EH-Net
May 22, 2013, 10:23:14 PM

903
Ethical Hacking Discussions and Related Certifications / Physical Security / Re: Storing Passwords
on: July 21, 2010, 09:18:14 PM

Ew. Share permissions are trash. Those are left over from the Win9x days; they existed before NTFS permissions and attempted to provide a minimal level of security. It's often easiest to just give Everyone Full Control share permissions and then get granular with NTFS permissions. Trying to mix-n-match often leads to misconfigurations. Since accessing a share will use the most restrictive of the share and NTFS permissions, you won't have any surprises if you get the NTFS permissions right. There might be some instances where you'd want to provide more restrictive share permissions, but they're very rare since people are usually accessing files exclusively over the network and not working locally.
It's pretty weak you can't get your own share that only you have access to. That's really not asking for that much IMHO...

904
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Learning and never enough time!
on: July 21, 2010, 09:11:14 PM

I've spent more hours in the last week behind a computer than most normal people would spend in 2 months. That is certainly part of it. I described what I "do for fun" for someone who asked the other day, and they condescendingly replied, "So you just sit in front of a computer all the time?" The other part is having a genuine interest in the material. A lot of the guys I work with hate that there is an expectation that they should be putting in time outside of work to improve their knowledge/skills. There is clearly some ill will that I put up 2-3 certs per quarter while they don't even do that in a year. I also don't have cable and spend a good portion of my leisure time tinkering with security stuff. Nothing I do is magic or special. I guess another part would probably be biting the bullet and being able to learn things you don't want to. I'm also not a fan of a lot of the BS managerial aspects of security, but I get stuck working with a lot of that too. I'm doing my first formal policy review this week, and in addition to a lot of other research and review I've done in advance, I read an entire security policy book during my flight on Monday. I'm extremely ADHD and hated every page of it, but it needed to be done. I've done similar things with risk management, IT audits, BCP/DRP, vendor management, etc. And for the record, I think it would take me at least two years of intense study to even come close to sil's level of expertise. That's one of the reasons I love these types of forums and mailing lists. I'm competitive and OCD, so having exposure to these individuals really pushes me to better myself. I'll never be the best, but I'm definitely going to try, and I'll be much further along than had I just progressed as I felt like it.

908
Ethical Hacking Discussions and Related Certifications / Malware / Re: Zer0-Day Attacks Notification?
on: July 19, 2010, 09:15:38 PM

My personal view on what is considered "0day" is to have a good Extrusion Detection System in place. See, the issue with NI[DP]S and HI[DP]S is that most signature-based ones fail and only catch low-level attackers. Remember, they're looking for low-hanging fruit most of the time and set off so many alarms, they deserve to be caught and beaten with a cluestick. The "skillful" attackers and those who seriously want to get in WILL get in and often will get in without tripping an alarm.
Does this mean you won't/can't see them? Not really. With an EDS (Extr. Detect. Sys) you can build a strong baseline to see what's LEAVING your network as opposed to the Internet meteorites coming into your network. Wanna play a game? Throw a machine online with full logging on a firewall. Log ANYTHING and EVERYTHING connecting to that box. I guarantee you that you will see hundreds if not THOUSANDS of constant attacks. Is it someone out to get you? Not likely, a lot of it will be residual. Do you want to waste your time and money looking into this? You CAN'T stop that from "knocking" on your door. On the flip side you CAN control what leaves your network.

Sil, I think you're making the mistake of assuming everyone is as skilled as you. A zero-day may be sold to someone simply looking to increase his botnet numbers in order to send spam or perform DDoS attacks. These attacks may be amateur, common, and noisy. While I don't think you should rely on those systems by any means, I wouldn't necessarily write them off as being worthless either. I agree 100% on the extrusion detection. That's what I was getting at with egress filtering, but that really doesn't capture the essence of what's involved.
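As an added illustration of the egress-baseline idea discussed in the post above (example code added here, not code from the original thread or from anyone quoted in it), the following Python builds a baseline of what each internal host normally sends out, then flags outbound connections that were never seen during the baseline period. The log lines are constructed in a simplified netfilter-style syslog format, and the internal address ranges are assumed to be the RFC 1918 networks; both are assumptions to adapt to a real firewall.

```python
"""Extrusion (egress) baseline detection over constructed firewall log lines."""
import re
from ipaddress import ip_address, ip_network

# Assumption: a simplified iptables/netfilter-style syslog line. Adapt LOG_RE to your firewall's format.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?"
)

# Assumption: RFC 1918 ranges are "inside"; everything else is the Internet.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed "known-good" period: what the hosts normally do (web, DNS). The inbound line is noise.
BASELINE_LOGS = [
    "Jul 19 20:01:02 fw kernel: OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=443",
    "Jul 19 20:01:05 fw kernel: OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=80",
    "Jul 19 20:02:11 fw kernel: OUT=eth0 SRC=10.0.0.7 DST=8.8.8.8 PROTO=UDP DPT=53",
    "Jul 19 20:02:30 fw kernel: IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22",
]

# Constructed live traffic: one normal line, two never-before-seen outbound flows, one inbound "knock".
LIVE_LOGS = [
    "Jul 20 03:14:15 fw kernel: OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=443",
    "Jul 20 03:14:20 fw kernel: OUT=eth0 SRC=10.0.0.5 DST=198.51.100.23 PROTO=TCP DPT=6667",
    "Jul 20 03:15:00 fw kernel: OUT=eth0 SRC=10.0.0.7 DST=198.51.100.23 PROTO=TCP DPT=25",
    "Jul 20 03:15:30 fw kernel: IN=eth0 SRC=198.51.100.77 DST=10.0.0.7 PROTO=TCP DPT=445",
]


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the assumed internal networks."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Extract src, dst, proto and destination port from one log line; None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def outbound(lines):
    """Yield only flows leaving the network: internal source talking to an external destination."""
    for line in lines:
        rec = parse_line(line)
        if rec and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            yield rec


def build_baseline(lines):
    """Record which (host, protocol, port) services and which external destinations are normal."""
    services, destinations = set(), set()
    for rec in outbound(lines):
        services.add((rec["src"], rec["proto"], rec["dpt"]))
        destinations.add(rec["dst"])
    return {"services": services, "destinations": destinations}


def detect_anomalies(lines, baseline):
    """Flag outbound flows whose service tuple or destination was absent from the baseline."""
    alerts = []
    for rec in outbound(lines):
        reasons = []
        if rec["dst"] not in baseline["destinations"]:
            reasons.append("new-destination")
        if (rec["src"], rec["proto"], rec["dpt"]) not in baseline["services"]:
            reasons.append("new-service")
        if reasons:
            alerts.append({**rec, "reasons": sorted(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(LIVE_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"{alert['src']} -> {alert['dst']} {alert['proto']}/{alert['dpt']}: {', '.join(alert['reasons'])}")
```

Inbound "knocks" are deliberately dropped before any comparison, which is the point the post makes: the baseline is about what leaves, and only a small, reviewable number of outbound deviations surface, instead of the thousands of inbound hits a fully logged firewall collects.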

911
Ethical Hacking Discussions and Related Certifications / General Certification / Re: GIAC practice exams
on: July 18, 2010, 09:07:08 AM

The last 10 questions (I believe) in my exam involved me connecting to a virtual lab via a Java app to use tools/perform attacks to get the information necessary to answer the questions. It took about 5-10 seconds for the screen to refresh with the smallest amount of information, so I just skipped them and guessed at those remaining ones. You didn't have that?
I didn't expect there to be overlap between the practice exams and the actual exam. I guess what I was asking was, did you feel it was worthwhile to buy the additional exam, or was it a lot of what you already covered in the other two?

912
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Career Path
on: July 16, 2010, 08:17:06 AM

I'd take some time and really figure out which direction you want to go in. Windows? *nix? Programming? Networking (Cisco/Juniper)? Databases? Web apps? You're really going to flounder and spin your wheels if you try to proceed with finding some direction.
I'd hold off on certs until you're ready to commit to something. If you just want to land a help-desk type job to get your foot in the door, check out the MCDST/MCITP:EST.

913
Ethical Hacking Discussions and Related Certifications / General Certification / Re: GIAC practice exams
on: July 16, 2010, 08:16:04 AM

Congratulations on the pass!
I've never used the practice exams I've had (time constraints). Did you find them all to be fairly unique, or was there overlap in the questions between them? i.e. did you feel the additional purchase was worth it?
What were your thoughts on the difficulty of the exam? It ended up being easier than I expected, but I've heard others really struggle with it. It obviously depends on your background.
Did you have any trouble with the lab at the end? I know myself and others have just skipped that section because the performance was so bad.

915
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Learning and never enough time!
on: July 14, 2010, 01:42:49 PM

I'm all about maximizing my study time. I love podcasts when in transit, exercising, and so on. http://www.getmon.com/ has a lot of security podcasts, and I use japanesepod101.com for my language studies (there are a lot of other 101s, so see if they have one for the language you're interested in). I also have an account only for security news on twitter, and I can kill a few minutes waiting in line or wherever and catch up on those on my iPhone. The Anki flashcard utility is also gold, and I use that on my PCs and iPhone as well. I definitely like the self-recorded note idea. I'll have to work that into the rotation. I'll also have to find some sexy-sounding chica to record them for me, so they'll be more interesting.