about this more, we will see you at 6:15 PM Central time on Wednesday @ https://vmlt.adobeconnect.com/pdih-wed


Class start dates

CISSP – December 5

Cloud Security – December 12

PMP – December 12

Incident Response – December 5


Another New Cloud Certification?

Before we get started

Our CEH class is starting May 11. It runs for 10 weeks, twice per week at night (7PM-8PM CEN). We are going to discuss CEH on May 8. If you know anyone who is interested, please have them contact me at dean.bushmiller@gmail.com

CCSP new to ISC Cloud Certification

I know ISC2 or CSA told you about this if you were at RSA. But if you missed it, here we go. With the proliferation of cloud certifications, ISC is jumping into the game. Since everything is being shoved into the cloud, we might want to learn a little cloud. We might need to prove we know the cloud from a security perspective.

Real cloud, real fun!

We will talk about the CCSP this Thursday night 6:30PM CEN for 30 minutes. (see below)

OOPS! 3 Certifications with the same name

Overlap was bound to happen with over 2300 different information technology certifications as of today.  This time it is a BIG overlap. CISCO’s CCSP is about security also. There is a third certification in the medical industry. I think this might muddle the marketing message for ISC because CISCO has much more market power. For those of you following along from a legal perspective, ISC cannot claim a strong trademark.

What name might be better?

  • Certified Safety Professionals (CSP)
  • SolarWinds Certified Professional (SCP)
  • Certified Cloud Computing Security Professional (CCCSP)

What is different about this CCSP?

Not much. The exam outline combines most of the CSA and CompTIA material and sprinkles in the ISC management topics. The point of choosing the CCSP will be the value of it as it grows. I don’t know if it IS more valuable, but I bet you it will show up on the resume blender / headhunter sites as a “must have” by July 22.

What about the other cloud certifications?

There are a lot. Last count 20 vendors with 87 certifications. There are a bunch of top 10 lists out there. I chose the following before the cloud certification market glut:

  • CSA’s Certificate of Cloud Security Knowledge is a Certificate not a certification. Pure security; great test.
  • EXIN Cloud computing foundations: European organization using this as a way to blend ITIL.
  • CompTIA Cloud Essentials: basic simple cloud concepts.

The Exam

150 questions with 25 seed questions in 4 hours. I am scheduling my exam for the earliest possible date: July 23. Look for my post on that date to see if I am crying or flying high. If I fail I will be sad to light $549 on fire.

What should you read to prepare?

Gosh there are soooo many great books. From where we sit, there are two different reading lists. The core 500 pages are from: ENISA, NIST, and CSA. These documents will give you a great foundation.

I went one step further: I picked the top 100 texts for AFTER the class and offer you access to all those books. I think this alone is worth the price of our course. It is really difficult to know it all.  You need a resource that is updated as new content comes out when you prepare for the next business cloud challenge problem. When I was in school we had math problems, not math challenges.

What should you do to prepare?

Get to the cloud, start setting things up and serving up content. My favorite activity when I taught Cloud last time was when we set up a free cloud server. This time around we are going to set up a few different providers and have the servers and clients talk to each other.

Our CCCSP course is 4 for the price of one.

I taught these certifications (not CCSP) as one course for the first time two years ago. This way we cover a more complete understanding of the concepts and make it about the learning, not just the exams. If you take it seriously we can offer you a plan to get the following certifications:

  • ISC’s CCSP
  • EXIN Cloud computing foundations
  • CompTIA Cloud Essentials
  • CSA’s CCSK


Real cloud, real fun! We will talk about the CCSP this Thursday night 6:30PM CEN for 30 minutes. To be invited, send me an email at dean.bushmiller@gmail.com

We are ready for the CISSP 2015 exam, are you?

Past students: Have you been keeping up with your CPE’s? Come to class, free!

