  Show Posts
91  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certificate of Cloud Security Knowledge (CCSK) Review on: December 14, 2011, 11:52:32 PM
If only the material was superb and/or a lot of jobs required the certification!

But I'll let you know if I find any more certs like this!
92  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certificate of Cloud Security Knowledge (CCSK) Review on: December 14, 2011, 05:57:27 PM
Wow, nothing?  I'll make sure to pick a more interesting topic to review next time.
93  Ethical Hacking Discussions and Related Certifications / Other / Re: 64-Bit Linux Swap Partition Size Recommendation on: December 13, 2011, 02:14:55 PM
Thanks eth3real, I think I'll add a 2 or 4 gig partition to be safe.

If I decide to triple boot Backtrack, OpenSuse and Windows 7, can Backtrack and OpenSuse use the same swap partition?  I assume so, but I've never had 2 Linux installations before.
94  Ethical Hacking Discussions and Related Certifications / General Certification / Certificate of Cloud Security Knowledge (CCSK) Review on: December 13, 2011, 02:10:09 PM
I decided to write a review of the material I went through for the Certificate of Cloud Security Knowledge (CCSK) offered by the Cloud Security Alliance (CSA).  This is not a complete review, as I have not gone through all the material, nor have I taken the exam.  When I first learned of this certification a few months ago, I couldn't find much (useful) information on it, so I decided to post a review for anyone else who might be curious.  Also, this is my first review, so I'm sorry if it sucks.  More information on the CCSK can be found here:

https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/

I came across this certification a couple of months ago, and it seemed interesting.  The startup I'm working for focuses on cloud security, plus the cert is backed by the CSA, so it looked really useful.  I'm not one to get a new cert just to add letters to my resume (otherwise I would've gotten a CEH!), but if I can learn new skills and topics then that's what I'm concerned with.  Given that this certification is so new, having it on a resume probably won't help pass an HR screen (a search of Monster and Dice returned no job mentioning a CCSK), but I was hopeful that the stuff I learned for the CCSK might be beneficial for the technical portion of an interview.   Plus it seemed relatively simple to achieve for a few reasons:

1. The certification exam questions come entirely from 2 freely available documents, no need to pay for an expensive class to get the material.
2. The exam only costs $295 and the voucher doesn't expire.  You can pay for it now and take it in a year.
3.  The exam can be taken from home, no need to go to a testing center.
4.  You get two chances to take the exam, if you fail the first time, you can take it again without having to pay an additional fee.

Now on to the material.

The CCSK certification tests knowledge from 2 documents, the first of which is this:

http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

A 76-page document written by the CSA which presents the 13 domains tested by the certification.  The first "domain" is really just an overview of cloud computing which provides some useful material, such as characteristics of cloud computing and the differences between public and private clouds.  While useful, the standard Wikipedia article on cloud computing is easier to understand and is more thorough.  If you didn't know what cloud computing was before reading this, I doubt you'd fully understand it after.

The remaining 12 domains are:
1. Governance and enterprise risk management
2. Legal and electronic discovery
3. Compliance and audit
4. Information lifecycle management
5. Portability and interoperability
6. Traditional security, business continuity and disaster recovery
7. Data center operations
8. Incident response, notification and remediation
9. Application security
10. Encryption and key management
11. Identity and access management
12. Virtualization

I won't discuss each domain, but each section basically breaks down like this: A sentence or two about the security risks associated with a given domain, followed by a little discussion of how the security risks are greater for cloud computing than a typical environment.  Lastly bullet-point recommendations are given to help resolve/reduce the security concerns.  Note: All recommendations given are for businesses who are shopping around for a cloud service provider.  THIS CERTIFICATION DOES NOT PROVIDE ANY GUIDELINES FOR SECURING YOUR OWN CLOUD INFRASTRUCTURE.  After going through the material, I now think about it as sort of a buyer's guide for organizations looking to use cloud services.

