Archive for June 2008
CISSP Renewed
It's hard to believe that three years have passed since I got my CISSP certification. It's renewal time. I sent off my annual payment to ISC2 and I'm well past the minimum required Continuing Professional Education credits (CPEs).
Here's a link to an interesting blog entry, Do you Still Value your CISSP. I love the opening story.
Over Logging
We had a big storm roll through on Wednesday afternoon. About 6 hours later I lost my cable modem connection. Since the storm was long over, I’m guessing the power backup at the cable modem head end ran out.
I was pretty fortunate compared to some people at work who didn't have any power at home. The power was still out Friday, so I borrowed an EVDO card just in case. That turned out to be unnecessary as my cable modem came back up at 4pm.
Today I read this story on the front page of Saturday's Washington Post about one family's travails from not having an internet connection (oh yeah, they lost power as well).
“Bethesda eighth-grader Jacob Rasch could not do his history homework assignment on the Compromise of 1877 on Thursday because, he said, he couldn’t look it up on Wikipedia.”
Wow, that's right up there with “my dog ate my homework.” Doesn't he have a textbook? Doesn't he have an encyclopedia? How about a CD-ROM encyclopedia? How about a library?
“His mother could not e-mail health forms so Jacob can play baseball in high school this fall because severe thunderstorms that rolled through the Washington region this week took down the family’s power and their Internet connection.”
Oh the humanity.
“And his father couldn’t fix the generator outside the house because he couldn’t visit HowTo.com to find out how to clean the carburetor so that the generator would spring to life and power, among other things, the wireless router to their computer network”
Look on the bright side: at least he didn't accidentally kill them with carbon monoxide.
So the Rasch family packed a laptop Thursday evening and moved to a hotel, where they could log on and feel plugged in.
I thought about heading over to Wegmans, Panera or McDonalds for some free wifi, but decided I could go an evening without Internet. If I were out of power, I admit that, like these guys, I might go somewhere else for a hot shower, but for Internet… these people would fit in with the South Park episode linked.
“We couldn’t connect to the outside world without the power and the Internet,” Jacob Rasch said. “We had no idea what was going on.”
Better upgrade your disaster readiness kit to include a radio with batteries and a hand crank.
Now this does make me think that replacing my landline with VoIP or a cell phone might be a bad idea if I want 100% uptime.
Flash still not patched
Ryan Naraine took a look at the Google Analytics for a couple of sites and notes that those visitors aren't patching their Flash.
I'm seeing the same type of thing he's seeing when I look in the Google Analytics report for www.infosecblog.org.
Nearly 30% report that they are running unpatched Flash 9.0 r115.
You’d think if you were at a security blog, reading about Flash updates, that you might want to check if your Flash is up to date.
I'm a little surprised to hear people say that Adobe doesn't have a Flash update mechanism. Until I killed the updater in our environment, users were prompted to update if one was available at the time they accessed a Flash applet.
At Shmoocon, one of the sessions discussed passive vulnerability fingerprinting like this. If you don't have the ability to do authenticated scans on your network, look for opportunities like this to gather version information from the logs.
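As an added example (not from the original post or any product's code), here is a small script that does the kind of passive version gathering described above: it tallies client-reported Flash versions from a constructed beacon log and reports what share falls below a patch baseline. The "flash=" query parameter, the log layout and the 9.0 r124 baseline are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (not real data): a page's JavaScript reports the
# client's Flash plugin version to a beacon URL, and the web server logs it.
# The "flash=" parameter and line layout are assumptions made for this example.
SAMPLE_LOG = """\
2008-06-28T10:01:02 203.0.113.4 GET /beacon?flash=9.0%20r115
2008-06-28T10:01:05 198.51.100.7 GET /beacon?flash=9.0%20r124
2008-06-28T10:02:11 203.0.113.9 GET /beacon?flash=9.0%20r115
2008-06-28T10:03:40 192.0.2.33 GET /beacon?flash=9.0%20r47
2008-06-28T10:04:01 198.51.100.8 GET /beacon?flash=9.0.124
2008-06-28T10:05:17 203.0.113.4 GET /index.html
2008-06-28T10:06:23 192.0.2.50 GET /beacon?flash=none
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*r|\.)(\d+)")  # "9.0 r115" or "9.0.115"
PARAM_RE = re.compile(r"[?&]flash=([^&\s]+)")

def parse_flash_version(text):
    """Turn '9.0 r115' or '9.0.115' into a comparable (major, minor, build) tuple, else None."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def tally_versions(log_text):
    """Count reported Flash versions, one per beacon hit; lines without a version are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PARAM_RE.search(line)
        if not m:
            continue
        version = parse_flash_version(unquote(m.group(1)))
        if version is not None:
            counts[version] += 1
    return counts

def unpatched_share(counts, minimum_patched):
    """Return (unpatched_hits, total_hits, fraction) for versions below the baseline."""
    total = sum(counts.values())
    unpatched = sum(n for v, n in counts.items() if v < minimum_patched)
    return unpatched, total, (unpatched / total if total else 0.0)

if __name__ == "__main__":
    # Assumption for the demo: anything below 9.0 r124 counts as unpatched.
    bad, total, frac = unpatched_share(tally_versions(SAMPLE_LOG), (9, 0, 124))
    print("unpatched Flash clients: %d of %d (%.0f%%)" % (bad, total, 100 * frac))
```

Tuple comparison handles the build number numerically, so "9.0 r47" sorts below "9.0 r115" rather than after it as a string compare would.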
Corporate Fantasyland
Twice today I read “enterprises do this” statements that made me laugh.
Over at SANS the handler wrote “Corporates typically block outbound FTP” while describing Yahoo phishing that downloaded malware over FTP.
Later I was reading the latest AV-Comparatives report. In the discussion of numerous Sophos false positives, the author says Sophos is used in corporate environments where “new software is rarely installed.”
I've been looking for reliable statistics about what percentage of companies currently allow a significant percentage of employees to have local administrator rights. When I see statements like the above, I wonder if our policies, which were once among the more restrictive, are now comparatively lax. Or is it that the authors are merely stating what they wish were true?