Wednesday, July 24, 2013

Will This Certification Get Me A Job?

Will the Network+ Certification Get Me a Job?

Here's a question I often receive from people: "Will this certification get me a job?" It's sometimes worded a little differently. Here are a few variations.

Here's the Short Answer

No.

Long Answer

A certification helps you land an interview but is only a small part of a larger picture. Most companies are looking for someone that will be a good fit in the job within the company but they are interested in much more than just what tests you can pass. However, if you can't pass the test, you often never get the interview.
Here's the typical process for someone pursuing and being offered a job:
  • An organization advertises for a job
  • You submit a resume (with or without a cover letter)
  • Your resume is picked as a possible candidate
  • You might be asked to complete one or more tests
  • You are asked to do one or more interviews
  • You are given an offer
  • You start your new job
Your certification and the underlying knowledge are important when your resume is reviewed, when you complete some technical pre-interview tests, and when you're interviewed. However, it isn't the only important element.

Rare Exception

With very few exceptions, you need more than a certification to get a job. Here's an example of a rare exception.

Imagine someone named Joe who recently left the U.S. military with a security clearance. Joe has very little IT experience but decides to pursue the A+ certification and earns it.

A contractor (called Acme of Wiley E. Coyote and Road Runner fame) has a contract with the U.S. DoD. One position recently opened up. It requires someone with an A+ certification and a security clearance. Normally, Acme gets $50 an hour for every hour a person is working in this position and they pay $30 an hour to someone working in it. Acme is losing $20 an hour (or about $800 a week) for every hour this position remains unfilled.

If Joe applies and can prove he has an A+ certification, the clearance, and a pulse, he has the job.

Your goals

When pursuing a new job, you often have two short-term goals.
  • Get an interview. The first goal is to get an interview. You have the best chance of success here if your resume has the certifications and the knowledge/skillset required for the job. A cover letter (or email introduction) also helps.
  • Shine during the interview to get an offer. You need to demonstrate that you have the knowledge/skillset required by the job and that you are a good fit on the organization's team. This is often much more than your technical ability.
If you're not getting interviews, improve your resume and introduction process.

Check out this article: Skills mismatch hinders the hiring of new graduates, survey finds. It mentions that "Forty-nine percent of human resource officials polled by the professional organization said this year’s college graduates lack basic English skills in grammar and spelling." This is often reflected in applicants' resumes. A single typo can get your resume thrown in the rejection pile.

If you're not getting jobs after interviews, improve your interview techniques. Check out this article for five tips to help you during your next interview.

Elimination Phases

Hiring managers often have a very short time to look at a resume. When a job requires a certification, resumes without the certification are quickly eliminated. A hiring manager might have 100 resumes to fill a single job and this job requires a specific certification. He looks through them and sees that only about 10 include the certification. The rest are tossed aside.

If you have the certification they require, you'll make it to the next phase. However, just having this on your resume won't be enough.

