How and Why to be a CISSP and CEH

advertisement
DISCLAMER: Some of the views and opinions expressed in this presentation are presenter’s alone, and may or may not reflect or align with
organization’s policies, and certain sections of the material should not be viewed as an official enforcement by any organization or person. This
presentation may be freely distributed.
How To Make A Fortune in
INFOSEC (or S/W Development)
October 22, 2010
Kurt R. Schmeckpeper, CISSP, GCIH
DISCLAIMER
• The thoughts, statements, and ideas
presented here are not representative of
or claimed by Motorola or any past
employer, ASU and their faculty, or anyone
else you might meet, and they are in no
way responsible or liable for them.
Brief Professional Resume
• BSEE, MEE – Okla. State University - 1975
• NASA, Houston, Texas – 1975 to 1996
–
–
–
–
Space Shuttle – SW Developer & Flight Controller
Space Station (US & Russian) – System Design
Tomahawk Cruise Missile – SW Tester (St. Louis)
Apache Helicopter – System Tester (Mesa, AZ)
• Engineer, Motorola INC. – 1996 to present
–
–
–
–
Chandler Arizona, Basingstoke UK, Copenhagen DK
Iridium – SW Tester then Test Manager
Authentication Centre – Test Manager
Information Assurance System Designer & Analyst
Current Job Role
• Educator & System Designer
– Bringing the gospel of Information Assurance
and Computer/Network Security to the
masses
– Designing IA into our Private Radio Systems
that we sell to Government agencies.
– Consulting on IA with other Corporate Product
Teams
Brief Personal Resume
• Bay Area Comm. on Drugs & Alcohol
Abuse – Crisis Help Line: 1977-1980
– Volunteer, Trainer, Board of Directors
• Galveston Co. Fair & Rodeo: 1981-1996
– Computer Geek, Secretary, Treasurer, Board
of Directors
• Greater Corona Home Owners Assoc.:
2000-2004
– Contracts Mgr., Secretary, Board of Directors
How to Be Wealthy
Have Rich Parents
Marry a Rich Spouse
Win the Lottery
Become a Successful Black Hat
Work as a White Hat (this presentation)
YOU WILL MAKE YOUR OWN CAREER!
Others may help, but it’s ALL ON YOU!
What is INFOSEC (from ISC2)?
1)
2)
3)
4)
5)
6)
7)
8)
Access Controls
Telecommunications and Network Security
Information Security and Risk Management
Application Security
Cryptography
Security Architecture and Design
Operations Security
Business Continuity and Disaster Recovery
Planning
9) Legal, Regulations, Compliance and Investigations
10) Physical (Environmental) Security
Technical Skills You Should Have
• LEARN the Operating System
• LEARN the Coding Language
• LEARN Assembler & Shell Coding
– The Art of Assembly Language by Randall Hyde
– www.ollydbg.de (an Excellent Disassembler)
– www.safemode.org/files/zillion/shellcode/doc/
Writing_shellcode.html
• LEARN Metasploit www.metasploit.com
• Consider becoming Certified (CISSP or CEH)
Occupations using these skills
• Penetration Tester
• Incident Handler
• Secure Software Development & Test
– When you can Hack your own code, you
know that you have to make it more secure
• Cyber Warrior (DoD needs 3000+)
• Auditor
– Additional training in whatever standard you
are auditing against is required
What Else Should You Know?
• Learn English Grammar, Syntax, & Punctuation
– unless for a Foreign company, then substitute the “official”
language for English
• Learn Social Engineering
– How to Listen/Motivate/Evaluate People
• Pick a Technical Specialty or two
– But then become a Generalist
• Be as Technology Agnostic as Possible
– Don’t be a Fan boy or girl for any technology unless you are
going into SALES as a Career
• Learn PowerPoint and Public Speaking
– Join Toastmasters for the practice and the connections
If you want a MGMT career
• Learn some FINANCE stuff
– Start with an Engineering Economics textbook
– You don’t need to be an MBA
• Unless you aspire to be a CISO
• Learn some Project MGMT tools
– Microsoft Project is a good one
• Learn how to play Golf
• Learn about Cultures other than yours
Prior to & Post-Graduation
• If you know the job you want, go after it!
