One of my colleagues needed to open a large XML file (nearly a gigabyte in size) to review the data and make corrections to it. She tried Notepad++ as well as Microsoft XML Notepad 2007. It took minutes to load the file, and she could barely scroll through the page. I searched for a free and open-source tool that would do the job and came across GNU Emacs. It is a powerful editor for the GNU operating system. GNU Emacs for Windows is also available for download, and it works like a charm.
To get a copy of GNU Emacs for Windows, you can visit http://ftp.gnu.org/gnu/emacs/windows/ and download the latest version for your platform. For example, on my 64-bit Windows 10 system with an Intel processor, I downloaded emacs-26.3-x86_64.zip. I unzipped the folder at my desired location (C:\Program Files\Emacs) and browsed to the bin folder to launch emacs.exe. I also created a desktop shortcut to emacs.exe. This editor opened that large XML file without any hesitation. It was easy to work on. I helped my colleague set up this editor on her workstation. She got very excited as she was able to work on the file effortlessly. I am sure you will find this editor exciting too when you run into the same issue my colleague ran into.
I cleared the CISSP exam on the first attempt last week. I have been working in the technology area for 10 years now in several roles (from an Engineer-level position to a Director-level position). I went through the following resources in sequential order.
Cybrary CISSP Free Online course by Kelly Handerhan : This gave me a quick overview of CISSP course. [Spent roughly 30 hours here.]
CISSP by Shon Harris : Read first four domains. I got in-depth knowledge of those four domains. [Spent about 20 hours here.]
Simple CISSP by Phil Martin (Audio Book): Great to listen during lunch, workouts and drive-time. [Spent about 30 hours here. Listened to some sections multiple times.]
Spent some time going over r/cissp comments. Saw lots of advice that the CISSP exam is more about management-based questions and less about knowledge-based questions. I decided to focus more on the 'WHY' factors of all the security domains, rather than trying to memorize every technical detail and number.
I set a 60-day goal to appear for the exam and registered for the test.
During the first 50 days, I read the CISSP Official 7th edition book cover to cover, word by word, highlighting the areas that I felt were crucial. I also completed the CISSP Official Practice Tests during those days. [Spent roughly 2 hours each day; 1 hour during the work lunch and 1 hour at home]
Next 7 days, I read Eleventh Hour CISSP study guide by Eric Conrad.
During the last three days, I reviewed all of the highlights I had made in the CISSP Official 7th Edition book and the summaries/quizzes at the end of each chapter.
Got enough sleep and rested before the exam.
During the test, I planned to finish 40 questions during the first hour, 50 questions during the second hour and 60 questions during the third hour. Since the CISSP exam is an adaptive test and you can't go back to correct answers, I wanted to make sure I carefully read and answered the top 100 questions. I kept track of the number of questions I had answered approximately every 30 minutes and made sure I was on track.
The majority of the questions were scenario-based, and I had to think from the management perspective to answer them. It was a terrifying experience to go through those questions. I had to remind myself several times not to worry but to focus on the questions and on what I would do as a CIO or CISO while answering them. My test completed at 102 questions. And, sure enough, I passed the test.
I hope you find this information useful for your own CISSP journey. Best of Luck!
In my career, I have had opportunities to lead several large-scale change projects that would impact almost all the employees and customers of the organization. Switching out the legacy communication system, the Windows 10 roll-out, the Technology Refresh project, Business Process Automation, and the Paperless initiative, to name a few. When implementing a change, there is a mix of excitement and resistance. People are on an emotional roller coaster ride out there. In this article, I would like to share what we did to successfully implement those large-scale changes and also present a few frameworks that can be used as guidelines when implementing a change.
In my experience, with the stakeholders’ buy-in, top management support and proper planning, we got closer to the desired state a lot more easily in the transformation projects. We communicated the sense of urgency on why the change was necessary, built the guiding committee, got the right vision and strategy for the change effort, made people feel empowered, and created several smaller wins. We let the momentum build and continued making several waves of changes until the desired state was reached, and continued the effort until the new state became the new status quo. This process is not always easy, but it hasn’t failed for us yet either.
Each enterprise is unique in its own culture. Daily practices are embedded in its culture, and thus culture is incredibly resilient. Cultural transformation aims at making a fundamental change in business practices to adapt to a new, ever-changing competitive market. Cultural transformation via logic alone is not possible. People don’t welcome a change unless they see the rewards, see a clear message/vision for the transition, and feel empowered. Stakeholder buy-in and the support of senior management are crucial for a successful transformation.
There are some useful frameworks for cultural transformation which can be used as the guidelines for the successful transformation.
Kurt Lewin’s Three-Stage Change Model
This model provides a high-level fundamental approach to implement a change effort and make sure it sticks. Here are the three stages of Kurt Lewin’s change model:
Stage 1. Unfreeze the existing culture
An ice cube has to be melted before it can be transformed into a different shape. Similarly, for cultural transformation, people have to be ‘unfrozen’, as the natural tendency of many people is to resist change and stick to the old ways. Unfreezing is the process of spreading awareness and getting buy-in on why the status quo has to go and things have to be done differently. Storytelling can be a great tool to achieve this goal.
Stage 2. Implement the change
In this stage, the change becomes a reality. It has to be carefully planned and executed. Most people struggle with this new reality as they have to learn new ways of doing things. Professional development, communication, support and time are critical for people to become familiar with the change.
Stage 3. Refreeze the new culture before it rolls back to the old way
This is when the effort is made so that the new state continues despite the pull of the old ways, ensuring that people do not revert to their old ways of thinking or doing things.
Kubler-Ross’ Change Curve based on the Five Stages of Grief model
This model provides the emotional stages (Denial, Anger, Bargain, Depression & Acceptance) the people experience when faced with changes or loss. It helps to understand the stages of personal and organizational transitions. Some people will inadvertently be affected negatively by the change, particularly those who benefit from the status quo. Some people will feel threatened or insecure by the change. Some people may not believe in the change. The emotional component is crucial when considering the cultural transformation. An organization should support its employees in the process of making changes. If people feel that you are making it hard for them, they will push back and likely do something you don’t want.
John Kotter’s The Eight Steps Change Model
This model provides the eight critical steps for increasing the chances of successful change programs.
Step 1. Create urgency on why the change is crucial
Step 2. Form a powerful coalition to guide the transformation
Step 3. Develop the right vision and strategy for the change
Step 4. Communicate the vision to get the buy-in
Step 5. Empower people to act on the vision
Step 6. Plan for and create short-term wins
Step 7. Build on the change by creating waves of changes
Step 8. Anchor the changes in the culture to make sure the new state sticks.
Be resilient when embarking on the cultural transformation process, as the ride is going to be messy and full of surprises. Trusted relationships among the stakeholders, with a clear vision and responsibilities, are crucial. There will be several ups and downs, and the change process may fail. If it fails, it should be taken as a shared responsibility: learn from the failure and start again until the goal is achieved. There is a popular narrative that 70% of transformation programs fail. However, adopting a framework as guidance can help get closer to the desired state.
Let's say you have a Windows 10 PC and would like to set up Microsoft SQL Server for development and testing.
#Download the installer and install Docker for Windows
https://docs.docker.com/docker-for-windows/install/
(Caution: This is not for the production environment. It is only for the development and testing.)
#Switch Docker to Windows containers after the install
#It is an easy switch. Find the Docker tray icon in the taskbar > right-click > Switch to Windows Container
#To pull the Docker image from Docker Hub
#Use Windows PowerShell to run the Docker commands
docker pull microsoft/mssql-server-windows-developer
#To run the container using the pulled image
docker run -d -p 1433:1433 -e sa_password=Password1! -e ACCEPT_EULA=Y microsoft/mssql-server-windows-developer
#The above Docker command maps container port 1433 to host port 1433. Thus, the host IP address or gateway.docker.internal can be used in SSMS to gain access to the database. Credentials: Local Authentication, sa username and Password1! for the password.
#Password1! is only a sample value. Because the port is published on the host, where other machines may be able to reach it, set your own strong sa password.
#To check the currently running containers
docker ps
#To list all the containers
docker container ls --all
#To view the IP address of a Docker container (replace <container_id> with the ID shown by docker ps)
docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container_id>
#To stop the container
docker container stop <container_id>
#To start the container
docker container start <container_id>
#To remove the container
docker rm <container_id>
#To list the Docker images
docker image ls
#To download and restore a sample database from Microsoft
Visit https://docs.microsoft.com/en-us/sql/samples/adventureworks-install-configure?view=sql-server-ver15
Download one of the backup files you are interested in. Say you downloaded the Adventureworks.bak file to the c:\Downloads folder.
Copy the backup file to the MS SQL Server container. To copy the file from the local host to the container, you have to STOP the container first (<container_id> is the ID shown by docker ps).
docker container stop <container_id>
docker cp c:\Downloads\Adventureworks.bak <container_id>:c:\Users\Public\
Start the container. Now, follow the restore instructions provided at the earlier URL.
Disclaimer: I am writing this blog as a personal notebook for CISSP exam preparation. It shouldn't be used otherwise.
CISSP Common Body of Knowledge covers 8 domains.
WHY?
1. Security & Risk Management
WHAT?
2. Security of Asset
3. Security of Network and Communication
4. Security of Software and Development
HOW?
5. Assessment and Testing
6. Security Engineering
7. Security Operations
8. Identity and Auth Management
1. Security & Risk Management
WHY?
It is all about CIA (Confidentiality, Integrity and Availability), also referred to as AIC
HOW?
Administrative/Management(soft) Controls,
Technical (logical) Controls and
Physical/Operational Controls
Control Types:
Preventive
Detective
Corrective
Deterrent
Recovery
Understanding these terms is crucial:
Asset: What we are trying to protect
Vulnerability: Weakness or gap in our protection efforts
Threats: Anything that can exploit a vulnerability
Risk: The potential loss of an asset as a result of a threat exploiting a vulnerability. It is the intersection of the above three (Asset, Vulnerability and Threat)
Corrective Action: Assessing threats and identifying vulnerabilities is critical to understanding the risk to assets and taking appropriate corrective action.
Specifies the components/controls that need to be in place to have a complete security program
It is like a parts list.
2. Enterprise/Security Architecture Frameworks
Zachman, ToGAF, DoDAF, MoDAF, SABSA
It shows how to integrate those components/controls into the various layers (Executives, Business Managers, System Architects, Engineers, Technicians, Enterprise) within an organization.
It is a blueprint to follow when building something with those parts.
3. System Architecture
COBIT (private organizations), NIST SP 800-53 (Federal), COSO Internal Control
Defines how we can develop those components/controls
4. Process Development
Defines how to manage those components/controls
Process Management tools (ITIL, Six Sigma, CMMI/Capability Maturity Model Integration)
5. Process Life Cycle
Discuss how to keep the process up-to-date and healthy
4 steps process in cyclic order: Plan - Implement - Operate/Maintain - Evaluate
Let's see how these frameworks come into play. Suppose a company hires you to create a comprehensive security program. The first thing you would do is look up ISO 27000 as guidance to create an ISMS, which provides all the controls you should put in place. Then, you choose a security framework such as ToGAF to create the ISMS and start the Process Life Cycle.
You go in the planning phase. You gather the right people, identify what needs to be done and identify the possible solutions.
Then, you go to the implementation phase. You create blueprints and implement them. You continuously make sure framework attributes (Strategic alignment, Business Enablement, Process Enhancement) are being monitored to ensure success. At this point, you have selected and implemented various controls. The categorization of controls into administrative, technical & physical along with the functional grouping (such as preventive, deterrent, detective etc) will have been a great help.
Ideally, before going live, an external party audits your implementation; more than likely, the auditor will check your implementation against COBIT/NIST SP 800-53. They will find your shortcomings. Once you have addressed any audit shortcomings, you will enter the Maintain step.
At this point, you will want to manage the process using ITIL, Six Sigma or CMMI. This will help you in the Evaluate step, which then feeds back into Plan.
I love the Linux 'uniq -c' command because, run on sorted input, it returns all the unique values along with their occurrence counts.
I wanted to do the same in Google Sheets. This is how I do it.
Let's say I have a list of fruits in Column A. There are repetitions, and I would like to find the number of occurrences of each.
Step 1: Go to cell C1 and enter the formula '=UNIQUE(A:A)'. It returns all the unique items in Column A.
Step 2: Go to cell D1 and enter the header 'Count'. Go to cell D2 and enter the formula '=COUNTIF(A:A,C2)'. It counts the number of occurrences of the unique items listed in Column C.
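For comparison, the shell side of the same task, as an added example that is not part of the original post: uniq -c only merges adjacent duplicate lines, so the input has to be sorted first, and the awk variant keeps first-seen order the way UNIQUE does in Sheets. The function names and the fruit list are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample list (not from the original post), one item per line.
sample_fruits() {
    printf '%s\n' cherry apple banana apple banana apple
}

# Normalize uniq -c output ("      3 apple") to "3 apple".
tidy() {
    awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c, $0 }'
}

# Pitfall: on unsorted input uniq -c counts runs of adjacent lines,
# so the same value can show up several times with a count of 1.
count_runs() {
    uniq -c | tidy
}

# Usual form: sort first, then count, most frequent value first.
count_sorted() {
    sort | uniq -c | sort -k1,1nr | tidy
}

# Sheets-like form: values in order of first appearance (what UNIQUE
# returns), each with its total (what COUNTIF returns).
count_first_seen() {
    awk '!($0 in n) { order[++k] = $0 }
         { n[$0]++ }
         END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }'
}

echo "unsorted uniq -c:";  sample_fruits | count_runs
echo "sort | uniq -c:";    sample_fruits | count_sorted
echo "first-seen order:";  sample_fruits | count_first_seen
```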
Note: Make sure that you have perl-DBD-mysql, perl-DBI and perl installed. If those packages are missing, you can use YaST, YUM, ZYPPER or APT-GET to install them, depending on your distro.
Step 1: Create a Perl script that connects to the database and runs a query to show the full processlist. It then goes through each row of the SHOW FULL PROCESSLIST output and checks whether the process is a Query that has been running for over 300 seconds (5 minutes). If so, it kills that query.
/usr/local/bin # less killLongRunningSql.pl
use strict;
use warnings;
use DBI;
use DBD::mysql;

#MySQL connection
my $db_name = "YourDatabase";
my $db_connection = DBI->connect("DBI:mysql:$db_name","username","password") or die "Connection Error: $DBI::errstr\n";

#Execute query that shows the processlist
my $run_query = $db_connection->prepare("SHOW FULL PROCESSLIST");
$run_query->execute or die "SQL Error: $DBI::errstr\n";

#Columns of each row: 0=Id 1=User 2=Host 3=db 4=Command 5=Time 6=State 7=Info
#Declare @row array to store each row of above query being executed
my @row;
while (@row = $run_query->fetchrow_array()) {
    #Kill only statements (Command is Query) that have run longer than 300 seconds
    if ( defined $row[5] && $row[5] > 300 && $row[4] =~ /Query/ ) {
        my $killQuery = "KILL QUERY $row[0]";
        print "Query to be Executed: $killQuery\n";
        print "Process Info: $row[0] $row[1] $row[2] $row[4] $row[5]\n";
        #Run the KILL on the same connection that read the processlist
        my $killQueryExecute = $db_connection->prepare($killQuery);
        $killQueryExecute->execute;
    }
}
Step 2: Add the above script to cron so that it runs every minute.
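Before putting a job like this in cron, it helps to see which sessions the rule would hit. The following is an added example, not part of the original script: a dry run of the same rule (Command is Query, Time over the limit) over tab-separated SHOW FULL PROCESSLIST output, with a list of accounts that must never be killed. The sample rows, the function names and the protected-account list are assumptions made for illustration.

```shell
#!/bin/sh
# Input format: tab-separated rows as printed by
#   mysql --batch -e 'SHOW FULL PROCESSLIST'
# Columns: Id User Host db Command Time State Info

# Constructed sample rows (not real server output).
sample_processlist() {
    printf 'Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo\n'
    printf '11\tapp\t10.0.0.5:51000\tshop\tQuery\t742\tSending data\tSELECT o.id FROM orders o JOIN items i\n'
    printf '12\tapp\t10.0.0.5:51002\tshop\tSleep\t9000\t\tNULL\n'
    printf '13\tapp\t10.0.0.6:40210\tshop\tQuery\t12\texecuting\tUPDATE cart SET qty = 2\n'
    printf '14\tsystem user\t\tNULL\tQuery\t86400\tWaiting for more updates\tNULL\n'
    printf '15\troot\tlocalhost\tNULL\tQuery\t0\tstarting\tSHOW FULL PROCESSLIST\n'
    printf '16\tbackup\tlocalhost\tshop\tQuery\t1800\tSending data\tSELECT id FROM orders\n'
}

# Print one "KILL QUERY <id>;" per matching row, without executing anything.
# $1 = limit in seconds
# $2 = comma-separated accounts that must never be killed (assumption)
select_kills() {
    awk -F'\t' -v limit="$1" -v skip="$2" '
        BEGIN { n = split(skip, s, ","); for (i = 1; i <= n; i++) keep[s[i]] = 1 }
        # Skip the header, rows with a NULL Time and anything malformed:
        # Id and Time must be plain integers before Id is placed into SQL.
        $1 !~ /^[0-9]+$/ || $6 !~ /^[0-9]+$/ { next }
        # Exact match on Command, so idle (Sleep) connections are left alone.
        $5 == "Query" && $6 + 0 > limit + 0 && !($2 in keep) {
            print "KILL QUERY " $1 ";"
        }
    '
}

# Dry run: 5-minute limit, replication and backup accounts protected.
sample_processlist | select_kills 300 'system user,backup'
```

The output is SQL text only; nothing is killed until it is reviewed and fed to a mysql client.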