The Benefits of Late Adoption

Perhaps my greatest shortcoming as a nerd is my reluctance for early adoption of technology; I simply have no interest in the latest, bestest, newest, coolest gadgets on the market.

Yes, this can cause me to lag in my estimation of IT solutions. Yes, I am mocked (and rightly so) by students and colleagues when I tell them I still have an AOL email account. Yes, I am old and everybody should get off my lawn. But there is also an upside to late adoption:

- Huge cost savings. Huge. I can wait two years for the novelty of a thing to wear off, and get a much-reduced price when I get around to buying it. This is especially true in software, and especially especially true for games.

- I'm never involved in the proof of concept. Back when I was a young (read: stupid) man, I bought the first year-model of a new car. Within the first year of owning it, all the defects and design problems inherent in that model became quickly apparent, and there were multiple recalls. Waiting a while to buy a thing means that the first wave of customers have taken the brunt of field testing, and the thing is now ready for actual regular use.

- No false sense of security. The latest suite of products is often seen as inviolable because it uses the latest security protocols and tools; this can lead to sloppy practices and habits (like crafting and transmitting data with sensitive info, even when it could be avoided) because users place reliance and trust in the product. This puts them one zero-day exploit away from feeling very silly.

- Strangely enough, legacy platforms may be more secure in some ways than their new-fangled replacements...mainly because aggressors won't actually believe that those legacy products are still being used for viable purposes, and won't include legacy attack methods/gear in their toolkits. I mean, I really don't think the script-kiddies even know what AOL is, much less how to hack it. Sure, a dedicated adversary won't have a tough time getting the proper attack tools once they know a target is using a legacy system, but a dedicated adversary is going to get in eventually, regardless of the age of your platform.

- Utility/productivity is always a tradeoff with risk and security. The more I can do with a tool, the more I can lose. Losing a 256K flashstick in a hotel lobby will cause me a lot less damage than dropping a 2Tb flashstick. My old flipphone had no identifying data on it (other than some texts and a rudimentary Contacts list), in stark contrast to my smartphone (which, I think, has my DNA, cocktail preferences, innermost thoughts, and secret cookie cravings embedded in the BIOS).

No, I'm not saying that everyone should immediately regress to a Luddite position of rolling back three generations of tech in order to gain some slight advantage...but buying up the latest and greatest shiny boxes and zippy software is not the best choice, either.

My Favorite (and Least Favorite) Security Moment of 2017

I was preparing to teach a class in another city, and communicating via email with the POC at the client site. In addition to explaining about the location, parking, and so forth, the POC included this tidbit:

"Upon first entering the facility, you can pick up your security badger at the reception desk."

I have never, ever, been more disappointed by a typo.

CISSP CAT Format Feedback, Part 2

A second former student has reached out with some feedback...he passed, as well! Smart class, that.

Here's what he had to say (and he says he's glad to answer questions about the experience, too, and will be checking the blog Comments, so feel free to chime in):

"Since you probably haven't gotten much feedback about the CAT yet, I thought I would provide you with my preparation strategy and exam experience.

Here were the study materials I used and their usefulness (in no particular order):

Classroom notes - 10/10 - This is where I began my studying and it helped me tailor my studying to topics I was unfamiliar with.

The Official CBK CISSP text - 1/10 - I used it during class for subjects I had absolutely no familiarity with, but in general, there is too much information to internalize and a lot of rabbit holes that the exam will simply not ask about. Not to mention it's unbearably dry.

Eric Conrad's 11th Hour CISSP Study Guide - 9/10 - Effectively a condensed version of the most important CISSP topics. There were a few areas that may require additional reading (i.e. RMFs) but in general, this is an excellent text reference.

Kelly Handerhan's Cybrary video series - 10/10 - This was by far the most useful resource I used. If I had the time, I would have watched the full series twice, taking copious notes. She also offers an excellent bit of advice about approaching the exam with a managerial mindset, rather than a troubleshooting or technical one.

Phil Martin's Simple CISSP - 10/10 - I found this book on Audible and listened to it during my commutes. The author narrates in a very slow, deliberate, and clear Texan drawl, clearly explaining even some of the most difficult subjects.

Sybex Test Questions - 5/10 - Compared to the actual exam, the practice questions in the Sybex bank are so-so. Many of them ask about details the exam couldn't care less about; many more of them are simply too easy and direct. (For example, the exam will never phrase a question such as "blah blah blah describes which security control/process"). There aren't enough "which of these is the BEST/MOST accurate," which is the entirety of the exam.

