InfoSec Information Security, CISSP Prep, IA Community Blog

White House Asks Public for Game Changing Cyber security Ideas

2010-05-19T12:40:00.001-07:00

UPDATE: White House asks public for game changing cybersecurity ideas
BY EMILY LONG

The Obama administration will open next week a web-based forum to discuss a cybersecurity research and development agenda, according to a notice published in the Federal Register…

http://www.nextgov.com/nextgov/ng_20100514_8658.php?oref=rss?zone=itsecurity

@CheriSigmon

Lieberman's Cybersecurity Bill Leans On Buying Power

2010-05-19T11:40:00.001-07:00

[REPRINT] From Nextgov.com: Lieberman's cybersecurity bill leans on buying power
By Aliya Sternstein

Measure would require acquisition officers to learn about security vulnerabilities in technology products in

an effort to use the government's vast purchasing power to push vendors to provide more secure solutions.

Get the full story: http://www.govexec.com/story_page.cfm?articleid=45297

Executive Coach: They Can Handle the Truth

2010-03-18T09:20:00.001-07:00

Executive Coach: They Can Handle the Truth
By Scott Eblin

Taking your career to the next level.

Wednesday, March 17

When I'm conducting feedback for a client one of the things I really like to hear from the direct reports is something like, "My manager shares information with us that other managers don't share with their teams. That helps us make better decisions and do better work." The flip side of what makes me happy is that every direct report should be singing the praises of their manager sharing information with them. When you treat people like adults, they usually respond like adults. Most people can handle the truth and resent it when they feel like they're being played. See full article here: http://blogs.govexec.com/executivecoach/

This applies to cybersecurity and other professionals. Your comments are welcome!

Cybersecurity Pros Receive Salary Bump, Hiring to Increase

2010-03-10T12:41:00.001-08:00

Cybersecurity Pros Receive Salary Bump, Hiring to Increase

The hiring managers surveyed in the U.S. said that they're looking

for candidates with specific skills in these top five categories:

operations security;

access control systems and methodology;

information risk management;

applications and system development security;

and security architecture and models.

More than half of the professionals surveyed in

the U.S. received salary increases in 2009...

(#Cybersecurity Jobs)

SOURCE: clearancejobs.com

Outlook Bright for Federal IT {Security} Jobs

2010-03-08T13:48:00.001-08:00

Wired Workplace: Outlook Bright for Federal IT Jobs (Repost)

Report says the need for technology {cybersecurity} professionals within the federal government remains strong.

A new survey finds that even in the tough economy, the job outlook for information security professionals within the federal government remains strong… (ISC)2's 2010 Career Impact Survey, which interviewed nearly 3,000 information security professionals worldwide, including 668 respondents in the U.S. government, found that nearly 61 percent of federal respondents who identified themselves as having hiring abilities said they were looking to hire permanent and/or contract employees in 2010. Of those hiring, 51 percent said they plan to hire three or more information security professionals this year. Despite these hiring projections, however, nearly 54 percent of hiring managers said their biggest hiring challenge was finding candidates with the right skills...

See full column at GovExec here: http://www.govexec.com/dailyfed/0310/030810ww.htm

The Human Element Complicates Cybersecurity

2010-03-05T10:15:00.001-08:00

COMMENTARY (REPRINT)

The Human Element Complicates Cybersecurity

The human factor remains one of the great impediments to improving cybersecurity - By Johnnie Hernandez Mar 03, 2010

Cyberspace is an untamed frontier. Data networks everywhere remain vulnerable to cyber threats. As Rep. Michael McCaul (R-Texas) recently pointed out, virtually every sector of cyberspace faces danger, including the U.S. military.

Congressional hearings on cybersecurity have revealed that most federal networks have been hacked, McCaul said. Many attacks are classified as espionage, with foreign countries stealing government information. One data dump was equivalent in size to the Library of Congress.

"I hope as with 9/11 we don't turn a blind eye & have a denial-of-service attack before we address this issue," McCaul said.