Classes starting soon:


PDIH – New CISSP domain details

I am really happy about the way our CISSP for 2015 has turned out. A few people have been reporting back that we match the new exam objectives. I knew we were on target, but 3 for 3 passes in the last week is “pat-on-the-back” good! (see disclaimer)

So what’s new… Pussycat?

The Asset Security domain is new to 2015. New content topics are: Privacy, Ownership, and setting controls based upon 800-53 and Risk Management Framework. More on these in a minute. Well… the name is new but some of the content is the same as before and that sameness gives us a hint as to what-the-heck they are talking about. For example, the topics of Classification and Data retention were a part of the “old” Operations Security domain.


I have a love-hate relationship with privacy in enterprise security.

  • Love: Some of the new laws are going in the right direction. Transmission of data in the clear will be a thing of the past.
  • Hate: The checkbox privacy officers (CPO) who only care about following the minimum are wasting money. Eventually they will get it right. Privacy questions on the exam have been as much a waste as the CPO position.


With the advent of BYOD (bring your own device), ownership has become unclear. In the past, the enterprise typically owned the device. Any data stored on the device was clearly marked as the organization’s information. We had this demarcation by virtue of a login message. Now that an employee may choose any device, we must restrict access to the application or the data within the application. Ownership is a very specific term for ISC2; they tie this to the construct of risk owner.

800-53 Control process:

There are people who spend all their time mapping controls to the different families within that document. I’m glad to see that we are giving the virtual nod to the process itself and not just the list.

Risk Management Framework:

The new domain doesn’t specifically say “risk management framework” in this section. With words like “baseline” and “tailoring”, you know this is in a few of the documents available from NIST.


I know this is nothing new. But the emphasis is going to change within the context of the new exam. As the new item writers are presented with the new domains and topics, they will be forced to ask questions in these areas. As the newly certified people start talking with the old ones, we are going to need a translator.

In a raspy voice: “When I was a young whipper snapper, we only talked about risk… What’s this framework nonsense?!”

Up your game, Grandpa!

Those of us who have the certification need to start absorbing the new language. The next natural step would be to reach out and grab all those NIST documents. But there’s a problem with that strategy. If you try to read it all, you will drown. If you really have a business requirement, I suggest you reach out to Larry Elwood.

AS or KAS?

Asset Security, really? What a dumb name. What is an asset? What types of assets are we talking about? Since everything is an asset, I changed the domain name to reflect more of what we are talking about. Besides the TLA would have been what A$$? So I changed it to KAS – Knowledge Asset Security domain. More on the names next week.


  • Come to a free class test and see.
  • Wednesday Night 7PM Central
  • https://vmlt.adobeconnect.com/cissp-kas3
  • We are ready for the CISSP 2015 exam, are you?
  • The course is now 50 sessions over 10 weeks.
  • You can do as much interactive as you want or if your schedule changes, flip to async mode.
  • Register and attend 1-hour orientation by Saturday April 11, 2015.
  • Past students: Have you been keeping up with your CPE’s? Come to class, free!


New students: We have added the new topics to our course and changed the names to match. We are staying ahead. We are ready to help students kick some EXAM butt. We have already built our course for live on line. The new registration is automatic: https://store.expandingsecurity.com/


Expanding Security has not pulled information from the new ISC2 exam outline. We are not asking students to reveal confidential information about the exam. We do not cheat or compromise ethical agreements.

2015 CISSP domains confirmed and let us dig deeper

I got the news…

A notice from management@isc2.org with the following link: http://blog.isc2.org/isc2_blog/2015/01/maintaining-the-relevancy-of-isc%C2%B2-certifications-cissp-and-sscp-credential-enhancements.html I think it is really cool how they finally got the squared symbol to show up and work in a link… But I digress.

Dean is trending?

Last week I guessed at the names based upon my reconnaissance, but any major dude could tell you the domain names. I have one bone to pick with one domain name: Asset Security. Isn’t everything asset security? The details make me think it might be better to call it Knowledge Asset Security. Yeah, that is it! KAS. Let’s start a trend. Everyone call it Knowledge Asset Security. Your homework is you must tell two security friends. Tell them Dean sent you.

