I’ve been interested in infosec for several years now, and nearly every day I read at least a few infosec articles written by or about the people who I believe are doing the real security work today: Bruce Schneier, Dan Guido, Dino Dai Zovi, Charlie Miller, Moxie Marlinspike, etc. My day job has brought me tangentially in touch with this industry because my company specializes in security compliance (which is a useful, but overemphasized, approach to managing security on a large scale).

So I was quite disheartened to find that I was almost completely unprepared for the CISSP, because the CISSP contains very little real-world security knowledge. For example, in my day job as well as in my personal reading, I have never once encountered a situation where I needed to know the difference between a class A fire  and a class B fire. But there were at least 3 questions on my exam on this topic.

There are over a dozen questions on global compliance standards – not just current standards like COBIT, but also the history of standards such as COSO. The U.S. federal government is already experiencing a compliance crisis, so I have to question the efficacy of memorizing the color of the cover on the compliance manual.

The CISSP does cover a few worthwhile topics, such as the OSI 7 layer model and the TCP/IP 4 layer model. This is knowledge that a CISSP can actually use in day-to-day security. But these few high-points are still overly academic and fail to cover the real-world applicability of these issues. My review book (Shon Harris) is 1,237 pages long, yet it dedicates a scant 1.5 pages to SSL/TLS, which is the most widely used security technology in existence today. The book does put in a decent 7 pages on public key infrastructure (PKI) but fails to make the connection between PKI and SSL, the latter being the most significant usage of PKI in existence today. The combined 8.5 pages on PKI/SSL doesn’t mention anything of the ongoing SSL trust crisis or developing alternatives to the current system.

That the CISSP is divorced from reality is evidenced best by the exam itself. The exam is is conducted with pencil and paper, and grading for results takes – in their words – “4-6 weeks”. (My results came in closer to 3 weeks.) In 2012, the world’s preeminent IT security certification should not be paper-based. That is insane! (As a point of reference, my girlfriend recently took a nursing board exam that was entirely computer-based and was graded instantly after the exam was completed. She left with a copy of her passing score in hand.)

At the outset, I mentioned the names of 5 security researchers whom I highly respect. 0 of those 5 are CISSPs.

All of this brings me back to my original question: does the CISSP provide value for individuals, companies, or society?

Individuals: You may learn quite a bit by taking this exam, but it won’t teach you much practical knowledge. If practical knowledge is your goal, then this certification is not for you.

What about the career benefits, then? For individuals taking the exam, the CISSP may be beneficial, but the cost and overhead of the exam are considerable. The exam itself costs $550. Annual maintenance requires $85. CISSP training courses range between $3000 and $5000. The CISSP requires perhaps 100 hours of study as well as 40 hours of CPEs each year to maintain it. At $45 hour (a reasonable salary with benefits for an IT professional living in an urban market), that’s $4,500 opportunity cost spent on studying and another $1,800 per year on maintenance.

In order to break even on this certification over the next 5 years, a CISSP will need to earn an additional $2,800-$3,800 per year. If you have no prior qualifications for infosec work, this may be a feasible salary increase. But if you already have other credentials (experience or a degree), then the CISSP is difficult to cost-justify.

Companies: I don’t understand why companies are so keen on hiring CISSPs. I have worked with some CISSPs who were smart and savvy, and some CISSPs that could barely operate a computer. From my vantage point, the CISSP has absolutely no correlation with solid computer skills and knowledge. If companies are paying top dollar for CISSPs or – even worse – disqualifying solid candidates that are not CISSPs, then the CISSP is actually costing those companies lots of money.

Society: It may sound cheesy to ask if the CISSP benefits society, but I believe it’s fair game because the CISSP code of ethics explicitly requires us to:

Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

That’s deep… But does the CISSP live up to the standard that it sets out for its members?

Ultimately, I believe that it does not. The CISSP is a distraction. Candidates who obtain this certification may be misled into thinking that they possess useful knowledge as a result. Unfortunately, these same candidates will become the information security officers (ISO or ISSO) across the private sector and in government, and their warped understanding of information security will shade their opinions and agendas. (Perhaps this is one reason why the federal government is so concerned with compliance and so averse to penetration testing?)

My Gmail Inbox

My inbox showed a bunch of emails that appear to be from my account (“me” in the left column) and sent with no subject line between 3:36 AM and 3:40 AM. I was definitely not awake at that time, and I was definitely not sending e-mails.

I opened up one of these e-mails to see what the content was.

Example Message

What is this?

It’s a spam e-mail – sent from my account – to a number of people in my address book. Each of the other messages (15-20 in all) were similar except sent to other people in my address book. Each message contains a link to a web site that sells cheap pharmaceuticals, such as Viagra.

I had also received e-mail from people who were up earlier than myself and had written back to let me know that something weird was happening with my account.

What happened?

If you’ve ever been a victim of a scheme like this, you know that the feeling is similar to having your car or house broken into. You probably feel insecure, violated, and (in my case) angry.

In addition, my geek curiosity made me wonder how this possibly could have happened. I looked at the following evidence:

• These e-mails had my name and my e-mail address in the From: field.
  • This means the person who did this was either logged into my account, or else was good at forging e-mails to appear as if they were coming from my account.
• These e-mails were sent to people in my personal address book.
  • This is more evidence that the person was logged into my account.

