Saturday, 29 June 2019

The Parent Trap: Lack of Knowledge Holds Children Back from Cybersecurity Careers

Parents can play an influential role in their children’s choice of careers but when it comes to cybersecurity, most parents have no advice to give. That’s because they really don’t know much, if anything, about the subject.

ISC2 Study Materials, ISC2 Guides, ISC2 Learning, ISC2 Tutorials and Materials

A survey by cybersecurity training provider SANS Institute revealed that 63% of parents in the U.K. can’t answer questions about how to find a job in the cybersecurity field. Almost as many parents (61%) said they have little or no knowledge of any career opportunities in the industry, even though 91% said they have heard of cybersecurity.

And despite the high earning potential of cybersecurity careers, 72% of parents said they’ve never considered a career in the field for their children. This lack of knowledge among parents is troubling considering the EMEA (Europe, Middle East, Africa) region currently has a 142,000 shortage of cybersecurity workers, based on (ISC)² research. If children aren’t receiving advice to consider a cybersecurity career, this lowers the prospect of closing the gap any time soon.

“These findings should be seen as a wakeup call to the cybersecurity industry that it needs to do more to promote itself,” said James Lyne, CTO, SANS Institute. “The only people who can really spread that message are those working in the industry already – it’s another way to help close the skills gap we are currently suffering.”

Cyber Misconceptions


While parental knowledge of cyber careers is seriously lacking, there seems to be more awareness of IT careers. More than a quarter of survey participants (27%) said IT is one of the top five career choices for their eldest child, an indication that parents understand the career potential in the overall IT field.

Interestingly, 69% of parents indicated they thought cybersecurity is taught in school, and 87% said they would like their children to learn about cybersecurity as part of the curriculum and in extracurricular activities.

These findings are evidence that if parents aren’t advising their children to pursue cybersecurity career opportunities, it isn’t out of prejudice against the field. Rather, it’s because they really don’t know enough about it and, given the choice, they want their children to learn more about the subject.

Signs of Hope


On a positive note, the SANS Institute also polled U.K. students and found 46% of them have heard of cybersecurity from their parents. With a little more knowledge among parents, it is likely that interest in cyber careers would get a boost.

To achieve that, as Lyne suggested, the industry has some work to do. Collaboration with schools in raising cybersecurity awareness and education among students and parents would be a step in the right direction. Such efforts may take time, but are definitely worth considering. The alternative is the continuation of the cybersecurity skills gap well into the future.

Thursday, 27 June 2019

EMEA Skills Gap Puts Cyber Workers at a Disadvantage Against Attackers

ISC2 Certifications, ISACA Guides, ISC2 Study Materials, ISC2 Learning

A severe cybersecurity skills gap in EMEA (European, Middle East and Africa) is making it hard for cybersecurity staff to cope with their workloads or acquire the skills they need to handle emerging technologies, according to a new report by Symantec.

Cybersecurity workers believe they are at a serious disadvantage against attackers. Simply finding the time to learn emerging technologies, such as those related to mobility and cloud, is a challenge for a workforce whose experience as a group ranges from 10 to 30 years, the report says.

“Declining skills are highly problematic for cyber security professionals, who are effectively in an arms race, in which talent and skill are their most important weapons. Unfortunately, enterprises feel they are falling behind in precisely this area,” according to the report, High Alert: Tackling Cyber Security Overload in 2019. The report is based on the findings of a study conducted by the University of London for Symantec of more than 3,000 security decision makers in France, Germany and the United Kingdom.

Citing an IDC statistic, the report says 97% of European enterprises agree a skills gap exists and that it has negative effects. “It means only 3% of enterprises in Europe believe the industry has the requisite talent to deliver on its mandate – to ensure business integrity and protect sensitive company, customer and shareholder data,” the report says.

ISC2 Certifications, ISACA Guides, ISC2 Study Materials, ISC2 Learning
The cybersecurity skills gap is well documented. (ISC)²’s Cybersecurity Workforce Study, 2018 found that the EMEA region has a shortfall of 142,000 cybersecurity workers. Worldwide, the skills shortage is nearly 3 million, with Asia Pacific experiencing the biggest gap, 2.14 million. The shortfall in North America is about 500,000.

Cyber Struggles


The Symantec report paints a dire picture of the current struggles of cybersecurity teams in Europe. Nearly half of survey participants (45%) say technological change is happening faster than their businesses can adapt; 48% believe attackers “have a raw skills advantage over defenders;” and 44% say their team lacks the necessary skillset to fight cyber threats.

In addition, 33% say the volume of threat makes it harder to protect their organizations. Perhaps not surprisingly, 49% of participants say attackers have unprecedented access to resources and support provided by bad actors.

Even with all these challenges, the report says only 4% to 8% of IT budgets are allocated to security. Those amounts often don’t even cover the costs of hiring and retaining security professionals, which forces CIOs, CISOs and security managers to ask for more money.

Citing information from the Symantec CISO Forum in February 2019, the report says that hiring a cyber professional takes at least six months and often takes even longer – nine to 12 months. As a result, CISOs are taking a pragmatic approach of teaching skills on the job to candidates who make up for lack of experience with “attitude, mindset and potential.”

To help address the skills gap, the report recommends that cyber workers do a better job of learning from each other and take advantage of cloud-based security solutions, managed services and automation. These steps will help reduce repetitive, mundane tasks and let cyber workers focus on higher-value work.

(ISC)² offers free on-demand courses to its members and associates online through its Professional Development Institute in order to help cybersecurity professionals learn new skills at a pace and timing that works for them. These courses are also available for purchase to non-members.

Tuesday, 25 June 2019

Data Breach and Cyber Attacks – what impact does it have on companies?

