S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large shinhan bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now in everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation) but this is making rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a distruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices who rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kind of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oximoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

An detailed analysis of the attack here:

http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf

Share

Western society is WEIRD [1]

(We have the OT indicator to say that something is off topic.  This isn’t, because ethics and sociology is part of our profession, but it is a fairly narrow area of interest for most.  We don’t have a subject-line indicator for that  :-)

This article, and the associated paper, are extremely interesting in many respects.  The challenge to whole fields of social factors (which are vital to proper management of security) has to be addressed.  We are undoubtedly designing systems based on a fundamentally flawed understanding of the one constant factor in our systems: people.

(I suppose that, as long as the only people we interact with are WEIRD [1] westerners, we are OK.  Maybe this is why we are flipping out at the thought of China?)

(I was particularly interested in the effects of culture on actual physical perception, which we have been taught is hard wired.)

[1] – WEIRD, in the context of the paper, stands for Western, Educated, Industrialized, Rich, and Democratic societies

Share

Read this book. If you have anything to do with security, read this book.

I have been reviewing security books for over twenty years now.  When I think of how few are really worthwhile that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson first published “Security Engineering” I was delighted to be able to tell everyone that it was a worthwhile read.  If you are, in any way, interested in, or working in, the field of security, there is something there for you.  Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn’t trust me, they should read the first edition free, and then buy the second edition because it was even better.

Now Ross has made the second edition available, online, for free.

Everyone should read it, if they haven’t already done so.

(I am eagerly awaiting the third edition  :-)

Share

Secure Awareness mottoes and one-liners

From various forums, mailing lists, discussions and other sources (many of which exist only in my febrile imagination), herewith a bit of a compilation of mottoes that can be used as part of a security awareness campaign:

No-one in Africa wants to GIVE anyone their money or gold.

Microsoft/Google/a Russian oil magnate/VW/BMW/etc certainly does not want to GIVE anyone money/a car/etc.

A stunning Russian blonde DOES NOT want to marry you.

If it sounds too good to be true, IT IS.

A web site, Email message, IM or tweet that tells you you need to install security software IS LYING.

Just because it’s in a Google search result or an “ad by Google” does NOT mean it is safe.

If the options seem to be “Click OK/Run/Install” or “turn off the computer”, TURN OFF THE COMPUTER.

Did your friend really send you that message?

Is your friend really as smart about computer security as you think?
A. No    B. Not at all    C. Well and truly not    D. All the above

You didn’t win the Irish lottery.

Your bank doesn’t want you to change your password.

Don’t be Phish Phood.

Pwnly Phools Phall for Phishing.

Think, THINK every click.

Need extra money?  Want to work from home?  Getting a job from a spammer is NOT A GOOD IDEA!!!

When did you last make a backup?  Do you want to do [period of time] worth of work all over again?

Report the suspicious, not the strange.

If the bank thinks your online account has been hacked, they won’t warn you by email.

Being sociable doesn’t mean being totally open. Be careful what you disclose via social media.

If someone wants/offers to make something really easy for you, there is a way that can be used against you.

Hide your ‘cheese’ (get a router).

A patch a day keeps hackers away (keep your OS and apps up to date).

Always wear a helmet (install a firewall/antivirus package).

The great unknown ain’t so great (only use software you can trust).

Use sunscreen to prevent burns (lock down your OS and apps).

Make 007 jealous (learn to use additional security tools).

“Password” is not a password (use strong passwords).

Keep your skeletons in the closet (protect your personal data).

Don’t be a dork (be smart when you’re on-line).

Keep your dukes up (stay informed and vigilant).

Infosec is like a sewer: what you get out of it, depends on what you put into it.

 

Some are recently from the #InfosecMotherlyAdvice tag on Twitter:

Don’t click … it’ll get infected.

Don’t take cookies from strangers.

Idle systems are a botnet’s playground.

A backup in hand is worth two in the cloud.

While you’re connected to my network you’ll live by my firewall rule.

A backup a day keeps data loss away.

We’d better get you a bigger firewall – you’ll grow into it.

Close the security holes, you’re letting all our sensitive data out.

If your system gets compromised and crashes, don’t come emailing to me.

Always encrypt your data. you never know when you’ll have an accident.