Neither of these points is conclusive. It is possible to forge e-mails, and it is also possible to guess somebody’s address book contacts based on publicly available information, such as what company you work at, who your Facebook friends are, etc.

Luckily, I am using Gmail, and Google provides a really easy way to see if somebody other than me logged into my account. At the bottom of Gmail, there is a little link that lets your view your login history. Here’s a picture of it, with a bright red arrow added since it’s so small you might miss it.

The Gmail Login History Link

You see it? It’s called Details. That link will show you when you logged in and where you logged in from.

When I clicked that link this morning, it showed me the following information:

My Login History Immediately After The Incident

The smoking gun is highlighted in light blue towards the middle. Somebody logged into my Gmail account from Slovakia at 3:52 AM.

I’ve never been to Slovakia. I don’t know anybody in Slovakia. I can not even point out Slovakia on a map. So now I know for certain that my account was definitely broken into.

How did they get my password?

I will never know how my password was stolen, but I can conjecture.

The average internet user will use the same username and password on multiple sites. This is a really bad idea, but people do it anyway. Some do not know better, and others [myself included] just get lazy. I have at least 150 separate user accounts on the websites that I visit. Remembering which password works with which site is hard, but if I use the same password for multiple accounts then it gets easier.

If I use my Gmail password on another website — let’s call it “W” — then anybody who knows my W password also knows my Gmail password. A bad guy might be able to figure out my W password in several different ways. (This list is roughly in order of the actual likelihood of any of these things actually happening. I.e., #1 is very common, while #4 is less common.)

• W may be a shill: a fake site set up to look like a real site, except when I try to log in there is no real site there, just a bad guy collecting user names and passwords.
• Bad guy may be an employee at W, and when nobody is looking he steals the password file.
• W may have a security vulnerability on their website, and bad guy is able to use that vulnerability to break in and steal their password file.
• Bad guy can eavesdrop on my internet connection, and if W does not use encryption, bad guy will able to see what my password is.

In any case, by re-using my password, I have let W’s bad security leak out into my other online accounts. This could be avoided very simply by using a different password on every single website.

Let me repeat: using a different password for each of your accounts means that if anybody steals an account password, you are limiting the damage to that one account and not letting it spread to your other accounts.

What should I do?

The irony of this story is that part of my job is to teach classes on how federal agencies respond to security incidents like this. The government requires security personnel to have a plan in place so that they can act quickly and with confidence. I, however, panicked and did not know what to do.

I didn’t have a plan in place, but in the aftermath of this incident, I put together an easy plan for handling a break in like this.

1. Change your password immediately.
2. Look at your login history to determine if and when somebody else logged into your account.
3. Gmail is capable of telling you if another person is currently logged into your account. If you see that the attacker is logged into your account right now, Gmail has a button to force them out. (Look at my login history screenshot above.)
4. Review your sent mail folder to see what content was sent out. Verify that nothing private or sensitive was sent to any of your contacts.
5. Send a message to the people in your address book to explain to them what happened. Ask them to delete the spam message and not to click on the link contained in the message.

So that’s what to do after something bad happens. Ideally you would never need to do that if you took good precautions. So here are some recommendations on how to avoid this type of break in.

1. Use good passwords: totally random; mixed case; letters, numbers and special characters; at least 10 letters long and ideally up to 50 letters long. (You can use a tool like this to help you come up with truly random passwords.)
2. Never use the same password for two different accounts.
3. Don’t use Internet Explorer ever, for any reason. Use Firefox, Chrome, or Safari.
4. Set up your computer to automatically install software updates on a daily basis.
5. If you use Windows, install both Anti-virus and Anti-spyware programs on your computer. Set them up to run every night while you’re sleeping, and set them up to automatically update themselves.

Remembering a bunch of really long, random passwords is impossible. I suggest you use a password manager to keep them straight. I personally use a commercial password manager for the Mac called 1Password. (I use it for all of my bank accounts. If I was using it for my Gmail account then this whole problem would have been avoided.) There is also a web-based password manager called Last Pass. And you can find many, many more by searching on Google.

Conclusion

Hopefully somebody will find this story informative and will change their own habits to better protect themselves. I intend to continue writing [shorter] articles on various topics that affect average, non-technical users, such as spyware, viruses, etc. If you have any questions in particular, please leave a comment or send me an e-mail.

Here’s how to do this on a Mac. (It’s a little tricky if you’re not used to used to running commands from the command line, but this is completely do-able if you follow the instructions carefully.)

Instructions

1. Run the “Terminal” program. (It’s in Applications, then Utilities.)

2. Type the following exactly and press Return: “EDITOR=nano crontab -e”

3. You should see a black bar across the top that says “GNU nano” in the top left.

4. Type the following and press Return: “45 9 * * 1-5 open http//www.marketwatch.com/myportfolio”

If you make any mistakes, you can use arrow keys and the delete key to fix it, but you won’t be able to edit using your mouse.

When you’ve got it right, press Control+o (that’s “o” as in “oscar”), then press Return, then press Control+x. You should see a mesage that says “installing new crontab”. If you see anything else, then something went wrong. Try repeating the steps above.

Variations

The example I showed will open the MarketWatch site every week day at 9:45. You can change the time by changing the 9 and the 45 in the example. You can also change the website address in the example to suit your own needs. If you really want to do something crazy, you’ll need to learn more about the program being used here, which is called cron.