security.crudtastic.com

Security Nerd Stuff


I can now add CISA to my resume!

I got my results emailed to me during the night. For some reason the first thing I did when I woke up this morning was to check my email, and it said I had passed!

So I’m pretty much certified out now .. I still have to sit my GIAC GCIH exam from SANS Canberra this year (which I’m trying to get sorted out now).

Anyway .. if anyone is planning on sitting their CISM or CISA exams at the end of the year have a look through some of my old study notes for a few tips etc. If you have any more specific questions feel free to leave me a comment or send me an email.

SANS CIP CANBERRA 2009

SANS Institute is pleased to announce SANS Critical Infrastructure Protection at Oceania CACS 2009 from 10-11 September 2009.

Full details for the SANS event can be found at http://www.sans.org/canberra09_2/. An overview of the entire ISACA CACS 2009 event can be found at http://www.isaca-canberra.org.au/CACS2009.

The critical infrastructure of a nation is the system of highly complex and interdependent physical and cyber-based assets essential to the minimum operations of a nation’s economy and government. It includes, but is not limited to, communications, energy, banking and finance, transportation, water supply, and emergency services. It could be owned and operated by the government or the private sector, or both. Much of our nation’s critical infrastructure has historically been physically and logically separated; these were systems that had little interdependence. But as a result of advances in information technology over the past several decades and the necessity of improved efficiency, these systems and assets have become increasingly automated and interlinked. Unfortunately, these same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities requires flexible and evolutionary approaches that span both the public and private sectors and protect both domestic and international security.

Because of imbalances in military strengths, our future enemies – including nations, groups, or individuals – may seek to harm us in non-traditional ways, including attacks within our country against our critical infrastructure. Because our economy is increasingly reliant upon interdependent and cyber-supported infrastructures, non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy. This new threat is visible in the terrorist attacks on the World Trade Center in 1993 and 2001, Timothy McVeigh’s truck bomb attack on the Alfred P. Murrah Federal Building in Oklahoma City in 1995, natural events (such as category 5 hurricanes), and growing numbers of cyber espionage attacks against the military, civil government, and the private sector.

This course begins by examining in depth the events of the past 20 years, including the lessons learned about the interdependencies of the critical infrastructures following the Oklahoma City bombing and the terrorist attacks against the World Trade Center and what we learned in the aftermath of hurricanes Katrina and Rita in the summer of 2005. While there are many cross-sector interdependencies to consider, we will focus on the dependence of the various infrastructure sectors on the Internet and the impact of highly complex computer controlled systems. We will also discuss the creation of the Department of Homeland Security and its role in protecting the nation’s critical infrastructures from cyber intrusions.

Authored and presented by one of the nation’s leading experts on critical infrastructure protection and cyber warfare, you will receive detailed explanations of specific pervasive Internet technical problems and conduct in-depth examinations of the types of attacks that might do the most harm to your organization and your infrastructure sector. We will take a comprehensive look at the current Internet governance model, and you will learn how to develop business continuity and disaster recovery plans to counter current cyber threats and threat actors that take advantage of this model. You will also gain knowledge about the new directions being taken by criminals, terrorists, spies, and nation states and what our nation is planning to do for the defense of our critical infrastructure against these new threats. Finally, you will learn how to protect your networks from the dangers lurking in cyberspace while developing a full understanding of emerging techniques used to detect and contain outbreaks of malicious activity on the Internet.

This class is designed to give the student a full examination of the scope of critical infrastructure vulnerabilities, the dependence of critical infrastructures on the Internet, and Internet security problems. No laptop is required, but the subject material requires at least a working knowledge of computer networks and business decision making. The ideal student is a manager, supervisor, senior engineer, or other professional with a strong working knowledge of plant operations or a government official with responsibilities for CIP policy development wanting to learn more about the interdependence of critical infrastructures and the dangers posed by the global Internet.

Register now to ensure you don’t miss out on this event – http://www.sans.org/canberra09_2/register.php

So, tomorrow I will sit the ISACA CISA exam.

I’m feeling fairly well prepared .. I had a fair bit of time to study leading up to the exam. Here’s a few things I noted while getting ready for the exam.

1. Don’t bother with testkings or braindump or any of those sites. I spent a few hundred dollars on sims/practice exams .. all pretty well worthless in my eyes.
2. Only use the ISACA CISA review manual .. they’re the ones writing the questions from THEIR manual .. all the answers are in there.
3. Make sure you actually have some working experience for this exam. Although your job may not cover all of the subject areas, you are likely to have touched on a few, and that makes life a lot easier.
4. The exam was written with the company in mind. A lot of things boil back to “what’s best for the company”.
5. Try and get along to some review courses before the exam date. This year there were none in my area .. but luckily SANS put on a free 3hr review session (it was good too).

So today has been a day of very light review, it was time to relax. What I don’t know now .. well .. I probably won’t remember anyway! I’ll have a nice dinner tonight, watch a bit of TV, and then head off to bed nice and early.

Hopefully in 6-8 weeks you’ll be seeing a post here saying that I’ve passed.

Good luck to anyone else sitting their exam tomorrow.

** UPDATE **

I just thought I’d add a little more information in here (just to keep in the back of your mind). The exam weightings .. you should have probably taken note of those before now (if you haven’t .. I’m sure you’ll be fine) .. are as follows:

  • Ch1 – IS Audit Process – 10%
  • Ch2 – IT Governance – 15%
  • Ch3 – Systems and Inf Life Cycle Management – 16%
  • Ch4 – IT Service Delivery – 14%
  • Ch5 – Protection of Info Assets – 31%
  • Ch6 – BCP & DR – 14%

So, Chapter 5 is the big one – Protection of Information Assets. If you have a working technical knowledge, most of this stuff you will know. If you’re a financial auditor wanting to get your CISA, this could be a bit more of a challenge. The other dark horse here is Chapter 3; it’s a big section of the book that not a lot of places do (or at least do well) .. keep that one in your mind.

Now everyone relax, take some time out .. and make sure you’re ready for tomorrow. Make sure you know where you’re going and how to get there (don’t get caught in traffic – give yourselves plenty of time to travel). Have a nice breakfast, nothing too big that will put you to sleep, take a light jacket to keep yourself warm (in case the air con is a bit cold), take some water and some snacks (and not the annoying loud one in wrappers – damn you guy from my CISM exam!!).

Hey security chums!!

The ISACA CISA certification exam is coming up (June 13th if memory serves me correctly). So for those of you who haven’t started studying yet, it’s time to get crackin!

I’m publishing some of my study notes as I go along through all my material .. this information is more so for myself to keep my brain bombarded with all this knowledge in preparation, but it could be of some use to someone (who knows). You can find it HERE. As usual I have used the trusty ZOHO.COM for this :D

If you’re registered for the CISA exam in Brisbane Australia, there is a review course about to start every Wednesday night that goes until the exam date. If you need any more details drop me a line or leave me a comment.

EDIT – Seems the Zoho link was a bit screwed .. try this one instead – https://notebook.zoho.com/nb/public/crudtastic/book/174509000000015001