If everybody else clicked on links in emails, would you do that too?

Either you’re inside the firewall, or outside the firewall! Don’t leave it open!

Install your patches if you want your security to grow up big and strong.

Don’t put that in your browser, you don’t know where it’s been.

Someday your bluescreen will freeze like that!

It’s all fun and games until someone loses sensitive data.

Only you can prevent Internet meltdowns.

Share

Comparison Review: AVAST! antiviral

PCAVAST7.RVW   20120727
Comparison Review

Company and product:

Company: ALWIL Software
Address: Trianon Office Bldg, Budejovicka 1518/13a, 140 00, Prague 4
Phone:   00 420 274 005 777
Fax:     00 420 274 005 888
Sales:   +42-2-782-25-47
Contact: Kristyna Maz nkov /Pavel Baudis/Michal Kovacic
Email:   mazankova@avast.com baudis@asw.cz
Other:   http://www.avast.com
Product: AVAST! antiviral

Summary: Multilayered Windows package

Cost: unknown

Rating (1-4, 1 = poor, 4 = very good)
“Friendliness”
Installation      3
Ease of use       4
Help systems      1
Compatibility           3
Company
Stability         3
Support           2
Documentation           1
Hardware required       3
Performance             3
Availability            3
Local Support           1

General Description:

Multilayered scanning, activity-monitoring, and change-detection software.  Network protection including Web and email monitoring.

Comparison of features and specifications

User Friendliness

Installation

The product is available as a commercial package, but also as a free download for home or non-commerecial use.  As previously noted in other reviews, this is highly desirable not simply as a marketing and promotional effort by the company, but because making malware protection available to the general public reduces the malware threat for the entire computing and network environment.  One important
aspect is that the free version, unlike some antivirus products which reduce available functions, appears to be complete.  Scanning, disinfection, network protection, reporting, and management functions all seem to be included in the free version, making Avast a highly recommended product among free downloads.

I downloaded the free version, and installed it with no problem.  It was compatible with Windows 7, as well as previous versions.  The basic installation and configuration provides realistic protection, even for completely naive users.

Ease of use

With ten basic, and a larger number of minor, functions now included in the program, the interface is no longer very easy to figure out.  For example, one of the first things I (as a specialist) need to do is to turn off scanning of my “zoo” directory.  I initially thought this might be under the large “Maintenance” button.  No, “maintenance” is reserved for upgrading and buying additional features.  I did finally find the function I wanted under a much smaller “Settings” tab.  However, as noted, most users will not require any additional functions, and need not worry about the operation of the program.  The default settings provide decent protection, and updating of signatures, and even the basic program, is almost automatic.  (The updates for the free version do push the user to “upgrade” to the commercial version, but it is not necessary.)

I located (eventually) some great functions in the program which I found very helpful.  Admittedly, I’m a very special case, since I research malware.  But I really appreciated the fact that not only could I turn scanning off for a particular directory (my “zoo”), and that I could pull programs out of the quarantine easily, but that I could also turn off individual network protection functions, very easily.  Not only could I turn them off, but I was presented with options to stop for 10 minutes, 1 hour, until the next reboot, or permanently.  Therefore, I could turn off the protection for a quick check, and not have to remember to turn it on again for regular work and browsing.

However, I cannot commend Avast for some of the reporting and logging functions.  Late in the review period it reported an “infected” page, but refused to tell me where/what it is.  In addition, recently Avast has been blocking some of my email, and the message that an email has been blocked is the only available information.

Help systems

Help is available onscreen, but it is not easy to find.  There is no help button on the main screen: you have to choose “? Support,” and then, from a list of six items choose the last one, “Program Help.”  (The standard Windows F1 key does bring up the help function.)  Most other help is only available online via the Web, although there is a downloadable PDF manual.

Compatibility

The system scores well in malware detection ratings from independent tests.  I have been running Avast for over a year, and have not seen a false positive in a scan of the computer system.  I have observed only one false positive blockage of “known good” Websites or email, although this is of some concern since it involved the updating of another malware package under test.

Company Stability

Avast has been operating (previously as Alwil Software) for over twenty years.  The program structure is thoughtful and shows mature development.

