Thursday, October 25, 2007

Community SANS Boston 2007 day 4

I'm blogging live from Community SANS Boston 2007.

Today we finished up the Crypto domain, and completed Operations Security. Loads of great comments from class. We discussed fairness (and legality) with regard to internet history searches. Many of us had been in the position where a manager will say "John Doe is wasting time on the internet: show me a history of his internet usage."

I believe that you don't use technology to solve a personnel problem. If an employee is 'wasting time' on the internet, they could be wasting time in other ways, such as on the phone, long breaks, playing games, etc. It's not a technology problem; it's a management problem.

If you were to discipline 'John' for non-business internet usage, you should ask yourself: how many other employees use the internet just as much (or more) for non-business purposes? Are you holding them to the same level of scrutiny as you are holding John? If not, you may have legal issues.

Nick brought in a few books today, including the aforementioned The Code Book by Simon Singh. Also the classics The Cuckoo's Egg by Clifford Stoll, and The Art of Deception by Kevin Mitnick.

The Code Book opens with the story of Mary, Queen of Scots: she was executed for attempting to overthrow the British throne and implement Catholic rule in Britain. Often left out of the history books is the fact that cryptanalysis led to her death: Queen Elizabeth was hesitant to execute her cousin, until the proof of treason was revealed when Mary's encrypted letters were decrypted.

Wednesday, October 24, 2007

Community SANS Boston 2007 day 3

I'm blogging live from Community SANS Boston 2007. Right now the Red Sox are on, and winning game 1 of the World Series 6-1.

We started on the Crypto domain today; my favorite domain. The history of crypto is fascinating: the course of history has changed due to crypto. I recommended The Codebreakers by David Kahn to my students; it is a fantastic history of crypto, up through the late 1960s. The story of the Japanese Purple machine is fascinating. Cracking the Purple machine saved untold thousands of lives, shaved years off World War II in the Pacific theater, led to a decisive victory in the Battle of Midway Island, and changed the course of the war.

Miguel, one of my students, recommended The Code Book by Simon Singh, and Cryptonomicon by Neal Stephenson. I have added them to my Amazon list.

Monday, October 22, 2007

Community SANS Boston 2007 day 1

Community SANS Boston 2007 began today; I thought day 1 went very well.

Mike, a gentleman who attended my Incident Handling/Hacker Techniques class last year, decided to pursue the CISSP® certification and attended this class. After earning his GCIH last year, he was promoted and now heads up a security team at his company. He decided it was time to round out his information security management knowledge. It's always great to see repeat students!

We have a great cross-section of industries represented in class, including some military and financial folks.

We covered the Access Control Systems & Methodology today. A universal point that came up today: access control is hard, and often thankless. We often see a litany of access requests, with many folks clearly requesting more access than is required. Users can be quite vocal when access is denied or limited, and we never hear "Great job on access control today! You really nailed it!!"

A few questions from today:

Q: Are the questions on the CISSP® in domain order, or randomized?
A: The questions are in random order.

Q: What are the new CISSP® experience requirements as of Oct 1st, 2007?
A: (ISC)2 now requires 5 years of experience in two or more domains in the Common Body of Knowledge (and you may subtract 1 year with a 4-year degree). This is a change from the old rules, which required 4 years of experience in one of the domains in the Common Body of Knowledge. See the new CISSP® experience requirements.

As an FYI, the next CISSP® @Home starts in January.