How was the CISM Today
Hi Guys,
I had the CISM exam today and let me tell you that the exam was of a healthy difficulty. Some questions were really difficult and conceptual and some were very straightforward.
Frankly, I don't know the result. I want to hear from you also how you feel about the exam and your experiences.
Thanks
Comments
If this is indicative of all ISACA exams, regardless of outcome when results come out, I don't think I'll be taking another (or retaking CISM). It has been an expensive journey and I'm not sure how much the database Qs helped; the manual was tedious and the exam confusing... it's as if they ran out of real, well-thought-out questions to ask.
I'm hitting CISSP next year, I think.
Yes, I think you're right here. It's expensive and, well, I've got to be honest, the materials bored me real bad, so I'd probably not retake it if I failed. Though I take it this way: at least I know now that I do not have very high respect for these certs. I'd rather study hard for something that gets me some real knowledge, so after my OSCP, an OSCE or such. One guy at the test center told me that he thought the CISSP was obsolete and that is why he didn't take it. I felt like, man, at least I came out of my CISSP with the feeling that I'd learned some decent things. To me ISACA is too closed a circuit; there is nothing out there except their own study materials, which makes your journey hard and expensive.
Ha, well, let's see the results now.
Cheers guys,
m.
Also, I personally think that some of ISACA's questions and answers on the exam and in the QAE book reflect little of real-world requirements and are dated, especially on the technical side. For example, in the QAE, ISACA considers a stronger password to be the answer to a brute-force attack. I personally think account lockout is a superior solution. Another example from the QAE is that ISACA believes the number of administrators presents the greatest threat to an internal wireless network. Personally, I believe a rogue AP presents a greater threat to an internal wireless network. With that said, it would be difficult for someone like myself, coming from a technical security background, to accept these as answers, let alone present these solutions to management if I were an Info Sec manager.
As far as similarity between the QAE and the exam is concerned, there are a few similarities. A few forumers here have already pointed out earlier that the questions on the exam will be different from the QAE but the 'tone' would be the same. I did notice some questions on the exam that were similar to the QAE. The answers on the exam, however, were somewhat 'diluted' to become vague/obscure but contained hints to being the correct one.
The two questions that you quoted I got right, phew! At least that 1%!
Brute-force attacks use dictionary words for cracking, so a strong password prevents cracking. I used to host WordPress websites, and attackers use botnets to carry out distributed brute-force attacks where each botnet will try only 3 password combinations. So account lockout will not help.
An account lockout mechanism usually has both a duration component (e.g. 30 seconds) and a number-of-invalid-attempts component. Brute-force attack tools can be customized to have fixed delays between attempts to prevent account lockouts.
What if your system admin password is password?
Will account lockout help? In fact, I do not even have to use a brute-force attack tool.
If account lockout triggers after 3 invalid attempts in 30 seconds, can the attacker tune his brute-force attack tool to try one combination every 15 seconds instead? With one attempt every 15 seconds, we get 240 attempts per hour and 3K attempts per day. All we need is someone with a weak password.
Just this year, someone "hacked" into 300 accounts on SingPass, which is Singapore's national identity authentication mechanism. The system has an account lockout mechanism and presents a captcha if your first 2 attempts are invalid. How did he do it? The 300 accounts had their user IDs as passwords.
To be fair, we should implement both password complexity and account lockout. And for those who say "who will be so stupid to use password as their password?", I present 20 most popular passwords
Only non-IT personnel make such mistakes? A senior app dev manager at a previous job had his team's development database server administrator account password set to password. We discovered it while trying a free VA scanning tool.
Another IT manager's default account policy for new employees was: your first name as user ID, and your password is userid123. So my user ID would be mike and my password mike123. And he kept wondering how spammers managed to log in to his mail server to send spam.
So a strong password policy is still a better control than account lockout.
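The evasion described in the post above (a lockout of 3 failures in 30 seconds, an attacker pacing guesses at one per 15 seconds, and a botnet or spray that spends only a few guesses per account), as an added example that is not part of the thread. It is a toy in-memory authentication server with a sliding-window lockout; the accounts, passwords and wordlist are constructed here to mirror the cases the post mentions (admin/password, mike/mike123, a user ID used as the password), and `attempts_per_day` computes the guess budget for the post's 15-second pacing.

```python
# Added example (not from the thread): a toy authentication server with the
# lockout policy quoted above (lock after 3 failures within 30 s), attacked
# three ways. All accounts, passwords and wordlists are constructed here.
from collections import deque


class AuthServer:
    """In-memory password check with a sliding-window account lockout."""

    def __init__(self, accounts, max_failures=3, window=30.0, lock_duration=30.0):
        self.passwords = dict(accounts)            # username -> password (toy; plaintext)
        self.max_failures = max_failures
        self.window = window                       # seconds in which failures are counted
        self.lock_duration = lock_duration         # seconds the account stays locked
        self.failures = {u: deque() for u in accounts}   # timestamps of recent failures
        self.locked_until = {u: 0.0 for u in accounts}

    def login(self, username, password, now):
        """Return 'ok', 'fail' or 'locked' for an attempt made at time `now` (seconds)."""
        if username not in self.passwords:
            return "fail"                          # same answer as a wrong password
        if now < self.locked_until[username]:
            return "locked"                        # locked: even the right password fails
        recent = self.failures[username]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                       # forget failures older than the window
        if password == self.passwords[username]:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[username] = now + self.lock_duration
            recent.clear()
            return "locked"
        return "fail"


def serial_attack(server, username, wordlist, interval):
    """One guess every `interval` seconds against one account.
    Returns (password found or None, guesses sent, guesses wasted on a locked account)."""
    t, wasted = 0.0, 0
    for n, guess in enumerate(wordlist, start=1):
        result = server.login(username, guess, t)
        if result == "ok":
            return guess, n, wasted
        if result == "locked":
            wasted += 1                            # a correct guess here is lost too
        t += interval
    return None, len(wordlist), wasted


def spray_attack(server, usernames, guesses_for, round_interval):
    """Password spraying: every account gets one guess per round, rounds spaced
    `round_interval` seconds apart, so no account ever sees 3 failures in the window."""
    found, t = {}, 0.0
    rounds = max(len(guesses_for(u)) for u in usernames)
    for r in range(rounds):
        for u in usernames:
            guesses = guesses_for(u)
            if u in found or r >= len(guesses):
                continue
            if server.login(u, guesses[r], t) == "ok":
                found[u] = guesses[r]
        t += round_interval
    return found


def attempts_per_day(interval):
    """Guess budget of a low-and-slow attacker sending one guess every `interval` seconds."""
    return int(86400 // interval)


# Constructed accounts modelled on the cases in the post above.
ACCOUNTS = {"admin": "password", "mike": "mike123", "alice": "alice", "bob": "x9$Lq!7vT#e2"}
WORDLIST = ["123456", "qwerty", "letmein", "welcome", "password"]   # "password" is 5th


def demo():
    fast = serial_attack(AuthServer(ACCOUNTS), "admin", WORDLIST, interval=1.0)
    slow = serial_attack(AuthServer(ACCOUNTS), "admin", WORDLIST, interval=15.0)
    spray = spray_attack(AuthServer(ACCOUNTS), list(ACCOUNTS),
                         lambda u: ["password", u, u + "123"], round_interval=30.0)
    return {"fast": fast, "slow": slow, "spray": spray, "slow_per_day": attempts_per_day(15.0)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fast attacker locks the account on its third guess and then wastes the correct one on a locked account; the 15-second attacker never trips the window and recovers the password on the fifth guess, with a budget of 5,760 guesses a day at that pace; the spray never produces more than one failure per account per window and still recovers every weak account, which is the point of the post: lockout bounds the rate, not the outcome, when the password is guessable.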
With a dictionary attack, its effectiveness relies heavily on how comprehensive or extensive your list is. Brute force, on the other hand, I believe, depends on the computing resources the attacker has. Now, even if we do have a strong password, wouldn't it just be a matter of time before the machine successfully attempts all possible combinations?
Now, for some of the cases you have cited, I believe they are blunders at every level of the security process. ISACA, like any other professional body, emphasizes security participation at every level of the application development life cycle.
So during the development phase they should appropriately define validation rules to check whether the password is the same as the username, as well as incorporating capabilities for the administrator to specify password complexity, password length, password expiration and password history in the application.
Next is the acceptance testing phase. The compliance analyst performing the hardening review must ensure that the password parameter settings in the application are defined according to the established security policy and enforced in the application before signing off.
And lastly, the procedure for generating new passwords and resetting passwords for users. The help desk team should check that the password is secure, created in line with the security policy and handed over to the user securely. Security awareness training would also come in handy at this phase.
Again, I don't believe a weak password alone is solely to blame for the incidents cited; a strong password definitely helps. But when dealing with a brute-force attack, it would be a matter of time. I do agree with you that strong passwords must be used in conjunction with account lockout.
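The validation rules the reply above lists for the development phase (password not equal to the username, plus administrator-settable complexity, length, expiration and history), as an added example that is not part of the thread. The thresholds, the short banned list, the "contains the username" extension that catches the userid123 pattern from the earlier post, and the use of PBKDF2 so the history stores no plaintext are this example's own choices.

```python
# Added example (not from the thread): a password-acceptance check that
# implements the rules named above. The thresholds, the banned list and the
# use of PBKDF2 for the password history are this example's choices.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3            # of: lowercase, uppercase, digit, symbol
    history_depth: int = 5          # previous passwords that may not be reused
    max_age_days: int = 90          # expiration
    banned: frozenset = frozenset({"password", "123456", "qwerty", "letmein"})


def _derive(password, salt, iterations=50_000):
    """PBKDF2-HMAC-SHA256 so the history holds no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def remember(password):
    """Record a newly set password for the history as (salt, digest)."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def _matches(password, record):
    salt, digest = record
    return hmac.compare_digest(_derive(password, salt), digest)


def _classes(password):
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() for c in password)])


def check_new_password(policy, username, candidate, history=()):
    """Return the list of rule names the candidate violates; [] means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too_short")
    if _classes(candidate) < policy.min_classes:
        problems.append("too_simple")
    user, cand = username.lower(), candidate.lower()
    if cand == user:
        problems.append("equals_username")        # user ID as password
    elif user in cand:
        problems.append("contains_username")      # mike / mike123
    if cand in policy.banned:
        problems.append("banned")                 # admin / password
    recent = list(history)[-policy.history_depth:] if policy.history_depth else []
    if any(_matches(candidate, rec) for rec in recent):
        problems.append("reused")
    return problems


def must_rotate(policy, set_on_day, today):
    """Expiration check: True once the password is older than max_age_days."""
    return today - set_on_day > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [remember("Correct-Horse-Battery-9")]
    for user, pw in [("admin", "password"), ("mike", "mike123"), ("alice", "alice"),
                     ("alice", "Correct-Horse-Battery-9"), ("alice", "Correct-Horse-Battery-10")]:
        print(user, pw, check_new_password(policy, user, pw, history) or "accepted")
```

Returning the list of violated rules rather than a bare boolean is what lets the acceptance-testing step the reply describes verify each configured parameter separately, and keeping the history as salted PBKDF2 records means a leaked history file does not hand an attacker the user's previous passwords.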
Hilarious
1 month today.