Category Archives: Certifications

My CISSP Experience

7
Posted by Skyler on January 1, 2011 – 3:22 pm
Filed under Certifications, CISSP, Reviews

After 4 months of studying, I took the CISSP exam on the 20th of November. Let me share with you my journey:

Preparation

I began with a very intense and structured study schedule (see my previous CISSP study post). After starting back up the last semester, and having a wave of testing assignments come up, I was forced to simplify my study plan. I used 3 primary sources:

  1. The Official (ISC)2 Guide to the CISSP CBK
  2. CISSP Study Guide (Syngress) by Eric Conrad
  3. CCCure.org

I spent the first couple months simply chewing through the official coursework. In retrospect, I think I might have been better prepared if I had used Shon Harris’ book instead of the offical book. Although the Offical Guide was full of great content, it was often hard to undertand and apply the principles. This is extremely detrimental to the CISSP candidate (for reasons I will explain further down). So although the content is supposed to be the most “unadulterated”, it perhaps was too cryptic for the average person to benefit from the most.

The Study Guide by Eric Conrad was fantastic! Although it did not go through the same breadth of topics as the Offical Guide, it covered nearly 95% of the topics, and emphasized what I found to be the most testable topics. I appreciated the simplicity of Conrads book and helped me to better understand topics that I had only partially understood from the Offical Guide. So the way I used the Conrad book was as follows. I would read the chapter of the official material, and then read the Conrad book’s corresponding chapter. After that finish those books, I read the Conrad book again, taking a page worths of notes from each chapter (see below for detail on the notes I took).

CCCure was amazing. The videos were fairly redundant for what I had read, but if you have time I would suggest watching all of those before starting any of the books. What I benefited from the most was the quizzes. I took nearly all of the quizzes possible (in sets of 25), and kept chart of those areas I struggled in most. I used these test results to help me identify what I needed to take notes on and study further when I reread Conrad’s book. I must say that the quizzes were the biggest help in solidifying my conceptual understanding of the CBK. I have to also mention how helpful Clement (the owner and operator of CCCure) was. He was quick to respond with emails, and had personal responses to my questions. He also sent me an amazing summary of BCP/DRP. Although you dont get to see your test results if you pass, I do believe that I didn’t miss a single BCP/DRP question because of that guide. There are also some amazing last minute review guides on the CCCure website that were of great assistance. I took one with me until the moment I walked in the door to the testing room.

Taking the Exam

The test day wasn’t too bad. I took it at the University of Utah in their medical building. There must have been 15-20 people in the testing session with me. I was by far the youngest, and was intimidated to find that many (much senior) candidates were taking the test for their 3rd and 4th time. At that moment I figured I would fail miserably; perhaps the experience would be a good was to prepare for my next time. Here is what I found about my experience:

  • Although you could bring food, and drink, I didn’t really need it. The proctor brought some water, but other than that I didn’t want to waste the time eating my snacks.
  • The time calculates down to actually a fairly short amount of time for each question. As a response, I decided that I would read through all the questions, filling in the questions I knew for sure, and skipping any question I had the least amount of doubt about.
  • When actually answering the questions, I used good ‘ol test taking skills. I would first identify the outlandish answer and scratch that off. Then I would Identify any other answers that were contradicting the remaining ones. From there I would scratch my first impression on what the correct answer was, and move on. When returning to those questions after my first pass through the exam, I found that my nerves were calmer, the questions seemed clearer, and the answers stood out more easily (whether they changed or not depended on my reading of the question, which I found I had often misread/misunderstood on the first reading).
  • I finished with about an hour to spare. I could have gone through the questions again, but I was so mentally exhausted I just wanted it to be done. After all, I wanted to avoid the second guessing that occurs during stressful tests.

