Podcast Episode 2: Social Media, Targeted Ads, and the Illuminati

We had some really good responses to our first podcast episode, so we went and made another one. In this episode, we discuss what kind of personal information social media services harvest, use, and share with law enforcement, and how to recover your online data if you lose it accidentally. Also, the Illuminati. Because that’s our kind of weirdness.

Show Notes

The Facebook law enforcement portal: https://www.facebook.com/records/login/

Facebook’s guide for law enforcers using the portal: https://www.facebook.com/safety/groups/law/guidelines

A guide written by and for law enforcers using the Facebook portal: https://netzpolitik.org/wp-upload/2016/08/facebook-law-enforcement-portal-inofficial-manual.pdf

The Total Information Awareness program: https://en.wikipedia.org/wiki/Total_Information_Awareness

Podcast Trial - Episode 1

We’ve been threatening it for a long time, and we finally got our first podcast done. I say “we”, but all the hard work was done by my partner, Robin Cabe. The working title is “Sensuous Sounds of INFOSEC,” because that’s damned funny.

Anyway, for the first episode, which is pretty short at 26 minutes, we just talked about getting into the field of IT security, and some advice and suggestions for starting your career.

Show Notes:

Terms:

Security architect: A person with a broad view of the security and technology in an organization’s environment, usually combining all possible aspects of the organization, including physical/system/network/software/personnel security, lines of business/operations, risk management, and governance, in a holistic way.

Online resources/groups to look at if you're interested in the field:

https://www.facebook.com/groups/InfoSec101/

https://www.reddit.com/r/cybersecurity/

https://www.reddit.com/r/security/

https://www.reddit.com/r/netsec/

https://www.reddit.com/r/privacy/

https://www.reddit.com/r/sysadmin/

https://www.reddit.com/r/CompTIA/

https://discord.gg/HyzFj94

Please feel free to ask questions/add feedback in the Comments section, and to offer suggestions of topics you’d like us to discuss in future episodes.

Recent CISSP Feedback

Got a note from a former student who tells us:

“I sat for the exam this morning and I provisionally passed!!

This test was one of the hardest, most interesting exams I have ever taken. It really does test your conceptual knowledge, as well as how you handle different situations at different levels. There were some items on the exam that I was able to remember using your "Foot stomps" which really helped drill those concepts into my brain.

The best advice I can give is to just be confident that you know the material, and read the question, read the answers, then read the question again, and if you feel like you still cannot eliminate an answer or two....read the question again!  The questions are really not there to "trick" you.”

Really well said, and extremely useful. Thanks to Daniel Hill for sharing, and a big congratulations!

Fascination

I don’t know why, but I find scammers absolutely fascinating; the styles and methods of manipulation intrigue me, and I have to wonder how it works (or if it does— but some of it HAS to, otherwise scams wouldn’t exist).

I got this one the other day, via the Contact page on this website. Can you count the layers of meta? I mean, this is an information security site, and the scammer warns of scams, but explains that the sender (scammer) got scammed because they (the sender/scammer) wanted to hack their partner’s communications, and that the thing being sold (hacking services/felonies) is trustworthy. My mind melts when I think about it.

(I took out the scammer contact info, of course.)

“Beware of scammers i have been scammed 3 times because i was trying to know if my husband was cheating until i met this hacker named; ([scammer email address]) who helped me hack into my spouse phone for real this great hacker hacked into my spouse whats-app messages,Facebook messages.text messages,call logs,deleted text messages,bitcoin account and many more i was impressed with his job and he brought me results under 24 hours believe me he is real and his services are cheap and affordable.”

It’s a strictly prurient interest, but I am just addicted to wondering about the efficacy and rationale of scams.

And More CISSP Feedback

Another of my recent students took the test not long ago, and had a hard time with it. Here’s some personal insight:

“…unfortunately I did not pass my CISSP exam taken last Friday 30th Jan.

I received:

6 domains "near proficiency level"

2 domains "below proficiency level".

My main sources were:

- Official online self-paced training course;

- CISSP official study guide 2018;

- CISSP official practice tests (totally not useful);

- Kelly Handerhan’s video on Cybrary.

