I've been discussing the Institute for Security and Open Methodologies (http://www.isecom.org/) with my students and clients, with quite a bit of interest. Here's a short list of links for further information.
The Open Source Security Testing Methodology Manual - http://www.isecom.org/osstmm/
This is the essential methodology handbook for ISECOM security practitioners, or from the horse's mouth: "The OSSTMM is a formal methodology for breaking any security and attacking anything the most thorough way possible."
An Introduction to OSSTMM Version 3, by Michael Menefee - https://www.infosecisland.com/blogview/7797-An-Introduction-to-OSSTMM-Version-3.html
Menefee, who based his security consultancy around the OSSTMM, gives us the short list of Key Concepts.
Implementing OSSTMM Strategies Creates Value, also by Michael Menefee - https://www.infosecisland.com/blogview/8340-Implementing-OSSTMM-Strategies-Creates-Value.html
Menefee's interview with Christoph Baumgartner, CEO of OneConsult, a security firm using the OSSTMM: "Relying on the OSSTMM has been one of the most important strategic decisions of my professional life - and I have never regretted it."
Healthcare Risk Assessment Essentials, by Jack Daniel - https://www.infosecisland.com/blogview/6937-Healthcare-Risk-Assessment-Essentials.html
The four-step process of Discovery, Assessment, Recommendation and Review.
Risk assessment tips for smaller companies, by Dejan Kosutic - https://www.infosecisland.com/blogview/4499-Risk-assessment-tips-for-smaller-companies.html
An interesting summary of four basic steps in assessment.
This is an excellent in-depth look at cyber hacking and security resources: http://www.cybersecurityeducation.org/resources/ by David Parker | CyberSecurityEducation.org
Business Networking 101
by Vanessa Fardi

We have seen the word a million times in articles, magazines, blogs, even Facebook, but it is very likely we do not have the slightest idea of what “Networking” actually means. We might relate it directly to Facebook and we definitely know it is an important tool when it comes to doing business. But, do we know its actual objective? Networking can be defined as the exchange of information or services among individuals, groups, or institutions, and it specifically refers to the cultivation of productive relationships for employment or business. Now that we finally know what it means, how do we get it done? Should we just go to parties, meetings, benefits and events, talk to people about our company or business, exchange business cards and be sociable? Yes, that is exactly what a networker does. The main idea is to make new contacts with the objective of forming mutually beneficial business relationships. That is it! Now you are an expert on the subject.

There is another aspect we have to consider: why go ahead and do business networking? Some entrepreneurs and business owners actually think business networking is a more cost-effective method of getting new clients than advertising or public relations. Business networking can be conducted in a local business community, or on a larger scale on the Internet. Social networks play a very important role for companies nowadays. Even law firms and oil companies have Facebook and Twitter in order to attract more clients and be able to get the word out there about what they do. Social networks make companies more approachable to the general public and potential future clients. That is the reason why the position of Community Manager has boomed over the last five years. If it is not on Facebook, Twitter, Instagram or LinkedIn, your company literally does not exist.

To be the greatest networker known to man, just follow these simple, yet life changing, tips:
- Always be honest. No one likes a liar.
- Carry your business cards with you at all times.
- Try to meet at least five or more new people at an event.
- Be friendly.
- You will need to give to be able to receive. The business relationship works both ways.
- Go get them!
This July 1st (2016), the CompTIA A+ certification rolls over to the 901-902 version, with some pretty significant changes to the test materials. I’ve been evaluating books for my upcoming classes, and decided I’d try out not just different publishers’ offerings, but different forms of the media. As an instructor, I’ve relied heavily on physical books to run my classes: they’re marked up, dog-eared and rife with sticky notes for points I want to hit in class. Could I do as well with an eBook?
Pearson hooked me up with an epub version of this Exam Cram, written by David Prowse. I’ve been in this business for many years – and so has he. His materials are pretty darn good, including an online A+ training course I had the opportunity to preview (and review). When it comes to highly technical books, there are plenty of them that are written by committee, and read like it. I’ve got nothing against a dry, factual style, but my students seem to be more willing to read single-author books with a breezier prose style. This book falls into the second category, and has the kind of comfortable, personable text that makes reading 982 pages a lot less of a chore. By comparison, the 901-902 text by Mike Meyers runs 1472 pages of first-person conversation, while the text from Docter, Dulaney and Skandier is 1312 pages of formal discussion (what did I say about writing by committee?). Prowse gets one point for good prose style and one for shortest length, which does in fact matter.
