Posts tagged ‘CISSP’

A Little Respect Regarding Reblogging

I noticed this week that a site out there is using wp-o-matic to present my work as his own information security blog.
Some people incorrectly think that an RSS feed is a permanent license to do whatever you want with content. It's not. While it doesn't look like it, I do spend a lot of time on posts trying to make them semi-literate. Reposting without credit or a link-back steals my Google juice. Without attribution they are clearly plagiarizing my work. Not cool.
I think that presenting my work as his own is a violation of the CISSP ethics.
I may need to put a footer on each post in the RSS feed: "This post and more like it are available at Roger's Infosec Blog www.infosecblog.org"
If you're interested in learning more about your rights as a blogger regarding plagiarism, check out CopyScape.
This post is not about the people who have asked and the people who do link back. I appreciate that you like my work and provide some traffic back my way.

CISSP Renewed

It's hard to believe that three years have passed since I got my CISSP certification. It's renewal time. I sent off my annual payment to ISC2 and I'm well past the minimum required Continuing Professional Education credits (CPEs).
Here's a link to an interesting blog entry, Do You Still Value Your CISSP. I love the opening story.

How to be an InfoSec Guru

Occasionally people ask how I got where I am. I’ve been meaning to add an ‘about me’ but haven’t gotten around to it. A question earlier this week reminded me that this post was sitting in my draft folder.
A lot of people are sniffing after information security because they think they smell the green. They see CISSP average salary $93k and they think they deserve some of that cash. It was the same thing with Windows Systems Administrators. People who should be driving a beer truck are instead studying for their MCSE because the ad said they'd make $70 doing that. The flood of paper MCSEs just about destroyed the market for being a Windows Sysadmin, and I would guess led directly to some of the security disasters that have occurred in the past 6 years.
So if you're in it for the money, move on. Go train to be an Oracle DBA or something. If you don't truly love information security then don't waste your time. It's a lot of hard work, and just speaking for me, the salary quotes you see are really high.
There is a common debate on which is best: experience, education or certifications. I read an article about 5 years ago that would answer "all of the above". The article argued that these things are the foundation of a solid career. So pick one and work at it. That's the best way to get ahead.
Another article I read recently on this subject is by Roberta Bragg in Redmond Magazine, "How to be a security babe". You may need to dig it out of the Google cache.

Gartner: Security Leadership belongs to CxO

http://software.silicon.com/security/0,39024655,39152300,00.htm

IT departments should not be calling the shots on security, according to Jay Heiser, research VP at Gartner Research. Instead, companies need to take a business-oriented, risk-management approach. Stepping back from technical details allows a company’s IT practices to be forward-looking, aligned with the core business, and provide better return on investment. Zurich Financial Services halved its IT costs by outsourcing the commodity aspects of IT and security and focusing on policy rather than the technical aspects of the firewall. Heiser says that IT training is not enough anymore, but the job of managing IT risk requires a business school background majoring in risk management.

I would agree that risk management is an important part of computer security. You need to decide what is important, what it would cost if damaged, what it would cost to repair, and what it would cost to protect. That is a business decision, not a techie decision. However, if you remove the decision from the IT department itself, or remove it from the CIO or CSO, then there is a communications gulf that becomes difficult to cross.
It has always been the security tech's job to explain what the problem is, how it will affect business, and what it will cost to fix. Was I.T. training alone ever enough?
In the same vein, there is an article in SC Magazine that says the next generation of security experts will need to be business savvy as much as they are technically knowledgeable: "take your best and brightest security people and teach them more about business rather than worrying about getting them CISSPs and CISMs."
Soft skills are essential. But that doesn't mean you can just take a suit and turn him into an Information Security professional. At the same time, unless you want to get relegated to the basement (like I.T. pre-2000) you need to have the interpersonal skills: you need to be able to explain security issues, you need to be able to communicate with your manager, your director and your CIO, and relate why this is important.

Passed

I got word on Saturday that I passed the CISSP exam that I took last week. All that is left now is getting a current CISSP to sign the form verifying my experience and also writing up a resume to turn in for this. Once this is sent in, there may be an audit. I should officially be a CISSP soon. It's nice to have passed the major hurdle of the test itself.