Exam was very strange. 

I was not as prepared as in my other successful certifications (itil expert, prince2 pract, cobit etc etc), where my score was always much higher than the minimum required to pass, but I think that even if I had studied more, not much would have changed (i.e. cissp exam not passed).

Questions were using terminology not used in official materials.

Sometimes I was not able to understand the real meaning of the question.

I noticed that after 100 questions, they became more difficult and longer, taking a long time to read the question and answers, and then I was stopped after 180 minutes at around 120/130 questions and I was sure I had not passed the exam.

After question number 100 my hope was to be stopped, since the exam did not seem so bad to me.”

Sad to hear, and I’m hoping the experience was not too discouraging. Best of luck to everyone studying at the moment, and those who are going to take the test.

More CISSP Exam Feedback

One of my recent students, Buddy Lott, shared some of his feedback about his recent exam experience. Thanks, Buddy!

I got to question 99 in about 1.5 to 2 hours. Was settling in for another 20 or 30 questions with plenty of time. I don’t think I had more than 5 more questions when I got the “Test over” screen. It scared the crap out of me. I was sure I had failed. I don’t know exactly how many questions I had to answer. Then I had to wait for the check out procedures to get the results and discovered I had passed. It felt like forever.

I felt like the test was pretty challenging. I have no idea which questions I got right or wrong but lots of the questions I felt had answers that were very similar or the correct answer depended on how much you read into the question. I had to make a focused effort to not read too much into the question while making sure I was paying attention to the details that were there.

Plus … I had to make sure I answered some of the questions based on the book/class and not what my experience is/was.

Thanks again.

Leslie Lott

buddy_lott@outlook.com

www.linkedin.com/in/leslielott/

Excellent CAP Review

Brad Lee is a driving force in the reddit community for ISC2-related material; he’s created entire subreddits and discord families to engage in cooperation and advice for candidates of all certifications. He’s also just a generally cool and nice person.

He recently took —and passed— the CAP exam. He said it was all right to share this digest here at the blog. Thanks, Brad, and congrats!

“I am happy to say that I have now passed the (ISC)² Certified Authorization Professional exam!!! This was a long day coming, and I'm so glad that the pressure is FINALLY OVER!! WOOOOOOOOOOOOOOOHHHHHHHHHHHHHHHHHHHHOOOOOOOOOOOOOOOOOOOO!!!!!!!!!!!!!!!!!!!!

Now I would like to thank all of those out there that have contributed as much as they could to the help with studying for this exam. So many people have helped me in my journey, and I would like for those people to get the praises they deserve. After I created this (ISC²) CAP Reddit channel on May 29, 2019, I decided to reach out to those in the Reddit community as well as the ISC2 forums for advice, materials, etc. I, just like many others, had realized that there was a HUUUUUGGGGEEEE lack of official resources for this certification!!!! Why is that?? I have no idea! This is a very obscure and less-talked-about certification out of all (ISC)² certs. And I don't see too many people taking the exam, either. I have been working as a Security Control Assessor in Risk Management for over a year, so I do have a comprehensive understanding of the RMF. On my team, I was usually the one who sent out Security Control Assessment Plans, conducted Risk Assessments, generated Security Assessment Reports, and created a Plan of Action and Milestones for weakness remediation.

Over the summer, I decided that I would start a study group for (ISC)² CAP. This was a long time coming, but highly needed!!! I spoke to people on Reddit and (ISC)² Forums that were interested in taking the exam, and asked if they could join my group. Those that obliged came aboard and we started. Now it was rocky at first, as many of us were afraid that the exam was based on NIST SP 800-37 Revision 2 and not NIST SP 800-37 Revision 1. Plus, with the lack of official resources for this exam compared to other (ISC)² exams, some were even reluctant to take it. Some postponed their exams til' next year. We all had very busy schedules to begin with. Also, some people like to study for certs by themselves, which is fine. And they don't want to share their experiences about certs, either.... which is also fine. But NOT ME! I want it all, baby!!!! I want the smoke, even if that means me getting burned.

