Friday, July 26, 2013

How To Get More From Your IT Certs

As many of us are keenly aware, the information technology and security certification process is far from ideal. There are more than a few legitimate concerns about what we are actually getting out of expensive efforts to produce a highly certified labor force (noting that this isn't always correlated with highly skilled). One thing however that is interesting in these types of discussions is that we have a natural tendency to focus on what others should be doing: certification bodies, HR departments, etc...

While it is easy to criticize others, it is much harder to determine if there are things that we can do ourselves to make things better.  Along that line of thought, here are some ideas on ways that you can get the most real benefit from your own certification efforts:    

Forget About "The Test"
When you think about IT/IS certification there are probably a few things that flash through your mind: studying, jobs, money, bragging rights, and the test.  It is usually that last item that gives people the most anxiety. This anxiety actually causes a lot of folks to view certifications as a testing challenge.  If you look at certification attempts in this way you often end up focusing 100% of your energy on just passing the eventual exam.  The truth is that you can study for a test even without really having a deep understanding of the material the test covers; this approach involves a form of intelligent guessing anchored to some rote memorization.  You can get really good at this approach and "defeat" many exams.  However, at the end of this process you've only gotten better at taking tests and not at the actual material that the test is built around.

A better way to look at a certification attempt is as an opportunity for formal study of a body of material.  Every time you prepare for a certification, you should think about the competencies that the program is attempting to establish as a foundation.  If the certification is not explicit about this, then you yourself should write down all the concepts, methods, and practices that you should be able to competently manage at the end of your studies.  You should then build your study plan around the areas where you are deficient and hammer these hard.  This is the real work behind a certification attempt.  When you can prove to yourself that you meet the baseline competencies that the certification covers, then begin to focus on the test.  Ironically, you may have to study the exam at that stage to translate your knowledge into the confines of the examination process.  However, if you've done things in the right order and not cheated yourself out of garnering real knowledge and capability, then preparing for the test is often a very easy task.  The important thing is not confusing the two objectives: passing the exam is not the same as deserving the certification.

Study As If To Teach
Another way to get more value out of your certification attempt is to make some small tweaks to the way you study.  A few years back, my study methods were basically reading, flash-cards, and quick hands-on run-throughs of anything related to command syntax or specific tools.  This approach is more than enough to pass a great number of IT/IS certification exams; however, while studying this way I felt that I was merely getting competent and not really getting a deep understanding of some areas.  Then I came across some advice in a book about reading everything as if you had to teach it at the end of the week.  This single tweak in perspective, applied to my weekly reading, made a huge difference to my retention of knowledge.

High caliber educators have known this for a long time.  The best way to learn anything is to prepare to teach it.  As you go through your certification process, think about how you would teach the material that you are studying.  Also, think about how you would explain it to someone who doesn't have a technical background.   Einstein had a great quote about this:  "You do not really understand something unless you can explain it to your grandmother."

Give it a try and see how it works for you.  If you internalize information while thinking about how you would teach it, then you will see amazing improvements in your depth of understanding.  Even better, you might actually look for groups and opportunities to teach the material to others.

Have A Knowledge Maintenance Plan
This one is a bit of hard truth, but for many people the knowledge they gain in their certification process will be eroded to some extent after six months.  Fast forward a few years and the knowledge attrition will be even greater. Knowledge is a use it or lose it game. (Remember those foreign language classes you took in high-school?)

To prevent losing the time and effort we expended in building new knowledge, we have to make sure that we have a plan for sustaining it AND adding to it long after the exam is over. If you are committing yourself to being both a knowledgeable and skilled professional, then you are never done learning and reinforcing what you have learned.  Do not make the mistake of thinking that you are done with studying once a certification is over. I have never met a highly qualified professional who didn't, in addition to his/her daily work in the office, also have a home lab or side project that they were working on.  I personally try to spend at least 30 minutes to one hour (if I'm lucky) practicing a new skill or reviewing things I've learned in the past. It's a hard commitment to keep, especially when things get busy, but a critical one if you are going to work in any field that deals with technology.

The basic maintenance task of reviewing what you have already learned can be greatly aided by building a system around the learning technique of spaced repetition.  The basic idea of spaced repetition is that if you need to retain a large amount of material over an indefinite time-span, then the best way to do this is to periodically revisit the material over a long time period, with the gaps between reviews growing as you recall it successfully. A great tool for accomplishing this is Anki, which is an open-source flash card program that works on a variety of platforms including mobile devices running iOS and Android.  I really can't say enough about this program.  I now use it for maintaining knowledge bases for almost everything, professional and personal, that I am actively learning and developing knowledge and skill in.

To get a better idea of what Anki can do, check out the presentation below by Roger Craig, who holds the all-time record for single-day winnings on Jeopardy!.  In this video he discusses his study strategy and how he uses Anki to execute it and measure his progress.

Actually Use Your Knowledge 
Last but not least, you can't forget that the best way to maintain your knowledge is to use it!  No multiple-choice test can ever measure your ability to do something innovative, useful, and possibly even productive with your knowledge. Nothing beats experience. Nothing. Accept no substitutes, even if they do offer you an attractive piece of paper to hang on the wall. :-)

Ideas/Further Reading?
Do you have methods you've developed for getting the most value from your certification attempts? I'd love to hear about them.

Anki (Highly recommended. Great tool for managing your personal KB through spaced repetition.)

Your CISSP is Worthless - So Now What? (Good post + points by Dave Shackleford)

The real value of IT certifications: Education (Nice article by )

Tuesday, July 16, 2013

Three Reasons Why WEP Still Matters

In information security, we often spend a significant amount of time focusing on the latest vulnerabilities and attacks.  Our drive to find new things to worry about is often fed by a subject we prefer less: old security issues. The fact that so many "old" security problems are still relevant is often a source of professional chagrin.  However painful it may be, it is important to periodically revisit long-standing issues that still hound us.  If we are going to make progress and meaningfully grapple with contemporary challenges, then we have to truly learn from the failures of the past.  WEP represents one security failure that we can't afford to forget.

Brief History of WEP
WEP, or Wired Equivalent Privacy, is a Wi-Fi security algorithm that was bundled into the original 802.11 standard back in "ancient times" (1999) and developed by a group of IEEE volunteers. The aim of WEP was to provide confidentiality for wireless transmissions (a shared medium) similar to that of wired switched connections. Almost immediately after WEP's introduction, serious security flaws were uncovered, along with increasingly sophisticated methods for exploiting these weaknesses. The final death-blow for WEP should have come in 2007, when researchers in Germany demonstrated methods which allowed recovery of WEP keys in record time ("Gone In 60 Seconds").

The fact that WEP is irrevocably broken is of course only a small part of the story.  For many years now, the battle to eradicate WEP has raged on and been fought on many fronts. One primary front has been education -- if you've taken any security or network courses, you've certainly had it drilled into you by your instructors that WEP is bad (if they didn't explain exactly why, then check out the video at the bottom of this post). Another major effort to outlaw WEP was made via compliance -- PCI-DSS v1.2 (introduced in 2008) explicitly prohibited the use of WEP in merchant card-holder environments.  The latest major push is being made through equipment phase-out -- the WiFi Alliance announced in 2010 that WiFi certified equipment should deprecate all WEP functionality by this year (2013).

Even with all the effort spent to make WEP a bad memory of the past, the sad truth is that WEP remains a very important issue for three reasons:

Reason #1. WEP Isn't Dead (Legacy Tech Zombies On)
The sad truth is that WEP is still very much alive. Evidence for this can be found on WIGLE, a site where individuals submit both the location and properties of wireless networks from around the world.  At the close of 2012, WIGLE statistics showed that WEP-encrypted access points still made up ~18.8% of all wireless networks observed to date. So, 1 in 5 wireless networks globally may still be using a fundamentally flawed encryption solution (see stats below).

[Chart: Legacy Tech Doesn't Die Easily. Source: WIGLE Wireless Stats]

It is astounding to consider that nearly 20% of all wireless access points are susceptible to easily performed attacks (and of course 25% of those observed by "WIGLERs" employed no crypto at all).

We know of course that both people and businesses often don't upgrade or reconfigure technology that continues to function, even when cognizant of the risks (e.g. the TJ Maxx breach).  For this reason, WEP remains a "live" vulnerability in a very real sense.  More fundamentally, however, the "long life" of flawed or outdated security methods should give us all reason for pause. (SSL + CAs anyone?)

Reason #2. WEP Reminds Us That Security Review Is Essential 
While we often talk about the flaws in WEP in terms of misuse of cryptographic primitives, we don't often talk about the core issue that led to them.  It is held by many that the real root cause of the WEP flaws was the lack of peer review (esp. by cryptographers), which allowed the IEEE engineers to get so far down the road without spotting significant design flaws.

The lack of effective security review still remains a major issue that shows up over and over again. One illustrative example of this, which delights some and pains others, is the history of failures of DRM technologies that were incubated in relative isolation (e.g. the defeat of AACS).  In all major system designs, if security issues are missed early in the design stage, then the cost of addressing them downstream through retroactive engineering is often so high that companies don't even bother.

On the IT end of this issue, when was the last time you heard a vendor tell you not to worry about the security of their product because "it's encrypted"?  The lesson of WEP should also have taught us that even if vendors do use strong encryption algorithms, implementation flaws in other areas (e.g. PRNG, key management, etc.) can seriously cripple or invalidate the security of the whole system.  For this reason, the response to "it's encrypted" needs to be a number of questions that few actually ever ask.  One of these questions should be: how exactly does the company approach solution/code review to prevent missing serious issues? The integration of security code review (particularly by third parties) into software design processes can yield highly cost-effective identification and remediation of security issues early in the project pipeline.  However, many companies still do not have mature development processes that reduce the risk of myopic omissions via effective independent security testing and review.
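One concrete instance of the "strong algorithm, broken key management" problem is how WEP drives RC4: every frame is encrypted under the shared key prefixed by a 24-bit per-frame IV, so any two frames that repeat an IV are encrypted with the identical keystream. The following added example (not code from the original post) quantifies how quickly that happens on a busy WLAN using the birthday bound; the IV width and per-frame keystream reuse are documented facts about WEP, while the frame rates are constructed inputs for illustration.

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit IV to the RC4 key for every frame
IV_SPACE = 2 ** IV_BITS      # 16,777,216 possible IV values per shared key


def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` randomly chosen IVs are equal.

    Uses the standard birthday-bound approximation 1 - exp(-n(n-1)/(2N)),
    which is very accurate for N = 2^24. Two frames sharing an IV under the
    same key are encrypted with the same RC4 keystream, which is exactly the
    misuse of the primitive that a cryptographic review would have flagged.
    """
    if frames >= space:
        return 1.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest number of frames at which the chance of a repeated IV reaches p."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))


def seconds_to_exhaust(frames_per_second: float, space: int = IV_SPACE) -> float:
    """Time until a sequential IV counter wraps and keystream reuse is guaranteed."""
    if frames_per_second <= 0:
        raise ValueError("frames_per_second must be positive")
    return space / frames_per_second


if __name__ == "__main__":
    # Constructed frame rates, not measurements from any real network.
    for rate in (100.0, 1000.0):
        hours = seconds_to_exhaust(rate) / 3600.0
        print(f"{rate:>6.0f} frames/s: sequential IVs wrap after {hours:.1f} h")
    n = frames_for_probability(0.5)
    print(f"random IVs: 50% chance of a repeat after only {n} frames")
```

The takeaway for a reviewer is that the key never changes and the IV is far too small, so keystream reuse is a certainty within hours on a busy network, regardless of how strong RC4 itself is considered.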

Reason #3. Hacking WEP Should Be Basic Skill For IS Pros
Ever had to introduce yourself at a party and explain what you do for a living?  If you said something about "information security" or the like, you might have gotten a response like "oh, so you break into computers for a living".

Even if your IS-related job has nothing to do with breaking into computers for a living, I'd suggest that you still develop and maintain the ability to demonstrate the impact of ignoring common security flaws. The adage holds true that seeing is believing, but sadly many IS professionals lack the training to demonstrate even simple hacks.  One of the reasons that WEP is still alive is that there are no doubt still many misguided souls who believe that WEP is "secure enough".  This statement most often reveals a lack of understanding about how trivial it is to defeat most WEP implementations, or a false assumption that no one would bother attacking their WLAN.  Dislodging these viewpoints is often easily done by demonstrating (with permission, of course) how easy it really is to slice through bad security.

If you've never cracked WEP before, the Aircrack-ng simple WEP cracking tutorial is a great place to start.  Also, check out the video below on structural weaknesses in the WEP protocol to understand how these attacks work under the hood.

Ideas?/Further Reading
What are some other "old security" problems that are still with us and worthy of attention?  I'd love to hear your thoughts.

Unsafe At Any Key Size by Dr. Jesse Walker (Seminal paper on WEP weaknesses)