Monday, July 24, 2017

CISSP vs SSCP Certification

| | CISSP | SSCP |
| --- | --- | --- |
| Offered by | (ISC)² | (ISC)² |
| Length of the exam | 6 hours | 3 hours |
| Number of questions | | 125 |
| Question format | Multiple choice + drag & drop + hotspot questions | Multiple choice questions |
| Passing grade | 700 out of 1000 | 700 out of 1000 |
| Exam availability | English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, Korean, visually impaired | English, Japanese, and Brazilian Portuguese |
| Testing center | Pearson Vue | Pearson Vue |
| Number of domains | 8 | 7 |
| Experience requirement | Candidates must have a minimum of 5 years cumulative paid full-time work experience in 2 or more of the 8 domains of the CISSP CBK. Earning a 4-year college degree or regional equivalent, or an additional credential from the (ISC)² approved list, will waive 1 year of the required experience. Only a 1-year experience exemption is granted for education. | Candidates must have a minimum of 1 year cumulative paid full-time work experience in 1 or more of the 7 domains of the SSCP CBK. |
| Accreditation | CISSP was the first credential in the field of information security to meet the stringent requirements of ANSI/ISO/IEC Standard 17024. | SSCP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard 17024. |
| Exam fee | 599 USD | 250 USD |
| Recognition | Gold standard | Less known |
| Resources to study | | |

CISSP domains (weighting):
1. Security and Risk Management (16%)
2. Asset Security (10%)
3. Security Engineering (12%)
4. Communications and Network Security (12%)
5. Identity and Access Management (13%)
6. Security Assessment and Testing (11%)
7. Security Operations (16%)
8. Software Development Security (10%)

SSCP domains (weighting):
1. Access Controls (16%)
2. Security Operations and Administration (17%)
3. Risk Identification, Monitoring, and Analysis (12%)
4. Incident Response and Recovery (13%)
5. Cryptography (9%)
6. Network and Communications Security (16%)
7. Systems and Application Security (17%)

Sunday, July 16, 2017

[Opinion] Will Machine Learning in Cyber Security open a Pandora’s Box?

Machine Learning is the buzzword nowadays. Huge numbers of courses on machine learning have mushroomed online, and companies are chasing professionals who are experts in it. Udacity, which developed a course on machine learning in collaboration with Google, defines it as follows: “Machine learning represents a key evolution in the fields of computer science, data analysis, software engineering, and artificial intelligence.”

Wikipedia, however, explains it better rather than just throwing jargon around. It says that machine learning gives “computers the ability to learn without being explicitly programmed.” Much more understandable! In simpler terms, computers start learning from processes and develop a capability for deduction rather than just performing what they are programmed to do.

When such machines are made to learn to defend our networks and organizations from an information security point of view, both good and bad things will happen. Read on....

An article published in TechCrunch, “The darker side of machine learning”, gives us a glimpse of how a facial recognition app used in Russia can identify anyone who has a profile on the social media platform known as “Russian Facebook”. Your privacy goes for a toss with applications such as FindFace, and no extra points for guessing that it is a simple application of machine learning.

The Threat Detection Business

The cyber security business is worth billions of dollars, and there is no doubt as to why cyber security startups are able to raise millions of dollars more quickly than others. Machine learning and AI are being explored to their full potential, according to an article published in Computerworld UK. The article, titled “Machine learning in cyber security: what is it and what do you need to know?”, gives an interesting picture of how security vendors across the world are jumping on the bandwagon and, in order to outdo each other, are trying to come out with products based on machine learning.

“Many Eyes” is what the CSO at Vectra Networks calls it, and he says: “You can use machines to observe the network continuously in real time, and correlate that across hundreds of millions, to trillions, of events on a daily basis.”

“A traditional approach from a security practitioner perspective is to take logs, drop them into some central database, and then, offline, mine that data for events that we have a feeling might be there,” he says. “What machine learning offers is that all of the work can be done in real time, live in a network wire and without that human oversight.”

Thanks to the article, we also get the thoughts of Andrew Gardner, senior director of machine learning at Symantec, who explains that where machine learning will really help is in scale and automation. Think of the difference, he says, between two humans playing chess and two computers playing chess. The computers can play each other at very high speeds.

“One thing that's useful for is it allows us to do predictive testing,” he says. “We can, in a sandbox, use AI machine learning in the same way that an attacker might do, to predict and explore possible exploits on a scale that humans just can't achieve.”

The Fear of the Unknown

Human beings always fear what they do not understand or know. We have gone to great lengths to understand and decipher every large or small thing in this world and others.
The vendors are trying to paint a rosy picture, and they are adamant about proving that machine learning will be the panacea for all problems: “Machines will be able to identify unknown attacks and will be able to protect you from the unknown.”
The Computerworld UK article further highlights the point of Vectra's Gunter Ollmann, who warns that professional attackers are studying machine learning very closely, and many of them are already data scientists.

“This is no different from 10 years ago when behavioral learning systems came out that the bad guys invested their own time, and they found ways to detect and bypass the sandboxing technologies,” he says. “I expect we'll see that same level of thought and actions going into machine learning and artificial intelligence.”

Companies today want a one-stop solution which is ready to defend them from the unknown. Why does everyone forget that professional attackers use those same tools and mechanisms to create more sinister attacks? Are we ready for it?

The world is already grappling with new attacks every day. Are we truly ready for something which the vendors or machine learning enthusiasts tell us is going to solve all our problems, rather than creating more difficult ones?

WannaCry made a lot of people cry… the hospitals in the UK were the most affected. We, the governments, the cyber security professionals, CERTs etc. were not able to do much about it other than giving sermons that your systems should be patched all the time, that you should use the latest products, enable antivirus protection and so on…
We were not able to defend ourselves against these known attacks… are we really ready to defend ourselves against the unknown?

Is Machine Learning the solution?

YES and NO. Why yes? Because ultimately we will have to use it, as the data points generated will be too huge to handle in the coming years. We will have such complex mechanisms and things in place that we will need machines to come to our rescue.

Why not? As 451's Adrian Sanabria says: “We know from experience that attacks will simulate what info sec vendors are doing. Machine learning models depend on a degree of likeness, so if attackers find a way to produce malware that looks significantly different from what models expect, machine learning-based detection methods could become ineffective overnight.”

Rather than just jumping on the new buzzword and falling for slick marketing, it is important for us to push software vendors to integrate security from the design phase and not patch it in later. We need professionals who can defend against known attacks and software developers who design and integrate security into every aspect of the software.
Multiple layers of protection, or onion security, are the best bet today.
It is important that we understand this and give machine learning time to mature before allowing it to defend our networks…

What do you think about it?

Wednesday, July 12, 2017

Quick Tips for SSCP Exam

Let me say “All the best” to you before I start giving you tips for the SSCP exam. These tips are not mandatory to follow, but they will surely help you to manage and crack the exam.

Systems Security Certified Practitioner (SSCP) is a three-hour exam containing 125 questions. You can call it the younger brother of CISSP. I took this exam in July 2014 and passed on the first attempt.

You have to schedule the exam through the (ISC)² website, which then takes you to book the exam at a Pearson Vue center.
  1. Reach the exam center approximately 45 minutes before your scheduled time. This will help you to settle down. Start early so as to reach early rather than worrying on the way about whether you will arrive on time.
  2. When you reach the Pearson Vue center, you will be given a set of instructions to read. These instructions are different from the NDA to be signed for the SSCP exam. In case you have any queries regarding the instructions, feel free to ask the proctors. They are friendly and helpful.
  3. Your photograph and palm scans will be taken before the exam begins.
  4. Do not forget to carry two identification cards, with signatures on both.

Now, when your exam starts, keep the following in mind. These tips will surely help you.

  1. You will be greeted with an NDA before you begin the exam. Read the NDA; you have 5 minutes to do so.
  2. Failure to accept it will forfeit your exam fee and you will not be allowed to proceed with the exam. After you accept the NDA, your exam begins.
  3. You have a timer which shows the 180 minutes you have for the examination, and a “Flag for review” option whereby you can flag the questions you are unsure of at the moment for later review.
  4. Try to make a strategy to solve the 125 questions. 25 questions are reserved for research purposes. Hence you need to answer 100 questions in order to get a 70% score.
  5. I followed the strategy below. It is always better to follow your own plan based on your strengths and weaknesses.
  6. It is extremely important that you go through all 125 questions at least once in around 1.5 hours. I glanced through all the questions and answered 90 questions in one go, which took around 1.5 hours. I used the “Flag for review” option wholeheartedly.
  7. Although the three-hour exam is not as strenuous as the CISSP exam, you still need to maintain your focus for three hours.
  8. Remain calm; if you do not know the answer to a lot of questions in the first pass, flag them. This is perfectly normal. Don't stress yourself.
  9. I used the next hour to solve the questions which I had flagged for review or had left unanswered. The remaining half hour was focused on reviewing the questions I was extremely unsure of, or where I was confused between two options that both seemed likely.
  10. There is no negative marking in the exam, so it is recommended that you answer all the questions.
  11. As soon as the time is over, the exam finishes automatically and you are greeted with a message that the time has finished. You may call the proctor in case you face any issue during the exam.
  12. You can collect the exam result from the main desk. Remember, you are never confident when you walk out from the exam hall to the main desk.
  13. Most people I have met either discount the importance of the SSCP credential or don't know about it. It is important to remember that SSCP is no small feat in itself. You need to have a minimum of 1 year of experience in the information security field.
  14. SSCP tells the world that you are interested in learning and have a basic knowledge of the concepts of information security. As a practitioner, this exam allows you to gain a holistic understanding of a lot of security concepts.

If you reached here, let me thank you for reading this article. If you are preparing to take the exam, all the very best. If you have passed the exam and would like to share your tips with everyone, feel free to comment below.
Share this article on your favourite social media platforms.

Monday, July 10, 2017

What is CIA?

The Three Pillars – CIA

Anything in information security ultimately boils down to ensuring that one or all of three pillars are upheld. These three pillars are Confidentiality, Integrity, and Availability.

It is thus extremely important that you understand the meaning of these terms. From an exam perspective, a lot of questions will be focused on identifying the following:
  1. Which of the three pillars is violated?
  2. Which of the three pillars is ensured if a certain action is taken?
  3. What will a certain control provide or protect?

Even from an organizational perspective, all the policies, procedures, standards and guidelines are made to ensure that the three pillars of information security are catered for.
So, let's understand these concepts now.
Before I begin, let's be very clear that I'm not going to write down the definitions provided by any agency or organization. You can get them in any book, and they are mostly as clear as mud. It is important to study those definitions too; however, from an exam perspective, simple is best.

The focus here is only to explain the concepts to you in the simplest manner.

Confidentiality – “Unauthorized disclosure should not happen” – This phrase alone is more than sufficient for you to answer any question.

Integrity- “Unauthorized modification should not happen”

Availability – “Information should be available at the right time to the right people”

Now let's apply the above definitions to a variety of scenarios. You'll notice that these definitions work in every scenario.

Scenario: You have an account with ABC bank; you deposit a sum of 1000Rs into the bank. The bank clerk accesses your account and deposits the money. You have been issued a debit card with a PIN (personal identification number) which is to be kept secret. You now go shopping and try to use the debit card to spend 500Rs from your account.

Try to answer the following questions now, based on the definitions explained above:

Q1. The clerk accesses your account and withdraws a sum of 200Rs from your account without your permission. Which of the three pillars is violated?

Answer – Since unauthorized access has happened, confidentiality is violated.

Q2. When you access your account, you are not able to log in and check your balance. Which of the three pillars is affected in this case?

Answer – Since you are not able to access your account at the time you want, Availability is affected here.

Q3. When you are finally able to log in, you notice that instead of the 1000Rs you deposited, you only have 800Rs in your account. Which pillar has fallen?

Answer – The integrity of the account is questioned here as unauthorized modification has happened.

If you have understood the concepts above, now try to answer the following questions and mention your answers in the comments section below. Answers to these questions will follow in the next blog post.

Which of the three pillars will be affected in these scenarios?
Q1. The shopkeeper notices the PIN which you enter.
Q2. The server is not responding and you are not able to do the transaction.
Q3. The transaction stops mid-way and your account is debited, however, the merchant does not get the money.
Q4. You get a message from the bank stating that someone has hacked into your account.
Q5. You click on the link provided in the message and find that the bank’s site is not accessible.
Q6. You call up the bank and the bank resets your account password without your permission.

Sunday, July 9, 2017

[Opinion] It's High Time ….