The Exam

I must say that what I had heard about the exam worked it up to be some evil device only the devil himself could have created. In actuality, it is quite opposite. I cant give many details about the actual test, but I will say this:

  • It is very well written. However, it does use double negatives and other tricky wording. So if you have trouble with reading comprehension, you should take great care.
  • It is NOTHING like the CEH. The CEH is nearly all the memorization of facts. The CISSP was very different. It required more understanding of the concepts and principals. So dont go into the CISSP studying as if you are going to be regurgitating facts. Dont get me wrong, you need to know the facts (about protocols, encryption, etc), but questions will require the knowledge of facts within the application of principles.
  • Dont expect to find the answers to questions within other test questions. I read a post by someone saying that this was the case, but I seriously doubt that they actual took the test.

The Aftermath

Yes Yes, everyone has their aftermath story. Mine was like this: I was feeling great… until I got to the entry hall of the building we were in. There I saw one of the other candidates, and we asked how we felt we did. I guess I hadn’t read enough about the actual exam, because the fellow explained to me how the questions were weighted differently. You see, I was confident that I had answered over 75% of the questions correctly; very little doubt about it in fact. However, after that I was panicing that I had failed. As I explained to my wife, “I am sure I won the popular vote, but I may have been killed by the electoral college” (a little bit of political humor).

After weeks of waiting (probably because of the holiday season), I got my congratulations email at 6:30am the day before christmas eve.

If you have any questions, feel free to post them!

CISSP Passed!

5
Posted by Skyler on December 29, 2010 – 2:17 pm
Filed under Certifications, CISSP, News

Yup! I passed the CISSP! Wasn’t too bad. More on that to come!

CISSP Study Plan

0
Posted by Skyler on August 18, 2010 – 8:15 am
Filed under Certifications, CISSP

I am considering taking on the CISSP as my next certification. I am finishing up the ECSA (review to come), and I am already leveling my sights on the next target.

CISSP vs. eLearnSecurity

I was debating on what my next target should be. Seeing as the next semester starts up in 3 weeks, I was hesitant to commit myself to something too big, but still wanted a good goal. I had long been wanting to enroll in the eLearnSecurity Pro Pentesting Course, but for some reason I could never justify the cost. What I mean is that under threat of a new version, the obscurity and lack of credibility of the certification, and the fear that the course delivers less than it advertises, I am skeptical to invest in that course. Nevertheless, it still remains something I would like to try.

On the other hand, the CISSP still remains the defacto gold medal for Security professionals. Although not Penetration Testing focused, it is the top dog of the DoD 8570 and packs lots of credibility. The CISSP is no simple task, and (from what I have seen) yields an 80% failure rate. However, seeing as my past certification history has always resulted well due to good study, I believe I could do it.

So for those reasons I have decided to work for the CISSP rather than the eLearnSecurity course (eCPPT). If you think i am making a mistake in that choice, please share with me your comments.

So how do I prepare?

After much studying and researching, I figured out that my best choice for prep material would stem from 2 books.

  1. Official (ISC)2 Guide to the CISSP CBK, 2nd Edition by (ISC)2 Press)
  2. CISSP All-In-One Exam Guide 5th Edition by Shon Harris

These seem to be the best books to use. I will also use the Shon Harris exam mentor CBT, as well as the CCCure.org site and practice exams.

Spending at least 5-10 hours a week, I am wondering how soon I will be prepared. Earliest I could take the exam is November 20th, but more than likely Ill end up taking it in January (the exams are live, proctored exams that are scheduled in different regions at different times).

I think I might try to follow the outline of this fellows study plan.

If anyone has taken the CISSP or is preparing for it, please contact me. I would love to compare and discuss study helps and such!

[Review] Hacking By Numbers: Combat Edition by SensePost

3
Posted by Skyler on July 28, 2010 – 10:29 am
Filed under Certifications, Reviews

I just returned from the training portion of Black Hat in Las Vegas. This was my second Black Hat, and it was just as good as the first. I took the Combat edition of the Hacking By Numbers course, here is my review:

Review

The Hacking By Numbers courses are a series of trainings done by SensePost, a South African security company. The courses are presented as Cadet, Bootcamp, Web 2.0, Combat, and Chief of Staff editions. I had previously attended the Bootcamp edition (which reminds me, I need to write a review on that), which is the recommended pre-req for Combat edition.

