ISSA Board Elections

May 28th, 2009

The ISSA is holding elections to the international board in June. A long-time friend and colleague, George Proeller, is running. I have known George for many years and can attest that his official biography http://www.issa.org/Elections/2009%20Election%20CandidatesAV.html#proeller leaves much out. During his term as president of the local chapter, his primary foci were jobs for members, educational and improvement opportunities for members, and value for our membership dollar. I certainly did get value for my dollar, I can assure you. We have a vibrant and strong membership because of George's leadership. I'm confident he will have a positive impact on ISSA International as well. His work in South America alone shows his forward-looking and global thinking.

If this sounds like an endorsement, it is — an enthusiastic one.

How to make the tangible virtual

November 1st, 2008

I’m a tactile learner. Things that I read or hear just don’t sink in until I do it. The simple act of having to do at

Virtualization. Students can be given a virtual PC with all needed software installed, which they can then use.

Remote access. Students are given remote access to a facility with all needed software installed, and they use their local system as a thin client.

Some items just don't virtualize, such as hardware. Let's consider something as simple as a forensic clone of two hard drives. The cost for the student to have the actual hardware would be around $700. A training facility could rent the equipment, but it is then limited by the number of simultaneous students. The solution is to develop simulation techniques that provide as much of the hands-on experience as possible.

The other possibility is to bring the instructor to the student in the form of videos. I've been exploring this for some time using Camtasia Studio. Reactions seem to be mixed. Unfortunately, I'm not collecting statistics to know if, or to what degree, others are being helped by the videos. My sense is that they work for some, but still not for others.

And that seems a good summary of the industry: continual experimentation, always a drive to find what works best.

Virtualization

November 1st, 2008

How many computers do you have sitting around? If you’re a geek, there’s a pretty good chance that you have a couple sitting around that you expect to use for this learning project or that learning project. Maybe put the latest Fedora on it. Or that beta of the latest Microsoft offering. We need systems and the easiest way to work with the technology is to have a few boxes sitting around to install it on, right?

Maybe not anymore. I've been playing around with virtualization lately and have really come to appreciate the flexibility it gives me. I'm certainly aware of virtualization's inroads into industry — it's becoming very mainstream there. But as a geek and trainer I also appreciate the power it gives me for self-education. No longer do I have to punch the KVM to switch machines; I can mouse between systems. Since I'm focusing on keeping my primary workstations beefed up as much as possible, they make ideal virtualization hosts.

I'm pleased that VMware now makes Server free. I found it pretty easy to set up and configure, especially for *NIX flavors. Its biggest downside is that you need to be a little more familiar with it to use the power it offers.

Microsoft's Virtual Server I found to be very finicky. By setting it up under its own user ID, I was able to get it running in a reasonably stable manner. Nonetheless, it was harder and more time-consuming to use than VMware Server.

Easiest to use so far has been Virtual PC. While I expected it to have much less functionality than Virtual Server, its ease and speed of setup actually make it the more practical product. While Virtual PC claims to support *NIX systems, I have not tried that yet. One feature Virtual PC has that I really like is the ability to build a system from an ISO image rather than a physical CD. Since I get all my OS images as ISOs, this is a real convenience.

I have not worked with either Microsoft's Steady State or VMware's Workstation edition. I plan to, and will let you know my reactions then.

If you haven't already tried virtualization for your home system, I'd recommend it. It's a great way to have a "safe surfing" system. One of my pet peeves is the number of programs and web sites that assume the user runs a browser with no restrictions. Now I can. Once I'm finished with the #$*%^$##$ incompetent webmaster, I can blow away the virtual machine and replace it from my base image with minimal work.

On mathematics

June 24th, 2008

I often read or hear people asking "Do I need math to study …?" Allow me to offer some thoughts as someone who has worked in IT for over 25 years. I studied a fair amount of math in college and now regret not getting a double major in Math and Computer Science. I was in a hurry, what can I say?

