Engadget has a very helpful video – How-to: run Chrome OS as a virtual machine. The image they’ve used is from gdgt.

Another useful how to is at TechCrunch – Want To Try Out Google Chrome OS For Yourself? Here’s How. They’re running this Chrome image (downloaded from torrent) on Sun VirtualBox.

First I tried the image from gdgt on my Vmware Fusion, it booted ok but couldn’t detect the network and was impossible to login.

I then downloaded the image from torrent (used by TechCrunch), which detected the network but strangely didn’t let me login with my google account. I did create a new google account just to try this and to be on a safer side. After reading the comments on torrent site, I figured that you can login with user “mark” and password “chromeos”. Boom… that let me in!

The first impression after few minutes of mocking around was that this wasn’t anywhere like the one demoed by Google guys. No app menu and panels. It was just like a chrome browser in virtual machine. But after playing for a while and googling around. I figured that “Ctrl Alt t” takes you to the terminal – you can sudo with the same password “chromeos”.

After rebooting the Chrome OS from command line and re-logging in, the App Menu became available.

I could start the sshd

And remote login from my Mac

Personally, I think Chrome is trying to bring thin clients back in from of netbooks. Thin clients failed earlier because the networks were slow and “cloud” wasn’t there. But Chrome stands a chance as cloud is the future and it’s built with three very important goals in mind – Security, Speed and Reliability. Having said that, native softwares are absolutely must for it to succeed. Even iPhones need native apps!

As far as user experience is concerned, at the moment Chrome OS is nothing but a browser. If you want to experience the early Chrome OS – just install Chrome browser and browse your favorite sites . I’m sure this is going to change when Chrome OS is finally released for public next year.

First briefly about the company – Sourcerfire was founded by the author of Snort (an open source network intrusion prevention and detection system). Snort is the most popular and widely deployed IDS/IPS and has become the de facto standard for the industry.

So, why do we need Sourcefire (very expensive) if Snort is the best and free?

Right, Snort is the best and free out there but it’s implementation, management and maintenance is not a piece of cake for everyone; that’s where sourcefire comes into play. Sourcefire uses snort at it’s heart to utilize it’s powerful IDS/IPS techonology, with added benefit of plug-n-protect simplicity (the purpose-built appliance is easy to install, maintain and manage), and it comes with tons of extra features that make it very powerful. Sourcefire adds an Adaptive IPS and Enterprise Threat Management (ETM) on top of the Snort IPS. It is managed via user-friendly and intuitive web interface, of course you can always do your advanced config from the shell because it’s a snort installed in a linux box anyway.

Components of Sourcefire 3D System

Sourcefire 3D System is comprised of two appliances (Sourcefire Defense Center and Sourcefire 3D Sensor).

Sourcefire Defense Center (DC) is a centralized management console to manage the sensors, centralized event aggregation and sensor policy administration.

Sourcefire 3D Sensors are purpose-built network security appliances that passively aggregate network and user intelligence while defending the network against internal and external threats.

3D Sensor Modules

Each Sourcefire 3D Sensor is capable of running any combination of the following four software components (you need to buy them separately):

Sourcefire IPS (Intrusion Prevention System) it’s the mighty snort running in background, where you can use rules-based detection engine and utilize the acclaimed Vulnerability Research Team (VRT) to protect your network. The IPS component is included in the base system.

Sourcefire RNA (Real-time Network Awareness) passively monitors real-time network traffic and gathers network intelligence, it can detect operating systems, services, applications, protocols, and potential vulnerabilities that exist on your network. This is a very useful component of Sourcefire but you’ll need to buy the RNA license separately.

Sourcefire RUA (Real-time User Awareness) helps to identify the user identity and contact information, it pairs Active Directory and LDAP usernames with host IP addresses involved in security and compliance events. You’ll need to buy the RUA license separately.

Sourcefire NetFlow Analysis is an optional component of Sourcefire’s Network Behavior Analysis (NBA) solution. It gives additional insight to network threats by aggregating and analyzing NetFlow from routers and switches.

Sourcefire 3D System deployment with Master Defense Center

OK that was about sourcefire. Here’s how you go about getting certified.

Training Course

Sourcefire offers several instructor-led classroom training for Sourcfire 3D systems, out of which SF3D 360 Bundle is the one I took.

