CISSP certification: The 3 states of data.

We need to protect our data as well as we can, regardless of where it is and whether it is in use or not.

  • Data has 3 states: we want to protect it as well as we can in each state.
    • Data at Rest (stored data):
      • This is data on disks, tapes, CDs/DVDs and USB sticks.
      • We use disk encryption (full/partial), USB encryption and tape encryption (avoid CDs/DVDs).
      • Encryption can be hardware or software encryption.
    • Data in Motion (data being transferred on a network):
      • We encrypt our network traffic end to end, on both internal and external networks.
    • Data in Use (we are actively using the files/data, so it cannot be encrypted):
      • Use good practices: a clean desk policy, a print policy, preventing ‘shoulder surfing’ (possibly with view-angle privacy screens for monitors), and locking the computer screen when leaving the workstation.
Continue Reading

IT Security – from “More open CISSP job openings, than the total number CISSP certified individuals in the US”

Cybersecurity Supply And Demand Heat Map

Cybersecurity talent gaps exist across the country. Closing these gaps requires detailed knowledge of the cybersecurity workforce in your region.

~300,000 open Cybersecurity jobs in the US today.

This interactive heat map provides a granular snapshot of demand and supply data for cybersecurity jobs at the state and metro area levels, and can be used to grasp the challenges and opportunities facing your local cybersecurity workforce.

There are currently more job openings in the US than there are CISSP certified individuals.

69,549 CISSP certified people and 76,336 job openings.


Continue Reading

CISSP certification: Thor Pedersen’s answer to “Is it a good idea to prepare for CISSP now?” – Quora

I think any time you are ready and you can dedicate the time you need to do it is good, so YES!

It will get you past the recruiter to the interview.

CISSP is a management level certification (1 mile wide, 1 inch deep).

CISSP is a lot more known, higher salary ranges than most other ITSec certificates.

When I did mine I did it as part of an IT security group of certificates. I took about 6 months, but it was part time (evenings/weekends), and I did a few in that time frame.
Since the curriculum overlaps a lot, I figured I would take 4 certifications with little extra effort.

Continue Reading

CISSP certification: Phishing and vishing.

Phishing, Spear Phishing and Whale Phishing (“fishing” spelled in hacker speak with Ph rather than F).

These are all types of social engineering: the attacker is trying to circumvent technical and administrative safeguards.

  • Phishing (social engineering email attack):
    • “Click to win”, “Send information to get your inheritance” …
    • Sent to hundreds of thousands of people; if just 0.02% follow the instructions they have 200 victims.
    • A public treasurer in Michigan sent $1.2m to Nigeria ($1.1m of taxpayer funds and $72,000 of his own).
  • Spear Phishing:
    • Targeted phishing: not just random spam, but aimed at specific individuals.
    • Sent with knowledge about the target (person or company); familiarity increases success.
  • Whale Phishing (Whaling):
    • Spear phishing targeted at the senior leadership of an organization.
    • This could be: “Your company is being sued if you don’t fill out the attached documents (with a Trojan in them) and return them to us within 2 weeks”.
  • Vishing (voice phishing):
    • Attacks over automated VOIP (Voice over IP) systems; bulk spam similar to phishing.
    • These are “Your taxes are due”, “Your account is locked” or “Enter your PII to prevent this” types of calls.
Continue Reading

IT Security – from (ISC)² “Is IT the solution to filling cybersecurity workforce gap?”

Is IT the solution to filling cybersecurity workforce gap?

Insights from the 2017 Global Information Security Workforce Study show that the IT players in your organization may be the key to filling the looming cybersecurity workforce gap. The survey was taken by 10,584 cyber and information security professionals in North America, and showed a projected 265,000 industry jobs will be left unfilled in 2022. Practitioners back up that data, with 68 percent indicating their organizations had too few security professionals. Filling a gap of that size with qualified professionals is daunting, but the help may already be in your organization in the information technology department. In North America, 87…


Continue Reading

CISSP certification: Hacktivism and state sponsored hacking.

Types of attackers:

  • Hacktivism/Hacktivist (hacker activist):
    • Hacking for political or socially motivated purposes.
    • Often aimed at ensuring free speech, human rights or the freedom of information movement.
    • Famous attacks: Anonymous – DDoS attacks on Visa, Mastercard and PayPal to protest the arrest of Julian Assange (WikiLeaks). Google/Twitter/SayNow worked together to provide communication for the Egyptian people when the government imposed an internet blackout during the 2011 protests.
  • Governments:
    • State sponsored hacking is common; the attacks are often seen happening between the hours of 9 and 5 in the attacker’s time zone, which suggests this is a day job.
    • Approximately 120 countries have been developing ways to use the internet as a weapon to target financial markets, government computer systems and utilities.
    • Famous attacks: US elections (Russia), Sony websites (N. Korea), Stuxnet (US/Israel), US Office of Personnel Management (China), …
Continue Reading

IT Security from The Guardian “Deloitte hit by cyber-attack revealing clients’ secret emails”

Deloitte hit by cyber-attack revealing clients’ secret emails

Exclusive: hackers may have accessed usernames, passwords and personal details of top accountancy firm’s blue-chip clients.

The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

The account required only a single password and did not have “two-step” verification, sources said.


Continue Reading

CISSP certification – from (ISC)² “What Does 125,000 (ISC)² Members Mean to You?”

What Does 125,000 (ISC)² Members Mean to You?

(ISC)² is proud to announce that our membership has surpassed 125,000 certified cybersecurity professionals globally. As demand for skilled security professionals continues to grow exponentially, (ISC)² certification and continuing education programs enable cybersecurity and IT security practitioners to prove their expertise, advance their careers and contribute to a more secure society. Here’s what some members are saying about the milestone: “125,000 members is a very large number for a community of dedicated people continuously raising the bar by learning, researching, teaching and sharing their knowledge and skills to make our cyber world safer,” said Emmanuel Nicaise, CISSP, president, (ISC)² Belux…


Continue Reading

CISSP certification: Insider vs. outsider compromises.

Types of attackers:

  • Outsiders:
    • Unauthorized individuals trying to gain access. They launch the majority of attacks, but these are often mitigated if the organization has good Defense in Depth.
    • Examples: interception, malicious code (e.g., virus, logic bomb, Trojan horse), sale of personal information, system bugs, system intrusion, system sabotage or unauthorized system access.
    • 48-62% of risks are from outsiders.
  • Insiders:
    • Authorized individuals (not necessarily authorized for the compromised system) who intentionally or unintentionally compromise the system or data.
    • This could be: assault on an employee, blackmail, browsing of proprietary information, computer abuse, fraud and theft, information bribery, or input of falsified or corrupted data.
    • 38-52% of risks are from insiders, another reason good authentication and authorization controls are needed.
Continue Reading