Here's a resume tip I recently posted on the Get Certified Get Ahead Facebook page.

~~~ Resume Tip ~~~ Take the time to target your resume for every new position. Ensure each resume includes the key words of the position you’re applying for, so that it has a better chance of being noticed. Many employers and head hunters accept resumes online and put them into a database. They then search the databases with specific keywords. If you use a one-size-fits-all resume, you have less of a chance to get the interview and ultimately the job.

Testing Phases

Some jobs require candidates to take one or more tests. Some tests are strictly technical asking you multiple-choice technical questions. You aren't expected to ace them, but they often give the hiring managers an idea of your technical knowledge.

Other tests are deeper. Organizations sometimes use psychological tests to gauge how someone might interact with customers or how they might respond in a highly stressful environment. Again, perfect answers aren't expected, but they do give the hiring managers some insight.

One test that will surely eliminate you is a drug test. Many companies require you to submit to drug testing to see if you are a drug user.

Background Check Phase

It's common for an organization to do a background check on a potential employee at just about any point in the hiring process. A background check typically includes legal and financial checks.

Legal checks often include local, state, and national sources to see if a potential employee has any legal issues that might impact their employment. Legal issues won't necessarily eliminate a person from a job. As an example, it probably won't matter if a person with a recent speeding ticket is applying for a technical job that doesn't require driving. On the other hand, if a person is asked and they lie about it, it will matter.

Financial checks are used in many different ways. I remember a student in a class telling me that insurance companies frequently use financial checks when pricing insurance policies. A poor credit score typically results in a higher priced policy. Similarly, hiring managers might equate a poor credit score with a lower level of responsibility and use this as an elimination factor.

Interview Phases

During the interview phase, you have an opportunity to shine. You can expect to be asked about your knowledge and skill set related to the job and you should be able to easily talk about anything you've included on your resume.

If you list a Security+ certification, you might be asked about the certification, or content that someone that passed the certification would be expected to know. If your answers indicate that your resume claim is incorrect, expect to be eliminated. As an example, if your resume indicates you have a certification but you admit during the interview that you don't have it, expect to be eliminated.

You can also expect to be asked questions that will bring out your personality. These types of questions are rarely direct. However, how you respond, especially to questions you aren't prepared to answer, help people understand you better. You won't hear questions like the following list, but interviewers are often curious about the answers to them just the same.
  • Are you a goal-setting achiever? Or are you a quitter?
  • Do you enjoy participating in a team to help the company succeed? Or are you out for yourself only?
  • Are you friendly, looking for the best in people? Or do you carry a chip on your shoulder, looking for the worst in others?

Summary - Certifications Make you Marketable

In summary, a certification can certainly make you marketable, but it isn't the only consideration for any job. You cannot expect any certification to get you a job. You can expect a certification to make you more marketable and help you land an interview. After that, it's up to you.


Wednesday, July 3, 2013

Identify Social Engineering Attacks

Can you identify different types of social engineering attacks in the Security+ exam?

The Security+ exam expects you to be able to analyze and differentiate different types of social engineering attacks, including shoulder surfing, dumpster diving, tailgating, impersonation, hoaxes, whaling, phishing, and vishing. You might even see a performance based question related to these types of attacks.

Social engineering is the practice of using social tactics to gain information. It’s often low-tech and encourages individuals to do something they wouldn’t normally do, or cause them to reveal some piece of information, such as their user credentials.

Some of the individual methods and techniques include:
  • Flattery and conning
  • Assuming a position of authority
  • Encouraging someone to perform a risky action
  • Encouraging someone to reveal sensitive information
  • Impersonating someone, such as an authorized technician
  • Tailgating or closely following authorized personnel without providing credentials

Performance Based Questions

Topics such as identifying attacks are ideally suited for the new performance based questions on the CompTIA Security+ exam. Instead of answering a multiple choice question, you might need to identify an attack and match it to the most likely target. If you're unfamiliar with the new performance based questions, check out these blogs too:

Matching Attacks Practice Question

The following table includes three columns: attack methods, attack targets, and attack types. However, they are jumbled and not in the correct order.

Would you be able to rearrange the items in the table so that each attack method is matched to the appropriate attack target and attack type? Each attack method, attack target, and attack type is used only once so your solution needs to ensure that all choices are used.
Attack Methods      Attack Targets    Attack Types
Internet Web Page   CEO               Rogueware
Phone Attacker      User              Vishing
Email               Receptionist      Whaling

Pass the Security+ exam the first time you take it: CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Phishing and Whaling

Phishing is the practice of sending e-mail to users with the purpose of tricking them into revealing personal information or clicking on a link. A phishing attack will often send the user to a malicious website that appears to the user as a legitimate site.

The classic example is where a user receives an e-mail that looks like it came from eBay, PayPal, a bank, or some other well-known company. The “phisher” doesn’t know if the recipient has an account at the company, just as a fisherman doesn’t know if any fish are in the water where he casts his line. However, if the attacker sends out enough e-mails, the odds are good that someone who receives the e-mail has an account.

Whaling is a form of spear phishing that attempts to target high-level executives.

As an example, attackers singled out as many as twenty thousand senior corporate executives in a fine-tuned whaling attack a few years ago. The e-mails looked like official subpoenas requiring the recipient to appear before a federal grand jury and included the executive’s full name and other details, such as their company name and phone number.