Starting in August, my study group gathered many materials from boot camps, NIST's website, etc. We studied very, very HARD. We reviewed FIPS documents, Special Publications, many practice questions, cheat sheets, etc. In September, I started to watch (ISC)² CAP course videos on the FedVTE website because I could NOT find any instructive videos to watch for this certification. Some people have recommended this site for those interested in taking IT certifications. As I was watching the videos, I noticed that one of the professors teaching the course would always give candy to any of his students that answered his questions correctly. It wasn't until later on that I realized that professor was none other than Ben Malisow!!! I couldn't believe it was the same person, and after talking to him about it recently, I'm sure he wouldn't believe it, either lol. All of the professors did very good jobs in breaking down the CIARMF, as well as the SDLC. The CAP course was excellent. I will say that this is the BEST site to watch videos pertaining to the CAP certification. I learned the MOST from this online course and took down so many notes from it. It's not recent, but many of the concepts and guides are still EXTREMELY helpful. And even though the site requires a government email to sign up for access, it is VERY worth it.

As time went on, members of my group were taking the exam, one by one. From September to October, people from my study group were passing the CAP!!! This was interesting, and I was so happy!!! So far at the time, only four people had passed!! Now for me, I will say this. Everybody has their way of studying for exams, but me, I love to review practice questions to get myself in "test mode". Although I did purchase the material, I did NOT read the Official Guide to the ISC2 CAP CBK book. I glossed over the first couple of pages of the first chapter, but then ultimately decided to review other material. I felt that the book was outdated and focused on older standards and acts. And I did NOT take a boot camp, either. I did not see the need in me spending $2,700+ when I already had at least one year of Risk Management experience. Even if I did not, I STILL would not do it, but others are different. I did something similar like that once before. I took a self-study online course for another exam from a different vendor, and I paid an UNBELIEVABLE amount. My company was not paying for me, and I was not getting reimbursed, either.

In October, I still asked people online on what to expect from the CAP exam. Some (ISC)² professionals told me that the exam is pretty much all of NIST SP 800-37, no DIACAP, DITSCAP, etc. I continued to go over the steps of the RMF and connect them to the SDLC. Later that month, one member of my study group panicked (as most of us would before we took our exams). He just wanted to get the exam over with, and I don't blame him!! He even hit the gym continuously just to relieve anxiety. He decided to schedule his exam on a Monday morning at 8:00 AM. After he finished his exam, he came out and told us that he passed! Now, five people have passed so far. This was getting very interesting, as no one had failed yet.

It was November, and I STILL had not booked my exam, yet. I guess one factor of why I had not all this time was that I feared that the exam would be updated with newer topics. Also, I have had TERRIBLE experiences before with booking (ISC)² exams in the past (cough cough SSCP cough cough). I will save that for a later story, but basically I did not want to go to a testing center with NO PARKING, and ARGUMENTATIVE PROCTORS that will embarrass you in front of everyone and prevent you from taking your exam!!! The CAP costs $599, so that's really not money you wanna be playing around with. Shortly after the start of the month, another person from my study group decided to attempt the exam.... and she passed!!! Now it was time... for ME!! As the days went on, I was looking for the PERFECT date and time for my exam on Pearson. Sometimes, you just have to wait and see... a REALLY GOOD date will appear for you (probably you will see what you like late at night).. and it did!!! Friday, November 22 at 5:30 PM was SET!!!

Until my exam date, the only documents that I read for this exam were FIPS 199, 800-18, 800-30, 800-64, and 800-137. I glossed over the 800-37r1 at the beginning of my studies, but it was pretty much me understanding the RMF steps and tasks as well as the associated roles and responsibilities. Also, MAKE SURE you understand the connection between RMF and SDLC! I CANNOT STRESS THIS ENOUGH!!!!! It helped me tremendously.

