IT Security – from Internet Society “Five Steps You Can Take Right Now to Increase Your Privacy”

Five Steps You Can Take Right Now to Increase Your Privacy | Internet Society

You should care about your privacy online even if you think you have nothing to hide. A key aspect of privacy is being able to choose what information you share publicly and what is private. Would you want your bank account balance displayed for anyone to see? What about your medical history? Encryption is a …


CISSP Practice question #5

Who would perform a structured audit?
A: Senior management.
B: IT security staff.
C: External auditors.
D: Internal auditors.

CBK 6: Security Assessment and Testing
Source: practice tests


C: Structured audits (third party): external auditors are brought in to validate compliance; they are experts and the audit adds credibility. It can also serve as a knowledge transfer for the organization, and it is required annually in many organizations.

IT Security from CSOOnline: “Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021”

Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021

The cyber crime epidemic is expected to triple the number of open cybersecurity positions to 3.5 million over the next five years.

A new report out from Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million openings last year.

Employment figures from the U.S. and India highlight the cybersecurity labor crisis.

In 2017, the U.S. employs nearly 780,000 people in cybersecurity positions, with approximately 350,000 current cybersecurity openings, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce.

The current number of U.S. cybersecurity job openings is up from 209,000 in 2015. At that time, job postings were already up 74 percent over the previous five years, according to a Peninsula Press analysis of numbers from the Bureau of Labor Statistics.

At this rate, the U.S. is on pace to hit a half-million or more unfilled cybersecurity positions by 2021.

The National Association of Software and Services Companies (NASSCOM) recently estimated that India alone will need 1 million cybersecurity professionals by 2020 to meet the demands of its rapidly growing economy.

Demand for security professionals in India will increase in all sectors due to the unprecedented rise in the number of cyber attacks, according to NASSCOM. Despite having the largest information technology talent pool in the world, India is highly unlikely to produce an adequate number of professionals to close the cybersecurity skills gap.


IT Security – from The Entrepreneur “4 Vital Cyber Security Measures Every Safety-Conscious Entrepreneur Needs to Take”

4 Vital Cyber Security Measures Every Safety-Conscious Entrepreneur Needs to Take

It’s a no-brainer that it’s more cost effective to hire an expert than to recover from the damage a data breach may cause.

Throughout history, whenever technology has advanced, there has always been a concurrent change in the way we live our lives and go about our business. For the most part, this co-evolution has been welcomed and embraced. These advancements have made work simpler, and communication and collaboration across networks seamless.


CISSP Practice question #4

Which is true about Twofish?
A: It is a 64-bit block cipher with 56-bit keys.
B: It is a 64-bit block cipher with a 112-bit key.
C: It is a 64-bit block cipher with a 128-bit key.
D: It is a 128-bit block cipher with 128-, 192- or 256-bit keys.

CBK 3: Security Engineering
Source: practice tests


D: Twofish is a symmetric Feistel block cipher with 128-bit blocks and key lengths of 128, 192 or 256 bits. It is considered secure.

CISSP certification: Thor Pedersen’s answer to “What certifications should I do before getting into CEH or CISSP?” – Quora

When I did mine I did it as part of an IT security group of certificates. I took about 6 months, but it was part time (evenings/weekends), and I did a few in that time frame.
Since the curriculum overlaps a lot I figured I would take 4 certifications with little extra effort.
I studied for 2 1/2 months, took the CCNA-S and CEH exams, studied another 2 months and took the Security+ exam, then another month and I took the CISSP.
There is a huge overlap in materials and 4 certificates looks a lot better than 1 🙂

When I did mine I watched videos, read the book, re-watched videos and took a full practice test (250 questions), then when I knew my weak areas I read the book (Shon Harris) and re-watched those videos, then another practice test and so on.
I would also visit a lot of forums, read on related topics and fill the holes I had in my knowledge (had a networking ITSec background).

Realize this is a management exam, think like management, not like a techie (that was my hardest challenge).

Realize it is a marathon not a sprint.

Take tons of practice tests, once you hit 80%+ consistently you are ready.


CISSP certification: Rules, laws and regulations (US).

Rules, Regulations and Laws you should know for the exam (US):

  • HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act.
    • Puts strict privacy and security rules on how PHI (Personal Health Information) is handled by Health Insurers, Providers and Clearing House Agencies (Claims).
    • HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
    • The rules mandate Administrative, Physical and Technical safeguards.
    • Risk Analysis is required.
  • Security Breach Notification Laws.
    • NOT Federal, 48 states have individual laws, know the one for your state (none in Alabama and South Dakota).
    • They normally require organizations to inform anyone who had their PII compromised.
    • Many have an encryption clause, lost encrypted data may not require disclosure.
  • Electronic Communications Privacy Act (ECPA):
    • Protection of electronic communications against warrantless wiretapping.
    • The Act was weakened by the Patriot Act.
  • PATRIOT Act of 2001:
    • Expands law enforcement electronic monitoring capabilities.
    • Allows search and seizure without immediate disclosure.
  • Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030:
    • Most commonly used law to prosecute computer crimes.
    • Enacted in 1986 and amended in 1989, 1994, 1996, 2001, 2002 (PATRIOT Act), and 2008 (Identity Theft Enforcement and Restitution Act).
  • Payment Card Industry Data Security Standard (PCI-DSS) – Technically not a law, created by the payment card industry.
    • The standard applies to cardholder data for both credit and debit cards.
    • Requires merchants and others to meet a minimum set of security requirements.
    • Mandates security policy, devices, control techniques, and monitoring.
  • Gramm-Leach-Bliley Act (GLBA):
    • Applies to financial institutions; driven by the Federal Financial Institutions Examination Council (FFIEC); enforced by member agencies, OCC, FDIC, FRB, NCUA, and CFPB.
    • Enacted in 1999, requires protection of the confidentiality and integrity of consumer financial information.
  • Sarbanes-Oxley Act of 2002 (SOX):
    • Directly related to the accounting scandals of the late 1990s.
    • Regulatory compliance mandated standards for financial reporting of publicly traded companies.
    • Intentional violations can result in criminal penalties.

IT Security from Gizmodo: “IRS Awards Equifax $7.25 Million No-Bid Contract to Help ‘Verify Taxpayer Identities’”

IRS Awards Equifax $7.25 Million No-Bid Contract to Help ‘Verify Taxpayer Identities’ [Updated]

EFF co-founder John Perry Barlow once said that asking the government to protect your privacy is like asking a peeping tom to install your window blinds. The Internal Revenue Service, it seems, has taken this warning as a recommendation.

The no-bid contract, which pays $7.25 million, is listed as a “sole source” acquisition, meaning the IRS has determined Equifax is the only business capable of providing this service—despite its involvement in potentially one of the most damaging data breaches in recent memory.


IT Security from Govtech: “University Labs Put Cybersecurity Under the Microscope”

University Labs Put Cybersecurity Under the Microscope

Three professors who are experts in cybersecurity discuss what’s going on in the research field and where it’s headed.

2016 was a banner year for cybersecurity events: the hacking of the presidential election by Russia; the theft of NSA cybertools; the revelation of Yahoo’s data breach with 1 billion accounts exposed between 2012 and 2014. This year is proving to be just as active, and that means cybercrime is becoming increasingly costly for industry and government.

The financial loss from cybercrime in the U.S. exceeded $1.3 billion in 2016, a rise of 24 percent, according to a report issued by the FBI’s Internet Crime Complaint Center. Worldwide spending on security-related hardware, software and services reached $73.7 billion, according to IDC, an IT research firm. That number is expected to hit $90 billion in 2018.