Effect of changing the domain names?

It is pretzel logic. ISC2 twisting the domain names around is not a big deal. Moving items in the Candidate Information Bulletin (CIB) from one heading to another does have a little impact on the market. This makes all the rookies run and get a new edition of the book. It makes the salesperson’s job easier. F.U.D. is a great way to sell to non-CISSPs. But for you and me in the Glamour Profession of security? Not much.

New material doesn’t make crappy teaching better.

Teaching security doesn’t change. Confidentiality will always be Confidentiality. To pass the exam you must know the outline of all the content (CBK), the weight on each section (totals from the constituent survey), and how the items on the exam are written. Most people do not pay attention to raw data. I do not have anything that any CISSP cannot get. There is no secret spy. Teaching the wrong content, with the wrong emphasis, or just slamming slides will get you a lot of failures. But hey… you did your job reading slides. A lot of instructors tell the secrets of the test in their “special classes.” Teaching the test is impossible. Only a fool would say that.

Adding new content has an effect.

This new content makes you King of the world for a short period of time. ISC2 needs this to keep relevant. They hide this content. Masking and protecting the Common body of knowledge is really the key. If you ask for the true copy of the Common body of knowledge you get a few stock answers:

  1. Here is a copy of the course objectives. (not the CBK)
  2. Here is the Candidate Information Bulletin. (Still not CBK)

Why not give the CBK out so everyone can study?

This would force ISC2 to make good content and to compete in an open market. They might have to actually teach security.  Trying to jam slides down the student’s throat is not teaching. How many domains per day? The official curriculum course is way off the deep end again.

Change of the guard

Expanding Security is the online training company that takes the students who have failed, all the people who cannot drink from a 2000-slide fire hydrant, and trains them how to think like a security professional. As a side benefit they learn how to answer crappy questions the exam way.

Dirty Work

Here is the first installment of the details of one domain. By the way: you really don’t care what domain the material is in; you need to know the concepts and how to apply them. You need to know what is new to the exam. I did the dirty work of starring the new stuff in these sub-topics.

  • Understand and apply concepts of confidentiality, integrity, and availability
  • Apply security governance principles through
  • *Compliance
  • Understand legal and regulatory issues that pertain to information security in a global context
  • Understand professional ethics
  • Develop and implement documented security policy, standards, procedures, and guidelines
  • *Understand business continuity requirements (why the hell is this here?)
  • Contribute to personnel security policies
  • Understand and apply risk management concepts
  • Understand and apply threat modeling
  • Integrate security risk considerations into acquisition strategy and practice
  • Establish and manage information security education, training, and awareness

This week’s game:

Can you tell me what song and single artist I referred to? If you are first you get a Caffeine Card.

  • Ready….
  • Set…
  • GO!


Now all I need is Green Earrings and a few more students. We started working on our new courses late in the summer 2014. We are ready before the 2015 exam. Next Saturday we have an orientation for new students.

Past students: Have you been keeping up with your CPE’s? Come to class, free!

New students: We have added the new topics to our course and changed the names to match. We are staying ahead. We are ready to help students kick some EXAM butt. We have already built our course for live on line. Registration starts now with the 2014 prices. January 24, 2015 is the class start date.

For those of you who do not want our full course: we make it a subscription on our Apple iPad app VMLT. The app will be $1 and require that you buy a subscription on our site to unlock most of the details and recordings. We will make it a free limited subscription to the first 100 people who download. The new material will be released slowly over the next 30 days.

Expanding Security Ethics

A better set of ethics

We start with ACM code of ethics and go further.

We found the Software engineering code of ethics.

It might sound unethical to adjust another organization’s code of ethics. What do you think?