11/22/2019 I went to a BEAUTIFUL testing center that had an AMPLE amount of parking and had the best staff of people!!!!! I couldn't believe my eyes. The proctors were very cool and were funny too haha. They knew all about (ISC)² madness lol. They asked me if I ever took CISSP before. I told them I did, which was even a CRAZIER exam!!! I went through the regular procedures, and it was no pressure at all!! I went in and sat at my seat. I quickly wrote down all the stuff I needed for memorization on my scratch sheet. After the 5 minute window, I started my exam. The exam mostly focused on roles (System Owners, Authorizing Officials, Security Control Assessors), responsibilities/tasks (RMF steps, SDLC), and the type of controls (common, system-specific, hybrid, compensating). There were a couple of DIFFICULT questions that could have any answer as correct. Now, 125 questions in 180 minutes is okay, but it comes to a point where you just say "Can it be over already??". Overall, my best method to handle all of the exam questions was to use the process of elimination. Once I finished, I did the closing procedures and then went to the front desk. I received my score report from the nice proctor, who had folded it in half. Once I saw the message, I fell to the floor..... I PASSED!!!!!! I was so HAPPY and it was a beautiful experience all the way around HAHAHAHAHAHAAH!!!!!!!!!!!!!!! It was waaaaaayyyy better than that wicked experience I had with SSCP at a specific testing center two months prior; a place with NO parking and a CURRAHHHHZZZYYY proctor trying to act tough and smart in front of everyone. I drove home relieved, and my study partners were extremely pleased afterwards.

I would like to shout-out some people who have helped me along in my journey: u/reed17purdue, u/sanileo, u/Telemundo, u/super_user_anonymous, Pinaykutie, Moro, Kofi, Ben, Alfred, Kadir, Valentine, and Ben Malisow!!! I cannot thank you guys enough for the help and the long ride!! A job very well done!! I am willing to help anyone who plans on taking this certification in the near future. See you guys around!! On to the next one!!!”

Recent CCSP Feedback

Former student/recent CCSP candidate Jullie Essex had this to share:

“i was a student of your ccsp course during the orlando (isc)2 congress. i am pleased to report that i sat for the exam yesterday and passed.

thank you for presenting the material. i also purchased “official (isc)2 practice tests” and “the official study guide” authored by you and mr. o’hara. both of these proved to be valuable resources.

the exam was not easy but it wasn’t any worse than the cissp. the topics you emphasized are still pertinent. there were some surprises, however i suspect those questions may have been part of the “25”.”

The 25 she refers to are the questions that aren’t scored on the exam, but are included to evaluate whether they should become actual test questions. Congrats, Julie! And good luck to everyone currently studying for the exam.

Recent CISSP Feedback

Mary Pat Esposito, a former student, recently passed the CISSP, and had this to say:

“I took the test yesterday and passed! 😉

Here’s the advice that helped me the most…

  • [Ben’s] “footstomps” helped filter the minutia out of the study guide. No RAID questions. Phew!

  • Kelly [Handerhan]’s video. The link was provided in the chat. She recommended selecting responses from a management perspective not a practitioner perspective.

  • Read the responses backward, forward, read the question over and over. You can’t go back so be sure you’ve taken the time to understand the question and the options”

Great info, Mary Pat— thanks! Congrats to you, and good luck to everyone taking the exam soon.

It IS Possible To Pass The CCSP With Only 10 Days of Preparation

One of my recent students shared their study/exam experience with me. I think it demonstrates some excellent insight:

“After sleeping on it, I wanted to give you some feedback after preparing for the test almost exclusively with materials written by you and/or delivered by you. First, thank you for putting these materials together, I wouldn't have been able to pass without them. I don't know how you could create material that would adequately prepare someone for that test. I got an 81 on the last "fresh" practice test I took, the second one in your example test book. The real exam was MUCH harder than any of the practice tests in any of your books. I felt I was pretty hosed after getting 5 questions into the real test, but stuck through it and was re-checking and changing answers right up until the very end. I feel like the preparation got me the right answer to about 1/2 of the questions, good test taking skills eliminated around 1/2 of the remaining wrong answers, and serious logical deduction got me over the edge.


Some examples would include:

The questions would not have been satisfied by just knowing what HIPAA is, but by knowing what a HIPAA BAA was and used for.

It wasn't just about what PCI-DSS was, but about how their rules affected security practitioners as detailed here https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Not only what a TPM is, but how it is utilized and appropriate use cases.


