Art of Information Security

Art of Information Security endorses Dan Houser for (ISC)² Board of Directors

The CISSP is undoubtably one of the most, if not the most, important professional certifications in Information Security. Many organizations and practitioners rely on it as evidence of a solid foundation and track record in Information Security. But the CISSP is only one of the many ways that the (ISC)² attempts to fulfill its mission of developing the Information Security profession.

Board membership is a role of governance, guidance, and passion. Let’s briefly explore how Dan’s track record and past contributions demonstrate his qualification for this post, and possibly your vote.

Passion

Dan is someone who has a passion for promoting and developing the talent needed to continue to grow and mature our profession. Anyone who has seen Dan speak at conferences, local chapter meetings, or in one of his classes knows how passionate Dan is! But anyone who takes the time to approach him knows that he is no ideologue or zealot; Dan is always interested in improving his own understanding, and then sharing that knowledge with others.

Dan has a long track record as a contributor - as a “giver” - to the profession. In addition to teaching over a dozen CISSP review courses, he has also served on multiple (ISC)² committees, is one of the authors of the ISSAP Body of Knowledge (cryptography), and has published primary research on professional certifications. He is also the founder of the monthly Columbus, Ohio Information Security MBA (Masters of Beer Appreciation) meeting - a professional roundtable that attracts practitioners from across the state.

Governance and Guidance 

In addition to past experience serving on (ISC)² committees, which I assume led to the current board’s nomination, Dan has served on numerous Boards of Directors including local and regional community organizations, ISSA chapters,and several Toastmasters clubs. 

Personal Experiences

I have known Dan for almost three yeas. Dan and I have collaborated on a number or projects, including a half-day Cryptographic Controls Seminar and a full-day Identity Management Architecture class. It is my feeling that when you collaborate, work closely, and travel with someone, you really get to know them. You get to do more than hear about their College Sweethearts (which, for Dan, is Rebecca, his wife of 21 years), but you also get to understand their ethics, how they really conduct themselves, how they deal with stress, etc.

Given the entire picture, the understanding that I have of Dan Houser, I can think of no one better suited to representing, guiding and developing the (ISC)². I have voted for Dan, and I hope that you will consider doing the same.

Here is the voting link for (ISC)²: https://webportal.isc2.org/custom/votenow.aspx

Cheers, Erik

The problem with most video surveillance is that it is not actively monitored. It is recorded so that events can be reconstructed at a later date. While this may prove to be an effective deterrent in many situations, this does limit the effectiveness (and the cost of operation) of the surveillance system.

Of course, a major problem with that approach is that the “persons of interest” are long gone by the time the video shows that “yep, you can definitely see some guy cutting off that lock and stealing that…”.

Another problem is that unless the equipment is being checked on a regular basis, it may be defeated (or just broken) for a long time before any problems are identified.

In the photo to the right, an NYC artist William Lamson, has created an interesting photo of hacking (or blocking) a security camera with a helium balloon. This is such a simple and inexpensive attack on the video surveillance camera that I am shocked I haven’t seen this before. I am also certain that the appearance of this in a TV or movie plot is imminent. It would have been pretty simple to use two balloons to block the camera without providing the nice tether to “fix” the problem.

Digital photography is a hobby of mine, and I have a mild obsession for photographing physical security faux pas (which to date has not resulted in any ‘Imperial Entanglements’ ). So I am going to use Mr. Lamson’s photo to kick off a new category (and series) on Art of Information Security, called “Security faux pas” - stay tuned…

Cheers, Erik

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

• Certified Information Systems Auditor (CISA) : http://www.isaca.org/cisa/
• Certified Information Systems Security Professional : https://www.isc2.org/cissp

Are You Ready ?
A few basic questions to ask yourself to gauge how ready you are:

• Do I meet the spirit, and not just the letter, of the experience requirements ?
• Has there been sufficient diversity in my experience ?

Five Step Approach to CISA or CISSP Exam Preparation

1. Perform an initial benchmark and assessment of your readiness
2. Read a “survey” level preparation guide cover to cover
3. Perform a secondary benchmark, and compare your readiness
4. Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
5. Re-benchmark, and repeat targeted reviews until ready

Countdown to Black-Hat COFEE Device Begins !

The Seattle Times is reporting today that Microsoft has developed the ultimate hacker tool for Windows. Of course, MS doesn’t consider it a hacker tool, they describe it as a computer forensics tool. Here is a quote from the article:

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

Of course, on the one hand MS has developed a forensic tool for use by authorized law enforcement agents. They have also produced a compelling proof of concept that their operating system’s security can be soundly defeated anytime an attacker has physical access. And they have also created a treasure trove of exploits to be reverse engineered.

It is well documented that cybercrime is not only big business, but that it is highly organized. The fact that, in the cybercrime underworld, there are markets for stolen data, toolkits (such as the Rock Phish Kit), and services (such as renting time on Botnets) is a strong demonstration of how organized (and profitable) cybercrime is. Microsoft has now defined a new Holy Grail for those organizations to pursue. The CSI/FBI computer crime report consistently demonstrates how significant the Insider Threat is, and clones of the COFEE will make those individuals that much more dangerous.

Also, the reverse engineering of one of these devices would certainly be of great value to the black hat community, and do potentially long term harm to desktop security. The fact that there are 150 exploit functions on the device written by Microsoft’s own, with their privileged knowledge, makes this device worth its weight in gold (or perhaps plutonium).

Given the number of governments that have been accused of either participating with or shielding cyber criminals, it is only a matter of time before these devices are reverse engineered and duplicated. Of course, it may not be necessary for the black hat community to acquire one to reverse engineer it. Many countries require public documentation of how evidence is collected and preserved. So it may only be a matter of time before Microsoft finds itself providing direct testimony, as other forensic product companies have done, on the exact workings of COFEE.

- Erik