Sourcefire 3D™ 360 Bundle Includes:

• Instructor-led Training Sourcefire 3D™ (4 days)
• Sourcefire Certified Professional (SFCP) Certification Exam
• Sourcefire Guarantees
• CPE Credits 32 (for CISSPs)

Course Outline

• Sourcefire 3D System Sensor Deployment and Communications Architecture
• Sourcefire 3D System Overview & Product Installation
• Interface Navigation and Dashboard views
• Sensor Configuration and Management with the Defense Center
• Configuring Interface Sets and Detection Engines
• Administration, Maintenance and System Policy
• System Health Monitoring and Alerting
• Real-time User Awareness
• Adaptive Profiles
• User Account Management
• IPS & RNA Detection Policy Configuration
• Compliance Policy, White Lists and Host Attributes
• Event Analysis and Reporting
• End-Point Intelligence
• Flow Data Analysis and Network Profiling
• Nmap and Nessus Scanning
• Basic Rule Structure and Syntax
• IPS Features and Configuration
• Trouble Shooting and Behind-The-GUI Navigation and Architecture

Certification Exam

The following products and skill areas are assessed through this process:

• Intrusion Management System
• Intrusion Sensors
• Defense Center
• RNA Sensor
• Installation and Deployment
• Administration and Management
• Policy Configuration and Management
• Policy Non-compliance and Remediation
• User Administration and Management
• Reporting Creation and Management
• Effective and Performance Oriented Rule Writing

The certification exam itself consists of 200 multiple choice questions, which you’ll have to complete within 4 hours. Passing score is 75%, you’ll immediately know whether you pass or fail and if you pass the exam certificates are available online for you to print.

I found the instructor-led course very helpful. I have worked with snort before but this was my first introduction to Sourcerfire. After the 4 day course, you’ll have 60 days to prepare and take the exam. Every student is given a second attempt if a passing grade of 75% or better is not achieved on the first attempt.

To prepare for the exam, I went through the training material (page by page) one more time. I also had an access to sourcefire boxes installed in our office lab so, it was very useful. It’s an open book exam, you’ll have slightly more than a minute to answer each question, so you won’t have enough time to go through your materials during the exams. You’ll need to know your stuff to pass it, but having an access to sourcefire box at the time of exam will be very handy (for the user interface questions).

I’ve installed and tested it in my WinXP SP2 running on my MacBook Pro Vmware Fusion, and this is what I found.

Installation and usage
The installation is easy and straightforward. You just need to follow the on screen instruction. You’ll require: a domain administrator account, a smtp server address to send alerts via email and have to choose either Microsoft Access or MS SQL Server for the back-end database.

Scanning, Reporting and Patching
The user interface is intuitive and easy to use. After the scanning is completed, it gives a nice report of the scan (you can choose to scan a single computer, group or the whole network). In the first scan it let me know that my Office and Windows need some critical patches. If you expand each vulnerabilities then it’ll give the Microsoft ID, download link and the patch release date. You can apply the patch or choose to ignore it by right clicking on it. There’s a handy feature to mass deploy the Microsoft updates on selected computers or all computers in the network. Other notable features in patch deployment are:

- Custom Software deployment
- Uninstallation of Microsoft updates
- Detailed Patch Deployment log

Besides the vulnerabilities the scan reports on open tcp/udp ports, open shares, installed applications, password policies, groups and users (with their privilege, last logon and password age).

You can buy an extra ReportPack to create vulnerabilities scanning reports and system information reports for your managers and bosses. I think it would have been great to have this reporting built in to NSS.

Useful Tools
GFI LANguard NSS comes with very handy tools that a network/security admin uses every day

Conclusion
I’ve tried the GFI LANguard N.S.S 8 for few days and think that it is a very useful tool for network and security administrators. I liked the fact that it has all three useful tools i.e. network vulnerability scanning, patch management and auditing integrated into one. It’s also easy to use and manage. The lack of built-in ReportPack is the only down side of it. Here, I’ve just scratched few features of the product, if you’re interested you can try it for free with 30 days evaluation version before buying it.

Update: GFI have now included the ReportPack for free with GFI LANguard N.S.S. and all other ReportPack-powered software titles on top of the 45% price cut.

We’ve all watched/read so much about the iphone and it’s coolness that expectations were quite high. And I’ve to say that I was not disappointed. It’s really cool, slim and gorgeous. Most of the things work perfect. I think the keyboard is not an issue.

iPhone was launched today at 6:02pm in UK and could be bought in Apple Stores, O2 stores or Carphone Warehouse stores. You’ll have to sign 18 months contract with O2, which is the exclusive carrier in UK.

There’s one Carphone Warehouse store few blocks away from my house, so I went to check out at 6pm. Surprisingly there were just around 20 people queuing up. The store opened at 6:02 and everybody was let in. But there was a problem with carphone warehouse’s payment system. I’m not sure if the system was flooded by iPhone transaction or other technical issues. Anyway, it took more than half an hour just for the payment authorization. I was the first one to walk out of that store with the iPhone. They authorized the payment manually, bypassing the chip and pin (security system in UK’s bank cards).