Data Breach and Cyber Attacks, Cybersecurity, ISC2 Learning, ISC2 Study Materials

A Data Breach or a breach of data security is the viewing or stealing of sensitive, proprietary or confidential information by unauthorized third parties. This form of crime can both cause damage of property for example, sabotaging computer systems.  It can also lead to a violation of property rights, such as theft of source codes, customer data or other information. In addition, it could affect whole business systems of an enterprise level company. The most common scenario for a data theft is a hacker attack that penetrates into a company’s network.

The 2015 Data Breach Investigations Report by Verizon, which has been published annually starting 10 years ago, gives an insight into the growing number of cyber attacks affecting companies, organizations and governments. The study provides precise figures and discloses what data theft could cost. Last year, there were 80,000 security incidents in 61 countries and in 2,100 cases, these were attacks by cybercriminals. Compared to last year this represents an increase of 55 percent of successful attacks, with the total number of cases rising by 26 percent.

The most common types of cyber attacks


About 90 percent of all attacks by hackers carried out with the following:

◈ Human failure eg. sending out of emails to a wrong recipient
◈ Attacks to web applications
◈ Crimeware (different kinds of malware trying to take over the control over data systems)
◈ Misuse of data by insiders
◈ Physical theft of data or data loss
◈ Denial of service attacks
◈ Cyber-Espionage
◈ Attacks on Point of Sale Systems
◈ Skimming of payment details: spying out of credit card details and numbers

Data Theft & Phishing still popular with hackers


In attacks by hackers on companies resulting in the theft of confidential data, most attackers use vulnerabilities in web applications. Often, cyber criminals steal or use phishing methods in order to gain access to the software.   The data theft by phishing attacks is very popular within the hacker community – and even more successful, when both methods are combined together. According to the study it is expected for large-scale phishing campaigns via e-mail that 23 percent of recipients read the message and another 11 percent even open the attachment. Particularly successful phishing seems to be in the communication, legal and customer service departments of companies – exactly where people generally handle large scales of email communications including email attachments. According to the study also the insider attacks increase compared to external attacks – particularly with regard to the theft of intellectual property.

Most common e-crime offenses


A KPMG study sheds light on the subject of cybercrime in companies. Compared to the preliminary study in  2013, respondents were significantly more likely to be victims of an e-crime. In the past two years, 40 percent of companies were affected by a cybercrime, in 2013 only 27 percent. This represents an increase of almost 50 percent. Financial Services have to deal most often with e-crime incidents. 55 percent of the representatives of this industry declared that they had been attacked at least once. In comparison to other segments where only 33 percent said that they were affected. Financial Services thus prove to be particularly attractive to potential perpetrators. The most commonly identified types of crimes, according to the KPMG study, are the following.

Computer fraud


Fraudulent actions taking advantage of information and communication technologies via manipulation of data processing systems or processes.

Spying or interception of data


Unauthorized recording, eavesdropping or monitoring of data which is in the transmission process (for example; email, instant messages, network traffic, IP telephone).

Manipulation of accounts and financial data


Unauthorized modification of account details and financial data in accounting or payment systems.

Data theft


Unauthorized acquisition of data.

Infringement of copyright


Breach of the rights of and exploitation of copyrighted electronic data (for example, creating an illegal copy and use of software programs and content of audiovisual media)

Breach of commercial or industrial secrets


Unauthorized appropriation and disclosure of confidential or secret company information and/or of business partners using information technologies.

System damage or computer sabotage


Disruption of data processing structures, for example by damaging or manipulating computers, networks or media.

Blackmail


Blackmail with threat of e-crime actions.

Saturday, 22 June 2019

Small Businesses Not the Weakest Link in the Supply Chain, Study Shows

ISC2 Certifications, ISC2 Tutorials and Materials, ISC2 Networks Certifications
A new (ISC)2 study suggests that small businesses may get too much attribution for causing security breaches for their large enterprise clients. While it’s true that enterprises have suffered breaches caused by third parties, they are more likely a result of actions by a large partner, not a small business.

The Securing the Partner Ecosystem study, which polled respondents both at large enterprises and small businesses, revealed about one third of enterprises (32%) have experienced a breach caused by a third party, but in these cases, large partners are more likely to blame (54%) than small business partners (46%). Only 19% of small business respondents overall say they’ve caused a data breach for an enterprise client or partner.

As a rule, enterprises aren’t concerned about the security practices of small business partners, considering 57% said they are confident and 37% very confident in their cybersecurity measures. And while enterprises have no qualms about holding others responsible for security incidents, almost half (48%) would consider themselves “ultimately at fault” for an incident caused by a third party.

ISC2 Certifications, ISC2 Tutorials and Materials, ISC2 Networks Certifications

For their part, small businesses hold themselves accountable for breaches at large partners – 73% say they would feel liable if a client was breached. That is the case even if their actions were an indirect cause of the incident.

High Confidence


Enterprises have high confidence in their own cybersecurity posture as well as the security practices of partners. Nearly all enterprises in the study (96%) have contract provisions specifying data access, storage and transmission by third parties.

Almost as many (95%) have standard vetting procedures for small business suppliers’ cybersecurity capabilities before allowing them to access systems. Methods employed to evaluate a partner’s security posture include reviews by a security team or provider (85%), on-site inspections (52%) and RFQs (34%).

A full 98% of enterprises are confident (54%) or very confident (44%) in their ability to protect their own data even if a third-party supplier is breached. However, their confidence may not be entirely justifiable.

For one thing, enterprises don’t always have a handle on how much access third parties have to their systems, with 34% of them saying they have been surprised by a third party’s broad level of access to their network and data. An even higher number of small businesses (39%) were just as surprised by the level of access they were granted.

Also pointing to enterprise overconfidence is a finding about how they react when told by a third party about security vulnerabilities. More than one third (35%) of enterprise respondents said that no action is taken to mitigate these vulnerabilities once notified.

Cybersecurity Staffing


Another surprising revelation in the study has to do with the number of cybersecurity staff employed by enterprises vs. small businesses – 42% of small businesses (with 250 or fewer employees) have at least five cybersecurity staff while 75% of large enterprises (1000 employees or more) employ at least 10 staff members dedicated to cybersecurity. This means that proportionally, many small businesses employ a higher percentage of cybersecurity professionals than enterprises.