Company Support

As noted, most is via the Web.  Unfortunately, in the recent case of a false positive the company, even though I had alerted them to the details of both the review and the warning I had noted, there was no useful response.  I received email stating that someone would review the situation and get back to me, but there was no further response.

Documentation

The documentation available for download is primarily for installation and marketing.

System Requirements

The system should run on most extent Windows machines.

Performance

The antivirus system has minimal impact on the computer system.  When performing a full scan, there are other programs that run faster, but Avast runs very well unattended.

As noted above, the free version has complete and very useful functionality.

Local Support

None provided.

Support Requirements

Basic operation and scanning should be accessible to the novice or average user.

copyright Robert M. Slade, 1995, 2012   PCAVAST7.RVW   20120727

Share

“Feudal” and the young employee

In respect of Schneier’s article on “feudalism” in security (pledging “fealty” to a company/platform, and relying on the manufacturer/vendor to keep you safe), I’m sitting in a seminar for an ERP product from one of the “giants.”  The speaker has stressed that you need an “easy to use” system, since your young employees won’t attend or pay attention to training (on either systems or your business): they expect things to “just work.”

We’ve also just had a promo video from a company that uses the product.  Close to the ideal of a “virtual” company: head office is in one country, manufacturing in two more, and most of the user base shops online.  It is easy for the security professional to see that this is a situation fraught with peril: online access to vital business, manufacturing, and customer information, privacy issues with a diverse customer base, legal and privacy issues with multiple jurisdictions, and the list goes on.  This is not a situation where “plug and play” and turnkey systems are going to be able to address all the problems.

But, of course, the vendor position is just “Trust us.”

Share

Blatant much?

So a friend of mine posts (on Twitter) a great shot of a clueless phishing spammer:

So I reply:
@crankypotato Were only all such phishing spammers so clueless. (Were only all users clueful enough to notice …)

So some other scammer tries it out on me:
Max Dubberly  @Maxt4dxsviida
@rslade http://t.co/(dangerous URL that I’m not going to include, obviously)

I don’t know exactly where that URL redirects, but when I tried it, in a safe browser, Avast immediately objected …

Share

Budget and the chain of evidence

Go Public, a consumer advocacy show on CBC, has produced a show on Budget Rent-A-Car overcharging customers for minor repairs.

This rang a bell with me.

In May of 2009, I rented a car from Budget, in order to travel to give a seminar.  Having had troubles with various car rental companies before, I did my own “walk around” and made sure I got a copy of the damage report before I left.  There were two marks on the driver’s door (a small dent, and a scratch), but the Budget employee refused to make two marks in that spot of the form: he said that the one tick covered both.

When I turned in the car, I was told that the tick was only good for the one scratch, and that I would be charged $400 for the dent.  I was also told that, since I had rented the car using my American Express card, I was automatically covered, by American Express, for minor damage, so I should get them to pay for it.

Since I was neither interested in paying myself, nor in assisting in defrauding Amex, I referred to the earlier statement by the employee who had checked the car.  (I had a witness to his statement, as well.)

Thus started a months-long series of phone calls from Budget.  They kept trying to get me to agree to pay the extra $400, and get Amex to reimburse me.  I wasn’t interested.

The phone calls finally stopped when, on one call, I informed the caller (by now identifying himself as someone in the provincial head office for Budget) that I had kept the copy of the original damage report form.  The caller told me that it clearly stated that there was a scratch on the door.  When I asked him how he interpreted the tick mark as a scratch, rather than a dent, he said that the word “scratch” was written on the form.

Well, of course, it hadn’t been written on the form originally.  I guess the caller must have been reasonable high up in the corporate food chain, because he knew what that meant.  I had the original, and it proved that they had messed with their copy.  That breaks the chain of evidence: they had no case at all.

(I still have a scan of that form.  Just in case …)

Share

More bad news for risk management

Overconfidence makes you successful in business.

Not just confidence, mind you, overconfidence.