Beware of Education Scams

I've been wondering about what the University of Fairfax is. Diploma mill or what? They've been sponsoring some CISSP study sessions locally and some CISSP webcasts that I watched. They offer a PhD in Information Systems concentrating in Information Assurance.
While the website did look like it is a real program rather than a diploma mill program, I was suspicious, having not heard of them before. The next item that raised my suspicions was the statement "The University of Fairfax is certified by the State Council of Higher Education for Virginia to operate in the Commonwealth of Virginia." When I looked at that State website it appeared more to be a registration of higher education programs rather than any endorsement or accreditation of the curriculum.
Next, a quick Google led to an AP story posted at WTOP. Apparently the guy running this school is banned from heading schools in Maryland because a school he led shut down abruptly in the 90s, leaving students and the government in the lurch. Not only that, but two men listed as faculty on the University of Fairfax web site told reporters they never taught a course there!
I found a Washington Post article that goes into some detail.
Makes me worry now about (ISC)^2. They are currently engaging in joint marketing with the University of Fairfax. Basically they are giving their name and reputation to this guy. What do they say about it? Marc Thompson, VP at (ISC)^2, says Berlin's "heart is in the right place" in spite of his checkered past. That's right, taking millions to offer education courses and then folding up shop is just a mistake and shouldn't preclude you from offering more education courses in the future, according to (ISC)^2.
I can't conclude that this is a diploma mill. But it sure seems shady. Whether looking for training or returning to school, you need to verify the accreditation of the school and its instructors.

SANS Conference

I mentioned a few posts back that I was going to a local SANS conference.
We're two thirds of the way through the SANS CISSP + S conference and it's been a great experience. Because it is a prep course, by nature it avoids two of my main annoyances in training. No one is signed up for the class who doesn't have a clue: (ISC)^2 has experience requirements associated with the CISSP, so there is a lower threshold on the type of people who will be in the course.
Also, because the course is about prepping for a test, there isn't a lot of debate and side issues. People recognize that there is the (ISC)^2 world and then everything else.
It's a long day with a lot of tough material, but thus far it's been very enjoyable. We return for the final two days next Thursday and Friday.

Off to a SANS Conf

Tomorrow I'm heading off to a SANS conference in Herndon, VA. I'm taking a CISSP course from Eric Cole. It's not really the best time for this. SANS conferences are kind of like drinking from the firehose of knowledge. Actually, it will be interesting to see if that is still my opinion. My last SANS conference was three years ago. Typically I find that sources I once found informative become tired and pathetic when I return to them with more knowledge and experience. I can't go to techrepublic.com or labmice anymore for that reason. Hopefully I'll still find SANS to be an incredible conference.
School is coming up on the end of the semester. I am already kind of stressed out. I've got a ton of things to do for crypto and databases. I don't need to be doing something so mentally rigorous during the day as well.
Now, to top it off, I find that this program has "extended hours." I can't be at this conference from 8am to 9pm. I've got stuff to do for school. I'm not sure if it's a saving grace or the last straw, but the conference is 6 days spread across three weeks. So it's Thurs/Fri this week, Tues/Weds next week, and something else the week after that. At least it doesn't ruin an entire week's worth of studying. Just a couple of days.
I'm also stressing because I'm cutting out at 3pm tomorrow. I'm going to miss some training because I'm heading down to opening day with Dad and my brothers. Opening day for the Nationals' return to town is once in a lifetime. But it still bothers me to miss part of the training for it.
Here is the conference link for those interested: http://www.sans.org/cissp_dulles05

SearchSecurity CISSP Training

SearchSecurity.com has free CISSP training webcasts available for a limited time. It does require registration.
I watched the first class/domain over the weekend and thought it was interesting. I came away with a few things to think about. The presentation is very rapid fire. There is way too much material in domain 1 to fit into an hour. The presenter advised that this is an introduction to the material and is in no way adequate to prepare you for the exam.

GIAC Changes Coming

SANS is modifying the requirements for the GIAC certification so that seekers will no longer be required to write a written practical. In the past there has been a requirement of a practical as well as multiple tests.
The written practical was a great thing for the GIAC. Some certifications are seen as a paper certification, or a sign of an individual's ability to quickly cram information into short-term memory. That was never the case with the GIAC, because there is a written paper designed to contribute to the general security knowledge base. Anyone could go read that paper online and get an idea of the writing skills and the security skills of the certificate holder. By changing this to a test-only certification, the great differentiator of the GIAC is gone.
The problem with the certification is that not enough people are getting it. Hiring managers are placing emphasis on the CISSP cert or even the Security+ cert from CompTIA. By making the bar lower, more people will have the certificate and a "critical mass" of certificate holders will ensure the future value of the certificate. That's the theory, anyway. I like it now where, even though it's not as well known, the ones who do know have respect for it. With it being a test-only cert now, not requiring people to actually view the course material, I fear it will be like the MCSE. If I see a bunch of high schoolers with a GIAC, I'm taking the certificate off my wall.