CISSP Accelerated Development Course

I’ve just returned from an enjoyable week in the City (Moorgate, to be precise) attending the CISSP ADC run by IT Governance Ltd.

CISSP is a certification that I first thought about back in 2008, so returning to this is long-overdue. As an academic I’ve developed course elements that align closely to CISSP, so have always had some familiarity with the certification content.

It was good to see a familiar face as the instructor on this course, the same as for my CEH course in 2018. I booked the exam with ISC2 (at a Pearson Vue test centre) at the same time as the development course, leaving a gap of at least a month.

I’ll cover two aspects in this blog post: a bit about the course and the logistics of getting there, and the CISSP certification itself, in particular some tips that I can see being useful for getting this certification if you are working in the industry.

Course and logistics

The course was at the ETC Venues Tenter House facility in Moorgate. This is the third course I’ve attended at Tenter House. The ETC facility in Moorgate is a very cost-effective venue to choose for a training course. It’s right next to Moorgate underground station on the Northern line, lunch is provided, and a great coffee machine makes this a good deal.

This CISSP AD course at ETC Venues did not include accommodation costs, which have to be arranged separately, but with these factored in the total cost is far less than competitor “all inclusive” training packages for CISSP (or other certifications for that matter). The view over the City is also interesting.

The course delivery was excellent and the motivation in the group was maintained throughout the five-day course. We covered all eight domains and learned a lot about how to approach the exam.

The eight domains in the current version of CISSP are:

  1. Security and Risk Management
  2. Asset Security
  3. Security Engineering
  4. Communications & Network Security
  5. Identity & Access Management
  6. Security Assessment & Testing
  7. Security Operations
  8. Software Development Security

CISSP certification

Now turning to CISSP, and certifications in general, my experience can be sifted down to the following key observations:

  • Booking the exam after the course is the right approach to take. This was confirmed by comments and advice in the training course. The consensus seemed to be about a month or more between the end of the course and the exam.
  • You’re going to have to buy the books—there is no way of escaping it. Spending £100 or so on the popular textbooks is inevitable. You’ll want to identify the recommended text books for CISSP (I’ve provided a list at the end of this blog post).
  • Week-long training courses are intensive, and you’ll be battling your stamina to stay focused, keeping your eye on the ball. Only you can decide how to approach this, based on your learning style. Coffee is a compensating control I recommend!
  • The CISSP exam is heavily US-focused, and the question bank has US-based questions that are confusing, based on our course quiz. These could be based on US legislation and the US government classification scheme, for instance. This is not a great place to be (for UK candidates working in the British legal system), but you’ll have to devote revision time to make the best of it.
  • CISSP is reading-intensive. The full stack of preparation material is well over 1000 pages. If you’re not a natural reader, or comfortable with 1000+ pages of text book material, you’ll have to compensate using other revision methods or perhaps using a longer revision period. It’s not insurmountable, but worth bearing in mind and factoring into your plan.

That’s about it on this for now. I’ll try and put some further updates on this as I plough through the course material for CISSP, and hopefully a book review or two.

CISSP reading list

Here is my list of recommended text books for CISSP in decreasing priority order:

  1. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8th Edition, by Mike Chapple, 2018. I bought this book in advance of my course and it was also recommended as the course text book. All the indicators I have seen suggest this is the core text book for CISSP preparation, hence my “number 1” on this list.
  2. CISSP Official (ISC)2 Practice Tests, 2nd Edition, by Mike Chapple, 2018. This is the companion book to #1, and can be bought as a combi-deal through Amazon. Again this has been recommended to me several times, and appears to be a key focus area for CISSP candidates.
  3. Official (ISC)2 Guide to the CISSP CBK (ISC2 Press) by Adam Gordon, 2015. This is the “canon text” for the CISSP certification. I had an earlier copy of the Third Edition, which I found to be an average book insofar as security text books go. This newer version is a lot bulkier. The consensus is that fewer CISSP candidates end up buying this book. On the course I took, this was recommended as the “desk book” in your workplace.
  4. CISSP Cert Guide by Troy McMillan, Sari Greene, and Robin Abernathy, 2018. I reviewed an earlier edition of this book (then by McMillan and Abernathy) for the publisher a few years back, and found it to be one of the better books out there. This is the newer version that I have not read, but I have no reason to doubt its suitability.
  5. CISSP For Dummies, by Lawrence C. Miller, 2018. A few people have recommended this book to me. It’s easy to read and my intention is to use this as a casual reader book in the run up to the exam.

If you’re on a shoe-string budget, get 1 & 2. If the budget extends a bit further, get 1, 2 & 3, and if cost is no obstacle get 1-5.

Communications and networking

The biggest difficulty in CISSP for many will be the networking-focused domain. Even if you’ve had some experience in networks, you’ll want to get the heavy artillery out to ensure you have the best preparation. Here are my recommended text books for networking, based on my final-year lecturing in my academic roles (and in no particular order):

  • TCP/IP Protocol Suite (Mcgraw-hill Forouzan Networking) by Behrouz A Forouzan, 2009. A classic, and now somewhat dated, but it provides the most accessible presentation of networking material I’ve encountered.
  • Computer Networks, 5th Edition, by Andrew S. Tanenbaum and David J. Wetherall, 2010. Another of the canon texts for networking, this is a good all-rounder.
  • Computer Networks: A Systems Approach (4th ed) by Larry L. Peterson and Bruce S. Davie, Morgan Kaufmann, 2007.
  • Computer Networking: A Top-Down Approach: International Edition Paperback by James F. Kurose and Keith W. Ross, 2012. On the more theoretical end, this is again a classic text in networking and one I’d recommend.

You can’t go wrong by looking up more detail on topics from these books on the Cisco site, which contains a significant amount of good quality information.

Filtering your IMAP mailbox from a client-side filter

With an increasing amount of email, I’ve found myself using query after query, often in the middle of conference calls, to find the information I need. Not the best situation, so I wanted to filter my email for specific senders into a dedicated folder on my mail provider.

Many moons ago I used to run fetchmail on a Linux host to pull email from a remote server. This time I didn’t want that complexity.

My email provider only provides filtering in their hosted spam filter, into a predefined Spam folder. Unfortunately any rules set in their webmail client do not operate server-side, as one might (naively) hope.

So I’ve settled on imapfilter for the time being. This is a brief run-through of getting this up and running on your kit.

First off, install the package:

# apt-get install imapfilter

Then in your standard user account, create the configuration file:

$ mkdir ~/.imapfilter && touch ~/.imapfilter/config.lua && pico -$ ~/.imapfilter/config.lua

Paste in this sample config (written in Lua), updating as indicated (square brackets). Since the file holds your mailbox password in the clear, restrict it to your own user (chmod 600 ~/.imapfilter/config.lua):

options.subscribe = true   -- subscribe to any mailbox imapfilter creates
options.expunge = true     -- expunge messages flagged for deletion after a move
options.create = true      -- create the destination mailbox if it does not exist
accountA = IMAP {
  server = "[server name here]",
  username = "[your user name here]",
  password = "[mailbox password here]",
  ssl = "tls1.2"           -- enforce TLS 1.2 for the connection
}
-- search INBOX for messages from the given sender, then move them to the target mailbox
messages = accountA["INBOX"]:contain_from("joebloggs@example.com")
messages:move_messages(accountA["INBOX/examplefolder"])

The last two lines operate the search and move functions. It is sensible to enforce TLS 1.2. This tool appears to handle certificates correctly.

Test it out:

$ imapfilter

You will get some standard output if it is working as expected. The last two lines have to be duplicated (not great) for each filter rule, but there are some examples on the web of tidying this up.

If it works correctly (use some test data to start), then it is time to automate.

$ mkdir ~/bin; pico -$ ~/bin/mailmover

Copy the following into the script:

#!/bin/bash
# run imapfilter from its config directory and discard its output
cd ~/.imapfilter || exit 1
imapfilter &> /dev/null

This is not strictly necessary but is my preferred approach. Then add the entry to the user crontab:

$ crontab -e

Appending:

*/10 * * * * /home/[username]/bin/mailmover

This runs the script every ten minutes. And that’s it.

NB: I’m technically incorrect in my use of the term “mailbox” in this blog post. In the IMAP specification (RFC 3501), what we might think of as “folders” within a mailbox are termed “mailboxes” (in the terminology of the RFC, “remote message folders”).

NNB: The imapfilter manpage suggests using the string “auto” for the ssl directive, on the grounds that OpenSSL has discouraged the use of version-specific settings. If you’re willing to put the effort to maintain this parameter, I can see a strong advantage in doing precisely the opposite: explicitly specify the SSL/TLS version. If you’re keen to follow the manpage however, set this to “auto”.

Some online MSc programmes in CS and cyber worth thinking about

I thought I’d pick out a few online (distance learning) degrees in computer science and cyber security for those that may be thinking about getting employers to sponsor them.

University of Bath

First up, it’s the University of Bath. Although Bath is not as old as some other higher-ranking universities, it’s established itself as a good institution in a variety of metrics. Their MSc (Online) in Computer Science is worth looking at.

University of York

Next up, it’s the University of York also with an MSc (Online) in Computer Science. This university has established itself as a strong player, well-regarded in the HE sector, with involvement in a variety of research programmes.

University of Leicester

Third on the list is the University of Leicester with their MSc (Online) in Advanced Computer Science.

Liverpool and RHUL

On the cyber security front, consider:

If you’re considering other UK universities, a good starting point is the REF 2014 leaderboard searching on a department/subject area basis. You can find this at REF 2014.

Influential report indicates some US cyber degree programmes inadequate

Do cybersecurity graduates possess the skills employers need?

This is the captivating headline in a new report from the Centre for Strategic and International Studies (via SANS). Conventional wisdom, as I indicated in my previous blog post, is that universities have addressed the early-career professional shortage through new and innovative cyber security degree programmes. This report, from CSIS, suggests the picture is far from that.

They write: “An evaluation of U.S. cybersecurity workforce development initiatives must ask whether cybersecurity education and training programs are preparing students for the kinds of high-skilled technical roles that represent the most serious workforce shortage. The evidence suggests that the answer may be no.”

Adding: “According to cybersecurity practitioners, employers are dissatisfied because they perceive the graduates of these programs as lacking practical experience as well as an understanding of the fundamentals of computing and information security. As a result, many graduates require extensive on-the-job training before they can begin work. In addition, employers often find cybersecurity graduates lacking in essential soft skills like teamwork, problem-solving, and communication.”

My impression is that academia, faced with the incredibly challenging lack of interest in STEM programmes, has in some cases developed new, softer programmes for cyber security that do not include classic subjects from traditional Software Engineering and Computer Science programmes. This is not particularly a failing of academia: the system is geared to encourage applicant uptake, and taking a step back, a dwindling HE sector is in no one’s interest.

Moreover, the underlying lack of interest in STEM is a recognised national challenge. I’d also argue that it is not as clear cut as the CSIS report suggests: there is a place for many different types of programme, both highly technical and more holistic. What matters, I would suggest, is the quality of the programme.

This does suggest, however, that cyber security degree programmes may not be the solution some have proposed. Perhaps one interpretation of some (not all) cyber programmes is that they encourage such a broad curriculum that they end up building an understanding of fundamental computing topics top-down, rather than bottom-up (from first principles).

This creates problems when cyber security tasks get deep into the technical weeds. The reality is that large swathes of cyber security are technical in nature, and this has to be recognised in degree programmes.

If this report is accurate, it also has some implications for recruitment in the cyber security sector. It also suggests there is more to do in linking cyber security programmes with STEM learning objectives. It also highlights the enduring value of computer science and software engineering programmes.

Of course, hiring is not solely about graduates and degrees. It’s about the skills of the applicant, inter-personal skills, on-the-job performance, and overall aptitude for the role.

Detecting unauthorised devices using NMAP

NMAP is a fairly handy security scanning tool, though it does have its idiosyncrasies.

The simple script (running from /root/macscan/macscan) below will use a “-sP” scan mode of NMAP to identify MAC addresses on the local network, and report any which are not previously known.

This assumes any device will respond to an ICMP “ping” packet, and all devices are within one network segment. This cannot be guaranteed. Changing the scan type to “-sn” will test with a combination: an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request.

Passing “initialise” as a parameter to the script will “learn” the MAC addresses currently found on the network, and use this as the “approved list” for future detection scans.

If unauthorised detections are found, the “macmail.py” script will pull up the output from the script and mail a predefined mail account with details of the new detections. This is a simple mailer that interacts with a suitable MTA, such as that provided by your ISP.

#!/bin/bash
#macscan - uses nmap to scan an IP range
#   and detects non-matches to a whitelist
cd /root/macscan || exit 1
# "initialise" (re)learns the devices currently present as the approved list
if [[ "$*" == *initialise* ]]
then
  nmap -sP [IP address spec] -oN - > nm.stdout
  grep "MAC Address" nm.stdout > pats.grep
  echo "MAC scanner (re)initialised to present device list"
fi
# refuse to run a detection scan before an approved list exists
[[ -s pats.grep ]] || { echo "no approved list: run with initialise first"; exit 1; }
# scan again and keep only the MAC lines not found in the approved list
nmap -sP [IP address spec] -oN - > nm.stdout
detections=$(grep "MAC Address" nm.stdout | grep -v -F -f pats.grep)
if [[ $detections ]]; then
  echo "--------------------" > /root/macscan/detmail.txt
  echo "Unknown MAC address detections " >> /root/macscan/detmail.txt
  echo "--------------------" >> /root/macscan/detmail.txt
  echo "" >> /root/macscan/detmail.txt
  echo "${detections}" >> /root/macscan/detmail.txt
  python macmail.py   # mails detmail.txt to the predefined account
fi

This can be scheduled using cron to frequently scan every 40 mins:

*/40 * * * * /root/macscan/macscan

This is a simple script and schedule that will not detect all unauthorised use, but assuming benign users some useful data can be gained.
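As an added example (not the blog’s own script), here is a POSIX shell version of the comparison step that parses nmap -oN output into IP, MAC and vendor, normalises MAC case, and matches the MAC field exactly instead of treating the whole “MAC Address” line as a substring pattern. The scan output and approved list are constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Added example: exact, case-insensitive MAC allow-listing over nmap -oN output.

# Normalise MACs from stdin: upper-case, strip whitespace, drop blank lines.
normalise_macs() {
    tr 'a-f' 'A-F' | tr -d ' \t' | grep -v '^$' | sort -u
}

# Turn nmap normal output on stdin into "IP MAC VENDOR" lines.
# nmap prints "Nmap scan report for <host>" before a host's
# "MAC Address: <mac> (<vendor>)" line, so the last IP seen is carried along.
parse_nmap_hosts() {
    awk '
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
        /^MAC Address:/ {
            mac = toupper($3)
            vendor = $0; sub(/^MAC Address: [^ ]+ */, "", vendor)
            print ip, mac, vendor
        }'
}

# find_unknown_macs <approved-list-file>  (nmap output on stdin)
# Prints one "IP MAC VENDOR" line per host whose MAC is not approved.
find_unknown_macs() {
    approved=$(normalise_macs < "$1")
    parse_nmap_hosts | while read -r ip mac vendor; do
        if ! printf '%s\n' "$approved" | grep -qxF "$mac"; then
            printf '%s %s %s\n' "$ip" "$mac" "$vendor"
        fi
    done
}

# Constructed sample scan output (not real hosts) for a stand-alone run.
sample_scan() {
    cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2019-01-01 10:00 GMT
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: AA:BB:CC:00:11:22 (Example Router Co)
Nmap scan report for printer.lan (192.168.1.20)
Host is up (0.0020s latency).
MAC Address: aa:bb:cc:33:44:55 (Example Printers)
Nmap scan report for 192.168.1.77
Host is up (0.0030s latency).
MAC Address: DE:AD:BE:EF:00:01 (Unknown)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds
EOF
}

# Constructed approved list; mixed case on purpose to show case-insensitive matching.
sample_approved() {
    printf 'aa:bb:cc:00:11:22\nAA:BB:CC:33:44:55\n'
}

# Run the detection over the sample data and print the unknown hosts.
demo() {
    tmp=$(mktemp)
    sample_approved > "$tmp"
    sample_scan | find_unknown_macs "$tmp"
    rm -f "$tmp"
}
```

In the cron job, replace the sample functions with `nmap -sP [IP address spec] -oN - | find_unknown_macs pats.grep`, where pats.grep holds one approved MAC per line.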

OWASP Dorset Chapter – First Meeting in Bournemouth

I’ve been asked to share this update from the recently formed OWASP Dorset Chapter. I’d really recommend going along, if you’re an application developer and/or cyber security practitioner.

They also have an open Slot for Volunteer Speaker – seeking various topics related to Application Security/Cyber Security. Please contact Dan for more information, details below.

Link: https://www.meetup.com/OWASP-Dorset-Chapter/events/258226677/

Academic perspective: competitions and learning penetration testing

In a new direction for my blog, I’ve decided to occasionally take a look into the academic world to identify developments of interest that we can translate into the profession. Or, at the very least, be able to do a level of read-across and see if there are lessons to be learned.

My first paper in this series is written by Kevin Bock, George Hughey, and Dave Levin, from the University of Maryland, entitled “King of the Hill: A Novel Cybersecurity Competition for Teaching Penetration Testing” published in USENIX ASE-18, 2018.

Abstract

“Cybersecurity competitions are an effective and engaging way to provide students with hands-on experience with real-world security practices. Unfortunately, existing competitions are ill-suited in giving students experience in penetration testing, because they tend to lack three key aspects: (1) pivoting across multiple machines, (2) developing or implanting custom software, and (3) giving students enough time to prepare for a lively in-class competition. In this paper, we present the design, implementation, and an initial run of King of the Hill (KotH), an active learning cybersecurity competition designed to give students experience performing and defending against penetration testing. KotH competitions involve a sophisticated network topology that students must pivot through in order to reach high-value targets. When teams take control of a machine, they also take on the responsibility of running its critical services and defending it against other teams. Our preliminary results indicate that KotH gives students valuable and effective first-hand experience with problems that professional penetration testers and network administrators face in real environments.”


This paper makes a number of observations about existing approaches to competitions, and of these I think the first and third observations are most relevant.

The first observation is that existing competitions tend to not provide opportunities to pivot across multiple machines, which I agree with to some extent but not in all cases. I suppose I would generalise this somewhat to a broader observation that realistic network designs, and more importantly, realistic security architectures, should be used. Later on in the paper this definition comes across more clearly. This can potentially be graduated in levels of difficulty in the form of different scenarios.

Preparation is probably the most important observation in the paper in my mind – existing competitions tend to present challenges without any forewarning, and while this may serve an elitist goal of identifying the most talented, it does so at the cost of reducing opportunities for learning (i.e. learning before and after the event, not just after the event).

By proposing the realistic architectures principle as essential to a penetration testing competition, the authors make the useful observation that this tends to require a higher level of strategic thinking rather than a purely tactical plan.

The idea of attack and defend, as opposed to purely attack (and compromise) is a useful emphasis the paper also makes and the design of the game to require victors to continue to offer services to the network is an interesting one.

The addition of vulnerable high-scoring machines during the game is also interesting, and this promotes an emphasis on continuous scanning. This is of course unlikely to be an activity attackers will periodically do, but as the paper notes, it is very representative of the challenge faced by NOCs from a defensive perspective.

An automated score bot and point allocation policy (e.g. for non-response to pings) provides the basis for capturing realistic tallies of team performance, and is a useful addition.

They also have some publicly available resources at https://koth.cs.umd.edu.