While some of this may be explained by the types of tasks cybersecurity teams handle – for instance, there could be more automation at large companies – it also suggests that small businesses aren’t as lax with security as often assumed. It’s even possible the finger-pointing over the years has inspired them to strengthen security efforts.

The research leads to the conclusion that an organization’s size may not be the best indicator of its risk profile. Subscribing to cybersecurity best practices, appropriate staffing levels and maintaining good access management are far more important factors to consider.

Thursday, 20 June 2019

What Does Our Partnership with CyberUSA Mean?

After a lot of planning and coordination, we were excited to announce our new partnership with CyberUSA earlier this week. What is CyberUSA, you may ask? Governed by its members, the nonprofit was established to enhance information sharing between states and improve cyber resilience at all levels of participation: local, regional, and national. It is focused on the common mission of enabling innovation, education, workforce development, enhanced cyber readiness and resilience within our state and local communities, and connects them at the national level. What does all that mean?

CyberUSA, ISC2 Certifications, ISC2 Learning, ISC2 Guides, ISC2 Study Materials

The key takeaway is that – against the backdrop of a shortage of half a million skilled cybersecurity professionals in North America – we’re finally getting more focus on the need to address the men and women currently in the cybersecurity workforce, and those we are trying to recruit to join our ranks. Recent Congressional initiatives have pointed to the need to dramatically ramp up the resiliency, efficacy and protection of vital national resources such as our election systems and critical infrastructure. State, regional, and local governments and organizations will need to play a central role.  Historically, the emphasis from the federal level has been on specific technologies and policy mandates from Washington, DC. Those have been met with mixed results. It’s a good time to refocus on the fundamental role of humans in our need to define and manage these critical security capabilities.

We want to leverage this partnership to fill an important gap. While the Department of Defense and federal agencies have defined cybersecurity workforce roles and requirements, most state, regional, and local entities have not. In addition to our work with CyberUSA, we are also deeply engaged with the National Initiative for Cybersecurity Education (NICE) run by the National Institute of Standards and Technology (NIST). By creating this partnership where we can map the great work done on the NICE Cybersecurity Workforce Framework and use state-level groups such as CyberFlorida to tailor these requirements for their state, we anticipate quickly ramping up a solid bulwark of professionals to deal with cybersecurity challenges outside our federal government.

Tuesday, 18 June 2019

What Does a Cybersecurity Professional Do?

Cybersecurity professionals are trained to find weaknesses in in databases, networks, hardware, firewalls, and encryption. The number one priority of a cybersecurity professional is to prevent attacks by ‘fixing’ potential issues before they are exploited by malicious users. Additionally, cybersecurity specialists will handle clean up after cyber attacks and security breaches.

Cybersecurity Professional, ISC2 Study Materials, ISC2 Learning, ISC2 Tutorial and Material

Sometimes referred to as information security engineers, cybersecurity technicians, or security analysts, they are part construction manager, part doorman, part detective, and part undercover police officer. They are the unsung heroes of the stability of the internet!

Where Do Cybersecurity Professionals Work?


As of 2019, most cybersecurity jobs are located in and around Washington D.C., where analysts work for the Federal government protecting very sensitive data1.

In the private sector, most cybersecurity technicians double as network analysts, because both are so closely related.

Cybersecurity Jobs – A Day in the life


The experience to understand the difference between general network traffic and a cyber attack is one of the most important skills cybersecurity professionals can acquire. Cyber attacks will often creep in with the rest of the traffic.

Unless there are major attacks detected, the job of a cybersecurity professional is a regular 9 to 5. Most days are split between monitoring traffic, writing reports, planning for future upgrades, and finding potential risks. A cybersecurity professional’s job is to stay ahead of the attackers.

The Biggest Threats to A Cyber Security Professional


There has been no shortage of data breaches in recent years. We are quick to forget, but almost 143 million Americans have had their data compromised in data breaches from Equifax, Target, and Ashley Madison just to name a few1. This includes financial information, social security numbers, and other sensitive data. All stolen.

Ransomware became the next big threat in the cybersecurity industry. Hackers would install malicious software and demand payment to return control to the rightful owners. The worst part is that it worked, and many hospitals paid high ransoms to unknown attackers3.

Are Cybersecurity Professionals Blamed for Hacks?


Much like any job, they may take blame for mistakes if it can be proved that the cybersecurity professional’s job was to secure something that was not secure, especially if they were negligent or let an obvious error take place. However, most companies are not quick to blame the professionals that are maintaining the sanctity of their web properties.

Cybersecurity Training


Cybersecurity jobs are in high demand, and this niche part of the tech industry is expanding. Cyber security and network technician programs will only continue to grow as the influence of the internet increases all over the world. If you want to take the next step and study to become a cybersecurity pro, contact us visit here Cybersecurity Professional.

Saturday, 15 June 2019

What Is the CCSP Certification?

CCSP Certification, CCSP Study Materials, CCSP Exam, CCSP Tutorials and Materials

The Certified Cloud Security Professional (CCSP) Certification is an information technology certification that tests applicants’ knowledge of cloud security topics. It is administered by the International Information System Security Certification Consortium, ISC2, and was developed in partnership with the CSA.

The ISC2 CCSP is designed as a certification for mid-level security professionals who want to show their proficiency in the field of cloud security. It is similar to the ISC2 CISSP exam in the choice of topics and difficulty but focuses on cloud security.

How Does the CCSP Certification Differ From Other IT Certifications?


The CCSP certification is one of the few certifications focusing specifically on cloud security. Many other Information Technology certifications take a generalist way to security topics or have a deep level of focus in another area within the domain of information security. In contrast, the ISC2 CCSP exam is designed to test knowledge of the application of cybersecurity techniques, tools, and procedures to cloud computing. A fair amount of focus is placed on drawing attention to the points where the use of cloud computing needs a different approach to security.