The recent spate of cyber-attacks has served as an eye-opener for many organizations and individuals. Organizations which were using unpatched software and had no security teams, no incident response policies and procedures etc. were clearly the ones who had to bear the maximum brunt of such attacks. There were many who were not affected because they took the right steps at the right time and gave due importance to security and security teams in their organization.

Many of the points mentioned below have long been debated in organizations. But it's high time that they are taken seriously and religiously implemented.

CISO/CSO should be a part of Board Meetings

In most organizations, security is still considered an IT job. The CSO reports to either the CIO, the admin head or some senior business person. Organizations mostly appoint a CSO just to ensure that regulatory compliance (in some countries) is taken care of. They are really not interested in considering security a business driver. In fact, a lot of business people consider security or security teams a hindrance to the dreamy innovations and ideas which they want to roll out (without testing) in the blink of an eye.

It's high time that organizations realize that the CSO should have appropriate representation in board meetings and should report to the highest authority in the organization. The CEO should have the CSO/CISO on speed dial. The recent attacks and the increasing number of data breaches are a testament to the fact that security is no longer an add-on or just a regulatory compliance item to be taken care of. It is, in fact, the next enabler of business.

By making the CSO a part of board meetings, organizations can show that they really care about security. It improves customer confidence and showcases their seriousness about security. However, it is really important that the CSO is given a time slot in every meeting to apprise the board of the current risks the organization faces and the funding required, if any. Just making the CSO a mute spectator in every meeting is simply not going to help.

Security Representative in Customer Meetings

It is often seen in most organizations that business people keep themselves at the forefront when meeting either a prospective customer or an active customer. They are always of the opinion that security people should work in the background and should show their faces only if the customer insists.

It's high time that there is appropriate security representation when meeting a prospective customer or an active customer. Customers are more focused on and interested in learning how you can keep their information secure than in understanding what technology or language (Java/Python/C etc.) is used to make the product. By having security representation when meeting a prospective customer, you can showcase how serious you are as an organization about keeping the customer's data safe and secure.

It's high time that organizations realize that the most important parameter for getting new business will not just be agility or cost optimization but SECURITY.

Security is Business Enabler

Most of the business people you meet always complain about how security patches, updates, tools etc. have made their systems slow. Their productivity gets hampered only because DLP, proxy, HIDS, firewalls etc. run in the background, and they are not able to get the full potential from their systems and staff.

They are not able to give wings to the new ideas which got into their heads while brushing their teeth in the morning, because the security teams reject their proposals over security issues.

It's high time business owners realize that security is no longer a hindrance to their operations or ideas. Security is a business enabler, and all the tools deployed and patch updates applied are there to ensure that bad actors are not able to wreak havoc on your systems by demanding a ransom or causing a data breach.

If you want new business, rest assured that you will get it only when security is in place. If you think otherwise, I challenge you to win a contract whose RFP answers the question of securing customer data with “We will think about it”.

Ensure and Evolve Security Everyday

Many organizations are of the opinion that a policy they made decades ago is going to save them from a data breach. Some think that if they buy the most expensive tools and countermeasures available in the market, they will be the most protected organization on earth. Most organizations also have a deeply ingrained belief of “Who will attack me? My organization is not doing any confidential work.”

It's high time that organizations, as well as individuals, realize and clearly understand the fact that everyone is a target. The hacker is not going to spare you just because you keep only songs or movies on your laptop and no confidential data. The ransomware is not going to spare your organization's systems just because you only manufacture chocolates or baby powder.

Information Security is not a “Fix it, forget it” or “I did that a year ago” kind of activity. It's something which you will have to practice religiously every day. Why? The answer is simple. Just as you brush every day because germs come up in your mouth every day, new attacks and threats emerge every minute and you need to constantly protect your organization from such threats. That means analyzing your threat profile, risk posture, controls and countermeasures every day.

Making decisions based on a risk assessment done a year ago is like crossing a bridge (with valleys on both sides) with your eyes closed; I hope you get the point! You are bound to get burnt if you are not making decisions on real-time data.

In conclusion, the only point to drive across is that it's really high time organizations and individuals start taking security seriously. Although businesses take a huge amount of time to set up and become successful, it takes only one data breach to make them bite the dust and perish forever.

Don’t become history, practice security…….