Add in the Dunning-Kruger effect, and the Peter Principle, and you start to realize why all those huge banks keep failing …

Share

REVIEW: “Learning from the Octopus”, Rafe Sagarin

BKLNFOCT.RVW   20120714

“Learning from the Octopus”, Rafe Sagarin, 2012, 978-0-465-02183-3, U$26.99/C$30.00
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465021832/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   “Learning from the Octopus”

The subtitle promises that we will learn “how secrets from nature can help us fight terrorist attacks, natural disasters, and disease.”  The book does fulfill that aim.  However, what it doesn’t say (up front) is that it isn’t an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire security community to task for not paying sufficient attention to the lessons of biology.  The text and examples in the work, however, do not present the reader with particularly useful insights.  The prologue drives home the fact that 350 years of fighting nation-state wars did not prepare either society or the military for the guerilla-type terrorist situations current today.  No particular surprise: it has long been known that the military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of “natural” security.  In this regard, the reader is inescapably reminded of Bruce Schneier’s “Liars and Outliers” (cf. BKLRSOTL.RVW), and Schneier’s review of evolution, sociobiology, and related factors.  But whereas Schneier built a structure and framework for examining security systems, Sagarin simply retails examples and stories, with almost no structure at all.   (Sagarin does mention a potentially interesting biology/security working group, but then is strangely reticent about it.)  In chapter two, “Tide Pool Security,” we are told that the octopus is very fit and functional, and that the US military and government did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in regard to one type of learning (and there is no mention at all of education).  The learning force that the author lauds is that of evolution, which does tend to modify behaviours for the population over time, but tends to be rather hard on individuals.  Sagarin is also opposed to “super efficiency” (and I can agree that it leaves little margin for error), but mostly tells us to be smart and adaptable, without being too specific about how to achieve that.  Chapter four tells us that decentralization is better than centralization, but it is interesting to note that one of the examples given in the text demonstrates that over-decentralization is pretty bad, too.  Chapter five again denigrates security people for not understanding biology, but that gets a bit hard to take when so much of the material betrays a lack of understanding of security.  For example, passwords do not protect against computer viruses.  As the topics flip and change it is hard to see whether there is any central thread.  It is not clear what we are supposed to learn about Mutual Assured Destruction or fiddler crabs in chapter six.

Chapter seven is about bluffing, use  and misuse of information, and alarm systems.  Yes, we already know about false positives and false negatives, but this material does not help to find a balance.  The shared values of salmon and suicide bombers, religion, bacterial addicts, and group identity are discussed in chapter eight.  Chapter nine says that cooperation can be helpful.  We are told, in chapter ten, that “natural is better,” therefore it is ironic to note that the examples seem to pit different natural systems against each other.  Also, while Sagarin says that a natural and complex system is flexible and resilient, he fails to mention that it is difficult to verify and tune.

This book is interesting, readable, erudite, and contains many interesting and thought-provoking points.  For those in security, it may be good bedtime reading material, but it won’t be helpful on the job.  In the conclusion, the author states that his goal was to develop a framework for dealing with security problems, of whatever type.  He didn’t.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714

Share

Not the bad news you thought you were reporting …

“The 2012 Norton Cybercrime Report, released Wednesday, says more than 46 per cent of Canadians have reported attempts by hackers to try to obtain personal data over the past 12 months,” according to the Vancouver Sun.

Well, since I see phishing every single day, and malware a few times times per week, what this survey is *really* saying is that 54% of Canadians don’t know what phishing and malware looks like.

(And you others don’t need to gloat: apparently the same figure holds globally …)

Kinda depressing …

Share

REVIEW: “Managing the Human Factor in Information Security”, David Lacey

BKMHFIIS.RVW   20120216

“Managing the Human Factor in Information Security”, David Lacey, 2009, 978-0-470-72199-5, U$50.00/C$55.00/UK#29.99
%A   David Lacey
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2009
%G   978-0-470-72199-5 0-470-72199-5
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$55.00/UK#29.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0470721995/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0470721995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470721995/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   374 p.
%T   “Managing the Human Factor in Information Security”

The preface states that the intent of the book is to identify and explain the range of human, organizational, and social challenges when trying to manage security in the current information and communications environment.  It is hoped this material will help manage incidents, risks, and design, and assist with promoting security systems to employees and management.  A subsidiary aim is to leverage the use of social networking.