Despite all of this, technically it is possible to pass the exam while only getting 45/125 questions correct. There were at least 3 questions where the correct answer was given elsewhere in the exam, or could be deduced from different questions. Test taking skills, such as "if two options are the same, you can eliminate both of them as options", were indispensable. What it boils down to is that if you go into the exam only knowing 1/2 of the answers (around 1/2 of my answers were flagged after the first go round), find 2 or 3 answers elsewhere in the exam, and eliminate about 1/2 of the answer options in the remaining questions, you'll wind up with more than a passing score.


Thanks again for all your help.”


That student also followed up with:

“Here is some more material you are free to use.

How I passed the CCSP in 10 days and study plan.

Friday: Was offered a chance to fill in for someone who had to bail on the CCSP crash course.

Sunday: Received CCSP ISC2 Study Guide.

Sunday-Thursday: study/read/took 1 chapter practice test in morning and 1 in evening… about 2 hours a day.

Friday: Re-read/re-took the practice tests for the sections I struggled with. I found that I had gotten 85-95 on every chapter except chapters 7 and 11. Generally skimmed over materials again. Honestly I did this while waiting in line at an amusement park. Rides make great study breaks and ride lines make a good place to study.

Saturday-Sunday: ISC2 CCSP crash course.

Sunday: picked up official CCSP guide to the CCSP CBK at ISC2 book store. Re-read the sections I was struggling with (legal compliance). Took 1 of the official ISC2 practice tests while at airport/flying home… got an 81. Watched a couple 5 minute or shorter youtube videos on concepts I was weak on (REST vs SOAP)

Monday: Went to work, left early, studied outside test center for 2 hours… practiced my brain dump. They give you a grease pen and paper at the test center so you want to write down your [mnemonic] memory aids if you have any. Took the entire time. I flagged around ½ my questions on my first pass so I was not super confident, but after some serious thinking got it down to where I thought I passed. I think it is important to brush up on good test taking skills before taking something like this, and I think that tips like, “if 2 answers are essentially the same, they are both wrong” got me through. I have no idea how I really did, but I did pass. All in all it was an honest 30-40 hours of study and real application to pass.”

WOW— I am stunned and impressed by this accomplishment. I do NOT recommend that anyone try to cram for the test with such a limited timeframe…but it is evidently possible to pull off.

Tales From The Field

And now, the first installment of a feature I’m calling Tales From The Field, about INFOSEC practitioners on the job. This one from friend and colleague Matt Snoddy (https://www.linkedin.com/in/mattsnoddy/).

“The Bourbon Story

A few years back, my partner in our computer forensics company got a call from an attorney. It was a new case involving the Kentucky Distiller’s Association (KDA), which is the big governing body over the whisky distilleries that dot Kentucky’s landscape. The KDA has been around for a very long time, long before the current renaissance of bourbon, before computers, and even before Prohibition. Their offices reek of history, tobacco, leather and oak.

KDA needed some computer hard drives forensically imaged for the case, which is right up our alley. The imaging had to happen on-site at their office in Frankfort, so we packed up our gear in Lexington, made the half-hour drive up I-64, and arrived early for what was going to be a long day.

We arrived, took over their conference room, and settled in with extension cords running everywhere, notes taped to drives, and laptops whirring.

The KDA has a pretty straightforward office décor: If there’s a wall, put a picture of bourbon on it, and if there’s a flat surface, put a bottle of bourbon on it. A simple stroll from the front door to the conference room introduces the eyes to a feast of hundreds of bottles of bourbon, old and new, rare and common, all glorious. Surprisingly (or perhaps not), many bottles had been opened and sampled.

As we went through our day, things were running on target to be wrapped up about when they closed. About 3 PM, several of the staffers filtered into the conference room and heartily announced, “Happy hour!” and asked what I was drinking.

As a businessman and a polite Kentuckian of average breeding, of course, I accepted the three fingers of Woodford Reserve Rye neat that they poured me. It would be a social faux pas to decline such hospitality.

After drinks all around and as hard drive imaging wrapped up, one of the staffers told me to make sure I took something from the goodie-closet before I left.

