A First-Hand Experience with CISSP CAT

Patrick Strijkers is a 43-year-old information risk security officer at a pension funds firm in the Netherlands. He works in the IT security department in security incident management. Patrick’s employer runs a job rotation program, allowing him to gain experience in a variety of roles, with his next position coming invulnerability management this September. He holds the following security certifications:

  • CompTIA Security+
  • CompTIA Network+
  • EC-Council Certified Ethical Hacker v8
  • EC-Council Certified Security Analyst v8
  • EC-Council Computer Hacking Forensics Investigator v8
  • Rapid7 Nexpose
  • Rapid7 Metasploit Pro

Patrick’s goal last year was to earn his CISSP certification. He attended a five-day boot camp course and studied for two and a half months before sitting for his exam on August 11 of 2017. At that time, the format of the CISSP exam was only available in the linear format

“After fighting through 250 questions over the course of 320 minutes – including two brief breaks to clear my mind – it was devastating to read the ‘Sorry, you failed’ exam notice,” said Patrick. He decided to take some time away from studying and waited to prepare for his next attempt until February of 2018. With his exam scheduled for April 20, Patrick began to dive back into the material, although at first he was not aware of the new CAT exam format.

“After finding out about the new format in the beginning of April, it got me a bit frightened of what to expect of it,” said Patrick. He was unsure of the number of questions he would be answering, as well as how the difficulty of the exam might be affected by the format change. “In the end, it didn’t stop me from taking the shot.”

The night before the exam, Patrick checked into a hotel near his testing site and recalls being nervous before this attempt, whereas his nerves were calm back in August. The biggest challenge he felt with the CAT format was not being able to mark questions to review, but Patrick found that his time management was excellent this time around, as he completed the exam (at 150 questions) with time to spare.

Upon finding out he had passed, Patrick said “The second I was notified I asked to please see the paper, as I couldn’t believe it. But yes, I did pass my CISSP exam.”

Congratulations to Patrick for reaching his goal of becoming a CISSP! Welcome to the (ISC)family!

[(ISC)² Blog]

Is it Time for a Cyber National Guard?

With more emerging risks and more data breaches, we continue to hear about the shortage of cybersecurity professionals with the necessary skills, knowledge and experience to protect our information technology infrastructure, especially in the government and public sector.

For instance, in the United States, we know that our federal, state, and local governments are communicating that our information technology infrastructure is outdated and vulnerable to cyberattacks. We also know they are currently trying to pass legislation that will modernize our information technology infrastructure to prevent future cyberattacks. Modernizing information technology infrastructure will help mitigate the risk for cyberattacks; however, you need skilled cybersecurity professionals to continuously identify and evaluate risks, design and implement controls, and assess and monitor the effectiveness of those controls. Just like our outdated technology, we have a shortage of skilled cybersecurity professionals across the government and public sector. How do we solve these problems in the most cost-effective way?

This is important to understand because it’s already difficult to find cybersecurity professionals with necessary credentials to protect information technology infrastructure in the private sector. It’s even more difficult to find these professionals in the government and public sector. Do we just continue to communicate the shortage? Or do we provide an opportunity for private sector cybersecurity professionals to serve their country?

Two members of the US House of Representatives, Ruben Gallego (D-Arizona) and William Hurd (R-Texas), have proposed a Cyber National Guard, which would be similar to the existing Army or Air National Guard. This reserve force would not complete boot camp or use guns in battle. Instead, this reserve force would be called to protect the country against cyber threats and strengthen our national security on the digital battlefield. These resources would identify and patch bugs, upgrade outdated systems to be compliant with policies, and audit and report on information technology infrastructure.

Just like the existing reserves of the National Guard, these cybersecurity professionals would commit to serve their country by volunteering their skills, knowledge, and experience to protect the country from malicious attacks or unintentional changes to the technology infrastructure that supports the government. In return, they would receive the same benefits that anyone serving in the National Guard would receive, including additional pay, tuition reimbursement and other financial benefits. The overarching reward for most of these individuals, though, would be the opportunity to serve their country.

It would be a time commitment both personally and professionally that potential participants would need to consider. However, it would be an opportunity to give back to the country. If former US President John F. Kennedy were around today, would he make the same call to action in the context of this current skills crisis: “Ask not what your country can do for you, but what you can do for your country”? I know that I would consider a Cyber National Guard to be my opportunity to give back to my country.

Michael Podemski, CISA, CISM, CRISC, CIPM, CIPT, Senior Manager, Risk Advisory Services at EY

[ISACA Now Blog]

Clarifying What Zero Trust Is – and Is Not

Last fall, I wrote about how people were beginning to understand the essence of Zero Trust.  Since then, there seems to have been an inflection point in industry’s embrace of Zero Trust, and now, even more people are advocating it, more vendors are posturing it as a go-to-market message, and more enterprises are moving towards adopting it.

However, as the concept gains popularity, I find that more people are mistaken about what it really is.

The Concept of Trust

One way to see if someone understands Zero Trust is to analyze how they talk about the word “trust.” If a pundit is trying to get you to a “trusted” state, then they don’t understand Zero Trust. The point of Zero Trust is not to make networks, clouds or endpoints more trusted; it’s to eliminate the concept of trust from digital systems altogether. The “trust” level is zero, hence Zero Trust. Simple!

Trust is a human emotion that refers to the level of confidence someone has in something, but it’s a vulnerability and an exploit in a digital system. It has no purpose in digital systems, such as networks. There is no use for “trust” in these systems, except to be used by malicious actors, who exploit “trust” for their own nefarious gain. The only thing that can happen to trust in a digital system is for it be exploited, and the only outcome for trust is some type of betrayal.

What typically confuses people is the anthropomorphization of the network that has happened over time. People and trust in the physical world is not the same as packets and vulnerabilities in a digital system. People are not on the network; packets are. Most people confuse the trustworthiness of human beings with the trustworthiness of packets. By depersonalizing packets, we can do what we need to do, which is inspect that packet and apply access control methodologies. This way, the packet only gets access to approved resources at the approved time – and all of that is logged and analyzed – so we can assess if there was an appropriate digital behavior.

So, for folks trying to move to a Zero Trust environment, step one is to eliminate the word “trust” from your vocabulary as it relates to digital systems. Trust is binary; it is on or off. Think about using the term “confidence” instead. Confidence can exist on a continuum. It’s an important distinction.

The old model of trying to create “trusted” digital systems has never worked to prevent breaches. As people mature their thinking around Zero Trust, it is imperative that they understand the most fundamental principle of the concept: trust is not the desired state; trust is the failure point you want to avoid.

[Palo Alto Networks Research Center]

English
Exit mobile version