Bottom line: Are the recommendations useful?  Yes, there are suggestions like "ensure that an organization has the right to audit their cloud service provider" or "make sure that the VM images given by the provider are trusted."  And then there are various recommendations that state "Make sure you put [SOME CLAUSE] in the contract."  These are all important and should definitely be considered when choosing a cloud provider.  But honestly, making sure things are in the contract and the right to audit should typically always be considered when using any third-party service.  It seems like the majority of these recommendations, while useful, are not specific to cloud computing.  While there are a few that pertain to cloud computing, such as "make sure you have the right to perform a vulnerability assessment on your applications hosted by the cloud provider", these seem to be in the minority.  And I understand that not everything should be cloud-specific, I was just assuming/hoping that there would be more emphasis on cloud computing-specific issues.

The second document for the CCSK is the following:

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

A 125-page document written by the European Network and Information Security Agency (ENISA). I have not read this document yet.  Apparently only 10% of the CCSK certification exam comes from this document (Probably because the CSA wrote the first document and they're the ones offering the certification!)  Most of the people I found on the Internet who earned this cert didn't really read this and were still able to pass.  Browsing through it, it seems similar to the first document, although honestly, it looks to be organized in a better manner than the first, which leads me to believe there might be less repetition.  If I ever decide to take the exam, I'll definitely go through this to see what I can learn even though I probably won't be tested on it.

The Exam
I have not taken the exam.  While I did learn some useful things, I don't necessarily believe I learned enough to justify earning a certification.  Still for those interested, here is information on the test:

1. 50 multiple choice questions with a 1-hour time limit
2. Need 80% to pass, can retake it once for free, so 2 chances to pass
3. 70% of the exam is on the CSA document, 20% on the ENISA, and 10% on applied knowledge from material on both
4. You can use the PDFs during the exam

Summary
So did I learn something?  Yes.  Did I learn about cloud security issues?  Yes, but only in terms of security policy issues that occur when a business uses a cloud provider, and because of that, a lot of the material seems as if it would apply to a business using any sort of third-party provider/contractor.  So the information is definitely useful, but (in my opinion) not very cloud-specific.  That, combined with a lot of repetition, left me feeling that cloud security was unfortunately not the focus of the material.

If anyone wants to go through the material, I would suggest reading the first domain of the CSA document, and then just the opening paragraphs of the subsequent domains without the recommendations.  This way you might get the feeling that it's actually a guide for cloud security policy, instead of just a buyer's guide for businesses interested in cloud computing.
 
Pros:
1. Simple, straightforward material that is freely available
2. Useful information in regards to the security policy implications a business faces when using a cloud service provider
3. Gives some useful policy recommendations that can apply to a number of areas, not just cloud computing
4. Test is cheap, can be taken from home, and you get two chances to pass

Cons:
1. Repetitive
2. Some material (in particular many of the policy recommendations) are not very cloud-specific
3. Structure of the material seems to put more emphasis on the recommendations, which (in my opinion), can make it feel more like a "cloud computing buyer's guide" as opposed to a security certification
4. Non-technical, policy-only certification (which I suppose could be a plus depending on your interests)
5. No information for a cloud service provider that wants to secure their own cloud infrastructure
6. New, so no jobs listings mention it

References:
https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/
http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
https://cloudsecurityalliance.org/CCSK-prep.pdf

I hope this review is useful, let me know if anyone has any questions.
95  Ethical Hacking Discussions and Related Certifications / Other / Re: 64-Bit Linux Swap Partition Size Recommendation on: December 13, 2011, 08:53:03 AM
I'm primarily going to use it as an attacking machine.  So running John the Ripper, nmap, Nessus, Metasploit, etc.  In fact, I'm considering either triple booting OpenSuse, Backtrack 5, and Windows.  Or I might just use Backtrack instead of OpenSuse.

