CISSP Preparation – Books

Are you getting ready to take the CISSP exam?  Are you wondering where to start?  Are you wondering how you will know when you are really ready to take the exam?  I have some tips that I have found are very useful through my six years of teaching CISSP for (ISC)2.

Let's start with books.

I classify books available for preparing for this exam into three categories.

Category 1 = Cliff Notes

Category 2 = Full prep guides

Category 3 = Expert books

Category 1 includes CISSP for Dummies and the Passport by Mike Myers.  The Passport is currently out of print as I write, but perhaps you can borrow one.  I recommend either of these books.  The basic difference between them is the style of writing.  The CISSP for Dummies book is entertaining to boot, but if you are going to be aggravated by funny quips, such as the different hash algorithms being compared to the Jackson family, then go with the Passport book.

I would recommend using these books as you start your studying, through to the last week before you take the exam.  When you first pick up this book I would take a walk through to start to identify the topics you are familiar with and those that you are not familiar with.  As you identify areas that you need to work on you can then migrate to a book out of Category 2.

Category 2 books include the Official Guide from (ISC)2, the All-in-One Exam Guide by Shon Harris, as well as many others.  I recommend that you pick a book here that matches your reading style.  For example, the Official Guide is a bit long-winded on topics, and that works great for some people but not for others.  Most people seem to work well with the All-in-One Exam Guide.

As you go through the list of topics in your Category 1 book and find things that you are less familiar with, or not familiar with at all, I would then recommend that you move to your Category 2 book to read more on that topic.  Some people do read their Category 2 book from cover to cover, a couple of times even, although most do not.  I find it to be most useful as a research aid.

Category 3 books include all of the real books out there on security.  These are the books that are written by a subject matter expert on their topic of knowledge.  If you are still left confused by Category 1 or 2 books, this is the place to turn for more detailed, or possibly, more accurate information.  ISC2 has a list of books that falls into this category.  My favorite cryptography books can be found here.

In general these books are too detailed for getting ready for the exam, although they could be very useful when you are looking for that additional information or clarification information for a specific project.

One other note regarding buying books is that you don't necessarily have to.  There is free information available on the web.  Just buyer beware: you usually get what you pay for.  One place that many turn to is CCCure.  There are several study guides that people have put together and posted on this site.  For the most part these are nice study guides and can save you some money.

Good luck ;) and study hard.

More coming on CISSP practice questions.

Sexting

Whether you agree that this should be legally punished or not is not the issue for this moment.  The issue right now is that your teen could end up in trouble with the law.

Talk to your teens now.  Know what your teen is using their cell phone for now.

There is a growing trend of teens taking partially nude or nude photos of themselves with their cell phone and then sending them to others (boyfriend, girlfriend, etc.).  This is Child Pornography.  Child Pornography laws were probably not conceived with the idea of prosecuting the children, but their pictures are covered by the Child Pornography laws.

As a parent, aunt, uncle or grandparent you have the additional concern of your children sending partially nude or nude pics of themselves.  My guess is you don't want them engaging in that activity.  Do you know what they are sending?  This is not likely to be something that the average teen would admit to the adults in their life.  If you don't know, find out.  If they won't tell you, be the parent and find out.

There is a reasonably priced device (I am sure others exist out there besides this one) for viewing what is on the SIM card of their phone, which includes the deleted pictures and text messages that are not visible from the phone itself: The Cell Phone Spy.

Whether you choose to spy on your children's phones or not is your choice.  I simply recommend that you FIND OUT what they are doing with their phones before they get into more trouble than they can imagine.

PPP – An Overview

Point-to-point links are physical or logical direct connections between two endpoints.  These connections are often dial-up or T-1/E-1 connections.  They allow the exchange of bits between two end devices, but do not manage the flow of data.  Imagine two people sending a file via a dial-up modem.  Now imagine that the file in question is a large 100KB data file.  A file that large on dial-up is likely to take forever, and the chances of there being no transmission errors during the entire duration of the transmission are very small.  Without a framing protocol the entire file would have to be resent every time there was a single bit error on the line.  With framing, the missing bit can be detected and a single frame, or chunk, of the file can be re-transmitted to replace the frame containing the errored bit.
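To make the framing argument concrete, here is an added example (my own code, not part of the original post and not a real PPP implementation) that splits a constructed 1 KB "file" into frames, protects each frame with the 16-bit CRC that PPP and HDLC use for their frame check sequence (CRC-16/X.25), flips a single bit in one frame on the wire, and shows that only that one frame has to be resent. The frame layout (sequence number, length, payload, FCS) and the 256-byte payload size are my assumptions for the illustration.

```python
"""Added example: why a framing protocol with a checksum means a single bit
error costs one frame, not the whole file.  Toy frame format (my assumption):
  seq(2 bytes) | len(2 bytes) | payload | FCS(2 bytes, CRC-16/X.25)
"""
import struct

FRAME_PAYLOAD = 256  # bytes of file data carried per frame (constructed value)


def crc16_x25(data: bytes) -> int:
    """CRC-16/X.25, the 16-bit FCS used by PPP/HDLC.
    Reflected polynomial 0x8408, initial value 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0x8408
            else:
                crc >>= 1
    return crc ^ 0xFFFF


def build_frames(payload: bytes):
    """Cut the payload into frames, each carrying its own sequence number and FCS."""
    frames = []
    for seq, off in enumerate(range(0, len(payload), FRAME_PAYLOAD)):
        chunk = payload[off:off + FRAME_PAYLOAD]
        body = struct.pack(">HH", seq, len(chunk)) + chunk
        frames.append(body + struct.pack(">H", crc16_x25(body)))
    return frames


def check_frame(frame: bytes):
    """Receiver side: return (seq, chunk) if the FCS verifies, otherwise None."""
    if len(frame) < 6:
        return None
    body, fcs = frame[:-2], struct.unpack(">H", frame[-2:])[0]
    if crc16_x25(body) != fcs:
        return None                      # damaged frame, discard it
    seq, length = struct.unpack(">HH", body[:4])
    chunk = body[4:]
    if len(chunk) != length:
        return None
    return seq, chunk


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a single-bit line error at the given bit position."""
    ba = bytearray(frame)
    ba[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(ba)


def transfer(payload: bytes, corrupt_frame: int = -1, corrupt_bit: int = 0):
    """Send every frame once; a frame that fails its FCS is resent on its own.
    Returns (reassembled payload, number of frames retransmitted)."""
    frames = build_frames(payload)
    received = {}
    retransmitted = 0
    for i, frame in enumerate(frames):
        on_the_wire = flip_bit(frame, corrupt_bit) if i == corrupt_frame else frame
        result = check_frame(on_the_wire)
        if result is None:
            retransmitted += 1           # only this frame goes again
            result = check_frame(frame)  # clean retransmission arrives
        seq, chunk = result
        received[seq] = chunk
    return b"".join(received[s] for s in sorted(received)), retransmitted


if __name__ == "__main__":
    sample_file = bytes(range(256)) * 4          # constructed 1 KB "file"
    data, resent = transfer(sample_file, corrupt_frame=2, corrupt_bit=40)
    print("file intact:", data == sample_file, "frames resent:", resent)
```

Without the per-frame FCS the receiver could not tell which chunk was damaged, which is exactly the "resend the whole file" case the paragraph above describes.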

Synchronous Data Link Protocol was developed by IBM in 1975 and was designed to carry SNA (IBM proprietary) protocols.  HDLC was the follow-on protocol developed by the International Organization for Standardization (ISO).  HDLC lacked the ability to identify the contained data type and was later modified by Cisco to include a type field used to designate the upper layer protocols within the frame.  Cisco's HDLC is not compatible with standard HDLC.

Point-to-Point Protocol (PPP) (RFC 1661) is today's standardized framing protocol of choice.  PPP includes provisions for carrying numerous upper layer protocols, and PPP further includes provisions for OSI Layer 2 authentication.  The lower in the OSI model that authentication takes place, the more secure the system.  As an analogy, think about the means used to authenticate a caller on your phone.  You might have caller ID, or you may ask the caller's identity directly after greetings are exchanged.  Either way, your process (dinner perhaps) was interrupted, your phone rang, and a connection was established between an unknown remote entity and yourself.  Now, imagine requiring people to authenticate before they could ring your phone, thereby eliminating the unwanted evening caller.  Often computer systems authenticate at the Application Layer after a TCP connection has been established.  This can allow an unauthenticated user to disrupt your CPU and potentially gain unwanted access to your PC.  PPP can require authentication prior to establishing any upper layer communications.

The secret to this authentication lies in the fact that PPP is made of two families of protocols, Link Control Protocol (LCP) and Network Core Protocol (NCP).  LCP establishes and defines the Layer 2 connection, while NCP carries the upper layer protocols.

Prior to link establishment, both ends of the PPP link must send LCP packets and may require authentication.  The LCP packets negotiate such things as authentication requirements, encapsulation format, packet size, error handling and link termination.  Once the parameters of the link have been established, NCP packets choose and configure at least one network layer protocol.  If PPP has been configured to require authentication (typically through PAP, CHAP, or EAP), authentication success messages must be passed on the LCP link prior to passing NCP packets.
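As an added example (my own code, not from the original post and not a real PPP stack), the following models the phase ordering just described: LCP brings the link up, CHAP authentication runs, and only after a CHAP Success is an NCP such as IPCP allowed to configure a network layer protocol. The CHAP response is computed exactly as RFC 1994 specifies, MD5 over the identifier, the shared secret and the challenge, so the secret itself never crosses the link (the contrast with PAP, which sends the password in the clear). The peer name, shared secret and the simplified phase names are constructed for the illustration.

```python
"""Added example: CHAP (RFC 1994) gating NCP traffic on a simplified PPP link.
Phases follow the RFC 1661 diagram: dead -> establish -> authenticate -> network.
The peer names and secrets are constructed sample values."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response = MD5(Identifier || secret || Challenge).
    The secret is an input to the hash, never a value sent on the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and checks responses."""

    def __init__(self, shared_secrets):
        self._secrets = shared_secrets          # peer name -> secret

    def new_challenge(self) -> bytes:
        return os.urandom(16)                   # fresh per attempt, never reused

    def verify(self, identifier, challenge, peer_name, response) -> bool:
        secret = self._secrets.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


class PPPLink:
    """Simplified phase machine: NCPs are refused until CHAP has succeeded."""

    def __init__(self, authenticator: Authenticator):
        self.auth = authenticator
        self.phase = "dead"
        self.identifier = 0
        self.challenge = b""
        self.network_protocols = []

    def lcp_up(self):
        """LCP Configure-Request/Ack exchange done; move to the authenticate phase
        and send a CHAP Challenge (identifier, challenge bytes) to the peer."""
        self.phase = "establish"
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = self.auth.new_challenge()
        self.phase = "authenticate"
        return self.identifier, self.challenge

    def chap_response_received(self, peer_name: str, response: bytes) -> bool:
        if self.phase != "authenticate":
            return False
        if self.auth.verify(self.identifier, self.challenge, peer_name, response):
            self.phase = "network"              # CHAP Success: NCPs may now run
            return True
        self.phase = "dead"                     # CHAP Failure: link is torn down
        return False

    def ncp_configure(self, protocol: str) -> bool:
        """e.g. IPCP for IP; accepted only in the network phase."""
        if self.phase != "network":
            return False
        self.network_protocols.append(protocol)
        return True


def demo(peer_secret: bytes = b"s3cret-from-config"):
    """Walk a peer named 'branch-router' through the link; returns the outcome."""
    link = PPPLink(Authenticator({"branch-router": b"s3cret-from-config"}))
    early_ipcp = link.ncp_configure("IPCP")     # before LCP: refused
    ident, challenge = link.lcp_up()
    mid_ipcp = link.ncp_configure("IPCP")       # after LCP, before auth: refused
    # the peer computes its response from its own copy of the secret
    authed = link.chap_response_received("branch-router",
                                         chap_response(ident, peer_secret, challenge))
    late_ipcp = link.ncp_configure("IPCP")      # only works after CHAP Success
    return early_ipcp, mid_ipcp, authed, late_ipcp, link.phase


if __name__ == "__main__":
    print(demo())                 # (False, False, True, True, 'network')
    print(demo(b"wrong-secret"))  # (False, False, False, False, 'dead')
```

The ordering enforced by `ncp_configure` is the point of the paragraph above: a peer that cannot authenticate at Layer 2 never gets as far as configuring IP, let alone reaching an application.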

Personal Security part 1 – RFID Passports, Credit cards and badges

I have had two conversations in the last two days that reminded me of the world that I live in: the world of the security-informed and therefore the slightly paranoid.  So may I offer some of my paranoia to you…

I received my new US Passport yesterday.  There are no more choices with the US Passport; they all now come with an RFID chip embedded inside of them.  So today I ordered a new wallet to go along with my new passport.  Those two conversations were on this topic.  So here is the scoop…

Many of our credit cards and our new passports have RFID chips embedded in them.  The amount of information contained on these chips does vary, but what does not vary is the fact that it is information that we do not want to leave the safety of our wallets.  These chips likely contain your name, your address, your account number or passport number and so on.  There is both good and bad news with these wondrous new chips.

The good news: It is possible to move forward with technology in our daily lives.  You can purchase tasty treats from a vending machine by waving your credit card in front of it instead of fighting with the machine to get it to accept that last dollar bill in your wallet that is crumpled and torn.  Or pay for your groceries at the store by waving your credit card in front of the machine instead of dealing with the magnetic strip that just can't be read today.  (Have you ever had a store clerk place your credit card inside of a plastic bag and then run it through the reader, in the plastic bag?)  These problems go away when you introduce the RFID chips.  It is easier for Immigration and Customs to spot faked passports now; shoot, it is even harder for the bad guys to fake passports for that matter.

As with all good news, there is a flip side, the bad news.  Some of the companies producing cards with RFID chips have acted responsibly by trying to protect our information with encryption, while some have not.  Unfortunately even those companies that have tried to do good are up against some bad guys out there: the bad guys that try just a little harder, the bad guys that crack the encryption.

So what are we to do?  We can debate whether these RFID chips should be used or not, but unfortunately that will not help us protect ourselves in the here and now.  So let's work on that instead.

There are plenty of instructions available to the hackers of the world, so let's protect ourselves!  The attack against these is now being referred to as the Johnny Carson attack: http://www.theregister.co.uk/2006/10/24/rfid_credit_card_hack/

The first step is to figure out if you have any of these chips in your wallet.  You can usually see them when you look at your cards (including your badges to get into the office as well).  They are usually gold or silver in color and only a few centimeters square, about half the size of a dime.  For the US passport you can't see the chip, but when you received your passport they told you that it contained sensitive electronics.  If you don't remember that paperwork it might be a time issue; these passports were issued within the last 2 or so years.  The other clue with the passport is the weight and thickness of the cover.  The old passports were bendable; the new ones are not.

The second step is to find out if there is a way to disable these chips.  If you are not in need of the convenience of flashing your credit card in front of a reader rather than swiping it through a reader, I would suggest disabling.  One company that definitely allows you to disable these chips is American Express.  I would recommend checking your bank's website or simply giving them a call for assistance.

The third step is to protect the information on these chips.  If it is a work badge, a Visa card, a MasterCard or your passport, you may not have the choice of disabling them.  So the next step is to carry them in a secure wallet or holder.  There are many on the market now and they come in a variety of shapes, colors and styles.  I would highly recommend looking for a vendor that says that their wallet/holder is FIPS-201 compliant; otherwise you may only think you are protected.

Some of the options that I would recommend looking at are the following.  If these do not suit your style or need, then I would recommend googling "RFID blocking FIPS wallet" or something to that effect.

For your work badge holder my recommendation would be http://www.idstronghold.com/content/products.

For your passport or credit cards there are two basic options.  The first option is a sleeve that the card/passport slides into and then you can place it in your regular wallet.  The second basic option is a new wallet.

The sleeves are generally cheaper than a whole new wallet, but which will work best for you is up to you.

For a sleeve you can look at http://www.idstronghold.com/content/products

If you are looking for a wallet, the expensive but nice looking wallets (men's and women's) can be found at www.kenakai.com, or check out http://www.difrwear.com/products.shtml (men's only).

Be safe

Password Storage

Let's start with passwords… we all have 'em… we all need 'em… and they are out of control!  My preference for storing all of those passwords is a free little program from CounterPane called Password Safe.  It allows you to store all of your passwords in one safe, encrypted location.  You must remember one password in order to access the safe, but once you are in you have all of your passwords nicely listed and arranged.  It also has the very nice feature of creating random passwords for you, to increase the general strength of your passwords.

When you need to log into something, simply open Password Safe, scroll down until you locate the entry you need, double click on it, and now you can simply paste the password into the password box in your application.  Memory is then cleared so the password will not remain there for some nefarious thief to steal later.

Very very useful!  Kudos to CounterPane for making this and making it available to the general public for free.

You can download from here: http://passwordsafe.sourceforge.net/
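Two of the things a password safe does for you, as an added example in plain Python (my own code, not Password Safe's and not from the original post): it never stores your master password, only a slow salted hash of it that it can re-check later, and it generates random passwords from a cryptographic random source rather than a predictable one. The iteration count, character set and the sample master password below are my assumptions, not values from any real product.

```python
"""Added example: the master-password check and random password generation
behind a password safe, using only the standard library.
The iteration count and alphabet are my choices; sample values are constructed."""
import hashlib
import hmac
import math
import os
import secrets
import string

PBKDF2_ITERATIONS = 600_000          # deliberately slow so guessing is expensive
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def make_verifier(master_password: str, salt: bytes = b"") -> tuple:
    """Derive what gets stored on disk: a random salt plus PBKDF2-HMAC-SHA256
    of the master password.  The password itself is never written anywhere."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, PBKDF2_ITERATIONS)
    return salt, key


def check_master(master_password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = make_verifier(master_password, salt)
    return hmac.compare_digest(key, stored_key)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the `secrets` module (CSPRNG, not `random`),
    rejecting candidates that miss a character class so a site's
    'must contain a digit and a symbol' rule is always satisfied."""
    if length < 4:
        raise ValueError("length must allow one of each character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Strength of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    salt, key = make_verifier("correct horse battery staple")   # constructed sample
    print("right master password accepted:", check_master("correct horse battery staple", salt, key))
    print("wrong master password rejected:", not check_master("correct horse", salt, key))
    pw = generate_password(20)
    print(f"generated: {pw}  (~{entropy_bits(20):.0f} bits)")
```

The "memory is cleared" behaviour the post mentions is the other half of the story: once a password has been pasted, nothing in the program should keep holding it, which is why the example above never keeps the master password around after deriving the key from it.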