Here is the overview found on the Black Hat website:

This course is the flagship course of the established Hacking by Numbers series. From the first hour to the final minutes students are placed in different attacker scenarios as they race the clock to “capture the flag”. In the SensePost tradition, the solutions lie much more in technique and an out-of-box thought process than in the use of scripts or tools. Each exercise is designed to teach a specific lesson and will be discussed in detail after it is completed. In this way you learn from your instructors, your colleagues and your own successes and failures.

The “Capture the Flag” exercises have all been designed to replicate real-life scenarios with real-life-hacker stumbling blocks along the way. Students will have to deal with multiple firewalls, IDS devices and home spun red herrings in their quests to complete the challenge. During the exercises SensePost’s leading technical specialists will discuss possible attacks, possible alternatives and even possible defenses for the scenario in question.

The exercises range from simple layer one attacks to more complex attacks requiring combinations of web application vulnerabilities and TCP/IP covert channels. All tools, documentation and required reading material will be provided to the students.

Structure

The course is two-days in length, and is completely hands on. The instructor, Marco, did a fantastic job as a guide, rather than a lecturer. The entire course is a series of “pracs”, in which a different pen testing technique is exercised. It is important to note that these “pracs” were created based on real world assessments. After a 20 minute intro which primarily included pearls of wisdom gleaned from SensePost’s experience, we were thrown straight into the fray; just as advertised, this course was all hack.

For each “prac” you are given three things: the Objective, Recommended tools, and Obscure hints. The objective gives you the endpoint, as well as the end goal. Most of the end goals was to place yourself on a Wall of Fame (typical of CTF challenges). The recommended tools portion is meant to be a very basic hint if you had no idea where to start. The obscure hints were just that. They served a valuable purpose in the end learning objective of the course. After the completion of the “prac”, a review of the hints would show a clear reverse thinking process that would serve you well on a pen test if you were to internalize it.

As a hurdle would be overcome during a “prac”, the instructor would start giving assistance to those struggling. In some cases he would give further clues, but mostly he would help describe the underlying technology being used for those unfamiliar with it. This ensured that you could get the most out of the exercise by not getting hung-up on step-one. Otherwise you might end up missing out on the rest of the fun.

After each “prac”, the instructor would then poll the class on the methods they used to achieve the objective. I was amazed at his ability to instantly recreate and model a student’s method on multiple platforms. Unlike many trainings in which you can get board waiting for a demo to work, the instructor was in complete sync with the pace of the students, not going too fast, nor dragging on the time.

Content

The content was definitely the masterpiece of this training. Some trainings are simply over priced “script kiddie” tutorials that could be found on YouTube. However, HBN: Combat was nothing like this. Not once did I touch Nessus, Metasploit, or any other framework. I was pleasantly surprised at the small span of tools utilized during the whole process. Mostly it was a mixture of Wireshark, Nmap, some sort of inline proxy, and your CLI.

While speaking with one of the SensePost testers, he explained to me that one of the issues within the industry is the limited “sight” of the testers. So many pen tests are conducted by running Nessus, CANVAS, or some other vulnerability scanner, and dumping the report on their client. Even if they do go on to verify vulnerabilities, it is usually done using Metasploit, Impact or another exploitation framework. This obviously leaves many false positives, and even worse, false negatives. This is why HBN: Combat is so effective. The course is built upon the principle that no system is completely secure; you simply need to find the hole that takes real skill to discover.

In line with that principle, the exercises were highly technical, and very clever; they only required recognizing patterns and thinking outside the box. Some of my favorite practices involved doing:

  • IPS bypass
  • Protocol Reversing
  • Security measure bypassing
  • chained exploitation
  • system misconfiguration
  • Thick app attacks

Overall, I left the course feeling very well equipped and much better prepared.

Conclusion

This was a fantastic course! It was essentially two days of learning pen testing skills gleaned from real world assessments. I feel like I have a better understanding  of the underlying technology in common (and uncommon) implementations. There were very few (if any) technical issues, and the instructor was friendly, and a true expert; he demonstrated an exhaustive understanding of all technologies used. I highly recommend that everyone take this course. It will definetly widen your “sight” in your pen tests, while also teaching you awesome little tricks.

Visit SensePost’s webiste here!