Activating iPhone with iTunes was a smooth and painless process. I am currently using Vodafone, and got the PAC code from them few days ago. PAC code is a special code to transfer your mobile number from one provider to another. My existing mobile number will be automatically transferred to my iPhone after 7 days, until then O2 has assigned me a temporary number. That was clever.

Played with most of its features, made several calls (quality is quite good) and tested the visual voice mail (which should be very useful). Synced my address book, music, podcasts, some photos and videos. iPod is excellent. Gmail and IMAP mails are easy to configure and work without any problem. Photos are very cool, flipping them, zooming in/out, resizing was fun. Google Maps will be very useful for me finding places in London, it loads pretty fast even on EDGE Network.

Only problems are the Wi-Fi connection and YouTube. I use a 128bit WEP HEX Key at home and couldn’t establish connection with my Access Point. Quick Google gave me this (seems to be a known issue) but using $ in front doesn’t solve the problem for me. For the YouTube Videos It says that it requires an EDGE or Wi-Fi connection.

I think these two problems can be fixed easily.

I’m just having a good time playing with it. You’ve to hold it and use it to really appreciate it. It was a nice Deepawali gift for myself!

ntop is a tool that shows network traffic usage. It is based on libpcap and when installed in a place where it can capture network traffic (hub or a mirrored port of a switch), it logs and reports information concerning IP and Fibre Channel traffic generated by each host in the network. ntop has a very rich and user-friendly web interface for reporting.

This is what ntop can do for you:

* Sort network traffic according to many protocols
* Show network traffic sorted according to various criteria
* Display traffic statistics
* Store on disk persistent traffic statistics in RRD format
* Identify the indentity (e.g. email address) of computer users
* Passively (i.e. withou sending probe packets) identify the host OS
* Show IP traffic distribution among the various protocols
* Analyse IP traffic and sort it according to the source/destination
* Display IP Traffic Subnet matrix (who’s talking to who?)
* Report IP protocol usage sorted by protocol type
* Act as a NetFlow/sFlow collector for flows generated by routers (e.g. Cisco and Juniper) or switches (e.g. Foundry Networks)
* Produce RMON-like network traffic statistics

Installation
ntop is available for Linux/Unix, Windows and Mac OSX. Windows demo version with limited packet capability is freely available for download. If you want to use the Windows version on production environment, you either need to compile it by yourself or buy a binary version with updates and support. But Linux/Unix and Mac versions are freely available, both source and binary.

Installation of ntop is pretty straight forward, here I’m going to demonstrate a binary rpm installation in CentOS 5.x. We’ll use RPMForge repository for ntop installation, so first we need to upgrade our rpm to rpmforge.

Download the rpm and upgrade it.

# rpm -Uhv rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Install the dependencies

#yum install glib libpcap

Install ntop

# yum install ntop

Edit the config file /etc/ntop.conf, and comment out the setting to run in daemon mode

Change –daemon to # –daemon

Set to the network interface that you use for sniffing data

–interface eth1

Comment out the option for port 3001 for SSL

Change #–https-server 3001 to –https-server 3001

Run the ntop to set your password

# /usr/bin/ntop @/etc/ntop.conf -A

Edit the config file /etc/ntop.conf and set back to daemon mode

Change #–daemon to –daemon

Use chkconfig to make the service start on every reboot

# chkconfig ntop on

Start the service.

# service ntop start

That’s it, now you can use your web browser to access the ntop web interface. It has a lot of user-friendly reporting and admin options. Here’re few screenshots from the web interface of ntop.

Browse https://ip_address:3001 and you’ll see the Global Traffic Statics

Network Load Statics displays the network traffic history: last 10 minutes, last hour, current day and last month.

Active TCP/UDP session shows which client in the network is connected to which server, the information includes source/destination ip address/port numbers and duration of the connection.

Local Matrix, shows the amount of data exchanged between hosts in the local subnet.

Network Traffic All Protocols/All Hosts displays the amount of data sent/received by each local and remote hosts. After reviewing the data usage we can zoom in to the individual hosts for more detail.

The details of a single host, includes almost every detail you would like to know about this host.

* User enters pass-phrase to begin using the system. Browser retains the pass-phrase as a global variable.
* User requests a list of all data belonging to him.
* For each record, the system stores the associated user ID in plain-text, the record ID in plain form, and the record content only in encrypted form. (The message content is one or more database columns, each encrypted.) Thus, system is able to return a list of record IDs for this user.
* User selects one of the record IDs.
* System checks that this user ID is associated with the record ID, and returns the corresponding message content.
* Browser uses stored pass-phrase to decrypt the contents.

