Tuesday, November 15, 2011

In conclusion...

As a brand new blogger I found the experience of discussing current events or material covered in class on this blog to be gratifying.  In addition, I really enjoyed reading the blogs of my classmates.  I was impressed with my classmates' blogs, watching them develop each week with the addition of pictures, links and well-developed posts.
I attempted to write about current events that interested me.  I asked my family to follow me, so I considered them as I selected my topics.  My father tried to follow my posts but became discouraged, as he said he didn't understand what I was writing about.
My posts fell into several categories:  personal security, network security, PCI DSS, new technology, a scam, Steve Jobs, social networking, cyber threats and certification.  All of the topics I chose to blog about were interesting to me.  I hope that readers of my blog would be interested enough to read my thoughts and even read the article (linked in the post) that caught my attention.  It was fun to find pictures for each post to entice the reader to read what I wrote.
I used a variety of sources to find my weekly topic.  Kim Komando is my hero.  She sends out a brief email to a huge audience with something interesting.  She provides information effectively to a diverse audience, with a knack for making the topic understandable to folks with various levels of technology experience.  Information technology is not the same as molecular biology.  The types of information we deal with on a daily basis and the knowledge we have can be very valuable to people from all walks of life.  The information we can share with others to enhance their understanding of technology is powerful stuff.  I look at a variety of websites on a daily basis, including Kim Komando's daily email.  Some of the ideas for posts came from her email messages.
I believe that blogging is a great way to share information we learn along the way.  Furthermore, you can't blog about something you know nothing about.  Blogging was a great way to get a grasp on a concept.

Wednesday, November 9, 2011

Do you want be a CISSP?

Achieving the CISSP certification is one way to show the world that you have the technical ability, knowledge and experience in the IT security field.  If you think the certification is important, I encourage you to prepare well for it, then take the test and join me as a CISSP.  The exam covers the 10 domains called the Common Body of Knowledge (CBK) in 250 questions.  In order to pass the test you must achieve a score of 700 points or more.  There are several additional steps beyond passing the test that each candidate must complete to earn the CISSP certification.  I'll walk you through the basics...

Minimum experience requirements:
You must have a minimum of five years of professional experience in the information security field, or four years plus a college degree.  An advanced degree in information security from a National Center of Excellence, or the regional equivalent, can substitute for one year of the five-year requirement.
A candidate must also provide acceptable answers to 4 questions regarding criminal history and related background.

Before the exam:
1.  Study.
    a.  Complete a self-assessment quiz to see where your strengths and weaknesses are.
    b.  ISC(2) has several free webcasts valuable for your review.
    c.  Shon Harris books and DVDs are great references to ensure you have a full understanding.
    d.  Take free practice quizzes before taking the test.  The test questions are long and complicated.  It is critical that you read all the words in the question, as it is easy to speed-read the question and answer it wrong.
    e.  The candidate will be required to agree to follow the ISC(2) Code of Ethics to become CISSP certified.  Be sure to read and understand the requirements, as this is not optional.
    f.  Read the ISC(2) Candidate Information Bulletin, available for download from:  www.isc2.org/cib
2.  Join a study group if possible.  NebraskaCERT generally offers one prep class per year.  Check their website or go to a meeting if you're looking for a study partner or session.

Day of exam:
  • Print a copy of the email "ticket" you receive from ISC(2) and bring it with you to the exam site.  A proctor will check you into the exam.  The information on your ticket will be cross-referenced by the proctor.
  • Bring a valid form of identification that has your picture on it (driver's license, military identification, etc.).
  • Bring a snack.  Candidates are provided a space in the room away from the desk/table where the test is administered.  You may get up from the test to quietly eat the snack in the room.
  • Do not bring your cell phone, books, papers, or other items into the test area.  You will be provided pencils.
  • Be sure to be well rested and focused on the material on the day of the exam.  Leave other stresses at home.

How do I know if I passed?
ISC(2) will email you the results of the exam, usually within one week of completing it.  If you pass, you will get a letter that begins with "Congratulations ....".  You will not be provided your score.  If you did not pass, you will receive a letter that does not begin with "Congratulations".  Those who do not pass will receive their score.