– Otherwise, search until you see an appealing job
• If your job hunt is not immediately successful,
consider volunteering at a Charity or Hacker
Space, while you keep looking
– Or consider getting a Masters Degree
– Or consider the Armed Forces
• Keep learning new skills & practicing old ones
Your First Job
•
•
•
•
Lower rungs of the tech or mgmt ladder
Unpaid Overtime is Expected
When offered company training – take it
Expect to make Mistakes
– Learn from them
• Be friendly to the Admin Asst (Boss’ Secretary)
• Do your Job well before you Volunteer to take on
new jobs – unless your boss asks you to take it
Your First Job (continued)
• Sign up for:
– ALL the Health & Life Insurance they offer
• It’s the cheapest you will ever buy
– 401-K
• at least to get the full company match
– Savings Plans or Company Stock Plan
• as much as you can afford
Your First Job Attitudes
• Read the HR Policies & LIVE Them!!!!
– Acceptable Computer Use Policy
– Information Classification & Handling
– Cultural Diversity Policy
– Be Pro-Active in reporting violations of these
policies (however discuss it with the person
first, they may have been ignorant)
• HR exists to protect the company first and
you second.
Your First Job Attitudes
• Identify your internal/external Customers
– It’s all about Customer Service
• Your Boss and co-workers
• Companies/Groups you deliver to
– “If I received this product, would I be
Happy/Satisfied with it?”
• Don’t date co-workers, customers, or
competitors
– Not a hard & fast rule, but it makes your life
go smoother.
How to Present to MGMT
• It will probably be in Powerpoint
– NO Animations
• Only people that like animations are being trained or they are
in SALES
• Problem Statement
– Clear, Concise, and Why
• Possible Solutions (the no more than 4 Best)
– Again, Concise, with Pros and Cons, and Cost
• Your Recommendation (Optional)
First Job After Work Activities
• Have Fun – with some caution
• Volunteer – Expands your network & Social
Circle
• Learn a new Skill/Hobby
– Doesn’t have to be a work-related skill
• Woodworking, Plumbing, Computer Repair
• Dancing, Golf, Bartending, Foreign Language
• LIVE WITHIN YOUR MEANS!!!!
– Make a Budget and stick to it.
– Save for Retirement
A Word About Social Networking
• Social or Business Related (Personal)
–
–
–
–
–
Facebook – Limit what you post & your network
MySpace – see Facebook
Linked-In – Strictly for Business & Work-related stuff
Plaxo – Avoid – Check out their Privacy policy
Naymz – Avoid – Check out their Privacy policy
• Don’t “friend” any boss or co-workers on Facebook or
MySpace (it’s just a bad idea), Linked-In is OK.
• Keep your Work Life and After-Work Life as far apart as
possible.
How To Get Promoted
1)
Do Your Job Very Well (and know the promotion
requirements)
•
2)
Exceed your Boss’ Expectations!
Make Your Boss Look Good
•
3)
When they get promoted, they will be looking for a
replacement
Transfer to Another Job
•
Repeat 1) & 2) above
If your Boss won’t cooperate, go to his Boss
4)
•
5)
But make sure you are solid on 1) & 2) above as you may
have to do 3)
Live Long Enough
•
Sometimes it’s just a matter of being in the right place at the
right time and knowing the right people
First MGMT Job
•
When you exceed Technically, you will probably be promoted to Supervisor
– This is not a BAD Thing, although it will take you a while to realize it.
–
Alternatively, if you are Totally Exceptional Technically, you may want to quit and hire yourself
out as an Independent Contractor. This pays VERY, VERY well, but you will be paying the
Full Cost of your Benefits Package including both sides of Social Security, remember to save
money to pay your Taxes.
•
95% of the comic strip Dilbert by Scott Adams is REAL LIFE!