Ok, with that background if you’re ready to store your sensitive information online, here are few choices for you.

Halfnote
Halfnote is a very simple and secure notepad. Easy to register — provide your email address, choose a password, and you’re done. A simple blank notepad is presented, where you can write your secret passwords or documents. It’s very fast and the information is auto-saved as you type. The information you send is encrypted with your pass-phrase but it lacks SSL protection, which could have provided extra security by encrypting the session information.

Passlet
Passlet is a typical online password manager, currently in beta. It has an easy to input entry from where you can input: Title, Username, Password, and Notes. It encrypts the data by deriving 128-bit AES key from your master password. The key derivation is completely performed within the browser. In addition to secure data, Passlet uses SSL for session encryption, we can be sure of connecting to Passlet server by viewing the SSL Certificate.

eSecureKey
eSecureKey is another online password manager, currently in beta. It has a Portlet, which can be accessed with a Secure Key. This Secure Key is different from your login password, and is never transmitted to the server. This is the key used to encode and decode data. The portlet lists the existing entries and allows to add new information with tags for easy listing and searching. eSecureKey sends encrypted data to the server but lacks SSL for the session encryption.

PassPack
PassPack is currently in beta. It uses Packing Key to pack/unpack (encrypt/decrypt) data, which is all done in client side, inside the browser, no keys are sent to the server. It uses AES encryption and special security techniques, like disposable logins, which can be created in advance. Disposable logins are good for one time login only. This is useful when you access your data using a public computer. PassPack has taken the fight against phishing to a new level by allowing users to setup their custom Greeting Message after login, and ip address restriction, where users can choose to allow only certain ip address to have login access. PassPack uses SSL to encrypt session data as well. Other useful features in PassPack are import/export from/to a csv file. You can make an encrypted backup of your secret data using the packing key, and the restoration from the backup file is very easy too.

Clipperz
Clipperz uses local encryption within the browser so, your data is safe like all other online password managers. But Clipperz has some useful features that other online password managers lack. For example, it has a cool feature called direct login, which allows to quickly create a “direct login” link: just one click to authenticate and access the online service without typing any username and password. Another good feature is offline copy, which allows users to dump their encrypted data from Clipperz servers to a local hard disk or USB drive and create a read-only version of Clipperz to be used when there’s no internet connection available. Clipperz is currently available in English, Japanese and Chinese. It stores the passwords and other confidential data in predefined templates called cards. Clipperz has several predefined templates for storing websites, banking, credit card, address book and custom card. There’re some new features coming soon, among them Import and Sharing should be very useful.

Conclusion
I think online password managers are handy and secure enough to store the username/passwords of many websites that we visit on daily basis like, digg, delicious, flicker, etc …. but for myself, I wouldn’t store critical secrets and financial data online yet! If you’re a system admin you might want to check KeePass that works across all platforms. Having said that, if you’re ready to take a plunge into online password managers then technology is ready and there’re excellent choices available. So, if you love simplicity, Halfnote is for you, if you want cool features like direct login or multiple language support, then go for Clipprez, if you want extra security like disposable logins and phishing protection go for PassPack.

Currently Cisco is the leader in Networking market, and Linux, the leader in Server market. So, if you want to test your complex (or not so complex) network configurations before buying any actual linux servers or the very expensive cisco routers, then you can use Dynamips to simulate Cisco Router/Switch and VNUML (Virtual Network User Mode Linux) to simulate your linux servers/routers. Both Dynamips and VNUML are open source and free.

Dynamips

Dynamips is a Cisco router emulator. It’s different from other router simulators in a sense that it doesn’t try to simulate the cisco IOS but loads and runs the real Cisco IOS. The software simulates the cisco router’s hardware, which then becomes capable of booting real cisco IOS. The goals of Dynamips are:

*To be used as a training platform, with software used in real world. It would allow people to become more familiar with Cisco devices, Cisco being the world leader in networking technologies ;
*Test and experiment the numerous and powerful features of Cisco IOS ;
* Check quickly configurations to be deployed later on real routers.

If you want to use Dynamips, then it’s recommended to be used together with Dynagen, which is an user-friendly front-end for the Dynamips cisco router emulator. It uses a simple INI like configuration file to define the routers, switches and networks. You can download Dynagen for Linux, Windows or OS X (the package already includes Dynamips). The Dynagen installation includes very useful Tutorial and sample labs.

Dynamips loading Cisco IOS

VNUML

VNUML is a virtualization tool based on User Mode Linux virtualization software, initially developed to simulate IPv6 scenarios based on Linux and zebra routing daemon. It’s also a very useful tool in simulating general Linux based network scenarios.