Some aspects of security are mentioned among the indiscriminate stories in chapter one.  Chapter two has more tales, with emphasis on risks, and different people you encounter.  Generic incident response and business continuity material is in chapter three.  When you know the risk management literature, you can see where the arguments in chapter four come from.  (Yes, Donn, we know quantitative risk analysis is impossible.)  The trouble is, Lacey makes all of them, and therefore comes to no conclusion.  Chapter five has some points to make about different types of people, and dealing with them.  Unfortunately, it’s hard to extract the useful bits from the larding of stories and verbiage.  (Given the haphazard nature of the content, making practical application would be even more difficult.)  Aspects of corporate culture are discussed, in an unstructured fashion, in chapter six.  Chapter seven notes a number of factors that have appeared in successful security awareness programs, but doesn’t fulfill the promise of helping the reader design them.  Chapter eight is about changing organizational attitudes, so it’s an (equally random) extension of chapter six.  It also adds some more items on training programs.  Chapter nine is about building business cases.  Generic advice on creating systems is provided in chapter ten.  Some even broader advice on management is in chapter eleven.  A collection of some points from throughout the book forms a “conclusion.”

There are good points in the book.  There are points that would be good in one situation, and bad in another.  There is little structure in the work to help you find useful material.  There are stories about people, but not a survey of human factors.  Lacey uses lots of aphorisms throughout the text.  I am reminded of the proverb that if you can tell good advice from bad advice, you don’t need any advice.

copyright, Robert M. Slade   2012     BKMHFIIS.RVW   20120216

Share

SMS Apple (malware) spam on Bell Mobility (Canada)

SMS spam on Bell seems to have suddenly jumped.  On Tuesday, both Gloria and I got spam saying we had won something from Apple.  Today, we both got similar spam.

Today’s message came “from” 240-393-8527.  It asked us to visit hxxp://www.apple.com.ca.llhf.net [1]

Neither F-Secure nor VirusTotal had anything to say about it, but it is safe to assume that the site is dangerous.  Avast now blocks it.

In trying to contact Bell about this, I noted that Bell’s Website “contact” page lists a “Chat with us” function that simply does nothing if agents are busy, and no means of contacing Bell via email.  “How to escalate a complaint” returns the same page, with the same lack of response from the agent button.  When I finally did reach an agent, “he” was pretty clueless about the whole situation.  I strongly suspected “he” was a rather simplistic program.

Having Given the agent the information above, his response was to ask “Samuel: I understand. Have you registered under apple newsletter list?”  He then asked for my name and phone number (which I had previously given him at the beginning of the session), and then told me “Samuel: I unfortunately cannot unsubscribe that spam for you from here as I see in your account.”  He offered to cut the SMS/texting function on my account.

That’s it.  That’s the only solution.  Bell doesn’t have any spam filtering on SMS, even when the spam is as obvious, egregious, and malicious as this one.  (Yes, they do have a spam filtering option, if you want to pay them an extra $5 per month.  Given the quality of support, I think I’ll give that a miss.)

[1] Note that this isn’t apple.com, the trailing “domains” override that.  This domain is listed to:

Domain Name ………………… llhf.net
Name Server ………………… ns5.myhostadmin.net
ns6.myhostadmin.net
Registrant Name …………….. jun wang
Registrant Organization ……… wang jun
Registrant Address ………….. shang hai shi xu hui qu
Registrant City …………….. shang hai
Registrant Province/State ……. SH
Registrant Postal Code ………. 200087
Registrant Country Code ……… cn
Registrant Phone Number ……… 02178861511
Registrant Fax ……………… 02178861511
Registrant Email ……………. yaobing349@hotmail.com

Share

Cloudy with a chance of hacking

Following closely upon the article/confession about cloud linked accounts and devices, and the ease of hacking them (with some interesting points about authentication systems):

I noticed, this morning, that the number of phishing messages, and specifically email account phishing, had, after a couple of relatively low months, suddenly jumped again.

Excessive convenience almost always = insecurity.  I have not linked any of my socmed accounts.  Facebook doesn’t have my Twitter account password, etc.  This is somewhat inconvenient, since I have to sign on to the different accounts in order to post things.  However, it does mean that, in the case of this type of story, I can just use it as an example and move on, rather than spending time changing the passwords on all my accounts.

Share

Sophos Threatsaurus

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.

