SHIFT HAPPENS Video (Technology in Perspective for Information Security Professionals, Consumers)

Shift Happens

Wednesday, May 19, 2010

White House Asks Public for Game-Changing Cybersecurity Ideas

UPDATE: White House asks public for game changing cybersecurity ideas
BY EMILY LONG

The Obama administration will open next week a web-based forum to discuss a cybersecurity research and development agenda, according to a notice published in the Federal Register.

http://www.nextgov.com/nextgov/ng_20100514_8658.php?oref=rss?zone=itsecurity

@CheriSigmon

Lieberman's Cybersecurity Bill Leans On Buying Power

[REPRINT] From Nextgov.com: Lieberman's cybersecurity bill leans on buying power
By Aliya Sternstein

Measure would require acquisition officers to learn about security vulnerabilities in technology products in an effort to use the government's vast purchasing power to push vendors to provide more secure solutions.

Get the full story: http://www.govexec.com/story_page.cfm?articleid=45297

Thursday, March 18, 2010

Executive Coach: They Can Handle the Truth

Executive Coach: They Can Handle the Truth
By Scott Eblin

Taking your career to the next level.

Wednesday, March 17

When I'm conducting feedback for a client one of the things I really like to hear from the direct reports is something like, "My manager shares information with us that other managers don't share with their teams.  That helps us make better decisions and do better work." The flip side of what makes me happy is that every direct report should be singing the praises of their manager sharing information with them. When you treat people like adults, they usually respond like adults. Most people can handle the truth and resent it when they feel like they're being played. See full article here: http://blogs.govexec.com/executivecoach/

This applies to cybersecurity and other professionals. Your comments are welcome!

Wednesday, March 10, 2010

Cybersecurity Pros Receive Salary Bump, Hiring to Increase

Cybersecurity Pros Receive Salary Bump, Hiring to Increase

The hiring managers surveyed in the U.S. said that they're looking for candidates with specific skills in these top five categories: operations security; access control systems and methodology; information risk management; applications and system development security; and security architecture and models.

More than half of the professionals surveyed in the U.S. received salary increases in 2009...

(#Cybersecurity Jobs)

SOURCE: clearancejobs.com

Friday, March 5, 2010

The Human Element Complicates Cybersecurity

COMMENTARY (REPRINT)

The Human Element Complicates Cybersecurity

The human factor remains one of the great impediments to improving cybersecurity - By Johnnie Hernandez Mar 03, 2010

Cyberspace is an untamed frontier. Data networks everywhere remain vulnerable to cyber threats. As Rep. Michael McCaul (R-Texas) recently pointed out, virtually every sector of cyberspace faces danger, including the U.S. military.

Congressional hearings on cybersecurity have revealed that most federal networks have been hacked, McCaul said. Many attacks are classified as espionage, with foreign countries stealing government information. One data dump was equivalent in size to the Library of Congress.

"I hope as with 9/11 we don't turn a blind eye & have a denial-of-service attack before we address this issue," McCaul said.

Legislation passed in early February by the House could go a long way toward addressing the issue. McCaul and Rep. Daniel Lipinski (D-Ill.) are the primary sponsors of the Cybersecurity Enhancement Act of 2009, which would dedicate federal funds toward beefing up cybersecurity in the public and private sectors. The Senate is considering similar legislation.

Yet despite the congressional focus on cybersecurity, all the money, software and hardware in the world can't entirely ward off cybersecurity threats. One nontechnology factor greatly impedes cybersecurity: the human factor.

We are the weak link in the chain. Too many people think they can just throw technology at the problem, but that alone is not the answer.

If people don't follow consistent, well-defined security policies and procedures — and undergo regular cybersecurity training and exercises — then an organization's networks and data won't be safe.

Being human is our greatest strength and our greatest weakness. We are capable of developing the most innovative technical solutions for protecting a network, but if those solutions are not installed, configured and maintained properly, they will not be effective. Worse yet, they will give a false sense of protection.

In a recent report, the International Institute for Strategic Studies, a British think tank, warned of the peril of cyber warfare.

"Despite evidence of cyberattacks in recent political conflicts there is little appreciation internationally of how properly to assess cyber conflict," said John Chipman, director-general of the institute. "We are now, in relation to the problem of cyber warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war."

The recently released Quadrennial Defense Review and proposed Defense Department budget for fiscal 2011 emphasize cyber defense. For instance, the budget request supports establishment of the U.S. Cyber Command, which will organize and standardize DOD cyber defense practices.

Military outfits are fully aware of human shortfalls when it comes to cybersecurity, so they regularly conduct training in realistic settings. However, those military organizations can't undertake so-called live fire exercises without risking an actual network meltdown.

In recent times, simulators — made by a number of companies, including ours — have been employed to train defenders of military and government data networks. The best example of this is an exercise known as Bulwark Defender. Each year, the military services and government agencies practice their tactics, techniques and procedures against unknown cyber enemies intent on stealing critical information and creating havoc on our networks. This is all accomplished within the safety of a nonoperational global network used to regularly train, certify and exercise network operators.

The network is known as the Joint Cyberspace Operations Range. The range, which has been used since 2002, is run by the Air Force Network Integration Center at Scott Air Force Base, Ill. It has trained thousands of network operators and defenders; during the past three years, it's been the underlying structure for Bulwark Defender.

We must develop and build new and smarter security technology and architectures in addition to defining and documenting security policies and processes. We must remain vigilant against cyber terrorism, cyber crime and cyber mischief.

However, until we take humans out of the loop, we will have to deal with our human inadequacies.

About the Author: Johnnie Hernandez is chief executive officer of EADS North America Defense Security & Systems Solutions Inc.

Brought to You By @SecurityQ http://twitter.com/SecurityQ

DoD Embraces Ethical Hacker Certification (CEH) to Protect US Interests

United States Department of Defense Embraces Hacker Certification to Protect US Interests -2010-03-01

CEH is now formally integrated into the certification requirements for U.S. DoD IA Workforce

The U.S. Department of Defense (DoD) announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification program as a new baseline skills requirement for U.S. cyber defenders. Specifically, the new Certified Ethical Hacker program is required for the DoD's computer network defenders (CNDs), a specialized personnel classification within the DoD's information assurance workforce.

The Certified Ethical Hacker requirement falls under the auspices of DoD Directive 8570, Information Assurance Workforce Improvement Program. The current version (incorporating Change 2) was signed by Assistant Secretary of Defense John G. Grimes and was officially instated on February 25, 2010. Directive 8570 provides clear guidance on information assurance training, certification and workforce management across all components of the DoD.

The CND groups protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

With this directive, military service, contractors, and foreign employees across all job descriptions must show 100-percent compliance with the new Certified Ethical Hacker training requirement by 2011. This shows the DoD's focus on better training and preparation of the U.S. military workforce in this area.

The Certified Ethical Hacker qualification tests the certification holder's knowledge of the mindset, tools and techniques of a hacker, fortifying its certification tag line: "To beat a hacker, you must think like one."

"CEH has been selected due to the immense technical and tactical nature of the certification," said Jay Bavisi, co-founder and president of EC-Council. "It is one of the most technically advanced certifications on the directive for CND professionals. In fact, it is the only certification approved across four out of the five categories to prepare the CND teams. While other policy-based programs add value, CEH prepares the U.S. CNDs to combat hackers in real time, defending U.S. interests globally."

Bavisi added: "We have been researching this space for quite some time and with this mandate from the DoD, there has never been a better time for us to beat the hackers at their own game. We are racing to research complex hacker techniques and in the next release of our CEH program, we hope to showcase in over 150 modules, detailed and extremely complex attack and countermeasures that will help raise the level of knowledge of the CND teams."

KEY FACTS:

CEH is now formally integrated into the certification requirements for U.S. DoD IA Workforce

CEH is now required for CND Analyst, CND Infrastructure Support, CND Incident Responder, and CND Auditor as defined by Directive 8570

Newly revised DoD 8570 is available at http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

More information about EC-Council and Directive 8570 can be found at https://www.eccouncil.org/about_us/dod_8570.aspx

For more information about EC-Council, visit the website: www.eccouncil.org

What Defense Recruiters Want (REPRINT)

The following article makes excellent points, especially if you are a cybersecurity professional who is seeking employment now…

What Defense Recruiters Want

By Dona DeZube for ClearanceJobs.com - August 20, 2009

If corporate recruiters had only one word to describe the perfect job candidate…, it would be "honest."

"It's hard to say who's perfect," says Jessica Heilmann, senior recruiting manager for 3Di Technologies, LLC, Annapolis, Maryland. "The candidates I like best are honest and say what they want up front and what they're truly looking for. Don't say you'll move to Montana if you won't."

And don't say you have security clearances you don't have, as one recent job seeker did, she adds. That candidate came out of the military in 2004 and moved into stateside civilian work. He told Heilmann he was Ready Reserve and thought he had some kind of clearance, but didn't know what his status was. "My security officer checked and he didn't have one [a clearance]," she says. "I find it interesting when people have no idea of the status of their clearance. It's mysterious and unless you have a facility security officer (FSO) you have no way to find out."

Barbara Kalman, CEO of Kalman & Company, a Virginia Beach government contracting services firm, agrees. She likes candidates who neither over-inflate, nor understate their abilities. "The best thing is to be honest about your capabilities," she says.

Among the dishonest resumes Kalman has received was one from an applicant who claimed to have a military logistics background, yet knew nothing about logistics, and another who claimed to have a degree from a university he hadn't attended.

Kalman, who hires for secure, technical positions, always checks the facts on the resumes she receives. "There are a lot of people unemployed right now, but the jobs we have are specific in background and educational needs, so it's not like I can randomly hire people," she says. "We check background, resume and references."

As a small business owner, Steven Mackie, president of Storage Strategies, Inc., a Springfield, Virginia data storage and engineering company, says he looks for candidates who are honest about their career goals. "What recruiters want are candidates who know what they want to do," he says.

He estimates that 20 percent of the applicants he hears from are teachers, former military and government employees who don't have a specific job target and are looking for any job in the Department of Defense (DoD) contracting arena because they think there are lots of open jobs in that field they can fit into.

Meanwhile, he's hiring from among the 80 percent of candidates who know what direction they want their career to take and the next job they want. "I look for an objective up front that supports what you want to do," he adds, "and enough horsepower in education, experience and qualifications to get there."

In addition to being able to clearly represent your skills and clearance, Richard Mazelsky, president of Clovis, a Bethesda, Maryland recruitment firm, suggests you think about the type of company culture where you'll be effective.

"Do you want to be in an environment where you have to report to a project plan lead once a week, or have a team directing your activities? Do you need to find the work intellectually stimulating?" he says. "You really have to do an assessment around fit."

Sticking to the truth about yourself and your career needs will ensure that your next position is the right one for you. "Nothing is worse for the candidate than to be placed in a situation where you're not capable or you're asked to do something you're not comfortable with," Mazelsky says. "It doesn't fare well for the candidate or the company."

Monday, March 1, 2010

Got Clearance? Got More Money

Wired Workplace: Got Clearance? Got More Money

A new survey shows that security-cleared IT professionals earn as much as 12 percent more in salary.

See full column here: http://www.govexec.com/dailyfed/0310/030110ww.htm

“Cyber Corps” - like Peace Corps?

What do you think of this idea from a colleague?

Establish a "Cyber Corps" - set up like the Peace Corps - for cyber monitoring and early alerts, as well as for educational purposes. Students studying cyber security would be a community asset (but not in terms of cyber war or cyber defense). The purpose would be training for future cyber warriors while concurrently helping their community. The cyber corps tasks could be to monitor and report, and to provide sensing and early warning, etc.

Rationale: Since students must reproduce scenarios in a lab anyway, why not place them in a real environment with white or gray hats instructing?

Your thoughts, please?

Tuesday, August 4, 2009

InfoSec News, First Global Effort: US Secret Service, Italian Post Form Cyber-Crime Task Force

US Secret Service, Italian Post Form Cyber-Crime Task Force
The US Secret Service, the Italian Post Office and the postal division of the Italian police are teaming up to fight transnational cyber-crime as the Rome-based European Electronic Crimes Task Force (EECTF).

It will be the first - and long overdue - task force designed to fight cyber crimes outside the United States and will use as its model the Electronic Crimes Task Force the Secret Service created in America.


-@CheriSigmon via @jaimechanaga

Friday, May 22, 2009

CISSP Exam this weekend

Many are taking the CISSP Exam this weekend. Good luck!

Don't forget to take brain-food snacks for the duration (up to six hours). You should be able to bring a beverage with a LID and a lunch or snacks for breaks. Do take your breaks.

Relax... Stay loose. Do your best. Let us know how it goes!

Wednesday, March 11, 2009

Let's connect on Twitter

Let's connect on Twitter:

http://www.Twitter.com/CheriSigmon

Monday, December 15, 2008

AT&T, T-Mobile Fined For Voice-Mail Security

AT&T, T-Mobile Fined For Voice-Mail Security

After a string of high-profile hacks, the Los Angeles district attorney has filed an injunction against the carriers for overstating the security of their voice-mail systems.

(By Marin Perez, InformationWeek, December 12)

AT&T (NYSE: T) and T-Mobile have paid fines and agreed to stop advertising that their voice-mail systems are safe from hackers. In a permanent injunction filed in a Los Angeles court Thursday, District Attorney Steve Cooley said the wireless operators were overstating how secure their voice mails are. The settlements are the culmination of a year-long investigation that was launched after multiple complaints of unauthorized voice-mail access, including some from celebrities Paris Hilton and Lindsay Lohan.

For full story, see Information Week.

Tuesday, September 2, 2008

Online game demons are far from virtual

See "Online game demons are far from virtual," an article in the Baltimore Sun. Interesting reading.

http://www.baltimoresun.com/technology/bal-bz.ml.consuming31aug31,0,5912300.column

Monday, August 18, 2008

Got Access?

Got Access?

http://www.cherisigmon.com?GotAccess

Sunday, March 23, 2008

White Hat Penetration Testing, Pen Testers, InfoSec

WhiteHat Sentinel, a non-intrusive way to pen test applications (no affiliation).

Link: http://www.whitehatsec.com

Wednesday, March 12, 2008

8 Tips To Avert ID Theft During Tax Time (MarketWatch article)

Sorry I haven't posted in a while... I've been very busy at work and I actually took a couple of fun trips to Florida. Good morning! Here are some handy tips at tax time, with a view to avoiding Identity Theft. See this article at MarketWatch (USA):

"Eight tips to avert ID theft during tax time" - MarketWatch - USA

For added security use certified mail. Permanently shred unsecured documents from your computer that contain personal information used to prepare your tax...

http://www.marketwatch.com/news/story/eight-ways-avert-id-theft/story.aspx?guid=%7BC51C7BDB-40C1-45FF-B78A-077310E44DAE%7D

Thursday, January 17, 2008

Monday, January 7, 2008

InfoSec business and speaker in Phoenix... ISSA connection

If you're in Phoenix or you need an InfoSec speaker to come to your area, see this web site: Sapphire Security

The owner is the President of the ISSA Phoenix Chapter.

Protect yourself,
Cheri Sigmon
ISSA-NoVA

New Squidoo Lens - InfoSec CISSP

Check out my new Squidoo lens:

http://www.squidoo.com/infosecissp

Exploitation Kits Revealed - Mpack

Exploitation Kits Revealed - Mpack
Category: Malicious Code. SANS Information Security Reading Room -

http://www.sans.org/reading_room/

Friday, January 4, 2008

Evaluating a new course on blogging from Simpleology...

I'm evaluating a multi-media course on blogging from the folks at Simpleology. For a while, they're letting you snag it for free if you post about it on your blog.

It covers:

  • The best blogging techniques.
  • How to get traffic to your blog.
  • How to turn your blog into money.

I'll let you know what I think once I've had a chance to check it out. Meanwhile, go grab yours while it's still free... - Regards, Cheri

Monday, December 17, 2007

Passwords - Windows, MySQL, other articles

1. Resetting a Lost MySQL Password, by Yaakov Ellis: Due to my inexperience administering anything having to do with Linux, while trying to reset the root password, I accidentally put in some bad information into the password field (I forgot to use the password() function to generate ... Ellis Web - http://ellisweb.net/

2. HMRC advertises for security experts, by dizzy: Interesting job advert for "IT Security Risk Consultants", working in a Government department, mostly in Essex at the location of HMRC offices. So much for security procedures being in place and just not being followed. ... Dizzy Thinks - http://dizzythinks.net/

3. Show your Windows users the strength of their passwords as they type and change them! Filter your users' new passwords, and enforce strong ones! NO MORE WEAK PASSWORDS! Digg / Security / upcoming - http://digg.com/security
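To make item 3 concrete, here is an added example (mine, not code from the Digg item or from any tool linked above) of the checks a password filter of that kind performs before it accepts a new password: a minimum length, a character-class rule waived for long passphrases, a ban on fragments of the account or full name, a denylist lookup that survives the usual "P@ssw0rd1" leet and trailing-digit dodges, and a crude entropy estimate for an as-you-type meter. The denylist, the thresholds and the user names in it are assumptions chosen for illustration; a real deployment would load a breached-password list instead.

```python
import math
import re
import string

# Constructed denylist standing in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12          # assumed policy threshold
PASSPHRASE_LENGTH = 20   # at or above this length the character-class rule is waived

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Common leet substitutions undone before the denylist lookup, so "P@ssw0rd" is caught.
LEET = str.maketrans("@$0!3", "asoie")


def estimate_entropy_bits(password: str) -> float:
    """Brute-force entropy: length * log2(pool), pool = union of classes used.
    Overestimates dictionary words; the denylist check covers that gap."""
    pool = 0
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            pool += len(chars)
    if any(all(c not in chars for chars in CHAR_CLASSES.values()) for c in password):
        pool += 32  # rough allowance for spaces and non-ASCII characters
    return len(password) * math.log2(pool) if pool else 0.0


def _name_tokens(username: str, full_name: str) -> list:
    """Account name and name parts of 3+ characters that must not appear in
    the password (mirrors the Windows complexity rule)."""
    tokens = [username] + re.split(r"[\s,.\-_]+", full_name)
    return [t.lower() for t in tokens if len(t) >= 3]


def check_password(password: str, username: str = "", full_name: str = "") -> dict:
    """Apply the policy; return {'ok': bool, 'bits': float, 'reasons': [...]}."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes_used = sum(1 for chars in CHAR_CLASSES.values()
                       if any(c in chars for c in password))
    if len(password) < PASSPHRASE_LENGTH and classes_used < 3:
        reasons.append("uses fewer than 3 of: lower, upper, digit, symbol")
    lowered = password.lower()
    for tok in _name_tokens(username, full_name):
        if tok in lowered:
            reasons.append(f"contains account/name fragment {tok!r}")
    # Strip trailing digits/punctuation, undo leet, then look up the core word.
    core = lowered.rstrip(string.digits + string.punctuation).translate(LEET)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("matches a common password")
    if re.search(r"(.)\1{2,}", password):
        reasons.append("has a character repeated 3+ times in a row")
    return {"ok": not reasons,
            "bits": round(estimate_entropy_bits(password), 1),
            "reasons": reasons}


def strength_label(password: str, username: str = "", full_name: str = "") -> str:
    """What an as-you-type meter would show: a policy failure trumps entropy."""
    result = check_password(password, username, full_name)
    if not result["ok"]:
        return "rejected"
    if result["bits"] < 40:
        return "weak"
    if result["bits"] < 60:
        return "fair"
    return "strong"


if __name__ == "__main__":
    # Constructed sample inputs for the hypothetical user jsmith / John Smith.
    for pw in ["P@ssw0rd1", "Smith-Autumn-2010!", "correct horse battery staple"]:
        r = check_password(pw, "jsmith", "John Smith")
        print(f"{pw!r}: {strength_label(pw, 'jsmith', 'John Smith')} "
              f"({r['bits']} bits) {r['reasons']}")
```

The point of ordering the checks this way is that the entropy meter alone rates "P@ssw0rd1" as fair (four character classes, 94-symbol pool), which is exactly why a meter that only counts classes gives users false comfort; the denylist lookup on the normalised core word is what actually rejects it, while the class rule is waived above 20 characters so that a plain-word passphrase with far more entropy is not refused.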

Enjoy reading.

Regards,
Cheri

Thursday, December 13, 2007