How often do I whip out a slide rule (or the twenty-first-century equivalent) and solve some formula learned in college? Never. The hardest math I "do" is related to taxes. That doesn't mean that I don't "use" math, however.

I've often benefited from what I call an instinctual feel for how things work, what's optimal, and the best way to do things. This is not instinct, however. It comes from having a varied and strong math background that includes statistics, queuing theory, and algorithmic analysis. What seems like instinct is really the old math training kicking in.

On the job, I've worked with many folks with varying academic backgrounds. To people with weak backgrounds, some concepts are simply transparent: they don't even realize the concepts exist, much less understand what is happening. In some cases, they could identify the event but not know any of the theory regarding how to manipulate or quantify it.

There is an old saying, "You never know what you don't know," that applies. There are many people working in many different fields who are all successful without many core academic skills. Since they can succeed without good math or English skills, does that mean that those skills aren't important? I don't believe so. It only means that they've limited themselves in ways they don't even know. In the process, they've limited their success and their lives.

Please don’t let this happen to you.

Security+ 2008 Objectives Announced

June 17th, 2008

The new Security+ 2008 objectives are now officially available on the CompTIA web site. CompTIA is planning general availability of the exam in October 2008 and retirement of the 2003 objectives in the second quarter of 2009. No word yet on whether a beta will be available.

This is a much-needed update, as the topics on the 2003 objectives list were quite dated. The big changes include coverage of modern threats and an increase in the number of domains from 5 to 6.

Sadly, cryptography is still listed late. Authors will use the same sequence when they write their books, and many courses will be written to the books. As a result, students will still get cryptography late rather than up front. I can't really fault CompTIA for this order; I place the blame on course designers who don't think about sequencing of material.

See ya' around.

Help and Inter-dependence

April 18th, 2008

A phase we go through in life is independence. This is necessary and appropriate, but the result is that we are often reluctant to ask others for help. This remains true long into our adulthood.

I received a call a few days ago from a colleague who is more of a mentor to me. He has been of tremendous help over the last 3 or 4 years on several issues. He had some questions that were simple for me to answer. I received such pleasure from helping him that it really made my day.

Don't ever be afraid to ask for help; you too might make someone's day.

How steep the stovepipe?

March 25th, 2008

I've been reading "The World is Flat" lately. The book discusses how globalization is impacting everyone and offers thoughts on how to best adapt to the changing world. While most of it is based on interviews and anecdotal evidence, the book does serve to get one thinking.

I'm amazed at how focused most of the learning we IT security folks engage in is. While we do need to be experts in security, I'm concerned we have too narrow a life focus. Do we miss the bigger picture when we focus on the details extensively? Do we ignore the "why" by steeping ourselves in the "how"?

Yes, we are knowledge brokers. We need the technical knowledge. Should we take a little time to make ourselves more human?

Talk with you next time.

Dennis

SSID Naming

February 19th, 2008

We often don't think much when we set up a wireless access point. In fact, a quick wardrive would demonstrate that many people never change the SSID on their access point from the default. Perhaps a few thoughts on that are in order.

By changing the SSID we establish "ownership" of the AP. We are saying "this isn't yours" and refute any claim a bandwidth thief may make that "they didn't know" it wasn't theirs. But what should the SSID be?

Never use:

  • Your name
  • Your address
  • Political statements

These reveal more than should be revealed and may invite intrusions into your space. Only rarely would one violate these rules. A coffee shop may name its SSID "Joe's Java - Customer Use Only", but that's a reasonable exception.

Your thoughts?

Dennis

Incident Reporting Site

January 19th, 2008

The folks at attrition.org maintain a list of data breaches and data losses. I get an RSS feed from them, and it's amazing how often people lose data. Here's the URL; hope you enjoy.

http://attrition.org/dataloss/dlunplugged.html

Hello world!

July 6th, 2007

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!