VNUML is aimed to help in testing network applications and services over complex testbeds made of several nodes (even tens) and networks inside one Linux machine, without involving the investment and management complexity needed to create it using real equipment.

To use VNUML tool you need VNUML language for describing simulations in XML, and an interpreter of the language (vnumlparser.pl), that builds and manages the simulation, hiding all UML complex details to the user. It is available in package format for .deb based Linux distributions like Debian, Ubuntu, and in source format for other distributions. VNUML Live DVD makes it possible to try VNUML without installing anything into your computer. Here are some useful documentaions: Installation guide, Tutorial and Example Scenarios. This VNUML and Dynamips/Dynagen mixed scenario is quite interesting because it simulates cisco router using Dynamips/Dynagen and Linux Servers using VNUML.

Simple VNUML Description

Let me give you a general idea about this certification. CISSP is a security certification carried out by (ISC)², which is a globally recognized, vendor neutral organization for certifying information security professionals. To pass the CISSP exam you’ll have to be competent in 10 Domains of the Common Body of Knowledge (CBK):

• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security

To qualify to sit for the exams you need to:

Subscribe to the (ISC)² Code of Ethics.
Have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK® or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP® CBK® with a college degree. Additionally, a Master’s Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement.

Update: Effective 1 October 2007, professional work experience requirements for the CISSP will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP CBK domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP, or SSCP exam to have their qualifications endorsed by another (ISC)² credential holder. These changes will not affect those who sit for an examination on or before 30 September 2007. For more information, please refer to the Experience Requirement Change FAQs.

The exam itself is 6 hours long, with 250 questions based on the 10 domains. 25 out of 250 questions are for research, but you’ll have to answer all of them, and there’s no way of knowing which one is which. So, 225 questions will be scored, and you’ll have to get 700 out of a possible 1000 points on the grading scale to pass. Different questions carry different weight (marks) and there’s no way to know which question carries how much marks. As of writing this, the exam costs US$ 499 if you register 16 days ahead of exam date or US$ 599 if you register later.

My Recommendation

The best book you can buy for your preparation is CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris. The most helpful place, with a lot of useful resources is CCCure.org web site. You can ask questions on the Forum or search for anything that you want to know about the exam. The forum is very lively, with a lot of CISSPs replying to your queries promptly. The Quizzer is another valuable tool to check yourself on where you stand, before starting the preparation and taking the exam. The quiz gives you a general idea about which domains or topics you’re weak in, this way you can devote more time to strengthen you weak areas. If you’re taking a self study route, you should view the flash based Exam Introduction and Overview by Clement, which provides a thorough overview of the CISSP Exam, with tips on how to prepare, how to study, what resources to use, and a whole lot more. I found it extremely useful.

How I prepared for the Exam

I chose a self study route, and devoted around 2 months for the preparation. Locked myself in and had very little to no time for the family, I’d told them what I was up to, both my wife and son were very supporting. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours for preparation. The last week before exam, I took leave from work and dedicated around 12 hours straight everyday for 7 days. To cope with the physical and mental tensions I did 45 minutes yoga in the morning and 20 minutes meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of studies. Even with these precautions, there’re times when mind goes wild and body aches like hell .

Because of my experience at work and previous studies, I was already familiar with most of the topics in Telecommunications and Networking, Cryptography, Operations Security, and Security Architecture and Design. I was ok with remaining domains but the Physical Security and Legal, Regulations, Compliance and Investigations were quite new to me.

My Study Materials
1. CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris
2. Mike Meyers’ CISSP(R) Certification Passport by Shon Harris
3. CCCure.Org (Quiz, Forum, and Summarized Concept)

Phase 1 (approx. 20 days)
I read CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris page by page first, then took the practice questions at the end of each chapter to see how I retained the material. As I was progressing, I had a feeling that I was forgetting the earlier chapters.

Phase 2 (1 day)
Took 250 questions quiz from CCCure Quizzer (select all 10 domains, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). The results of the quiz gave me a clear indication on which domain I was weak. I saved the results in Google Docs, so that I would be able to refer back to it later. I scored 76%.

Phase 3 (approx. 15 days)
Based on the results of the quiz, I prioritized to review the domains, starting with the one that I scored least. In this phase I read All-in-One book page by page for the second time, and after completing each chapter I took the CCCure Quizzer, 100 questions (select only one domain, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). The results suggested me which topics I needed to review within each domain. I saved each quiz results in Google Docs, so that I would be able to refer back to it later. I was scoring over 80% in each of the 10 domains.