For Expanding Security we propose the ethics standards: Take software engineering code of ethics in total and replace the word “software” with “security”, replace “Product” with “service”. Anything in yellow is added or struck.

The short version of the code summarizes aspirations at a high level of the abstraction; the clauses that are included in the full version give examples and details of how these aspirations change the way we act as Security engineering professionals. Without the aspirations, the details can become legalistic and tedious; without the details, the aspirations can become high sounding but empty; together, the aspirations and the details form a cohesive code.
Security engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of Security a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, Security engineers shall adhere to the following Eight Principles:

1. PUBLIC – Security engineers shall act consistently with the public interest.
2. CLIENT AND EMPLOYER – Security engineers shall act in a manner that is in the best interests of their client and employer consistent with the public interest.
3. SERVICE – Security engineers shall ensure that their services and related modifications meet the highest professional standards possible.
4. JUDGMENT – Security engineers shall maintain integrity and independence in their professional judgment.
5. MANAGEMENT – Security engineering managers and leaders shall subscribe to and promote an ethical approach to the management of Security development and maintenance.
6. PROFESSION – Security engineers shall advance the integrity and reputation of the profession consistent with the public interest.
7. COLLEAGUES – Security engineers shall be fair to and supportive of their colleagues.
8. SELF – Security engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.

Security Engineering Code of Ethics and Professional Practice

Computers have a central and growing role in commerce, industry, government, medicine, education, entertainment and society at large. Security engineers are those who contribute by direct participation or by teaching, to the analysis, specification, design, development, certification, maintenance and testing of information systems. Because of their roles in developing systems, Security engineers have significant opportunities to do good or cause harm, to enable others to do good or cause harm, or to influence others to do good or cause harm. To ensure, as much as possible, that their efforts will be used for good, Security engineers must commit themselves to making Security engineering a beneficial and respected profession. In accordance with that commitment, Security engineers shall adhere to the following Code of Ethics and Professional Practice.
The Code contains eight Principles related to the behavior of and decisions made by professional Security engineers, including practitioners, educators, managers, supervisors and policy makers, as well as trainees and students of the profession. The Principles identify the ethically responsible relationships in which individuals, groups, and organizations participate and the primary obligations within these relationships. The Clauses of each Principle are illustrations of some of the obligations included in these relationships. These obligations are founded in the Security engineer’s humanity, in special care owed to people affected by the work of Security engineers, and the unique elements of the practice of Security engineering. The Code prescribes these as obligations of anyone claiming to be or aspiring to be a Security engineer.
It is not intended that the individual parts of the Code be used in isolation to justify errors of omission or commission. The list of Principles and Clauses is not exhaustive. The Clauses should not be read as separating the acceptable from the unacceptable in professional conduct in all practical situations. The Code is not a simple ethical algorithm that generates ethical decisions. In some situations standards may be in tension with each other or with standards from other sources. These situations require the Security engineer to use ethical judgment to act in a manner which is most consistent with the spirit of the Code of Ethics and Professional Practice, given the circumstances.
Ethical tensions can best be addressed by thoughtful consideration of fundamental principles, rather than blind reliance on detailed regulations. These Principles should influence Security engineers to consider broadly who is affected by their work; to examine if they and their colleagues are treating other human beings with due respect; to consider how the public, if reasonably well informed, would view their decisions; to analyze how the least empowered will be affected by their decisions; and to consider whether their acts would be judged worthy of the ideal professional working as a Security engineer. In all these judgments concern for the health, safety and welfare of the public is primary; that is, the “Public Interest” is central to this Code.
The dynamic and demanding context of Security engineering requires a code that is adaptable and relevant to new situations as they occur. However, even in this generality, the Code provides support for Security engineers and managers of Security engineers who need to take positive action in a specific case by documenting the ethical stance of the profession. The Code provides an ethical foundation to which individuals within teams and the team as a whole can appeal. The Code helps to define those actions that are ethically improper to request of a Security engineer or teams of Security engineers.
The Code is not simply for adjudicating the nature of questionable acts; it also has an important educational function. As this Code expresses the consensus of the profession on ethical issues, it is a means to educate both the public and aspiring professionals about the ethical obligations of all Security engineers.
Principle 1: PUBLIC
Security engineers shall act consistently with the public interest. In particular, Security engineers shall, as appropriate:

  • 1.01. Accept full responsibility for their own work.
  • 1.02. Moderate the interests of the Security engineer, the employer, the client and the users with the public good.
  • 1.03. Approve Security only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy or harm the environment. The ultimate effect of the work should be to the public good.
  • 1.04. Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with Security or related documents.
  • 1.05. Cooperate in efforts to address matters of grave public concern caused by Security, its installation, maintenance, support or documentation.
  • 1.06. Be fair and avoid deception in all statements, particularly public ones, concerning Security or related documents, methods and tools.
  • 1.07. Consider issues of physical disabilities, allocation of resources, economic disadvantage and other factors that can diminish access to the benefits of Security.
  • 1.08. Be encouraged to volunteer professional skills to good causes and contribute to public education concerning the discipline.

Principle 2: CLIENT AND EMPLOYER
Security engineers shall act in a manner that is in the best interests of their client and employer, consistent with the public interest. In particular, Security engineers shall, as appropriate:

  • 2.01. Provide service in their areas of competence, being honest and forthright about any limitations of their experience and education.
  • 2.02. Not knowingly use Security that is obtained or retained either illegally or unethically.
  • 2.03. Use the property of a client or employer only in ways properly authorized, and with the client’s or employer’s knowledge and consent.
  • 2.04. Ensure that any document upon which they rely has been approved, when required, by someone authorized to approve it.
  • 2.05. Keep private any confidential information gained in their professional work, where such confidentiality is consistent with the public interest and consistent with the law.
  • 2.06. Identify, document, collect evidence and report to the client or the employer promptly if, in their opinion, a project is likely to fail, to prove too expensive, to violate intellectual property law, or otherwise to be problematic.
  • 2.07. Identify, document, and report significant issues of social concern, of which they are aware, in Security or related documents, to the employer or the client.
  • 2.08. Accept no outside work detrimental to the work they perform for their primary employer.
  • 2.09. Promote no interest adverse to their employer or client, unless a higher ethical concern is being compromised; in that case, inform the employer or another appropriate authority of the ethical concern.

Principle 3: SERVICE
Security engineers shall ensure that their services and related modifications meet the highest professional standards possible. In particular, Security engineers shall, as appropriate:

  • 3.01. Strive for high quality, acceptable cost and a reasonable schedule, ensuring significant tradeoffs are clear to and accepted by the employer and the client, and are available for consideration by the user and the public.
  • 3.02. Ensure proper and achievable goals and objectives for any project on which they work or propose.
  • 3.03. Identify, define and address ethical, economic, cultural, legal and environmental issues related to work projects.
  • 3.04. Ensure that they are qualified for any project on which they work or propose to work by an appropriate combination of education and training, and experience.
  • 3.05. Ensure an appropriate method is used for any project on which they work or propose to work.
  • 3.06. Work to follow professional standards, when available, that are most appropriate for the task at hand, departing from these only when ethically or technically justified.
  • 3.07. Strive to fully understand the specifications for Security on which they work.
  • 3.08. Ensure that specifications for Security on which they work have been well documented, satisfy the users’ requirements and have the appropriate approvals.
  • 3.09. Ensure realistic quantitative estimates of cost, scheduling, personnel, quality and outcomes on any project on which they work or propose to work and provide an uncertainty assessment of these estimates.
  • 3.10. Ensure adequate testing, debugging, and review of Security and related documents on which they work.
  • 3.11. Ensure adequate documentation, including significant problems discovered and solutions adopted, for any project on which they work.
  • 3.12. Work to develop Security and related documents that respect the privacy of those who will be affected by that Security.
  • 3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.
  • 3.14. Maintain the integrity of data, being sensitive to outdated or flawed occurrences.
  • 3.15. Treat all forms of Security maintenance with the same professionalism as new development.