There are a few more steps after you pass the exam before certification is approved:
If you pass, the letter will remind you that you are not permitted to use "CISSP" yet.  You will be instructed to submit your resume for review.
You must be endorsed by another (ISC)² certified professional in good standing before the credential can be awarded.  The endorser will attest that the candidate's assertions regarding professional experience are true to the best of the endorser's knowledge, and that the candidate is in good standing within the information security industry.

What are the on-going requirements to maintain the CISSP certification?
All CISSPs must maintain their certification by completing Continuing Professional Education (CPE) credits within each three-year certification period and paying $85 per year.
ISC(2) requires that each CISSP complete a minimum of 20 CPEs each year, so a CISSP cannot complete 120 CPEs during year one and maintain his or her certification.  A CISSP may complete more than 20 CPEs per year, but not less.  If a CISSP does not complete 20 CPEs each year, he or she will need to retake the CISSP exam.

What counts as CPE?
You can earn CPEs by:
  • Attending educational/training conferences and seminars
  • Attending conferences
  • Attending professional association chapter meetings (such as InfraGard and NebraskaCERT)
  • Attending vendor presentations
  • Completing college courses (*you must pass the class)
  • Providing security training to others
  • Publishing a security article or book
  • Serving on the board of a professional security organization
  • Completing computer-based training
  • Reading information security books or authorized magazines (you may be required to complete a book report)
  • Doing various IT-related volunteer work

How do CISSPs submit CPE?
All CISSPs must register on the ISC(2) website using information provided by ISC(2) after the CISSP certification is earned.  CISSPs log into the website to submit CPEs and pay the annual maintenance fee.

Good luck.  May the force be with you!

Tuesday, November 1, 2011

How secure is your corporate network?

According to the SC Magazine article "Reducing network breaches", between 178 and 218 million user accounts, email addresses, token seed files or other "records" were stolen from organizations by cyber thieves in the six largest published network breaches.  That is pretty frightening!

How could this happen??  The article suggests that social engineering attempts are especially problematic.  Years ago many people received the Nigerian email, where a wealthy foreigner needs help moving money from his homeland and promises a reward for helping him.  Things have gotten more sophisticated since early scams such as the Nigerian scam.  The article suggests that organizations need to provide continuous information to employees to warn them about giving out information in response to unsolicited calls, email messages or visits.  Some email messages requesting information appear to be legitimate, or may offer a prize for providing information, which may entice some folks to willingly give away valuable company information.

Thumb drives, wireless networks, smart phones, and laptops make life simpler for employees, but they can also weaken the network perimeter and the safety of corporate information.  The article suggests that smartcards backed by a credential management system be used to ensure that multilayered strong authentication protects access to corporate servers, VPN and cloud applications.

The protection of customer information is critical to the continued success of a company.  PCI compliance will not guarantee 100% protection, but will provide a good place to start.

The bottom line is that employees are the first line of defense against social engineering attempts.  American children are taught to help others and be friendly.  The author encourages organizations to continuously remind employees to be skeptical of others asking for information.  I would encourage employees not to respond to unsolicited surveys.  The best response to an unsolicited phone call asking you to complete a survey is to ask the caller to take you off his or her list.  You have no way of knowing who the caller is, where the information is going or who the information might be sold to.  Professional magazine subscriptions require a subscriber getting a free publication to provide certain information.  If you don't read the publications, do not subscribe.  If you read them, provide the least amount of information possible.  Never provide a co-worker's name, title or email address.  Most technical magazines are available at no cost on-line anyway.

We should all learn to be skeptical.  Being skeptical is healthy.  Most skeptical people wouldn't imagine why a rich Nigerian would need their help to move money, and most skeptical folks wouldn't believe an email message from the US Postal Service asking for personal information so they could deliver a package to their facility.  How would the US Postal Service have your email address?  Answer:  they wouldn't.  It just takes a few minutes for us to think about the information.  Does it make sense?

It will pay off to be skeptical.


References:
http://www.snopes.com/fraud/advancefee/nigeria.asp