Share

REVIEW: “Eleventh Hour CISSP Study Guide”, Eric Conrad

BK11HCSG.RVW 20120210

“Eleventh Hour CISSP Study Guide”, Eric Conrad, 2011,
978-1-59749-566-0, U$24.95
%A Eric Conrad
%C 800 Hingham Street, Rockland, MA 02370
%D 2011
%G 978-1-59749-566-0 1-59749-566-2
%I Syngress Media, Inc.
%O U$24.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597495662/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597495662/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597495662/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 196 p.
%T “Eleventh Hour CISSP Study Guide”

“Eleventh Hour” would seem to imply that this is a last minute option.  I would not rely on this book as a last ditch option if you haven’t studied. It’s a reviewers dream (or nightmare): an embarrassment of riches in terms of errors. But I should keep this review to a reasonable size, so I’ll only mention a few illustrative goofs.

Chapter one addresses security management. The coverage of risk management is superficial, facile, and disjointed. The author adds extra factors into the CBK (Common Body of Knowledge). He stresses ”return on investment” without addressing the controversy over whether ”return on security investment” actually exists. There are some references based on the NIST (US National Institute of Standards and Technology) which are good, but insufficient. Each chapter ends with a list of the “Top Five Toughest Questions” for that domain. Usually one (20%) is flatly wrong, and the rest address trivia, missing the concepts and ramifications which are the real objectives of the CISSP examination.

Chapter two looks at access control. No, integrity concerns are not limited to authorization issues. “Counter-based synchronous dynamic token” makes no sense: both counter and dynamic obviate the need for synchronization. No, most keyboard dynamics systems would not measure pressure. In regard to cryptography, in chapter three, yes, CBC (Cipher Block Chaining) would propagate errors, which is why it is only used with self-correcting algorithms (which DES – Data Encryption Standard – is). And, yes, using ECB (Electronic Code Book) identical data blocks produce identical cipher blocks, but similar data blocks produce vastly dissimilar cipher blocks. (That is part of the measure of a good cipher algorithm.) Chapter five deals with physical security. If you can still find a soda/acid extinguisher don’t try to use it on burning liquids: it doesn’t produce much foam, mostly a simple stream of water. And merely because a CRT (Cathode Ray Tube) is analogue does not mean it is incompatible with digital devices such as CCD (Charge Coupled Device) cameras: until I got my first laptop, all the monitors for my (digital) computers were CRTs. Respecting architecture (chapter five), “open systems” refers to the use of standard protocols, not parts. TOC/TOU (Time Of Check vs Time Of Use) is not a race condition, and does not require a change of state.  Polyinstantiation is not related to entity integrity. Chapter six reviews Business Continuity Planning: RPO (Recovery Point Objective) is the minimal level of operation the business needs to function, not the time taken to get there, and a hot site is not a mirror.

Studying telecommunications? It is the domain with the largest mass of information, and chapter seven is pathetically small: there is no mention of topologies, telephony, routing, and details of the protocols are scant to the point of being non-existent. The OSI (Open Systems Interconnection) model is a model, not a network protocol (although there is, also, an OSI suite of protocols), and can therefore be used to analyze any protocol suite. Neither ATM (Asynchronous Transfer Mode) nor Ethernet are restricted to the physical (which, in any case, does not deal with data, but with signals).

Chapter eight takes a stab at applications security. SDL (System Life Cycle) is not identical to SDLC (System Development Life Cycle) but contains it. The explanations in this domain are particularly poor, even by the low standards of this work. Similarly, the material on operations security, in chapter nine, is more random than in other chapters, and duplicates more content found elsewhere.

I was surprised to find that chapter ten, on law and investigations, wasn’t all that bad. There are still plenty of errors (no, only one of the four points given is one of the seven basics of the European Directives on privacy), but many of the base concepts are there, and presented reasonably. There is, however, almost nothing on management of investigations, and incident response isn’t even mentioned.

There are at least a dozen other options I’ve reviewed at http://victoria.tc.ca/techrev/mnbkscci.htm, and this actually isn’t the worst. But maybe I was a bit too hard at the beginning. You could use this book for a bit of last minute studying. If you can find at least one error per page, you are in good shape to write the exam.

copyright, Robert M. Slade 2012 BK11HCSG.RVW 20120210

Share