Phase 4 (approx. 10 days)
For each domain I reviewed the questions and answers that I got incorrect. I narrowed down my preparation and zoomed down to the individual topics from the incorrect answers. After revising all the topics across all 10 domains that needed attention, I took the same quiz, 100 questions (select only one domain, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). By now I was scoring above 90% in each of the 10 domains.

Phase 5 (approx. 15 days)
The CD included in All-in-One book has a Total Tester Software with a lot of questions (60 to 100+ per domain). Took test for each domain. After taking the test from CD, read All-in-One book for the third time, but this time I just read the headings, subheadings, flipping, and skipping the pages, only stopped to read the topics which pulled my attention. When there were 2 days left for the exam, I started reading Mike Meyers’ CISSP(R) Certification Passport, it’s a very well summarized book which contains most of the concepts necessary for the exams. I highly recommend this book at the end of your preparation. On the last night before I went to bed I read the study guide (cram) that was produced by Michael Overley and improved by Jane E. Murley.

The Exam day

I was quite satisfied with my overall preparation, but that couldn’t help me with the anxiety and anticipation. I’d read a lot of horror stories at CCCure Forum about the exam questions. I went to bed early the night before exam, but found it quite difficult to fall asleep, anyway got around 5 hours of sleep. Woke up early on the exam day, did 45 minutes yoga, and had a heavy breakfast. I went to the exam center with some energy bars, a bottle of water, a pack of HB No. 2 pencils, a sharpener and an eraser. 2 pencils are provided by the ISC2 but aren’t that good, so I highly recommend you to take your own pencil, eraser and sharpener. I had brought a jacket with me and put it on throughout the exam. It was quite cold. You should be prepared for warm or cold condition.

The exam was physical, mental as well as English test. After 3 hours of sitting, my neck was like one big knot. I ate one energy bar, around half a liter of water, and went to toilet twice. Some questions didn’t make any sense at all.

If I had to break the questions, it would be something like this:

• Around 5% were straight forward. One line question and very obvious answer.
• 20 – 25% of the questions were very tricky, not difficult but needed to watch the keywords like NOT, WORST, BEST, etc. The practice quiz helped me a lot on watching the keywords.
• 20% either didn’t make any sense to me in English or were like questions from another subject. Maybe they were the research questions.
• 50 to 60% of the questions were similar to the CCCure quiz and All-in-One CD questions. They were just similar in construction and difficulty, but none were exactly the same.

All 100% of the 250 questions were the ones I saw for the first time. I’d never seen any of those questions in the quiz or practice questions. I circled the answers to my first 125 questions in the question booklet in around 2 hours. Then I copied (marked) those answers to the answer sheet, which took around half an hour. After that I started marking the answers directly to the answer sheet. I think marking directly to the answer sheet is a better idea, it’ll save you some time. It took me 5 hours to finish all 250 questions. Initially I’d put a question mark in the question booklet at those questions which I was not sure of. So, came back and reviewed the answers of those not-sure questions, ended up changing 8 answers. I didn’t have time to review all the questions, and may be that was a good thing . I was quite sure that I got around 50 to 60% correct, but came out exhausted, and was not sure if I would pass.

Post Exam

The wait after the exam is even worse than the preparation or taking the exam. In some cases the results are emailed as early as 5 days. So, after 5 days I kept on checking my email every few minutes, hoping to see the results. Also visited the Forum to see if anyone would post anything about the exam in Hong Kong on 22 April. Finally the results came in, exactly after 10 days, I opened the email and saw the word Congratulations!, That’s it. I felt like I’d let go of 100 pound weight from my shoulder, and felt as if my body had melted on the chair I was seating. A very pleasant feeling followed and I thought the time, effort and money spent were worth it.

After getting the results you need to get an endorser to sign the endorsement form and send it to ISC2 together with your resume. The endorser must be either one of the certificates holder, such as CISSP, GIAC, MCSE, MCDBA, CISM, CISA or company’s CEO, CIO, Managing Director, Executive Director or Managing Partner. I’ve already sent the signed endorsement with my resume and am now waiting for the official certificate.

Conclusions

The CISSP Exam is all about concepts. If you know the concepts well, you can pass, but don’t underestimate it, there’re a hell lot of concepts to remember. I think you need to have some experience in the field, otherwise it would be too difficult to just study and remember the concepts. Make a study plan and follow it. Read each and every page of the All-in-One book. Do as many as possible practice questions and quiz as you can. The preparation and exam both are physical as well as mental challenges so, take care of your body and mind too.

1. You register an account in OpenDNS site.
2. Login to your account.
3. Change your DNS Setting pointing to OpenDNS Servers.

That’s it, you’re good to go. The only difference from your normal environment is that now you’re using the OpenDNS DNS Servers.

The Advantages of using OpenDNS Server

You’ll be protected from Phishing attacks because OpenDNS keeps the database of phishing sites, so it can identify and stop sites trying to phish (cheat or trick) you. It claims to be faster than your ISPs DNS with large cache but I didn’t notice any change in my browsing speed after the change, but this could definitely be an advantage if your ISPs DNS is slow. It can correct the typos for you. For example, if you type nirlog.cmo instead of nirlog.com, it’ll correct your mistake and point you to the right site. The latest feature called Shortcuts allows you to type something easy-to-remember into your address bar for those web sites you visit often. For example, I can just type short “gmail” to visit Gmail, instead of typing the full url “http://www.gmail.com/“. This, I think is a very handy feature. Network admins can configure the full office networks too.

You can map short names for your favorite web sites

The Down side of using OpenDNS Server

You need to be always logged in to the Open DNS web site to use the service. They make money from the advertisement. It works like this, when there’s a typo OpenDNS cannot fix, it’ll redirect you to a yahoo search result with advertisement. I think that’s ok, but in some cases they’ll redirect you to a site that’s nothing to do with the web site you intended to visit. For example if you type http://nirlog.cm then it’ll redirect you to http://agoga.com/. It’s clearly not the site I intended to visit, the best thing OpenDNS could have done is to redirect to nirlog.com since there’s no nirlog.cm or at least it could have redirected to an organic search in Yahoo, the search engine they’re using. So, I think OpenDNS’s decision on what’s a typo, what’s wrong and right could be questionable. Actually the redirection has nothing to do with OpenDNS, it’s due to registrar for Cameroon, who has created parked pages with Agoga for every unregistered .cm domain.

When I typed http://nirlog.cm it redirected me to http://agoga.com

I think OpenDNS has a clear advantage over your ISPs DNS, with it’s phishing protection and speed in some cases. The shortcut is a very handy feature too. So for my personal machine I’ll keep the OpenDNS setting.

Update: John Roberts from OpenDNS has cleared the point about .cm domain in his comment, apparently registrar for Cameroon has created parked pages with Agoga for every unregistered .cm domain. So, it has nothing to do with OpenDNS. And also if you’ve setup OpenDNS on your networks, then you don’t need to login to the web site.

The email protocol (SMTP) was designed at a time when very few people were using emails and everyone basically knew each other. So, security was not a concern, but today the world has changed and that trust isn’t there anymore, but the SMTP protocol we’re using remains the same.

So, how is today’s technology dealing with this problem?

If it comes to your Inbox it’s your problem

This is the approach taken by most of the ISPs and small companies who cannot afford the cost of extra security or simply think that it’s end users problem. So, you and I receive emails with viruses, spams and phishing traps. We’re on our own to decide what to do with them. This approach has proven to be the most ineffective (since most users aren’t aware of the security issues). It has damaged corporate images, caused loss in productivity, money and business. If the users need to fight email problems at this level, then getting a good email client or third-party softwares is the best option. Some of the end user solutions available in the market are:

Apple Mail – Mac users have one of the best email client, with pretty good built-in spam filter. It can learn for over a period of time and can be quite effective in identifying spams. It has additional options to identify spams, for example, if your ISP uses SpamAssassin, Brightmail or another spam-analysis tool, Mail leverages that analysis.

Thunderbird – It’s a cross platform email client form Mozilla, with a built-in junk mail filter. It also has a learning capability, as you keep marking messages as spam, over time thunderbird’s filtering improves. Thunderbird also has anti-phishing protection that will tell you if it thinks the message might be a scam to steal your passwords, personal information, credit cards, etc…

There are some desktop anti-spam softwares that can be installed as plugin to the email client:
Trend Micro Anti-Spam Pilot – Free plugin to Outlook provided by Trend Micro.
Comodo Anti-Spam Desktop 2005 – Free anti-spam for Windows PC, supports popular email clients.

If you’re using a Windows PC then I think it’s obvious that you need an anti-virus software too. Some popular anti-viruses are Norton, McAfee and Trend-Micro. If you’re looking for a free one then get AVG Anti-Virus Free.

Stop it before it reaches to users Inbox

This is also called a gateway solution, where the incoming/outgoing emails are routed via email filters before delivering to the users Inbox. This has proven to be the most effective solution available today, but it’s by no means a 100% solution. Some new viruses, spams and phising emails do manage to bypass the filter. Here are different types of gateway solutions available:

Spamassassin – Very popular free mail scanner software, which works with most of the widely deployed email servers like Sendmail, Postfix, Qmail and many more. It uses a wide variety of local and network tests to identify spam signatures.

