Tuesday, April 1, 2025

"Security for ordinary folks": Lessons from Signalgate - 4 - Cell phones, info capture, attack and breach

Cell phones are not secure.  And then, I suppose that I have to qualify that by saying cell phones are not *very* secure.  And then I suppose that I have to qualify even *that* by saying *most* cell phones are not very secure.

So, to start off with, yes, there are some cell phones which are secure.  There are some cell phones that are secured to specific levels.  But these cell phones are usually restricted in quite a few different ways.  One of the ways that they are restricted is that you cannot install just any app on one of these cell phones.  The cell phone itself will not allow you to.  And this takes care of an awful lot of the insecurity of cell phones, in that most apps for cell phones are not secured.  Security has not been part of the design of the app.  Okay, yes, some aspects of security *may* be *part* of the app.  The app may require you to enter a username and a password to get access to your specific account.  And, indeed, the cell phone app *may* protect the sign-on: the exchange of your username and password with the system that is hosting that account, and may even possibly encrypt the information that you are transferring back and forth between your phone and the app.  But all of that is "maybe" on your bog-standard cell phone.  On a secure cell phone it is going to be mandatory.  And anything that doesn't apply stringent security protocols is not going to be allowed on that cell phone.

But that is only one part of the whole security puzzle.  When I am preparing candidates for their professional certification in information security, I start with security management.  The point being that you can have all the security tools that you want, and still not be secure.  You can be an absolute wizard at setting up firewalls, and know absolutely everything that there is to know about establishing a really secure firewall, but if you don't do all the rest of security, and if you don't manage it all together, you're not going to be secure.  In physical terms, I may illustrate it by saying you can have a front door that is solid, and barred, and has really fantastic locks, and you're not going to be secure if your back window is wide open.  So, you have to do the whole job with regard to security.  And cell phones definitely don't do the whole job.  Cell phones are there for availability.  Cell phones are there for convenience.  Cell phones are not for total and complete security.

To understand why, we go back to our Signalgate scandal.

The person who set up the group chat actually thought about security to a certain extent.  But only to eliminate a concern about people being able to get the contents of the chat at a later date.  This person enabled the setting that said that all the messages on the group chat would disappear after a week.  Yes, that can be helpful in terms of security.  (It's also illegal, in terms of government regulations with regard to archiving of all official government communications.  But so many other things were illegal about this whole story that what's one more?)

Anyway, back to this issue of the messages disappearing after a week.  Actually, this doesn't give you much security at all.  For one thing, you can simply copy the text of the messages and put them someplace else.  You can paste the text that you have copied from the messages into a text file on another app on the phone that allows you to make text notes.  Or you can take the text that you took off this group chat, and paste it into an email, and email it to yourself.  There's all kinds of ways that you can take this information and keep it, even though somebody has said that the information is supposed to disappear after a week.

There may be a setting on the Signal app that enforces something that says no, you can't copy that text.  This does make it a little bit harder to keep the text, but not very much.  For one thing, just about every cell phone allows you to take a snapshot of the screen: a screenshot.

And in fact, when those who were party to this chat (officially, at least) complained that the reporter was misrepresenting what had been said at the chat, and that nothing classified had been said at the chat, the reporter was able to provide an entire transcript of what had been said on the chat, including all the emojis that had been sent in messages in the chat (which, of course, would not have copied over as text).  But all he had to do was take screenshots of the messages on the chat.  And, there they all are.  A complete transcript: complete with emojis and everything that was said.

This is one of the reasons that cell phones are not secure.  There are far too many ways of taking information and copying it somewhere else that *isn't* secured, even if you apply security to the cell phone.

But wait, as they keep telling us in the ads, there's more!

Cellphones are actually computers.  Small computers, specialised to communications functions, but they are computers.  And of course, most of them can be connected to the internet.  And therefore people have found ways to write malware for cell phones.  And those pieces of malware can be sent to people, embedded in messages that read, "Hey, you'll get a kick out of this!  Click on this link!"  "Hey, this app is really fun!  Install it on your phone!"  Or something like that.

And people will run a program, whether they realise it's a program or not.  And that program will take over their cell phone.

Most people, and particularly those who are willing to believe that there are no rules, and therefore no rules about not running any old software, or about not clicking on any old link that somebody sends you in an email message or text; people who are willing to add someone to a group chat without identifying and verifying them; and people who are willing to discuss highly classified information on systems that are not rated for that level of sensitivity of information; well, those kinds of people will probably be quite willing to click on anything without realising that it might be a piece of software that can take over their phone.

And, of course, once the software has taken over your phone, it can do whatever it wants.  Including setting up a permanent link to send anything that you tap into the phone (your credit card number?  high security government account password?), and anything that shows up on your screen when you are looking at the phone, and take recordings of every telephone conversation you have with that phone, and send it to ...

Well, anyone, really.  Chinese intelligence agencies.  North Korean intelligence agencies.  Russian intelligence agencies.  Possibly (*shudder* *shock* *horror*) even *Canadian* intelligence agencies!  Who *knows* what damage this could do!


Next: "Security for ordinary folks": Lessons from Signalgate - 5 - Authorization

Monday, March 31, 2025

"Security for ordinary folks": Lessons from Signalgate - 3 - Signal, Identity and authentication

Well, I suppose if we are talking about Signalgate, we should talk about Signal.

Signal is, essentially, a texting program.  It uses the Internet, rather than the texting channel for telephone service.  At least, for the most part.  You may be fairly familiar with Signal: you may use it under another name.  If you use WhatsApp, WhatsApp is basically identical to Signal, with one difference.

So, if you have used WhatsApp, you know all about Signal.  You know that it is primarily about text messages, and you probably know that you can use it to create groups, and send text messages to a number of people in the group.  You can also use it for audio and voice calls, but most people are just using it for the texting.  And, particularly, the group text chats.

(I suppose that I should mention the one difference between them.  WhatsApp is owned by Meta, which is, essentially, Facebook.  Therefore, it is Facebook which is managing the connection and setup of all communications done over WhatsApp.  The text chats, and even the voice and video calls, are encrypted.  Therefore people think that they are secure.  By and large that is probably true.  However, since Facebook sets up all the calls, it would, theoretically, be possible for Facebook to listen in on all WhatsApp calls and chats.  Signal uses the same technologies, and even the same protocols, as WhatsApp.  They are basically identical.  However, whereas Facebook manages all the calls for WhatsApp, Signal allows you to choose different hubs to manage your calls.  Therefore, while it would be possible for a single hub to listen in on the calls managed by that hub, no single hub would be able to listen in on all calls that are made through Signal.)

I suppose that it might be possible that this point, that simply having encryption doesn't guarantee you privacy, could be lesson 3A.  It certainly is important to know what encryption does do, and what it doesn't do, and the fact that encryption has to be managed properly in order to do the things that you want it to do.  But that actually isn't the lesson that I want to emphasize in this particular lesson.

No, what I want to emphasize, as lesson three, is identity.  Actually, when we in security talk about access control, we talk about IAAA: that is, identification, authentication, authorization, and accountability.  We will talk about authorization and accountability in later lessons.  Right now I want to talk about identification, and authentication.

First of all, somebody on the Signal channel wanted to add someone else.  We don't know who it was that they wanted to add.  Nobody is saying much of anything, and when they do say anything, most of the time they lie, and most of the time the lies conflict with each other.  So we don't have a lot of reliable information about this whole mess.  But we do know that they wanted to add someone to this channel, and that they weren't careful about the actual identification of the person that they added.  The person that they actually added was, in fact, a reporter that the Trump administration did not particularly like.  And, of course, there was absolutely no reason in the world that the people running the chat would want to add that reporter.

As a matter of fact, when the reporter was first added to the channel, and started seeing traffic on it, the reporter thought that it was some kind of hoax.  In fact, the reporter, initially, when he saw the initial messages going out on this Signal channel, felt that it was probably set up by someone in support of the administration, and was an attempt to fool the reporter into reporting on a story that was false, and then be made to look like a fool when the story was proven false.

However, as the messages went on, it looked more and more like this was, in fact, real communication, between real members of the Trump administration.  Who were, in fact, discussing planned attacks on Yemen.  And, so it proved to be.  Information about war planes being dispatched on bombing missions was given, prior to the aircraft taking off, and was, thereafter, confirmed by military reports of the activities, after the fact.

But back to the identification.  As I say, the people who added the reporter to the channel were not careful about the identification of the person that they added.  Additionally, they did not take the further step, which, in terms of information and access control would be an absolute minimum necessity, of doing the authentication.  This is verification, very often by something you know, or something you have, or something you are, that you are, in fact, the person that your identification says you are.

So, neither the identification, nor the authentication, were done correctly.  In fact, the authentication wasn't even done at all.

So what does this mean to you, as an ordinary person, wanting to keep yourself secure or safe?  Well, the first thing to do is be careful with identification.  Identification, really, never can be trusted.  It is always simply asserted.  I say that I am Rob.  For the purposes of normal social conversation, this is probably sufficient.  But, if you wanted to do any business with me, you probably would want to know that you were dealing with Robert Slade.  And, indeed, since there are a great many Robert Slades in the world, you would probably want to know which Robert Slade you were dealing with.

As a matter of fact, if you wanted to do any significant business with me, you would probably want to verify, somehow, that I was, indeed, Robert Slade, and not just somebody *saying* he was Robert Slade.  You would want to authenticate the fact that I was Robert Slade.  If you are dealing with me over the Internet, and can't demand to see my driver's license (or something like that), then you might want to set up an account somehow with a coded username, which would be a form of identification that we might agree to, and then, every time we wanted to deal with each other, have a form of authentication.  The authentication might be something that I know: for example, a password.  It might be something that I have: such as the aforementioned driver's license, or possibly my cell phone number, to which you could send a text, with a pin, and then ask me to confirm what the pin was.  Or we could get really fancy and have fingerprint readers, or send pictures of each other, and that would be something that we are: otherwise known as biometrics.

Authentication is the really important part.  That's why those of us in information security keep on yammering on about the fact that you should choose long passwords, and strong passwords, and use a mix of upper and lowercase letters, and throw some numbers in there too, and even some punctuation marks.  Making the password hard to guess means making the authentication more reliable.  And, as I say, authentication is the important part.

And authentication is the part that these military geniuses Signally failed to do.
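As an added illustration (not code from the post), here is a Python sketch of the arrangement described above: a coded username that both sides agree on is identification, and admission to a group then requires a password (something you know) plus a single-use PIN "texted" to a registered phone (something you have). Beside it is the name-only admission that the post criticises. The usernames, the five-minute PIN lifetime and the in-memory text delivery are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

PIN_LIFETIME_SECONDS = 300  # assumption for this illustration: a PIN is good for five minutes


def _hash_password(password, salt):
    # Slow, salted hash so a leaked record does not simply hand over the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Registered identities and the secrets used to authenticate them."""

    def __init__(self):
        self._records = {}    # coded username -> record
        self.sent_texts = []  # constructed stand-in for SMS delivery: (phone, pin)

    def register(self, username, password, phone):
        salt = os.urandom(16)
        self._records[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "phone": phone,
            "pin_hash": None,
            "pin_expires": 0.0,
        }

    # Identification: an assertion, nothing more.
    def identify(self, username):
        """True if the claimed name is known. Proves only that the name exists."""
        return username in self._records

    # Authentication factor 1: something you know.
    def check_password(self, username, password):
        rec = self._records.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))

    # Authentication factor 2: something you have.
    def send_pin(self, username, now=None):
        """Generate a single-use PIN and 'text' it to the registered phone."""
        rec = self._records[username]
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"
        rec["pin_hash"] = hashlib.sha256(pin.encode()).digest()
        rec["pin_expires"] = now + PIN_LIFETIME_SECONDS
        self.sent_texts.append((rec["phone"], pin))

    def check_pin(self, username, pin, now=None):
        rec = self._records.get(username)
        now = time.time() if now is None else now
        if rec is None or rec["pin_hash"] is None or now > rec["pin_expires"]:
            return False
        ok = hmac.compare_digest(rec["pin_hash"], hashlib.sha256(pin.encode()).digest())
        rec["pin_hash"] = None  # one attempt per PIN, whether or not it matched
        return ok


def add_by_name_only(group, directory, claimed_name):
    """How the Signalgate chat was populated: the asserted name alone gets you in."""
    if directory.identify(claimed_name):
        group.add(claimed_name)
        return True
    return False


def add_authenticated(group, directory, username, password, pin, now=None):
    """Admit only after identification AND both authentication factors pass."""
    if not directory.identify(username):
        return False
    if not directory.check_password(username, password):
        return False
    if not directory.check_pin(username, pin, now):
        return False
    group.add(username)
    return True
```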


Friday, March 28, 2025

"Security for ordinary folks": Lessons from Signalgate - 2 - Cell phones and SCIFs

Lesson two is about cell phones.  No, I'm not going to say that you can't use cell phones.  Cell phones, for good or ill, are now part of our lives.  But a definite part of this story, and scandal, has to do with cell phones.

Cell phones are not secure.  At least not *very* secure.  Just today I got some information about a family of malware for cell phones, specifically targeting instant messaging systems, and with at least one component directly aimed at the Signal app.  And a bit later we will go into some of the details about why, and how, cell phones are not terribly secure.  But cell phones are certainly convenient, and sometimes they are even life-saving.  So, no, I am not saying that cell phones are evil, or that you should never use cell phones.

What I am saying is that you should think about how, and why, you use cell phones.

In this particular case, cell phones definitely should not have been used.  The Signal app should not have been used.  The information being discussed was very important, and confidential, particularly at the time that it was being discussed.  Despite the subsequent attempts to say that the information was not classified, that it did not come under a category that needed to be classified, and that somebody involved in the conversation could have declassified the information (whether or not the information actually was declassified), this type of information either was, or definitely should have been, classified, and shouldn't have been discussed in this type of communications arrangement.  Government and military people in the United States use, and are provided with, what is known as a SCIF: a Secure Compartmented Information Facility.  This is not simply a phone, or a terminal, but an actual facility: a room, locked, with either a card or a keypad in order to identify everyone who enters it, with a phone, or a terminal, that is built to a standard of security that would make it very difficult for any adversary to eavesdrop on any conversations.

So, what does this have to do with security for ordinary folks?  Ordinary folks are not provided with a SCIF.

This is quite true, but, once again, we go back to the idea of information classification.  (That's why we started off with the topic of information classification.)  Once again, you don't necessarily have to have some kind of formal information classification system.  But you should consider the information that you are dealing with, and how important it is, to you, and the communications channel that you are using.  Are you using this particular communications channel just because it's convenient?  Do you have another communications channel that might be better for this particular piece of information, or discussion?  Is there some other communications channel that both you, and the person you want to have a conversation with, share, and is it more suitable given the sensitivity (importance) of the information that you are going to discuss?

Cell phones, as I said, are convenient.  But they also have a lot of functions that might not immediately come to mind when all we want to do is place a phone call.  Just about every cell phone has a speakerphone option.  Are you sure that the person on the other end of the call doesn't have their phone on speakerphone?  Could it be that other people, sometimes quite a distance away, could overhear the entirety of both sides of your conversation, because the other person has their cell phone speakerphone on?  Then there's the fact that pretty much all cell phones can be set up to record a conversation.  This isn't unheard of with the landline, but it generally takes a little bit more trouble to do it.  It can be done easily, and quickly, on a cell phone just by downloading an extra piece of software.  Again, we'll go into a bit more detail about some of the problems with regard to cell phones in a subsequent piece in this series.  For now, just be aware of what can happen when sending different types of information over different types of communications channels.  Think about how important the information is, to you, and whether the ease and convenience of the channel that's immediately to hand makes it the best fit for the type of communications you want to engage in.

Using cell phones, and group chats, to discuss really important and top secret attack plans; the type of information that, if it goes astray, could get people killed; well, cell phones probably aren't the best fit for that.  And besides, it would be illegal anyways.

Thursday, March 27, 2025

"Security for ordinary folks": Lessons from Signalgate - 1 - Rules

"Security for ordinary folks": Lessons from Signalgate

A couple of days after this all broke I was due to do another "security for seniors" session.  We were *going* to start frauds and scams.  But with this all over the news, and everybody talking about it (mostly incomplete, and often misinformed), and with so many basic security lessons to be learned from it, I figured I should take advantage of the opportunity.  So I covered the scandal, pointing out, along the way, that even though this news story was about national and even international security, it still had lots of lessons that *everybody* could benefit from.

So, day by day, herewith some security lessons, applicable to seniors, homemakers, owners of your own business, students of security, security professionals, and all the way down to vice presidents of superpowers.


"Security for ordinary folks": Lessons from Signalgate - 1 - Rules

Lesson one: this is why we have information classification rules.

Okay, maybe I have to back up a bit here.  A lot of ordinary folks will think information classification, itself, only applies to governments, the military, and big corporations.

First of all, this whole story, and scandal, couldn't have happened to a nicer guy.  I mean that, quite literally.  Nicer people are people who tend to follow the rules.  The MAGA camp is led by someone who not only doesn't think that the rules apply to him, he doesn't think that there *are* any rules, at all.  He thinks that rules, and policies, and laws, are for suckers.  People who follow the rules are weak, and are at a disadvantage when dealing with him.  He doesn't like rules, and laws, and doesn't think that there are any norms or standards of behavior.  He likes chaos.  He likes chaos because it means that he can do pretty much anything, and needle people, and get under their skin, and make them mad, knowing that when people are mad they will make mistakes.  The art of the deal, in his true viewpoint of the world, is simply taking advantage of every mistake that everybody makes.  People who believe that there are rules, and laws, and norms of conduct, are going to be at a disadvantage when dealing with him.  Since he doesn't like rules, he makes sure that nobody who is around him believes in rules, or laws.  He doesn't want to have anybody around him who will tell him that you can't do that: that that is against the law, or this is against policy, or that normal rules of diplomacy, or business, or anything else, say that you shouldn't do this.  Whatever "this" happens to be at the moment.  He wants to be able to do whatever he likes, and the weirder, and more chaotic, probably the better.  So the people he's got around him are also people who ignore even the fact that there *are* rules, laws, policies, or anything else that could restrict and confine and limit what you actually do.

But that is simply a political position, and a social observation, and really doesn't have anything to do with security for ordinary people.  What does have to do with security for ordinary people is risk assessment.  Risk assessment is simply looking at any activity, and noting what risk this activity poses for you.  And, in terms of information security, it is looking at any piece of information that you provide, and noting how important it is, to you, that this piece of information either be available to you, or, more likely, not be available to anyone else.  Or be available only to a select group of people.  And what are you going to do to ensure that that group of people remains select?

To illustrate this point, I assume that all of you know not to paste your credit card number on the outside of your door.  Or to print it out on pieces of paper, and to scatter it around the neighborhood.  If somebody gets hold of your credit card number, there is a chance that they can use your credit card number to start buying things with, and then you have to pay for them.  And, on one of the occasions when a media outlet asked to have me on the air, it was about using credit card numbers on the Internet.  I should mention that this happened about thirty years ago, and so the technology involved in credit cards, and credit card numbers, was a little bit different.  The host of the program, after we had talked about the bulk of the issues that had raised the topic, jokingly said something about he guessed that I would never buy anything with a credit card on the Internet.  I said that I never had, but that I had no objection to doing so.  He was greatly surprised, and asked why that was the case.  I asked him if he had ever paid a restaurant bill with a credit card.  He, once again very surprised, said that of course he had.  Remember that this was taking place quite a while ago.  This was before portable terminals and card readers would come out to the table as a matter of course when paying the bill for the meal.  What, I asked, you mean to tell me that you are willing to give your credit card to a person who is probably making minimum wage, knowing that they are going to take your credit card away from the table, and take it who knows where, and do who knows what with it, before they bring it back?  Oh, he said.  I take your point.

The point of saying that we need to do information classification is to say that we need to think about the value of the information that we are dealing with, and then think about the possible risks of handling that information, in the way that we propose to handle it.  Is it safe for us to do an e-transfer?  Well, probably it is.  Is it safe for us to send our credit card number, in an email?  Well, the risks involved in that are probably a lot higher.  Is it safe for us to send our bank account information in an email?  Well, I have done that, when I'm performing a contract for someone overseas, and they are going to be paying me by SWIFT transfer.  But I have a specific account, which contains very little cash, and which I use specifically for those kinds of transactions.  You have to decide what the risks are, what the value of the information is, to you, and what the risks of that information going astray are, to you, and, even if you don't set up a formal information classification system for yourself, you do have to think about how valuable this information is, and what kinds of protection you need to put on it.  That is, basically, the basis of information classification.  How valuable is the asset, to you, and how great is the risk, to you.  You have to make that decision.

Wednesday, March 26, 2025

CISSPForum FAQ

Having posted yesterday's bit about "Signalgate" and the origin of "the usual suspects", I noticed that the CISSPForum FAQ was no longer findable on the Web.  So, with Gary's help, herewith is a copy so that it doesn't disappear.  (Sorry about the formatting.  I *may* get around to fixing it, but it isn't a huge priority right at the moment ...)  (I may *even* get around to updating it, but it isn't a huge priority right at the moment ...)

The Decidedly, Unashamedly and Proudly
Unofficial CISSPforum FAQ

Answers to Frequently Avoided Questions about CISSPforum

a.k.a. The Big Dummy’s Guide to CISSPforum

a.k.a. The CISSPforum Policy Manual (exposure draft)

FAQ originated by Chris Brown, heavily edited by Rob Slade and Gary Hinson
with numerous contributions from generous and sometimes unwitting
CISSPforum members and, allegedly, the Usual Suspects

Latest update one idle Friday in January 2019

Please bookmark and share the following case-sensitive shorty for this FAQ:

bit.ly/CISSPforum

or simply ask Google


Contents

INTRODUCTION
BASIC FORUM USE
FORUM CONTENT
ZOMBIE TOPICS
FORUM MEMBERSHIP OPERATIONS AND SETTINGS
(ISC)2 STUFF
MISCELLANY


1 INTRODUCTION

1.1 What is the point [of this FAQ]?

We’re not sure really. Does it need a point? How sharp must it be?

This document is the unofficial FAQ (Frequently Asked/Avoided Questions) for users of the CISSPforum mailing list for CISSPs. It is a collection of answers to questions that may have been repeatedly asked in the forum and (arguably) important information related to appropriate and inappropriate use of the forum.  Or not.

This FAQ inhabits a lesser-known quiet cul-de-sac just off the information superhighway, a side-turning from the roundabout behind the noisy industrial estate along a gravel track known as: http://www.noticebored.com/html/cisspforumfaq.html

We’d ask you to bookmark the URL for future reference and share it with your fellow CISSPs but we know that’s a waste of good bytes. Google has heard of it anyway. Thank Google for that!

If you’re not entirely sure what an FAQ is, permit Cragin to explain:

    FAQ on FAQs.

    1. What does FAQ stand for?

    Frequently Asked Questions.

    2. Frequently? How many times does a question have to be asked before it is added to a FAQ?

    None. The entire set of questions was written before the final fielding of the system or web site to which they refer.

    3. None? Just how often are these questions asked?

    Never.

    4. Asked? Who asked them?

    No one asked them. OK, well, actually, the implementation team wrote the questions, but they already knew the answers when they wrote them, so they were not actually ASKING the questions.

    5. Questions? What kind of questions are the FAQ?

    They are second and third sub-level topical headings from an unfinished (or unstarted) users' manual that have each been restructured from a statement to an interrogatory.

    6. Why did the implementation team write the FAQ?

    Because as they were in the final phases of fielding, they realized that the development team had either never gotten around to preparing user documentation, or had done such a shabby job that it was useless, and further that the operational interfaces of the application were so non-intuitive (or counter-intuitive) that end users would only be end, and never users, without instructional hand-holding.

    7. Then what is the purpose of the FAQ?

    The FAQ is used by Tier 1 Help Desk staff to avoid having to learn the application while at the same time allowing them to make callers feel simultaneously lazy and stupid: "You want to learn how to framitz the onglethard? It is clearly explained in the FAQ on our web site. Didn't you look at the FAQ before calling?"

    Copyright © D. Cragin Shelton 2008

1.2 What is CISSPforum anyway?

As vaguely hinted-at by its not exactly cryptic name, CISSPforum is basically a discussion forum for CISSPs (Certified Information Systems Security Professionals). Some among us may be SSCPs (System Security Certified Practitioners) and others such as CSSLPs (Certified Secure Software Lifecycle Professionals), CISMs and CISAs, and Cprofs (Proficient Cyclists).

Nobody much from (ISC)² global headquarters hangs out on the forum. Whether that is because they are too busy counting great piles of AMFs, hob-nobbing with the big nobs or simply “having a life”, we’re not sure. Anyway, the upshot is that it is a local forum for local people. It is user-led and user-trailed.

Membership of CISSPforum is a little known benefit of gaining your CISSP, little known largely because (ISC)2 chooses not to promote it or participate.  As one of our members said, “The most useful thing I got from my CISSP is this community - a wealth of knowledge and experience.” Some might even agree that we should earn CPEs for actively contributing to CISSPforum.

Technically speaking, CISSPforum is a group on Groups.IO, also known as an email reflector, a virtual mirror for electronic mail messages.  Individual messages sent to the group by group members are received by Groups.IO and blatted out to all members, not unlike a reflection denial-of-service attack.

Socially-speaking, CISSPforum is a friendly and supportive community of peers i.e. qualified information risk and security pros from all parts of the globe and all sexes. Some of us are newcomers to the profession, recently qualified, while some are grey-beards with a decade or four of experience in the trenches. Our ranks are swollen by IT auditors, consultants, trainers, academics, security officers, security managers, tech authors, scholars of ancient Greek, radio amateurs and others, mostly but not entirely CISSPs. Welcome all.

As a community of professional practice, CISSPforum is a great place to discuss information security and related topics. The scope of the forum naturally includes all areas of (ISC)²’s Common Body of Knowledge which coincides, thankfully, with the CISSP exam. From time to time, we also discuss the ISO/IEC 27000 series (ISO27k, ISMS), ISO 22301 (business continuity management), ISO 9000 (QA), ISO/IEC 20000 (ITIL), IT governance, SOX, IT risk management, IT audit, IT forensics, UNIX/Windows/MacOS/OS390/etc. etc., networking, vulnerabilities, Windows, Windows vulnerabilities (and occasionally Mac vulnerabilities, Linux vulnerabilities ...), assorted cyberweapons and APTs, BYOD, IoT things. In fact anything hot in information security is likely to be brought up at some point, often before it hits the industry rags if slightly behind the blogosphere. It’s like an information security club, an online interactive encyclopaedia with qualified, competent and experienced contributors. OK, to be honest it’s a few really active contributors plus a larger number of inactive lurkers but we feel their presence in a spooky sixth-sense Stephen King’s Carrie kind of way.

Some of the discussions are straightforward questions and answers, that’s it. Others develop into full-blown discussion threads, depending on the skill or good fortune with which the original poster crafted a post containing such subtle nuances or contentious language that more people felt compelled to respond. Urgent but un-lame help messages generally get answers within minutes, while more contemplative posts can trigger threads that run for days or sometimes weeks. By and large, it is all very good natured, open and safe, though there’s often the very faintest whiff of sarcasm, especially when someone purports to be an expert on some topic. The forum is a wonderful safety vent for burning information security issues that bug you, and to challenge accepted norms. You’ll find deep technical threads running alongside lighter topics. Members contribute wisdom, knowledge, opinions and more for the benefit of all. Many of us have become virtual friends through the forum while others are virtually friends simply by virtue of their participation. We’re never stuck for friendly local guides when visiting far-off foreign lands, although we’re still patiently waiting for our first forum romance, or rather the first one to be publicly acknowledged.

1.3 What is CISSP?

CISSP (Certified Information Systems Security Professional) is a certification awarded to the deserving by ANSI-accredited (ISC)² confirming that the holder has:

  • Passed the CISSP exam, a typical multiple-choice examination that tests the examinees’ retention of key facts and, to some extent, their understanding of the fundamental principles of information security (that well known oxymoron);
  • Work experience in information security;
  • An ongoing commitment to maintaining their education in information security (CPEs);
  • Qualified to apply to join CISSPforum!

Despite what many recruitment consultants and other infosec-challenged people might think, CISSP is not a deep technical security qualification. It requires a reasonable understanding of both technical and non-technical information security matters, with the emphasis on breadth over depth of knowledge. That said, many CISSPs do have deep technical security knowledge and expertise in one or more of the CBK domains, whereas some of us just wing it.

If CISSP is not right for you right now, (ISC)²’s other certificates might be:

ISC2 certificates 2019

1.4 Is there an official CISSPforum FAQ?

Not any more.

There used to be one but, in its infinite wisdom one dark day in 2018, (ISC)² decided to can the original (ISC)²-managed CISSPforum on! Yahoo! groups! While CISSPforum members collectively sighed with relief at the! end! of! Yahoo!’s nonsense!, the shutdown decision was made unilaterally without consulting CISSPforum members. In fact, we consider ourselves fortunate to have found out about it moments before the plug was pulled.  We were lucky!  We used to dream of being informed by (ISC)².

In the final few hours before its ultimate demise, Yahoo!’s archive! of! CISSPforum! messages! was shamelessly plundered and preserved for all eternity.  In years to come, wave after wave of new CISSPs will discover the wealth of insightful commentary and accumulated wisdom that lies therein, thanks to the historic messages having been uploaded to Groups.IO.  Simply browse or search and enjoy.

1.5 Disclaimer

The information provided in this FAQ is not guaranteed <full stop>

The information provided here is often the curious opinion of one deluded person and, however unlikely this may seem to them, there may conceivably be valid opposing views. Use the information in this FAQ at your own risk. Your mileage may vary. Do not run with scissors. Do not pass Go.

This is not legal advice. The legal buck doesn’t even think about wandering through this quiet turnpike on the information souperhighway while charging its time by the second.

The unofficial FAQ is neither promulgated nor endorsed by (ISC)2, its officers or its affiliates, nor by any government, nameless government agency or religion. It is technology-neutered and sexless. This is an independent unofficial and decidedly cranky work by a tiny albeit vocal and rather cynical minority of CISSPforum members with this particular version having been heavily modified by self-acknowledged beards-of-colour who are clearly disturbed, senile or ‘under the influence’, and possibly all of the above.

GM-free. Ford-free too. No cute cuddly animals were harmed in its production, only nasty slimy ones.  A number of electrons were mildly inconvenienced, and a few photons have been seen to change direction.

This FAQ is so environmentally friendly, it is likely to slip quietly away to hug yet another tree or kiss a whale the very instant your back is turned. Please don’t print it out, especially if you have an evil printer from hell.

1.6 Other versions of this FAQ

The original plain text FAQ was available only to CISSPforum members. It was very plain and really only of value/interest to those who already knew all about CISSPforum, being members thereof.

It was extensively updated, worked over and generally roughed up a bit by Rob Slade and assorted elves in 2005/6.

The sexy HTML web version now appearing on a screen near you was conceived by Gary Hinson in October 2006 and is updated when inspiration happily coincides with a spare hour, which frankly is hardly ever. Comments, further questions, answers and jokes are always welcome, via CISSPforum if possible. See the contact details towards the end whether you’d like to contribute something deep and meaningful, chuck rotten eggs or volunteer to take it over.

2 BASIC FORUM USE

2.1 How do I post messages to CISSPforum?

Any member of CISSPforum can post messages to CISSPforum simply by emailing cisspforum@groups.io. Messages can also be posted online by group members using the Groups.IO web interface. Either way, please be reasonably succinct and professional.

CISSPforum automatically rejects messages posted by non-members, unless they have carelessly allowed their authentication credentials to be stolen by a spam bot (which happens occasionally - proving that CISSPs are only human). Nevertheless, this is still the most effective anti-spam system we have. Spammers who join the forum are soon shown the error of their ways and risk being “horse whipped with Cat5 cable” (according to one member’s email signature anyway).

Identify yourself, please, when you post messages. Your email address is seldom sufficient to identify you, at least until you have posted often enough that others will mutter under their breaths “Oh no, not him/her/it again!”. Simply end your posting with a standard business-like salutation including your name or else a nickname or some other term that you are happy for us to call you. Otherwise we will choose our own name, and it may not be to your liking. The being who posts under the pseudonym “/bpm”, for instance, probably does not appreciate being called “Slash” but thankfully he/she/it has a sense of humour.

When asking a question or seeking advice, give us a clue about your context. Your situation is probably relevant to the advice you seek. Government practice is different from commercial, not-for-profit, finance, healthcare, SME ....

If you are posting a long hyperlink, please either create and supply a shortened URL as well as the full link, or simply enclose your long URL in angle brackets < and >, which allegedly tells some email clients not to break the URL into little bits. Some of us can only afford little screens. We are pixel-challenged, N bits short of High Definition.

Do your homework before posting to CISSPforum to avoid being soundly lampooned. This is a professional forum for qualified information security people. Some Forumites just love to show off their extensive knowledge at every available opportunity and you’ll often get a broad range of opinions from the Forum ranging from short snippets to extensive diatribes, sometimes unconventional, conflicting, of dubious value and/or sarcastic. However, we resent being used as the research mechanism of first resort. If a poster is too lazy to craft a simple Google search or two and follow up on the results before coming to us, some of us are not afraid to say so. It may help to demonstrate that you have already made an effort to answer your own question. By briefly describing your research and analysis so far, you can prove that you are not just an information leech. You will also give the experts here a chance to go directly for the deep dive without repeating the basics you already know. You might try Asking Questions The Smart Way and, whether you are a Microsofty or not, read this advice also.

Finally (and this should really be the First Law Of Posting), please give your audience a moment’s consideration before hitting the <SEND> button. If you are sending or responding to an inflammatory or incendiary email, at least sleep on it first or read this. If you are pillorying someone for asking a question the wrong way or saying something dumb, or complaining to the entire mailing list about something that offends you, remember this sage advice:

It is better to be thought a fool than to open your mouth and remove all doubt

Please be tolerant of others. We are not all on your wavelength. Some of us barely even speak your language (and you’ve probably never even heard of ours). CISSPforum is a global melting pot, so please don’t post anything racist, sexist, elitist, alarmist or any other kind of mist and please don’t fan the flames.

2.2 Is it safe to post my first message?

Of course! We’re all friends here! To the CISSPforum lurkers, we say: de-cloak and bathe us liberally in your knowledge and experience. Don’t be shy. Even a lame “me too” is marginally better than stony silence. But please re-read the tips just above before you dive right in.

There’s a special CISSPforum rule for Those Who Have Never Posted (you know who you are - we call you the Forum Virgins). You have our full permission to make Your First Posting without fear of retribution, dissent or ridicule. The trick is to write “First posting” or similar in the subject line and include something interesting in the body of your message.

The CUSses, beards-of-colour and others faithfully promise to be extra nice to you on your first posting. To be honest, we’re all generally nice people who don’t bite but occasionally bark a bit, albeit sometimes up the wrong tree. Hot discussions break out from time to time and create plenty of smoke but actual flames are very rare (see below for fire retardant advice).

2.3 How do I get people to respond positively and helpfully to my queries?

Good question! We heartily recommend and endorse the excellent advice in How to ask questions the smart way. It’s also not bad, by the way, on how to reply smartly to questions ...

2.4 How do I reply to messages?

CISSPforum has been set up so that, by default, replies are sent to the entire forum not just the originator of the message. That’s a load of information security professionals. If one day you accidentally reply to a forum message with a personal response without altering the To: line, be aware that your peers will see your ‘private’ message. The cranky ones will give you grief to add to your misfortune, no doubt ribbing you rotten for your mistake. If you wish your reply to go to only the original poster, use that person’s email address instead of cisspforum@Groups.IO. If you insist on sending ‘private’ messages to us all, please make them juicy if not defamatory, and prepare to be savagely lampooned.

2.5 Where have my messages gone?

We have no idea.  Check under the keyboard.  If you shake it upside down, do your golden crumbs of knowledge fall out?

Assuming you sent your messages to cisspforum@groups.io, they will hopefully now be grazing happily in one or more of Groups.IO’s server farms. They will also, hopefully, have been distributed to all members of CISSPforum. If you are asking this question because your messages have not turned up in your email inbox, take a quick peek in your spam box. Rifle through the advertisements and other social engineering attempts for anything vaguely resembling a CISSPforum message, then teach your spam-bot the error of its ways. Smack its little robotty.

2.6 How do I turn down the volume?

At times, CISSPforum can be a LOUD mailing list. Other mailing lists only go up to ten. CISSPforum sometimes reaches eleven. If it is too LOUD for you, here are seven volume-moderating techniques:

  1. Skim the subject lines and just delete anything mentioning, for example, LinkeDin or other lame topics. Don’t fret.
  2. Read CISSPforum as a daily digest with all the day’s takings in one mega email. This is a Groups.IO option.
  3. Check the senders. Some forumites are worth reading, others worth skimming, some deserve to go straight into the bit bucket without even opening. Your email client probably has the tools to do this automagically. Look for ‘email rules’ or ‘filtering’.
  4. Set aside a certain period of time each day to peruse the latest mailings. When your time is up, delete the remaining unopened messages and get back to Real Life.
  5. Don’t bother about keeping up with the latest topics. Use Groups.IO’s browsing or cunningly-named search functions to check the archives. There is a wealth of accumulated information, and it’s surprising how often we discuss the same things over and over like a recurrent nightmare.
  6. Read the forum using Gmail or a similar email facility that automatically links postings with similar subject lines into threads. Pick out interesting threads. Ignore the rest.
  7. Ignore everything. Delete without reading. Unsubscribe. Go on, miss out on those golden nuggets that would make all the difference to your career. Go ahead - see if we care. Talk to the fingers cos the keyboard ain’t listening.
  8. (Bonus idea) Don’t send complaints about the volume of the list to the list. Don’t send complaints about LinkeDin, daft jokes and comments to the list. Don’t try to send attachments to the list. In particular, if you are catching up with emails, look through the list of emails to see if anyone else has already commented or complained about a posting that upsets you, and leave it at that. Think twice before posting fresh junk, even on Fridays. Use your delete key as it was meant to be used and move swiftly along.

2.7 What do I do if (when) a posting upsets me?

Unless you are extremely liberal and tolerant, someone is bound at some point to post something that you don’t like or that offends you in some way. Very often if you post a complaint, someone else will complain about your complaint and pretty soon we get into a huge and unedifying “discussion”. People telling other people to take their complaints offline will, of course, do that online, the irony escaping them.

Personal attacks are more hurtful than helpful. While you might really want to say something along the lines of “You need a good kick to the head or an enema - in your case, those may end up being one and the same”, the following fire-retardant advice, originally posted on the forum by a wrinkly diplomat, sums up how to avoid fanning the flame wars:

I’d recommend peace, love and understanding all round.

Be tolerant and respectful of others on the forum. We have many cultures, abilities and styles here. We are not all like you. Many of us have never even been to your country.

The forum is self-moderated. Self restraint and tolerance are the watchwords.

Count to twenty before responding to jibes. If someone has upset you, explain to them (and only them) what upset you, and let them respond privately, off-list.

If someone complains to you about your behavior, consider their feelings. Please avoid slanging matches on the forum - take them off-line, behind the bike sheds perhaps.

If someone asks a dumb question, remember that you too were dumb once, and if you insult the questioner’s intelligence for asking such a question, you still are. We all had to start somewhere.

This is a community of peers. There is room for humour and occasional off-topic discussion but, please, take it easy on our <Delete> keys.

Enjoy the variety of experience. Relish the challenge of understanding others’ points of view. Chip in if you have something constructive to say, to seek clarification, or to challenge underlying assumptions.

If you think the emperor has no clothes, speak up. Some of the best threads start that way.

And if all else fails, hit your <delete> key, chill out and move along.

2.8 Trolling and troll-baiting

If you are a troll, or if you feel compelled to point out that someone else is trolling, or to respond to a posting allegedly by a troll, or posting about someone else responding to a troll, or are defending or criticising a troll, troll allegations, or those who have previously defended or criticised a troll, or are in any other way referring to trolling, the trollees (not trolleys) or the trolls, please add [Troll] to the subject line of your message so that those of us with automated anti-troll filters have an easier time*. Better yet, before posting your message, please reconsider whether doing so will increase or decrease the signal-to-noise level for the majority of CISSPforum members or whether your spleen might be better vented against the alleged troll directly, off-list. On behalf of us who actually do have a life, thanks very much.

* The more advanced CISSPs simply configure their systems to route all troll messages directly to Write Only Memory (WOM) devices installed at several highly redundant but totally secret locations on the intergalactic Interwebnet. It is alleged that one of these black holes has been found lurking within the (ISC)2 website but the last brave datagram we sent in there to check it out never surfaced, at least not in our galaxy.

2.9 Are there rules for the forum other than this FAQ?

Yes - the universal rules for posting stuff to newsgroups and similar online discussion fora apply to CISSPforum too. In that respect, CISSPforum is not special at all.

One simple rule trumps the lot: consider your audience.  Just as it is considered socially unacceptable to shout FIRE! in a crowded cinema, spare a thought for those who receive and may be affected by your missives.

Thanks to one of the more surreal CISSPforum Friday threads, it has been acknowledged that there are certain “unwritten” rules for the forum but, of course, they are undocumented, ephemeral and virtual.  They may or may not still exist. They may or may not ever have existed. They may not, or may, come into existence at the point you post something. They are like Schroedinger’s kitty, only not quite as furry.

2.10 Can I distribute files via CISSPforum?

No, at least not directly. Any file attachments sent to the mailing list will be summarily stripped.  Members who post documents or other materials will be embarrassed at having posted, essentially, nothing. “Here it is!” they exclaim, triumphantly but here it is not. This is lame.

However, any forum member can upload a file to the Groups.IO web interface and optionally announce it on CISSPforum. Be sure you have permission from the copyright holder before publishing anything in this manner: reaching a community of peers effectively places it in the public domain and we wouldn’t like to see you marched-off by the DMCA Gestapo...

An even better idea if you want more than just casual feedback on your document is to write and upload a draft to Google Docs and post a forum message inviting CISSPforumites to collaborate on writing/completing it. The combined brain power is awesome and we have yet to see a document that cannot be improved by the wider perspective. We’d encourage you to acknowledge all those who actively contribute and ideally publish the finished item to the CISSPforum files area or publicly under a Creative Commons license, but hey, that’s the group’s choice.

2.11 Is this forum private?

What do you think? The servers are probably in America, land of the free. Do we really need to spell it out for you? Ask Edward Snowden.

Membership in the CISSPforum is allegedly restricted to those holding CISSP.  Generally speaking, a number of respected CISSPforum members take the membership restriction to imply that it’s a discreet and exclusive private gentlepersons’ club. They hold that discussions on CISSPforum should not be discussed or reproduced elsewhere, outside the forum, believing that “what happens on the forum stays on the forum”. Restricting discussions to the CISSP community will hopefully result in a freer and franker exchange of ideas, the theory goes.

That said, it is not entirely sensible for members to assume that the content of messages they post to the forum will remain restricted to the membership. Those concerned about privacy and confidentiality (and which of us isn’t?) should bear in mind the old adage that you should never send anything by plaintext email (or indeed by courier) that you would not want to see on the front page of the newspaper. Do your own risk assessment, folks.

As a point of etiquette, if you wish to raise the issues discussed in CISSPforum elsewhere, it is best either to rewrite the salient points in your own words (sanitizing the identities and expunging the facts as appropriate) or to contact the original author/s for explicit permission, or both. Members contacted in this way are invariably flattered to be asked. You will almost certainly get the help you need to re-publish or at least plagiarize the salient parts from the original piece, and make a new friend in the process.

3 FORUM CONTENT

3.1 Is there an archive of CISSPforum postings?

Yes: CISSPforum messages are preserved for all eternity on CISSPforum. Remember this if you are about to flame another member or post something private, off-topic or lame. The cream of CISSPforum postings may also be shamelessly plundered for FAQ content.

3.2 Is this the proper place to compare certifications?

Probably not. The topic has been raised before and you are free to give it another go. You’ll get replies, some thoughtful, some not.

Strangely enough, most CISSPs maintain that CISSP rocks. Many of us, having CISSP on our CVs and business cards, are curiously defensive of the certification’s integrity and value. We have something of a vested interest.  That’s not to say it’s perfect, though.

3.3 Is this a good place to ask ethical questions?

Yes if you like.  Why not? It would be rude of us to refuse.

3.4 Is it OK to ask about topics previously covered?

Everybody does it but please see the next section for information about zombie topics.

3.5 What is OT (off-topic)?

Any forum posting containing “OT” in the subject line is considered off-topic and liable to be summarily deleted by those with More Important Things To Do. It is considered rude to post off-topic messages without the “OT”, and in fact slightly naughty to post on-topic messages with subject lines that just happen to contain those two specific letters in conjunction. As to exactly what is considered on- or off-topic, or at what point on- becomes off-topic or vice versa, well that’s a matter for your good judgement, or rather that of the majority of people on the list, or rather that of the vocal minority who feel compelled to tell us all whether something was on- or off-topic.

To be fair, on/off-topic is not a binary choice when it comes to many discussion threads, but subjects such as US gun laws are likely to descend rapidly into the abyss of politics, religion or both, leaving information security for dust.

The issue of moderation is a long-running joke on the forum: if you post a message asking why the moderator isn’t doing something, one of the long-time and vocal members (otherwise known as the Usual Suspects) will generally post a message claiming to be, or to nominate, the moderator of the week, and dispense moderation, in moderation.

It is traditional for the moderator not to be informed of his/her/its status. For example, Rob Slade was moderator during the early part of December, while he was out of town, only finding out upon his return. There being no moderator at that point, he had nobody to complain to.

The normal rules are relaxed slightly on Fridays but always beware going too far off-topic.

3.6 What topics are lame?

We all say dumb things from time to time but asking genuinely lame questions or offering supremely lame answers on CISSPforum can be a character-building experience, unless it is your first post anyway.

Before you ask a question, have you at least Googled it? Have you made even the slightest effort to search for the answer yourself? If so, great, go ahead and ask away. If not, be prepared to be told in no uncertain terms “Try looking at the first response on this Google query: ...”.

Zombie topics, out-of-office messages and off-topics are also considered more or less lame.

Responses can be lame too. It’s fair to assume, for starters, that being a member of this community means the original questioner has a modicum of intelligence and security expertise. To avoid cluelessness, take this classic response as a warning: “In order to attack your target, you should first recommend that your target gets an actual computer (www.dell.com or www.hp.com are two sites I’ve found useful for this), running Windows (www.microsoft.com, can be obtained at www.amazon.com). The attacker should of course know how to write an actual exploit (books at www.amazon.com, many sources to be found on the ‘Internet’, which you can recognize since it all starts with http). One thing that is often overlooked by junior hackers (explaining many failures to achieve desired goals) is that they do need a ‘computer’ for this (again, see www.dell.com, or for something more prestigious or esoteric try www.apple.com). I’m sure you realize all this, but one cannot be too careful.”

3.7 Where can I find thread summaries?

Basically, you can’t. This situation was accurately predicted by a rather boring prophet: “There shall in that time be rumors of things going astray, erm, and there shall be a great confusion as to where things really are, and nobody will really know where lieth those little things with the sort of raffia-work base, that has an attachment. At that time, a friend shall lose his friend's hammer, and the young shall not know where lieth the things possessed by their fathers that their fathers put there only just the night before, about eight o'clock.”

You may like to subscribe to the list using a Gmail account that automatically threads the responses. Or not.

3.8 When is Friday?

Being an information security professional can be a stressful existence. Some of us feel alone and isolated under pressure ... but we’re not. As members of the CISSPforum extended family, we have peers, friends, fellow pros, oh and that “uncle” who always turns up at weddings and funerals but nobody admits to knowing or inviting. CISSPforum is our stress-relief valve. Sometimes, there is nothing better than a good rant. Fridays are reserved especially for that purpose.

One of the unwritten rules of CISSPforum is that the normal rules (both written and unwritten) for posting messages are relaxed on Fridays in preparation for the weekend’s fun (the equivalent of dress-down-day, bad shirt day, or POETS day), within reason. Since “within reason” is itself part of the unwritten rules that are relaxed, even that is optional but please be sensible. This is a multicultural professional forum and we’re all pretty busy. OK perhaps not quite so frantic on Fridays.

On Fridays, expect to see the usual sarcasm, irony, pathos (and bathos), poignancy and passion, anecdotes and hopelessness, delicacy and discernment, humour (sometimes without you) and satire, derision and hyperbole, alliteration and synecdoche turned up a notch, with the occasional deep and meaningful discussion on coffee, donuts, poutine and sushi. Have fun, just avoid turning up the heat.

It has been alleged that some members literally dress down on Fridays. Whether this extends to nude posting is unknown at this point and none of us has the nerve to ask. It’s considered good security practice to cover your web cam lens though.

Those CISSPforum members who have the benefit of living slightly West of the International Date Line start their Fridays in advance when other less fortunate members to the East are still living in the past. Therefore, Fridays start on Thursdays. What’s more, when the less fortunate Easterners post their Friday messages, it is already The Future for the very same Westerners. Although certain grammatical problems are created by this particular form of time travel, the Westerners enjoy Easterners’ Friday postings on Saturdays. So, to summarize, “Friday” = Thursday + Friday + Saturday. We got used to the delays in Yahoo! groups which meant that some postings were two days late, or more, so therefore postings made Tuesday and Wednesday = “Friday” and postings sent “Friday” may show up Sunday or Monday, thus all seven days of the week are now officially “Friday.”

It has subsequently been suggested that “Friday” be celebrated only on days that begin with the letter "T" including Tuesday, Thursday, Today, Tomorrow, Thaturday and Thunday. We like Fridays on the Forum.

Mental health is a serious business but please forgive us if, at first anyway, we take things lightly. Often we’re just trying to help you defuse your ticking time bomb. Which wire to cut? If you are in serious trouble and don’t appreciate our ‘help’, say so and we’ll cut the crap. There is an immense pool of wisdom collecting dripwise under the forum. Collectively and individually, forum members have generally been there, done that, and staggered back from the brink. Let us throw you a lifeline. Simply raise your hand and call out.  We’re here for you and we care.

4 ZOMBIE TOPICS

4.1 What are zombie topics?

All manner of information security and other fascinating topics have been discussed on CISSPforum over the years. The following topics, however, have been discussed to death, several times, yet somehow they refuse to lie down and die. The forum is not moderated so you are welcome to raise these topics yet again (provided you have Something Important to say on the subject) but if you do, be prepared for a somewhat less than enthusiastic response and watch out for silver bullets, pointed wooden crosses or garlic around the door.

4.2 Zombie topic: reformed hackers

Been argued, no resolution. Some hold that, like Caesar’s wife, infosec professionals must be above suspicion, whiter than white (hats). Some hold that reformed hackers have “paid their debt to society” and have useful knowledge to contribute. The ensuing exchange is a bit like the Pope discussing religion with an atheist.

The arguments are also trotted out when discussing whether to even appear on the same conference speakers’ platform as the likes of Messrs. Mitnick and Abagnale. Some of us will, some of us won’t. It all depends on the height of one’s horse.

4.3 Zombie topic: security ROI (Return On Investment) or ROSI (Return On Security Investment)

This is undoubtedly an important topic but most of us are tired of seeing the same old same old. CISSPs have at various times challenged the “R” and “I” part of ROI, and the future is not so ROSI according to some. To make things still worse, the quantitative vs. qualitative vs. hocus pocus risk analysis thread often gets intertwined with the ROI zombie, making our lives a misery for a couple of weeks at a time.

If you have something truly novel to say on justifying security or risk management expenditure to management - a new approach, a revolutionary investment model, a neat way to persuade management to lengthen the corporate purse strings (something like a metrics dashboard using blinkenlights maybe?) - go ahead but for your own sanity, please check that we have not already thrashed the life out of it.

4.4 Zombie topic: cissp.txt

We are really tired of this topic. One or more of the following zombies arise from their tombs every six to twelve months to haunt us with their blood-curdling cries:

    a) “There is a list of CISSPs at [someURL].cissp.txt. This is appalling!”

    b) “There is a list of CISSPs at [someURL].cissp.txt and my name is not on it! What gives?”

    c) “There is a list of CISSPs at [someURL].cissp.txt and my name is on it! Aaaiiieeee!”

Yes, it’s true. There is a list that appears at various places around the net, usually named cissp.txt. This contains some names and contact information (a few of which, shock horror, are still valid!) of CISSPs who had listed themselves in the public directory at ISC2.org way back circa 2003, or early 2005 by other accounts (eons ago in Internet time or web-years). At one time someone lame evidently mined the public directory, possibly for marketing purposes. Later, someone thought it would be a good joke to post the list on the web to see if they could get lots of people upset. They appear to have succeeded. Several times around.

Oh, and a special note for posters in category (c).  You have had your CISSP for a while and posted some info to the (ISC)2 public directory, so why are you so upset? Get real.

4.5 Zombie topic: terrorism

Terrorism and indeed cyberwarfare/WWIII does have a relevance to security, of course, but please try and contribute some light to the discussion, not just more heat. Check out the archives and see what has already been said. Postings advocating violence against any persons or groups are DEFINITELY way off-topic.

4.6 Zombie topic: can I get CPEs with that?

Every so often, someone asks “Can I get CPEs for [taking a prep course for something else | listening to my iPod | watching Sneakers | doing CISA/CISM homework | etc.]?”, sometimes with the rider “I’ve checked the (ISC)² guidance but what do you think?” ... and the forum groans.

Forum members can only give unofficial and generally unreliable advice on this point. Does the material in the [course | iPod | running shoe | etc.] pertain to the CBK domains of the CISSP certification? If the material is pertinent to the CBK, Jack Holleran for one would say “yes”. One hour of relevant infosec study earns you one CPE, provided it can be validated in some way.

And that’s the crunch.

For the definitive answer on CPEs, contact (ISC)² directly. The official guidance is reasonably comprehensive and not too bad actually in terms of opportunities to earn CPEs for free. Remember also this point from (ISC)²: “As a professional who follows the (ISC)² Code of Ethics, please use your best judgment within these guidelines to select those activities which qualify for CPE credits and which will enhance your professional development.” In other words, be sensible and play nicely.

FWIW, here’s a bunch of ways of continuing your professional education and, in many cases, earning CPEs as you do:

  • Attend meetings and events of information security groups such as ISSA, ISACA, HTCIA, Infragard, AFCEA, ASIS, various infosec SIGs, (ISC)2 chapters etc. Better still, join the groups and actively participate. Even better, research topics, write presentations and offer to deliver them at such meetings. Best of all, join the committee or the board of directors.
  • By the way, as a CISSP, you are probably welcome to attend infosec meetings and events in the area where you work, live or stay, including work assignments that take you away from home: simply contact the organizers and ask politely. Offers to present are often well received, especially if you have something interesting and valuable to share with other infosec pros, preferably something they haven’t heard at least a million times already.
  • Attend or at least listen to presentations, conferences, webcasts/webinars/e-symposia, Podcasts etc. by security product vendors, infosec luminaries and other CISSPs. Actively participate where possible. Posing awkward questions is especially recommended in the case of vendor presentations (and really ought to qualify for special bonus CPEs). Many organizations that routinely release webcasts (such as CERT) send email notifications to their mailing lists when new ones are announced.  Most webcasts, conference presentations etc. are archived and remain available for a while, which is handy if the initial broadcast happens in a different time zone to you. It’s also a legitimate way to cut down the total time commitment thanks to the fast forward button and skimming stuff you already know (use with care - in some cases, there may be nothing of any substance left). Better still, research, prepare and deliver such presentations.
  • Read information security magazines such as Infosecurity Professional and look out for advertised events and seminars. Some mags on (ISC)2’s recommended reading list provide rather lame CPE quizzes, ostensibly to check that you have actually read and understood the content. The quizzes are not that hard to fake but remember why you became a CISSP, and why ‘Continuing Professional Education’ is worthwhile. No matter how devious and diligent you may be, I don’t believe “Researching and exploiting design flaws in CPE quizzes” itself qualifies for CPEs and probably fails the CISSP ethics canon.
  • Write articles on information security and related topics for publication in professional journals such as EDPACS, ISSA Journal, and Proceedings of the IEEE.
  • Read information security books and ideally write reviews of them for other prospective readers. Better still, write good infosec books.
  • Read and preferably comment on or otherwise contribute to infosec blogs.
  • Prepare and/or deliver training seminars on information security-related topics, such as CISSP, CISM and CISA revision courses, study groups etc.
  • Review and comment on draft information security standards, professional practice statements and the like. Please at least try to be constructive.
  • Write new CISSP (or CISA or CISM ...) questions. This is well worthwhile but much harder than it may appear. You are unlikely to earn nearly as many CPEs as the number of hours you actually put into researching, writing and honing your questions, especially at the start of your exam-writing career.
  • Study for further qualifications. In the case of information security-related qualifications such as CISSP concentrations or CISM and CISA, don’t forget that CPEs earned for any one usually qualify for the others too. Honestly, it gets easier.
  • Volunteer to proctor CISSP (or CISA or CISM ...) exams. Several CISSPforum members say they signed up for this but never got the call so don’t bank on this one.
  • Volunteer to take over publishing and maintaining this FAQ. Please.  It probably qualifies for CPEs, Green Shield Stamps, likes, lucky fortune cookies, lottery wins and medals.  Chests laden with gold and safety deposit boxes overflowing with conflict diamonds will be
  • Last but not least, actively participate in CISSPforum. Share your security wisdom. Challenge the accepted order. You don’t earn CPEs purely for participating, unfortunately, but may well do so in the course of researching and writing thoughtful forum postings. Remember this point when getting ready to post something. While it’s easy to dash off a quick email with little if any thought, taking a bit more time to get your thoughts in order, find, check and incorporate relevant references, and provide something of genuine value to your peers will earn you more respect on the forum, and perhaps a few CPEs too.

The bottom line: CISSPs who are truly committed to the information security profession have absolutely no trouble earning sufficient CPEs. If you are scratching around to find enough CPEs to clear the minimum hurdle of 120 CPEs per 3 year cycle (for CISSPs), step back and take a cold hard look at your commitment level. Is your personal development and career advancement really of so little concern to you?  Are you in the right profession?  Would you much rather be doing Something Else with your life?

See also the notes on submitting CPEs, a lame topic.

4.7 Zombie topic: why are we still using Yahoo! Groups?

Finally, in 2018, this zombie was put out of its misery when (ISC)² summarily pulled the plug on the Yahoo! forum. In addition to the official (ISC)² community, a replacement for CISSPforum was launched by the CUStards on Groups.IO.

We’re still patiently waiting for the email from (ISC)² about this. It appears to be one of those infamous long!-delay! Yahoo! messages! that will materialize at some random point in the future, out of the blue, lacking all context.

By the way, the official (ISC)² community claims to have 22,000 members, less than 10% of whom have ever posted. Even so, in terms of sheer volume, it wins hands-down over CISSPforum. It even has kudos and badges for posting stuff and giving out kudos!  Rejoice!  We’ll leave it to you to determine whether it generates sufficient interest and value to justify your involvement, or whether you’d be better off in CISSPforum or down the pub. Just remember that, sometimes, less is more, an approach the (ISC)² search functions take to the ultimate extreme. Whatever you seek, enjoy the pregnant pause while the inevitable “No search results found” is dragged kicking and screaming from the web server. It might as well read “Computer says no”.

4.8 Zombie topic: “We’ve been hacked - what do I do?”

Luckily this zombie is not as frequent a visitor to the forum as some of the others but we do occasionally get someone hitting the big red panic button and emailing in, all red-faced, sweaty-browed and hair growing visibly more grey by the minute. A typical question might be “I’ve just had a call from the Help Desk. They have taken a call from a user in the business who says his PC is acting strangely. The network boys and girls tell me there is loads of traffic on the user’s LAN segment and it looks as if the machine is spewing forth spam like it’s going out of fashion. HELP! What do I do?”.

The responses usually wander into various aspects such as which are the best forensics tools to analyze the system, how to analyze the live system before shutting it down, and why it is so important to brew up an incident management process BEFORE not DURING an incident, but the best immediate response to date on this sort of query is: “If you believe the system is compromised, and you don’t have the tools and skills to perform live (or any) forensic analysis, pull the network cable and get an expert. Don’t switch it off. Don’t even run a directory listing. Do not pass Go.  Do not collect 200 Bitcoins.”

If you are the expert, and you’re already on site and ready to go, IT forensics grab-bag in hand, underpants worn on the outside, things are different, obviously.
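What the “network boys and girls” would actually be looking at before anyone reaches for the big red button, as an added Python example that is not part of the FAQ or the forum’s own material: it parses netstat-style connection records (the sample lines, the port list, the relay address and the “five distinct destinations” threshold are all constructed assumptions, not real logs or official guidance), flags any host pushing SMTP to lots of distinct remote hosts, and then returns the FAQ’s own first-response rule: isolate and call an expert unless the expert is already on site.

```python
"""Network-side triage for the "my PC is spewing spam" call.

Added example, not from the FAQ: parses netstat/ss-style connection
records (constructed sample data) and flags hosts that look like they are
mass-mailing, then returns the recommended first response. The thresholds,
mail-port list and relay address are assumptions for the illustration.
"""
import re
from collections import defaultdict

# Constructed sample: proto, local addr:port, remote addr:port, state
# (the shape `netstat -ant` prints, with the queue columns trimmed).
SAMPLE_CONNECTIONS = """\
tcp 10.1.2.3:49152 203.0.113.7:25 ESTABLISHED
tcp 10.1.2.3:49153 198.51.100.12:25 SYN_SENT
tcp 10.1.2.3:49154 192.0.2.45:25 ESTABLISHED
tcp 10.1.2.3:49155 203.0.113.99:25 SYN_SENT
tcp 10.1.2.3:49156 198.51.100.77:25 ESTABLISHED
tcp 10.1.2.3:49157 192.0.2.200:587 ESTABLISHED
tcp 10.1.2.3:49158 203.0.113.8:25 SYN_SENT
tcp 10.1.2.9:50010 10.1.2.1:25 ESTABLISHED
tcp 10.1.2.9:50011 10.1.2.1:443 ESTABLISHED
tcp 10.1.2.9:50012 93.184.216.34:443 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)$"
)
MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, submission (assumed list)


def parse_connections(text):
    """Yield (local_ip, remote_ip, remote_port, state) per well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip headers or garbage rather than crash mid-triage
        yield (m["laddr"], m["raddr"], int(m["rport"]), m["state"])


def find_spam_sources(text, mail_relays=frozenset(), min_distinct_dests=5):
    """Return {local_ip: set(remote_ips)} for hosts talking SMTP to at least
    min_distinct_dests distinct remote hosts other than the sanctioned relays.
    A workstation legitimately talks to one relay, not to the whole Internet."""
    dests = defaultdict(set)
    for laddr, raddr, rport, _state in parse_connections(text):
        if rport in MAIL_PORTS and raddr not in mail_relays:
            dests[laddr].add(raddr)
    return {ip: peers for ip, peers in dests.items()
            if len(peers) >= min_distinct_dests}


# The FAQ's rule of thumb, encoded as the three possible verdicts.
ISOLATE = ("pull the network cable (or quarantine the switch port); "
           "do NOT power off; do not poke at the box; get an expert")
LIVE_FORENSICS = ("expert on site: capture volatile state (memory, connections, "
                  "processes) before anything else is touched")
MONITOR = "no evidence of compromise yet; keep watching and record what you saw"


def first_response(suspects, expert_on_site=False):
    """Map the triage result onto the recommended first action."""
    if not suspects:
        return MONITOR
    return LIVE_FORENSICS if expert_on_site else ISOLATE


if __name__ == "__main__":
    hits = find_spam_sources(SAMPLE_CONNECTIONS, mail_relays={"10.1.2.1"})
    for ip, peers in hits.items():
        print(f"{ip}: SMTP to {len(peers)} distinct hosts -> {sorted(peers)}")
    print(first_response(hits))
```

The point of the relay whitelist is to avoid paging the expert over the one host that is supposed to be talking to the corporate mail server; the point of counting distinct destinations rather than raw connections is that a bot fanning out to many MXs looks different from a user hammering a single flaky relay.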

Back to FAQ contents


5 FORUM MEMBERSHIP OPERATIONS & SETTINGS

5.1 How do I subscribe to CISSPforum?

  1. First, get the easy bit out of the way: get yourself certified as a CISSP by (ISC)2. The forum is for the certified only.
  2. Find the CISSPforum page at groups.IO, read the destructions and apply to join.  Supply the information the admins need to check you out, namely your CISSP certificate number and your name as shown on your certificate.
  3. After lurking and analyzing the traffic for a while, please send us a nice ‘hello’ message, ideally with something interesting about you, your job, your interests, your favorite security standards, almost anything really. Tell us what you thought of the CISSP examination maybe, or the (ISC)2 community. Say how you found out about the CISSPforum (was it through this FAQ?). Ask us about the unwritten rules.

If you get stuck, ask a fellow CISSP for help or contact the forum admins.  They are open to bribery and corruption, but please don’t tell (ISC)².

5.2 How do I join CISSPforum if I’m not yet a CISSP?

Easy: get yourself a coffee, turn off your phone and spend a merry hour or two absorbing the solid information and advice in an excellent Flash tutorial from ardent CISSPforum member and security evangelist Clement Dupuis. Become a CISSP and you will be welcome, if not compelled, to join the CISSPforum.

For fans of the UK comedy series Little Britain, yes, CISSPforum is a local forum for local people.

5.3 Since this is “CISSP forum”, that means that everyone is a CISSP, right?

Kind of. Lapsed CISSPies have been known to hang around like a bad smell long after their certifications have expired. You can usually tell actual CISSPies and especially the CUStards by how cranky they are, but not always: some remain stealthy.

5.4 Can I access the forum and files online?

Yes, if you are a member. Be our guest.

5.5 How do I temporarily stop getting email from the forum or change to digest mode?

Well done to you if you thought of this before shooting off on that extended vacation or business trip. Please read the next answer also.

You’ll find the message delivery options in the Groups.IO web interface hidden in plain view under the Subscription tab.

5.6 How do I set up my Out-Of-Office message so I don’t spam the whole forum?

Do not turn on “reply-to-messages-not-sent-directly-to-me” or “reply-to-all”. Your best bet is to RTFM for your email system or call your IT Help Desk.

5.7 How do I change the email address with which I subscribed to CISSPforum?

I guess you’ll need to flounder around in that Groups.IO web interface thing, again. 

5.8 How do I unsubscribe?

CISSPforum is a lifelong commitment. Unsubscription is not an option: once you’re in you’re in. You can check out any time you like, but you can never leave.

Flounder around in that Groups.IO web interface thing, again.  Again.

Back to FAQ contents


6 (ISC)2 STUFF

6.1 How do I receive regular communication from (ISC)2?

Method 1: subscribe to the (ISC)2 newsletter. To do this, simply sign into the (ISC)2 website, then click on “Subscribe to (ISC)2 newsletter.” You will be taken to a bcentral.com partner site where you must provide your email address, name, city, state, country and company name, inside leg measurement, dental records and a cheek scraping - well, enough to satisfy the data entry validation routines anyway. You may also disclose your interests (very short list) and certifications (also a short list). Within a few minutes you will receive a confirmation message welcoming you to the (ISC)2 newsletter mailing list, or not if you did not supply a valid email address.

Method 2: receive (ISC)2’s Infosecurity Professional magazine either as a free electronic softcopy by email or in print if you pay the postage and packing charge and don’t mind slaying trees. The magazine is just one of many benefits for “members” of (ISC)2. The first edition was released in April 2008 - search the CISSPforum archives for informed comment on the content.

6.2 How do I submit CPEs?

Read the (ISC)2 instructions which contain lots of detail plus a helpful link to the submission form.

Most questions about CPEs on the forum are lame since the (ISC)2 guidance generally answers them all.

6.3 How many CPEs can I get for that?

The CISSPforum is just a bunch of guys and gals, you know. We are not (ISC)2. We don’t award CPEs.

Most of us really don’t care much about CPEs because we are active infosec professionals who are awash with CPEs as a result of lots of reading, research, webinars, conferences, training courses and stuff. We don need no steenkin badges. Several of us teach, present to or write stuff for other CISSPs and CISSPwannabies to consume and claim their CPEs.

(ISC)2 offers reasonable advice on how to earn CPEs, including the official CPE guidelines.

If you need to find out precisely how many CPEs to claim for something, and what Type they are, just ask (ISC)2 not us. If you insist on asking us, expect a flatulent response. You could try setting up one of those web survey things and inviting us to vote. Just make sure you include the option “42”.

6.4 Where do I find anything on ISC2.ORG?

Good question! Some have speculated that when the late Douglas Adams wrote the Hitchhikers Guide To The Galaxy, he was thinking of the (ISC)2 website ...

    Mr Prosser said: "You were quite entitled to make any suggestions or protests at the appropriate time you know."

    "Appropriate time?" hooted Arthur. "Appropriate time? The first I knew about it was when a workman arrived at my home yesterday. I asked him if he'd come to clean the windows and he said no he'd come to demolish the house. He didn't tell me straight away of course. Oh no. First he wiped a couple of windows and charged me a fiver. Then he told me."

    "But Mr Dent, the plans have been available in the local planning office for the last nine months."

    "Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything."

    "But the plans were on display ..."

    "On display? I eventually had to go down to the cellar to find them."

    "That's the display department."

    "With a torch."

    "Ah, well the lights had probably gone."

    "So had the stairs."

    "But look, you found the notice didn't you?"

    "Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard."

We’re still looking for the “Beware of the Leopard” sign at the (ISC)2 website. If you find it, please post a message to CISSPforum and we’ll call off the hunt. Meanwhile try Google.

6.5 What do I get for my AMFs (Annual Mugging Fees)?

Quite often the discussion about which activities do or do not qualify for CPEs and/or how difficult it is to find information on the (ISC)2 website ends up with someone asking “What does (ISC)2 do for us anyway?”. This is not unlike Monty Python’s “What have the Romans done for us?” in the Life of Brian.

Even (ISC)2 accepts that it’s perfectly reasonable for CISSPs to ask “Do we get value for money for our Annual Maintenance Fees (AMFs)?”. (ISC)2’s official response mentions obvious member benefits such as security webinars and the career center, and talks about the wider benefits through various marketing efforts to promote the security profession in general and, by implication at least, CISSP holders in particular. It’s unfortunate that they neglected to mention the biggest benefit of all, CISSPforum, though!

The bottom line is a personal value decision: will the benefits to you of CISSP qualification exceed the AMFs? If you are working for an employer who requires security qualifications, the answer should be obvious, especially if you are privileged enough to reclaim your AMFs and associated training/educational costs as legitimate business expenses. Likewise if you are searching for a new position and your qualifications will earn you a higher salary or land you a better job with a more enlightened employer/manager (not so obvious a benefit maybe but, believe me, job satisfaction is worth a lot).

Finally, there is the Zen perspective. Will the effort to achieve and maintain your qualification make you a better person? Will it satisfy your inner drive to be good at information security? Do you value being part of the global professional infosec community? Do you maintain motorcycles?

Back to FAQ contents


7 MISCELLANY

7.1 What is the 11th domain?

The 11th CBK domain is an obscure reference to any topic that the membership of the forum currently considers clueless whether off-topic, misguided or just plain lame. It includes the old favorites “Out-Of-Office”, “Unsubscribe” and “Could have found it on Google in 2 µs.” Occasionally, it is a genuine proposal to extend the CBK to cover additional domains such as ‘human factors’ but such proposals seldom get anywhere due to conservatism, inertia and apathy, a terminal combination.

7.2 Who are the Usual Suspects?

Never mind life, the universe, everything. Who or what are the Usual Suspects? That’s the Ultimate Question. The designation “Usual Suspects” arose in the dim and distant past from an accidental mis-posting to the CISSPforum of a private message from an (ISC)2 staffer to another regarding certain outspoken and unnamed CISSPforum members. The comment is alleged to have spawned a sinister (or is it dextral?) secret society within the inner sanctum of CISSPforum, the Certified Usual Suspects (CUS), also known as the CUStards. Even the CUStards do not know precisely who the CUStards are nor what they have done to deserve the dubious distinction beyond being “outspoken” but rumors abound of special handshakes and blackballing, weird initiation ceremonies involving sushi and/or poutine, an unwritten but staunchly upheld code of honor, and a predilection for emitting well-aged bodily gases. There is no known method to join the CUStards, nor indeed to leave, although most members tend not to contribute quite as much volume post-mortem, though just as much value.

7.3 Who is responsible for this unofficial FAQ?

The current mug editor/maintainer of this FAQ is, allegedly: Gary Hinson Gary@isect.com

By all means chuck rotten eggs at me but be warned: the more you throw, the greater the chances you’ll be “invited” (cosa nostra style) to become the new FAQ editor/maintainer ...

7.4 Can I submit new questions and answers or corrections to the FAQ?

Absolutely! Send them directly to the current editor (pencil each one on a crisp $20 bill for the special express service) or better still post them to the CISSPforum for general discussion. All potential submissions are gratefully received. The best bits will be shamelessly plagiarized.

7.5 FAQ Credits

Thanks to the following for their invaluable contributions to this FAQ: Chris Brown, the late lamented Laurie McQuillan, John McGuire, Matt Curtin, Jack “Hollerin” Holleran, Rob “Grandpa” Slade, Pat “Spring Bunny” McGregor, Anton “Cats in Context” Aylward, Les “G’day Jimmy” Bell, Karen “Stop”ford (head of the No Department), D. “Cragin” Shelton, Mim-The-Merciless (slayer of the humor impaired), and Gary “Passionate” Hinson. Other members of CISSPforum and CUStards have contributed to the FAQ either through insightful postings to the forum or by pestering the editors privately (i.e. in a private place).

I’d like to thank my producer, the director, the investors, the NSA and of course the venerable Consortium without which this FAQ would not have been possible necessary.

7.6 What’s new here?

  • Lately: further tweaks and “improvements” may, or may not, occur.
  • December 2018: Gary finally got both the urge and the free time to update the FAQ’s original! Yahoo! references! to Groups.IO.  In addition to Spring-cleaning a few broken links, Gary removed the old instructions for joining the LinkedIn CISSP group since the validation facility appears to have disappeared without trace from the (ISC)2 website. The function used to be tucked away under the profile page but if it’s still there, it must be white-on-white, perhaps one solitary pixel. You’re on your own there. Try hunting the HTML source code maybe. Good luck Jim.
  • October 2006 : Gary took up the editorial cudgel in October 2006, beating Rob’s rather quaint plain ASCII text version into a modern, sleek-looking HTML web page with go-faster stripes, giving us the luxury of actual headings, working hyperlinks and most of all, readability. If you think you might prefer the original, it’s stored for all posteriors on the CISSPforum files area on Yahoo! Groups, where it is available to current members of the CISSPforum ... which hints at the real reason this FAQ was published as a public web page: the instructions for how to sign-up for the CISSPforum used to be available only to current members of CISSPforum. Doh! That’s a bit like printing the “pull cord before passing 1,000 foot altitude” inside the parachute, or having a black button on a black panel light up black to tell you it’s on. Shades of Catch-22 and HHGTTG.
  • 2005-2006 : Rob Slade copied a ton of Chris’s stuff, modified the rest so that it made less sense and did a fabulous job of injecting the odd ray of humor. He skillfully incorporated new stuff from CISSPforum including contributions from Laurie, John, Gary, Anton, Axel and Matt. In parallel, Anton set up a wiki version, after searching in vain for the ancient Greek word for wiki.
  • 2003-2004 : The original editor of this FAQ was Chris Brown who has mysteriously vanished into the ether, if not the net. Before he passed, Chris freely admitted that much of the content was outrageously stolen from posts to CISSPforum. The FAQ was uploaded to the CISSPforum files area in October 2003 and updated a couple of times before Chris evidently gave it up as a dead loss and went back to Real Life™. We remain eternally grateful, Chris (that you started this, not that you went away)(Seriously, Chris, do get in touch. Are you OK mate?).

Back to FAQ contents


The end of the unofficial CISSPforum FAQ is nigh.
That’s it, there is no more.
Just a horizontal line (yes, yet another rule!),
and a final link back to the top for those poor unfortunates
lacking page-up keys, vertical sliders and wheely mice.