There are several (overlapping) ones. Collect them all!


Overview

For security professionals, there are several expensive, overlapping certification exams from competing agencies.

NOTE: Content here consists of my personal opinions and is not intended to represent any employer (past or present). “PROTIP:” highlights information I haven’t seen elsewhere on the internet: hard-won, little-known but significant facts based on my personal research and experience.

This map is from security techno-thriller book reviewer Paul Jerimy at https://pauljerimy.com/security-certification-roadmap (click through for the full-screen image).

CCSK (Cloud Security Alliance Certificate of Cloud Security Knowledge)

The Certificate of Cloud Security Knowledge (CCSK) is marketed as a complement to other credentials (CCAK, CISA, CISSP, CCSP) by the Seattle-based Cloud Security Alliance (CSA), which also sells training.

QUESTION: Is the CSA Cloud Trust Protocol Daemon prototype inactive?

Whizlabs has sample tests, but of questionable quality, with too many double-negative questions and answers.

The CCSK is an open-book, online exam completed in 90 minutes. Purchasing the exam costs $395 (free to veterans) for two attempts, which you have 2 years to use. The minimum passing score is 80% of 60 multiple-choice, vendor-neutral questions selected randomly from the CCSK question pool. The domains in v4 of the exam (available since December 1, 2017):

Cloud Security Alliance NorthEast Ohio chapter: https://www.meetup.com/Cloud-Security-Alliance-Northeast-Ohio-Chapter/events/275707693/

Domain 1 Cloud Computing Concepts and Architectures

  • Definitions of Cloud Computing
    • Service Models
    • Deployment Models
    • Reference and Architecture Models
    • Logical Model
  • Cloud Security Scope, Responsibilities, and Models
  • Areas of Critical Focus in Cloud Security

Domain 2: Governance and Enterprise Risk Management

  • Tools of Cloud Governance
  • Enterprise Risk Management in the Cloud
  • Effects of various Service and Deployment Models
  • Cloud Risk Trade-offs and Tools

Domain 3: Legal Issues, Contracts and Electronic Discovery

  • Legal Frameworks Governing Data Protection and Privacy
    • Cross-Border Data Transfer (GDPR)
    • Regional Considerations (California)
  • Contracts and Provider Selection
    • Contracts
    • Due Diligence
    • Third-Party Audits and Attestations (SOC, ISO)
  • Electronic Discovery
    • Data Custody
    • Data Preservation
    • Data Collection
    • Response to a Subpoena or Search Warrant

Domain 4: Compliance and Audit Management

  • Compliance in the Cloud
    • Compliance impact on cloud contracts
    • Compliance scope
    • Compliance analysis requirements
  • Audit Management in the Cloud
    • Right to audit
    • Audit scope
    • Auditor requirements

Domain 5: Information Governance

  • Governance Domains
  • Six phases of the Data Security Lifecycle and their key elements
  • Data Security Functions, Actors and Controls

Domain 6: Management Plane and Business Continuity

  • Business Continuity and Disaster Recovery in the Cloud
  • Architect for Failure
  • Management Plane Security

Domain 7: Infrastructure Security

  • Cloud Network Virtualization
  • Security Changes With Cloud Networking
  • Challenges of Virtual Appliances
  • SDN Security Benefits
  • Micro-segmentation and the Software Defined Perimeter
  • Hybrid Cloud Considerations
  • Cloud Compute and Workload Security

Domain 8: Virtualization and Containers

  • Major Virtualization Categories
  • Network
  • Storage
  • Containers

Domain 9: Incident Response

  • Incident Response Lifecycle
  • How the Cloud Impacts IR

Domain 10: Application Security

  • Opportunities and Challenges
  • Secure Software Development Lifecycle
  • How Cloud Impacts Application Design and Architectures

Domain 11: Data Security and Encryption

  • Data Security Controls
  • Cloud Data Storage Types
  • Managing Data Migrations to the Cloud
  • Securing Data in the Cloud

Domain 12: Identity, Entitlement, and Access Management

  • IAM Standards for Cloud Computing
  • Managing Users and Identities
  • Authentication and Credentials
  • Entitlement and Access Management

Domain 13: Security as a Service

  • Potential Benefits and Concerns of SecaaS
  • Major Categories of Security as a Service Offerings

Domain 14: Related Technologies

  • Big Data
  • Internet of Things
  • Mobile
  • Serverless Computing

ISC2.org

ISC2.org (a non-profit) publishes a Code of Ethics at https://www.isc2.org/ethics

https://www.isc2.org/Certifications/Qualification-Pathfinder

Prices for exams taken at Pearson Vue test centers:

CC: Certified in Cybersecurity (CC)

$199

SSCP

$249 USD SSCP (Systems Security Certified Practitioner)

CGRC

$599 USD CGRC (Certified in Governance, Risk and Compliance), previously CAP (Certified Authorization Professional) until Feb 23, 2023, is for individuals with 2+ years of experience being responsible for the implementation and management of information security risk management and compliance programs. Pass with a scaled score of 700 out of 1,000 on 125 questions over 3 hours at a Pearson VUE testing center.

The seven CGRC domains follow the steps of the NIST SP 800-37 RMF (Risk Management Framework): prepare, categorize, select, implement, assess, authorize, monitor. (Identify, Protect, Detect, Respond and Recover are the five functions of the separate NIST Cybersecurity Framework; the first two are sometimes called “left of boom”.)

CGRC questions are drawn from a broad spectrum of vendor-neutral topics in the CGRC Common Body of Knowledge (CBK®) over 7 domains:

  1. Information Security Risk Management Program
    • Control Objectives for Information and Related Technology (COBIT)
    • International Organization for Standardization (ISO) 27001,
    • International Organization for Standardization (ISO) 31000,
    • Federal Information Security Modernization Act (FISMA),
    • Federal Risk and Authorization Management Program (FedRAMP),
    • General Data Protection Regulation (GDPR),
    • Health Insurance Portability and Accountability Act (HIPAA)
  2. Scope of the Information System:
    • Federal Information Processing Standards (FIPS) 199,
    • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27002,
    • data protection impact assessment
  3. Selection and Approval of Security and Privacy Controls: baseline and inherited controls; control enhancements (e.g., security practices, overlays, countermeasures); continuous control monitoring strategy (e.g., implementation, timeline, effectiveness); Information Security Management System (ISMS)
  4. Implementation of Security and Privacy Controls
    • Information Technology Security Guidance ITSG-33 – Annex 3A,
    • Technical Guideline for Minimum Security Measures,
    • United States Government Configuration Baseline (USGCB),
    • National Institute of Standards and Technology (NIST) checklists,
    • Security Technical Implementation Guides (STIGs)
    • Center for Internet Security (CIS) benchmarks,
    • General Data Protection Regulation (GDPR)
  5. Assessment/Audit of Security and Privacy Controls
    • Risk treatment options (i.e., accept, avoid, transfer, mitigate, share)
  6. Authorization/Approval of Information System
  7. Continuous Monitoring

  • https://www.isc2.org/certifications/References#
  • https://www.isc2.org/Certifications/CAP/experience-requirements
  • https://resources.infosecinstitute.com/overview/cgrc/ reports there are 4,157 CGRC/CAP holders

Gerald Auger, PhD (SimplyCyber.io) publishes the $30 GRC (Governance, Risk management, and Compliance) Analyst Master Class. The first scholarly research on GRC was published in 2007, where GRC was formally defined as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.” Good governance includes:

  • Ethics and accountability
  • Transparent information sharing
  • Conflict resolution policies
  • Resource management

CISSP

Even at $749 USD, the Certified Information Systems Security Professional exam (pronounced “sis pee”) is sought after by cybersecurity leaders as the “gold standard” of vendor-neutral cybersecurity certifications. Earning it shows you understand cybersecurity from a management viewpoint, a requirement if your organization is subject to PCI, GDPR, HIPAA, SOX, ISO 27001, or other regulations.

The first version of the Common Body of Knowledge (CBK) was finalized in 1992 and the CISSP credential was launched in 1994. Since it is internationally recognized, there are questions about cybersecurity regulations in Canada, the UK, the EU, etc.

Rather than the previous 250 questions over 6 hours, the CISSP exam is now adaptive, asking 100-150 questions depending on whether answers are correct. PROTIP: With adaptive testing, your objective is to get hard questions, so study as if you’ll get all hard questions. The better you are, the harder the test is. If you ace the first 10 questions, you’ll be put into “brutal mode”. With CAT (Computer Adaptive Testing), the more questions one aces, the sooner one finishes before the 3 hours are up. VIDEO: This also means you can’t go back and change answers to questions already answered.

There is a 5-year experience requirement, attested to by other credentialed professionals.

Passing requires a scaled score of 700 out of 1,000 points across the eight CISSP domains.

PROTIP: I think Mike Chapple’s 33-hour LinkedIn Learning videos (also on YouTube) provide the most detailed, best-sequenced introductory lectures, updated for the May 2021 BOK. He includes demos of the most popular software. Each CISSP domain below links to his tutorial on that domain.

Numbers to the right of each domain are counts of questions in the O’Reilly/Pearson question bank:

  1. Security and Risk Management - 334
  2. Asset Security - 44
  3. Security (Architecture and) Engineering - 268
  4. (Communication and) Network Security - 114 on OSI model
  5. Identity and Access Management (IAM) - 82 on biometrics
  6. Security Assessment and Testing - 41 on NIST SP 800-92
  7. Security Operations - 245
  8. Software Development Security - 164; includes a demo of ZAP Proxy for fuzzing, Git & GitHub.

Parentheses in domain names contain words removed in the 2023 version of CISSP.

“Every domain is interconnected. It’s swimming with overlap.”

Official Flash cards of definitions:

  1. The Information Security Environment - 18 items
  2. Information Asset Security - 17 items
  3. Identity and Access Management (IAM) - 24 items
  4. Security Architecture and Engineering - 48 items
  5. Communication and Network Security - 88 items
  6. Software Development Security - 101 items
  7. Security Assessment and Testing - 18 items
  8. Security Operations - 62 items

https://learning.oreilly.com/search/?q=cissp&type=*&rows=10 Search on OReilly.com

Quizzes on CloudAcademy.com by exam domain:

  1. Security and Risk Assessment
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communication and Network Security
  5. Identity and Access Management
  6. Security Testing and Assessment
  7. Security Operations
  8. Software Development Security

Written References:

  • $58 Sybex BOOK: “(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle Second Edition” by Mike Chapple, who has a video course on LinkedIn Learning which is deep yet concise, with effective sequencing of topics. He also shows demos of security-related Windows programs where appropriate, such as Windows Firewall Log Viewer.

  • Joseph Delgadillo’s cissp-testprep-cheatsheet provides a PowerPoint file.

  • My notes on cyber security highlights what to remember.

Practice Questions:

Not yet updated to CISSP 01 May 2021 changes:

Video prep courses view:

Jerod Brennen created video courses (on LinkedIn Learning) for each of the eight CSSLP (Certified Secure Software Lifecycle Professional) domains:

  1. Secure Software Concepts Released Feb 12, 2020 (Confidentiality, Integrity, Availability triad, IAM, design)

  2. Secure Software Requirements

  3. Secure Software Design 1h 48m

  4. Secure Software Implementation/Programming

  5. Secure Software Testing (online and offline)

  6. Secure Lifecycle Management

  7. Secure Deployment, Operations, and Maintenance

  8. Supply Chain and Software Acquisition

Quizzing Tests:

YouTube videos with content index (and ads) by Rob Richa with John Berti of Destination Certification, by CISSP domain:

  1. Security & Risk Management

  3. Security Architecture and Engineering:
    • Models and Frameworks: https://www.youtube.com/watch?v=qZB6_lp9M30&t=30s
    • Evaluation Criteria: https://www.youtube.com/watch?v=WqHmDL7YAvw&t=30s
    • Trusted Computing Base: https://www.youtube.com/watch?v=fwU7n_3h058&t=30s
    • Vulnerabilities in Systems: https://www.youtube.com/watch?v=fPUypU7ysMw&t=30s
    • Cloud: https://www.youtube.com/watch?v=-rWQ7YuxiLY&t=30s
    • Cryptography: https://www.youtube.com/watch?v=LLRaa0kOMDM&t=30s
    • Digital Certificates, Digital Signatures & PKI: https://www.youtube.com/watch?v=8XKdFSG3ua4&t=30s
    • Cryptanalysis: https://www.youtube.com/watch?v=pnITDgs63M4&t=30s
    • Physical Security: https://www.youtube.com/watch?v=7ESQwNJ9HXU&t=30s

  5. Identity and Access Management (IAM):
    • Access Control Overview: https://www.youtube.com/watch?v=BUcoABZzeQ4&t=30s
    • Single Sign-on & Federated Access: https://www.youtube.com/watch?v=_U4QMIxVk8M&t=30s

  6. Security Assessment and Testing:
    • Security Assessment and Testing Overview: https://www.youtube.com/watch?v=eDVZvw5NziA&t=30s
    • Vulnerability Assessment and Penetration Testing: https://www.youtube.com/watch?v=vZ0S8GdWiIk&t=30s
    • Logging & Monitoring: https://www.youtube.com/watch?v=cwcARccyWyY&t=30s

  7. Security Operations:
    • Investigations: https://www.youtube.com/watch?v=Urev5cZgny8&t=30s - Locard’s exchange principle: the perpetrator will leave something behind and take something away
    • Incident Response: https://www.youtube.com/watch?v=PwxFwndQ7Jk&t=30s
    • Malware: https://www.youtube.com/watch?v=SVbrRozyIpo&t=30s
    • Patching & Change Management: https://www.youtube.com/watch?v=xX4U6Lz82Bk&t=30s
    • Recovery Strategies: https://www.youtube.com/watch?v=DrrfrJBnx28&t=30s
    • Business Continuity Management (BCM): https://www.youtube.com/watch?v=oAjNL3I_3-E&t=30s

  8. Software Development Security:
    • Secure Software Development: https://youtu.be/fS5WWjuyFmQ&t=30s
    • Databases: https://youtu.be/-70DBd6cNDw&t=30s

Bootcamp: the FRSecure CISSP Mentor Program (12th year) ran 13 days of 2 hours each from April 13, 2020, streamed by @evanfrancen (S2me.io).

posted by SANS Blue Team Ops:

Flash cards:

  • https://quizlet.com/343215416/csslp-exam-guide-flash-cards/

Suggestions:

CCSP

$599 USD CCSP (Certified Cloud Security Professional). Get a scaled score of 700 out of 1,000 on 125 questions in 3 hours. Whew. The six domains:

  • Cloud Concepts, Architecture and Design
  • Cloud Data Security
  • Cloud Platform & Infrastructure Security
  • Cloud Application Security
  • Cloud Security Operations
  • Legal, Risk and Compliance

This PDF has the details.

ccsp.alukos.com is a GitBook-formatted listing with glossary of terms, laws by country, standards by each body, frameworks.

Prep courses:

I think ISC2 is being too clever with its questions, past the point where the test is as much about knowing the twisted mind of the test maker as about understanding the underlying material. I wish ISC2 test writers saw the “Advanced” level of “knowledge” as higher-order thinking (such as evaluation) rather than teasing out twisted meanings of words in tests.

Bragging:

  • https://charbelnemnom.com/passed-official-ccsp-exam-certified-cloud-security-professional/

ISACA.org

ISACA.org (originally the Information Systems Audit and Control Association) issues the CISA (Certified Information Systems Auditor) certification among others and holds the Digital Trust World conference. Do not confuse it with the US CISA agency (Cybersecurity and Infrastructure Security Agency), which maintains the Known Exploited Vulnerabilities catalog, nor with the Cloud Security Alliance, which publishes the CAIQ. ISACA asks for a $50 test application processing fee in addition to a USD $145 annual membership fee plus up to $50 monthly local chapter dues. Members get a $185 discount on the $760 online, remotely proctored exam fee paid to Pearson VUE. Its website uses Salesforce Authenticator for 2FA. There’s also a $45 annual maintenance fee for each certification, plus $50 for each recertification, and costs for continuing education.

Exec Order 14028 update of 13366

ISACA CSX

ISACA’s Cybersecurity Nexus (CSX) Certificates

Zero Point Security CRTO

The Certified Red Team Operator (CRTO) course and certification gives the student 48 hours of lab time spread across a 4-day window, during which 8 flags must be found and submitted (6 to pass) within Snap Labs.

https://medium.com/@adamgoss/certified-red-team-operator-crto-review-71ea4edef62a

Offensive Security

Offensive Security is a for-profit company offering courses with labs and certifications:

  • $495 OSCP (Offensive Security Certified Professional) is one of the most difficult to pass because it is part “hazing ritual” and is proctored via webcam. It is a 24-hour time-boxed test where you penetrate as many machines as you can within a large virtual environment (which includes Active Directory), using Kali Linux. That’s followed by another 24 hours to write (with screenshots) an exam report. You must also pass a background check. The PWK prep course is $1,295. More

  • OSEE (Offensive Security Exploitation Expert) covers DEP and ASLR evasion, heap spraying, and function pointer overwrites. OSEE candidates must complete the Advanced Windows Exploitation (AWE) course by Offensive Security, held live and hands-on at the Black Hat conference in Las Vegas, NV, then pass a rigorous 72-hour practical exam that includes preparing a comprehensive penetration test report. So this certificate indicates a level of expertise far beyond that of most penetration testers.

Topics include: 64-bit Exploitation, Debugging, DEP ByPass, Disarming EMET Mitigations, Exploit Development, Heap Spray, Kernel Driver Exploitation, Kernel Pool Exploitation, Memory Protection Bypass, NX/ASLR Bypass, ROP Chain, Sandbox Escape, Shellcode, WinDBG, Windows Kernel Exploitation.

  • OSWE (Offensive Security Web Expert) covers web security testing: XSS attacks, SQL injection, XML external entity injection, weak random token generation, DOM XSS, server-side template injection, and command injection via websockets (black-box material)

  • OSCE is being retired. It covered exploits used by attackers to breach security infrastructure.

SANS

SANS formed the Global Information Assurance Certification (GIAC) program to act as the certification arm for its training courses. GIAC has a roadmap at https://www.giac.org/certifications/get-certified/roadmap to dozens of exams across six domains. It offers remote proctoring through ProctorU.

  • GEVA (GIAC Enterprise Vulnerability Assessor) requires 71% correct on 75 questions over 2 hours. It covers vulnerability assessment framework planning and methodology in an enterprise environment; discovery and validation of vulnerabilities using tactics like network scanning and PowerShell scripting; and remediation and reporting techniques using proper data management.

  • GCIH (GIAC Certified Incident Handler) has an unstated passing percentage on 100-150 questions over 4 hours. It covers incident handling (response) and computer crime investigation; computer and network hacker exploits; and hacker tools (Nmap, Nessus, Metasploit, Netcat). A single chapter covers NIST SP 800-61.

Based on the NICE framework

  • GCED (GIAC Certified Enterprise Defender) requires 70% correct from among 115 questions over 3 hours. It covers Incident handling and computer crime investigation; Computer and network hacker exploits; Hacker tools (Nmap, Nessus, Metasploit and Netcat)

  • GSE (GIAC Security Expert) is marketed as the premier security certification. Its prerequisites are the GSEC, GCIH and GCIA, at least two of them at Gold level. You then take a multiple-choice exam followed by a hands-on lab (not available during COVID). The proctored exam has a minimum passing score of 64% on 24 VM-based hands-on questions with a 3-hour time limit.

CompTIA

DoD Directive 8570.01 (2005) has been superseded by DoD Directive 8140.01, so job candidates need to hold an approved certification just to apply for some government jobs. DoD 8140 expands on DoD 8570 to leverage the Defense Cybersecurity Workforce Framework (DCWF), which draws from the original National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) and the DoD Joint Cyberspace Training and Certification Standards (JCT&CS).

CompTIA certifications were designed for compliance with ISO 17024 standards and approved by the US DoD to meet directive 8140/8570.01-M requirements. Regulators and government rely on ANSI accreditation, because it provides confidence and trust in the outputs of an accredited program. Over 2.3 million CompTIA ISO/ANSI-accredited exams have been delivered since January 1, 2011.

Security+

Security+ is considered an “entry level” exam but its detailed coverage of some obscure encryption protocols makes it difficult even for professionals.

PROTIP: I passed the Security+ after studying literally 4 years, on and off. What helped me get over the intimidation is to seek out the trick questions and delight in them as an intellectual curiosity.

https://public.cyber.mil/devsecops/

PenTest+

https://www.whizlabs.com/comptia-pentest/

CASP+

CASP+ (CompTIA Advanced Security Practitioner) exam CAS-003 is for practitioners (not managers) at the advanced skill level of cybersecurity: implementing solutions, policies and frameworks. For $396 for CompTIA members or $466 USD (or $799 with retake and $849 with labs), you have 165 minutes to answer 90 multiple-choice and “hands-on, performance-based” questions, graded pass/fail. The domains:

  1. 19% Risk Management
  2. 25% Enterprise Security Architecture
  3. 20% Enterprise Security Operations
  4. 23% Technical Integration of Enterprise Security
  5. 13% Research, Development, and Collaboration

Performance-based questions (PBQs) test a candidate’s ability to solve problems in a simulated environment that approximates a firewall, network diagram, terminal window, or operating system. Sample from a set of 12 flash cards:

  • To list which services start in each runlevel on Red Hat 5.5:

    chkconfig --list

  • Services to disable on a DNS server:

    httpd, mysqld, lpd, bluetooth, wpa_supplicant

  • To stop a service:

    service httpd stop
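The PBQ above asks you to reduce a DNS server to the services it actually needs. Here is an added example (not from the page, CompTIA, or any flash card) that does the same audit programmatically: it parses the text that `chkconfig --list` prints on RHEL 5, flags every service enabled in a multi-user runlevel that is not on an allowlist, and returns the stop-and-disable commands you would type. The allowlist `DNS_ALLOWLIST` and the sample `chkconfig` output are constructed for the example.

```python
"""Audit a SysV service list against an allowlist for a dedicated DNS server.

Added example; it is not from the page, CompTIA, or any CASP+ flash card.
It parses the text that `chkconfig --list` prints on RHEL 5, flags every
service enabled in a multi-user runlevel (3, 4 or 5) that a DNS-only host
should not be running, and returns the commands an administrator would
type to stop and permanently disable each one. The allowlist and the
sample chkconfig output below are constructed for the example.
"""
import re

# Assumption: what a dedicated BIND server legitimately needs.
DNS_ALLOWLIST = {"named", "sshd", "syslog", "network", "crond", "ntpd", "iptables"}

MULTIUSER_RUNLEVELS = {"3", "4", "5"}

# Constructed `chkconfig --list` output, including the xinetd section.
SAMPLE_CHKCONFIG = """\
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:off   3:on    4:on    5:on    6:off
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
wpa_supplicant  0:off   1:off   2:off   3:on    4:off   5:on    6:off
xinetd based services:
        rsync:  on
        telnet: off
"""

_SYSV_LINE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*)+)$")
_XINETD_LINE = re.compile(r"^\s+(\S+):\s+(on|off)$")


def parse_chkconfig(text):
    """Return {service: {"levels": set of runlevels where it is on, "xinetd": bool}}.

    xinetd-managed services have no runlevels of their own; when xinetd lists
    one as 'on' it is treated as enabled wherever xinetd runs (multi-user).
    """
    services = {}
    for line in text.splitlines():
        m = _SYSV_LINE.match(line)
        if m:
            on = {lvl for lvl, state in re.findall(r"(\d):(on|off)", m.group(2)) if state == "on"}
            services[m.group(1)] = {"levels": on, "xinetd": False}
            continue
        x = _XINETD_LINE.match(line)
        if x:
            on = set(MULTIUSER_RUNLEVELS) if x.group(2) == "on" else set()
            services[x.group(1)] = {"levels": on, "xinetd": True}
    return services


def services_to_disable(text, allowlist=DNS_ALLOWLIST):
    """Names of services that start in a multi-user runlevel but are not allowed."""
    return sorted(
        name for name, info in parse_chkconfig(text).items()
        if name not in allowlist and info["levels"] & MULTIUSER_RUNLEVELS
    )


def remediation_commands(text, allowlist=DNS_ALLOWLIST):
    """RHEL 5 commands to stop each offender now and keep it off after reboot.

    xinetd services have no init script of their own, so only
    `chkconfig <name> off` applies to them.
    """
    info = parse_chkconfig(text)
    cmds = []
    for name in services_to_disable(text, allowlist):
        if not info[name]["xinetd"]:
            cmds.append(f"service {name} stop")
        cmds.append(f"chkconfig {name} off")
    return cmds


if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_CHKCONFIG)))
```

On a real host you would feed `subprocess.check_output(["chkconfig", "--list"])` into `remediation_commands` instead of the constructed sample; the allowlist is the part worth keeping under version control, since it is the documented statement of what the box is for.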

CASP+ satisfies Baseline Certification for DoD IAT (Information Assurance Technical) Level III, IAM (Information Assurance Management) Level II, and IASAE (Information Assurance Security Architecture and Engineering) level I and II jobs.

CASP+ Practice Tests by Nadean H. Tanner (at Puppet, Metasploit)

O’Reilly Live Video Crash Course by Dean Bushmiller.

video 18+ hours released Jan. 2018 by Michael J. Shannon:

  1. Risk Management

    1: Business and Industry Influences and Risks

    2: Organizational Security Privacy Policies and Procedures

    3: Risk Mitigation Strategies and Controls

    4: Risk Metric Scenarios for Enterprise Security

  2. Enterprise network and Security Architecture

    5: Integrating Network and Security Components, Concepts, and Architectures

    6: Integrating Security Controls for Host Devices

    7: Integrating Controls for Mobile and Small Form Factor Devices

    8: Selecting Software Security Controls

  3. Enterprise Security Operations

    9: Conducting Security Assessments

    10: Selecting the Proper Security Assessment Tools

    11: Implementing Incident Response and Recovery

  4. Technical Integration of Enterprise Security

    12: Integrating Hosts, Storage, and Applications in the Enterprise

    13: Integrating Cloud and Virtualization Technologies in the Enterprise

    14: Integrating and Troubleshooting Advanced AAA Technologies

    15: Implementing Cryptographic Techniques

    16: Secure Communication and Collaboration Solutions

  5. Research, Development and Collaboration

    17: Applying Research Methods for Trend and Impact Analysis

    18: Implementing Security Activities Across the Technology Life Cycle

    19: Interacting Across Diverse Business Units

Kelly Handerhan’s Cybrary videos

CASP CAS-003 help on Reddit (archived)

Ucertify has good labs

Sybex book has labs as well

Udemy video “Prepatory course for the exam CAS-003”

  1. Understanding Risk Management - 2hr 22min QUIZ
  2. Network and Security - 1hr 55m QUIZ
  3. Implementing Advanced Authentication and Cryptographic Techniques - 1hr 46min QUIZ
  4. Implementing Security for Systems, Applications, and Storage - 2hr 23min QUIZ
  5. Implementing Security for Cloud and Virtualization Technologies - 1hr 45min QUIZ
  6. Utilizing Security Assessments and Incident Response - 1hr 42min QUIZ

Amazon search CAS-003

The Official CompTIA CASP+ Self-Paced Certification Study Guide (Exam CAS-003) Paperback by Jason Nufryk is $219.00

Notes:

Memory dump tools: Memdump, KnTTools on Windows, FATKit

Runtime Debugging: AddressSanitizer, C# Deleaker, Software Verify

Attestation provides evidence about a target to an appraiser so that policy compliance can be determined prior to authorization of access.

The Annualized Loss Expectancy (ALE) is the product of the Annual Rate of Occurrence (ARO) multiplied by the Single Loss Expectancy (SLE).
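The exams go one step further than the ALE definition above and ask whether a safeguard is worth buying. Here is an added example (not from the page) that carries the arithmetic through: SLE from asset value and exposure factor, ALE from ARO, and the annual value of each candidate control as the ALE it removes minus what it costs. The asset values, exposure factors, rates and safeguard costs are constructed for the example.

```python
"""Quantitative risk arithmetic as tested on CASP+ and CISSP.

Added example, not from the page: computes SLE and ALE for an asset and the
annual value of candidate safeguards, then ranks them. The asset values,
exposure factors, rates and safeguard costs are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float       # AV, dollars
    exposure_factor: float   # EF, fraction of AV lost in one incident (0.0 to 1.0)
    aro: float               # ARO, expected incidents per year (may be < 1)

    def sle(self):
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float        # purchase amortized plus operating cost per year
    exposure_factor: float    # EF after the safeguard is in place
    aro: float                # ARO after the safeguard is in place


def control_value(risk, safeguard):
    """Annual value of a safeguard = ALE(before) - ALE(after) - annual cost.

    A negative result means the safeguard costs more than the loss it avoids;
    the exam's answer is then to accept (or transfer) the risk instead.
    """
    after = Risk(risk.asset_value, safeguard.exposure_factor, safeguard.aro)
    return risk.ale() - after.ale() - safeguard.annual_cost


def rank_safeguards(risk, safeguards):
    """Safeguards ordered from most to least cost-effective."""
    return sorted(safeguards, key=lambda s: control_value(risk, s), reverse=True)


# Constructed scenario: a $200k web server, 25% damaged per breach, two breaches per 4 years.
WEB_SERVER = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.5)

CANDIDATES = [
    Safeguard("web application firewall", annual_cost=8_000, exposure_factor=0.25, aro=0.1),
    Safeguard("tested nightly backups", annual_cost=3_000, exposure_factor=0.05, aro=0.5),
    Safeguard("gold-plated appliance", annual_cost=30_000, exposure_factor=0.25, aro=0.02),
]

if __name__ == "__main__":
    print(f"SLE ${WEB_SERVER.sle():,.0f}  ALE ${WEB_SERVER.ale():,.0f}")
    for s in rank_safeguards(WEB_SERVER, CANDIDATES):
        print(f"{s.name:28s} value ${control_value(WEB_SERVER, s):,.0f}/yr")
```

Note that a control can lower EF (backups shrink what each incident destroys) or ARO (a WAF makes incidents rarer), and that the most expensive option loses even though it reduces ALE the most: the question asked on the exam is net value, not raw reduction.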

Bluesnarfing is the unauthorized access of a device by an attacker who is trying to access information on the device.

Hyperconvergence takes convergence a step further by utilizing software to perform integration without requiring hardware changes.

CompTIA CySA+

CompTIA CySA+ (CS0-002) “Cybersecurity Analyst” exam launched April 21, 2020 at Pearson VUE centers and online for $359; it requires a scaled score of 750 (on a 100-900 scale) on up to 85 questions in 165 minutes.

VIDEO:

  1. Threat and vulnerability management:

    1. Explain the importance of threat data and intelligence.
    2. Given a scenario, utilize threat intelligence to support organizational security.
    3. Given a scenario, perform vulnerability management activities.
    4. Given a scenario, analyze the output from common vulnerability assessment tools.
    5. Explain the threats and vulnerabilities associated with operating in the cloud.
    6. Given a scenario, implement controls to mitigate attacks and software vulnerabilities.
  2. Software and systems security
    1. Given a scenario, apply security solutions for infrastructure management
    2. Explain software assurance best practices
    3. Explain hardware assurance best practices
  3. Security operations and monitoring:
    1. Given a scenario, analyze data as part of security monitoring activities.
    2. Given a scenario, implement configuration changes to existing controls to improve security.
    3. Explain the importance of proactive threat hunting.
    4. Compare and contrast automation concepts and technologies.
  4. Incident response
    1. Explain the importance of the incident response process.
    2. Given a scenario, apply the appropriate incident response procedure.
    3. Given an incident, analyze potential indicators of compromise.
    4. Given a scenario, utilize basic digital forensics techniques.
  5. Compliance and assessment
    1. Understand the importance of data privacy and protection
    2. Given a scenario, apply security concepts in support of organizational risk mitigation
    3. Explain the importance of frameworks, policies, procedures and controls.

Udemy course


Cisco CCIE

CCIE - Cisco

Only 4,000 people have passed it world-wide.

EC-Council Penetration Tester

EC-Council (International Council of E-Commerce Consultants), founded in 2001, has 3 levels of certification. See FAQ at https://cert.eccouncil.org/faq.html


CEH

The CEHv10 (Certified Ethical Hacker version 10) ANSI exam, as defined by https://www.eccouncil.org/programs/certified-ethical-hacker-ceh, asks 125 multiple-choice questions in 4 hours.

The exam is proctored by ECC EXAM or Pearson VUE (both as exam code 312-50). Courseware is discounted to $850, with a $100 upgrade for the VUE exam, from “Aspen iLabs”.

Exam Brochure: https://www.eccouncil.org/wp-content/uploads/2016/07/CEHv10-Brochure.pdf

CEH Candidate Handbook: https://s3-us-west-2.amazonaws.com/edm-image/documents/CEH-Handbook-v2.2.pdf

Blueprint: https://cert.eccouncil.org/images/doc/CEH-Exam-Blueprint-v2.0.pdf

CPENT / ECSA

The advanced level, ECSA (Certified Security Analyst) at https://www.eccouncil.org/programs/certified-security-analyst-ecsa-practical/, is being phased out in Oct. 2020 in favor of CPENT (Certified Penetration Testing Professional).

Covers “double pivoting”.

$2199 w/ training, $799 for challenge.

LPT

At the Expert Level is LPT: Licensed Penetration Tester [Master] https://www.eccouncil.org/programs/licensed-penetration-tester-lpt-master/ with training via CPENT.

EC-Council

EC-Council built the Advanced Penetration Testing Cyber Range (ECCAPT).

IIBA Cybersecurity Analysis

IIBA, the International Institute of Business Analysis (Pickering, Ontario, Canada), has an affiliation with the IEEE. Membership costs $139/year. For $250 until Oct 31, 2022, then $400/$475 for members/non-members, it offers the CCA (Certification in Cybersecurity Analysis) alongside its 6 other certifications, administered online by PSI. IIBA does not disclose the score needed to pass, scores attained, nor scoring percentages.

As of Aug 2022, 266 CCA attendees had 90 minutes to answer 75 multiple-choice questions in these Knowledge Areas:

  • Cybersecurity Overview and Basic Concepts 14%
  • Enterprise Risk 14%
  • Cybersecurity Risks and Controls 12%
  • Securing the Layers 5%
  • Data Security 15%
  • User Access Control 15%
  • Solution Delivery 13%
  • Operations 12%

AWS Security

See my notes at https://wilsonmar.github.io/aws-security

Microsoft SC-900 & AZ-500

PDF (updated Jan 21, 2021): Microsoft’s AZ-500 Azure Security Technologies Associate online exam is for people who maintain security posture, identify and remediate vulnerabilities using a variety of security tools, implement threat protection, and respond to security incident escalations. Domains:

  1. Manage Identity and Access (30-35%)
  2. Implement Platform Protection (15-20%)
  3. Manage Security Operations (25-30%)
  4. Secure data and applications (20-25%) (Policy and Data Infrastructure & Data at Rest, App Security, Key Vault)

It costs $165 at Pearson VUE, less if you’re a certified trainer or enrolled in esi.microsoft.com/getcertification, which has practice tests from MeasureUp.

Prerequisite is certification as either:

or

Microsoft’s learning paths for AZ-500 :

  1. Secure your cloud applications in Azure 6 Modules - 5 hr 36 min
    1. Microsoft Azure Well-Architected Framework - Security - 1 hr 2 min
    2. Top 5 security items to consider before pushing to production - 45 min
    3. Create security baselines - 1 hr
    4. Manage secrets in your server apps with Azure Key Vault - 46 min
    5. Secure an ASP.NET Core web app with the Identity framework - 1 hr 8 min
    6. Control authentication for your APIs with Azure API Management - 55 min

  2. Implement resource management security in Azure 6 Modules - 3 hr 27 min
    1. Protect against security threats on Azure - 25 min
    2. Build a cloud governance strategy on Azure - 48 min
    3. Control and organize Azure resources with Azure Resource Manager - 46 min
    4. Secure your Azure resources with Azure role-based access control (Azure RBAC) - 37 min
    5. Manage access to an Azure subscription by using Azure role-based access control (Azure RBAC) - 21 min
    6. Create custom roles for Azure resources with role-based access control (RBAC) - 30 min

  3. Implement network security in Azure 5 Modules - 5 hr 8 min
    1. Secure network connectivity on Azure - 32 min
    2. Configure the network for your virtual machines - 1 hr 34 min
    3. Secure and isolate access to Azure resources by using network security groups and service endpoints - 43 min
    4. Encrypt network traffic end to end with Azure Application Gateway - 1 hr 17 min
    5. Monitor and troubleshoot your end-to-end Azure network infrastructure by using network monitoring tools - 1 hr 2 min

  4. Implement virtual machine host security in Azure 6 Modules - 6 hr 4 min
    1. Microsoft Azure Well-Architected Framework - Security - 1 hr 2 min
    2. Create security baselines - 1 hr
    3. Create a Linux virtual machine in Azure - 1 hr 26 min
    4. Create a Windows virtual machine in Azure - 51 min
    5. Secure your Azure virtual machine disks - 1 hr 1 min
    6. Protect your servers and VMs from brute-force and malware attacks with Azure Security Center - 44 min

  5. Manage identity and access in Azure Active Directory 9 Modules - 5 hr 17 min
    1. Protect against security threats on Azure - 25 min
    2. Create an Azure account - 39 min
    3. Manage users and groups in Azure Active Directory - 50 min
    4. Create Azure users and groups in Azure Active Directory - 41 min
    5. Secure your application by using OpenID Connect and Azure AD - 50 min
    6. Secure Azure Active Directory users with Multi-Factor Authentication - 38 min
    7. Manage device identity with Azure AD join and Enterprise State Roaming - 25 min
    8. Allow users to reset their password with Azure Active Directory self-service password reset - 31 min
    9. Add custom domain name to Azure Active Directory - 18 min

  6. Manage security operations in Azure 8 Modules - 6 hr
    1. Protect against security threats on Azure - 25 min. The scenario company is tailwindtraders.com. Its security posture is monitored with Azure Security Center, whose adaptive application controls define rules that feed the secure score. Responses are automated with Azure Logic Apps through Security Center connectors. Azure Sentinel is the SIEM, ingesting events via the Common Event Format (CEF) messaging standard, Syslog, or REST API.
    2. Create security baselines - 1 hr
    3. Identify security threats with Azure Security Center - 43 min
    4. Resolve security threats with Azure Security Center - 44 min
    5. Protect your servers and VMs from brute-force and malware attacks with Azure Security Center - 44 min. Security Center uses network security group (NSG) rules to restrict access to management ports when not in use.
    6. Analyze your Azure infrastructure by using Azure Monitor logs - 36 min
    7. Improve incident response with alerting on Azure - 53 min
    8. Capture Web Application Logs with App Service Diagnostics Logging - 55 min
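The NSG point in the "Manage security operations" path above (management ports restricted when not in use) is something to verify directly rather than trust a secure score for. The following is an added example, not code from Microsoft or from this page's author: a Python audit over a hand-constructed, flattened rule set shaped like an Azure Resource Manager `securityRules` export. It walks inbound rules in NSG priority order (lowest number first, first match wins) and reports which management ports an Internet source can still reach, so a blanket `Allow` at a low priority shows up even when a narrower `Deny` sits above it. The rule names, the 10.0.1.0/24 bastion range and the 203.0.113.0/24 admin range are all constructed for the example.

```python
"""Audit an NSG's inbound rules for management ports reachable from the Internet.

Added example. The rule sets below are constructed by hand in the (flattened)
shape of an Azure Resource Manager securityRules export; nothing here is pulled
from a real subscription.
"""
import json

# Ports Security Center's just-in-time access closes when not in use: SSH, RDP, WinRM.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}

# Source prefixes that mean "anyone on the public Internet".
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def _port_matches(rule, port):
    """True if `port` is covered by the rule's destinationPortRange(s)."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")          # "22" or "3000-4000"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _source_is_internet(rule):
    """True if any source prefix on the rule is an Internet-wide prefix."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(p in INTERNET_SOURCES for p in prefixes)


def exposed_management_ports(rules):
    """Return {port: rule_name} for management ports an Internet source can reach.

    NSGs evaluate rules from the lowest priority number upward and stop at the
    first match, so a Deny at priority 120 shadows an Allow at 130 for the same
    traffic. We replay that order per port.
    """
    exposed = {}
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for port in MANAGEMENT_PORTS:
        for rule in inbound:
            if rule["protocol"] not in ("Tcp", "*"):
                continue
            if not (_source_is_internet(rule) and _port_matches(rule, port)):
                continue
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break  # first matching rule decides, whether Allow or Deny
    return exposed


# Constructed weak rule set: SSH open to the world plus a blanket allow below a WinRM deny.
WEAK_RULES = json.loads("""[
 {"name": "AllowSSHFromAny", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "AllowRDPFromBastion", "priority": 110, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "3389"},
 {"name": "DenyWinRMFromInternet", "priority": 120, "direction": "Inbound", "access": "Deny",
  "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["5985", "5986"]},
 {"name": "AllowAllInbound", "priority": 130, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
 {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

# Hardened version: SSH only from a constructed admin range and the blanket allow removed.
HARDENED_RULES = [
    dict(WEAK_RULES[0], sourceAddressPrefix="203.0.113.0/24"),
    WEAK_RULES[1], WEAK_RULES[2], WEAK_RULES[4],
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = exposed_management_ports(rules)
        report = {MANAGEMENT_PORTS[p]: name for p, name in found.items()}
        print(f"{label}: {report or 'no management ports open to the Internet'}")
```

Run it as a script to see the weak set flag SSH (via `AllowSSHFromAny`) and RDP (via `AllowAllInbound`, since the bastion-only RDP rule does not stop a later wildcard), while WinRM stays closed because the deny at priority 120 matches first; the hardened set reports nothing. Pointing the same function at a real export means reading `properties` out of each rule object first.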

https://microsoft.github.io/AzureTipsAndTricks/

https://cloudacademy.com/learning-paths/az-500-exam-preparation-microsoft-azure-security-technologies-650/

VIDEO: DOCS: Microsoft Threat Modeling Tool

Well Architected Framework

The Microsoft Azure Well-Architected Framework’s 5 pillars are the same as Amazon’s.

Peter Zerger (@pzerger):

CloudAcademy.com 16h video series by Thomas Mitchell

McK Udemy.com “updated 2020” 15.5h videos by Alan Anthony Rodrigues

Other videos:

  • https://zimmergren.net/passing-az-500-microsoft-certified-azure-security-engineer-associate/

  • https://www.pluralsight.com/courses/microsoft-azure-incident-response-remediation

  • https://blog.ahasayen.com/az-500-azure-security-engineer-exam/

Google

Holders of the Google Professional Cloud Security Engineer certification ($200 for 50 questions in 120 minutes) will have obtained the skills to “enable organizations to design and implement a secure infrastructure on Google Cloud Platform. Through an understanding of security best practices and industry security requirements, this individual designs, develops, and manages a secure infrastructure leveraging Google security technologies.” Topics and skills:

  • Configure access within a cloud solution environment
  • Configure network security
  • Ensure data protection
  • Manage operations within a cloud solution environment
  • Ensure compliance

SAP

First, memorize SAP Acronyms using my flashcards on Quizlet.com

SAP has two levels of certifications for Security pros. Both cost $242 USD, and each requires correctly answering 65% of 80 multiple-choice questions in 3 hours.

Elsewhere:

  • https://www.udemy.com/course/sap-security-and-authorizations/
  • https://www.udemy.com/course/sap-hana-installation-operation-and-administration/

Secure Coding

CodeBashing.com from Checkmarx has gamified tutorials on identifying and mitigating vulnerabilities in code for many languages: Hacking Headlines, Source Code (for each language): Android (Java), iOS, C/C++, C# .NET, .NET Backend, .NET Advanced, Go, Java, Java Backend, Java Advanced, Scala, NodeJS, PHP, Python Django, Ruby on Rails.

References

On Udemy: McK Security Product Lifecycle 101 (SPLC) by Implementing Security. Voiced by an enthusiastic voice pro. References SAMM 2.0, OWASP Top 10.

  • Data-Driven Security (Pearson) by Jacobs and Rudis

Podcast: Evan Francen’s Unsecurity

More on Security

This is one of a series on Security in DevSecOps:

  1. SOC2
  2. FedRAMP
  3. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  4. Git Signing
  5. Hashicorp Vault
  6. OPA (Open Policy Agent)

  7. WebGoat known insecure PHP app and vulnerability scanners
  8. Test for OWASP using ZAP on the Broken Web App

  9. Encrypt all the things

  10. AWS Security (certification exam)
  11. AWS IAM (Identity and Access Management)

  12. Cyber Security
  13. Security certifications