The CCSP is far from the only cloud-focused certification available. Many other certifications have been developed by cloud vendors and other certification companies to test candidates’ knowledge of cloud computing concepts and technology. However, the CCSP’s focus on cloud security supports to change it from these other certifications.

The most similar certification to the CCSP is the Cloud Security Alliance’s  CCSK (Certificate of Cloud Security Knowledge). The CSA partnered with ISC2 to create the CCSP exam. According to the CSA blog, the CCSP includes much of the same content spread by the CCSK but also tests knowledge of governance, traditional security, and user privacy in cloud environments.

The CSSP is probably the most extensive certification available on the topic of cloud security. It is designed to test knowledge of cloud security topics at a level comparable to that of the CISSP certification.

ISC2 CCSP Exam Summary


◈ Exam Name: ISC2 Certified Cloud Security Professional (CCSP)
◈ Exam Code: CCSP
◈ Exam Price: $549 (USD)
◈ Duration: 240 mins
◈ Number of Questions: 125
◈ Passing Score: 700/1000
◈ Sample Questions: ISC2 CCSP Sample Questions
◈ Practice Exam: ISC2 CCS PCertification Practice Exam

What Does the CCSP Exam Cover?


The ISC2 CCSP exam is designed to test an applicant’s knowledge of everything to do with cloud security. The CCSP exam is a 125-question multiple-choice test with a 4 hour time limit. There are a total of 1000 possible points, and a passing score needs a minimum of 70 percent of these. The CCSP exam questions are divided into six diverse domains with the following ratios:

Domain 1: Architectural Concepts and Design Requirements (19%)
Domain 2: Cloud Data Security (20%)
Domain 3: Cloud Platform and Infrastructure Security (19%)
Domain 4: Cloud Application Security (15%)
Domain 5: Operations (15%)
Domain 6: Legal and Compliance (12%)

The rest of this section is devoted to giving a brief overview of the topics included in each domain of the CCSP exam.

Domain 1: Architectural Concepts and Design Requirements (19%)


The first domain of the ISC2 CCSP exam covers the background knowledge necessary to secure cloud computing systems. This covers basic cloud computing concepts, the different types of cloud architectures, security concepts related to cloud computing, principles of secure cloud computing and how to recognize advanced cloud services.

Domain 2: Cloud Data Security (20%)


This domain is focused on everything to do with protecting data on the cloud. Related knowledge involves the CSA Cloud Data Lifecycle, security considerations of cloud data storage, techniques, and tools for data security, how to find and classify data on the cloud, protecting personal data based on jurisdictional requirements, maintaining access to data, implementation of data retention, archiving and deletion processes and data event management.

Domain 3: Cloud Platform and Infrastructure Security (19%)


The third CCSP domain focuses on the security aspects of cloud infrastructure. An ISC2 CCSP applicant should know the essential components of cloud infrastructure, be able to perform a risk assessment, implement and design security controls for the cloud and know how to integrate cloud computing into their organization’s business disaster/continuity recovery (BC/DR) plan.

Domain 4: Cloud Application Security (15%)


This section of the ISC2 CCSP exam is focused on securing and developing cloud applications. On the development side, candidates should be aware of the different challenges of growth for the cloud, familiar with software validation and assurance for cloud applications, practice good supply chain management and know the SDLC. The security side of this domain includes the Secure Software Development Lifecycle, cloud-specific security technology and management of identity and access in the cloud.

Domain 5: Operations (15%)


In this domain, an applicant requires to prove knowledge of how to design, implement, run, build, maintain and assess the risks of both logical and physical cloud infrastructure. This section also examines knowledge of related regulations like ITIL and ISO/IEC 20000-1, the collection of digital evidence in the event of a conflict and how to maintain communication with all stakeholders in the cloud environment.

Domain 6: Legal and Compliance (12%)


The final domain of the ISC2 CCSP is focused on any cloud-specific laws and regulations not covered in newer domains. This involves how the cloud affects regulatory compliance, jurisdiction-specific privacy regulations, risk management, and auditing. Also covered are the management of the supply-chain, vendor contracts, and outsourcing.

Friday, 14 June 2019

What’s Tested on the CISSP Exam?

CISSP Exam, CISSP Study Materials, CISSP Learning, CISSP Certifications

CISSP, which stands for Certified Information Systems Security Professional, is a certification provided by (ISC)2 that indicates that an individual can design, implement, and maintain an information security program in a business. The CISSP exam is one step in the process of becoming a fully-certified CISSP.

About the CISSP Exam


The CISSP exam is a multiple-choice CAT exam offered at Pearson VUE Testing Centers. CAT stands for Computer Adaptive Testing, which is a means of assessing a test-taker’s level of knowledge with fewer questions and a shorter testing period than linear testing models. The computer will give you questions based on how you answered previous questions on the exam. As you correctly answer more difficult questions, the computer will anticipate your ability level and give you even more difficult questions to answer. This way, the computer can test the range of your abilities more quickly than it would have by giving you a larger, pre-determined set of questions.

Something to keep in mind: because each question informs the next question you’re given, there’s no way to go back and check your answers when you finish the exam; once you finalize an answer on a question, you can only move forward in the exam.

Based on the CAT, the CISSP exam is between 100-150 questions, with a time limit of 3 hours. You need to get 700 of 1000 total points to pass the exam.

The exam cost is $699 for students in the United States. You’ll pay this fee when you register for the exam.