Legislation passed in early February by the House could go a long way toward addressing the issue. McCaul and Rep. Daniel Lipinski (D-Ill.) are the primary sponsors of the Cybersecurity Enhancement Act of 2009, which would dedicate federal funds toward beefing up cybersecurity in the public and private sectors. The Senate is considering similar legislation.

Yet despite the congressional focus on cybersecurity, all the money, software and hardware in the world can't entirely ward off cybersecurity threats. One nontechnology factor greatly impedes cybersecurity: the human factor.

We are the weak link in the chain. Too many people think they can just throw technology at the problem, but that alone is not the answer.

If people don't follow consistent, well-defined security policies and procedures — and undergo regular cybersecurity training and exercises — then an organization's networks and data won't be safe.

Being human is our greatest strength and our greatest weakness. We are capable of developing the most innovative technical solutions for protecting a network, but if those solutions are not installed, configured and maintained properly, they will not be effective. Worse yet, they will give a false sense of protection.

In a recent report, the International Institute for Strategic Studies, a British think tank, warned of the peril of cyber warfare.

"Despite evidence of cyberattacks in recent political conflicts there is little appreciation internationally of how properly to assess cyber conflict," said John Chipman, director-general of the institute. "We are now, in relation to the problem of cyber warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war."

The recently released Quadrennial Defense Review and proposed Defense Department budget for fiscal 2011 emphasize cyber defense. For instance, the budget request supports establishment of the U.S. Cyber Command, which will organize and standardize DOD cyber defense practices.

Military outfits are fully aware of human shortfalls when it comes to cybersecurity, so they regularly conduct training in realistic settings. However, those military organizations can't undertake so-called live fire exercises without risking an actual network meltdown.

In recent times, simulators — made by a number of companies, including ours — have been employed to train defenders of military and government data networks. The best example of this is an exercise known as Bulwark Defender. Each year, the military services and government agencies practice their tactics, techniques and procedures against unknown cyber enemies intent on stealing critical information and creating havoc on our networks. This is all accomplished within the safety of a nonoperational global network used to regularly train, certify and exercise network operators.

The network is known as the Joint Cyberspace Operations Range. The range, which has been used since 2002, is run by the Air Force Network Integration Center at Scott Air Force Base, Ill. It has trained thousands of network operators and defenders; during the past three years, it's been the underlying structure for Bulwark Defender.

We must develop and build new and smarter security technology and architectures in addition to defining and documenting security policies and processes. We must remain vigilant against cyber terrorism, cyber crime and cyber mischief.

However, until we take humans out of the loop, we will have to deal with our human inadequacies.

About the Author: Johnnie Hernandez is chief executive officer of EADS North America Defense Security & Systems Solutions Inc.

Brought to You By @SecurityQ http://twitter.com/SecurityQ

DoD Embraces Ethical Hacker Certification (CEH) to Protect US Interests

2010-03-05T08:28:00.001-08:00

United States Department of Defense Embraces Hacker Certification to Protect US Interests -2010-03-01

CEH is now formally integrated into the certification requirements for U.S. DoD IA Workforce

The U.S. Department of Defense (DoD) announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification program as a new baseline skills requirement for U.S.cyber defenders. Specifically, the new Certified Ethical Hacker program is required for the DoD's computer network defenders (CND's), a specialized personnel classification within the DoD's information assurance workforce.

The Certified Ethical Hacker requirement falls under the auspices of DoD Directive 8570 Information Assurance Workforce Improvement Program. The current version (incorporating Change 2) was signed by Assistant Secretary of Defense, John G. Grimes and was officially instated on February 25, 2010. Directive 8570 provides clear guidance to information assurance training, certification and workforce management across all components of the DoD.

The CND groups protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

With this directive, military service, contractors, and foreign employees across all job descriptions must show 100-percent compliance with the new Certified Ethical Hacker training requirement by 2011. This shows the DoD's focus on better training and preparation of the U.S. military workforce in this area.