Transcender Test Questions - 7/10 - This bank contains many more of the BEST/MOST accurate style questions, but still not enough to truly simulate the exam. Fun fact: if you purchase the bank from Transcender, six months of access is $160; if you buy it through Cybrary (via the Kelly Handerhan videos, which are free), access is only $40. That's a useful bit of knowledge for the financially-minded."

Great stuff to know, and really glad he offered to share.

New Year, New CISSP Exam

Just in time for 2018, the CISSP exam from ISC2 has converted from standard multiple-choice format to a Computerized Adaptive Testing model for exams delivered in English (foreign-language versions of the test currently remain in the traditional format). This means that instead of the grueling 6-hour, 250-question test, CISSP candidates now face only 100 to 150 questions, in a maximum of three hours.

Depending on your success with multiple-choice tests, and your personal technique, the new experience could be either a massive boon or a ridiculous hurdle to get the certification.

I got my CISSP back when the test was in the traditional format...and done with pencil and paper. I have no clue how I'd do on the current version.

I have, however, received feedback from the first of my students to take the new version of the test: they passed! Their exam was also only 100 questions long (meaning the student demonstrated sufficient command of the material so that the testing engine didn't have to throw more questions at the student), and it took the student an hour to complete. Perhaps most interesting, this particular student is not an IT practitioner, but is familiar with the industry in other roles. Main impression? The student repeated what I always try to stress to anyone taking one of the certification tests: READ. THE. FULL. QUESTION. Make sure you read it completely, and understand what's being asked, and that you read all of the possible responses.

The exam is still being administered by PearsonVUE, and you can download the outline from ISC2's website.

Have you taken the exam in the new format? Please add some feedback about your experience in the Comments!

Is your personal information worth anything to you?

Back in 2004, I wrote an article about how various entities make money off transactions involving the personal information of customers and citizens (which, in some cases, such as the DMV in many US states, are the same group). [That article kinda predicted how access to personal data could be acquired rather easily by someone posing as a legit customer of third-party data verification services, like TML's TravelCheck...only about 18 months before Choicepoint was dinged by federal regulators for allowing exactly that kind of illicit disclosure to happen.] I suggested that private entities wouldn't start being serious about data security until customers started realizing the inherent value of their own personal information.

I was totally wrong about that. Private entities now engage in data security practices (or at least pretend to, by expending a modicum of effort and money), but not because of how their customers feel about personal privacy: instead, those private entities are much more concerned about regulatory compliance.

A lot has happened in the intervening 13 years since that first article, including many breaches of massive databases, revealing volumes of personal customer data. Customers have also become a lot more computer-friendly, and are using personal devices to conduct online shopping and ecommerce transactions at a rate that is vast compared to even a decade ago. They also claim to be extremely concerned about "privacy" (whatever that means, when individuals are asked in surveys on the topic), and have some awareness of threats like identity theft and hacking of personal accounts/files/assets and scams.

The weird part is, they don't behave as if they really understand the value of their own data...or as if they're truly frightened about any impact its loss would cause. The market share of companies like Target, Home Depot, and TJ Maxx has not declined significantly, even though those entities have demonstrated that they aren't the best stewards of customer data. And experiments have demonstrated that individuals are likely to part with their own passwords in exchange for incentives as basic as candy bars.

I don't think this is a shortcoming of the private sector, specifically; we know governments aren't any better at protecting information that's been entrusted to them. (And I, for one, have chosen to behave accordingly; even though I might shop at Home Depot and Target, I am not going to take any job with the US federal government that would require a security clearance, because the USG has proven that it is very good at losing my personal information.)

But customers/citizens/individuals just don't seem to care whether their data is protected, or how it is protected...even though those same individuals will say they care quite a bit.

So I have to ask...if people don't really care about the loss of their personal data (which we can tell from what they do, versus what they say), and the impact they experience from any actual loss is really pretty nominal (often more an inconvenience that results in lost time, not lost assets), why do we have such a strict regulatory mandate in many jurisdictions? Why are there so many laws and standards in place to protect something that doesn't seem to really have much value?

It might be heresy to ask, but...are we at the point where "MORE SECURITY!!" is not actually the best approach, in terms of the interests of individuals? Does the cost of adding more and more protection to personal data raise the price of goods and services ultimately provided to individuals...and does that price increase go beyond what the average cost of a loss would be to each person?