The CISSP exam covers eight fundamental domains of information security, listed and weighted approximately on the exam as follows:

◈ Domain 1: Security and Risk Management (15%)
◈ Domain 2: Asset Security (10%)
◈ Domain 3: Security Architecture and Engineering (13%)
◈ Domain 4: Communication and Network Security (14%)
◈ Domain 5: Identity and Access Management (13%)
◈ Domain 6: Security Assessment and Testing (12%)
◈ Domain 7: Security Operations (13%)
◈ Domain 8: Software Development Security (10%)

CISSP Exam Registration


As mentioned previously, you’ll take your CISSP exam at a Pearson VUE Testing Center. In order to register for the exam, go to the Pearson VUE website and create a Pearson account. Once you’ve read through Pearson VUE’s Non Disclosure Agreement, you’ll be able to select an exam, exam location, and exam date/time. You’ll also pay the $699 exam fee at this time. After you register, Pearson VUE will send you a confirmation email.

After the CISSP Exam


You’ll be told if you passed or failed immediately upon completing the CISSP exam. You won’t have access to your numerical score–of you pass, you’ll simply be told that you passed. If you fail, while you still won’t have access to your numerical score, you’ll receive a diagnostic feedback assessing your performance on the different domains of the exam.

You can take the CISSP exam a total of 3 times within a 12-month period. If you don’t pass the exam the first time, you can take it again in 30 days. If you don’t pass the second time, you can take it again 90 days from your second test date. If you don’t pass the third time, you can take it again 180 days after your most recent attempt, as long as it’s outside of the 12-month period in which you can only test a total of 3 times.

Passing the CISSP exam doesn’t make you a CISSP–you also need to complete the required job experience and submit an endorsed application to (ISC)2.

Thursday, 13 June 2019

What are the 8 CISSP domains?

CISSP Domains, CISSP Certifications, CISSP Study Materials, ISC2 Certifications

The globally renowned CISSP® (Certified Information Systems Security Professional) qualification provides information security professionals with an objective measure of competence and is divided into eight domains:

1. Security and Risk Management
2. Asset Security
3. Security Engineering
4. Communications and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

1. Security and Risk Management


Security and Risk Management is the largest domain in CISSP and focuses on a number of key business topics: the concepts of confidentiality, integrity and availability; security governance principles; compliance requirements; legal and regulatory issues relating to information security; IT policies and procedures; and risk-based management concepts.

Average weight in the exam: 15%

2. Asset Security


Asset Security focuses on: classification and ownership of information and assets; privacy; retention periods; data security controls; and handling requirements.

Average weight in the exam: 10%

3. Security Engineering


Security Engineering covers several important information security concepts, including: engineering processes using secure design principles; fundamental concepts of security models; security capabilities of information systems; assessing and mitigating vulnerabilities in systems; cryptography; and designing and implementing physical security.

Average weight in the exam: 13%

4. Communications and Network Security


The Communications and Network Security domain looks at designing and protecting network security. It covers topics including: secure design principles for network architecture; secure network components; secure communication channels; and preventing or mitigating network attacks.

Average weight in the exam: 14%

5. Identity and Access Management


Identity and Access Management helps professionals understand how to control the way users can access data. It covers: physical and logical access to assets; identification and authentication; integrating identity as a service and third-party identity services; authorisation mechanisms; access control attacks; and the identity and access provisioning lifecycle.

Average weight in the exam: 13%

6. Security Assessment and Testing


The Security Assessment and Testing domain focuses on designing, performing and analysing security testing. Topics covered include: designing and validating assessment and test strategies; security control testing; collecting security process data; test outputs; and internal and third-party security audits.

Average weight in the exam: 12%

7. Security Operations


The Security Operations domain covers key topics including: understanding and supporting investigations; requirements for investigation types; logging and monitoring activities; securing the provision of resources; foundational security operations concepts; applying resource protection techniques; incident management; disaster recovery; and managing physical security.

Average weight in the exam: 13%

8. Software Development Security


The final CISSP domain helps professionals to understand, apply and enforce software security. It covers: security in the Software Development Life Cycle (SDLC); security controls in development environments; effectiveness of software security; and secure coding guidelines and standards.

Average weight in the exam: 10%

Tuesday, 11 June 2019

Mitigating DDoS attacks

ISC2 Certifications, ISC2 Guides, ISC2 Learning, ISC2 Tutorials and Materials

Distributed Denial of Service (DDoS) attacks have been on the rise in recent years and show no sign of slowing up. With businesses and consumers both feeling the impact of DDoS attacks, mainstream media outlets (i.e. ABC, CNN, and  the New York Times) have provided in-depth coverage of some of the larger attacks.

Despite rising awareness of DDoS attacks, their perpetrators are undaunted and continue to level attacks against organisations of all sizes on a daily basis. This is the result of a growing number of wrongdoers easily aligning themselves with nefarious groups. They create or locate readily available tools to launch automated attacks against any target, from social media and travel websites, to global enterprises and government agencies.

Organisations that fall victim to a DDoS attack typically suffer damage in one or more areas: deteriorating customer trust; lost revenue; negative brand impact; or slowed web innovation and expansion. As a result, organisations of all kinds recognise the need to shore up their web infrastructure against these easily launched DDoS attacks.

Defining a DDoS attack


A denial of service attack occurs when web infrastructure, usually one or more servers, becomes so overwhelmed with malicious traffic that it utilises all its resources and can no longer respond to legitimate website users. A distributed denial of service attack amplifies this scenario by launching an attack from multiple computers distributed across the Internet. Most large-scale DDoS attacks leverage botnets – computers with breached security that are being controlled and manipulated by the perpetrators of the attack. The perpetrators instruct all computers in the botnet to send fake or malicious traffic to the targeted organisation’s web servers, overwhelming them with traffic and rendering them incapable of serving legitimate users.

DDoS attacks – the cheap and fast weapon of choice


DDoS attacks have become prevalent for three simple reasons – they are cheap, simple to create, and effective. Instructions for creating a botnet can be found easily online. For example, anyone can perform a Google search on “cheap, automated DDoS” and quickly came up with a botnet creation and launch tutorial. These tutorials come complete with detailed programming instructions to create, launch, and control bots. It even teaches potential perpetrators how to secure their bots and themselves.

