Testing times

Hello all

I am sorry that I haven’t blogged for a while. It has been a bit of a busy time. After developing all that training (and I would love to be able to say who the audience were but I really can’t), I was on the receiving end of some for a change.

It has been decided by the powers that be that accreditation is necessary for someone in my role. Ok, fair enough. I was offered the choice between all of the exams for MCSE+Security or CISSP. I enjoy exams rather less than root canal work so I went for the 1 rather than the many. In order to maximize my chances, I went on a weeklong cramming session in a training centre in central nowhere, Oxfordshire. A splendid Canadian called John Glover was teaching us and I am sure that he will not mind me saying that he has been around the block once or twice and knows where the bodies are buried.

The CISSP exam is 6 hours long and covers a massive range of topics including but by no means limited to:

Risk management

Continuity planning

Crisis management

Ethics

Law (and that is fun in a multinational)

Encryption

Access control

Telephone systems – no, really

International Standards

Physical Security

I have never had to consider what sort of barrier would be most effective against explosives and whether a fondness for gambling was in and of itself reason why someone should be denied a contract.

After the exam, I was sure that I had done a lot worse than the easy pass that I had in the mock and I was concerned that I had made a pig’s ear of it. The same was apparently true of pretty much everyone who has sat that exam so we shall see. If I have failed (a real possibility) then I will have publicly revealed myself as a dope.

So, have I been busy learning about the latest malware and controlling mass mailer worms rampaging through networks? Actually, no.

We are not getting that many reports of new infections and I have mostly been looking at some hacks against the application layer – typically SQL injection attacks. These still seem as popular as ever but the focus has changed a little. We used to see a lot of web defacement cases from script kiddies and these are still not uncommon but more recently, the bulk of these attacks seem to be targeting PII (Personally Identifiable Information) which can then be used for identity theft or inserting links to malware in the hope of compromising the clients who visit the legitimate website.

We have noticed a decrease in the number of malware cases coming to us over the last few months. I think that user awareness is a large factor; people are more reluctant to open strange executables. The anti-virus solutions are also getting better with updates often being daily. Whatever the reason, the business is changing.

Oh, there is also a small milestone to commemorate. According to Cenzic, Internet Explorer had the fewest reported vulnerabilities of any of the major web browsers. Firefox had 3 times as many and Opera nearly 4 times more than IE. Oh, and none of their top 10 vulnerabilities for the quarter were in MS products. That is the first time that has happened :-)

Until next time

Mark