CISSP certification: Rules, laws and regulations (US).

Rules, Regulations and Laws you should know for the exam (US):

  • HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act.
    • Puts strict privacy and security rules on how PHI (Personal Health Information) is handled by Health Insurers, Providers and Clearing House Agencies (Claims).
    • HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
    • The rules mandate Administrative, Physical and Technical safeguards.
    • Risk Analysis is required.
  • Security Breach Notification Laws.
    • NOT Federal, 48 states have individual laws, know the one for your state (none in Alabama and South Dakota).
    • They normally require organizations to inform anyone who had their PII compromised.
    • Many have an encryption clause, lost encrypted data may not require disclosure.
  • Electronic Communications Privacy Act (ECPA):
    • Protection of electronic communications against warrantless wiretapping.
    • The Act was weakened by the Patriot Act.
  • PATRIOT Act of 2001:
    • Expands law enforcement electronic monitoring capabilities.
    • Allows search and seizure without immediate disclosure.
  • Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030:
    • Most commonly used law to prosecute computer crimes.
    • Enacted in 1986 and amended in 1989, 1994, 1996, 2001, 2002 (PATRIOT Act), and 2008 (Identity Theft Enforcement and Restitution Act).
  • Payment Card Industry Data Security Standard (PCI-DSS) – Technically not a law, created by the payment card industry.
    • The standard applies to cardholder data for both credit and debit cards.
    • Requires merchants and others to meet a minimum set of security requirements.
    • Mandates security policy, devices, control techniques, and monitoring.
  • Gramm-Leach-Bliley Act (GLBA):
    • Applies to financial institutions; driven by the Federal Financial Institutions Examination Council (FFIEC); enforced by member agencies, OCC, FDIC, FRB, NCUA, and CFPB.
    • Enacted in 1999, requires protection of the confidentiality and integrity of consumer financial information.
  • Sarbanes-Oxley Act of 2002 (SOX):
    • Directly related to the accounting scandals of the late 1990s.
    • Regulatory compliance mandated standards for financial reporting of publicly traded companies.
    • Intentional violations can result in criminal penalties.

IT & Cyber Security trainer
Sharing my knowledge, to help you reach your IT certification goals.
CISSP, C|EH, PMP, CCNP, CompTIA Security+, SCP, CCNA-Security, CCNA, et al.

IT Security from Gizmodo: “IRS Awards Equifax $7.25 Million No-Bid Contract to Help ‘Verify Taxpayer Identities'”

IRS Awards Equifax $7.25 Million No-Bid Contract to Help ‘Verify Taxpayer Identities’ [Updated]

EFF co-founder John Perry Barlow once said that asking the government to protect your privacy is like asking a peeping tom to install your window blinds. The Internal Revenue Service, it seems, has taken this warning as a recommendation.

The no-bid contract, which pays $7.25 million, is listed as a “sole source” acquisition, meaning the IRS has determined Equifax is the only business capable of providing this service—despite its involvement in potentially one of the most damaging data breaches in recent memory.

Source: gizmodo.com/irs-awards-equifax-7-25-million-no-bid-contract-to-hel-1819119424

IT Security from Govtech: “University Labs Put Cybersecurity Under the Microscope”

University Labs Put Cybersecurity Under the Microscope

Three professors who are experts in cybersecurity discuss what’s going on in the research field and where it’s headed.

2016 was a banner year for cybersecurity events: the hacking of the presidential election by Russia; the theft of NSA cybertools; the revelation of Yahoo’s data breach with 1 billion accounts exposed between 2012 and 2014. This year is proving to be just as active, and that means cybercrime is becoming increasingly costly for industry and government.

The financial loss from cybercrime in the U.S. exceeded $1.3 billion in 2016, a rise of 24 percent, according to a report issued by the FBI’s Internet Crime Complaint Center. Worldwide spending on security-related hardware, software and services reached $73.7 billion, according to IDC, an IT research firm. That number is expected to hit $90 billion in 2018.

Source: www.govtech.com/security/GT-OctoberNovember-2017-University-Labs-Put-Cybersecurity-Under-the-Microscope.html

CISSP Practice question #3

Which is not a SDLC software development methodology?
A: Waterfall.
B: Agile.
C: Sashimi.
D: Bottom-up.

CBK 8: Software Development Security
Source: ThorTeaches.com practice tests

Answer:

D: Waterfall, Agile and Sashimi are all SDLC methods; bottom-up is not.

CyberSecurity from BBC “More than 1,000 attacks reported in center’s first year”

Many cyber-attacks ‘a significant threat’

More than 1,000 incidents were reported to the National Cyber Security Centre in its first year of operation.

The centre – part of the intelligence agency GCHQ – says more than half the incidents posed a significant threat.

None of the incidents was category one level involving interference with the democratic system or crippling critical infrastructure such as power.

But NCSC head Ciaran Martin warned there could be more significant and damaging attacks in the near future.

Source: www.bbc.com/news/uk-41478608

CISSP certification: Intellectual Property.

Intellectual Property:

  • Copyright © – (Exceptions: first sale, fair use).
    • Books, Art, Music, Software.
    • Automatically granted and lasts 70 years after creator’s death or 95 years after creation by/for corporations.
  • Trademarks ™ and ® (Registered Trademark).
    • Brand Names, Logos, Slogans – Must be registered, is valid for 10 years at a time, can be renewed indefinitely.
  • Patents: Protects inventions for 20 years (normally) – Cryptography algorithms can be patented.
    • Inventions must be:
      • Novel (New idea no one has had before).
      • Useful (It is actually possible to use and it is useful to someone).
      • Nonobvious (Inventive work involved).
  • Trade Secrets. 
    • You tell no one about your formula, your secret sauce. If discovered anyone can use it; you are not protected.

Attacks on Intellectual Property:

  • Copyright.
    • Piracy – Software piracy is by far the most common attack on Intellectual Property.
    • Copyright Infringement – Use of someone else’s copyrighted material, often songs and images.
  • Trademarks.
    • Counterfeiting – Fake Rolexes, Prada, Nike, Apple products – Either using the real name or a very similar name.
  • Patents.
    • Patent infringement – Using someone else’s patent in your product without permission.
  • Trade Secrets.
    • While an organization can do nothing if its Trade Secret is discovered, the way it was discovered can be illegal.

IT Security from pionline.com: “Cybersecurity becoming big ESG concern”

Cost of breaches puts issue at forefront of asset owners’ agenda.

Cybersecurity is becoming a big ESG (environmental, social and governance) concern.

Cybersecurity is moving up the agenda for institutional investors and their money managers as a responsible investment consideration, as several high-profile attacks and breaches bring the issue to the front of investors’ minds.

Sources at retirement plans and money management firms said the issue is being considered in particular when thinking through environmental, social and governance factors within investment portfolios.

Source: www.pionline.com/article/20171002/PRINT/171009985/cybersecurity-becoming-big-esg-concern

CISSP Practice question #2

In software development security should be:
A: Added on later.
B: Added when we are compromised.
C: Designed into the software.
D: Added only in important areas.

CBK 8: Software Development Security
Source: ThorTeaches.com practice tests

Answer:

C: Security should be designed into the software and be part of the initial requirements, just as functionality is. The more breaches and compromises we see, the more security moves into the scope of the software design project. We use software at our jobs, in our personal lives, in our homes, cars, power and water … It is everywhere, yet it has been, and still is, common to write functional code where security is an afterthought or not considered at all.

National Cyber Security Awareness Month – Stay Safe Online

Each and every one of us needs to do our part to make sure that our online lives are kept safe and secure. That’s what National Cyber Security Awareness Month (NCSAM) – observed in October – is all about!

Source: staysafeonline.org/ncsam/

CISSP certification: Need to know and least privilege.

Most large organizations use role-based access control: your access levels are determined by your job role.

Even if your role gives you access to the data, you may not be allowed to access it unless it is required by what you are working on. This is called need to know.

  • Need to know:
    • Just because you have access does not mean you are allowed to access the data.
    • You need a valid reason for accessing the data. If you do not have one you can be terminated/sued/jailed/fined.
    • Leaked information about Octomom Natalie Suleman cost 15 Kaiser employees fines or terminations, they had no valid reason for accessing her file.
      • We may never know who actually leaked the information. It may not be one of the 15, but they violated HIPAA by accessing the data without a need to know.

Another approach is giving employees as little access as possible, just enough for them to do their job.

  • Least privilege:
    • Users have the minimum necessary access to perform their job duties.
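
To make the two ideas concrete, here is an added example (not from the original post) of an access check that layers a need-to-know test on top of plain role-based access control, in the spirit of the Kaiser case above: the role permits reading charts, but each read must also be tied to a patient the user is actually assigned to, and every denial is logged for audit. Users, roles and patient IDs are constructed sample data.

```python
# Added example: RBAC (least privilege) plus a need-to-know check, with an
# audit trail. All names, roles and patient IDs below are constructed.
from dataclasses import dataclass, field

# RBAC: the actions each job role is permitted to perform at all
# (least privilege: a role gets only what the job requires).
ROLE_PERMISSIONS = {
    "nurse": {"read_chart", "update_chart"},
    "billing_clerk": {"read_billing"},
    "receptionist": {"read_demographics"},
}

@dataclass
class User:
    name: str
    role: str
    # Patients this user is currently working on (their "valid reason").
    assigned_patients: set = field(default_factory=set)

@dataclass
class Record:
    patient_id: str

# (user, action, patient_id, decision, reason) tuples for later review.
AUDIT_LOG: list = []

def can_access(user: User, action: str, record: Record) -> bool:
    """Allow only if the role grants the action AND the user has a
    need to know for this specific patient. Every decision is logged."""
    # Step 1: RBAC - does the user's role permit this action at all?
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        AUDIT_LOG.append((user.name, action, record.patient_id, "DENY", "role"))
        return False
    # Step 2: need to know - is the user actually assigned to this patient?
    # This is the check the Kaiser employees failed: right role, no reason.
    if record.patient_id not in user.assigned_patients:
        AUDIT_LOG.append((user.name, action, record.patient_id, "DENY", "need-to-know"))
        return False
    AUDIT_LOG.append((user.name, action, record.patient_id, "ALLOW", ""))
    return True

def need_to_know_denials() -> list:
    """Entries a privacy officer would review: the role allowed the action,
    but the user had no assignment to that patient."""
    return [e for e in AUDIT_LOG if e[3] == "DENY" and e[4] == "need-to-know"]
```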