The  Most Common of DDoS attacks


Flood attacks


Three types of volumetric attacks make up the overwhelming majority of DDoS attacks. Among these, the easiest to launch and understand are flood attacks, such as GET/POST flood, SYN flood, and UDP flood. They all “flood” a targeted web server with requests, causing the server to respond and open connections to the compromised computers (botnet) that are making the requests. By not responding back to the targeted server, the botnet holds open all server connections as the targeted server awaits responses. Eventually, the targeted server maintains so many open connections that it runs out of available ports to serve legitimate users, causing service outage.

ICMP flood attacks


A variation on the  standard flood attacks is the  ICMP Flood, which goes  by such  names as Smurf attack, Ping flood, and  Ping of Death.   Perpetrators of this type of DDoS attack  spoof  (fake) the  IP address of the targeted victim, then use  that  IP address to send out a broadcast of requests to a network of computers. When the  network of computers responds, the  targeted victim’s network becomes flooded with response traffic, thereby blocking legitimate user traffic from reaching the  victim’s machine.

DNS flood


A third, and increasingly common, type of flood attack is called a DNS Flood. A DNS flood attack works by spoofing the IP address of the targeted victim’s server DNS and using it in communications with improperly configured DNS resolvers, called Open DNS Resolvers. Open DNS Resolvers reply to all DNS requests, often with large amounts of data, without confirming their origin. This combination of many machines and large responses makes Open DNS Resolvers ideal resources for launching a large-scale attack. Moreover, they offer ample opportunity to hackers, as noted by The Open Resolver Project, which currently tracks over 27 million Open DNS Resolvers in operation today across the Internet. With so many open resolvers, each with the ability to transmit large amounts of traffic, it is easy to see why DNS flood attacks occur more often today than ever before.

If you’d like to learn more about XOR.DDoS attacks, please read our blog article: Understanding XOR.DDoS attacks

The ‘who’ and where behind DDoS attack origination

As for who perpetrates all these DDoS attacks, that is a difficult puzzle facing the law enforcement community. Groups range from government agencies and organised crime syndicates, to political activists and individual thrill-seekers. The profile of DDoS attack perpetrators is ever shifting, depending on the nature of current issues and opportunities presented. That said, the most common DDoS attackers include the following:

◈ Organised crime syndicates
◈ State-sponsored wagers of electronic warfare
◈ Businesses attempting to weaken competitors
◈ Politically motivated cyber  terrorists (hacktivists)
◈ Extortionists
◈ Hackers seeking profits
◈ Individuals out for a thrill

Traditional web infrastructure cannot handle DDoS protection

Just as traditional web infrastructure has  proven inadequate for handling large amounts of legitimate web traffic, it falls short in fending off most DDoS attacks. Both the origin and overflow infrastructure lack the resources for all but the smallest of DDoS attacks. The typical enterprise’s server and switch capacity fall far short of the capacity required for mitigating a DDoS attack. In today’s environment of tightened IT budgets, most organisations cannot afford to expand their web infrastructure in the manner required to absorb a DDoS attack. In addition, the costs of establishing additional data centers just to defend against DDoS attacks makes little sense. For this reason, organisations are turning to managed hosting providers and/or content delivery networks (CDNs) with DDoS absorption capabilities to serve their websites to a global audience.

CDN with DDoS absorption


Managed hosting providers and CDNs are not equal when it comes to DDoS absorption. First, the larger managed hosting providers with the capacity needed to absorb an attack often exist on the very networks frequently experiencing DDoS attacks, or at the very least carrying their traffic. Moreover, managed hosting providers do not span across different networks as the larger CDNs do, making them unable to match global CDNs in their ability to shift network usage quickly in the event of an attack on specific networks.

Gain DDoS mitigation now, but plan for evolution


Given the reality of today’s online world – that high-volume DDoS attacks will continue to strike a wide variety of organisations across industries and geographies, professionals charged with maintaining an operational web presence must act fast to shore up their web infrastructure. At the same time, however, they should plan carefully and leverage a service provider that has a track record for evolving its infrastructure and services in line with the evolving nature of the online world. Only this type of strategy will enable continued online innovation in a manner that protects ongoing business today.

Saturday, 8 June 2019

Cybersecurity Awards for Leading Professionals

Nominations are now open for the 2019 Information Security Leadership Awards Americas. The awards will be presented during a ceremony at (ISC)² Security Congress on Wednesday, October 30 at the Walt Disney World Swan and Dolphin Resort in Orlando and will be open to All-Access pass attendees. As this is the first global event in (ISC)² history, it is expected to be the largest Security Congress ever, with as many as 4,000 attendees.

Cybersecurity, ISC2 Certifications, ISC2 Guides, ISC2 Learning, ISC2 Tutorials and Materials

The ISLA Americas nominations are open to (ISC)² members and non-members alike who are working in North, South and Central America. The deadline to submit all nominations is July 12. The categories for this year’s awards are:

◈ Information Security Practitioner
◈ Senior Information Security Professional
◈ Up-and-Coming Information Security Professional
◈ Community Awareness

Jeremy Molnar nominated a colleague last year saying “Jobs in security can often be thankless, since the headlines are focused on when bad things occur or when things go wrong. Being able to celebrate those that are doing great things in the industry allows us to be aware of what those things are – which helps us all – but it also helps to continue to motivate those individuals and to let them know that we see those things are working, even if it doesn't generate headlines.”

Celebrating Diversity


Cybersecurity, ISC2 Certifications, ISC2 Guides, ISC2 Learning, ISC2 Tutorials and Materials
A new addition to this year’s award program will be the first-ever (ISC)² Diversity Award. This inaugural honor will be presented to an individual that represents the core values of (ISC)² through significant contributions that have driven a more diverse cybersecurity workforce. We look forward to honoring someone who has significantly advanced diversity in our field through activities like scholarships, advocacy, nonprofit work or other means.