The Certified Ethical Hacker qualification tests the certification holder's knowledge in the mindset, tools and techniques of a hacker, fortifying it's certification tag line: "To beat a hacker, you must think like one."

"CEH has been selected due to the immense technical and tactical nature of the certification," said Jay Bavisi, co-founder and president of EC-Council. "It is one of the most technically advanced certifications on the directive for CND professionals. In fact, it is the only certification approved across four out of the five categories to prepare the CND teams. While other policy-based programs add value, CEH prepares the U.S. CNDs to combat hackers in real time, defending U.S. interests globally."

Bavisi added: "We have been researching this space for quite some time and with this mandate from the DoD, there has never been a better time for us to beat the hackers at their own game. We are racing to research complex hacker techniques and in the next release of our CEH program, we hope to showcase in over 150 modules, detailed and extremely complex attack and countermeasures that will help raise the level of knowledge of the CND teams."

KEY FACTS:

CEH is now formally integrated into the certification requirements for U.S. DoD IA Workforce

CEH is now required for CND Analyst, CND Infrastructure Support, CND Incident Responder, and CND Auditor as defined by Directive 8570

Newly revised DoD 8570 is available at http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

More information about EC-Council and Directive 8570 can be found at https://www.eccouncil.org/about_us/dod_8570.aspx

For more information about EC-Council, visit the website: www.eccouncil.org

What Defense Recruiters Want (REPRINT)

2010-03-05T08:05:00.001-08:00

The following article makes excellent points, especially if you are a cybersecurity professional who is seeking employment now…

What Defense Recruiters Want

By Dona DeZube for ClearanceJobs.com - August 20, 2009

If corporate recruiters had only one word to describe the perfect job candidate…, it would be "honest."

"It's hard to say who's perfect," says Jessica Heilmann, senior recruiting manger for 3Di Technologies, LLC, Annapolis, Maryland. "The candidates I like best are honest and say what they want up front and what they're truly looking for. Don't say you'll move to Montana if you won't."

And don't say you have security clearances you don't have, as one recent job seeker did, she adds. That candidate came out of the military in 2004 and moved into stateside civilian work. He told Heilmann he was Ready Reserve and thought he had some kind of clearance, but didn't know what his status was. "My security officer checked and he didn't have one [a clearance]," she says. "I find it interesting when people have no idea of the status of their clearance. It's mysterious and unless you have a facility security officer (FSO) you have no way to find out."

Barbara Kalman, CEO of Kalman & Company, a Virginia Beach government contracting services firm, agrees. She likes candidates who neither over-inflate, nor understate their abilities. "The best thing is to be honest about your capabilities," she says.

Among the dishonest resumes Kalman has received was one from an applicant who claimed to have a military logistics background, yet knew nothing about logistics and another who claimed to have a degree from a university he hadn't attended.

Kalman, who hires for secure, technical positions, always checks the facts on the resumes she receives. "There are a lot of people unemployed right now, but the jobs we have are specific in background and educational needs, so it's not like I can randomly hire people," she says. "We check background, resume and references."

As a small business owner, Steven Mackie, president of Storage Strategies, Inc., a Springfield, Virginia data storage and engineering company, says he looks for candidates who are honest about their career goals. "What recruiters want are candidates who know what they want to do," he says.

He estimates that 20 percent of the applicants he hears from are teachers, former military and government employees who don't have a specific job target and are looking for any job in the Department of Defense (DoD) contracting arena because they think there are lots of open jobs in that field they can fit into.

Meanwhile, he's hiring from among the 80 percent of candidates who know what direction they want their career to take and the next job they want. "I look for an objective up front that supports what you want to do," he adds, "and enough horsepower in education, experience and qualifications to get there."

In addition to being able to clearly represent your skills and clearance, Richard Mazelsky, president of Clovis, a Bethesda, Maryland recruitment firm, suggests you think about the type of company culture where you'll be effective.