Review: Certified Ethical Hacker (312-50)

1
Posted by Skyler on July 16, 2010 – 5:58 am
Filed under CEH, Certifications, Reviews

After 5 weeks of studying, I finally completed my CEH exam yesterday. I passed with a 90%. I am not permitted to go into too much detail about exact questions, but I can offer my thoughts. I have broken down my review into 3 categories meant to help security professionals decide on the certifications to take. The total score, or the individual scores can be used as a guide for selecting the correct certification for your career path.

Rating:

  1. Technicality (4/5) – The course requires a bit of knowledge regarding the underlying functions of networks, etc. Being able to read code, understand hex dumps/packet captures, and such is a definite must for truly understanding the content. The exam and course is aimed at professionals fairly new to security. Considering that, the amount of technical knowledge gleaned was quite good. I wouldn’t necessarily say fire hose in intensity, (although for some it could easily be that way), but more like a garden-hose-on-full-blast. Most of this is relating to the amount of tools you learn. However, much of the technical knowledge was still quite theoretical, since it was in general more focused on identifying/recognizing attacks or tools, rather than hands-on usage of the such. I give it a 4 our of 5 in technicality in context of its intended audience, yet its lack in more hands-on usage of the tools.
  2. Managerial (2/5) - The CEH is definitely directed to those looking to do the more technical aspect of Penetration Testing and security. However, it still does teach some managerial skills. Mostly they are just short rants about NDAs, Get-out-of-jail-free cards, and staying within scope. There is some policy creation that is emphasized when talking about social-engineering, but only because they test it from that aspect. I give it a 2 because there is some important information gleaned, although they never truly test or prepare on the actual Management topic; it simply occurs as a byproduct of everything else.
  3. Prestige (3/5) – This is the controversy! It comes down to this: DoD 8570 vs TestKing. Yes, the Department of Defense directorate 8570 includes the CEH as one of its recognized certifications. This makes it quite valuable! I dont think I need to say much about it. Its nice because the exam is so cheap, while most of the other 8570 certifications (save the CompTIA ones) are quite costly. Therefore, the CEH is nice because it enables unfunded individuals the opportunity to get a well recognized certification. Just for that I would give it a 5… except for one thing…Test Prep Questions. I used some test prep questions for my final preparation of the test. If I had just taken 5 weeks to memorize all of the answers in those prep questions, i probably would have gotten the same score. Thats right, probably 70-80% of the actual test questions were verbatim to those within test prep questions. What does this mean? well it means that if you are legitimately prepared for the test, this will give you the leg up to guarantee you pass! If you prepared well you will blast through the questions pretty easily. However, this also means that any schmo off the street can memorize the answers and pass the test with flying colors. Unfortunately the only real defense EC-Council has against this is it’s approval process for those wanting to take the test (self-testers need a waiver to take the test w/o attending a course). Some people dont think this is such a big deal. I consider it a big deal since one day I might find an employer who discounts my CEH as being worthless due to a bad experience with some idiot who passed the CEH without learning a thing. For this reason alone I would have given a rating of 1, or 2, except for whole DoD 8570 thing.

total: (9/15)

The Exam:

The examination was pretty good. It is 150 questions, and you are given 4 hours. I completed mine in in 2 hours. The reason it took so long was the length of some of the questions. A majority of the questions are paragraphs long in description, and many have diagrams/dumps to look at.There were some easy questions, and some hard ones; just like every other certification. However, I was surprised that I was not asked questions on certain things. For instance, nmap, virus/backdoors, and ICMP codes/types were strongly emphasized within my prep-material, however I did not have a single question relating to either of them. The reason for this is most likely the dynamic nature of how they generate your exam question set, as well as the huge scope of the course. The course covers so much information that it would require a much lengthier exam to cover it all. There were also a  few control questions. Control questions are very difficult questions, sometimes beyond the scope of the exam, that are scattered throughout the exam. Some say that they are ungraded and used for statistical analysis; I believe they are there to slow you down ;) The test seemed to do well at addressing the different questions from the angle of the hacker, as well as the administrator/investigator. This makes it a little tricky, but forces you to have a good understanding of the content.