Read More: ISC2 Certifications

Thursday, 6 June 2019

Cybersecurity Falls Short in Organizations Undergoing Digital Transformation

While C-level executives understand the need for cybersecurity as their organizations undergo digital transformation, they aren’t prioritizing it enough, according to a recent Deloitte report based on a survey of 500 executives.

Cybersecurity, Digital Transformation, ISC2 Study Materials, ISC2 Guides

The report, “The Future of Cyber Survey 2019,” reveals a disconnect between organizational aspirations for a “cyber everywhere” future and their actual cyber posture. One area where this is evident is in budgeting, with organizations allocating only 14% of their digital transformation budgets to cybersecurity.

Further evidence is how often cyber appears on the agendas of company board meetings. Cybersecurity makes it to the agenda of 49% of organizations at least quarterly, which is a positive sign, but it also means the remaining 51% of organizations address it less frequently. Only 4% of respondents said cybersecurity appears on their board’s agenda on a monthly basis.

Overall, the report reveals that while organizations are aware of the need for a strong cybersecurity posture, their actions don’t necessarily reflect that need. “There is still much work to do in aligning cyber initiatives to executive management’s digital transformation priorities,” the report says.

Everyone’s Responsibility


Cybersecurity, Digital Transformation, ISC2 Study Materials, ISC2 Guides
As organizations move forward with digital transformation, they should adopt a “cyber everywhere” perspective, with everyone within an organization sharing cybersecurity responsibilities.

“As the world becomes smaller, cyber is getting bigger, and it’s moving in multiple dimensions across multiple disciplines—beyond an organization’s walls and IT environments and into the products it creates, the factories where it makes them, the spaces where its employees conceive them, and where its customers use them,” the report says.

Yet, less than one fifth of organizations (18%) have security liaisons in their business units “to foster greater collaboration, innovation, and security.” Those that do, the report reveals, are more effective in managing cyber risk through collaboration and innovation.

More often, interaction between the cybersecurity team and business units occurs through security assessments (29%) or security steering committees working with business units (29%). About one quarter of organizations (24%) use separate security organizations within each business.

The financial services sector, the survey found, is doing a good job of creating an effective cybersecurity culture by embedding security officers in business units. “Their sole mission is to embed security in new initiatives, manage compliance, and foster collaboration and modernization. This model becomes a catalyst for better efficiency and risk management.”

Breaches Are Common


Nearly all respondents (95%) said their companies have experienced multiple cyber attacks. More than half (57%) said their most recent breach occurred within the past two years, seriously impacting revenue, reputation and leadership stability.

One third of respondents (32%) said their company’s CISO reports to the CEO, which Deloitte found encouraging because its earlier research put the number closer to 20%. Either way, it’s a small percentage. Companies with CISOs reporting directly to the CEO are more likely to have a strong cybersecurity culture.

Overall, the report concludes, organizations need to become more nimble, flexible and collaborative to secure themselves, their employees, customers and partners. For that to happen, C-level executives need to prioritize cybersecurity as their companies transform themselves for a digital future.

Tuesday, 4 June 2019

Writing Cybersecurity Articles - Setting Up Your Writing Process

Cybersecurity, ISC2 Study Materials, ISC2 Guides, ISC2 Learning

Writing can be one of those professional development win-win activities that not only brings joy to the person engaged in it, but also brings knowledge, value — and yes, in some cases even joy — to the reader. All of us remember reading a particularly well-crafted sentence and thinking to ourselves “wow, that was well written.” You might have even thought “gee, I wish I could write like that.” Well, you probably can, but unlike in the movies, it probably won’t come to you in a full sentence at the moment you summoned it. In this article, I want to encourage you to explore — especially if you tried before and gave up — developing your writing, by setting up a process that is both light and rewarding to you personally, and since this is after all an (ISC)² blog, professionally.

What Drives You?


Motivation is an important force to accomplish our goals. Of course, we need a lot more than motivation to get things done but having that quick internal reflection about what drives you to writing is an important part of your journey. Remember a time when you wrote something that you were particularly happy with? Perhaps it was writing letters to friends, writing poetry, writing an essay — whether a philosophical one or a business-focused one. You still have that spark, that ability to transmute ideas or feelings into words.

Spend a few minutes analyzing whether your motivation to write is internally driven — you want to write primarily for yourself, whether or not there will be a reader other than you — or externally driven — you need to write for work and haven’t really looked forward to it. It could also be a combination of internal and external factors. Understanding what motivates you to give writing another try now will help you push through the hurdles and the self-doubt later.

Decades ago, I heard the writing process being described much like muscles, that writing was something that needed regular exercise to develop, and that with enough practice, one could achieve a level of speed and form that would put you in the prestigious class of being “an author.” However, the idea of sweating through the writing process wasn’t at all appealing, in large part because the finished product — in this case a highly theoretical academic paper that might only be read by a handful of people — wasn’t appealing to me. Fast forward to 2019, and in the past six years, I have co-authored two books, written over one hundred blog articles for SecurityIntelligence.com, and written many more blog articles for other outlets, including three so far for the (ISC)² blog. What changed? I focused on writing pieces that I felt brought value to the reader.

Achieving Clarity on the What


There are three main questions you should ponder before you unleash your writing. Who is your reader? What will be your message — and the “tone” of your writing? And finally, what is the value you want to bring to your reader?

The reader could be someone who is at a similar level as you, someone with a similar background and work experience as you. The reader could be someone at a different level — for example a security manager or CISO writing for business executives. Or the writing could be for a broad audience, such as all staff. Having some clarity on the reader will allow you to “speak to them” in your writing — yes, I realize I just mentioned “speaking” to the “reader” but it’s an approach that I found works well for my writing style.

Having clarity on what your message will be is the surest way to have the writing “flow” out of you. So before you allow yourself to get lost in the writing process, spend ten minutes thinking about a title, an angle, and developing some of the main points of your article. Now is also a good time to decide on the tone of your writing, whether it will be “business formal” — think of something you might read that covers law and privacy — versus a more “business casual” tone — very much like this article. Or somewhere in between.