•
With Luck, you will be doing 50% MGMT/50% TECH
–
–
•
Your friendly & non-friendly co-workers may be reporting to you
–
•
But that rarely lasts two or three months, and then its 90% MGMT/10% TECH
Get over it, that’s the way LIFE is!!! Learn all you can.
You have to put some personal distance between you and them
You will have to evaluate/counsel/mentor/placate/motivate them
Thoughts on Certifications
• Passing a Certification exam says that:
– You have the minimum knowledge to be considered
for certification (at the time of the test) OR
– You are very good at taking tests.
• CISSP - www.isc2.org
– “A mile wide and two inches deep”
• SANS – www.sans.org
– MGMT & TECH – Hands On Tech
• CEH – various
– See Resource presentation at the end
Thank You For Your Time!
• Questions?
Resources
• How to protect your privacy (11 slides)
• IA Certifications – should I get one?
– Compare/Contrast CISSP & CEH
– Used with permission of the author
Should We Expect Privacy?
• http://www.theregister.co.uk/2008/10/07/symantec_thom
pson_privacy_bunk/
• “Consumers ought to accept that loss of privacy is the
price they pay for using internet service, according to
Symantec chief exec John Thompson.
• Echoing Scott McNealy's opinion that "you have no
privacy, get over it," the Symantec boss expressed
surprise that information such as IP addresses is
regarded as sensitive.”
So what do we do now? - 1
• Surf the web with a proxy server
– www.anonymizer.com
– www.torproject.org
– www.the-cloak.com
– www.megaproxy.com/freesurf/
• None of these have been evaluated by me
except analytically
So what do we do now? - 2
• Use encryption (your email & Hard Drive)
– www.truecrypt.org
– www.gnupg.org (Free PGP)
• Turn on/Install – scan and update weekly
– Firewall (Windows, ZoneAlarm is better)
• www.zonealarm.com
– Anti-Virus (AVG) –
• free.avg.com/download-avg-anti-virus-free-edition
– Anti-Spyware (SpyBot Search & Destroy)
• www.safer-networking.org/en/download/
So what do we do now? - 3
• Setup many email addresses
– Don’t use AOL or Hotmail
– GMAIL is OK, but it’s a target
– Use them for different purposes
– Use a private email address for your close
contacts
• Web Browsers
– Turn off scripting or use Firefox with NoScript
So what do we do now? - 4
• Keep all your software up to date!
• Get Secunia’s Personal Software
Inspector (PSI) – Its Free
– http://secunia.com/vulnerability_scanning/personal/
– Use IT!
• Be Careful Using Bluetooth!
– Google “Josh Wright Bluetooth Video”
– or www.ihackforsushi.com
Other Things To Be Careful About
• Internet Kiosks
• WiFi in Hotels, Airports, & Coffee Shops
– Never check bank balance or shop online
• ATMs (especially if it keeps your card)
• Shopping online
– Use One Credit Card with a low limit
– Don’t use a Debit Card
What Do I Do?
• All of the above plus:
– Separate computers for work, play, & “risky”
– One laptop is “disposable” and has a plug-in
wireless card that is only used for “risky”
– When installing Windows, I use a fake name
and company
– Otherwise I use Linux, which doesn’t need it
– I also use LiveCDs and Virtual Machines
What Else Can You Do?
• Educate yourself
– Learn your Computer, Operating System, and
programs
– Read the latest hacking literature at (you
might have to use Firefox instead of IE):
• www.defcon.org
• www.toorcon.org
• www.shmoocon.org
• Google Yourself Weekly!
“Risky” Work Defined
• WiFi in Hotels, Airports, & Coffee Shops
– Unless its work-related, then I use my work
laptop with two-factor authentication and a
VPN encrypted tunnel
• Checking the security of a neighbor (with
their permission, of course!)
Closing Thoughts - 1
• In the 2006 Census, there were 225,633,342
people in the US whose age was 18 years or
older.