Principle 4: JUDGMENT
Security engineers shall maintain integrity and independence in their professional judgment. In particular, Security engineers shall, as appropriate:

  • 4.01. Temper all technical judgments by the need to support and maintain human values.
  • 4.02. Only endorse documents either prepared under their supervision or within their areas of competence and with which they are in agreement.
  • 4.03. Maintain professional objectivity with respect to any Security or related documents they are asked to evaluate.
  • 4.04. Not engage in deceptive financial practices such as bribery, double billing, or other improper financial practices.
  • 4.05. Disclose to all concerned parties those conflicts of interest that cannot reasonably be avoided or escaped.
  • 4.06. Refuse to participate, as members or advisors, in a private, governmental or professional body concerned with Security related issues, in which they, their employers or their clients have undisclosed potential conflicts of interest.

Principle 5: MANAGEMENT
Security engineering managers and leaders shall subscribe to and promote an ethical approach to the management of Security development and maintenance. In particular, those managing or leading Security engineers shall, as appropriate:

  • 5.01. Ensure good management for any project on which they work, including effective procedures for promotion of quality and reduction of risk.
  • 5.02. Ensure that Security engineers are informed of standards before being held to them.
  • 5.03. Ensure that Security engineers know the employer’s policies and procedures for protecting passwords, files and information that is confidential to the employer or confidential to others.
  • 5.04. Assign work only after taking into account appropriate contributions of education and experience tempered with a desire to further that education and experience.
  • 5.05. Ensure realistic quantitative estimates of cost, scheduling, personnel, quality and outcomes on any project on which they work or propose to work, and provide an uncertainty assessment of these estimates.
  • 5.06. Attract potential Security engineers only by full and accurate description of the conditions of employment.
  • 5.07. Offer fair and just remuneration.
  • 5.08. Not unjustly prevent someone from taking a position for which that person is suitably qualified.
  • 5.09. Ensure that there is a fair agreement concerning ownership of any Security, processes, research, writing, or other intellectual property to which a Security engineer has contributed.
  • 5.10. Provide for due process in hearing charges of violation of an employer’s policy or of this Code.
  • 5.11. Not ask a Security engineer to do anything inconsistent with this Code.
  • 5.12. Not punish anyone for expressing ethical concerns about a project.

Principle 6: PROFESSION
Security engineers shall advance the integrity and reputation of the profession consistent with the public interest. In particular, Security engineers shall, as appropriate:

  • 6.01. Help develop an organizational environment favorable to acting ethically.
  • 6.02. Promote public knowledge of Security engineering.
  • 6.03. Extend Security engineering knowledge by appropriate participation in professional organizations, meetings and publications.
  • 6.04. Support, as members of a profession, other Security engineers striving to follow this Code.
  • 6.05. Not promote their own interest at the expense of the profession, client or employer.
  • 6.06. Obey all laws governing their work, unless, in exceptional circumstances, such compliance is inconsistent with the public interest.
  • 6.07. Be accurate in stating the characteristics of Security on which they work, avoiding not only false claims but also claims that might reasonably be supposed to be speculative, vacuous, deceptive, misleading, or doubtful.
  • 6.08. Take responsibility for detecting, correcting, and reporting errors in Security and associated documents on which they work.
  • 6.09. Ensure that clients, employers, and supervisors know of the Security engineer’s commitment to this Code of ethics, and the subsequent ramifications of such commitment.
  • 6.10. Avoid associations with businesses and organizations which are in conflict with this code.
  • 6.11. Recognize that violations of this Code are inconsistent with being a professional Security engineer.
  • 6.12. Express concerns to the people involved when significant violations of this Code are detected unless this is impossible, counter-productive, or dangerous.
  • 6.13. Report significant violations of this Code to appropriate authorities when it is clear that consultation with people involved in these significant violations is impossible, counter-productive or dangerous.