One of the biggest changes for the new certification is the much-changed list of operating systems covered. XP is out, finally, but Vista lingers on, along with Windows 7, 8 and 8.1. Windows 10 is not covered. But OS X is getting a lot more discussion, which matches the workplace I see, mostly Windows but with a contingent of determined Mac users. The three texts I reviewed handled this issue differently. This Exam Cram splits OSs out among the main test topics, so there’s not one place that solely discusses Windows 7, for instance. Docter/Dulaney/Skandier do the opposite, with 50-60 page chapters on each major OS, which might be a good idea for organization, but does lead to a lot of duplicate discussions of installation and deployment, for instance. In my reading all three texts ended up covering the same materials for each OS, because the CompTIA A+ Objectives are so clearly spelled out in this area. Frankly, I kind of like the way Prowse handles things, discussing the topic under a major heading with subheads for each OS’s differences. iOS and Android also get a little more emphasis, though largely along the same lines as the 801-802 tests: checking versions, doing resets and synchronizing. The whole topic of OSs is one of the areas where the eBook really shines, with beautiful full-color high-resolution images.
Color images appear frequently in the text, and put the printed books’ grayscale images to shame. Many of them are close-ups of details, and I had to admire how well I could see things like silkscreen lettering on circuit boards. I wasn’t sure how comfortable I’d be using the eBook, as I’ve mentioned, and I tried more than one e-reader. Windows 8.1 offered a friendly link to the friendly Windows store for an epub reader, and served up an app that got even more friendly by installing a toolbar and search engine, and modifying my network settings, none of which I appreciated. It took some lengthy research to uninstall that crapware, then the research I should have done in the first place: what are the really good eBook readers, for Windows, in 2016? This led me to Adobe Digital Editions, much despised in its 1.x versions but apparently much improved in the current 4.5.x version. I thought I would miss my sticky notes, but the Bookmarks feature fills the gap really well. And it’s nice to click directly from the Table of Contents to a chapter, or even better, easily search for particular terms, something I had to rely on Indexes to do for me in paper books. I had to find the right tips page to figure out highlighting: select text, right-click, voila!
There are a lot of subtle things that get glossed over in a lot of A+ texts, for instance the issue of Northbridge and Southbridge, bridges that were originally real bridges with real, separate controller chips, but which are now “virtual,” in the sense of being absorbed into the main processor or other subsystems. Of the three texts I reviewed, only this one discusses the DMI bridge in Intel-processor chipsets, and none discusses DMA channels (which apply to RAM, not processors); there’s a certain degree of depth that’s being lost as different manufacturers devise very different solutions to the same fundamental problems. Intel’s DMI differs significantly from AMD’s HyperTransport bus, and both differ from Intel’s Quick Path Interconnect (QPI). Prowse gives all these some attention, and he’s the only one in this group who does. And that’s just one example.
The most important work students can do for certification exams is taking lots of sample tests. There are resources online, of course, and many are quite good. Brain dumps, on the other hand, are worse than useless because they’ll mislead you or insist on wrong answers. So the test material that comes with a CompTIA-approved text is actually really important, because for the most part it accurately reflects real question styles, for instance the frequent use of scenarios in questions. The Meyers book uses 10-question end-of-chapter quizzes that are good; they come at the end of lengthy chapters, which means you’ll read for a while before dealing with relevant questions. I have to admit I like Prowse’s Cram Quizzes, short 5-question tests that come two or three times per chapter. That’s a good idea: look at the material, then look at the kind of questions you’ll see for it. And not just multiple-choice questions, but performance-based questions like the ones you’ll be getting on the real exams going forward.
This makes for an interesting point: only Prowse’s online version of this course offers genuine simulations of the performance-based questions, for instance dragging and dropping devices to the correct slots. Obviously you’re not going to do this with either paper books or an eBook, but different writers have dealt with this in different ways. The Sybex book comes with access to an online lab and test bank, which I haven’t explored yet. This Prowse Exam Cram uses write-it-by-hand versions of the performance-based questions, which are actually pretty good substitutes, considering a lot of that drag-and-drop stuff is just silly.
Ultimately, I liked the Prowse book itself the best among this group, and surprised myself that I liked the eBook much more than I thought I would. It’s the shortest of the group I evaluated, yet covers many topics more completely. And Prowse’s writing is easy to read without trying to be too funny or chummy. Every classroom I work in has a projector, so it’s totally feasible to bring the book in digital form and put it up on the screen. When I’m drawing students’ attention to highlights, they can see exactly what I’m talking about, easily. I’m finding myself completely willing to try out this book, as an eBook, this coming term. Maybe the most interesting thing to see will be how well my students like using it. If they do, I’m going to permanently lighten my book bag and never look back.
CompTIA® A+ 220-901 and 220-902 Exam Cram
Copyright © 2016 by Pearson Education, Inc.
ISBN-13: 978-0-7897-5631-2 / ISBN-10: 0-7897-5631-5
Pearson’s A+ Video Courses: A Serious Alternative to Classroom Training
Video training has become a really big business. I’m a classroom teacher myself, and teach the A+ certification and several others, so the question of whether video training can replace classroom time is pretty personal, and I come at it a little skeptically. I’ve endured some truly painful online and video training courses, and I’m betting my gentle reader has too. Do they have to be awful? Or can they truly be good enough to replace “live” teachers? And more important, are they a good bargain relative to live classes?