"Do you want to be in an environment where you have to report to a project plan lead once a week, or have a team directing your activities? Do you need to find the work intellectually stimulating?" he says. "You really have to do an assessment around fit."

Sticking to the truth about yourself and your career needs will ensure that your next position is the right one for you. "Nothing is worse for the candidate than to be placed in a situation where you're not capable or you're asked to do something you're not comfortable with," Mazelsky says. "It doesn't fare well for the candidate or the company."

Got Clearance? Got More Money

2010-03-01T08:15:00.001-08:00

Wired Workplace:

Got Clearance? Got More Money

A new survey shows that security-cleared IT professionals earn as much as 12 percent more in salary.
See full column here: http://www.govexec.com/dailyfed/0310/030110ww.htm

“Cyber Corps” - like Peace Corps?

2010-03-01T04:48:00.001-08:00

What do you think of this idea from a colleague?

Establish a "Cyber Corps" - set up like the Peace Corps - for cyber monitoring and early alerts, as well as for educational purposes. Students studying cyber security would be a community asset (but not in terms of cyber war or cyber defense). The purpose would be training for future cyber warriors while concurrently helping their community. The cyber corps tasks could be to monitor and report, and to provide sensing and early warning, etc.

Rationale: Since students must reproduce scenarios in a lab anyway, why not place them in a real environment with white or gray hats instructing?

Your thoughts, please?

InfoSec News, First Global Effort: US Secret Service, Italian Post Form Cyber-Crime Task Force

2009-08-04T00:42:00.000-07:00

US Secret Service, Italian Post Form Cyber-Crime Task Force
— The US Secret Service, the Italian Post Office and the postal division of the Italian police are teaming up to fight transnational cyber-crime as the Rome-based European Electronic Crimes Task Force (EECTF).

It will be the first - and long overdue - task force designed to fight cyber crimes outside the United States and will use as its model the Electronic Crimes Task Force the Secret Service created in America.

-@CheriSigmon via @jaimechanaga

CISSP Exam this weekend

2009-05-22T00:08:00.000-07:00

Many are taking the CISSP Exam this weekend. Good luck!

Don't forget to take brain-food snacks for the duration (up to six hours). You should be able to bring a beverage with a LID and a lunch or snacks for breaks. Do take your breaks.

Relax... Stay loose. Do your best. Let us know how it goes!

Let's connect on Twitter

2009-03-11T18:29:00.000-07:00

Let's connect on Twitter:

http://www.Twitter.com/CheriSigmon

AT&T, T-Mobile Fined For Voice-Mail Security

2008-12-15T14:13:00.000-08:00

AT&T, T-Mobile Fined For Voice-Mail Security

After a string of high-profile hacks, the Los Angeles district attorney has filed an injunction against the carriers for overstating the security of their voice-mail systems.

(By Marin Perez, InformationWeek, December 12)

AT&T (NYSE: T) and T-Mobile have paid fines and agreed to stop advertising that their voice-mail systems are safe from hackers. In a permanent injunction filed in a Los Angeles court Thursday, District Attorney Steve Cooley said the wireless operators were overstating how secure their voice mails are. The settlements are the culmination of year-long investigation that was launched after multiple complaints of unauthorized voice-mail access, including some from celebrities Paris Hilton and Lindsay Lohan.

For full story, see Information Week.

Online game demons are far from virtual

2008-09-02T21:30:00.000-07:00

See "Online game demons are far from virtual," an article in the Baltimore sun. Interesting reading.

http://www.baltimoresun.com/technology/bal-bz.ml.consuming31aug31,0,5912300.column

Got Access?

2008-08-18T03:25:00.000-07:00

Got Access?

http://www.cherisigmon.com?GotAccess

White Hat Penetration Testing, Pen Testers, InfoSec,

2008-03-23T17:41:00.000-07:00

WhiteHat Sentinel, a non-intrusive way to pen test applications (no affiliation).