Principle 7: COLLEAGUES
Security engineers shall be fair to and supportive of their colleagues. In particular, Security engineers shall, as appropriate:

  • 7.01. Encourage colleagues to adhere to this Code.
  • 7.02. Assist colleagues in professional development.
  • 7.03. Credit fully the work of others and refrain from taking undue credit.
  • 7.04. Review the work of others in an objective, candid, and properly-documented way.
  • 7.05. Give a fair hearing to the opinions, concerns, or complaints of a colleague.
  • 7.06. Assist colleagues in being fully aware of current standard work practices including policies and procedures for protecting passwords, files and other confidential information, and security measures in general.
  • 7.07. Not unfairly intervene in the career of any colleague; however, concern for the employer, the client or public interest may compel Security engineers, in good faith, to question the competence of a colleague.
  • 7.08. In situations outside of their own areas of competence, call upon the opinions of other professionals who have competence in that area.

Principle 8: SELF
Security engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession. In particular, Security engineers shall continually endeavor to:

  • 8.01. Further their knowledge of developments in the analysis, specification, design, development, maintenance and testing of Security and related documents, together with the management of the development process.
  • 8.02. Improve their ability to create safe, reliable, and useful quality Security at reasonable cost and within a reasonable time.
  • 8.03. Improve their ability to produce accurate, informative, and well-written documentation.
  • 8.04. Improve their understanding of the Security and related documents on which they work and of the environment in which they will be used.
  • 8.05. Improve their knowledge of relevant standards and the law governing the Security and related documents on which they work.
  • 8.06. Improve their knowledge of this Code, its interpretation, and its application to their work.
  • 8.07. Not give unfair treatment to anyone because of any irrelevant prejudices.
  • 8.08. Not influence others to undertake any action that involves a breach of this Code.
  • 8.09. Recognize that personal violations of this Code are inconsistent with being a professional Security engineer.

Exclusive digital release of Blue Team Handbook


I was thinking about what I could do for you, the faithful reader. It came to me… I could get you something that is not available to anyone but you. Incident response (blue teaming) is a big part of a security professional’s job. We need a short, clear handbook that can help us get to the root of the incident and ensure that we don’t miss a step along the way.

Fast forward to Blue Team Handbook.

Don Murdoch thought there needed to be a Blue Team Handbook, an incident responder’s quick reference guide in the same style as the Red Team Field Manual, RTFM. Don started working on the Blue Team Handbook in February. It is a way to consolidate his knowledge for you from his incident responder class. This 120-page print book will be available on Amazon in two weeks for $12, but you can get it now for $1.98.

What do you get and how do you get it?

The book is only offered in digital form on our iPad app. The virtual book tour dates and content will be offered first and at a discount from Expanding Security. Get the VMLT app at https://itunes.apple.com/us/app/vmlt-training/id806436572?mt=8

Once you install VMLT, send me an email request for the discount code to Don’s book: Dean.Bushmiller@vmlt.com.

Normally the digital version will be $12.99. For the first two weeks and the first 500 downloads, it will be $12 off the book price. As we pile in the content, the price will go up. The good news for you is early adopters will keep getting more content and deals.

Little help to Don?

Only YOU, my faithful subscribers, get this super deal. But you could help Don by spreading the word. If you forward this or post it, we will give them a 50% discount when they email us at bthb@vmlt.com.

Next week we will walk you through how to get all the great print, audio and video content that is ONLY available from us.

Commercial: You could buy Don’s full incident response class http://www.expandingsecurity.com/product/niccs-course-incident-response/

If you buy the app and the book for $1.98 we will send you a $200 discount for the class starting in November.

Hope you are having a great Fall!

…with Freedom, Responsibility, and Security for All.