Ironport, Barracuda, Sophos, Mcafee, Symantec and many others… – They all provide a single box gateway solution to fight virus and spam. These email security appliances are relatively easy to implement in the existing email environment. They run special softwares and signatures are updated constantly. All you need to do is perform a simple configuration and point the MX record to these appliances.

Messagelabs and Postini – These are hosted gateway solutions to solve the email problem. The selling point of such service has been “no initial hardware and software investment” from the customers. It works similar to the Security appliance scenario, you have to point your MX record to these providers SMTP servers, where the emails will be filtered and only good emails allowed to reach your mail server.

Most of the popular free webmail providers such as Gmail, Yahoo and Hotmail use gateway solutions that is tightly integrated with the user’s web interface.

Let’s patch the email system

This is indeed a very smart solution, which requires some minor addition/modifications in DNS and SMTP server, but the problem is the scale in which emails are deployed today. It’s proving almost impossible to ask all the email server and domain name owners to make such a small change. Here are some popular extensions proposed to fix the SMTP protocol.

Sender Policy Framework (SPF) – SPF is an extension to the SMTP protocol, which allows to identify and reject emails from forged addresses. This is how it works: ” 1) the domain owner publishes this information in an SPF record in the domain’s DNS zone, and when someone else’s mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain’s stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake.”

Sender ID – This is Micorsoft’s protocol, and it was derived from SPF. “The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent. Sender ID validates the origin of e-mail by verifying the IP address of the sender against the purported owner of the sending domain.”

DKIM (DomainKeys Identified Mail) – DKIM is a method for email authentication using signatures, this is an enhanced protocol based on Yahoo’s DomainKeys. The sender’s MTA signs and receiver’s MTA verifies. “DKIM uses DNS-based self-certified keys. Because the scope of DKIM is limited, it does not need generalized, powerful and long-term certificates, issued by separate authorities.”

CSA (Client SMTP Authorization) and CSV (Certified Server Validation) are some other solutions proposed to solve the email problem.

Forget about the existing email system and let’s design a new one

This is the approach taken by some experts, who think that email at it’s current state is broken and there’s no point trying to patch it. Even if you come up with a good patch it’s difficult to implement anyway. So, why not design a new email system from scratch, with the security in mind. This sounds very radical but some people did propose such ideas and demonstrated a working system:

Internet Mail 2000 – This is a project launched by D. J. Bernstein, the author of popular Qmail MTA. “IM2000 is a project to design a new Internet mail infrastructure around the following concept: Mail storage is the sender’s responsibility” . The sender’s ISP, rather than the receiver’s ISP, is the always-online post office from which the receiver picks up the message. Meng Wong’s RSS Email is the implementation of IM2000. Here’s the presentation at Google in July 2006 Turning Email Upside Down: RSS/Email and IM2000 (Google Video)

Can e-mail be saved? – An old article from 2004, but is interesting to see how six of the industry’s most provocative thinkers envision the future email.

Some popular techniques used in most of the solutions

blacklists and whitelists – a list of email addresses, domains and ip addresses to either exclusively allow or block emails. There’re some public blacklists that are used by SMTP servers and gateways to block potential spammers. Spamhaus and Sorbs are popular public blacklist providers.

Bayesian spam filtering and trainable systems – based on Bayes’s theorem, “probability that an email is spam, given that it has certain words in it, is equal to the probability of finding those certain words in spam email, times the probability that any email is spam, divided by the probability of finding those words in any email”. These type of systems can be trained on a per-user basis.

Heuristic filtering – Heuristic filtering uses various tests for spam and assigns a numerical score to each test. Each message is scanned for these patterns, and the applicable scores tallied up. If the total is above some fixed value, the message is identified as spam.

Reverse DNS lookup of the connecting IP, Content filtering, Signature-based filtering (such as Vipul’s Razor), Greylisting (temporarily reject messages from unknown sender mail servers) and enforcing RFC Standards are also used to identify spam email.

Conclusion

Latest anti-virus and anti-spam techniques are proving to be quite effective, but it’s not implemented in all the email servers. For the spammers only 1-in-100,000 success rate is enough to pay for their efforts. As these anti-spam techniques become more effective, criminals are finding new ways to attack, and they always seem to be one step ahead of the security professionals. The recent problem with the image spam boom and Messagelabs Intelligence Report shows that. I personally think that we need a new email protocol like IM2000 or RSS/Email but also understand, it’s very unlikely to happen anytime soon. If 96% of spam still cannot kill the current email protocol, I wonder what needs to happen to replace it…

This article originally appeared in SecurityTNT.com