The e-mails also included a link for more details about the subpoena. If the executives clicked the link, it took them to a website that indicated they needed a browser add-on to read the document. If they approved this installation, they actually installed a keylogger and malware. The keylogger recorded all their keystrokes to a file, and the malware gave the attackers remote access to the executive’s systems.

Similar whale attacks have masqueraded as complaints from the Better Business Bureau or the Justice Department. Executives are sensitive to issues that may affect the company’s profit, and these attacks often get their attention. This blog also covers phishing, spear phishing, and whaling.

Vishing

Vishing attacks use the phone system to trick users into giving up personal and financial information. It often uses Voice over IP (VoIP) technology and tries to trick the user, similar to how other phishing attacks try to trick the user. When the attacker uses VoIP, it can spoof the caller ID, making it appear as though the call came from a specific company.

In one form of a vishing attack, a person receives a phone message indicating they need to call about one of their credit cards, and the message provides a phone number. In another form, the person receives an e-mail with the same information.

If the person returns the call, an automated recording gives some vague excuse about a policy and then prompts the user to verify their identity. One by one, the recording prompts the user for information like name, birthday, Social Security number, credit card number, expiration date, and so on. Once the person provides the information, the recording indicates the account is verified. What really happened, though, is that the person just gave up some important data to a criminal.

Rogueware

Rogueware (or scareware) is a type of Trojan that masquerades as a free antivirus program. When a user visits a site, a message on the web page or a popup appears indicating it detected malicious software (malware) on the user’s system. The user is encouraged to download and install free antivirus software. Users that take the bait actually download and install malware.

After a user downloads it and starts a “system scan,” it reports that it has located malware and pops up an official-looking warning. In reality, it doesn't scan for malware at all and always reports bogus infections.

If users try to remove the threats, they are informed that this is only the trial version, and the trial version won’t remove any threats. However, for a small fee, such as $79.95, users can unlock the full version to remove the threats. Many people pay. Panda Security reported that criminals took in an average of $34 million a month in recent years. This blog also covers rogueware.

Matching Attacks Practice Question Answer

The following table shows the attack methods, attack targets, and attack types in the correct order.
  • Whaling is a targeted phishing email sent to CEOs and other senior executives.
  • Vishing is a type of phishing attack using a phone.
  • Rogueware is bogus antivirus software downloaded by unsuspecting users from a website.
Attack Methods      Attack Targets    Attack Types
Email               CEO               Whaling
Internet Web Page   User              Rogueware
Phone Attacker      Receptionist      Vishing

Summary - Identify Social Engineering Attacks

Ensure you understand the basics of social engineering attacks when taking any security-based exam such as the Security+, SSCP, or CISSP exams. Whaling is a targeted phishing attack against CEOs and other senior executives. Vishing is a type of phishing attack that uses phones. Rogueware is bogus antivirus software that a user can download from a webpage on the Internet.

Monday, July 1, 2013

Microsoft TechNet Subscription Service Retiring

I was a little surprised when I opened an email from Microsoft announcing "Technet subscription service retiring."

The last day to purchase a TechNet Subscription through the TechNet Subscriptions website is August 31, 2013. Subscribers may activate purchased subscriptions through September 30, 2013.

Microsoft will continue to honor all existing TechNet Subscriptions. Subscribers with active accounts may continue to access program benefits until their current subscription period concludes.

Great for Learning

I've had a TechNet Subscription almost every year since about 1999 when I first became a Microsoft Certified Trainer (MCT). It has been an outstanding resource to obtain both new and established products. This has been absolutely essential as a trainer and author when I was writing about new products, and tremendously valuable when I was prepping for an established product that was new to me.

Need more specifics on which products are included with a TechNet Subscription? You can download the full list of products available by subscription level here.

For some of these years, Microsoft provided a TechNet subscription to all MCTs. For other years when they didn't provide it, I paid for it out of my pocket. I've certainly valued this and wonder if they plan on replacing it with anything such as an MSDN subscription. We'll see.

TechNet Subscription Alternatives

If you don't have a Technet Subscription and don't want one, you can still use these resources:
  • TechNet Evaluation Center: Free evaluation software with no feature limits, available for 30-180 days. Includes rich evaluation resources and TechNet Virtual Labs, which enable you to evaluate software without the need to install bits locally.
  • Microsoft Virtual Academy: Free online learning site, with over 200 expert-led technical training courses across more than 15 Microsoft technologies with more added weekly.
  • TechNet Forums: Free online forums where IT professionals can ask technical questions and receive rapid responses from members of the community.

MSDN is the Real Replacement

MSDN Subscriptions provide a paid set of offerings that are available for those who require access to evaluation software beyond what the above free offerings provide.

For years, MCTs have asked for MSDN Subscriptions instead of the TechNet subscription so that they could access application software available within Visual Studio. It would be great if they replaced the TechNet Subscription with MSDN. I'd seriously consider returning to teaching some application courses. 

I actually backed off teaching some application courses simply because it cost so much to get Visual Studio. At $6119 for Visual Studio Premium with MSDN, it becomes a huge investment, especially when you compare it to the $349 for TechNet Professional.

Permanent?

If you want the TechNet Subscription, get it now. Microsoft might backpedal and change their mind later. They have quite a history of making U-turns. However, if they do change their mind, I doubt it'll be soon after August 31, 2013.