No, they don’t have to be awful. Some are definitely better than others. Twenty years ago the user interfaces were mish-mashes, a situation that has hugely improved. Today they’ve almost all settled toward uniform layouts, which honestly improves the user experience across the board. It’s great to have a course outline with links to lessons down one side of the workspace or the other, for instance. Live classes often have a separate area for text material and another column for chat. Sometimes there’s a panel for downloadable materials, and sometimes all of these are wrapped up in one tabbed column (my favorite). What really matters is, which of these elements are included in a given course? And far more critical, how good is the actual presentation material?
In this case the material is quite good. The video pane alternates between Powerpoint-like slides, detailed video close-ups of hardware and actual assembly, and the presenter (whom I presume is David Prowse himself) talking and using a white board. This last is kind of classroom-like, complete with quick-and-dirty sketches. David has a good physical presence and a good speaking voice, so it works well. The frequent change of visual layout keeps things interesting, which is critical for recorded trainings. And the level of detail is really quite good; at 20+ hours for the 901 video course and 40+ for both 901 and 902, it’s close to the number of hours most live classes will run. That’s a lot of material, but in small chunks running about five minutes each. This is a popular format length these days: most students like being able to “drop in” to the course when they have some free time without making an hour-long commitment. Plus, it’s not so painful if you have to repeat a lecture. Personally, I find myself reluctant to start hour-long lessons online, but I can devour a five-minute video almost any time.
Lessons consist of Learning Objectives, lectures, Performance Based Exercises (very much like the ones you’ll find on the actual test) and PC Build demonstrations. The Learning Objectives aren’t a boring list of topics; instead, David gives a brief but much more informative talk about the lesson. Some Performance Based Exercises are classic drag-and-drop matching tasks, but some require you to demonstrate actual familiarity with Windows by, for instance, setting a static IP address, which is a highly relevant skill. The overall high-quality video production really shines in the PC Build walkthroughs, though these may be most useful for less experienced students. Modules are collections of Lessons, and include Module Quizzes (again, very similar to actual test questions). Most textbooks in this area include at least a couple of sample tests, whether on CD or by download. With this package you get a series of Module Quizzes, which as I’ve mentioned are pretty good, but you don’t get formal timed sample exams.
Can really hi-res video of motherboards and RAM and video cards replace the hands-on, pass-it-around of a live class? Put simply, yes, provided you’re already familiar with these things. But no, not if you’ve never handled them. How should you hold a stick of RAM? What part(s) should you never touch? If you picked up a module in a job interview would you be comfortable holding it? If these questions just make you laugh, you’re a good candidate for this course.
There were a couple of things I missed in the user interface package. There are no Supplementary Materials, which is a pretty small issue in a really complete package like this one, though I’ve run into some really valuable supplementary handouts from time to time. But the lack of student-teacher interaction might be a more serious issue. This is obviously the primary benefit of a live classroom or online class: you can say, Wait, I’m stuck on this, or I can’t make that work, or Mine doesn’t look like that. I’ve seen the chat window fill with questions, and I’ve found some of the most valuable material there when an instructor is provoked to a deeper explanation.
Some of the online course platforms use a hybrid method, where the course is recorded but the chat function is always available (and teachers are expected to respond to inquiries, even months or years later). Given the model of this video courseware, that’s not practical here. But this lack does take the course another big step away from the live classroom.
What really matters here is, can you take this video course and pass the A+ exam? There’s never a certain answer to that, because so much depends on the experience you bring. Some people are really successful at passing certification tests simply by reading a book or two; those people usually are already familiar with the topic and have advanced study skills. Most of us need more. If you can’t take a classroom course where you live, a video course is a very good alternative, at least if the course itself is high-quality, though I’d recommend spending some serious hands-on time with real hardware. The past few years have seen courses like this one dramatically improve, and at this point they’re certainly a viable alternative, especially if you’re relatively disciplined about your study – and like learning from videos rather than books.
Now for brass tacks: you can take two live courses for the 901 and 902 tests, with textbooks and test vouchers included, for about $2000 depending on your area. These two video courses list as a $499 package as I write this, much more expensive than a textbook and not including the tests, which will run you another $450. You could buy a text and some sample tests and spend barely more than half the price of classroom courses. If you’ve already got some experience with PCs, this could be a real steal for you.
Pearson IT Certification CompTIA A+ 220-901 Complete Video Course – January 22, 2016
By David L. Prowse
ISBN-13: 978-0-13-449930-7 / ISBN-10: 0-13-449930-1
Pearson IT Certification’s CompTIA A+ 220-901 and 220-902 Complete Video Course Library – April 18, 2016