Link: http://www.whitehatsec.com

8 Tips To Avert ID Theft During Tax Time (MarketWatch article)

2008-03-12T02:36:00.000-07:00

Sorry I haven't posted in a while... I've been very busy at work and I actually took a couple of fun trips to Florida. Good morning! Here are some handy tips at tax time, with a view to avoiding Identity Theft. See this article at MarketWatch (USA):

"Eight tips to avert ID theft during tax time" - MarketWatch - USA

For added security use certified mail. Permanently shred unsecured documents from your computer that contain personal information used to prepare your tax...

http://www.marketwatch.com/news/story/eight-ways-avert-id-theft/story.aspx?guid=%7BC51C7BDB-40C1-45FF-B78A-077310E44DAE%7D

Marketing Your InfoSec Consulting Practice

2008-01-17T23:55:00.000-08:00

http://internetmarketingexplained.com/x.php?af=425288

InfoSec business and speaker in Phoenix... ISSA connection

2008-01-07T14:36:00.000-08:00

If you're in Phoenix or you need an InfoSec speaker to come to your area, see this web site: Sapphire Security

The owner is the President of the ISSA Phoenix Chapter.

Protect yourself,
Cheri Sigmon
ISSA-NoVA

New Squidoo Lens - InfoSec CISSP

2008-01-07T01:57:00.000-08:00

Check out my new Squidoo lens:

http://www.squidoo.com/infosecissp

Exploitation Kits Revealed - Mpack

2008-01-07T01:56:00.000-08:00

Exploitation Kits Revealed - Mpack
Category: Malicious Code. SANS Information Security Reading Room -

http://www.sans.org/reading_room/

Evaluating a new course on blogging from Simpleology...

2008-01-04T00:24:00.000-08:00

I'm evaluating a
multi-media course on blogging from the folks at Simpleology. For a while, they're letting you snag it for free if you post about it on your blog.

It covers:

The best blogging techniques.
How to get traffic to your blog.
How to turn your blog into money.

I'll let you know what I think once I've had a chance to check it out. Meanwhile, go grab yours while it's still free... - Regards, Cheri

Passwords - Windows, MySQL, other articles

2007-12-17T04:47:00.000-08:00

1. Resetting a Lost MySQL PasswordBy Yaakov Ellis Due to my inexperience administering anything having to do with Linux, while trying to reset the root password, I accidentally put in some bad information into the password field (I forgot to use the password() function to generate ...Ellis Web - http://ellisweb.net/

2. HMRC advertises for security expertsBy dizzy(dizzy) Interesting job advert for "IT Security Risk Consultants", working in a Government department, mostly in Essex at the location of HMRC offices. So much for security procedures being in place and just not being followed. ...Dizzy Thinks - http://dizzythinks.net/

3. Show your Windows users the strength of their passwords as they type and change them! Filter your users new passwords, and enforce strong ones! NO MORE WEAK PASSWORDS!Digg / Security / upcoming - http://digg.com/security

Enjoy reading.

Regards,
Cheri

New Article about Online Security...

2007-12-13T02:13:00.001-08:00

Just posted a new short article about Online Security at this URL:

http://JITVideos.info/OnlineSecurity.html

Upcoming Global InfoSec Events (you can earn CPE's)...

2007-12-11T16:16:00.000-08:00

Here are some upcoming InfoSec Events around the globe:

1. SEMAFOR Security, Management, Audit Forum
22-23 January 2008
Hotel Marriott, Warsaw, Poland

2. John Colley, Managing Director of (ISC)2 EMEA, will be among the numerous Information Security Professionals to deliver a presentation at the second SEMAFOR Forum on January 22-23.

3. Infosecurity Italia
5-7 February 2008
Fieramilanocity, Milan, Italy

Earn CPEs at Italy’s most important and comprehensive information security exhibition. The event features informative conference sessions along with a top-level continuing education program devoted to information management as well as an exhibit featuring the latest technologies and solutions. Visit (ISC)2 at booth E22.