– You will have your PII exposed
– With luck, you won’t lose any money
• A last quote from Symantec chief exec John
Thompson:
– "Businesses have a responsibility to protect sensitive
data. The public should not expect the government to
protect them."
Closing Thoughts - 2
• The odds of anyone trying to track you down are
low!
– There are trillions of pieces of information stored in
the ISPs and search engines of the world, so your
stuff is not easy to find.
• Your non-online Credit Card History is probably
more exciting than your web browsing
• However, if you run for political office, become a
political agitator or become very wealthy, all bets
are off!
DISCLAMER: Some of the views and opinions expressed in this presentation are presenter’s alone, and may or may not reflect or align with
organization’s policies, and certain sections of the material should not be viewed as an official enforcement by any organization or person. This
presentation used with the author’s permission.
Information Assurance Forum
How and Why to be a CISSP and CEH
May 20th, 2010
Gedi Jomantas,
CISSP, CEH, CCNA, CCNP, CCSA, CCSE -> CBSA, AECDM, MCDMMM…
Outline
– Nothing matters but your resume
– Certifications and different schools of thought
– Not all certifications were created equal
– Certified Information Systems Security Professional - (CISSP®)
– Certified Ethical Hacker - (CEH)
– Certification value to you and your company
– Where do you go from here?
Nothing matters but your resume…
…well, not exactly…
…but when your career hits a brick wall….
…or…
Nothing matters but your resume…
….when the job winds change… the question is….
.... what will your sail look like?
Search “CISSP” Results:
Search “CEH” Results:
Dice.com - 1050
Dice.com - 40
Monster.com - 1000
Monster.com - 40
Courtesy: Johnklund.com, 123rf.com
Certifications and Different Schools of thought…
• Experience
–
–
–
–
20 years of government experience in secure systems engineering, certification and architecture
BS Business Admin/Mgt; BSEE; MS CS with a focus on Secure Systems Engineering
10 security related patents
NSA accreditations
vs. Certification?
• Complimentary, not a replacement!
–
• CISSP, CEH, CISA, etc.
Your buddy does, but HR rep may not know you…
• So you have the piece of paper, hung it on the wall…
• Certification vs. Professional Lifestyle
– Don’t get it for the sake of getting it….
– Conscientious choice to support your career’s direction
• Industry Participation
– Security professional community
– “Security professional” community
• Continuous Education
– Knowledge can get stale…
now what?
Not all certifications were created equal….
Orientation
• Management vs. Individual Contributor
• Policy Oriented vs. Technical
- CISM, CISA, CISSP, CEH, QSA, etc.
Concentration
• Security Domain
• Domain Segment
• Technology Area
• Industry Specific
• Vendor Specific
– Cisco, Microsoft, Nortel, RedHat, Solaris, etc.
• Provider specific
• ISC2, EC-Council, SANS, etc.
– GIAC, CEH, CISSP, etc.
Method
• Boot camp vs. Self study
• Classroom vs. CBT
• On-site, instructor led
Certified Information Systems Security Professional - CISSP®
Marketing Alert!
The Certification That Inspires Utmost Confidence
•
If you plan to build a career in information security – one of today’s most visible
professions – and if you have at least five full years of experience in information
security, then the CISSP® credential should be your next career goal.
•
The CISSP was the first credential in the field of information security, accredited
by the ANSI (American National Standards Institute) to ISO (International
Organization for Standardization) Standard 17024:2003.
•
CISSP certification is not only an objective measure of excellence, but a
globally recognized standard of achievement.