Instructor Training


You all have expressed a desire to work with us. All of the people before you have worked hard to make this system. As new, better ideas come up we will add them to this page. Eventually this will be a starting place for inculcation.

Read NICCS & download the sheet.

Paperwork: non-compete, W-9, NDA all need to be sent to Helaine before she will send you a password.

You will need to request the password for each of these recordings below:

Search engine project overview

Opening of course project with financials. You need to request the spreadsheet from Dean to follow along. Please use the left navigation to jump.

Starting of the course milestones.



Syllabus CISSP All

When class is in a blackout week we offer our enrolled students the master list of all of their materials.

Your process:

If you are brand new to the program or have forgotten how to do any of the tasks, review the orientation. Click here

Why we ask you to guess and be wrong: Click here

If you have lost your way on how to study: Click here

If you have more than a few weeks in the program:

  • Get out your Student tracking sheet.
  • You should have a few weeks checked off and a few things missing.
  • Look at the thing you consistently fail or ignore first.

If you are close to the end of the 10 weeks:

  • Remind yourself of the myths so you do not panic: Click here
  • Remember do not panic. Do not cram. Get a tan, not a sunburn.

Here are all syllabi from all domains. There is no order; they are all independent.

If you need help–

Stumble around through the syllabus steps for 120 seconds, then ask. We are here for you.

Special recording when you have finished all ten domains:

CISSP Exam Prep and Review by BJ


Painpill Shame on you NIST for DoS

The Painpill- because no one takes vitamins regularly. This is a weekly security discussion and sometimes rant with a commercial at the end for training.

Government shutdown, fiscal cliff…

Everyone is talking about the government shutdown. It is important. I don’t want to play the blame-game, but I do want to talk about what I feel is an unnecessary Denial of Service attack by NIST on all of us.

Let’s frame the conversation with a few questions:

  • If you go on vacation or a break, do you turn off your web server or website?
  • If you cannot afford your power bill, do you light a neon sign that says “We’re Closed”?
  • If you set up your website and find you cannot do updates, do you tear the whole site down?

Everyone reading this would likely say NO to all the above. NIST said YES due to the government shutdown.

Why are SP800 documents important?

We all use the collective guidance of Special Publications to direct security decisions. For Expanding Security, we use Special Publications as part of classes. I share their importance and always tell students to get a copy. These documents were created and paid for with U.S. tax dollars. Done. Access to the documents should be… accessible no matter what current political problem is occurring.

Here’s the thing: it costs nothing to let a website run. Well, OK, it costs server time and electricity. So if you ran out of money, you would turn off the server. But NIST tore down the main page and put up a big fat FINGER to all of us. What do I mean?

The server doesn’t need to have a person feeding it data; there is no person on the other side of the server waiting to hand me my SP800-37.pdf. The documents and pages, once built, do not need any support.

The correct way?

I would have total respect for NIST if they turned off the server because they ran out of funding. But to leave it running and DoS people who need pages is just wrong. It goes against everything that information technology is about.

Hey NIST, if it’s really about running out of money, turn off your server instead of flipping everybody off.


Helaine asked me to tell you about a few classes.

ISSAP class runs 50 minutes M – F, 7:05 pm Central time. It’s only six weeks long, ending December 13, 2013.

If you are interested as a student of Expanding Security, you can use the coupon code for this class: GetAPdone


Come to class and see what we do. Please adjust your time to Central timezone.

October 17, 2013 Thursday

ISSMP – Pen Testing: night 19:05 CST http://vmlt.adobeconnect.com/issmp_m_18/

CISSP – Patch Management: early 7:00 CST http://vmlt.adobeconnect.com/f_18/

CEH – Social Engineering: night 20:00 CST http://vmlt.adobeconnect.com/ceh09/

Instructions: Click the link at the right time, Choose Guest, Type your name, Turn on your speaker, HAVE FUN!

…with Freedom, Responsibility, and Security for All.

Dean Bushmiller