6 Qualities You Need to Master Strategy

Posted by admin | Mastering Strategy | Thursday 4 December 2008 4:25 am

To be a master strategist, you must possess these qualities

  • You must be well-read
  • You must be a good listener
  • You must be observant and perceptive
  • You must be dedicated to the path of wisdom and knowledge
  • You must have an excellent understanding of cause and effect
  • You must be humble and willing to “empty your cup” as Bruce Lee used to say (more on that later!)

Don’t Let Your Guard Down During the Holidays

Posted by admin | Life Security, Security 101 | Thursday 27 November 2008 3:01 pm

Why The Adversary Never Sleeps Even During Holidays

Holidays are probably the best time for an adversary after your money or resources to find easy prey. Unfortunately, during a time of increased threats (viruses, burglaries, etc.), most people, probably 80%, will be less vigilant and alert.

Don’t Let Your Guard Down

I know it’s the Holidays and you may not like to hear this, but…stay on your guard! Yes, truly enjoy the holidays, but also build security, alertness and vigilance into them as well. If you do, you’ll stay more secure.

Stay On Your Guard Smartly

I’m not saying be paranoid or let anything ruin your holiday…if you do that then the enemy has won! Instead, just make awareness and security part of your holiday routine; you will be doing more than most people, will probably reduce your risk, and will make the adversary pick an easier target.

Things you can do to stay vigilant, secure and deter criminals:

  • Stay alert to suspicious people and events or things out of place
  • When in doubt, ask for law enforcement to check it out
  • Don’t be flashy or flash money around
  • Lock it up in your trunk (presents or purchases and such)
  • Make sure you use lights to deter would-be burglars and park under lights
  • If you take a vacation, make sure someone you trust watches after things regularly and at unpredictable times (their pattern to check on things should be random)

Stay secure during the holidays and don’t let your guard down! Happy Holidays!

5 Reasons to Learn and Master Strategy in Life

Posted by admin | Mastering Strategy | Saturday 22 November 2008 4:09 am

Why should you learn and master strategy?

Learning strategy is important for many reasons:

  • To survive and minimize negative effects or threats (to stay secure!)
  • To prosper, come out ahead, beat the competition or adversary and win!
  • To stay wise, well-learned and thereby prevent problems/avoid trouble
  • To avoid learning the hard way
  • To avoid letting history repeat itself

This can apply to any strategy, whether for relationships, communication or, of course, staying secure.

4 Top Antivirus Programs Compared

Posted by admin | Resources | Friday 14 November 2008 2:57 am

In this article, I’ll talk about 4 Antivirus Programs I Tested

I’ll examine and assess various anti-virus and anti-spyware/anti-malware programs.  While describing these programs, I’ll focus on my experience with each of them, in general, as well as on specific things such as what I feel best meets my personal needs and why, the features I liked or disliked and why, as well as any types of virus or malware incidents I’ve had and any lessons I’ve learned.

My approach will be to use a matrix to chart out and compare my experiences. I’ll conclude with what I think are the best means for conveying my lessons learned to others most effectively.

The first thing I’d like to mention with regard to using any of these programs is that for corporate use, most organizations are limited to a single vendor, and I think this is not the most effective approach to anti-virus or anti-malware. Before I even scanned and used any of these programs, my initial thought was always to use several different programs, because the simple fact is they were created by different people.

Different people think differently and their products may also be different as a result.  More emphasis and programming may have occurred in one area, and less in another.  This may create better strengths in one area such as detection or elimination but weaker in other areas such as frequency of updates or thoroughness of scans and other capabilities.

I have actually used these programs and could’ve included several others I’ve used and tested, but I didn’t want this matrix to get larger than it already is. Every program I included, in general, satisfied me for simplicity, design usability and intuitive features. My goal was to include what I believed to be the top few for each type of product, anti-virus and anti-spyware.

Antivirus Product Vendor

Avast

General Description

Antivirus-only Freeware

Likes

Avast, of all the antivirus programs, is the most thorough and in-depth scanner: it even goes into DOS mode and scans the computer on reboot, in such a way that all viruses will be caught. I had to use Avast in the past when I did not have an antivirus program available, or when a friend didn’t have one, had an infected machine and needed one. Best of all, it’s free, has been free for a long time and hopefully will continue to be free, and yet still remains high quality!

Dislikes

The disadvantage of this thoroughness is of course the length of time it takes, perhaps twice as long as the average antivirus scanner. Also, it’s antivirus-only, and one has to wonder if it will catch other things such as spyware, adware, malware, ghost programs, trojans, worms, etc. I’ve found that what one product will catch in one area is not what another will catch in another area.

Misc Notes and Lessons Learned

Reviews which I’ve seen have been very high for Avast.  In addition, Avast seems to do a good job keeping up with its signature files.

Antivirus Product Vendor

Norton (Symantec)

General Description

Norton seems to be a well-accepted reliable industry standard and is used by several large companies in the private sector and government.  I like the fact that Norton has a strong reputation and a lot on the line to be one of the best since it has so many important customers and seeks to be a leader.

Likes

Norton seems to be a well-accepted reliable industry standard and is used by several large companies in the private sector and government.  I like the fact that Norton has a strong reputation and a lot on the line to be one of the best since it has so many important customers and seeks to be a leader.

Dislikes

I have used Norton on a home PC, however, and it seems to take up a lot of processing overhead as well as sometimes conflict with other programs. The number of problems I encountered, coupled with the fact that I de-installed and reinstalled it more than once and it still wasn’t fixed, made me wonder, especially for a mature vendor and version. In fact, I couldn’t pull up the interface after installing it. My wife ended up de-installing it and installing the competitor McAfee program, free from Comcast, and McAfee found a virus!

Misc Notes and Lessons Learned

Reputable firms aren’t always good for home PC use, especially when their focus is obviously more on their corporate customers using the “corporate edition”!

Antivirus Product Vendor

F-Secure

General Description

Comprehensive security solution, trialware (anti-spyware, heuristic scanning, intrusion prevention, popup blocker, parental control, Internet Shield firewall, antivirus)

Likes

F-secure has heuristic scanning and while it does take up some overhead, it actually is well worth it.  Through its heuristic scanning, my computer was saved from two viruses and trojan and this trial version has proved its worth.  In addition, the various other comprehensive solutions

Dislikes

I think the overhead, and also the time it takes to load initially, are two concerns. One has to wonder whether, while the program is loading on a computer with an always-on DSL or cable-modem connection, hackers can get into the PC and insert a Trojan or piece of malware or perform a registry hack before F-Secure loads to prevent it!

Misc Notes and Lessons Learned

What I liked the most about this one is that for a year it was free, and this one is sure to hook the average user for the thoroughness and up-to-date things such as intrusion prevention and a top-notch firewall which it provides.

Antivirus Product Vendor

Guardian Security

General Description

Inexpensive yet comprehensive security solution  trialware (anti spyware, popup blocker, Internet Shield firewall, antivirus, data encryption, data transport,

Likes

I like Guardian for its price versus the comprehensive security solution it provides. This company and its solutions definitely have potential and are worth looking at. When I used the antivirus it did a very thorough job.

Dislikes

When I de-installed and later tried to reinstall the suite, I couldn’t use the antivirus because I lost the product key and had to re-register it but couldn’t.  While this is my fault, I didn’t know it would do that and the company should have included a warning that this would happen.  Also, the maturity of this program still needs to grow, as with any new solution.

Misc Notes and Lessons Learned

Companies that are relatively new, like this one, sometimes do a typical thing.  First, they either offer their products for free or they undercharge for them to hook new people into the deal.  Then over time or after the initial subscription service expires, they increase their price.  While this is not necessarily wrong, the result is sometimes that people end up with a $50 solution after one year when it cost only $20 previously.

And there you have 4 Antivirus programs compared.  I hope this was helpful.

Security and Decisions Are Based on Trust

Posted by admin | Risk & Trust in Security | Sunday 9 November 2008 1:08 am

Security is entirely based on trust

If you feel like you can trust the bank with your money, that’s where you keep it. If you feel like you can trust a mega corporation (like Enron) then you’ll keep all of your trust (stocks) there. If you feel like you can trust your relatives, you may give them the key to your place. The point is, all of our decisions are based on trust.

If a Naked Man comes along and offers you his shirt, beware!

In other words, if someone promises something they can’t deliver, you can’t trust them. We see such promises every day. Many kids have their trust in parents and adults spoiled when promises aren’t kept.

Trust-Based Security

If I can’t trust you, I give you no access to anything important of mine

If I can trust you slightly, I give you access only in areas and only in ways I think I can trust you

If I can trust you greatly, you’ll have greater access

If I trust you completely, then you’ll have the most access

Levels of Trust are Not Carved in Stone

Trust is dynamic, as it should be. The mistake people make is failing to realize the dynamic nature of trust and the constant need to re-verify it from time to time. If someone was once trustworthy but something makes them change, then they may no longer be trusted regardless of other factors which come into play such as friendliness.

The master social engineer is the friendliest bloke in the world…all the while scheming whilst disguised as a bottle of Guinness

Those out to bamboozle others gain trust by their kindness, consideration and apparent dedication. Then once they have the access they need, they violate their trust for their gain and before they’re caught, they’ve escaped with what they were after.

Social Engineers are opportunists…

A social engineer is, in my words, “a master manipulator of trust-based social relationship techniques in order to quickly and effectively gain the maximum amount of trust in the minimum amount of time with the least bit of effort”.

If they can tailgate or piggyback their way in, they will. They’re like rats…first looking for the easiest route…but don’t underestimate their persistence…if there isn’t an easy way in and the need is bad enough and/or the reward is great enough…they’ll chew through concrete to get what they’re after!

When Trust Becomes Untrustworthy

The person who had trust established but later becomes untrustworthy may have been after something all along or they may have eventually become convinced to go after it for whatever reasons, at some point (when guards are let down, or if something becomes appealing or if a sudden need arises or a discovery is made). Some are out to exploit such vulnerabilities and always look for such opportunities while others discover them or become discovered and used as pawns to get inside.

Precautions to take

Realize the dynamics of trust and re-verify trust from time to time

Don’t be surprised by facades that would otherwise fool you

Don’t let your guard down

Never give up the keys to the kingdom

Be ready for things and take action to stay secure! Remember… Trust but verify and…

Trust but verify!

Trust But Verify As a Security Strategy 2

Posted by admin | Risk & Trust in Security | Wednesday 5 November 2008 3:38 am

In part 1 of this series “Trust But Verify As a Security Strategy”…

I touched on how trust but verify can be a good thing to check others as well as ourselves.  In this article I’ll focus  on how “trust but verify” should be used as a security strategy or method in other ways for our personal lives and our world, in business, etc.

I Trust You…But Not Very Much…

We always want to verify things that we put our trust in especially if we don’t know the true strength of something or its validity or trustworthiness.

For instance, would you trust

Barroom wisdom about marital advice?

A stranger’s advice about legal, medical or tax information?

No, you would not. But why not? Because of trust, based on who is telling you, right? But what happens if they show us credentials, such as an ID card that (supposedly) shows they are who they say they are? We may be able to trust them, but the chances are probably still low because such things can be easily forged. So we have to have more things to base our trust decision on before we actually trust.

But how about this…would you trust it

A friend’s advice about money?

A friend’s advice about legal, medical or tax information?

Here’s where people foul this up. The con man can become someone’s best friend in order to build trust; then, once he has the trust, he can exploit it if needed. But a friend is even more dangerous, because of the level of trust we give a friend based on personal but not necessarily professional knowledge.

The mistake is when our friends are wrong and we make legal or tax mistakes based on either what we heard or what someone we thought was trustworthy said.  So what should be the more cautious approach?

Trust but verify

Here are the key tenets to the “trust but verify” approach

1. Don’t assume authority, authenticity or validity, but instead have it proved in more than 1 way, perhaps in 2 or 3 ways and then cross checked by more of the same level of authority

2. Don’t just put trust in anything.

3. Trust valid and current source material not just any written document.  There’s a big difference between a valid policy versus unsigned draft of a policy which is not yet valid or authoritative.  There is a big difference between an outdated and an updated manual.  This relates to the integrity of the source material.  How reliable is it and is it old, corrupted, forged or what?  Is it even the right document or does it not relate to what you seek?

4. You can still be friends, even best friends, but just know where you need to draw the line of trust for certain advice. Why? Because even your best friend may not be best qualified to give you certain types of information or advice (do this without offending them, of course!)

See how there is always a verification process before you can trust something for decision-making?

Trust but verify is the smart way to go!

The Vulnerability of Bureaucracy

Posted by admin | Threats to Security | Tuesday 4 November 2008 2:29 am

A Bureaucracy Can Actually be a Vulnerability

How?

Because bureaucracies are inherently slow, cumbersome, and lack the necessary continuity to stay secure. They tend to have slips. They also tend to be driven by the personalities that rule them rather than by the processes that rule them. This is why a bureaucracy can have all of the best policies and procedures in the world but still fail in security. They can have all the working groups and committees and meetings about security but still be insecure. Why?

Because bureaucracies know how to make things look good on paper, and look for “documentation compliance” rather than true technical compliance. Sure organizations get tested for actual technical vulnerabilities. But it’s in the remediation of those vulnerabilities where the weaknesses lie, not in the skill of those testing.

What good is it if an organization undergoes a security vulnerability or penetration test and never fixes the issues or accepts too much risk? What controls are there to no longer accept risk or to curtail “risk creep” which is the acceptance of too much risk based on the acceptance of past risk? What controls ensure fixes are validated instead of pencil whipped?

Sacred Cows of Bureaucracies

A bureaucracy will never change and therefore its sacred cows will cause it to be vulnerable. Why? Because those sacred cows are usually not messed with. They remain a critical entry point of threat, attack, exploitation and vulnerability.

Unless a bureaucracy changes its ways, it is inherently a vulnerability and the weaknesses it has will be exploited. If there is a known lax individual or a less vigilant department, that is surely the entry point for a threat to exploit. Just the sheer slowness and cumbersomeness of a bureaucracy will keep it vulnerable unless it really trims the fat, becomes lean and cuts out all unnecessary processes. Until this happens, any bureaucratic organization remains vulnerable.

Top 10 Best Ways to Prepare for the CISSP

Posted by admin | CISSP Study Helps | Friday 31 October 2008 12:49 am

How Difficult is the CISSP?

The CISSP is not easy. I’ve heard MCSEs with 10-20 years of experience say it was the hardest test they’ve ever taken and that it was exhausting. Then again, I’ve heard others say it wasn’t that bad. The certification isn’t to be taken lightly. What is critical, so you don’t waste your time, is that you MUST pass it the first time!

So be sure you’re ABSOLUTELY COMMITTED in advance and stay committed. Realize the seriousness of this commitment, this is not just another ticket punching cert, it is THE cert if any are to be had with as much breadth and depth for info systems security and it integrates so much useful knowledge for any IT professional.

To prepare for the CISSP, these are in ranked order as I see it…

1. First understand the material and concepts not just definitions.

  • You can’t do this in a week or two.
  • Plan for at least 1 month and ideally 2-3 if you have some background.
  • Most ideal is 6 months (trust me the volumes of material to learn can take this long, especially if you have zero background)
  • Read My article CISSP Test Questions Learning strategy (coming soon)
  • Read “CISSP Exam Questions and How To Approach Them” by Doug Landoll…a very informative article about the more difficult types of CISSP exam questions and what to do when you have questions like this (both in practice and in the real test).

2. Understand CISSP test-taking strategies and best practices

  • Read my article about CISSP test-taking strategy (coming soon)

3. Understand other important details about the CISSP test questions themselves

  • Read this article with some great CISSP preparation and exam-taking strategies

4. Watch the FREE CISSP Shon Harris security videos and use the other resources I talked about in my previous post

5. Shon Harris All In One Guide

  • Read it cover to cover, don’t skim or skip, you HAVE TO read the details
  • Review all quick tips twice and understand the concepts if you can
  • Take all quizzes in the back twice (at different times) and be sure to review answers both times, fully understanding why you got it right or wrong
  • Take the CD Quizzes twice (at different times) and be sure to review answers both times

6. Do the free practice tests 1-2 times found at cccure.org once you register

7. Don’t worry, just do all of the above, and you should pass…

8. Get a good night’s rest FOR SURE!

9. Eat breakfast/meal beforehand but not overfull, just enough to prevent getting starved

10. Join a study group if necessary

How to Cram for the CISSP

If all else fails and you have to cram for the CISSP (not recommended) and/or you need the BEST RESOURCES to prepare for this:

  • Shon Harris All-In-One Guide
  • CCcure questions (free online after registering)

I’ve repeatedly heard these 2 praised the most for CISSP preparation. But you have to study long and hard and understand the concepts and material. This is not just rote memorization, it’s a concept level understanding that’s tested. It will probably make the SATs and other tests look like a cake walk. Good luck!

CISSP Study Tips & Free Training for CISSP Certification

Posted by admin | CISSP Study Helps | Saturday 25 October 2008 11:40 pm

CISSP - The Basics of Certified Information Systems Security Professional and The Best Strategy for Learning the 10 Domains of the CISSP Common Body of Knowledge

  • Learning CISSP Test Essentials and Concepts
  • Understanding them Well
  • Studying them
  • Practice Tests (various sources and perspectives)
  • Repetition of review of essentials and concepts
  • Repetition of CISSP questions

Free CISSP Online Training Shon Harris Videos & Exam Prep

SearchSecurity.com has done an absolutely fantastic job of providing FREE online CISSP training of the 10 domains using FREE ONLINE CISSP SHON HARRIS VIDEOS !!!

Shon Harris wrote probably the best single and definitive guide on CISSP common body of knowledge (the 10 domains) and if you do not study or do anything else, BUY Shon Harris’ All In One CISSP Exam Guide (it’s worth every penny!) Just be sure it’s the most current edition!

But there’s more for Great and FREE resources below…

The 10 CISSP Domains you will be tested on include:

  1. Information Security and Risk Management
  2. Access Control
  3. Cryptography
  4. Security Architecture and Design
  5. Telecommunications and Network Security
  6. Application Security
  7. Business Continuity and Disaster Recovery Planning
  8. Legal, Regulations, Compliance and Investigations
  9. Physical and Environmental Security
  10. Operations Security

For all the Free CISSP Domain Videos by Shon Harris, I’ve listed the triad of available resources below!

Also at SearchSecurity.com, they provide free cliff note type of essentials and summaries of the 10 domains as well, and to top it off, they provide FREE quizzes to prepare you for the CISSP examination with 15 test questions for each domain. Add all of this to your study arsenal to prepare for the long and grueling CISSP!

Free and outstanding CISSP Online training - what more could you ask for?!

Note these videos are a bit older and dated, but I dare say, according to the 80-20 rule, 80% should still be up to date; they are worth watching as a great overview and beat spending hundreds or even thousands of dollars on courses.

I DO HIGHLY RECOMMEND that you buy at least the most current edition of Shon Harris’ Book ALL-In-ONE CISSP Exam Guide and read it cover to cover. It’s a must read to prepare for the exam, and if you read it last, and do all of the exam questions and quick tip reviews found in the book, as well as the practice questions found on the CD, you will stand a better chance at passing the CISSP exam.

CISSP Domain 1 - Information Security and Risk Management (formerly Security management Practices)

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

CISSP Domain 2 - Access Control

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com:

CISSP Domain 3 - Cryptography

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

CISSP Domain 4 - Security Architecture and Design (formerly Security Models and Architecture)

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

CISSP Domain 5 - Telecommunications and Network Security

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

CISSP Domain 6 - Application Security (formerly Applications and Systems Development)

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

CISSP Domain 7 - Business Continuity and Disaster Recovery Planning (formerly Business Continuity)

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

CISSP Domain 8 - Legal, Regulations, Compliance and Investigations (formerly Laws, Investigations and Ethics)

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

CISSP Domain 9 - Physical and Environmental Security (formerly Physical Security)

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

CISSP Domain 10 - Operations Security

Free CISSP Cliff Notes & Essentials Review by SearchSecurity.com

Free Shon Harris CISSP Videos - Cost Free Online Training

Free CISSP Practice Test / Practice Exam Questions by SearchSecurity.com

More Great CISSP Resources to Help You Study and Prep for the Exam!

The CCCure website also offers free online CISSP practice test questions if you register (then just go to the CISSP link in the menu tab at the top of the page after registering and start taking the quizzes). Questions for this one only appear one at a time.

Shon Harris’ official website logicalsecurity.com offers Free CISSP Preparation Practice Quizzes to prepare for the CISSP exam (you only need to register once, and then you have access to ALL of the practice test quizzes to prepare you for the CISSP exam)

CISSP Related White Papers can be found at this link at the Shon Harris website to learn the material you should know as a security professional

A Free sample CISSP Exam from yasna.com Click on start a new exam and after you finish click on the review. Use it several times.

Here’s another practice test resource with 50 CISSP Practice Test Questions to help you prepare for the exam courtesy of Certgear Systems

Here are 29 CISSP Practice questions courtesy of CCCure.org

Here are 50 Practice CISSP Questions and Answers courtesy of informit.com

Remember to visit the OFFICIAL CISSP Website (ISC)2 where you can find out exactly what you must do to obtain your CISSP certification credentials because there’s more to it than just taking a test. You must have:

  • Some CISSP Domain-related background (experience)
  • Sponsorship by an existing CISSP
  • You should start working on all of this now, don’t wait!
  • You should know and start saving for the cost of the test (it’s not cheap and is one you MUST get right the first time)
  • Interim certification or associate program requirements you can do until you meet full certification requirements

If you don’t have a lot of background in CISSP or IT Security then I recommend also registering and getting free access to several online IT security videos from CBT Nuggets at this link.

Note (disclaimer): I do not necessarily endorse any of these organizations, individuals or links and only provide them as a courtesy to help others have access to resources I’ve come across online. I have no affiliation with any of these resources, and am not responsible for their success, failure, misuse or anything else. Use them, as with anything, at your own risk. I make no guarantees whatsoever as to their quality nor any guarantees they will help you pass the CISSP exam.

Trust But Verify As a Security Strategy 1

Posted by admin | Risk & Trust in Security | Thursday 23 October 2008 4:03 am

What does “trust but verify” mean?

Trust but verify means you allow something to occur or you allow a certain person to have something (instead of disallowing it)…but…because you either don’t trust

  • Human nature in general
  • That person in particular for whatever reason
  • Whatever other bias you may have, right or wrong…

Or you have some info that definitely tells you to follow up and verify versus

  • Blindly refusing to see the need for more security and less risk taking
  • Believing everything you hear
  • Assuming a person won’t repeat mistakes or continue their bad historical track record

…either way you decide to “trust but verify” anyhow…

Ways to Trust but Verify

Trust but verify is done in relation to 2 approaches or factors/considerations

  • Frequency-based
  • Time-based

Sometimes these are close in definition and can be used interchangeably…

You check on it after it occurs or after it was used (time-based verification)

This can be at short, medium or long time intervals, depending on the level of trust you have and the risk you’d want to take in terms of the length of time (time interval) between checks. Time and frequency can go hand in hand; the next type shows how this can happen. However, time-based verification is not inherently dependent on other activities or on the number of times such verifications occur, though it can be.

For instance, a security guard could check the perimeter once an hour, once every two hours or once every 15 minutes. It depends on the likelihood of something bad happening within a certain amount of time and either not being detected, or not being detected in time, within an amount that allows for a response and minimal damage. If the perimeter can be breached in 1 minute rather than 1 hour, then an hourly roving check is not enough, and a constant check is needed, or other measures to achieve better security.

You check on it at certain intervals while it is being used (frequency-based verification)

This can be random, or it can be routine, scheduled or otherwise, based on the level of trust and risk you’d want to take, for how often you risk allowing something to occur. The consequences of such decisions must outweigh the inconvenience, cost or whatever else.

This frequency-based verification is based on your trust in the low risk of a selected interval compared with the damage that could occur if it’s not done right or responsibly and the time it takes to follow up on this.

A good example is a security guard who has to radio in every hour for a radio check. If an hour goes by and there was no radio check, then there would be another security guard or team dispatched to look into this. If the risk increases, the radio check may have to occur every 15 minutes (time based and frequency based are directly related in this one…one goes up, so does the other).
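The radio-check rule just described (an hourly check-in, and a dispatch when one is missed) together with the earlier perimeter rule (an hourly check is useless against a one-minute breach), worked as a small monitor. This is an added example, not code from the original post; the log lines, guard name, grace period and response times are constructed assumptions.

```python
"""Radio-check monitor: missed periodic check-ins as a time-/frequency-based
trust-but-verify control. Added illustration, not code from the original post."""
from datetime import datetime, timedelta

# Constructed sample log (hypothetical, not real data): one guard radioing in
# roughly every hour, with one check-in missing between 00:01 and 02:04.
SAMPLE_LOG = """\
2008-10-23 22:00 checkin guard=A
2008-10-23 23:02 checkin guard=A
2008-10-24 00:01 checkin guard=A
2008-10-24 02:04 checkin guard=A
2008-10-24 03:00 checkin guard=A
2008-10-24 03:05 status guard=A note="all clear"
"""

FMT = "%Y-%m-%d %H:%M"


def parse_checkins(log_text):
    """Return the sorted timestamps of 'checkin' events; other event types are ignored."""
    times = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "checkin":
            times.append(datetime.strptime(f"{parts[0]} {parts[1]}", FMT))
    return sorted(times)


def missed_checkins(checkins, period_start, period_end, interval, grace):
    """Find every stretch of the period in which no check-in arrived within
    interval + grace of the previous one (or of the period start).

    Each returned (earlier, later) pair is a point where the post's follow-up
    applies: a second guard or team should have been dispatched. period_end is
    the end of the shift, or 'now' when evaluating a shift still in progress."""
    limit = interval + grace
    points = [period_start]
    points += [t for t in checkins if period_start <= t <= period_end]
    points.append(period_end)
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > limit]


def worst_case_undetected(interval_min, grace_min, response_min):
    """Longest a problem can go unanswered, in minutes: it starts right after a
    check, the next check is only due one interval (plus grace) later, and the
    response still has to arrive."""
    return interval_min + grace_min + response_min


def check_interval_adequate(interval_min, grace_min, response_min, time_to_harm_min):
    """The post's perimeter rule: an hourly roving check is not enough if the
    perimeter can be breached in a minute. Adequate only if the worst-case
    undetected window is no longer than the time the adversary needs."""
    return worst_case_undetected(interval_min, grace_min, response_min) <= time_to_harm_min


def demo():
    """Evaluate the sample shift with an hourly radio check and 5 minutes of grace.
    Returns the gaps as (from, to, minutes) so the result is easy to inspect."""
    checkins = parse_checkins(SAMPLE_LOG)
    start = datetime(2008, 10, 23, 22, 0)
    end = datetime(2008, 10, 24, 4, 0)
    gaps = missed_checkins(checkins, start, end, timedelta(hours=1), timedelta(minutes=5))
    return [(a.strftime(FMT), b.strftime(FMT), int((b - a).total_seconds() // 60))
            for a, b in gaps]


if __name__ == "__main__":
    for frm, to, minutes in demo():
        print(f"missed check-in: nothing heard from {frm} to {to} ({minutes} min); dispatch")
    # Hourly check with 5 min grace and 10 min response vs a 1-minute breach: inadequate.
    print("hourly check vs 1-minute breach adequate?", check_interval_adequate(60, 5, 10, 1))
    # 15-minute check with 5 min response vs a 30-minute breach: adequate.
    print("15-minute check vs 30-minute breach adequate?", check_interval_adequate(15, 0, 5, 30))
```

Raising the risk level is expressed by shrinking the interval passed to `missed_checkins`, which is the post's point that frequency and time go up together.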

So trust but verify does mean to an extent or level that “there is no trust” but it could be for good reason and may save you doing it this way versus “trust, don’t verify” and get burned or make a mistake you can’t afford to make.

The bottom line with trust but verify as a security model

The bottom line is simply this - how much DO you trust and how much CAN you trust for what you plan on trusting and therefore…how often or when should you verify that is least risky? Example - if you don’t trust your own memory to set your alarm clock for the next morning, do you check it twice, once to see if you set it and once to see if you set it correctly (for am not pm)?

Does it matter if it was checked at 7pm or 8pm for these things? See how frequency-based and time-based checks can differ and come in handy as a trust-but-verify security method for your life and yourself (to keep your tendencies and habits in check using specific actions and controls based on how much you trust or don’t trust yourself)?

Trust But Verify Yourself - You!

We are often our own worst enemy and often need this internal process to trust and verify against ourselves and our own actions (remember the alarm clock example?)! This can apply to many things in our lives and I will show you how more in part 2.