Certified Information Systems Security Professional - CISSP®
• The CISSP® Domains Include:
• Access Controls
• Telecommunications and Network Security
• Information Security and Risk Management
• Application Security
• Cryptography
• Security Architecture and Design
• Operations Security
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Compliance and Investigations
• Physical (Environmental) Security
http://www.isc2.org
• CISSP certification pre-requisites:
• Professional experience in two or more of the CISSP domains
• Minimum 5 years of experience in information security
• Complete the Candidate Agreement, attesting to the truth of his or her assertions
regarding professional experience and legally commit to adhere to the (ISC)2 Code of Ethics
• Successfully answer four questions regarding criminal history and related background
Certified Information Systems Security Professional - CISSP®
•
Additional CISSP Concentrations
–
Information Systems Security Architecture Professional (CISSP-ISSAP)
•
•
•
•
•
•
•
–
Information Systems Security Engineering Professional (CISSP-ISSEP)
•
•
•
•
•
–
The six domains of the CISSP-ISSAP CBK are:
Access Control Systems and Methodology
Communications & Network Security
Cryptography
Security Architecture Analysis
Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
Physical Security Considerations
The four domains of the CISSP-ISSEP CBK® are:
Systems Security Engineering
Certification and Accreditation (C&A)
Technical Management
U.S. Government Information Assurance (IA) Governance (e.g., laws, regulations, policies, guidelines, standards)
Information Systems Security Management Professional (CISSP-ISSMP)
•
•
•
•
•
•
The five domains of the CISSP-ISSMP CBK are:
Security Management Practices
Systems Development Security
Security Compliance Management
Understand Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
Law, Investigation, Forensics and Ethics
Certified Information Systems Security Professional - CISSP®
Getting a CISSP
Author: Kerry Thompson
think of it as a journey ...
Myth #1: A CISSP certification is easy
Well, some people may think that it is easy. Most people find it hard work: you need to have at least 3 years in IT security before you even apply for the
exam. You need to cover an extremely broad landscape of IT security - many areas, such as physical security, few people will have any experience in. And
you'll need to do a fair bit of reading and studying to get through that exam: 250 questions to answer in 6 hours isn't much fun.
Myth #2: Once you get it, just sit back and relax
No. Once you pass the exam you need to earn CPE credits in order to keep your certification. If you don't then you'll need to resit the exam after 3 years to
keep the certification. Getting CPEs is fairly straightforward: if you publish papers, attend seminars, do some presentations, and basically remain active in
the IT security arena then you should have no problem here. But it takes a little work: this isn't a get-it and forget-it sort of certification.
Myth #3: You'll get more money/better job/more recognition
In actual fact, you probably won't. I've found (at least here in New Zealand) that many employers and even employment agencies have no idea what a
CISSP is. They tend to think in terms of the product-certifications; you know, the Cisco CCNA and Checkpoint CCSE sort of thing. They have no idea that
you need 3 years of experience to get a CISSP, and they have no idea that it is an ongoing professional-level certification like a CPA (Chartered
Accountant). Ergo, you probably won't get a better job or more money from waving your CISSP certificate around.
So, why would you want a CISSP?
Its not easy to get, it takes maintenance, and may not gain you much. Why would you want to go through all that hassle? Here's
some good reasons:
•To expand your knowledge in security concepts and practices.
•To show a dedication to the security discipline.
•To meet a growing demand for security professionals, and to work in a thriving field.
