Category Archives: Security

I PASSED THE CISSP EXAM!!!

I found out on December 20th that I actually PASSED the CISSP exam!  I can’t believe it. After a VERY long wait, I am pleased to offer an excerpt from the email from (ISC)² offering congratulations:


Congratulations! We are pleased to inform you that you have passed the Certified Information Systems Security Professional (CISSP®) examination – the first step in becoming certified as a CISSP.

I am still in shock. I was not confident at all that I would pass! The test was pretty darn hard! It was the hardest test I have ever taken, actually.  By far.  The wait was excruciating. The results took an abnormally long time. I guess a huge number of people took the exam on the same test date as I did (November 6, 2010) and it took a long while to grade. Six full weeks! I guess a lot of military personnel and contractors were trying to get certified before the end of the year, so that date became the last one where one would get the results before the end of the year (although those who took it a week after me received their results before me) and thus was a very popular test date.

It was by far the best Christmas gift I received this year!

Merry Christmas everyone (fourth day of Christmas?)! Happy Holidays, and here’s to a very Happy New Year.

Blessings to you all.

I passed! WOO HOO!


The Door Exam: A CISSP Exam Analogy

The Garage Door Domain has its ups and downs

It has been about 10 days since I took the CISSP exam and still I am dreaming all things security. Literally dreaming, at night while I am trying to get restful sleep. This time I dreamed up an analogy to the whole CISSP preparation and exam that I think can be appreciated and found humorous.

Preparing for the CISSP exam is like studying for a certification exam on doors.

Not everyone needs to be certified. If you merely use doors, you most likely don’t need to be certified. But if you install doors (especially unusual doors), or if you wish to design doors (especially with specific purposes in mind), you may want to prepare for and pass the door exam and get door certified.

Certification has advantages. Being door certified tells the world that you are qualified on all things related to doors: hinges, knobs, the door-y part. Just by having the certification, good things can happen to you; you may have more opportunities. The certification could open many new and exciting doors.

Experience is essential. Let’s say you’ve been studying one of the bodies of concentration, the garage door domain. If you have installed a garage door before, you will be able to relate and bring something experiential to the exam. If you install garage doors for a living, you probably will have no problems with this domain. If you design garage doors and their installation, write the documentation and are in charge of sales, then you can consider yourself an expert on the garage door domain and you will have very few problems with this subject on the exam. Your experience will help you with questions regarding spring sizes and radio frequencies. You should memorize sizes and frequencies, but there won’t be any questions about them on the final exam. The question on the final exam will be something like: what is the worst type of garage door opener to use around bombs? You won’t know the answer 100%, but your experience should help you narrow it down to an educated guess.

Some questions are designed to trick you. You have to immerse yourself in the (ISC)² world. Let’s say you get a question from the farm door domain.


The question is: what color should a barn door be? You’ve narrowed the answers to “Red” and “Red & White”. In reality a barn door can be whatever color the farmer wishes it to be, but you have to know what color the barn door is supposed to be on the (ISC)² farm, er, I mean in the (ISC)² world. The question may also be negatively worded, like: The color of barn doors is essential to the function of the entire farm, not just the barn. Which of the following colors is the worst color to use on a barn door: A Red, B White, C Black, D Brown. Of course the answer is brown. However, none of the practice tests will explain why the correct answer is the most correct and the others less so, just that D is the best answer. Shon Harris will have had a 3-minute segment on the color of barn doors which starts out, “Now, what is a barn door? We’ve talked about that before. The color of barn doors is essential to the function of the entire farm, not just the barn…” And some smart dude from India submitted the question. If he can get the color right then you should too. Duh. Moron.

Study deep. You may have a clear understanding of the different types of opaque doors used in residential, commercial, industrial and high-security settings, both internal and external. You may understand the different types of glass used in internal sliding patio doors, external restaurant drive-thru doors, 1980s computer monitors, the 12-inch by 12-inch glass used in oatmeal factory doors, and the bullet-proof plastic used in jails. You may understand the purpose and the placement of the sticker that states “THIS DOOR TO REMAIN UNLOCKED DURING BUSINESS HOURS” and understand the history of why there was no business before the creation of the sticker. But the question on the final exam will be: what is the best type of opaque material to use in airplane cockpit sliding doors while flying over areas that are highly populated with penguins? The answer will have to do with cold temperatures, the number of drinks served on a transatlantic flight and how many passengers breathe through their nose. However, the answer choices will reflect this.

I am still waiting for the results of the exam. I feel pretty calm about it. Hopefully I got enough right to pass!

-Durk-

Security Software Review: KeePass Password Safe

Remember when you used to have passwords Post-It noted to your monitor?  Then you got all stealth and hid the sticky notes under your mouse pad?  Then you graduated to a notebook locked up in a drawer?  And finally to a spreadsheet that has very little protection other than that you have to hunt all over for it when you really need it?  Yeah, been there!  But that was “so 2009”.  We all struggle with password management, but I found an end-all, multi-layered solution:  KeePass Password Safe.

So here are the basic features. KeePass is FREE.  It is open source and OSI certified.  It is portable, so it can be run from a flash drive.  It uses real security, the AES (Rijndael) and Twofish algorithms, to encrypt its password databases, and SHA-256 to hash the master key.  It has an auto-type feature.  It auto-locks after a few minutes of inactivity (the timeout is configurable).  And it has a password generator feature!  Throw this all together and it is pretty sweet!

I installed the portable version on a USB drive and I used double authentication right away.  The program requires a master password (one per database) and you can also create a key file, a file of random key material, for the program to authenticate against.  I keep this key file on a different USB drive.  So already one must have both USB drives to use the program; an attacker would have to get hold of the key file and then brute-force the password, since the two are combined into a single master key and neither one alone unlocks the database.  I also saved a backup of the database and key file to a third USB drive that does not have the KeePass program on it.  Layered security.
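To make the password-plus-key-file layering concrete, here is an added example (my own code, not KeePass's) of how a KeePass-style composite key is built and why a key file defeats a dictionary attack on a weak master password. KeePass hashes the password with SHA-256, appends the 32-byte key-file key, hashes the result with SHA-256 again, and then runs many AES-based key-transformation rounds. This example reproduces the composite step with hashlib and substitutes PBKDF2-HMAC-SHA256 for the AES rounds (an assumption made so that it runs on the standard library alone), so the keys it produces are not interoperable with real .kdb/.kdbx files. The wordlist, transform seed and key file are constructed.

```python
"""KeePass-style composite master key: password + key file (added example).

Reproduces KeePass's composite step (SHA-256 over SHA-256(password) ||
key-file key) with hashlib.  The AES key-transformation rounds that real
KeePass databases use are replaced here by PBKDF2-HMAC-SHA256 so the
example needs only the standard library; that substitution is an
assumption, and keys produced here do not match real .kdb/.kdbx files.
"""
import hashlib
import secrets
from typing import Optional


def key_file_key(key_file_bytes: bytes) -> bytes:
    """32-byte contribution of a key file.

    Mirrors the KeePass rules for non-XML key files: a 32-byte file is
    used as-is, a 64-character hex file is decoded, and any other file
    contributes its SHA-256 hash.  (KeePass's XML key-file format is
    not handled here.)
    """
    if len(key_file_bytes) == 32:
        return key_file_bytes
    if len(key_file_bytes) == 64:
        try:
            return bytes.fromhex(key_file_bytes.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex: fall through and hash it like any other file
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(password: Optional[str], key_file_bytes: Optional[bytes]) -> bytes:
    """SHA-256( SHA-256(password) || keyfile_key ), each part optional."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        parts += key_file_key(key_file_bytes)
    if not parts:
        raise ValueError("at least one key source (password or key file) is required")
    return hashlib.sha256(parts).digest()


def master_key(password: Optional[str], key_file_bytes: Optional[bytes],
               transform_seed: bytes, rounds: int = 6000) -> bytes:
    """Slow the composite key down.  KeePass uses N rounds of AES keyed by
    the database's random transform seed; PBKDF2 stands in for that here."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file_bytes),
                               transform_seed, rounds)


# Constructed wordlist; a real attacker would use millions of leaked passwords.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]


def dictionary_attack(target_key: bytes, transform_seed: bytes,
                      key_file_bytes: Optional[bytes]) -> Optional[str]:
    """Try each wordlist password with whatever key file the attacker holds.

    Returns the recovered password, or None.  Without the right key file
    no guess can match, so the password's weakness cannot be exploited.
    """
    for guess in WORDLIST:
        if master_key(guess, key_file_bytes, transform_seed) == target_key:
            return guess
    return None


def demo():
    """Same weak password, with and without a key file."""
    seed = bytes(range(32))                # constructed; real files store a random seed
    key_file = secrets.token_bytes(32)     # constructed 32-byte key file
    weak_password = "letmein"              # deliberately present in WORDLIST

    password_only = master_key(weak_password, None, seed)
    with_key_file = master_key(weak_password, key_file, seed)

    return (
        dictionary_attack(password_only, seed, None),      # "letmein": password alone falls
        dictionary_attack(with_key_file, seed, None),      # None: attacker lacks the key file
        dictionary_attack(with_key_file, seed, key_file),  # "letmein": key file stolen too
    )


if __name__ == "__main__":
    print(demo())
```

The third result is the one to keep in mind when both USB drives share a keyring: once the key file is in the attacker's hands, the master password is again the only thing standing between them and the database, so it still has to be a strong one.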

First I simply added a few existing accounts to KeePass.  I use IE and Firefox at work.  I use tabs in each browser and have specific tabs open every day in each browser.  Some are company intranet pages and some are Internet websites.  You have to build your database in KeePass, but once you do it is very easy to use: once your cursor is at the login prompt you press the global auto-type hotkey (Ctrl+Alt+A by default) and KeePass fires off its auto-type sequence: username, Tab, password, Enter!  And wham, you are logged in!  The sequence is customizable as well.  KeePass uses the title of the active window to determine which entry it should use.  KeePass also works with programs, not just browsers.
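Here is an added example (my code, not KeePass's) of the two pieces that paragraph describes: picking an entry by window title and expanding its auto-type sequence. KeePass matches an entry when the window title contains the entry title, or when one of the entry's explicit target-window patterns matches (simple `*` and `?` wildcards; the `//regex//` form is not reproduced), and the default sequence is `{USERNAME}{TAB}{PASSWORD}{ENTER}`. Nothing is sent to a window; the keystrokes come back as a list. The entries, patterns and window titles are constructed, including one deliberately over-broad pattern to show what a loose match does.

```python
"""Auto-type in the style of KeePass (added example, not KeePass's code).

KeePass picks the entry to type by looking at the active window's
title: by default an entry matches when the window title contains the
entry title, and an entry can also carry explicit target-window
patterns with '*' and '?' wildcards (KeePass's '//regex//' form is not
reproduced).  The chosen entry's sequence is then expanded; the default
is {USERNAME}{TAB}{PASSWORD}{ENTER}.  Nothing is sent to a window here:
the keystrokes are returned as a list so they can be inspected.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_SEQUENCE = "{USERNAME}{TAB}{PASSWORD}{ENTER}"


@dataclass
class Entry:
    title: str
    username: str
    password: str
    url: str = ""
    window_patterns: List[str] = field(default_factory=list)  # explicit target windows
    sequence: str = DEFAULT_SEQUENCE


def matches(entry: Entry, window_title: str) -> bool:
    """Title-substring match (KeePass default) or any explicit wildcard pattern."""
    if entry.title.lower() in window_title.lower():
        return True
    return any(fnmatch.fnmatchcase(window_title.lower(), p.lower())
               for p in entry.window_patterns)


def select_entries(window_title: str, entries: List[Entry]) -> List[Entry]:
    """All entries that match; KeePass shows a chooser when more than one does."""
    return [e for e in entries if matches(e, window_title)]


_TOKEN = re.compile(r"\{([^}]+)\}|(.)", re.DOTALL)


def expand_sequence(entry: Entry, sequence: Optional[str] = None) -> List[str]:
    """Turn '{USERNAME}{TAB}{PASSWORD}{ENTER}' into the keystrokes to send."""
    keys: List[str] = []
    for placeholder, literal in _TOKEN.findall(sequence or entry.sequence):
        if literal:
            keys.append(literal)            # a literal character is typed as-is
            continue
        name = placeholder.upper()
        if name == "USERNAME":
            keys.append(entry.username)
        elif name == "PASSWORD":
            keys.append(entry.password)
        elif name == "URL":
            keys.append(entry.url)
        elif name == "TITLE":
            keys.append(entry.title)
        elif name in ("TAB", "ENTER"):
            keys.append(f"<{name}>")        # special key, shown symbolically
        else:
            # Refuse unknown placeholders rather than typing something unintended.
            raise ValueError(f"unsupported placeholder {{{placeholder}}}")
    return keys


# Constructed entries and window titles.
ENTRIES = [
    Entry("Intranet Portal", "dsmith", "Pa55-intranet",
          window_patterns=["*Intranet Portal*Internet Explorer"]),
    Entry("Bank", "dsmith", "Ì:-Ôðµg¤É", "https://bank.example",
          window_patterns=["*Bank*"]),     # too broad: fires on any window mentioning a bank
    Entry("Photo Site", "durk", "x)Y[2q~", "https://photos.example",
          sequence="{USERNAME}{ENTER}{PASSWORD}{ENTER}"),   # two-step login form
]


def demo():
    """Which entries would fire for three window titles, and what one of them types."""
    return {
        "intranet": [e.title for e in select_entries(
            "Intranet Portal - Windows Internet Explorer", ENTRIES)],
        "bank": [e.title for e in select_entries(
            "Online Banking - Mozilla Firefox", ENTRIES)],
        "lookalike": [e.title for e in select_entries(
            "Your Bank Security Check - Mozilla Firefox", ENTRIES)],
        "photo_keys": expand_sequence(ENTRIES[2]),
    }


if __name__ == "__main__":
    print(demo())
```

The "lookalike" result is the check worth doing on your own entries: a pattern like `*Bank*` fires for any window whose title contains the word, including a page that merely claims to be your bank, so scope target-window patterns as tightly as the real login page's title allows and keep an eye on the chooser KeePass pops up when more than one entry matches.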

Have multiple Facebook accounts (hey, sometimes I just feel like a 14-year-old girl)?  No problem: select the entry in KeePass and press Ctrl+V to auto-type that entry (Ctrl+C copies just its password to the clipboard), and the login and password for that individual account are used.  (I was kidding about the 14-year-old girl thing…really…)

I was one of the suckers who had a RockYou.com account that got hacked (I used to use it to store eBay pics).  And yep, the login and password I used were pretty much the same ones I used for everything!  To their credit they sent out several emails letting their users know what happened.  About this time I was testing the waters with KeePass, so I decided to step things up a bit.  I used the password generator feature to create a password that was not only random but whatever length I chose, and I had the option of mixing uppercase, lowercase, digits, underline, minus, space, special, brackets and even high ASCII characters!  How is this for ugly: Ì?:-Ôð?µg¤É;³$®7u?z??Êi¦×á_?Ñ? Or this:  붐>aG»q ?ÜT?ú-©Îç mvÀ/Reí$D?  So now I have a randomly generated password that is so ugly I couldn’t remember it if I wanted to!  PERFECT!   KeePass displays the password as asterisks, but you can toggle to plain text if you actually wish to see it.

The next step was to use the program as I signed up for new accounts, spideroak.com, snapfish.com, animoto.com, etc.  Yeah, I’ve been messing around with online storage and picture sharing lately, but I digress.  I don’t know the passwords to any of these new sites!  But I feel secure that they are safe in KeePass!

A bonus is that you start to get a feel for how secure websites really are.  Picturetrail.com limits passwords to 6 characters and only alphanumeric.  But zumodrive.com allows 20-characters and I was able to add brackets and special characters.
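The generator options from the RockYou paragraph and the two site policies just mentioned fit in one added example (my code, not KeePass's generator): a CSPRNG-based password generator with KeePass-style character classes, plus the entropy a given policy actually allows. The class sets approximate KeePass's options; the "high ASCII" set is taken to be Latin-1 0xA1 through 0xFF, which is an assumption. The two policies are constructed from what the text reports about picturetrail.com and zumodrive.com.

```python
"""CSPRNG password generation with KeePass-style character classes, and
the entropy a site's password policy allows (added example; not KeePass's
generator).  The character classes approximate KeePass's options; the
'high_ascii' set is taken to be Latin-1 0xA1-0xFF (an assumption).
Site policies below are constructed to mirror the two sites in the text.
"""
import math
import secrets
import string
from typing import Dict, Iterable

CLASSES: Dict[str, str] = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "underline": "_",
    "minus": "-",
    "space": " ",
    "special": "!\"#$%&'*+,./:;=?@\\^`|~",
    "brackets": "()[]{}<>",
    "high_ascii": "".join(chr(c) for c in range(0xA1, 0x100)),  # assumption, see docstring
}


def alphabet_for(classes: Iterable[str]) -> str:
    """Union of the selected classes with duplicates removed."""
    return "".join(dict.fromkeys("".join(CLASSES[c] for c in classes)))


def entropy_bits(length: int, classes: Iterable[str]) -> float:
    """Bits of entropy for a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet_for(classes)))


def generate_password(length: int, classes: Iterable[str], require_each: bool = True) -> str:
    """Uniform random password from the OS CSPRNG (secrets, never random).

    With require_each, passwords missing any selected class are rejected
    and redrawn.  That removes some strings from the space (a small
    entropy cost) but satisfies sites that demand one of each class.
    """
    classes = list(classes)
    if require_each and length < len(classes):
        raise ValueError("length too short to include every selected class")
    alphabet = alphabet_for(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


# Constructed policies for the two sites mentioned above.
POLICIES = {
    "picturetrail.com": {"max_length": 6, "classes": ["upper", "lower", "digits"]},
    "zumodrive.com": {"max_length": 20,
                      "classes": ["upper", "lower", "digits", "special", "brackets"]},
}


def strongest_for(site: str) -> Dict[str, object]:
    """Best password the policy permits, plus the entropy it actually buys."""
    policy = POLICIES[site]
    return {
        "password": generate_password(policy["max_length"], policy["classes"]),
        "bits": round(entropy_bits(policy["max_length"], policy["classes"]), 1),
    }


if __name__ == "__main__":
    for site in POLICIES:
        print(site, strongest_for(site))
```

Six alphanumeric characters come out at about 35.7 bits, which an offline attacker with a stolen hash can exhaust; twenty characters from a 92-symbol alphabet is about 130 bits. That gap is what the "feel for how secure websites really are" amounts to in numbers, and it is the reason to let the generator use every class a site accepts.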

Lifehacker.com likes KeePass and wrote this article about KeePass plug-ins.

OK, yep, if I lose the USB drives I am kinda screwed (they are all on the same keyring, which is not smart).  But only until I get the backup database and key file (maybe from a file sharing site?  Yes, after I use the “forgot password” button) and download the program again.  But then I will actually have a neat list of all the passwords that need to be changed, plus a password generator to assist!

I encourage you to check out KeePass, ease into it and then THINK LAYERED SECURITY!