I also tend to have a lot of Firefox tabs open, which I know uses up a lot of memory in Windows at least.
96  Ethical Hacking Discussions and Related Certifications / Other / 64-Bit Linux Swap Partition Size Recommendation on: December 12, 2011, 11:39:26 PM
So I've finally decided to setup a dual-boot for OpenSuse x64 and Windows 7 on my new notebook.  (I've been running OpenSuse in a VM just because I like that my new system can run multiple VMs simultaneously!)

I was wondering, what should the size of the swap partition be?  I used to make it double the amount of RAM, so when I had 512 MB I made it 1 gig.  But now I have 8 gigs of RAM, which would make the swap 16 gigs, which seems too big.  I've never used a 64-bit version of Linux before, so does anyone have any suggestions as to how big the swap should be with 8 gigs of RAM?  Also, my OpenSuse system will be on an SSD drive if that matters.

I did a Google search on this first and (surprisingly) didn't really come up with any useful tips.
97  Ethical Hacking Discussions and Related Certifications / Programming / Re: Ruby and Python on: December 10, 2011, 05:44:02 PM
I don't know, I haven't found any books on scripting languages I like yet!
98  Resources / Career Central / Re: New Year New Start new Course on: December 10, 2011, 05:42:39 PM
Here's what I recently posted on eCPPT:

I highly recommend the eCPPT, for the cost it is probably the best entry level web hacking course/certification.   If you want to get into web penetration testing, but don't have much knowledge or experience, take the course.  There are 3 sections to the eCPPT: web, network, and system security.  The system section is all Windows-based, so they'll teach you how to write drivers, rootkits and buffer overflow exploits for Windows, which is pretty cool, but if you're not into Windows, then that probably won't be very useful to you.  The web section, however, is awesome and I highly recommend it, provided you don't really have any web security experience.  If you already know how to perform advanced XSS and SQL Injection exploits, the eCPPT is probably not for you.  Also, the actual final exam for the eCPPT only really tests the section on web security.

Also, eCPPT is $599 with a 5% discount for EH members, while the lowest cost of OSCP is $750 and up.
99  Ethical Hacking Discussions and Related Certifications / Programming / Re: Ruby and Python on: December 10, 2011, 05:34:28 PM
Personally, I'm not a big fan of O'Reilly programming books.  They're all about syntax, with no useful examples.  I haven't read the Ruby book, but I went through the Python book, and although I "understood" everything, I found it somewhat hard to start my first program.  A syntax book would be useful if I was porting something from one language to another, but if I'm trying to learn and understand a new language, I like more examples.

But honestly, everyone's different.  In my experience, as far as programming books go, the style/approach of the book is just as important as the material.  If you can learn Python and Ruby just by looking at syntax, then maybe those books will work for you.

You might want to check your library and see what kind of books they have.  Even if you can't find anything superb, it might help you realize what style of book would work best for you before you shell out 25-35 bucks for something that got good reviews on Amazon.
100  Ethical Hacking Discussions and Related Certifications / Hardware / Re: First Rack Suggestions/Help on: December 09, 2011, 06:15:38 PM
Here are pictures of my rack setup.  Power strip/surge protector on the bottom, three 2950 switches above that, with the routers on top.  The 1841 is just sitting on top, and a 4-port serial-to-USB adapter on top of that.  It really isn't slanted very much, so I'm not afraid of things sliding off.  It's very small, only about 2 feet tall, a lot smaller than I thought it was going to be.

101  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Which cert should i take? CEH / CPTE / CPT / OSCP / eCPPT on: December 07, 2011, 01:00:50 AM
I'll tell you what I just told my friend about eCPPT:

I highly recommend the eCPPT, for the cost it is probably the best entry level web hacking course/certification.   If you want to get into web penetration testing, but don't have much knowledge or experience, take the course.  There are 3 sections to the eCPPT: web, network, and system security.  The system section is all Windows-based, so they'll teach you how to write drivers, rootkits and buffer overflow exploits for Windows, which is pretty cool, but if you're not into Windows, then that probably won't be very useful to you.  The web section, however, is awesome and I highly recommend it, provided you don't really have any web security experience.  If you already know how to perform advanced XSS and SQL Injection exploits, the eCPPT is probably not for you.  Also, the actual final exam for the eCPPT only really tests the section on web security.

