Bad Control

The vendor has a policy: checks that are numbered less than 1500 are not accepted.

The clerk tells me to just ask my bank to put a higher number on my checks and send me some new ones.

The control was put in place years ago, to reduce the possibility of fraud from an outdated attack method (does anyone even commit check fraud anymore?). The vendor obviously knows the control is easy to overcome, and only actually prevents legitimate transactions.

This is not a good control.

First person to guess the vendor correctly gets a free copy, your choice, of one of my books. Put your guess in the Comments to this post.

Letting Off Steam

Valve is a company that makes computer/video games; they also run the Steam game distribution platform, which is an online store/licensing portal that sells games made by other companies. This week, Valve announced it would no longer curate titles on Steam, and allow any game producer to host any title in the store, for sale to the public (with the notable exceptions of games that contain illegal content and those that are “straight up trolling”). [You can read the announcement at: https://store.steampowered.com/news/]

This is fascinating, and definitely a reaction to recent public attention focused on one game that Valve took off the Steam platform (and simultaneously banned the game producer), a first-person shooter that simulated mass murder at a school, called Active Shooter. While I’m not sure how that game would run afoul of this new policy (is Active Shooter straight up trolling or illegal content? If neither, why is it still banned?), it seems very interesting to me that Valve chose to modify their approach to hosting titles as a result.

I am a gamer. And I am interested in maximizing free speech. Valve’s decision therefore delights me greatly. Opponents of Valve’s decision (including writers from disparate sources, such as game review websites and Forbes) kind of puzzle me, and somewhat infuriate me. Their arguments seem to constitute two lines of thought:

1) By allowing anything, Valve is taking a political stance that endorses everything.

2) By allowing anything, the online store will be swamped with material customers don’t want, such as games that include topics that bother some people, including racial bias, violence, and sexuality. Customers won’t be able to find what they want, because of all the material they don’t want; this will be particularly disturbing to sensitive customers who are offended by those topics.

Trying to make sense of these criticisms, I draw these two conclusions:

1) I can’t possibly understand why the political stance of “allowing everything” is ugly or wrong: the entire purpose of having a free society (much less a free online store) is so that conflicting ideas and perspectives are allowed to exist (and maybe flourish)...even if most of us don’t particularly like them. Having freedom so that we can all like the same things isn’t freedom, it’s a sheep farm.

2) I don’t think the people saying this A) are gamers and B) understand how the Internet works. To explain in detail:

A) Gaming is a participatory mode of entertainment unlike any other form of mass media: books, movies, music are all projections of the creators (writers, directors, musicians, singers) at the audience in a unilateral communication; the audience does not communicate with the artist or influence the art. (The notable exception: choose-your-own-adventure books, where outcomes are decided by readers.) In gaming, the player must take part in the activity in order to determine progress/outcome. The artist(s) can present content, but the game doesn’t actually do anything unless the player is utilizing it-- a game without a player is a title screen, and no different from wall art. In terms of recreation, this makes gaming more akin to, say, sports, than literature (with the obvious advantage that gaming does not favor only those with the biological birthright biases of ability, size, speed, etc.).

So in order to be “affected” by a game (no matter how sensitive you are), you have to actually play the game...which is a conscious choice, and includes the option of stopping at any time. You, the player (or potential player), have full control over whether any selection from that medium, any game, affects you, personally. You have no control over whether someone else can play it or if they are affected, and nobody else has control over whether you play it or are affected. You. You alone are in charge. Compare this to, say, the television turned to full volume in the airport waiting areas: I have no choice, as an audience member, to voluntarily not participate: if I want to isolate myself from that communication, I have to take active steps (using headphones/earplugs, purposefully not looking in that direction) to insulate myself from the message.

Gamers understand this, and relish it-- it is one of the great joys of games. There are many thousands of games I have never played, nor ever will-- those do not affect me in any way, much the same way the millions of sandwiches eaten by other people only affect those people, and not me. There is food on this planet I do not like, and would probably cause me intestinal distress: I don’t have to eat that food, and can choose not to.

Now, is it possible that the title of a particular game offends someone, and just seeing it on a screen bothers someone? Or that hundreds of these titles, listed together, scrolling across a screen, might be distressing to a viewer? Like, if every title in a list of hundreds contained racial/religious epithets, or swear words?

Maybe that would be bothersome to someone...or maybe it would inure that person to those words, causing those words to lose power. But that’s not really here nor there, because we go to point...

...B) The Internet is the best shopping market ever devised. I can find almost anything I could possibly want, in a moment, without the trouble of leaving my couch. Steam makes full use of Internet possibilities, allowing a shopper to search for particular terms (or filter out particular terms), see only titles that are preferred, or limit content in any number of ways. So not only does a gamer not have to play a particular game (or genre of games), but the gamer does not even have to see a given title or type of title.

Those that complain Steam will be overwhelmed with undesirable games, making it difficult for shoppers to find the games they (the shoppers) like, don’t really want to shop. Because that’s what shopping is: making a choice from among options. The complainers want someone else to make the choice for them (and for all gamers) by limiting the possible options. I find that sad; when an adult wants to forego the power of their own choices, they limit themselves (and when they want to impose it on everyone, they’re limiting all of us).

Might Steam get inundated with cheap, callous, crass games made by halfhearted or greedy developers less concerned with quality gameplaying experiences than turning a quick buck? Might that make it harder for a shopper to find the gems hidden in piles of dross? Possibly. But that same description could be used for major production houses right now, easily. And sifting through a bunch of crap to find a treasure is one of the great joys of one of my favorite shopping formats: the flea market. I have found some items of great value (both relative and financial) for amazing prices at flea markets...and I have spent hours in flea markets where I’ve seen nothing but crap and not made a single purchase. Did the latter experience harm me in any way? You could argue I lost the value of those hours, but that would be predicated on the assumption I didn’t receive enjoyment and entertainment value from those hours.

I assure you, I did.

Finally, just to offer a couple thoughts on the public outrage over the specific game that started the whole conversation: Active Shooter. I am not sure why the idea of a simulation that mimics a tragedy, or where the player can pretend to be an awful person, or where entertainment is derived from violence is something to revile. I and my friends have pretended to be Nazis, done faux atrocities, and taken pleasure in murder for decades...and those were just board/tabletop games: Axis and Allies, Dungeons and Dragons, and Clue. Oddly, it has never meant that I actually want to invade Poland, slaughter hobgoblinoid people, or would take delight at a dinner party in which someone was bludgeoned to death with a heavy plumbing tool.

Anatomy Of A Troubleshooting Session

- I wake up. Sit down at laptop, quickly notice there are aberrant issues with the keyboard: certain keys do not work, but the rest do.

- I freeze all my work/open resources. Immediately start searching for info about malware that attacks only specific keyboard keys.

- Reboot.

- Do a quickscan. No hits.

- Look over my restore points, just to make sure I still have my current data.

- Check hardware drivers, make sure they are all up to date.

- Search for more info about malware, particularly for certain apps (browser/Office). Spend a good half-hour reading about funky viruses.

- Girlfriend wakes up. I tell her that some of the keys on my keyboard aren't working. She has no tech background whatsoever.

- "Dog hair?" she asks.

- Take out the can of compressed air, spray beneath keyboard.

Dammit. Problem solved.

Advice for Job Applicants

From my brilliant friend George J. Silowash:

"Pro Tip of the day: If you are applying for jobs to multiple organizations, be sure the "Track Changes" feature is turned off in MS Word, or, at least sanitize your document before sending it out to a prospective employer. If you don't, I am one click away from learning where you have applied to. Digital Forensics 001 folks. (No, this was not me, I am not looking for a job.)"

Read and heed. Also, this is good advice for those posting RFPs, too.
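The "one click away" check from George's tip can be done without Word at all: a .docx is a zip archive, and tracked changes survive as `w:ins`/`w:del` elements (each stamped with `w:author`) in `word/document.xml`, while `docProps/core.xml` carries the creator and last-modifier names. The script below is an added example, not code from the original post: it builds a constructed, minimal .docx in memory (not a complete Word package; the file name, text and "J. Applicant" author are invented placeholders) and reports what a recipient could recover from it, so the same `inspect_docx` function can be pointed at a real file before it goes out.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by Word documents.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

# Elements Word writes while "Track Changes" is on. Each carries w:author and
# the inserted or deleted text, which is exactly what leaks to a recipient.
REVISION_TAGS = {"ins", "del", "rPrChange", "pPrChange", "moveFrom", "moveTo"}
TEXT_TAGS = {f"{{{W_NS}}}t", f"{{{W_NS}}}delText"}


def inspect_docx(data: bytes) -> dict:
    """Report revision marks, comments and author metadata found in a .docx."""
    report = {"revisions": [], "comments": 0, "authors": set(),
              "creator": None, "last_modified_by": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            for el in root.iter():  # document order, so del/ins pairs stay together
                local = el.tag.rsplit("}", 1)[-1]
                if el.tag.startswith("{" + W_NS + "}") and local in REVISION_TAGS:
                    author = el.get(f"{{{W_NS}}}author", "")
                    text = "".join(t.text or "" for t in el.iter() if t.tag in TEXT_TAGS)
                    report["revisions"].append((local, author, text))
                    if author:
                        report["authors"].add(author)
        if "word/comments.xml" in names:
            root = ET.fromstring(zf.read("word/comments.xml"))
            for c in root.iter(f"{{{W_NS}}}comment"):
                report["comments"] += 1
                if c.get(f"{{{W_NS}}}author"):
                    report["authors"].add(c.get(f"{{{W_NS}}}author"))
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            creator = root.find(f"{{{DC_NS}}}creator")
            modifier = root.find(f"{{{CP_NS}}}lastModifiedBy")
            report["creator"] = creator.text if creator is not None else None
            report["last_modified_by"] = modifier.text if modifier is not None else None
    report["authors"] = sorted(report["authors"])
    return report


def has_leaks(report: dict) -> bool:
    """True when the file still carries tracked changes or comments."""
    return bool(report["revisions"]) or report["comments"] > 0


def build_sample_docx(tracked: bool) -> bytes:
    """Constructed minimal .docx (not a full Word package) for demonstration.

    With tracked=True the cover letter still records the previous employer's
    name being deleted and the new one inserted, as Word stores it.
    """
    if tracked:
        target = ('<w:del w:id="1" w:author="J. Applicant"><w:r><w:delText>Acme Corp</w:delText></w:r></w:del>'
                  '<w:ins w:id="2" w:author="J. Applicant"><w:r><w:t>Globex Inc</w:t></w:r></w:ins>')
    else:
        target = "<w:r><w:t>Globex Inc</w:t></w:r>"
    document = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
                f"<w:r><w:t>Dear Hiring Manager at </w:t></w:r>{target}"
                "</w:p></w:body></w:document>")
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
            "<dc:creator>J. Applicant</dc:creator>"
            "<cp:lastModifiedBy>J. Applicant</cp:lastModifiedBy></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    for tracked in (True, False):
        r = inspect_docx(build_sample_docx(tracked))
        label = "tracked" if tracked else "sanitized"
        print(label, "->", "LEAKS" if has_leaks(r) else "clean", r["revisions"], r["authors"])
```

On a real file, replace `build_sample_docx(...)` with `open("letter.docx", "rb").read()`; anything listed under `revisions` or a non-zero `comments` count means the document still needs "Accept All Changes" and a metadata scrub (Word's Document Inspector does both) before it is sent.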

Ditching the ALE

At this point in my career, I deliver a lot of certification prep content, through teaching and writing. And I see certain things that were included at the outset of the industry as guidelines and suggestions that just aren't applicable anymore (or at least, not applicable in the same way as when they were proposed). My primary customer is ISC2, for the CISSP and CCSP certs, but I've taught ISACA and CompTIA certification prep courses in the past, and many of them suffer from the same problems. While I can't say with certainty exactly why all the major INFOSEC certifications suffer from the same blind spots, I can guess: most of the test writers have the same training in the same fundamental concepts, get the same certifications (from multiple vendors), and have received that content from their predecessors, and will pass it to the next generation in kind.

This leads to the possibility of stagnancy in content and approach. Which isn't terrible, for certain fundamental security concepts (say, defense-in-depth/layered approach/multiple redundant controls, or the use of two-person integrity), but there are other notions/ideas that are simply treated as sacrosanct in perpetuity, instead of being re-examined for validity, assessed as nonsense, and thrown onto the trash pile of history.

Today, I want to talk about one of the latter: the ALE formula.

If you don't know what it is, consider yourself lucky. Then consider yourself unlucky, because if you're going to go get an INFOSEC cert, I can tell you for damn sure that it's going to be one of the things you're going to have to learn and memorize whether you like it or not.

Simply put, it's an approach to estimating the cost of a given type of negative impact as the result of security risk being realized. We teach INFOSEC practitioners that this value determination can be used to weigh the possible costs of controls to address a particular risk, and figure out whether or not to spend the money protecting against it.

Which is a good idea: spending too much on addressing a particular threat is just as bad as not spending enough...and, arguably, sometimes worse, because spending too much leaves you with a false sense of security and a lack of money, where not spending enough just means you have some of that risk left.

But the ALE formula is not really the best tool to accomplish this in our realm of INFOSEC, for many, many reasons. And we should stop requiring its use, and teaching it to newbies.

Why? Well, for starters, let's talk about the potential cost of a single type of incident, known in the formula as the SLE.

It's worth noting that the ALE formula works great in the physical security universe, where tangible assets can be mapped to specific losses. If I'm trying to secure a retail space selling goods that are of a particular size, shape, weight, and cost, I know some discrete, objective information about those assets. I know how many can be stolen at one time, by a single person picking them up and walking off with them. I know the amount (number and dollar value) of my inventory, based on another limiting factor: the footprint of my retail space and storage area. I know the various access points to get at my inventory: the doors/windows/loading areas. All these things can be defined and somewhat limited.

With electronic data as assets, all this numeric determination goes out the window (I mean, not the literal window, like tangible assets, but a metaphorical window, because the determination is impossible). I can't really know how many "data"s a person can steal at any given moment, because the size of files or objects or characters don't really have any meaning in the physical universe-- a flashstick that weighs less than an ounce can carry one file or a thousand files, and any given file can contain one character, or a million characters, and all of this fits inside one person's pocket, anyway (and that person doesn't need any exceptional muscles to carry even the heaviest flashstick).

So trying to determine the monetary impact of a single security event involving data is impossible, unlike the impact of a single security event involving physical assets. If someone steals one spoon in a retail environment, we know the cost of that spoon (and we actually know several costs: the wholesale cost we paid to get the spoon, the retail cost of what we would have realized in revenue if we sold that spoon, and the logistical cost of getting that spoon to the retail location)...but if someone steals a file, the value of the information in that file can vary wildly. A file might contain a photo of the user’s pet kitten (which is of value only to the user, and then only arguably at that, if the user has a copy of the photo), or it can contain the privacy data of the target organization’s entire customer base, and the relevant monetary impact can stretch into the range of millions of dollars, as the result of statutory damages assessed against the organization, or the loss of market share, or direct fraud on the part of the perpetrator using that information, and so on.

Sure, insurance companies in recent years have created various approaches to assigning value to data, but these are all just gibberish. Take, for instance, the idea of “average file cost”-- even if we were to determine the midpoint of value between the kitten photo and the customer list, that medium value would be meaningless when we suffered an actual loss: if we lost the kitten photo, and the insurance claim paid the amount of “average cost,” we’d be receiving far more in cash payout than the thing was worth, and if we lost the customer list the “average cost” claim payout would be far less than the damage we’d suffered. And what’s the size/value of an “average” file, anyway? How many files are there in a given business environment? The concept is absolutely pointless.

When the SLE is just a fictional construct, the entire ALE formula is ridiculous. We could use just this argument to eliminate the wretched thing from our industry. But there are even more reasons why ALE is stupid in the INFOSEC world-- and I’ll get to those in subsequent articles.
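To put numbers on the spoon-versus-file argument above, here is an added example (mine, not from the post) using the textbook definitions SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence, which the post refers to but does not spell out. All dollar figures and rates are constructed for illustration. The physical case gives one stable ALE; the data case shows that the ALE for "one file" spans from zero to millions, and that settling on an "average file cost" overpays for the kitten photo by exactly as much as it underpays for the customer list.

```python
# Standard quantitative risk formulas (textbook definitions, not from the post):
#   SLE = asset value x exposure factor (fraction of the asset lost per event)
#   ALE = SLE x ARO (expected number of events per year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Cost of one occurrence of the event."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Expected yearly cost: one event's cost times how often it happens."""
    return sle * aro


def control_is_justified(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """Spend on a control only if the risk it removes is worth more than it costs."""
    return (ale_before - ale_after) > annual_control_cost


def ale_spread(loss_values, aro: float):
    """ALE for the cheapest and costliest item a single event might take.

    For physical stock the two numbers are close; for 'one file' they are not.
    """
    return (annualized_loss_expectancy(min(loss_values), aro),
            annualized_loss_expectancy(max(loss_values), aro))


def average_cost_error(loss_values, actual_loss: float) -> float:
    """Payout error (positive = overpaid) if a claim is settled at 'average file cost'."""
    average = sum(loss_values) / len(loss_values)
    return average - actual_loss


if __name__ == "__main__":
    # Constructed retail case: a $3 spoon is a total loss when stolen (EF = 1.0),
    # and we assume one theft a week.
    spoon_sle = single_loss_expectancy(3.0, 1.0)
    spoon_ale = annualized_loss_expectancy(spoon_sle, 52)
    print(f"spoon: SLE ${spoon_sle:.2f}, ALE ${spoon_ale:.2f}")
    # A constructed $100/year lock that cuts thefts to one every six weeks or so.
    print("lock worth it:", control_is_justified(spoon_ale, 26.0, 100.0))

    # Constructed data case: the same 'one file stolen' event could be the pet
    # photo (worth $0 to anyone else) or the customer list ($2M in damages).
    file_values = [0.0, 2_000_000.0]
    print("ALE range for one stolen file/yr x2:", ale_spread(file_values, 2))
    for lost in file_values:
        print(f"average-cost payout error when ${lost:,.0f} file is lost:",
              f"${average_cost_error(file_values, lost):+,.0f}")
```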


Screaming Mad At Social Media

Evidently, there are many people who are upset that social media sites (particularly Facebook) are able to access data that people give to them.

Yeah...read that a couple times, if it's puzzling. I am perplexed, too. It's as if those people are shocked that charities they donate to get to keep/sell the stuff that is donated.

The weirdest thing (in my opinion) is that the people most troubled by this astounding revelation are the very same people who constantly, willingly, submit information and open their online data stores to quiz apps that answer such profound questions as, "What sort of crustacean am I???"

Luckily, for those people who are mad at FB and other social media sites, there is now a way to hurt them, legally. As of yesterday, all you have to do is copy and paste this text, over and over, into your feed (and the feeds of everyone you know on the target site(s)):

"I am willing to trade sexual favors for almost any amount of money. This site is hereby in violation of FOSTA for allowing me to post this."

Of course, I am worried that my blog is now in violation. Let's find out.


Fascinating Mentality

I am fascinated by the mentality of criminals. Mostly by how they can, in turns, be so clever and so dim in the same moment.

Like how automated spam comments on message boards are constructed. These comments start with a fake response, then offer their pitch for their fraud. Example:

“I agree completely with Owen.

And I have been able to make money from home just by surfing the Internet. Check out how I did it: efihiwig.com/noofus.”

The thing that gets me is that using a script to spread these comments takes a certain level of sophistication. And, even if it’s being done manually (the comments added to message boards by copy-paste), it means that the scammers are knowledgeable enough to find message boards that permit unmoderated commenting, craft their spam messages, then insert them, hoping to snare victims. There’s a degree of understanding there, even if it’s just basic understanding of human nature and how to surf the Internet.

But it’s the naming that blows me away. That introductory bit --including a name in the first line, to pretend it’s a response to another, previous commenter-- is almost always so bizarre, because it uses names that almost never exist in real life, much less as a message board handle someone chose for themselves.

I mean-- who names their kid “Owen”?? And who, if they were named “Owen,” would use that as their username on a message board?

Because the level of sophistication it takes to Google “most popular English names” is far, far below the threshold of the cleverness demonstrated in the rest of the scam.

How can you be so efficient and determined to take someone’s money by fraud, but so very, very dumb when it comes to the simplest part of your scam?

The psychology of that mind, the thief who is both smart and impossibly dumb, is downright intriguing.

I Can't Believe This Just Occurred To Me...

...who gets your digital library when you're dead?

If I have tangible creative works, like hardcopy books, CDs, and yes, even vinyl albums, then I can give them to my heirs/assignees.

Can I do that with my Amazon video library? My iTunes music library? Any of the various ebooks I have floating around in the ether?

I have never read the entire ToS for any of these systems/vendors...so I don't recall if it was mentioned. Does anyone know? Please feel free to explain, in the Comments.

If we don't get a definitive answer in a couple weeks, I'll interview someone who might actually know (like an intellectual property attorney), and post the results here.

But I am now fascinated by this topic.

Anatomy of a Nerding Session (or: How To Waste A Lot of Time And Get Distracted By Various Topics Tangentially Involved With What You Set Out To Do In The First Place)

1) I need to make a backup of my laptop hard drive. A full clone, so I can just hotswap it out if the drive I have in regular use dies suddenly. No big deal-- I've done this dozens of times before.

2) Order a new drive online; old drive is 1Tb, so I get a 2Tb replacement, just in case.

3) Wait one week. New drive arrives.

4) Hook up my Apricorn EZGig 3.0 housing and the new drive to the laptop. Run the EZGig software. Love these products-- I've used Apricorn's stuff for almost 20 years. Wait six hours.

5) Come back to machine. See black screen. Move the cursor-- see the finish screen for the EZGig software. Press Exit...and the machine reboots. I wait through the sequence...boots clean. Check the new backup drive-- Windows asks me if I want to format this new, blank drive. Restrain self from crying.

6) Do Step 4 again. Same result. Try very hard not to cry.

7) Check all connections, gear, software. Go to Apricorn website and read the FAQ. Check the technical manual for troubleshooting tips. Go to online forums to see what other geeks have done in similar situations. Apricorn's site says the device may work better on large-drive backups if the copy device is run with its own power plug, instead of running off USB. Makes sense.

8) Check my previous (older) EZGig devices; none of the AC adapters fit.

9) Go online to order a new AC adapter for the backup device. Apricorn doesn't have this as an option. Try to call Apricorn to make a phone order. Christmas week. No answer for personal sales office.

10) Wait a week.

11) New Year's week. No answer.

12) Get in touch with personal sales the first week of January. VERY helpful sales rep; sees my customer history, only charges me seven bucks for the adapter, including shipping. Very cool.

13) Wait two days. Adapter arrives much earlier than expected.

14) Repeat Step 4, adding the adapter to the process. Wait six hours.

15) Same result. Honestly-- I didn’t cry.

16) Check everything over again. Realize I don’t have a USB 3.0 port on my ancient laptop. The EZGig 3.0 system uses USB 3.0. Maybe that’s the problem.

17) Repeat Step 4, this time with my older model EZGig 2.0 device. Wait six hours.

18) Same result. Not a tear, I swear.

19) Conclude it must be a problem with the size of the drives/data store in question. Go online and do multiple searches for variations of terms such as “large drive cloning problems.” Spend at least an hour. Find three or four products that might do the trick.

20) Choose a free product, EaseUS Todo Backup. Download it. Install and run it. Wait three hours.

21) Result: a copy failure notice that there are bad sectors on the original drive. Do not pull out any of my own hair.

22) Go online and do multiple searches for variations of terms such as “clone drive bad sectors.” Find three or four products that might do the trick.

23) Go to various public and industry social media sites. Make posts requesting input from colleagues/practitioners. Get very good feedback from multiple people (unprompted) about one of the products I had already found: SpinRite.

24) Confirm with many reports from industry workers online that SpinRite is a dandy solution. Check SpinRite’s website. Looks like a junior-high kid made it on MySpace in 1998. Buy it anyway. Download.

25) Have to run it from a boot disk. Have no idea if I have any blank CD/DVD-ROMs around. Have no idea if my CD/DVD even works on the laptop. Go back online, learn how to make a bootable USB.

26) Go back online, relearn all about iso images.

27) Go back online, relearn all about the command line instructions for mounting a drive image.

28) Boot machine to the USB. Do all the steps that need to be done to run the software. Decide to run the software in an error-detection level first, before trying to copy the drive. Run the software. Wait two hours.

29) SpinRite detects no problems. Run the software at the level for copying the drive. Wait three hours.

30) SpinRite says it’s done. I check the destination drive-- Windows asks me if I want to format the new/blank drive. Still don’t cry. Really.

31) Go back online and ask for more input from crowdsources about cloning large drives with bad sectors. Everyone suggests Linux dd. Decide to try GNU ddrescue.

32) Spend at least an hour reading about how to use Linux again.


Still haven’t pulled the trigger on trying it. Utterly convinced I will wipe the drive. Have considered that the new drive is the one that’s broken-- don’t want to think about the hassle of returning/exchanging it.

Tell me I’m not alone in thinking (quite obviously wrongly) that doing this drive cloning myself is somehow saving me time/money over the option of sending the thing off to someone who does forensics professionally, and could do the task in their sleep. Also, that every new Step in a nerding process sends me down a rabbithole of investigation/study about some arcane topic I’ll probably never use again, and really don’t need to know about for any kind of regular use. And that the process of doing a nerding fix (in this case, cloning the drive for a future possible) is somehow less time-consuming than the process of just making a clean build of the OS on a new drive, reinstalling all my software, and creating/refamiliarizing the new drive with all my various accounts for various systems/sites.

Or just tell me I’m an idiot. Because I realize that’s probably much closer to the truth.


Contribute to CIS Controls List

If you're old like me, you remember it as the SANS Top 20, but now it's referred to as the CIS Critical Controls, and version 7.0 is being developed. CIS is looking for input from professionals, and opened the discussion for public comment, so feel free to chime in and give them your opinion.

Two ways to do it:

- Log in to their Workbench (requires registration, but it's free): https://workbench.cisecurity.org/

- Download a comment form: here

The Benefits of Late Adoption

Perhaps my greatest shortcoming as a nerd is my reluctance for early adoption of technology; I simply have no interest in the latest, bestest, newest, coolest gadgets on the market.

Yes, this can cause me to lag in my estimation of IT solutions. Yes, I am mocked (and rightly so) by students and colleagues when I tell them I still have an AOL email account. Yes, I am old and everybody should get off my lawn. But there is also an upside to late adoption:

- Huge cost savings. Huge. I can wait two years for the novelty of a thing to wear off, and get a much-reduced price when I get around to buying it. This is especially true in software, and especially especially true for games.

- I'm never involved in the proof of concept. Back when I was a young (read: stupid) man, I bought the first year-model of a new car. Within the first year of owning it, all the defects and design problems inherent in that model became quickly apparent, and there were multiple recalls. Waiting a while to buy a thing means that the first wave of customers have taken the brunt of field testing, and the thing is now ready for actual regular use.

- No false sense of security. The latest suite of products are often seen as inviolable, because they use the latest security protocols and tools; this can lead to sloppy practice and habits (like crafting and transmitting data with sensitive info, even when it could be avoided) because users feel a reliance and trust for the product. This puts them one zero-day exploit away from feeling very silly.

- Strangely enough, legacy platforms may be more secure in some ways than their new-fangled replacements...mainly because aggressors won't actually believe that those legacy products are still being used for viable purposes, and won't include legacy attack methods/gear in their toolkits. I mean, I really don't think the script-kiddies even know what AOL is, much less how to hack it. Sure, a dedicated adversary won't have a tough time getting the proper attack tools once they know a target is using a legacy system, but a dedicated adversary is going to get in eventually, regardless of the age of your platform.

- Utility/productivity is always a tradeoff with risk and security. The more I can do with a tool, the more I can lose. Losing a 256K flashstick in a hotel lobby will cause me a lot less damage than dropping a 2Tb flashstick. My old flipphone had no identifying data on it (other than some texts and a rudimentary Contacts list), in stark contrast to my smartphone (which, I think, has my DNA, cocktail preferences, innermost thoughts, and secret cookie cravings embedded in the BIOS).

No, I'm not saying that everyone should immediately regress to a Luddite position of rolling back three generations of tech in order to gain some slight advantage...but buying up the latest and greatest shiny boxes and zippy software is not the best choice, either.


My Favorite (and Least Favorite) Security Moment of 2017

I was preparing to teach a class in another city, and communicating via email with the POC at the client site. In addition to explaining about the location, parking, and so forth, the POC included this tidbit:

"Upon first entering the facility, you can pick up your security badger at the reception desk."

I have never, ever, been more disappointed by a typo.

CISSP CAT Format Feedback, Part 2

A second former student has reached out with some feedback...he passed, as well! Smart class, that.

Here's what he had to say (and he says he's glad to answer questions about the experience, too, and will be checking the blog Comments, so feel free to chime in):

"Since you probably haven't gotten much feedback about the CAT yet, I thought I would provide you with my preparation strategy and exam experience.

Here were the study materials I used and their usefulness (in no particular order):

Classroom notes - 10/10 - This is where I began my studying and it helped me tailor my studying to topics I was unfamiliar with.

The Official CBK CISSP text - 1/10 - I used it during class for subjects I had absolutely no familiarity with, but in general, there is too much information to internalize and a lot of rabbit holes that the exam will simply not ask about. Not to mention it's unbearably dry.

Eric Conrad's 11th Hour CISSP Study Guide - 9/10 - Effectively a condensed version of the most important CISSP topics. There were a few areas that may require additional reading (i.e. RMFs) but in general, this is an excellent text reference.

Kelly Handerhan's Cybrary video series - 10/10 - This was by far the most useful resource I used. If I had the time, I would have watched the full series twice, taking copious notes. She also offers an excellent bit of advice about approaching the exam with a managerial mindset, rather than a troubleshooting or technical one.

Phil Martin's Simple CISSP - 10/10 - I found this book on Audible and listened to it during my commutes. The author narrates in a very slow, deliberate, and clear Texan drawl, clearly explaining even some of the most difficult subjects.

Sybex Test Questions - 5/10 - Compared to the actual exam, the practice questions in the Sybex bank are so-so. Many of them ask about details the exam couldn't care less about; many more of them are simply too easy and direct. (For example, the exam will never phrase a question such as "blah blah blah describes which security control/process"). There aren't enough "which of these is the BEST/MOST accurate," which is the entirety of the exam.

Transcender Test Questions - 7/10 - This bank contains many more of the BEST/MOST accurate style questions, but still not enough to truly simulate the exam.  Fun fact: if you purchase the bank from Transcender, six months of access is $160, if you buy it through Cybrary (via the Kelly Handerhan videos, which are free), access is only $40. That's a useful bit of knowledge for the financially-minded."


Great stuff to know, and really glad he offered to share.

New Year, New CISSP Exam

Just in time for 2018, the CISSP exam from ISC2 has converted from the traditional linear, fixed-length format to a Computerized Adaptive Testing (CAT) model for exams delivered in English (foreign-language versions of the test currently remain in the traditional format). This means that instead of the grueling 6-hour, 250-question test, CISSP candidates now face only 100 to 150 questions, in a maximum of three hours.

Depending on your success with multiple-choice tests, and your personal technique, the new experience could be either a massive boon or a ridiculous hurdle to get the certification.

I got my CISSP back when the test was in the traditional format...and done with pencil and paper. I have no clue how I'd do on the current version.

I have, however, received feedback from the first of my students to take the new version of the test: they passed! Their exam was also only 100 questions long (meaning the student demonstrated sufficient command of the material so that the testing engine didn't have to throw more questions at the student), and it took the student an hour to complete. Perhaps most interesting, this particular student is not an IT practitioner, but is familiar with the industry in other roles. Main impression? The student repeated what I always try to stress to anyone taking one of the certification tests: READ. THE. FULL. QUESTION. Make sure you read it completely, and understand what's being asked, and that you read all of the possible responses.

The exam is still being administered by Pearson VUE, and you can download the exam outline from ISC2's website.

Have you taken the exam in the new format? Please add some feedback about your experience in the Comments!



Is your personal information worth anything to you?

Back in 2004, I wrote an article about how various entities make money off transactions involving the personal information of customers and citizens (which, in some cases, such as the DMV in many US states, are the same group). [That article kinda predicted how access to personal data could be acquired rather easily by someone posing as a legit customer of third-party data verification services, like TML's TravelCheck...only about 18 months before ChoicePoint was dinged by federal regulators for allowing exactly that kind of illicit disclosure to happen.] I suggested that private entities wouldn't start being serious about data security until customers started realizing the inherent value of their own personal information.

I was totally wrong about that. Private entities now engage in data security practices (or at least pretend to, by expending a modicum of effort and money), but not because of how their customers feel about personal privacy: instead, those private entities are much more concerned about regulatory compliance.

A lot has happened in the intervening 13 years since that first article, including many breaches of massive databases, revealing volumes of personal customer data. Customers have also become a lot more computer-friendly, and are using personal devices to conduct online shopping and ecommerce transactions at a rate that is vast compared to even a decade ago. They also claim to be extremely concerned about "privacy" (whatever that means, when individuals are asked in surveys on the topic), and have some awareness of threats like identity theft and hacking of personal accounts/files/assets and scams.

The weird part is, they don't behave as if they really understand the value of their own data...or as if they're truly frightened about any impact its loss would cause. The market share of companies like Target, Home Depot, and TJ Maxx has not declined significantly, even though those entities have demonstrated that they aren't the best stewards of customer data. And experiments have demonstrated that individuals are likely to part with their own passwords in exchange for incentives as basic as candy bars.

I don't think this is a shortcoming of the private sector, specifically; we know governments aren't any better at protecting information that's been entrusted to them. (And I, for one, have chosen to behave accordingly; even though I might shop at Home Depot and Target, I am not going to take any job with the US federal government that would require a security clearance, because the USG has proven that it is very good at losing my personal information.)

But customers/citizens/individuals just don't seem to care whether their data is protected, or how it is protected...even though those same individuals will say they care quite a bit.

So I have to ask...if people don't really care about the loss of their personal data (which we can tell from what they do, versus what they say), and the impact they experience from any actual loss is really pretty nominal (often more an inconvenience, and results in lost time, not lost assets), why do we have such a strict regulatory mandate in many jurisdictions? Why are there so many laws and standards in place to protect something that doesn't seem to really have much value?

It might be heresy to ask, but...are we at the point where "MORE SECURITY!!" is not actually the best approach, in terms of the interests of individuals? Does the cost of adding more and more protection to personal data raise the price of goods and services ultimately provided to individuals...and does that price increase go beyond what the average cost of a loss would be to each person?