4. Secur Middle East Congress
18-19 February, 2008
JW Marriott Hotel, Dubai, UAE

Join (ISC)2 at this 2-Day conference covering the latest developments in securing wireless technology, identification and authentication, hacking and threat counter-measures, network security for corporate defense, and enterprise and security architecture. (ISC)2 members are offered a 15% discount and can earn up to 12 CPEs.

5. Infosecurity Belgium21-22 March 2008Brussels Kart, Brussels, Belgium

Visit (ISC)2 at stand C075 and earn CPEs by attending the seminar tracks at this 2-Day event. This year, (ISC)2 will be offering the opportunity to take certification exams (CISSP, SSCP, and concentration exams) at the event on 21 March, 2008. For registration information, please visit (ISC)2 's web site (http://www.isc2.org/).

Perhaps you can attend one of these events. (I'm not "affiliated" with any event, (ISC)2 corporate, event sponsors, or companies). This is a non-commercial post, provided as a simple courtesy to fellow IA professionals across geographic boundaries.

Regards,
Cheri Sigmon, CISSP

---

Summary: The Domains of the Common Body of Knowledge (CBK) for CISSP and SSCP certs

2007-12-11T15:57:00.000-08:00

Part A, CISSP knowledge areas

These are the Common Body of Knowledge (CBK) "Ten Domains" WRT the CISSP certification:

1. Access Control

2. Application Security

3. Business Continuity and Disaster Recovery Planning

4. Cryptography

5. Information Security and Risk Management

6. Legal, Regulations, Compliance, and Investigations

7. Operations Security

8. Physical (Environmental) Security

9. Security Architecture and Design

10. Telecommunications and Network Security

---

Part B, SSCP knowledge areas

Here are the Common Body of Knowledge (CBK) "Seven Domains" WRT the SSCP certification:

1. Access Control

2. Analysis and Monitoring

3. Cryptography

4. Malicious Code and Other Attacks

5. Networks and Telecommunications

6. Risk, Response, and Recovery

7. Security Operations and Administration

I hope this helps you, as a brief introduction. For details, go directly to the source, (ISC)2. ;-)

NOTE: WRT training options, I personally found the "Yellow Book" and the CISSP Prep Guide by Shon Harris to be the most helpful, along with a 10-week study group via the Information Systems Security Association, (ISSA), http://www.issa-nova.org/ and http://www.issa-hr.org/

Regards,
Cheri Sigmon, CISSP

Annc: (ISC)2 Special Events and Offers for InfoSec professionals

2007-12-11T15:47:00.000-08:00

For the latest special events and offers from (ISC)2, see this announcement:

InfoSec Special Events and Offers (Follow the links below for more details):

1. Advanced Certification Review Classes

2. The Ultimate Self-Study Package

3. (ISC)2 eLearning CPEs

4. Global events from (ISC)2

5. The Official (ISC)2 Guide to the CISSP® CBK®

NOTE: I am not affiliated with (ISC)2, except as a certified professional. This information is provided merely for your convenience, and I receive no profits from sharing this with you...

Regards,
Cheri Sigmon, CISSP

p.s. Next, I'll give you a list of the 10 domains in the Common Body of Knowledge (CBK), for those who are interested in getting started with the certification process. See the next post...

Welcome to the InfoSec and CISSP Community Blog...

2007-12-09T03:02:00.000-08:00

Welcome to the InfoSec and CISSP Community Blog...

If you are planning to take the CISSP exam or you have already been certified for the CISSP information security (InfoSec) certification by (ISC)2, this is the place for you.

Also, it is intended for people who just want to learn more about information security and good security practices in order to protect themselves and their loved ones, etc. Your feedback, files, and posts are welcome.

See these links:

1. If you want to prepare for the exam: (ISC)2 http://www.isc2.org/ and CCCure http://www.cccure.org/

2. If you want to watch InfoSec YouTube videos on demand:

http://www.jitvideos.info/

Regards,
Cheri Sigmon, CISSP
Blogger: InfoSec