I chose to specify the notion of value to the reader separate from the notion of message, as focusing on the message has you thinking about “what you will write about”, while the former has you thinking about “what will my reader get from this” or even “how will they use this information.” Once you’ve completed a first draft, focusing on value to the reader will help you refine your article during the review process.

Set Up Your Writing Environment


The writing process can be stressful, especially if you start feeling like it’s not happening the way you wanted to. It’s easy to go from “I’m going to do this” to “I’ve been staring at a blank page for an hour… I’m just not cut out for this.” Which is why I ask you consider your writing environment, as it can have a positive or negative impact on your flow.

When & where should I write?

Understand that where we are, how we feel, and what time of the day it is, all impact our writing process. If you try to write at work, just the simple fact of sitting at the same desk where you normally perform other work-related tasks, you brain will automatically be thinking about those tasks instead of writing. So, explore finding other spots, the kitchen table, the couch, a coffee shop, a quiet space at work away from your office. Where is a spot where you find yourself having deep thoughts? Try writing there. Of course, it helps if you can also have an hour or two of peace and quiet.

What about the when of writing? In my experience there isn’t a one-time-fits-all perfect time. I’ve done writing in the evenings, mid-day, and in the mornings. Whether the writing flowed was more a product of how I felt, whether I was in the flow, and whether I had been thinking about the article for a while. If you only have time to write in the evenings, then give it a try, but if it’s not conducive, try a different time of day. Eventually you’ll develop the sense of how “in the flow” you find yourself in at different points during the day.

Exploring your particular approach to writing

Another potential roadblock to your writing has to do with the particular approach you will take when writing. Two main writing paths are:

◈ Your words, their ideas — in which you’ll write something, but it will be based on someone else’s ideas, along the lines of a summary or an analysis. This particular approach can help you overcome writer’s block as the writing is based on an already existing body of work, and you can create sentence-by-sentence constructs that can later be rearranged into a well-structured and cohesive document.

◈ Your words, your ideas — in which you’ll write down your own opinions and ideas. This writing will bring you more joy, since it represents your thoughts or feelings, but can be more challenging as you’re juggling the creative process — what are my thoughts, ideas, feelings — along with the writing process itself — how do I express those.

If you jump directly into the second category and find it challenging, practice developing your writing flow by spending some time working out your writing muscles in the first category (your words, their ideas).

Take Action Today


This article would be a nice theoretical essay if it stopped at the previous paragraph. You’ve made it this far, so, why not take the next steps, small steps that can have a big impact.

Unleash and capture your ideas

Most people have hundreds or thousands of ideas in a single day. But they often disappear as quickly as they came. Unless you capture them — right there on the spot — on paper, electronically, or even via a short voice recording. Sometimes it can be as short as one sentence, a title of sort that specifies both the topic and your particular angle. Or it can come in as a burst of sentences all somewhat related. These may have to be untangled into one cohesive article, or a short series of articles.

The important point is to have a process for capturing ideas, especially good ideas, when they happen. The next step is to regularly review that list of ideas, and, if it gets too long, to prune it down to the best ideas.

Follow the trail of leaders before you

One of the best ways to generate ideas and to explore the many forms that writing can take is to surround yourself with good writing. The good news is that there are many free sources of good writing; here are a select few:

◈ The (ISC)² blog and other security and privacy related outlets

◈ Outlets that cover a more general-business perspective such as com, hbr.org (Harvard Business Review), Forbes.com

◈ Leading figures in our field such as Dan Geer, Douglas Hubbard, and Bruce Schneier.

◈ Many blog authors have also taken to posting their writing on Medium.com. If you subscribe, you can also specify the kinds of topics you like to read about and get weekly digests focused on those topics.

◈ Find and follow some of the leading authors that have been inducted in the Cybersecurity Canon, which calls itself "a list of must-read books for all cybersecurity practitioners." I recommend you start by those who made it into the “hall of fame” to help narrow down the field.

Try It, But Be Patient


Be patient with yourself when it comes to writing. Writing might not happen today, even though you really wanted it to — or worse, needed it to. Tell yourself that you’ll try again tomorrow. As you become more proficient at writing, be aware of your mental state when you sit down. Try to wait for a time when you find yourself “ready” to write.

Recipe for Success?


What about you, do you have a particular recipe for writing success that you want to share with a fellow cybersecurity professional? Comment below or consider submitting your own blog article to this outlet or others.

Saturday, 1 June 2019

Additional Recognition for Cybersecurity Certifications

Cybersecurity Certifications, ISC2 Study Materials, ISC2 Guides, ISC2 Learning, ISC2 Certifications

Following the signing of a Multilateral Recognition Arrangement (MLA) signed last year that confirms the American National Standards Institute’s (ANSI) standing as an internationally respected accrediting body with rigorous standards, all nine (ISC)² cybersecurity certifications are now recognized by the International Accreditation Forum (IAF).

The MLA applies to IAF accrediting bodies, including ANSI, and shows that the organizations they accredit all meet the same rigorous standards.

Cybersecurity Certifications, ISC2 Study Materials, ISC2 Guides, ISC2 Learning, ISC2 Certifications
According to a press release issued by ANSI, “Regional Accreditation Group members of IAF are admitted to the IAF MLA only after a most stringent evaluation of their operations by a peer evaluation team which is charged to ensure that the applicant member complies fully with both the international standards and IAF requirements.”

(ISC)² was the first cybersecurity certifying body to meet the requirements of ANSI/ISO/IEC Standard 17024, which is a global benchmark for certifying qualified professionals. The (ISC)² accredited certifications that are now recognized by the IAF include:

CISSP

SSCP

CCSP

CAP

CSSLP

HCISPP

CISSP-ISSAP
CISSP-ISSEP
CISSP-ISSMP