Lastly, there is no time limit for when you need to take the eCPPT exam.  I went through all 3 sections in 5 months and then took the exam.
102  Resources / Career Central / Re: Contract Positions That Will Lead to Pentesting on: December 05, 2011, 04:15:10 PM
As for the positions with audit/policy jobs, well yes, some of those might not be that fun.  It won't generally get you too much direct experience, but it will get you experience knowing the policies and procedures that might help you understand what controls may be in place during a pen test.  Compliance != Security.  Knowing what is required for compliance is valuable since many companies/organizations will not go beyond the base requirements.  Plus the work is not too stressful since you are not the one required to fix the issues, you just need to report them.  You may also work alongside a pen tester who will be called in by request for additional testing of the findings.

I'm just worried that not only will the boring policy job cut into my time to learn the fun stuff, but also I don't know if I'll want to come home and learn more on my own after doing boring work all day.

I've just started working on my CCNA, so now I know the answer to that question.  I actually like it when I get asked interview questions that I don't know the answers to, it gives me new topics to study.  So the more interviews I fail, the smarter I'll become...
103  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: I'm GWAPT, baby! on: December 05, 2011, 03:34:23 PM
Way to go, I'm hoping to be a SANS volunteer for GWAPT here in Phoenix in February.  Hopefully I'll get it and then I can join your ranks.
104  Resources / Career Central / Re: Contract Positions That Will Lead to Pentesting on: December 04, 2011, 05:29:50 PM
I've read Web Application Hacker's Handbook (1st ed), which I didn't find all that useful.  Most of the concepts I'd already learned in my master's program.  I'm currently starting the Art of Exploitation and the Metasploit Penetration Tester's Guide, these books are more up my alley, with hands-on examples of the topics.

Besides EH, I visit Packet Storm and ExploitDB regularly.

I really wanted to take OSCP after I finished eCPPT in August, but these past few months have been busy, and I didn't think I'd have the time to properly focus on OSCP since I hear it is so intense.  I've just started working on my CCNA, and once I finish that, I plan to start on OSCP.  Plus I'll have finished the Metasploit and Art of Exploitation books by then, which should help in the class.

I also submitted an application to be a volunteer for SANS here in Phoenix in February so I can take GWAPT for a cheap price.  I doubt I'll get it, but it can't hurt to try.
105  Resources / Career Central / Contract Positions That Will Lead to Pentesting on: December 04, 2011, 12:08:50 AM
Lately, I've been getting a number of calls about various security-related contract positions, mostly policy or audit-type jobs.  Now my goal is to get a full-time pentesting position, so I haven't really given these policy contract positions much thought since I don't think they'll give me the experience needed to be a pentester (and by that I mean, they won't give me the knowledge needed to pass a pentesting interview).

Some background on me, I have a master's in information security, a great GPA, and over 10 years of IT and software development experience.  My security-related experience is limited to one internship, and my current position of doing part-time, unpaid website pentesting for a small startup company.  My resume is good enough that I receive callbacks for 80% of the jobs I apply for, but my problem is actually passing the subsequent interview rounds as I don't know the answers to certain technical questions due to my lack of experience.  So my idea for the past year has been to work on various certifications and classes like eCPPT and HackingDojo to try to gain knowledge so I can pass the technical parts of the interview.

As a result, I haven't really considered these audit or policy positions as I don't think they'll provide me with the answers to questions like "How many IPs are on a /23 network?" or "Where is libc located in Linux?"  I'd rather work on certifications and teach myself various things instead of working on policy stuff I don't care about.  Are there any types of contract positions (besides the obvious like network security, intrusion analysis, etc.) that I should be on the lookout for that would help me start a career as a pentester?

Thanks.