I have broken down my review into 3 categories meant to help security professionals decide on the certifications to take. The total score, or the individual scores can be used as a guide for selecting the correct certification for your career path.

Comparison:

In comparison to the Security+, I would have to say that I enjoyed the CEH more. I tend to be a more technically oriented, and really enjoyed learning the PenTesting methodology and tools. However, the Security+ offered a great deal of managerial and policy information. I would definitely  say that the Security+ was easier than the CEH , simply because there was relatively less technical know-how required for it. The Security+ did serve as a great foundation for the CEH and made passing the CEH much much easier. I would recommend you attain both. Some topics covered in depth in the Security+ and not in the CEH include: Encryption, Access Control models, and policy creation. Another cert on this same level is the mile2 CPTEngineer. The course is advertised as being comparable to the CEH, but more hands-on. I have not taken that course, so I cant say much on it. If anyone has some input, I would be happy to include it.

Conclusion:

Im glad I got the CEH. However, immediately  after completing the test I felt the need to attain the next level of knowledge. I feel a whole lot more knowledgeable because of the CEH, but I still feel miles away from the end goal. A good certification as a starter.

CEH Preparation

3
Posted by Skyler on July 9, 2010 – 11:16 am
Filed under CEH, Certifications

I am scheduled to take the Certified Ethical Hacker certification exam (312-50) next week (wish me luck).

Overall I have enjoyed the self-study process. Here are a few pros/cons I have about the curriculum:

Pros:

  • Huge scope
  • Lots of specific examples and command descriptions.
  • Emphasizes the entire Pen Test process, not just the “popping a box” stuff.
  • Significant emphasis on policy.
  • A reasonable focus on underlying processes, not just ‘tutorials’.
  • Required me to improve my understanding of the TCP/IP (especially ICMP)

Cons:

  • Available curriculum can easily become dated. Tools you need to learn for the exam are probably useless by now.
  • Not sure exactly which tools are important to remember/study.
  • I was glad to be directed to the RFCs, but sometimes it was too much for little return.
  • Failed to discuss modern defenses that a Pen Tester would run into. (i.e. NAT)
  • Seemed stuck on buffer overflows and trojans/backdoors. Very little was put into newer attacks like XSS (none on XSRF), and SQL Injection.

In comparison to CompTIA’s Security+, I would say that the CEH is much more technical, hands down. Security+ emphasizes more on security theory, management, and policy; and not to forget, a TON of cryptography. CEH focuses much more on the actual testing. Some people might say that its pointless to get both. I would advise otherwise and encourage all those getting into the security field to achieve both certifications. With both you would be well prepared to follow either the management, or the technician track of the security field.

Overall I think the CEH certification is a good credential to have. It will build confidence in your skills as a Pen Tester, prepare you for the business aspect (opposed to just hacking), and make you more reputable to others (since it is now on DoD 8570). In no way do I think this certification would prepare you to “strike out on your own”. I feel like its a good Basic Training for those going into Pen Testing.

For those interested in pursuing the CEH, here was my Self Study Outline, and a few tips:

Study:

Week 1-4: Read through prep book, using Counter-Hack Reloaded as reference. I made about 400 note cards, and reviewed them everyday as I went. I spent about 1.5-2 hours a day reading, and was careful to make sure I did all recommended tasks.

Week 5: I spent an entire week reviewing my note cards, and memorizing everything I could.

Week 6: Do all the practice tests included with my study materials. Also used TestKing test bank, and whatever else I could get my hands on!

NOTE: I would like to mention that I have already been involved in security for some time before my CEH prep. I have the Security+, and have attended trainings at Black Hat. If you are brand new to the security world, I would recommend taking a significantly longer amount of time to prepare and understand the underlying technology.

Materials:

  1. ExamCram CEH Prep Guide (by Que)
  2. Counter-Hack Reloaded (by Ed Skoudis, the Grandmaster)
  3. Official EC-Council CEH Review Guide

I did use some other materials, although these were my primary ones. In a few days I will post a comparison of the materials and what I would advise.

Bad Behavior has blocked 275 access attempts in the last 7 days.