Is CompTIA’s CASP a good next step?

I teach several CompTIA certifications, and believe they certainly have value. But I make it a point not to try to maintain a huge array of them. They’re often a starting point, something that gets your value recognized. But once your name is out there and you’ve established value, work is likely to be a problem only in its overabundance. Assuming you’ve got something to offer.

That does call for a degree of attention to what’s being asked for by any substantial group of customers. One of the most substantial groups I know is the massive defense industry, particularly in New Mexico. The so-called “DoD Order” requires a high degree of certification for anyone involved with information, which means that national laboratory employees, military personnel and contractors like Lockheed Martin are all asking for, or requiring, security certifications.

I make no secret that I’m involved with ISECOM and frankly prefer the style of security the institute advocates: describing, creating and supporting a culture of security consciousness. Consider, for perhaps an unfortunate example, the security of gangs, and members both in and out of prison. They have no real problems with information leakage, because the strictures are absolute: no one talks, everyone walks; you talk, you die. It’s a shame to put it in these terms, but I’ve witnessed the collapse of businesses and watched the weeping employees filing out with their boxes of cubicle tchotchkes. Sometimes security is highly preferable to unemployment or worse.

Now the DoD is expressing some respect for the CASP:

The Department of Defense (DOD) has begun including the security certification known as “CompTIA Advanced Security Practitioner” (CASP) in its accepted roster of industry-based security exams to prove technical skills, the trade group says.

It might be time to start studying.

* * *

So you tell me America needs to attract young hackers?

Luring Young Web Warriors Is Priority, you tell me?

And enticing them with game-like learning is the way to go, you say?

China has been doing this for years, I hear?

Now the New York Times even endorses it?

The secretary of that agency, Janet Napolitano, knows she has a problem that will only worsen. Foreign hackers have been attacking her agency’s computer systems. They have also been busy trying to siphon the nation’s wealth and steal valuable trade secrets. And they have begun probing the nation’s infrastructure — the power grid, and water and transportation systems.

So she needs her own hackers — 600, the agency estimates. But potential recruits with the right skills have too often been heading for business, and those who do choose government work often go to the National Security Agency, where they work on offensive digital strategies. At Homeland Security, the emphasis is on keeping hackers out, or playing defense.

See the whole article at


This is why calling it war is a problem: Are Hackers a Killable Target in a Cyber-War?

More than one internationally renowned cyber-security expert has warned against applying the vocabulary of war to the world’s current uneasy state of the Internet. Now that nations have begun creating destructive malware (which I hereby dub “warware”), anyone who considers themselves a hacker has to feel a tightening in the belly.

A big part of the problem is the meaning of the word “hacker,” a term originally coined to describe the fabricators/electronics tech/coders who beat on hardware, components and code to make the damn things DO something. Now it’s been hijacked by its use for “cyber criminal.” That’s a shame, but it’s a done deal.

But the real issue is, who gets to decide who’s a “war hacker?” Should we be calling them “whackers?” And should we all fear a Hellfire missile from above if we’re tinkering with the wrong project? God forbid, for instance, that you’re trying to teach teenagers how to tinker with the guts of their computers.

Don’t take my word for any of this. Start here instead:

* * *

“Hello, I’m a VxWorks device. Would you like to own me?”

There’s a server lurking on your home network if you’ve got an Internet-connected box like, say, a Sony Bluray player:

A recent report describes a critical and widespread vulnerability in electronics running VxWorks, an embedded real-time operating system (RTOS). Examples of affected devices include DSL concentrators, SCADA industrial automation systems, D-Link video conferencing systems, fibre channel switches, and Apple Airport Extreme wifi routers. The problem: a back-door diagnostic communications port provided by VxWorks.

Now, the above is from 2010. It poses an interesting challenge: how many vulnerable devices are waiting in people’s homes now in 2013?


The Feds are finally calling out China for its criminal hacking, and the Pentagon warns that cyberattacks are acts of war

We have seen the threat, and the threat is China:

U.S. National Security Adviser Tom Donilon stopped speaking in vagaries on Monday and called China out by name for the high number of cyber attacks coming from China that target U.S. businesses and federal agencies.

In the past, White House and government officials avoided specifically calling out China for the cyber attacks. However, the administration has since stepped up the rhetoric on getting serious about combating cyber threats. Government officials, to include former Defense Secretary Leon Panetta, have addressed U.S. concerns with China in the past, but they have not laid out their concerns publicly.

They’ve penetrated our nuclear command and control infrastructure:

“From the President on down, this has become a key point of concern and discussion with China at all levels of our governments. And it will continue to be,” Donilon said. “The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property.”

China has long been established as the worst offender for hosting attacks. Analysts have said thousands of cyber attacks target the White House every day. Many are assumed to emanate from China.

In September, a Chinese group of hackers reportedly broke into a White House network in what was called one of “Beijing’s most brazen cyberattacks.” The hackers broke into a “system used by the White House Military Office for nuclear commands,” according to a USA Today report.

Finally, from the Wall Street Journal, Pentagon confirmation that this sabotage can constitute an act of war:

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.

Repeat: Cyber crime, conducted by a sovereign nation, is an act of war.


The New US Cyber Command: Going On the Offensive

At least the rhetoric sounds good:

The chief of the military’s newly created Cyber Command told Congress on Tuesday that he is establishing 13 teams of programmers and computer experts who could carry out offensive cyberattacks on foreign nations if the United States were hit with a major attack on its own networks, the first time the Obama administration has publicly admitted to developing such weapons for use in wartime.

The biggest problem remains: those who refuse to admit the threat is real.


Health Care Providers Can’t Find and Keep IT Staff

Were you surprised? After years of being loaded with more and more work, IT pros are willing to jump ship at the first good offer. And healthcare providers are feeling the pinch.

On the one hand, I could point an accusatory finger at an industry that has practiced bad relations.

On the other, I would say, Look! Opportunity!


Yes, Virginia, there is a cyber threat, and the US government is warning us about it

Yesterday I was arguing with a colleague over the reality of cyber threats, in this case from China.

“I don’t believe it,” he said. “Do you believe everything you see on the Internet?”

“No. I consider the sources, and any agenda they may have. And I look for the primary source, the actual witness or victim or the first reporter on the scene. But are you saying you don’t think these attacks are happening?” I did a quick three-word Google search and immediately came up with a New York Times article on the subject.

“If China was really doing that stuff, we’d be at war with them.”

“We are moving toward war. Wouldn’t you consider it an act of war if the Chinese penetrated our nuclear missile command and control networks? Because they have.” Another Google, another instant example. “And it’s not the Chinese police, not the Chinese civil government, but the Chinese Army that is perpetrating these attacks.”

But no, he would not take it from me, and frankly that’s fine, as long as one is open to finding valid evidence and applying critical analysis to it. That calls for more education than just technical certifications, though.

You shouldn’t take it from me either. Consider the Wall Street Journal as a possibly qualified source: