Security Vendors and ISO 17799 and ISO 27002


So it’s interesting: yesterday I was in a vendor presentation about Building Automation Systems (BAS) and cabling systems.  One of their slides talked about how their products meet the ISO standards (ISO 17799).  Since I’ve been studying for my CISSP, I was thinking that I should know that one, but it was a 17799 number and I thought the security standards were the ISO 27000 series.  So I figured it would be a great reminder and a refresher to look it up.

After looking it up, here are the facts to remember:

ISO 17799 = ISO 27002

ISO 17799 was renumbered as ISO 27002 [1]: the 2005 revision of ISO/IEC 17799 became ISO/IEC 27002:2005 when the number changed in 2007, with the content of the standard left unchanged.  So a product that claims “ISO 17799 compliance” is pointing at the same set of controls under an obsolete number.

So that tells me that vendors just put numbers down to impress people; they really don’t know that it is an out-of-date standard that has been superseded by ISO 27002.

References:

[1] E. Conrad, 11th Hour CISSP Study Guide, Syngress, Burlington, MA, 2011, p. 14.


CISSP Study Updates: vBookz vs. Voice Dream

I am four chapters into Shon Harris’ CISSP All-in-One book, and I’ve been getting 60% to 70% on the end-of-chapter questions on the first try.  A few initial thoughts are as follows.

Shon Harris’ book is good, with lots of material, but her writing style is very wordy and long-winded, and her humor is not really my style and isn’t that funny.   I feel sometimes that I know there is a structure, but there are cases where it seems that we are just off on a tangent.   Don’t get me wrong, it was still relevant, but just off on a tangent.   There are other times where I feel that the book has a lot of repetition and is not very efficient in the way it communicates the 10 main domains.  But then again, there is a lot of overlapping material within the 10 different domains.   With all that said, there is a lot of great material in the book, and I think it will be a great reference book after I am done with the CISSP exam.

So this week, I was a bit behind on my reading… so I added 2 additional resources to help with my preparation.

1)  Because of how long it takes to get through Shon Harris’ book, I decided to try out Eric Conrad’s CISSP Study Guide.  I’ve already got the 11th hour study guide, but I thought I would give the regular study guide a go.

CAUTION: The domain numbers are different from the All-in-One book.  All domains are covered, but the domain numbers are different.  So be careful when you talk about a domain by its number alone.  Always refer to the actual domain name, for example the Access Control domain.

The initial thought is that the book is a lot thinner and not as wordy.  I think it is a good supplement to my CISSP study.  So the current goal is to use the All-in-One as the primary path and the different supplementary resources to help me out.

2) CISSP Meet up

Last Thursday, I joined a CISSP meetup group to meet with a small group of folks to chat about CISSP and get me to be more focused on my studies.  It’s a very small group, but they all seem to be very nice.  I hope we all pass in the near future.

3) In an earlier post, I talked about using a text-to-speech app to help me get through the books.  Well, I have to say, after about two chapters with the vBookz voice reader, I was very disappointed.  Here’s why.

  • Constant crashing and slowdowns on certain sections of the PDF file.
  • Acronyms.  It is very annoying how inconsistently vBookz reads acronyms: sometimes it reads them as they sound, sometimes letter by letter, and sometimes it even replaces the acronym with a word (e.g. for “CA” vBookz will read “California” when in context CA meant certificate authority).  Is there any way to set how vBookz reads acronyms?  If it were all read as letters I would be fine with that, but it is the inconsistency that bothers me and makes it hard to understand.
  • Split words.  In my document there are a lot of words that are split from line to line with a dash (-).  For example, the word “individuals” is split between two lines so it is now “individu-als”, and vBookz reads it as two words.  I can understand it most of the time, but there are times where it doesn’t make sense.
  • Bullets.  When vBookz reads a bulleted list it is just unbearable: “small bullet… xyz… small bullet… abc… small bullet…” on and on.
  • Page numbers, headers and footers.  There is no way for vBookz to skip any text, so when you are listening to a page it will inject the next page’s header and page number and continue reading.  It’s pretty disruptive.


So after emailing the author and looking around for alternatives, I decided to drop another $10 and try the Voice Dream app.  Oh my gosh, it was night and day!!!

I only wish I found this sooner.  This app actually took care of most of the concerns I had.

  • It automatically joins all split words.
  • It has a pronunciation dictionary that lets you set how you want words or acronyms pronounced.
  • It lets you skip text, so things like headers and footers can be skipped.
  • It lets you use a RegEx to define the filter for things to skip, so now I can also skip all the page numbers!!
  • Bonus: it treats the document like an audio file.  It tells you how much time is left until the end and how much has already been read.
  • Bonus: it can be controlled like an audio file with the earphone remote, etc.
  • Bonus: works with Dropbox and iCloud.

All in all, it is a very well-designed app and the WINNER between the two.

However, it does have a few bugs in this version, which I communicated to the app author, and he agreed to look into them.   I will update this blog if I see my suggestions implemented.

I think it was worth the $10 price tag.  Voice Dream is a much more refined and well-thought-out voice reader app than vBookz.

So all in all… I am slowly moving along in the certification studying process for CISSP, and it is sticky and nasty.

Other certifications to be considered

I know that I have barely started on my CISSP certification, but I am already looking at what will be coming up next.

As I stated from the beginning, I already started on my CWNA certification study as well; however, I will not continue full-on with that certification until I complete my CISSP certification in November 2013.  A few other certifications that I am considering are the following.

1) PMP Certification – Project Management Professional (PMP)  from Project Management Institute

2) ITIL v3 Foundation certification – Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.

I believe these certs will add to my credentials.  The CISSP should help with the ITIL cert, since there are some similar domains.

Question of the Day for CWNA studies

Although I have sort of put my CWNA studies on the back burner because I am focusing fully on the CISSP studies, I am still trying to do a simple CWNA review once a day.

CWNP.com offers a really good Question of the Day multiple-choice quiz.  It is a new question every day to test your wireless knowledge.  Check out the link below.

http://www.cwnp.com/qotd/

Since the question changes every day, when I finish answering it and get the correct answer, I use the Clip to Evernote extension in Chrome to keep a copy for future reference.  It is a great way to build up a free question library and a good way to keep your wireless knowledge fresh.

More study help and downloading flash streaming podcast as mp3s

So I am really bad at trying to stop looking for more free training material and start studying more… so I will share what I’ve found.

I think these overviews should not be your primary study material, but they are good to listen to in order to refresh what you read or to get your feet wet on each one of the domains.

First, more free video training.

SearchSecurity offers a FREE 10-video overview, one video per domain, based on Shon Harris’s CISSP All-in-One book.

http://searchsecurity.techtarget.com/feature/CISSP-Essentials-training-Domain-1-Security-Management-Practices

Just scroll to the bottom and click on the video.  You will need to provide a valid email address.  Also, the links to videos 6-10 are in the comments of each video page.


Second, as I mentioned in my previous post, there is a series of 10 audio podcasts based on Eric Conrad’s CISSP Study Guide.

http://booksite.syngress.com/companion/conrad/podcasts.php

The problem with Eric Conrad’s CISSP audio podcasts is that the audio files are streamed through a Flash application.  My iPhone doesn’t support Flash, and most browser plugins such as the FVD Downloader Chrome extension don’t detect the audio files, so I can’t download them that way.  Since this is a security / hacking blog, here is a tip.

tl;dr: USE rtmpdump

So how I found this solution is as follows:

1. In Chrome, I used Inspect Element and the Resources tab.  Look under

podcasts.php / XHR / mp3_playlistXML.xml

I found this

http://booksite.syngress.com/companion/conrad/mp3_playlistXML.xml

Each line in the XML file gives the location of one file, and it is streamed over RTMP.

For example first podcast,

<videoname flvurl="rtmp://media.us.elsevierhealth.com/conrad_cissp_study_guide_mp3s/mp3:domain_01" desc="Podcast 1 - Domain 1"/>

2. So I found RTMPDump (RTMP = Real Time Messaging Protocol), and in short:

 rtmpdump -r "rtmp://media.us.elsevierhealth.com/conrad_cissp_study_guide_mp3s/mp3:domain_01" -o domain01.mp3

Repeat for all the other domains and MP3s.  There you go.  I hope it helps.

Access Control Authentication Factor based on Location

While I was listening to Eric Conrad’s podcast, which by the way is another free CISSP resource, I learned something new that I thought was interesting.  When I was getting my master’s in Information Assurance from ISU, whenever we talked about multi-factor authentication, we always talked about three unique factors.

  • Something you know (e.g. passwords, passcodes)
  • Something you have (e.g. key fobs, ID cards, key cards, tokens)
  • Something you are (e.g. biometrics such as finger print, DNA, retina or iris scan)

This is covered in every IA/security textbook, but Conrad talked about something that I had thought about but never really considered its own category:

  • Where you are located (e.g. gps location)

This is very interesting because, for the first time in human history, we can actually locate almost every user thanks to the ubiquitous use of cellular phones.   This means that your location can be an authentication factor.

For example, suppose a location is assigned to the computer or device that you are trying to access.  When you attempt access, the device verifies your reported location to see whether you are in proximity to where it is, and that check provides a second factor of authentication.  However, this should only be used as a secondary factor and not as the primary means of authentication: a location report can be spoofed or stale, so a failed check should trigger another second factor rather than replace the primary one.
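The proximity check described above, as an added example (not code from the post or from Conrad's book): the primary factor is checked first, the reported fix must be recent, and the great-circle distance between the reported position and the location assigned to the device must fall within a radius.  The 100 m radius, the 300 s freshness window, and the "step-up" outcome on failure are assumptions chosen for illustration.

```python
"""Location as a secondary authentication factor.  Example code for this
post; radius, freshness window and outcomes are illustrative assumptions."""
import math
import time

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def location_factor_ok(assigned, reported, radius_m=100.0, max_age_s=300, now=None):
    """True if the reported fix is fresh and within radius_m of the assigned spot.

    assigned: (lat, lon) configured for the device being accessed.
    reported: (lat, lon, unix_timestamp) sent by the user's phone.
    A fix from the future or older than max_age_s is rejected: replayed
    location reports are the obvious way to cheat this factor."""
    now = time.time() if now is None else now
    lat, lon, ts = reported
    if ts > now or now - ts > max_age_s:
        return False
    return haversine_m(assigned[0], assigned[1], lat, lon) <= radius_m


def authenticate(password_ok, assigned, reported, **kw):
    """Primary factor first; location only ever adds a second hurdle.

    Returns "deny" when the primary factor fails, "allow" when both pass,
    and "step-up" when location fails, meaning the caller should demand
    a different second factor (token, OTP) instead of refusing outright."""
    if not password_ok:
        return "deny"
    if not location_factor_ok(assigned, reported, **kw):
        return "step-up"
    return "allow"


if __name__ == "__main__":
    office = (47.6062, -122.3321)          # assumed location of the device
    now = time.time()
    print(authenticate(True, office, (47.6062, -122.3321, now)))   # allow
    print(authenticate(True, office, (48.6062, -122.3321, now)))   # step-up
    print(authenticate(True, office, (47.6062, -122.3321, now - 3600)))  # step-up (stale)
```

Note that this only ever narrows access: a correct password plus a bad location does not grant anything, and a correct location without the password grants nothing either, which is what "secondary factor" means in practice.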

What is interesting is that I actually did research on this topic back in 2010.  I presented a short IEEE paper in Macau on Secondary User Authentication Based on Mobile Device Location.

Now, I don’t completely agree that this should be its own factor of authentication; I believe it is a subset of “something you have”.  The reason is that in order for you to have a location, you must have your cellphone or some sort of device that transmits or provides location capability.  In that case it is no different from having a key fob or an ID card.

But it is still interesting to see that Conrad considers location a factor of authentication.


Free CISSP Class from IT Masters and Charles Sturt University in Australia


IT Masters and Charles Sturt University in Australia are offering, for free, a six-week online course designed to prepare students for the Certified Information Systems Security Professional (CISSP) security certification.  This type of course typically costs around $1,500 to $3,800 US.

The course will run over six weeks starting Wednesday, July 17, 2013 (tomorrow), with lectures via weekly 90-minute webinars from 12:30-14:00 AEST (7:30 pm PDT) each Wednesday.  Because of the high demand, they are also opening a second class from 15:00-16:30 AEST (10:00 pm PDT).  The classes will be available for video download if you can’t make the live session.   In addition, students will be asked to do a total of 10-12 hours of study between webinars.

So what are you waiting for?  Go register and see you in class!!!

Link: http://www.itmasters.edu.au/free-short-course-cissp-security/

CISSP Study Guides

The following are the two study guides that we are using as the basis for our study guide.  The current plan is to use them as the primary texts for our study group.

The secondary references that we are using are as follows:

[Updated 2019-06-30 -with links to updated books]

About: Min

Hello, my name is Min.  I received my bachelor’s in Electrical Engineering from Auburn University and my master’s in Information Assurance from Iowa State University.  I am also a Washington State licensed Professional Engineer (PE) in Electrical Engineering.  I was formerly a Cisco Certified Network Associate (CCNA).  But all that is irrelevant… since I am now focused more on learning challenges.  Feel free to leave any comments.

Welcome to Certification Circus

This project or goal has been a long time coming.   After many years in the telecommunications and information security business, I finally decided to get back into re-upping my certifications and improving my technical credibility.  This website will capture what I’ve learned each day and highlight some key points and tips to help myself and others who are also trying to get their certifications.

So the first two certifications that I am planning to obtain are the CWNA and the CISSP.

CWNA (Certified Wireless Network Administrator) – This seems like a strange certification to obtain; however, since I’ve been working in the wireless consulting business for over 6 years now, it is good to have more detail on 802.11-based wireless technology.   The good thing about this certification is that it is vendor neutral.   I find that vendor-specific certifications are good, but they are very limiting in opening you up to the different options that are out there.  This certification is vendor neutral and talks more about the technology and best practices.  I know I will probably have a better explanation of this certification by the end of this process.  The follow-up to this certification is the CWNP (Certified Wireless Network Professional).

CWNA: Certified Wireless Network Administrator Official Study Guide: Exam PW0-105 ~$38

The second certification that I am planning to start studying for in the next few weeks is Certified Information Systems Security Professional (CISSP).

CISSP is another vendor-neutral, security-based certification.  Since I’ve got my MS in Information Assurance, I think the CISSP will galvanize my knowledge and highlight my expertise.

CISSP All-in-One Exam Guide, 6th Edition by Shon Harris   ~$50

Welcome to Certification Circus!