•To join a professional organization and to link up with like-minded individuals
http://windowsecurity.com/whitepapers/Getting-a-CISSP.html
Certified Information Systems Security Professional - CISSP®
Country
(Other)
Albania
Andorra
Angola
Antigua and Barbuda
Argentina
Aruba
Australia
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belgium
Belize
Bermuda
Bolivia
Bosnia and Herzegowina
Botswana
Brazil
Brunei Darussalam
Bulgaria
Cambodia
Cameroon
Canada
Cayman Islands
Chile
China
Colombia
Costa Rica
Croatia (Hrvatska)
Cuba
Cyprus
#
5
2
2
1
1
89
1
1,145
95
1
5
28
1
24
1
305
1
16
2
2
2
269
1
18
1
1
3,552
13
73
457
457
7
40
1
12
Country
Czech Republic
Denmark
Dominican Republic
Ecuador
Egypt
El Salvador
Estonia
Faroe Islands
Finland
France
France, Metropolitan
French Polynesia
Germany
Ghana
Gibraltar
Greece
Guam
Guatemala
Haiti
Honduras
Hong Kong
Hungary
Iceland
India
Indonesia
Iran
Iraq
Ireland
Israel
Italy
Jamaica
Japan
Jordan
Kazakhstan
Kenya
#
56
271
4
5
70
3
7
1
298
508
7
1
799
10
2
78
4
15
1
2
1,286
71
3
1,171
74
4
2
254
178
245
14
1,215
22
6
16
Country
Korea, Republic of
Kuwait
Latvia
Lebanon
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Malaysia
Malta
Mauritius
Mexico
Morocco
Namibia
Nepal
Netherlands
Netherlands Antilles
New Zealand
Nigeria
Norway
Oman
Pakistan
Panama
Paraguay
Peru
Philippines
Poland
Portugal
Puerto Rico
Qatar
Romania
Russian Federation
Saint Kitts and Nevis
Saint Lucia
#
2,479
38
11
15
1
9
38
16
8
221
9
13
263
2
1
1
1,058
4
147
115
121
10
94
12
1
12
59
175
44
23
47
55
149
1
2
Country
Saudi Arabia
Senegal
Serbia
Singapore
Slovakia
Slovenia
South Africa
Spain
Sri Lanka
Sudan
Suriname
Sweden
Switzerland
Taiwan
Tanzania
Thailand
Trinidad and Tobago
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom
United States
Uruguay
Venezuela
Viet Nam
Virgin Islands (British)
Virgin Islands (U.S.)
Yemen
Zambia
Zimbabwe
#
172
2
7
971
22
16
293
390
57
1
1
319
471
215
2
114
27
12
88
3
17
284
3,423
42,195
23
11
12
1
1
1
1
4
Certified Ethical Hacker - CEH
Certified Ethical Hacker - CEH
Certified Ethical Hacker - CEH
CEH Certification
• The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks
by attacking the system himself; all the while staying within legal limits.
• Catch a thief, by thinking like a thief Certified instructors will take you through practice exams and real world
case studies that prepare you to become the Security Professional your organization can depend on.
• What is an "Ethical Hacker"? The Ethical Hacker is an individual who is usually employed with the organization
and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the
same methods as a Hacker.
• Hacking is a felony in the United States and most other countries. When it is done by request and under a
contract between an Ethical Hacker and an organization, it is legal.
• The most important point is that an Ethical Hacker has authorization to probe the target
• The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a
vendor-neutral perspective
– Skills span across multiple domains: social engineering, in-depth technical expertise, vulnerability assessment, penetration
testing, principals of forensic analysis, etc.
• The CEH certification will fortify the application knowledge of security officers, auditors, security professionals,
site administrators, and anyone who is concerned about the integrity of the network infrastructure.
• A CEH is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities
in target systems and uses the same knowledge and tools as a malicious hacker.
Certified Ethical Hacker - CEH
Other CEH related certifications
• Advanced Ethical Hacker
• Certified Penetration Tester (CPT)
• Certified Expert Penetration Tester (CEPT)
• Certified Application Security Specialist (CASS)
• Certified SCADA Security Architect (CSSA)
• Certified Data Recovery Professional (CDRP)
• Certified Reverse Engineering Analyst (CREA)
• Certified Computer Forensics Examiner (CCFE)
• Etc…..
Certification value to you and your company
You:
• Opportunity
• Continuous Professional growth
Company:
• Market specific training requirements
• Mandatory certifications
•
DOD 8570 provides guidance and procedures for the training, certification, and management of all government
employees who conduct Information Assurance functions in assigned duty positions
•
DOD 8570 requires that anyone who has access to Information Technology system, must be certified with
one of the external certifications listed. This includes contractors and vendors by 2010
Where do you go from here?
– Assess your career objectives
» Remember, “nothing matters but your resume”… ;)
– Talk to a CISSP or CEH and decide if it is a right certification for you
– Discuss with your manager if a security certification is the right fit for you in
your current or future roles
– Understand how security certification aligns with your organizations
business goals
In conclusion...
Keep in mind…
sometimes, certification is nothing more than a
Download