I asked what the goodie-closet was.

I was walked up a short hallway off the conference room to a full size kitchen pantry. She opened the door for me and inside, floor to ceiling, across shelves and shelves as far as the eye could see, was all manner of bourbon, probably a thousand bottles, some sealed in shipping boxes, some just freestanding like you’d find in a high end liquor store, waiting to be gifted to visitors. “All the distilleries send us several cases each year,” she explained. “We keep some of it and give the rest away.”

Well, with that kind of invitation, I carefully looked at all the shelves, looking for the wild unicorn of bourbon, Pappy Van Winkle.

“I don’t see any Pappy in here,” I joked.

“Oh, no, we’ll never have Pappy. This is the Distiller’s Association. Pappy is just a label. They put Buffalo Trace that comes from a certain corner of a warehouse in a certain bottle and call it Pappy. If you want some Buffalo, we have a couple of cases over there,” she helpfully pointed out. “But we’ll never have Pappy, unless they start distilling their own stuff again,” she gleefully explained, effectively thumbing her nose at all the new-money bourbon crazies.

“Ah! Well that explains that,” I said, as I reached for a bottle of Elijah Craig 23-year. “Thanks for the bourbon!”

I packed up my things and headed back to Lexington, new bottle of bourbon in tow, and hoping for another crack at their goodie-closet when and if they call again.

The Elijah Craig didn’t make it past the weekend, if my memory serves...”

--Matthew

Matthew Snoddy

Ditch One To Get The Other

In the INFOSEC realm, we often discuss the CIA Triad: Confidentiality, Integrity, and Availability; this is the basis and end goal of information security efforts.

It occurred to me the other day that we could get rid of one of the legs of the Triad in order to perfect another.

Without Confidentiality, we could have perfect Integrity.

If I gave up all privacy, I could be protected from all fraud. If I were to livestream my entire life, it wouldn’t matter that you could see my credit card number and PIN and whatever other credentials/authentication techniques I used; you could not use my payment methods in order to make unauthorized purchases, because my bank would also be able to confirm whether or not I, myself, had conducted those transactions— by watching the same livestream you took my payment info from.

In fact, we could (theoretically) do away with all systems-based payment methods, and revert to an older, historical model: trust-based methods. I wouldn’t need a credit card (or even a credit card number)— I could just say, “I agree to pay you X amount,” and that would suffice for my bank to pay you that amount. Not too long ago (150 years back or so), this was very close to how money and debts were conveyed: I would write a note to you, and sign it, as an instrument of payment or promise; you could present this to my bank for payment, or transfer it to someone else who was willing to purchase it (perhaps your own bank, or another person) on the assumption that they, themselves, could collect it from my bank.

Manual confirmation (a bank teller watching my livestream to confirm I’d promised payment) would be time-intensive at the moment…but I get the feeling this could be automated very quickly.

This idea intrigues me.

CCSP How-To: A Legit Cheat-Sheet

A recent CCSP test-taker posted a blog entry (and made a related Reddit post) about their own experience in studying for/taking the exam…it is incredibly detailed and thorough, and reads very well. When I teach test-prep classes, I try to convey a list of “foot-stompers”: those elements of the material that are crucial and which candidates should really drill down on for the exam…this blog entry seems like a perfect list of foot-stompers to me. Enjoy!

“Preparation Guide for ISC2 Certified Cloud Security Professional (CCSP) Certification” by Stanislas Quastana

https://stanislas.io/2018/07/12/preparation-guide-for-isc2-certified-cloud-security-professional-ccsp-certification/

CCSP Feedback From Today

Got this from a former student today:

“I certainly don't want to scare anyone who hasn't taken it yet but I thought it was fairly difficult. More so than the CISSP in my opinion. Some of the questions seemed pretty out of left field based on the material we studied. And I think as we all know, the wording and phrasing of the question is super key so you have to pay very close attention to that or you'll get tripped up. Can't emphasize that enough. 180 min duration and I wrapped with 7 mins left but that was after I went through and reviewed EVERY answer a second time and some three times.”

Good to know.