CISSP & IT security: Equifax data breach with close to 60% of all US adults compromised (143 million).

Equifax Inc. (NYSE: EFX) announced on 9/7 a cybersecurity incident potentially impacting 143 million U.S. residents.

The attackers exploited a website application vulnerability and gained access to certain files.

Based on Equifax’s investigation, the attackers had access from mid-May through the end of July 2017.

The criminals gained access to people’s names, addresses, birthdays, Social Security numbers and in some cases driver’s license numbers.
Other than the obvious questions on how this could happen and how to protect your identity online if you were exposed, it also raises some other questions.

#1: Equifax offers credit monitoring (one of their key services) to anyone affected by the breach, but only for 1 year.
You will be vulnerable a lot longer than that because of the breach. Is this just a smart up-sell?
You also waive your rights to sue Equifax if you get the protection, unless you write them within 30 days letting them know you want to opt out of the “no sue” clause.

#2: After the breach the Equifax Chairman and CEO, Richard F. Smith, said “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
This is almost as ham-fisted as the BP CEO explaining how he had to cut his vacation short and that no one was as affected by the Gulf oil spill as he was.
Equifax lost 58% of the adult US population’s names, addresses, birthdays and Social Security numbers, and you think you are a leader in protecting data?!?

#3: The breach was detected in July, in August Equifax bought the “sign up here if you were compromised” website (https://www.equifaxsecurity2017.com) and in September they told the press.
Why did it take that long to tell anyone about the breach?
Between discovery and disclosure the attackers could have opened hundreds of thousands of fake credit cards and bank accounts; they could have ruined many lives because Equifax waited almost 6 weeks to disclose the breach.

#4: 3 senior executives sold close to 1.8 million USD in Equifax stock (these were non-planned sales) just days before the public was told about the breach, but over 5 weeks after Equifax knew about the breach.

Supposedly they did not know about the breach. I just really doubt the CFO wakes up one morning and decides to sell $1,000,000 of stock that wasn’t planned, and then a few days later: “Oh, by the way, we were breached 6 weeks ago”.
Chief Financial Officer John Gamble sold stock for $946,374.
U.S. Information Solutions President Joseph Loughran sold stock for $584,099.
Consumer Information Solutions President Rodolfo Ploder sold stock for $250,458.
How can or will anyone ever trust Equifax with their data?

IT security trainer.
Sharing my knowledge, to help you reach your IT certification goals.
CISSP, C|EH, PMP, CCNP, CompTIA Security+, SCP, CCNA-Security, CCNA, et al.

CISSP certification: Quantitative Risk Analysis.

  • Quantitative Risk Analysis – We want exactly enough security for our needs.
    • We find the asset’s value: How much of it is compromised, how much one incident will cost, how often the incident occurs and how much that is per year.
    • Asset Value (AV) – How much is the asset worth?
    • Exposure factor (EF) – Percentage of Asset Value lost?
    • Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
    • Annual Rate of Occurrence (ARO) – How often will this happen each year?
    • Annualized Loss Expectancy (ALE) – (SLE x ARO) – This is what it costs per year if we do nothing.
    • Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost (Normally Operational)
  • Laptop – Theft/Loss (unencrypted).
    • The Laptop ($1,000) + PII ($9,000) per loss (AV).
    • It is a 100% loss, it is gone (EF)
    • Loss per laptop is $10,000 (AV) x 100% (EF) = $10,000 (SLE)
    • The organization loses 25 Laptops Per Year (ARO)
    • The annualized loss is $250,000 (ALE)
  • Data Center – Flooding
    • The Data Center is valued at $10,000,000 (AV)
    • If a flood happens, 15% of the DC is compromised (EF)
    • Loss per flood is $10,000,000 (AV) x 15% (EF) = $1,500,000 (SLE)
    • A flood happens every 4 years = 0.25 (ARO)
    • The annualized loss is $375,000 (ALE)
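The list above gives the formulas (SLE = AV x EF, ALE = SLE x ARO) and two worked cases. The following is an added example, not code from the original post: it reproduces both cases and then does the step the "exactly enough security" bullet implies, comparing a control's yearly TCO against the ALE it removes. The Risk and Mitigation classes, and every mitigation figure (control costs, lifetimes and the residual EF/ARO each control leaves), are constructed assumptions for illustration.

```python
# Added example, not from the original post: quantitative risk analysis using
# the post's terms (AV, EF, SLE, ARO, ALE, TCO). The two Risk scenarios use the
# post's own numbers; the Mitigation figures are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    av: float   # Asset Value: what the asset is worth, in dollars
    ef: float   # Exposure Factor: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float  # Annual Rate of Occurrence: incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: cost of one incident = AV x EF."""
        return self.av * self.ef

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: yearly cost if we do nothing = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Mitigation:
    name: str
    upfront: float       # one-time cost of the control
    annual: float        # ongoing (operational) cost per year
    years: int           # lifetime the upfront cost is spread over
    residual_ef: float   # EF that remains with the control in place
    residual_aro: float  # ARO that remains with the control in place

    @property
    def tco_per_year(self) -> float:
        """Total Cost of Ownership per year: upfront spread over its lifetime + ongoing."""
        return self.upfront / self.years + self.annual


def residual_ale(risk: Risk, control: Mitigation) -> float:
    """ALE after the control is applied (same asset value, reduced EF and/or ARO)."""
    return Risk(risk.name, risk.av, control.residual_ef, control.residual_aro).ale


def annual_benefit(risk: Risk, control: Mitigation) -> float:
    """Value of the control per year = ALE before - ALE after - TCO per year.
    Positive: the control saves more than it costs.
    Negative: more security than the risk justifies."""
    return risk.ale - residual_ale(risk, control) - control.tco_per_year


# The post's two scenarios.
LAPTOP = Risk("Laptop theft/loss (unencrypted)", av=10_000, ef=1.0, aro=25)
DATACENTER = Risk("Data center flooding", av=10_000_000, ef=0.15, aro=0.25)

# Constructed controls (assumed figures, not from the post).
# Encryption: the $1,000 laptop is still lost but the $9,000 of PII is not, so EF drops to 10%.
ENCRYPTION = Mitigation("Full-disk encryption", upfront=15_000, annual=5_000, years=3,
                        residual_ef=0.10, residual_aro=25)
FLOOD_BARRIER = Mitigation("Flood barrier", upfront=2_000_000, annual=50_000, years=10,
                           residual_ef=0.02, residual_aro=0.25)
RELOCATE = Mitigation("Relocate data center out of the flood plain", upfront=30_000_000,
                      annual=0, years=20, residual_ef=0.0, residual_aro=0.0)


def report(risk: Risk, controls: list) -> str:
    """Human-readable summary of a risk and each candidate control."""
    lines = [f"{risk.name}: SLE ${risk.sle:,.0f}, ALE ${risk.ale:,.0f}"]
    for c in controls:
        lines.append(f"  {c.name}: TCO ${c.tco_per_year:,.0f}/yr, residual ALE "
                     f"${residual_ale(risk, c):,.0f}, net benefit "
                     f"${annual_benefit(risk, c):,.0f}/yr")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LAPTOP, [ENCRYPTION]))
    print(report(DATACENTER, [FLOOD_BARRIER, RELOCATE]))
```

Running it reproduces the post's $10,000 SLE / $250,000 ALE for the laptop and $1,500,000 / $375,000 for the data center. With the assumed figures, encryption and the flood barrier both come out with a positive net benefit, while relocating the data center comes out negative: its yearly TCO exceeds the whole ALE it removes, which is exactly the "exactly enough security for our needs" point.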

CISSP certification: Book recommendations.

When choosing the books you use for your CISSP certification I think it is important to understand your own skill level and how much knowledge you would need to both pass the certification, but ultimately do your job well as an IT security professional.

For people with some IT security experience I would suggest these 2 books; they leave out all the fluff the full guides have, and contain exactly what you need for the CISSP certification and no more.

CISSP Study Guide, Third Edition(Paperback)
by Eric Conrad, Seth Misenar, Joshua Feldman

Eleventh Hour CISSP®, Third Edition: Study Guide (Paperback)
by Eric Conrad, Seth Misenar, Joshua Feldman

For people with limited or no IT security experience I would suggest either or both of these books; on top of the CISSP knowledge they also have fuller and more in-depth general IT security knowledge.

CISSP All-in-One Exam Guide, Seventh Edition (Hardcover)
by Shon Harris, Fernando Maymi

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Paperback)
by James M. Stewart, Mike Chapple, Darril 

CISSP certification: Free full CISSP practice exam on udemy.com – until 9/13-17

I just made one of my CISSP full 250 question practice exams completely free for a few days!

https://www.udemy.com/cissp-certification-practice-exam-3/?couponCode=BBHF-THORTEACHES

This is a full CISSP practice exam: it has 250 questions just like the exam, and the domains are weighted at the same percentages as well.

The exam has 8 domains that make up the CISSP CBK (Common Body of Knowledge):
Security and Risk Management – 16%
Asset Security – 10%
Security Engineering – 12%
Communications and Network Security – 12%
Identity and Access Management – 13%
Security Assessment and Testing – 11%
Security Operations – 16%
Software Development Security – 10%

At the end of the practice exam you can see the total % score and a weighted % score for each of the 8 domains. You can also review each question and sort by knowledge area, correct answers, wrong answers, skipped questions and questions marked for review.

To pass the exam you need the knowledge to pass (obviously), but that is not enough.

Understand and answer every question from a Manager’s or a Risk Advisor’s point of view, NOT as C-level or as a techie.

Spot the keywords (non-repudiation, public key) and the indicators (Not, Most, First).

It is a LONG exam: you have 6 hours to answer 250 questions, and I suggest multiple passes.

Mark for review and revisit the questions you are not sure about, but make sure to check an answer; even if you have no clue, a 25% chance is better than 0%.

Eliminate wrong answers: if they ask about encryption and the answers are DES, AES, sprinkler systems and the OSI model, you can safely eliminate sprinklers and OSI, and you are now at a 50% chance of a right answer.

Do some practice tests like this one, and do the full 6 hours and 250 questions to see how you handle it; this is as much about mental stamina and reading the questions right as it is about the actual knowledge.

You can take this test as many times as you want; the questions and the answer order are randomized. I would suggest scoring 80%+ consistently on all domains using multiple practice tests before booking the exam.

Take the practice test, find your weak areas, study those and then take it again, rinse/repeat as much as needed.

On this practice test you can see your progress; it saves the previous attempts.

CISSP certification: Qualitative Risk Analysis.

  • Qualitative Risk Analysis – How likely is it to happen, and how bad is it if it happens? This is vague, a guess, a feeling, and relatively quick to do. It is most often done to know where to focus the Quantitative Risk Analysis.
    • Qualitative Risk Analysis with the Risk Analysis Matrix.
      • Pick an asset: A laptop.
      • How likely is one to get stolen or left somewhere?
        I would think Possible or Likely.
      • How bad is it if it happens?
        That really depends on a couple of things:
      • Is it encrypted?
      • Does it contain Classified or PII/PHI content?
      • Let’s say it is Likely and a Minor issue; that puts the loss in the High Risk category.
      • It is normal to move High and Extreme on to Quantitative Risk Analysis. If mitigation is implemented, we can maybe move the risk level to “Low” or “Medium”.

CISSP certification: Access Control Defensive Categories and Types:

Access Control Defensive Categories and Types:

  • Access Control Types (many controls can be of multiple types – on the exam, look at the question content to see which type it is asking about).
    • Preventative:
      • Prevents action from happening – Least Privilege, Drug Tests, IPSs, Firewalls, Encryption.
    • Detective:
      • Controls that detect during or after an attack – IDSs, CCTVs, Alarms, anti-virus.
    • Corrective:
      • Controls that Correct an attack – Anti-virus, Patches, IPSs.
    • Recovery:
      • Controls that help us Recover after an attack – DR Environments, Backups, HA Environments.
    • Deterrent:
      • Controls that Deter an attack – Fences, Security Guards, Dogs, Lights, Beware of the dog signs.
    • Compensating:
      • Controls that Compensate for other controls that are impossible or too costly to implement.

CISSP certification: ISC² Code of Ethics.

Before you can take the exam you will agree to the ISC² Code of Ethics, and it is also very testable on the certification. Learn it.

  • ISC² Code of Ethics
    • You agree to this before the exam, and the code of ethics is very testable.
    • There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.
    • Code of Ethics Preamble:
      • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
      • Therefore, strict adherence to this Code is a condition of certification.
    • Code of Ethics Canons:
      • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
      • Act honorably, honestly, justly, responsibly, and legally.
      • Provide diligent and competent service to principals.
      • Advance and protect the profession.

CISSP Friday-Five Questions September 1st 2017.

A DDOS attack is meant to disrupt which leg of the CIA Triad?

When we get hit by a DDOS (Distributed Denial Of Service), it disrupts our availability, but not integrity or confidentiality.

In the US security breach notification laws are:

Security breach notification laws are NOT federal; 48 states have individual laws, so know the one for your state (there are none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many states have an encryption clause under which lost encrypted data may not require disclosure.

What is not an example of good multifactor authentication?

Multifactor authentication uses authentication from more than one factor (something you know, are or have). Passwords and usernames are not multifactor, they are both knowledge factors.

Which type of access control model is based on the subject’s clearance?

MAC - (Mandatory Access Control) is system-enforced access control based on a subject’s clearance and an object’s labels.

Which is an asymmetric form of encryption?

RSA is asymmetric. 3DES, RC6 and Twofish are all symmetric forms of encryption.

CISSP Friday-Five Questions: Identity and access management.

In a good password policy, which should be allowed?

Passwords should never contain: the name of a pet, child, family member or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word "password". Winter2017 is not a good password, even if it does fulfil the password requirements. The official recommendations by the U.S. Department of Defense and Microsoft are: password history = remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again); minimum password length = 8 characters; passwords must meet complexity requirements = true; store passwords using reversible encryption = false.
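The answer above lists the policy settings; what it does not show is how they interact when a user actually changes a password, and why a policy-compliant password like Winter2017 still gets through. The following is an added example, not code from the original post, that applies those settings to a change request. The Account class, the violation codes, the "three of four character classes" reading of "complexity requirements" and the sample passwords are constructed assumptions; hashlib.pbkdf2_hmac stands in for whatever a real credential store uses.

```python
# Added example, not from the original post: a password-change check that
# applies the policy settings from the answer (history 24, max age 90 days,
# min age 2 days, min length 8, complexity on, no reversible encryption).
# Account, the violation codes and the complexity rule are assumptions.
import hashlib
import re
from datetime import datetime, timedelta

HISTORY_SIZE = 24
MAX_AGE = timedelta(days=90)
MIN_AGE = timedelta(days=2)
MIN_LENGTH = 8


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash: 'store passwords using reversible encryption = false'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, salt: bytes):
        self.salt = salt           # per-account salt here; real stores salt each stored hash
        self.history = []          # hashes of the last HISTORY_SIZE passwords, newest first
        self.last_changed = None   # when the current password was set


def meets_complexity(pw: str) -> bool:
    """Assumed complexity rule: at least three of lower, upper, digit, symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, pw)) >= 3


def change_password(acct: Account, new_pw: str, now: datetime) -> list:
    """Apply the policy to a change request. Returns the list of violation codes;
    an empty list means the change was accepted and recorded."""
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append("too_short")
    if not meets_complexity(new_pw):
        problems.append("complexity")
    if "password" in new_pw.lower():
        problems.append("contains_password")
    # Minimum age stops a user cycling through 24 changes to get back to an old favorite.
    if acct.last_changed is not None and now - acct.last_changed < MIN_AGE:
        problems.append("min_age")
    digest = hash_password(new_pw, acct.salt)
    if digest in acct.history:
        problems.append("reused")
    if problems:
        return problems
    acct.history.insert(0, digest)
    del acct.history[HISTORY_SIZE:]   # keep only the last 24
    acct.last_changed = now
    return []


def password_expired(acct: Account, now: datetime) -> bool:
    """Maximum age: force a change once the current password is older than 90 days."""
    return acct.last_changed is None or now - acct.last_changed > MAX_AGE


if __name__ == "__main__":
    # Constructed walk-through with a constructed salt and dates.
    acct = Account(salt=b"constructed-demo-salt")
    t0 = datetime(2017, 9, 1)
    print(change_password(acct, "Winter2017", t0))                        # [] - compliant, still weak
    print(change_password(acct, "Spring2018", t0 + timedelta(hours=12)))  # ['min_age']
    print(change_password(acct, "Winter2017", t0 + timedelta(days=3)))    # ['reused']
    print(password_expired(acct, t0 + timedelta(days=91)))                # True
```

Note that Winter2017 passes every mechanical check (length, three character classes, not in history), which is the answer's point: the settings stop reuse and cycling, but they cannot tell a seasonal password from a good one, so the "never contain" list still has to be taught.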

Type 1 authentication is:

Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. The subject uses these to authenticate their identity, if they know the secret, they must be who they say they are.

Which authentication form is the worst to have compromised, because it can't be changed?

Something you are - Type 3 Authentication (Biometrics): Lost passwords and ID cards can be replaced with new, different ones; biometrics can’t. You can't change your fingerprints, so once compromised they are always compromised.

PINs, passwords and passphrases are which type of authentication?

Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. The subject uses these to authenticate their identity, if they know the secret, they must be who they say they are.

Which authentication protocol is no longer considered secure?

TACACS (Terminal Access Controller Access Control System) is a centralized access control system requiring users to send an ID and reusable (vulnerable) passwords for authentication; because of this it is no longer considered secure. It uses TCP/UDP port 49. TACACS has generally been replaced by TACACS+ and RADIUS.

CISSP Friday-Five Questions: Well-known ports.

Which port does POP3 normally use?

A POP3 server listens on well-known port 110.

Your organization is using a secure website (https://); which port is used by default?

HTTPS URLs begin with "https://" and use port 443 by default, or alternatively 8443, whereas HTTP URLs begin with "http://" and use port 80 by default.

To upload files using FTP which ports would be the common ports?

FTP uses TCP port 20 for FTP data transfer and TCP port 21 for FTP control.

Which well-known ports do email programs use for POP3, IMAP, and SMTP?

SMTP (Simple Mail Transfer Protocol) uses TCP port 25 as default, but can also use port 2525. POP3 (Post Office Protocol, version 3) uses TCP port 110. IMAP (Internet Message Access Protocol) uses TCP port 143.

We use SSH to log into our cloud servers; which port is assigned to SSH?

The well-known TCP port 22 has been assigned for contacting SSH servers.
