In the comments to an earlier article, Ideal Skill Set For the Penetration Testing, a reader, Nicole, asked, “Does anyone have any suggestions on where I should start building practical skills?” I originally wrote this as an answer to her comment. But it’s a question I get a lot […]
For 2011, ISACA has updated the domains reducing them from 6 to 5. Domain 4 now includes Disaster Recovery from the old Domain 6. This section has six areas that you need to understand for the CISA exam.
1) Information Systems Operations
One of the management control functions is to ensure […]
Application development security requires an awareness of how different environments demand different security. For example, the security for running a mainframe application that is not accessible by anything except the mainframe would be considerably different than the security for a web-based application that anyone on the internet has […]
Description: Using grep to find common web application vulnerabilities within your applications.
It is a common misconception that companies need to purchase complicated and expensive software to find security vulnerabilities (bugs) within their applications. These specialized software applications, whether they be black-box or white-box, open-source or commercial, do make the […]
It’s interesting to notice how ISACA is aligning itself with the International Organization of Standards ISO/IEC 27002. The title for Domain 3 is Information Systems Acquisition, Development and Implementation and the title for Section 12 of ISO/IEC 27002 is Information Systems Acquisition, Development and Maintenance.
There are 14 areas that […]
In our ongoing series of interviews, Joanna Rutkowska answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work she does.
Joanna Rutkowska is a strange combination of a security researcher and a system-level architect. She is the Founder of Invisible […]
There are several topics we need to look at when we discuss the Legal domain of CISSP. First you need some background and a couple of important distinctions:
Civil Law and Common Law — The most significant difference is that in civil law, judicial precedents and particular case rulings do not […]
An Introduction to S-Tools
Steganography (as we discussed in our coverage of the CISSP Cryptography Domain) is the hiding of information within a picture, say a *.bmp file or a *.gif file. To demonstrate steganography’s simplicity this article will cover a brief demonstration of hiding information within a BMP picture […]
The iPhone is one of the most popular mobile devices on the market with an array of downloadable apps for users to do any number of things. Its popularity and the users’ habit of downloading apps make it a popular target for malware developers and data thieves.
As I demonstrated […]
CISA – Domain 2 – Governance and Management of IT
ISACA has revamped the CISA material and this domain now contains the Business Continuity section from the old Domain 6. There are 13 areas that you need to understand in Domain 2.
1) Corporate Governance
Know the definition for corporate governance
Know what ISO 26000 […]
In this video, we will review the wealth of forensic data stored on an iPhone 3Gs using Paraben’s Device Seizure software.
The iPhone is one of the most popular mobile devices on the market and that makes it a popular target for malware developers and data thieves.
Some of the types […]
Several of you have been asking for a mapping of the new CISA 5 domains to the previous year’s six domains. The new mapping is as follows:
The major change is that the old Business Continuity and Disaster Recovery domain has been split into two parts and merged into Domain 2 […]
In our ongoing series of interviews, we got HD Moore to answer a few questions and pull back the curtain a bit on the methods, tools and motivation for the research he does discovering security exploits.
HD Moore is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the […]
Description: A tool for each of the OWASP Top 10 to aid in discovering and remediating those vulnerabilities
If you’ve spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced […]
The cost and quality of penetration tests vary wildly between different vendors. As a response to those differences, a group of security professionals have been developing the Penetration Testing Execution Standard (PTES). We solicited some comments about this standard, and standards in general, from several people including:
Christopher Nickerson of […]
You only have to turn on the TV and watch some of the footage of the destruction caused by the tsunami in Japan to realize the importance of business continuity and disaster recovery planning, or think back to the September 11 attacks and remember the destruction in New York City […]
First, get a copy of the CISA Review Manual and a copy of the Q&A CD
Second, read one Domain, then answer all the questions on the Q&A CD for that Domain until you can answer every one correctly. As you answer the questions, look in the Review Manual for that […]
ISACA’s 2011 CISA Exam material has been revised from six domains to five domains. Prior to 2011, Domain 6 was Business Continuity and Disaster Recovery. That old Domain 6 has been separated into two parts, with Business Continuity being included in Governance and Management of IT, which is Domain 2 […]
As the first in an ongoing series of interviews, we got recent Pwn2Own winner Charlie Miller to answer a few questions and pull back the curtain a bit on the methods, tools and motivation for the research he does discovering security exploits.
Charlie Miller is currently Principal Analyst at Independent […]
There are books upon books about cryptography and this article will not attempt to regurgitate all of the historical background about the subject. However, there are some specific definitions and concepts that you need to understand in order to successfully navigate the CISSP exam and, for that matter, to […]