Monday, November 11, 2013

The Exam - I Passed

Well, that's finally done!

Some notes on the process ...

Testing Center

I arrived 1 hour early.  I did a last minute review of some notes.
You need to show two pieces of I.D.
You have to basically empty your pockets before entry.  No wallet, keys, pencils, etc.  They put all my personal stuff in a basket and locked it up in a cabinet.
Use the restroom before going in.
For the exam, I received a mylar sheet and a marker to use.  I did a "brain dump" of a couple of last-minute memorizations.

The Test.

Overall, the testing program is pretty intuitive, how to flag questions, how to go back, etc.
The clock starts ticking when you click on the [begin] button.
You have 90 minutes for 60 questions.
In the upper right side of the screen is the question number and the remaining time.
All questions are multiple choice.
You can "flag" questions to come back to later, so your answers aren't final until you hit the final submit.
I went through my flagged questions (about 20) a second time.
There were 3-4 that I was pretty uncertain of, but was able to eliminate a couple completely wrong answers to increase my odds.
I went through the entire exam a second time to review my answers.
I finished in 59 minutes.  I was not at all rushed.
When I hit the final [complete] button the results were near instantaneous.
I received a "Congratulations - pass" display with some other text and a printout.
No score was shown.

Observations / Advice.

The bulk of my time, perhaps 90%+, was spent on PCI DSS.  This worked, but next time I'll invest some energy in P2PE and PA-DSS.
I hadn't expected questions that referenced the requirement numbers only, so next time I would memorize those.  For example (there is no Requirement 13.2) a question may ask:
According to Requirement 13.2, which of the following is true:  A  B  C  or D
Expect more than one correct answer.  You'll need to pick the "best right" answer.  Be sure that your best answer directly answers the question.

An electronic certificate was mailed in approximately 24 hours - No hardcopy is provided.


Sunday, November 10, 2013

EXAM - Pre-exam Thoughts

This certification has not been out for very long.

There are only about 1000 PCIP's in the world.

A couple things that I'm used to finding for exam prep are not evident with this new certification:

1)  I can't seem to find a clear detailed scope of what material the exam will cover.  I've extracted some objectives from a training class and am assuming that this will be fairly accurate.  Rumor is that you need a 75% passing grade.

2)  Since this is still pretty new, there are not a lot of posts/emails to be found on experiences with the exam.

3)  I have not been able to locate any practice exams or sample questions.  I will try to create some myself within this blog.

4)  I have been seeing cases where expert opinion regarding PCI varies according to who you talk to.  Many items appear to be open to interpretation.  This is not really what you want going into a multiple choice exam.

Not bitchin' / Just sayin'

Minor issues (I hope).  We will forge ahead.

Saturday, November 9, 2013

EXAM - How the heck can I take it?

Doing an internet search will not help you get this thing moving.

You'll need to access this page directly   [HERE]

Yeow!  Here are the costs:


Fee Category: Non-Participating Organization / Participating Organization

PCIP Application Administration Fee (includes first two years of qualification, account maintenance and listing): $995 / $395
Account Maintenance Renewal Fee (assessed after the first two-year period and every two years thereafter): $99 / $99
PCIP Training/eLearning Course (includes access to eLearning course and ability to take the exam once): $1250 / $995
PCIP Exam Fee: $395 / $395
PCIP Exam Retake Fee: $395 / $395


Here is a breakdown of the steps you need to take:

1) Pre-Register. 

Go to this site [HERE], and enter your demographic information. You will need to know if your company is a Participating Organization (PO) and if they are, enter the reference code.

This takes all of 2 minutes.

Upon submitting my info, I received an email confirmation almost immediately stating that they've received my registration.

2)  Registration is reviewed.

You have no additional actions yet.  My review and reply to this pre-registration took just about 4 hours.  I wonder if this would take longer on the weekend with nobody in the office?

Here is a copy of the email I received:

PCI Security Standards Council

7/24/2013 10:50:01 AM
Dear Dan Whatsyername,

Thank you for showing interest in the PCIP Program. You will receive two invoices in the next couple of days. One for the application fee and one for the training and/or exam fee. Once the invoices are paid you will receive credentials to log into the portal to submit your PCIP Professional Application.

If you have any questions please contact pcip@pcisecuritystandards.org

Thank You,

Dawn Perna
PCIP Program Manager

T: +1 (781) 876-6222
pcip@pcisecuritystandards.org

Please do not reply directly to this email.


So now I wait for the invoices and will update this post when I do.

3)  Invoice

Well that didn't take long.

Approx. 4 more hours later and I have the first .pdf invoice by email.

Dear PCIP Candidate,

Thank you for your interest in the PCIP Program. Attached is an invoice for your PCIP Application fee.
                       
Please note that until payment is received, we are unable to issue login credentials for the PCIP Application.  All application fees are NON-TRANSFERABLE and NON-REFUNDABLE.

Best regards,
Lynsey

Lynsey Chaplik, Sr. Staff Accountant
Accounts Receivable
PCI Security Standards Council, LLC
401 Edgewater Pl., Ste. 600
Wakefield, MA 01880 USA


Options for payment include:

          1)  Mail invoice and a personal check.
          2)  Mail invoice and include your credit card number, exp date, security code
          3)  Wire transfer the loot
          4)  Fax invoice with a credit card number.

Funny.  They shouldn't have to tell an exam candidate "do not email credit card info", but they do.  I would suggest that if you do email your credit card info that they automatically fail you on the exam giving you a score of "LOL".

They won't take phone orders either.

Now I just need to come up with some cash and get the second invoice.

This isn't going to be cheap.

4)  Second Invoice.

The second invoice for the exam came 24 hours later.  They've processed these pretty fast.

But, man, this sure isn't cheap (have I said this before?).

I need to work on some funding before I can progress.

5)  OK, Work paid

Here's the latest email:

PCIP Registration

We have received payment for your application fee. Thank you.

You now need to login to the website portal to complete the second part of your PCIP application.

To login to the PCI SSC portal please visit https://programs.pcissc.org and choose the 'PCIP Application' area.

Your username to access the portal is below
Username: xxxxxxxxxxx

You can retrieve your password using the 'Forgot Password' feature located here.

https://programs.pcissc.org



Please do not reply directly to this email.


6)  Complete the second part of the Application

Click on the link indicated in the email above
https://programs.pcissc.org

 Then there are three parts:

          A)  Download and sign the "ATTESTATION" document at 
               https://programs.pcissc.org/user/pcipreg/PCIP%20Application%20Attestation.pdf 

          B)  Upload a copy of your resume

          C)  Upload your signed copy of the "ATTESTATION" document from step A above and click on the check box if you agree to "advocate, adhere to, and support the Code of Professional Responsibility".

7)  OK, I did some of this stuff. 

And received the following email from the testing center:



On Tuesday, October 15, 2013 11:57 AM, "PearsonVUEConfirmation@pearson.com" <PearsonVUEConfirmation@pearson.com> wrote:
 
**PLEASE DO NOT REPLY TO THIS E-MAIL**

PCI Security Standards Council has requested a Pearson VUE Web Account be created to allow you to schedule and manage your exam appointments at www.pearsonvue.com. Below are your username and temporary password.

Username:
myname123
Temporary Password:
NotGonnaHappen

When you first sign in, as a security measure for your protection, you will be required to select a new password. We recommend choosing your new password carefully to make it hard for anyone else to guess.

We recommend choosing a new password that is both easy to type and easy to remember so that you do not have to record it where someone else might see it. Your new password must contain at least seven characters and may not contain your username. Use both uppercase and lowercase letters as well as numbers and/or symbols, preferably in unexpected ways. Avoid names and words that would be easy to guess.

THE PCI SECURITY STANDARDS COUNCIL STRONGLY RECOMMENDS THAT YOU SCHEDULE YOUR EXAM IMMEDIATELY AS NEARBY TEST SITES MAY NOT HAVE AVAILABILITY TOWARDS THE END OF YOUR SCHEDULED TESTING WINDOW. NO EXTENSIONS WILL BE GRANTED DUE TO NEARBY TEST SITE AVAILABILITY.

If you have any questions, please visit our website at pearsonvue.com/pci/contact to find the contact information for your testing program.

Thank you for choosing Pearson VUE!
 
8)  Now to set up a testing date.

I'm not ready for this, but having the date set will get me moving in a more focused manner.

IMPORTANT NOTE:  It looks like there is ~ a 30 day window to select the date.  I didn't complete this process in a timely manner and was left with a very small window.

Friday, November 8, 2013

EXAM - PCIP Exam Objectives

The only scope/objectives I could really find for the exam were extracted from a PCIP training course description.

They include:

1.    Principles of PCI DSS, PA-DSS, PTS, P2PE, and PIN Security

2.    Understanding PCI DSS v2.0 requirements and intent (two documents below)

       Payment Card Industry (PCI) Data Security Standard
       Navigating PCI Requirements

3.    Overview of basic payment industry terminology
      

       How Credit Card Payments Work - authorize.net video 
       PCI Security Standards Glossary

4.    Appropriate uses of compensating controls

       Refer to Appendices B & C in the following document:
       Payment Card Industry (PCI) Data Security Standard

5.    How and when to use Self-Assessment Questionnaires (SAQs)
       SAQ Info

6.   Recognizing how new technologies affect the PCI (P2PE, tokenization, mobile, cloud)
      Note:  at the seminar I attended we were informed that guidelines and supplemental documents were not included in the exam.

       Point to Point Encryption (P2PE) FAQ's
       https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf
       PCI DSS Cloud Computing Guidelines

      
7.    PCI Code of Professional Responsibility
       Link to Code of Professional Responsibility

8.   Case study application

Thursday, November 7, 2013

Study Material - Code of Professional Responsibility


Located at https://programs.pcissc.org/user/pcipreg/PCIP%20Code%20of%20Professional%20Responsibility.pdf

Copyright 2012 PCI Security Standards Council, LLC

Appendix B

Code of Professional Responsibility

The PCI Security Standards Council (PCI SSC) is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. PCI SSC’s mission is to enhance payment account data security by driving education and awareness of the PCI SSC security standards (the “PCI Standards”). To help achieve this goal, PCI has adopted this Code of Professional Responsibility to help ensure information security professionals adhere to the highest standards of ethical and professional conduct. Adherence with this Code will help ensure the safe handling of cardholder information and enhance payment card data security.

All PCI SSC qualified individuals and all PCI SSC qualification candidates must advocate, adhere to, and support the following Code of Professional Responsibility. PCI SSC qualified individuals who intentionally or knowingly violate any principle of this Code will be subject to revocation of qualification and/or other disciplinary action by PCI SSC.

Principles

Professional Competence and Due Care

Perform each aspect of your work honorably, responsibly, and legally

Act in the best interests of all entities that you provide services or support to, while maintaining high standards of conduct and being consistent with the PCI Standards and guidance

Deliver diligent and competent services in accordance with the PCI Standards and applicable laws

Render only those services for which you are fully competent and qualified

Promptly advise all entities that you provide services or support to on changes in PCI Standards and guidance

Participate in learning throughout your career to maintain the knowledge, skills and expertise needed in the payment security industry

Promote current information security best practices and standards

Security and Confidentiality

Respect and safeguard confidential, proprietary, or otherwise sensitive information with which you come into contact in the course of professional activities, unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties

Take affirmative steps to comply with the PCI Standards to assure that confidential information is maintained securely

Immediately notify the appropriate authorities and proper industry personnel should you suspect a compromise or breach in security

Integrity

Refrain from conduct which would damage or reflect poorly on the reputation of PCI SSC, its standards, the profession, or the practice of colleagues, clients, and employers

Report ethical violations to PCI SSC in a timely manner

Refrain from any activities which might constitute a conflict of interest

Perform all duties with objectivity

Compliance with Industry Laws and Standards

Perform duties in accordance with the PCI Standards

Comply with existing laws and regulations, with local laws taking precedence over PCI Standards

Cooperate with law enforcement agencies

Violation and Enforcement

Depending on the severity of the violation, disciplinary action could include:

Warning

A written warning could be issued that specifies the consequences if the situation occurs again, or if there is another violation.

Suspension

PCI SSC qualification could be suspended for all programs in which the individual participates.

Revocation

PCI SSC qualification could be revoked for all programs in which the individual actively participates.

PCI SSC is committed to enforcing its Code of Professional Responsibility, and has adopted a procedure that allows fair and objective review of allegations of violations of the Code.


Copyright 2012 PCI Security Standards Council, LLC

Monday, November 4, 2013

Exam Prep - Online Security Quizzes

Here's a list of some free online security quizzes.
There are many more available, but at the time of this post, these have no sign-up requirements, there are no necessary downloads and no personal information is required.

These do not directly relate to the PCIP exam since, well, none exist at this time.
But since PCIP has strong hooks into IT Security, these may be of value.  
Obviously anything noted in the PCI DSS has precedence over what's in these quizzes

-  A multiple guess quiz that I made up from the PCI DSS documentation.
   This is contained within the blog

 http://pcip-study.blogspot.com/2013/05/study-questions.html

-  A short answer/definition quiz that I also made up using the PCI glossary.
   You can also find this within this blog

http://pcip-study.blogspot.com/2013/05/study-questions-short-answer.html

-  An "Internet Safe Shopping" quiz from McAfee
   10 questions. Rather basic.

http://home.mcafee.com/SafetyQuiz/QuizShopping.aspx?culture=en-US&

-  About.com "Computer Security 101" quiz
   10 questions. Also pretty basic.

http://netsecurity.about.com/library/blquiz1-1q.htm

- ProProfs.com "Internet Security Quiz" by Brian Leng
  10 questions.  Click on the "Start" button for the online version.

http://www.proprofs.com/quiz-school/story.php?title=internet-security-quiz-brian-leng

-  A COMPTIA Security+ practice exam from GoCertify.com.
   15 questions.  I like this one best.

http://www.gocertify.com/quizzes/comptia/security-plus-sy0301.html

-  CNN.com technology poll.
   8 Questions - A public poll that will show you results

http://www.cnn.com/2009/TECH/09/28/online.safety.quiz/

-  And finally, here is a whole list of security exams from whatis.com
   These are also very good and detailed

http://whatis.techtarget.com/reference/Security-Quizzes


Saturday, November 2, 2013

VIDEO - Fundamentals of PCI


A quick Cisco video

https://www.youtube.com/watch?v=EKa8L45RLQ8

And a one hour Cisco video

Episode 99: PCI Compliance Made Simple

 

Study material - Chronology of Required Events

Lots of dates and times were presented.  In trying to organize my thoughts, I've extracted all timing requirements and consolidated them below:

Immediately - respond to security breaches (Req 12)

15 minutes - Timeouts should be set to 15 minutes of inactivity (Req 8)

1 day - Vendors' or guests' temporary access to a secure facility suggested at one day (Req 9)
1 day - Review network and data center access logs - can be done programmatically (Req 10)

Weekly - Look for changes to critical files ( Req 11)
Weekly - Look for unusual changes to dates on system or application executable files (Req 11)

Monthly - Install vendor-supplied security patches within one month of release (Req 6.1)
Monthly - Address critical vulnerabilities within one month (Req 6)

90 days - Remove inactive user accounts (Req 8.5.5)
90 days - Change passwords (password obsolescence) (Req 8.5.9)

Quarterly - Identify purge candidates in database (Req 3.1.1)
Quarterly - Keep usage logs readily available with 12 months accessible (Req 5)
Quarterly - Address non-critical vulnerabilities within three months (Req 6)
Quarterly - (minimum) Storage of video captured from secure-room access (Req 9.1.1)
Quarterly - Run a wireless access scan (Req 11.1)
Quarterly - Run network vulnerability scans (Req 11.2)

Six months - Review firewall and router rule sets (Req 1.1.6)
Six months - Sample terminated users to ensure deactivation (Req 8.5.4)

Annual - Keep usage logs accessible one year with three months readily available (Req 5)
Annual - Conduct a vulnerability assessment for public facing web apps (Req 6.6)
Annual - Review security for offsite backup storage (Req 9.5)
Annual - Inventory media (req 9.9.1)
Annual - Retain network and data center logs (Req 10)
Annual - Run penetration tests (Req 11)
Annual - Conduct Risk Assessment (Req 12.1.2)
Annual - Educate personnel (Req 12.6.1)
Annual - All personnel acknowledge that they have read and understood policy&procedures (Req 12.6.2)
Annual - Monitor Service providers PCI DSS compliance (Req 12.8.4)
Annual - Test Incident Response Plan (Req 12.9.2)
Annual - Review, document and validate Compensating Controls (Appendix B)
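To turn the chronology above into something a compliance team can actually run against its own records, here is an added Python example (mine, not part of the original post) that encodes a subset of the intervals and requirement numbers exactly as listed above and flags each recurring task as ok, due soon, overdue or never done. The completion dates are constructed sample data, and the mapping of "Monthly", "Quarterly", "Six months" and "Annual" to 30, 90, 182 and 365 days is my assumption.

```python
from datetime import date, timedelta

# Maximum allowed gap in days for each interval name used on the page.
# Assumption: "Monthly" = 30, "Quarterly" = 90, "Six months" = 182 and
# "Annual" = 365 calendar days. "Immediately" and "15 minutes" are
# event-driven settings rather than recurring tasks, so they are not tracked.
INTERVAL_DAYS = {
    "1 day": 1,
    "Weekly": 7,
    "Monthly": 30,
    "90 days": 90,
    "Quarterly": 90,
    "Six months": 182,
    "Annual": 365,
}

# (interval, task, requirement) entries copied from the chronology above,
# with requirement numbers exactly as the page lists them.
SCHEDULE = [
    ("1 day", "Review network and data center access logs", "Req 10"),
    ("Weekly", "Look for changes to critical files", "Req 11"),
    ("Monthly", "Install vendor-supplied security patches", "Req 6.1"),
    ("90 days", "Remove inactive user accounts", "Req 8.5.5"),
    ("90 days", "Change passwords", "Req 8.5.9"),
    ("Quarterly", "Run wireless access scan", "Req 11.1"),
    ("Quarterly", "Run network vulnerability scans", "Req 11.2"),
    ("Six months", "Review firewall and router rule sets", "Req 1.1.6"),
    ("Annual", "Run penetration tests", "Req 11"),
    ("Annual", "Conduct Risk Assessment", "Req 12.1.2"),
    ("Annual", "Test Incident Response Plan", "Req 12.9.2"),
]

# Constructed sample data: when each task was last completed.
# A task missing from this dict has never been done.
SAMPLE_LAST_DONE = {
    "Review network and data center access logs": date(2013, 11, 10),
    "Look for changes to critical files": date(2013, 11, 1),
    "Install vendor-supplied security patches": date(2013, 10, 20),
    "Remove inactive user accounts": date(2013, 8, 1),
    "Change passwords": date(2013, 8, 20),
    "Run wireless access scan": date(2013, 9, 1),
    "Run network vulnerability scans": date(2013, 8, 1),
    "Review firewall and router rule sets": date(2013, 6, 1),
    "Run penetration tests": date(2012, 10, 1),
    "Conduct Risk Assessment": date(2013, 1, 15),
}
TODAY = date(2013, 11, 11)  # constructed "as of" date
DUE_SOON_DAYS = 7           # warn this many days before the deadline


def days_allowed(interval):
    """Maximum number of days between two completions of a task."""
    return INTERVAL_DAYS[interval]


def task_status(interval, last_done, today):
    """Return (status, days_remaining) for one task.

    status is 'never', 'overdue', 'due-soon' or 'ok'; days_remaining is
    negative once the deadline has passed and None if never completed.
    """
    if last_done is None:
        return "never", None
    deadline = last_done + timedelta(days=days_allowed(interval))
    remaining = (deadline - today).days
    if remaining < 0:
        return "overdue", remaining
    if remaining <= DUE_SOON_DAYS:
        return "due-soon", remaining
    return "ok", remaining


def status_by_task(schedule, last_done, today):
    """Map every task name in the schedule to its status string."""
    return {task: task_status(interval, last_done.get(task), today)[0]
            for interval, task, _req in schedule}


def overdue_tasks(schedule, last_done, today):
    """Sorted names of tasks that are overdue or have never been done."""
    statuses = status_by_task(schedule, last_done, today)
    return sorted(t for t, s in statuses.items() if s in ("overdue", "never"))
```

Calling overdue_tasks(SCHEDULE, SAMPLE_LAST_DONE, TODAY) on the sample data flags the weekly file check, the quarterly account clean-up and vulnerability scans, the annual penetration test, and the never-tested incident response plan.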

Sunday, September 22, 2013

Study Material - Treasury Institute blog

The Treasury Institute is focused on PCI compliance for colleges and universities.

The person posting on this blog is "Gene Willacker [who] is the PCI Compliance Officer for Michigan State University (MSU)".

Gene has compiled a great list of PCI 3.0 information in his blog.

The link is [here]

Saturday, September 21, 2013

Study Material - Some web explanations

Sometimes it helps to get a second explanation or description of things.  Here are some:

Requirements 1.1.3, 1.3.1, 1.3.2, 1.3.4  DMZ
http://searchsecurity.techtarget.com/definition/DMZ

Requirement 1.3.6  Stateful Inspection
http://kb.kerio.com/product/kerio-control/firewall-packet-filtering/what-is-stateful-packet-inspection-429.html

Requirement 1.3.8  Network Address Translation (NAT)
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

Requirement 1.3.8  Proxy Servers
http://whatismyipaddress.com/proxy-server

Requirement 2.1, 2.1.1  Simple Network Management Protocol (SNMP)
http://compnetworking.about.com/od/networkprotocols/g/snmp-management-protocol.htm

Requirement 2.1.1  Wired Equivalent Privacy (WEP)
Note:  This encryption technique is not secure.

http://searchsecurity.techtarget.com/definition/Wired-Equivalent-Privacy

Requirement 2.1.1 Wi-Fi Protected Access version 2 (WPA2)
http://www.computerworld.com/s/article/9002706/Tutorial_How_to_set_up_WPA2_on_your_wireless_network_

Requirement 2.2  Industry accepted standard organizations

Center for Internet Security (CIS)
http://www.cisecurity.org/

International Organization for Standardization (ISO)
http://www.iso.org/iso/home.html

SysAdmin Audit Network Security (SANS)
http://www.sans.org/

National Institute of Standards Technology (NIST)
http://www.nist.gov/

Requirement 2.2.1  Domain Name Servers (DNS)
http://www.howstuffworks.com/dns.htm

Requirement 2.2  Secure Shell (SSH)
https://kimmo.suominen.com/docs/ssh/

Requirement 2.2  Secure File Transfer Protocol (S-FTP)
http://kb.iu.edu/data/akqg.html

Requirement 2.2  Secure Sockets Layer (SSL)
https://www.ssllabs.com/projects/rating-guide/

Requirement 2.2  IP Security Encryption (IPSec)
 http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml#intro

Requirement 6.5.7  Cross Site Scripting (XSS)
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Requirement 6.5.9  Cross Site Request Forgery (CSRF)
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

Requirement 12.3.2  Token
http://searchsecurity.techtarget.com/definition/security-token



Tuesday, September 17, 2013

Study Material - SDLC

The Systems Development Life Cycle (SDLC) is a commonly used "methodology" for creating applications and systems.

The SDLC steps vary depending on who you talk to but they usually involve a lot of the same steps:  initiation/planning, analysis, design, develop/test, implement, maintenance/support.

PCI DSS requirement 6.3 addresses secure application development, commonly called "S-SDLC".

Microsoft has some useful info on this to show how security should be integrated into software development [HERE]

Thursday, August 15, 2013

Study Material - Cisco Perspective

Cisco has developed products to assist with PCI Compliance.  They've clearly jumped on the bandwagon.

Here is a good one page visual on "network segmentation"

And another one on mapping Cisco products to PCI Wireless Compliance




Monday, August 12, 2013

Study Questions - A quick, simple test

Here is a simple 10 question security quiz.

When done, it will provide you with a score and explain the correct answers.

You can find it [HERE]

Thursday, July 18, 2013

Study Material - SSL

Symantec published a free 8 page guide to SSL called the BEGINNER’S GUIDE TO SSL CERTIFICATES

To access this, you will need to enter your contact info.  Here is the [LINK].

Obviously there will be some company marketing info included, but there is substantial general info as well.

Wednesday, July 10, 2013

Study Material - Hmmm. never thought about RAT's

Actually, I've never thought about "sextortion" either.

Hell, I would have never guessed that such a thing existed.

Regardless of what I think, here's an article on remote-access tools (RATs), "camjacking" and "sextortion".

I'm wondering if the exam will have this level of breadth, although Security+ does address RATs.

Study Material: Free Security (and other) Training

I just received this email today.

I signed up and started some Security+ training.

Although this is not directly related to PCIP, the security concepts would provide a lot of value.

Finally, I should note that I am in no way affiliated with this organization and it provides no value to me whether you use them or not.




1-800-418-6789 | United Kingdom: (0) 20 8816 8036
International: +1 813-769-0920

Same LearnSmart Training. Now Free.

Everything you've become accustomed to with IT and Certification Training has changed! You no longer have to spend thousands to understand the latest technologies or get a leg up on your career. Today marks a new era in how you get training. Starting today, LearnSmart training is now FREE.
Hundreds of hours of IT and Career skills training are now at your fingertips along with the most talked about learning management system in the industry - all for FREE.
Get FREE access to LearnSmart including:
·   Vibrant and complete training courses
·   The most respected and accomplished instructors
·   The widest variety of e-Learning media and courseware
·   Five-star customer support
·   No commitment and no charges or fees
Don’t just try us out... take advantage of us. This isn’t a trial or a demo, we’re handing you the keys. Welcome to the family, come on in and put your feet up. Get the training you need... for Free. The world of IT training has changed. Get the same LearnSmart training, now for Free.

Classroom in the Cloud

LearnSmart is the first LMS of its kind that’s designed to go where you go, and to be compatible with all of your mobile devices. Of course you can sit at a desk (or your kitchen table) and train on your laptop, but that’s so 2002. With the LearnSmart Theater you can train in your favorite coffeehouse on your tablet or on the bus with your smartphone. If you’re really committed you can even train at a long red light! (Be careful!) With LearnSmart, your training is truly portable, allowing you to make the most of your time – wherever you spend it.
LearnSmart Video Training is 100% cloud-based training, so you know the content is always up to date and you can use it anywhere. Each course is brought to you by industry experts who know the facts and the practical application of your course better than anyone. Learning is simple fast and fun with the LearnSmart Theater. It’s easy to navigate, fully-featured and comes complete with supplemental training options you’ll find nowhere else.

Your Info, Your Schedule

Taking notes is one of the most effective ways of retaining information. The LearnSmart system allows students to keep track of key facts in a virtual notebook. Users can sort their notes by course, or by date, making it simpler to review the material before taking their final exam. The My Notes section is also a good spot to help you keep track of the courses you’re taking – including dates of certification exams, etc.
While your notes are, of course, your personal take on the material presented, they can also be a helpful teaching aid for your fellow students. By presenting your unique version of the coursework – and flipping through another pupil’s rendition of the same – you get an extra opportunity to catch what you might have missed, and to look at things in a new way. Since not everyone takes away the same benefit or key information from a lesson, it can go a long way toward improving your understanding when you and a study buddy are able to compare notes.

Connect With Us

Remember to follow our blog and connect with us on your favorite social networks to stay up-to-date with eLearning, IT and Certification Testing, and technology news in general.

Enterprise Training from LearnSmart

To discuss training solutions for your organization, please contact a LearnSmart representative at 1-800-418-6789.

1300 N. Westshore Blvd. Ste 125 | Tampa, FL 33607 | © 2013 LearnSmart | All rights reserved.