Thursday, 2 July 2020

It’s Official: (ISC)2 Security Congress Will Be Virtual This Year

ISC2 Security, ISC2 Learning, ISC2 Tutorial and Material, ISC2 Exam Prep
As COVID-19 continues to surge across the globe and corporate travel restrictions put in place, (ISC)² has announced its decision to make its Security Congress for 2020 a virtual conference. The renowned three-day conference, focused on industry discussion and continuing education for security professionals of all levels, will be held online from November 16-18.

This decision is in recognition of the fact that many training budgets have been reallocated due to the economic impact of COVID-19. As such, (ISC)² Security Congress 2020 is offering a heavily discounted Early Bird pricing to (ISC)² members and associates of just $295 for an All-Access pass and $395 for non-members.

Registration details will be announced when open, as well as more information on the full program agenda. Check for routine updates.

This year’s event will feature upwards of 40 sessions by presenters from around the globe. (ISC)² members will also have the opportunity to earn as many as 45 continuing professional education (CPE) credits – more than any other previous Security Congress – by attending live and on-demand sessions. Professional development sessions will provide actionable insights into a wide array of both technical and soft skills topics including Cloud Security, DevSecOps, Governance, Risk and Compliance (GRC), Career Development, Privacy, workforce challenges and more.

ISC2 Security, ISC2 Learning, ISC2 Tutorial and Material, ISC2 Exam Prep

By making the event virtual and drastically reducing the pricing, this year’s Security Congress will be more accessible than ever before, especially to those outside the U.S. for whom travel – even in a normal year – can be prohibitive. Security Congress will now be able to bring the global cybersecurity community together and make the best out of one of the most challenging years our profession has ever faced.


Tuesday, 30 June 2020

Beware of TMI: Cyber Crooks Are Watching

ISC2 Tutorial and Material, ISC2 Exam Prep, ISC2 Certification, ISC2 Guides
Research conducted since the start of the COVID-19 pandemic shows an increase in cyber threats as cybercriminals try to take advantage of users working remotely. What most users may not realize is that they could be making it easier for threat actors to target them.

Here’s how: Every time a user posts a picture of his or her remote office setup on social media or participates in a videoconference, the user unwittingly may be revealing personal or company information that threat actors can exploit. In an opinion piece published by the Wall Street Journal, a cybersecurity expert warned about the dangers of over-sharing.

“People often don’t realize how much personal information they are revealing in photos—images of their houses and hobbies that provide clues about their usernames, passwords and other personal information. And hashtags like #WorkFromHome and #HomeOffice make it convenient for crooks to zero in on photos that contain those details,” wrote Jason R.C. Nurse, a cybersecurity at the University of Kent’s School of Computing in the U.K.

Nurse notes that so far, no cybercrimes have been documented as a result of sharing photos during the pandemic, but the potential is there. There is no doubt, however, that threat actors have upped their game, as evidenced by separate studies that (ISC)2 and ISACA have conducted.

In the ISACA study, 87% of respondents believe the rush to set up remote workstations to cope with the pandemic has increased data protection and privacy risks. The (ISC)2 poll, meanwhile, found that nearly a quarter of respondents (23%) have seen an increase in security incidents at their organizations since work-from-home policies were instituted, in some cases as many as double.

Too Much Information

In the Wall Street Journal article, Nurse says online crooks can scour photos to identify personal information that users don’t realize they are sharing. For instance, an Amazon package could contain a person’s name and address. Photos from a birthday party might reveal someone’s birthday and age.

A threat actor could pull that information together in a phishing email containing enough personal details to make the email believable and prompt the recipient to click a compromised link. The same type of information can be shared in web conferences, Nurse noted.

Cyber attackers can also glean information about hobbies and interests from social media posts, photos and videoconferences. Sports team memorabilia, books about a particular topic, and other objects can deliver the clues cybercriminals are looking to use to lend credence to their attempts to trap unsuspecting users.

Corporate Details

In addition to unwittingly revealing personal information, remote workers may also expose corporate details without realizing it. “My preliminary analysis of photos from the new wave of work-at-home postings has found that people unwittingly reveal images of sensitive internal corporate correspondence and webpages on their screens—a trove of information for criminals,” Nurse wrote.

ISC2 Tutorial and Material, ISC2 Exam Prep, ISC2 Certification, ISC2 Guides

Users can even reveal information about the technology they are using, such as laptop serial numbers and software applications. A criminal could use that to call a company’s helpdesk, pose as a user and obtain information that provides access to the person’s system.

Everything Nurse describes in his article is avoidable, so long as users are made aware of the risks. It’s an important reminder that cybersecurity isn’t just about technology; it also involves a strong human factor that every organization needs to address to protect itself and its users.

Saturday, 27 June 2020

There's Training ... and there's Official Training: Know the Differences

ISC2 Tutorial and Material, ISC2 Guides, ISC2 Learning, ISC2 Certification, ISC2 Exam Prep

When it comes to (ISC)² certification exam prep, there is no shortage of choices – especially for the CISSP and CCSP credentials. With so many options, where’s the assurance that you’re putting your time, faith and money into a vetted training resource?

It’s an excellent question. So let’s break down three key distinctions between (ISC)² Official Training from an authorized provider versus training from an unauthorized company. Because the right source can make all the difference in crushing your certification goal – and protecting your investment.

1. (ISC)² Authorized Instructors

Taking on the globally recognized CISSP or CCSP demands commitment and motivation. When you pursue Official Training, you’re guided by an instructor who actually holds the credential you’re going after. (ISC)² and our Official Training Providers guarantee you learn from verified industry experts who have completed a rigorous process to teach our official courseware.

(ISC)² Authorized Instructors have been in your shoes… That’s why they know exactly how to keep you engaged and focused, every step of the way.

2. Most Relevant, Up-to-Date Course Materials

When you choose an Official Training Provider, you’re taught the most relevant and current content available. The courseware is developed by (ISC)², the creator of the Common Body of Knowledge (CBK®).

The (ISC)² CBK is a collection of topics relevant to cybersecurity professionals around the world. It establishes a common framework of information security terms and principles, enabling cybersecurity and IT/ICT pros worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding, taxonomy and lexicon. Domains from the (ISC)² credentials are drawn from various topics within the (ISC)² CBK, used to assess mastery of the most critical aspects of info sec.

3. Comprehensive Exam Prep

Passing an (ISC)² certification is as rewarding as it is challenging. You want to feel confident on exam day, and confidence comes from knowing you’re prepared. The Official Training route is a proven way to help set yourself up for success. With an Official Training Provider at your side, you have convenient access to comprehensive exam prep that aligns with all domains in your chosen certification.

Again, all of our training providers have undergone a meticulous vetting process by (ISC)² and are trusted training resources for individuals, organizations and government agencies. Official Training Providers offer delivery options such as bootcamps, in-person classes and online seminars. They also provide training and exam voucher packages.

While unofficial training companies may claim to include the exam voucher, this is neither true nor ethical. (ISC)² and Official Training Providers are the only organizations authorized to offer vouchers for our exams.

Prep Like a Pro with an (ISC)² Official Training Provider

(ISC)² certifications are highly regarded in the cybersecurity industry, so it’s not surprising that countless training companies offer exam prep for them. But you wouldn’t trust your personal fitness to just anyone wearing a track suit, just as you wouldn’t have your car repaired by an unauthorized garage. The same holds true with certification exam prep. When enlisting a training provider, it pays to know who’s really preparing you.


Thursday, 25 June 2020

Cyber Security Risk Analysis

Cyber Security, Risk Analysis, ISC2 Tutorial and Material, ISC2 Guides, ISC2 Prep

Risk analysis refers to the review of risks associated with the particular action or event. The risk analysis is applied to information technology, projects, security issues and any other event where risks may be analysed based on a quantitative and qualitative basis. Risks are part of every IT project and business organizations. The analysis of risk should be occurred on a regular basis and be updated to identify new potential threats. The strategic risk analysis helps to minimize the future risk probability and damage.

Enterprise and organization used risk analysis:

◉ To anticipates and reduce the effect of harmful results occurred from adverse events.
◉ To plan for technology or equipment failure or loss from adverse events, both natural and human-caused.
◉ To evaluate whether the potential risks of a project are balanced in the decision process when evaluating to move forward with the project.
◉ To identify the impact of and prepare for changes in the enterprise environment.

Benefits of risk analysis

Every organization needs to understand about the risks associated with their information systems to effectively and efficiently protect their IT assets. Risk analysis can help an organization to improve their security in many ways. These are:

◉ Concerning financial and organizational impacts, it identifies, rate and compares the overall impact of risks related to the organization.

◉ It helps to identify gaps in information security and determine the next steps to eliminate the risks of security.

◉ It can also enhance the communication and decision-making processes related to information security.

◉ It improves security policies and procedures as well as develop cost-effective methods for implementing information security policies and procedures.

◉ It increases employee awareness about risks and security measures during the risk analysis process and understands the financial impacts of potential security risks.

Steps in the risk analysis process

The basic steps followed by a risk analysis process are:

Conduct a risk assessment survey:

Getting the input from management and department heads is critical to the risk assessment process. The risk assessment survey refers to begin documenting the specific risks or threats within each department.

Identify the risks:

This step is used to evaluate an IT system or other aspects of an organization to identify the risk related to software, hardware, data, and IT employees. It identifies the possible adverse events that could occur in an organization such as human error, flooding, fire, or earthquakes.

Analyse the risks:

Once the risks are evaluated and identified, the risk analysis process should analyse each risk that will occur, as well as determine the consequences linked with each risk. It also determines how they might affect the objectives of an IT project.

Develop a risk management plan:

After analysis of the Risk that provides an idea about which assets are valuable and which threats will probably affect the IT assets negatively, we would develop a plan for risk management to produce control recommendations that can be used to mitigate, transfer, accept or avoid the risk.

Implement the risk management plan:

The primary goal of this step is to implement the measures to remove or reduce the analyses risks. We can remove or reduce the risk from starting with the highest priority and resolve or at least mitigate each risk so that it is no longer a threat.

Monitor the risks:

This step is responsible for monitoring the security risk on a regular basis for identifying, treating and managing risks that should be an essential part of any risk analysis process.

Types of Risk Analysis

The essential number of distinct approaches related to risk analysis are:

Cyber Security, Risk Analysis, ISC2 Tutorial and Material, ISC2 Guides, ISC2 Prep

Qualitative Risk Analysis

◉ The qualitative risk analysis process is a project management technique that prioritizes risk on the project by assigning the probability and impact number. Probability is something a risk event will occur whereas impact is the significance of the consequences of a risk event.

◉ The objective of qualitative risk analysis is to assess and evaluate the characteristics of individually identified risk and then prioritize them based on the agreed-upon characteristics.

◉ The assessing individual risk evaluates the probability that each risk will occur and effect on the project objectives. The categorizing risks will help in filtering them out.

◉ Qualitative analysis is used to determine the risk exposure of the project by multiplying the probability and impact.

Quantitative Risk Analysis

◉ The objectives of performing quantitative risk analysis process provide a numerical estimate of the overall effect of risk on the project objectives.

◉ It is used to evaluate the likelihood of success in achieving the project objectives and to estimate contingency reserve, usually applicable for time and cost.

◉ Quantitative analysis is not mandatory, especially for smaller projects. Quantitative risk analysis helps in calculating estimates of overall project risk which is the main focus.

Tuesday, 23 June 2020

Difference Between Cloud Computing and Virtualization

Cloud Computing and Virtualization, ISC2 Tutorial and Material, ISC2 Exam Prep, ISC2 Guides

Cloud computing and virtualization are very closely related terms where the virtualization drives single resource behaves as many whereas cloud computing enables distinct departments and companies retrieve a single pool of spontaneously provisioned resources. Virtualization is the primary technology used to make the cloud computing functional. However, it is different from cloud computing which we have described below in detail.

Comparison Chart

Basic Pool and automate virtual resources for on-demand use. Built multiple simulated environments from one physical hardware system.
Scalability  High  Low 
Set-up  Tedious  Simple 
Cost  Private cloud: High CAPEX and low OPEX
Public cloud: Low CAPEX and high OPEX 
High capital expenditures (CAPEX), low operating expenses (OPEX). 
Flexibility   Very flexible  Quite less 
Type of service  Iaas  Saas 
Dedicated hardware  Multiple  Single can also work
Integration  Future expansion of users, applications, etc.  Expansion of new machines within the same infrastructure. 
Workload  Stateless  Stateful 
Disaster recovery  Depends on multiple machines  Depends on a single machine 
Form  Private and public cloud  Hardware and application virtualization 
Accessibility  Prevalently accessed  Not allowed to be accessed from outside the network 

Definition of Cloud Computing

Cloud computing refers to a set of principles and approaches to deliver the application and services that run on a distributed network and accessed by general internet protocol on demand. It can provide limitless virtual computing, network, storage and infrastructure resources, services, platforms and applications.

In a simpler way, Cloud computing comprised of the technology, services and applications that can be delivered over the internet and turns them into a self-service utility.

The term cloud is relevant to the two fundamental concepts. One of which is an abstraction and the second one is virtualization.

◉ Abstraction: Cloud computing hides the details of the system implementation from the end users and developers. Applications runs on the undefined physical systems. Similarly, data is stored at undetermined locations. The systems administration is outsourced to others and accessed by the user globally.
◉ Virtualization: virtualization plays an essential function in cloud computing by pooling and sharing resources. It can provide the system and storage as required from centralized infrastructure, charges are imposed on a metered basis, multitenancy is employed, and resources can be swiftly scaled.

Definition of Virtualization

Virtualization is the foundation of cloud computing as mentioned above. It is technology which enables the generation of several simulated environments or persistent resources from a solitary physical hardware system. Here the role of hypervisor is crucial, which is directly connected to the hardware to make several virtual machines from it. These virtual machines functioning is distinct, separate and does not interfere with each other.

However, the Virtual machine depends on the hypervisor capability to isolate the resources of the machine from hardware and disseminate them suitably. It assists in the formation of the intellectual abstraction layer.

Cloud Computing and Virtualization, ISC2 Tutorial and Material, ISC2 Exam Prep, ISC2 Guides

Virtualization can exist in different classes including server and storage virtualization.

◉ Server virtualization constructs the abstraction layer among the application running on the server and the hardware utilized to store the OS. Server virtualization helps OS in sharing the same hardware, where OS is transferred among various hardware simultaneously but this does not generate any interference between the running applications.

◉ Storage virtualization is associated with the data store where an abstraction layer is present between the application and the storage. This can extensively decrease the storage cost of organizations or users.

Key Differences Between Cloud Computing and Virtualization

  1. Cloud computing provides an integrated environment of pooled, and automated resources, services which can be accessed on-demand. Conversely, the virtualization is used to construct multiple simulated environments through one physical hardware system.
  2. Cloud can be easily scaled up while virtualization is scaled out.
  3. Setting up a virtualization system is simple and requires less effort. As against, establishing a cloud is complex, tedious and time-consuming.
  4. Overall cost of cloud computing is high as compared to virtualization.
  5. In cloud computing, multiple dedicated hardware is utilized while in virtualization single hardware can work well. That is the reason at the time of disaster recovery several peripheral devices are referred in cloud computing instead of single like in virtualization.
  6. The workload in the cloud is stateless whereas in case of virtualization it is stateful.
  7. Cloud is highly flexible and accessible relative to virtualization.

Saturday, 20 June 2020

The pros and cons of open source cyber security

Cyber Security, ISC2 Study Materials, ISC2 Exam Prep, ISC2 Certification

Open source brings many advantages to enterprises, such as pricing. However, in increasingly security-conscious enterprises it can be unclear how open source software does on cyber security.


1. Community

The main advantage of open source from a security perspective is the vast community that contributes to open source software.

The sometimes thousands of pairs of eyes mean that the software is subject to stringent and thorough examination from dedicated coders.

Additionally, security companies can use their vast resources to look at the code. For example, many of the major vulnerabilities in the Android operating system such as StageFright have been found by professional cyber defence companies.

Proprietary software, on the other hand, may only pass through three or four tests before it is shipped to customers.

2. Visibility

As well as finding security vulnerabilities that might be exploited by hackers, open source also guarantees a degree of transparency with the security vendor themselves.

For companies that are extremely concerned about privacy, this means that they can be completely sure that there are no ‘backdoors’ in the products.

3. Control

Since open source software can be modified by whoever wants to, this gives individuals and organisations unlimited scope to tailor the security of a piece of software to their own needs.

Organisations may have differing priorities or requirements, and may wish to harden a particular part of a software product to guarantee they have covered this.

It also means that software can be tailored to meet differing compliance requirements, for example when used in different countries.

4. Updates

Open source can also speed up the update process, as the community of developers can quickly fix a bug and issue an updated version of the software.

The users are then able to choose whether to use this fix or wait for an official version.

This prevents the update having to go through the company and means users can take more control over updating their software.


1. Visibility

The cons of open source security are in many ways the mirror image of the pros. The fact that the source code can be viewed and modified by anyone also means that attackers can scan the code for vulnerabilities.

Opinion is divided on whether this disadvantage outweighs the advantages. While the community of coders involved in open source can be huge, bringing the advantages of the ‘wisdom of crowds’, it is not guaranteed that that these large numbers of people will be inspecting every single bit of code.

All of this depends on the level of sponsorship a piece of software receives. If it is a small number of people looking at the code, they may be outfoxed by a team of dedicated hackers.

2. Manipulation

Again, while any security professional is able to edit open source software according to their needs, it is also possible that open source software could be manipulated by a hacker. For example, the hacker could distribute malware by embedding malicious code into the original open source distribution.

The basic open source programme might perform the same useful features and look much the same as the real software, but with malware embedded in it.

The fact that open source software is often available to download from many different locations on the web can make it harder for users to tell whether they are getting the programme they wanted.

Thursday, 18 June 2020

On-Premise Accelerated Training to Resume at Firebrand

ISC2 Tutorial and Material, ISC2 Exam Prep, ISC2 Prep, ISC2 Certification

Training and examinations have been impacted by the outbreak of COVID-19. Understandably, classrooms and testing centers have had to pause around the world as part of efforts to combat the virus. In the UK, lockdown restrictions are easing and allowing a multitude of businesses and services to resume physical operations. Lockdown easing is allowing testing and training to return, albeit with some changes to support social distancing.

Starting on Monday, June 22, we will reopen our UK training center at Wyboston Lakes, welcoming back students for on-premise training and examinations, with our first course being for the (ISC)2 CISSP certification.

These courses will, for the time being, be delivered in a hybrid format, meaning learners can choose to attend on-premises, dial-in via our OIL (Online Instructor-Led) virtual classrooms, or some combination of both. Learners don’t have to sit classes at the training center if they don't feel comfortable yet.

Everyone is eager to go back to "normal", but it's paramount that it happens safely. That means respecting and adhering to government regulations, as well as addressing our learners' concerns. We'd like to reassure you that we're taking every possible step to ensure that the reopening process and operation of on-premise courses is as safe as possible.

Wyboston Lakes has hosted training and overnight guests throughout the lockdown, as it has served as a base for key workers to attend their own training. As a result of this, there are already strong social distancing and hygiene practices in place onsite.

On top of this, we are implementing a wide variety of safety measures to protect our learners and staff during this process including:

◉ Hand sanitizer points at all entrances and in all classrooms

◉ Deep cleaning of facilities before every course starts

◉ All staff and students must always practice social distancing, by standing at least two meters away from other people

◉ Signage and floor stickers will be used to ensure social distancing is maintained

◉ Screen guards at all reception areas

◉ A one-way system will be in place across the site

◉ Student entry, exit and break times will be staggered

◉ Bedroom check-in and check-out will be contact-free

Firebrand’s approach aligns to government advice on safe workplaces. We will continue to monitor government advice - which may become more or less restrictive - and react accordingly.

We're doing our very best to offer our (ISC)2 learners the broadest possible choice when it comes to learning experiences, and that includes on-premise classes as well as online instructor-led.

Whether in person or online, we look forward to seeing you soon.


Tuesday, 16 June 2020

Evolution of Cloud Computing

Cloud computing is all about renting computing services. This idea first came in the 1950s. In making cloud computing what it is today, five technologies played a vital role. These are distributed systems and its peripherals, virtualization, web 2.0, service orientation, and utility computing.

Cloud Computing, ISC2 Tutorial and Material, ISC2 Certification, ISC2 Exam Prep, ISC2 Guides

Distributed Systems:

It is a composition of multiple independent systems but all of them are depicted as a single entity to the users. The purpose of distributed systems is to share resources and also use them effectively and efficiently. Distributed systems possess characteristics such as scalability, concurrency, continuous availability, heterogeneity, and independence in failures. But the main problem with this system was that all the systems were required to be present at the same geographical location. Thus to solve this problem, distributed computing led to three more types of computing and they were-Mainframe computing, cluster computing, and grid computing.

Mainframe computing:

Mainframes which first came into existence in 1951 are highly powerful and reliable computing machines. These are responsible for handling large data such as massive input-output operations. Even today these are used for bulk processing tasks such as online transactions etc. These systems have almost no downtime with high fault tolerance. After distributed computing, these increased the processing capabilities of the system. But these were very expensive. To reduce this cost, cluster computing came as an alternative to mainframe technology.

Cluster computing:

In 1980s, cluster computing came as an alternative to mainframe computing. Each machine in the cluster was connected to each other by a network with high bandwidth. These were way cheaper than those mainframe systems. These were equally capable of high computations. Also, new nodes could easily be added to the cluster if it was required. Thus, the problem of the cost was solved to some extent but the problem related to geographical restrictions still pertained. To solve this, the concept of grid computing was introduced.

Grid computing:

In 1990s, the concept of grid computing was introduced. It means that different systems were placed at entirely different geographical locations and these all were connected via the internet. These systems belonged to different organizations and thus the grid consisted of heterogeneous nodes. Although it solved some problems but new problems emerged as the distance between the nodes increased. The main problem which was encountered was the low availability of high bandwidth connectivity and with it other network associated issues. Thus. cloud computing is often referred to as “Successor of grid computing”.


It was introduced nearly 40 years back. It refers to the process of creating a virtual layer over the hardware which allows the user to run multiple instances simultaneously on the hardware. It is a key technology used in cloud computing. It is the base on which major cloud computing services such as Amazon EC2, VMware vCloud, etc work on. Hardware virtualization is still one of the most common types of virtualization.

Web 2.0:

It is the interface through which the cloud computing services interact with the clients. It is because of Web 2.0 that we have interactive and dynamic web pages. It also increases flexibility among web pages. Popular examples of web 2.0 include Google Maps, Facebook, Twitter, etc. Needless to say, social media is possible because of this technology only. In gained major popularity in 2004.

Service orientation:

It acts as a reference model for cloud computing. It supports low-cost, flexible, and evolvable applications. Two important concepts were introduced in this computing model. These were Quality of Service (QoS) which also includes the SLA (Service Level Agreement) and Software as a Service (SaaS).

Utility computing:

It is a computing model that defines service provisioning techniques for services such as compute services along with other major services such as storage, infrastructure, etc which are provisioned on a pay-per-use basis.

Saturday, 13 June 2020

Advice from 3 Cyber Pros on Getting Certified

ISC2 Exam Prep, ISC2 Guides, ISC2 Certification, ISC2 Learning

There is no question that now is a great time to break into cybersecurity as a career. (ISC)² research shows the shortage of skilled security resources is approaching 3 million globally.

Getting into this line of work can be approached from many different angles. Whether you are an experienced professional looking to make a pivot into security or a college student exploring the field, the right preparation, network and credentials can make all the difference.

We asked three cyber professionals about their journey into security and the advice they would give to up-and-comers in the field. Here’s what they shared.

Certification helps direct your security focus

Michael Banks, a cybersecurity engineer with Amazon Web Services, first got a taste of IT and security in the Army as a reservist.

Banks wanted to continue to pursue a career in security, so he became an Associate of (ISC)² through his journey to become a certified CISSP. Through the Associate designation, aspiring security pros can take any (ISC)² certification exam without the required work experience. Upon passing, they become an Associate of (ISC)² as they work to gain the necessary experience to achieve full certification.

“Going through that process made me more well-rounded in areas I may not have hit before,” Banks said.

Banks also notes the social connections and contacts he’s gained through (ISC)² membership have been invaluable to career development and to helping him navigate some of the tougher aspects of working in security.

“At DefCon there were some activities for (ISC)² members and it was great networking there,” he said. “Over the years you meet other CISSPs and it’s always great to have a conversation. They understand aspects of working in security that others might not.”

Banks says he advises others considering a security career to look at the opportunities through (ISC)² as a chance to explore the right fit for your focus.

“Come at it from a perspective of learning,” he said. “Because security is so broad in nature, it gives you the ability to see a lot of domains of infosec. It helps a lot of people determine what they want to do in infosec.”

Certification is a career accelerator

ISC2 Exam Prep, ISC2 Guides, ISC2 Certification, ISC2 Learning
Rachel Phillips, a cybersecurity analyst based in Seattle, originally started her career in technology management, working on data-driven campaigns in the marketing industry. During that time, she was pursuing a master’s degree in IT and a mentor suggested she consider security for her focus. It turned out to be a great choice.

Phillips then decided to go for her CISSP certification, because she considered it the “gold standard” in security certifications and through that became an Associate of (ISC)² in the process. Another wise choice, as she said it opened many new doors in security.

“With that on my resume, it showed my commitment to the profession and gave me a vocabulary to speak intelligently to others in the field,” Phillips said. “Before I had even graduated, I had my first job offer.”

Now a CISSP, Phillips says she continues to enjoy the benefits of (ISC)² membership. She feels the work she put in to earn the CISSP has advanced her career at a faster pace.

“It helped me earn credibility with peers, colleagues and executives,” she said. “By becoming an Associate, I easily shaved three years or more off in terms of where I am in my career, how I am viewed, how I am paid, and what I have available to me to do next. It is definitely a career accelerator.”

Phillips advises anyone considering a career in information security to consider (ISC)² because membership also offers valuable information about compensation when navigating job offers.

“It’s important to be knowledgeable about what you are worth, and (ISC)² resources helped me realize my market value,” she said.

Certification gives you a global network

Sanchita Tiwari, an information security analyst based in Des Moines, was fascinated by how risk and system vulnerabilities posed a threat to technological advancement. A career in security seemed like the right opportunity to delve deeper and explore that area.

Tiwari decided to pursue the CISSP because it is “one of the coveted certifications in information security, gauging your overall understanding of the domain.”

For Tiwari, becoming an Associate of (ISC)² gave her the ability to critically analyze and understand security-related pain points and challenges in the real world. It also helped her get a foot in the door with employers.

“If you apply for any security job, they all recognize the CISSP,” she said.

One of the most valuable benefits of (ISC)² membership, according to Tiwari, is the access she has to a network of certified professionals all over the globe.

“You can talk to a lot of people in different countries, so your network isn’t just limited to your own city. You can share experiences on (ISC)² forums and get feedback,” she said.

“Or if you’re trying to do something in your organization, you can talk to people who have already done that. It offers networking in an extended fashion and I am learning peers from all over the world. It’s very valuable.”


Thursday, 11 June 2020

Report: Cybersecurity Understaffing Lowers Ability to Handle Cyber Threats

ISC2 Certification, ISC2 Learning, ISC2 Guides, ISC2 Exam Prep, ISC2 Prep
Understaffing in cybersecurity teams remains a major challenge for organizations, with 62% of respondents in a recent ISACA survey saying they are struggling with it. And even though the number of understaffed organizations fell by seven percentage points from last year, staffing issues are making some organizations more vulnerable to cyberattacks.

Concerns over the ability to respond to threats are widespread, according to ISACA’s State of Cybersecurity 2020 Survey Part 2 report, which gathered responses from 2,000 respondents in 102 countries. Only 21% of respondents in “significantly understaffed” organizations say they are completely or very confident in their organization’s ability to respond to threats, while those who designate their cybersecurity teams as “appropriately staffed” have a 50% confidence level.

The relationship between staffing and preparedness to deal with threats is well understood, so it isn’t surprising that understaffed security teams have less confidence in their ability to protect their organizations.

Unfortunately, the prospects for filling cybersecurity vacancies are slim for many organizations. The cybersecurity profession is in the midst of an acute shortage of qualified workers. (ISC)²'s 2019  Cybersecurity Workforce Study put the estimate of a global shortage at 4.07 million.

Imminent Threats

Not only do cybersecurity professionals worry about their ability to respond to attacks, but many also believe cyberattacks are imminent. Slightly more than half of respondents (53%) in the ISACA survey believe their organization is likely to experience one within 12 months.

And though attacks appear to be increasing at a slower pace than in the past, according to the study, the upward trend continues. As it does, the study revealed some disturbing practices. Most respondents (62%) believe their organizations fail to report cybercrimes, even when legally or contractually obligated to do so.

ISC2 Certification, ISC2 Learning, ISC2 Guides, ISC2 Exam Prep, ISC2 Prep
Other research completed since the start of the COVID-19 pandemic reveals that attacks are up, as cybercriminals try to exploit the sudden, steep increase in work-from-home numbers. This echoes the findings of the (ISC)² COVID-19 Cybersecurity Pulse Survey, in which 23% of respondents indicated they had seen an increase in security incidents during the pandemic, some as much as double the normal volume. The ISACA study revealed that the most common types of attack are social engineering (15%), advanced persistent threats (10%) and ransomware and unpatched systems (both 9%).

Organizations that struggle to fill vacant cybersecurity positions appear to be more vulnerable. The study found that 42% of them are experiencing more attacks this year. In addition, 35% of respondents in companies taking three months to hire cybersecurity workers reported an increase in attacks, as did 38% of those taking taking six months or more.

The (ISC)² Cybersecurity Workforce Study outlines four key strategies organizations should consider in recruiting and building strong cybersecurity teams.

Read More:


Tuesday, 9 June 2020

Advantages Of Network Security

Network Security, ISC2 Certification, ISC2 Exam Prep, ISC2 Study Materials

The need for having Network Security cannot be denied. With a Network Security System, all the files, data & personal information are kept safe and protected from unauthorized access from people present on the network and people outside it. That is the reason why it is widely used in offices, banks, and many other organizations. The provisions and policies of Network Security help the network administrator to monitor any kind of misuse, modification or unauthorized access of a computer network. Thus, a number of cyber attacks and other harmful activities are prevented.

Advantages Of Network Security

- Network Security helps in protecting personal data of clients existing on network.

- Network Security facilitates protection of information that is shared between computers on the network.

- Hacking attempts or virus / spyware attacks from the internet will not be able to harm physical computers. External possible attacks are prevented.

- Network Security provides different levels of access. If there are various computers attached to a network, there may be some computers that may have greater access to information than others.

- Private networks can be provided protection from external attacks by closing them off from internet. Network Security makes them safe from virus attacks, etc.

Saturday, 6 June 2020

Four steps to hiring the best CISO in an IoT world

CISO, ISC2 Exam Prep, ISC2 Guides, ISC2 Tutorial and Material, ISC2 Learning

Of all the new technology processes shaping the next wave of digital transformation, perhaps none is more prominent than the Internet of Things (IoT). As Phil Celestini, senior vice president and chief security and risk officer at Syniverse reports, this technology is spawning a new ecosystem of interconnected networks and data transactions that is rapidly expanding and redefining how we do business.

But what’s often overlooked is that the IoT is also an internet of shared services and data. This fact is one of the biggest challenges for companies looking to integrate their businesses with the IoT, and at the same time ensure that attack vectors and associated risks are addressed. These defences involve various skill sets and teams led by the chief information security officer (CISO).

From a risk perspective, in fact, the public internet was never designed to be a secure environment. It was conceived as a network with built-in redundancy for academics and researchers to share data, not protect access to it. Consequently, it’s more a best-effort network than the best-in-class network needed to ensure the confidentiality, integrity and availability of transactions. Since the IoT’s premise is built upon connectivity, a malevolent attack that compromises this connectivity has the potential to wreak unprecedented havoc. Having the right leadership to drive your information security team’s success in defending against such havoc is crucial.

With this in mind, businesses must strike the right balance between staying secure and leveraging innovation to take advantage of advances like the IoT. A crucial part of this starts with selecting the best CISO, something I did several months ago with great success. Here are four factors I have considered when assessing candidates for the CISO position, based on more than 35 years of experience in high-risk operations and overseeing various facets of security for businesses, the FBI, intelligence community, and military.

4 factors for hiring a CISO

◉ Security is in the title, but won’t be the only job: Security should be treated as a service that needs to be operated as a business within your business. That means CISOs need to understand their company’s strategy, business objectives and risks to truly provide value. In addition, there are benchmarks, best practices, and regulations that will dictate how information technology and data are to be secured. In this respect, CISOs can provide security and market insights that sales and marketing teams can use to create a strong corporate story about security posture to make your company stand out from the competition.

◉ CISOs should openly communicate with the C-suite: A culture of security is supported by factors like how an organisation is aligned and how reporting is structured. When it comes to enterprise risk, a CISO should report as directly as possible to the C-suite. There will be differences based on an organisation’s size and maturity, but the closer access to the CEO is, the less “filtered” critical conversations will be. Risk-based decisions that a CISO needs elevated to the C-suite can sometimes be difficult to communicate to senior leaders, because those decisions will affect other stakeholders and rarely happen in a vacuum.

◉ ‘Security’ has broadened: Twenty years ago, it was common to work in an organisation where “security” meant having someone in IT managing a firewall. But marketplace dynamics and consumer demands have since influenced how businesses operate and driven the need for professional information security staffs. Today, outside factors like regulations, legal requirements, and customer demands drive the need for robust security just to stay in business. CISOs should be armed with this knowledge and the right budget to enable them to define their security strategy in the realistic context of their business’s finances and objectives.

◉ The best CISOs are the best students: CISOs need to be technically skilled, strong leaders and astute business managers. The CISO role is a journey, and good CISOs must be committed lifelong learners. The industry never stops evolving along with technology, which means threat vectors will continue to become more complex, as will data privacy laws and a host of other external “influencers” on the CISO’s role. This generates a constant need to maintain and refresh knowledge in order to adhere to sound risk-management practices.

The rapid growth of IoT devices and applications dependent on the public internet is opening a new era in connectivity – and vulnerability. As businesses seize the opportunities of this era, they risk leaving commercial data and systems exposed to a public internet never intended for that purpose.

Ultimately, companies that want to conduct business and transfer data with certainty, security and privacy must have a security strategy to protect their operations from the public internet, and a critical part of this strategy involves finding the right CISO. The four factors here offer a useful foundation for informing this process.


Thursday, 4 June 2020

10 Critical Skills for the Cybersecurity Workforce

cloud security, cybersecurity certifications, cybersecurity training, cybersecurity workforce, network security, Operations Security

With breach rates growing and cyberattacks becoming a daily occurrence for business, IT leaders are looking to beef up their security teams. This is good news for anyone who is considering a career in information security. But as new talent begins to navigate breaking into the field, many may wonder: What skills should I focus on developing for a security career?

Most security hiring managers are looking for a blend of skills and backgrounds. Here are 10 things you need to enter the cybersecurity workforce today.

1. Technical prowess

While some career paths in security may not require technical skills, many demand a clear and solid understanding of the tools and tech required. Whether learned through an educational program or on the job, you should be able to speak knowledgably about technologies such as encryption, automation, web monitoring, authentication, analytics and others.

2. Business understanding

Gone are the days when security was simply the “department of no” and spent its time enforcing rules that hindered business operations. CISOs, and their teams, are now expected to implement a security strategy that helps forward the business mission and demonstrates ROI. Without some understanding of business, you will be hard-pressed to make the case for why executive management should invest in your security project.

3. Cloud

Cloud is exploding and it is no longer a matter of if, but when an organization turns to cloud for various workloads to save money and minimize complexity. Some knowledge of cloud and cloud architecture is now key in the security department because once the CIO decides to invest in cloud, you will be called upon to figure out how best to secure it.

4. DevSecOps

DevSecOps is another growing trend in security. It is the practice of integrating security into the DevOps process at the outset. Many believe it is the future of how security will work with the rest of IT in an organization and will change the way technology drives business innovation. Don’t get caught without at least some understanding of DevSecOps when you hit the job market.

5. Project management

Security pros also need to be project managers. There is the daily work of risk mitigation and then longer-term initiatives that security teams must work on before they deploy a new tool, technology or process.

6. Threat detection

It is critical to understand the current threat landscape and how it evolves and changes each day. Threat detection is also a vital skill because many threats go undetected on a network for weeks, or even months, before they are discovered. Understanding the fundamentals and techniques used for threat detection will be an important part of working on a forward-thinking, proactive security team.

7. Forensics

cloud security, cybersecurity certifications, cybersecurity training, cybersecurity workforce, network security, Operations Security
Security is not just about preventing incidents. It is also about learning from them if they happen in order to stop them from happening again. Security professionals should understand the tools and investigative methods used in digital forensics in the aftermath of an incident.

8. Hacking

Ethical hacking is an extremely valuable skill set in security now. The ability to deconstruct systems and find vulnerabilities is another way to help your organization identify its security holes and shore up defenses.

9. People skills

The security team is often expected to evangelize security’s message throughout an organization. Today’s security pros must be able to work with all members of the organization to enhance awareness and help everyone understand how to best keep the company safe.

10. Passion

Security is not a career for the faint of heart. It has one of the highest burnout rates there is among professions. But the people who work in security often do it because it is meaningful work with an important purpose, and they are passionate about helping to secure their organization.

Tuesday, 2 June 2020

In support of federal legislation to support our cybersecurity workforce

ISC2 Study Materials, ISC2 Learning, ISC2 Tutorial and Materials, ISC2 Exam Prep

(ISC)² has sent a letter to Senator Jacky Rosen (D-NV) in support of proposed bipartisan legislation that would direct the Secretary of Commerce, in coordination with relevant agencies, to establish “grand challenge” competitions to achieve high-priority breakthroughs in cybersecurity, including expanding our cybersecurity workforce, defending against artificial intelligence threats, and protecting our nation against cyberattacks.

The proposed Cyber Leap Act of 2020 can be read here:

In a press release issued by Senator Rosen, who is a member of the Committee on Commerce, Science, and Transportation, she said about the bill:

“We put our nation at risk if we don’t invest in our cybersecurity workforce and infrastructure. As our world becomes more digitized, I’m proud to help introduce this bill to assist our nation in developing a cybersecurity workforce with the skills needed to protect and maintain information systems and improve critical federal agencies’ security and safety.”

(ISC)² applauds these efforts to further strengthen our nation’s cybersecurity workforce by getting creative and issuing challenges. The text of the letter of support, signed by CEO David Shearer, follows. 

“Dear Senator Rosen:

ISC2 Study Materials, ISC2 Learning, ISC2 Tutorial and Materials, ISC2 Exam Prep
I am writing on behalf of (ISC)² to express our support for your proposed Cyber Leap Act of 2020 that will compel the Secretary of Commerce to establish national cybersecurity grand challenges whose goals would include empowering our citizens with digital literacy to make safe and secure decisions online, and developing a cybersecurity workforce with measurable skills to protect our information systems.

As the world’s largest nonprofit association of certified cybersecurity professionals, we are acutely aware of the shortage of trained cybersecurity workers and the skills gap that exists. According to the 2019 (ISC)² Cybersecurity Workforce Study, there is a widening gap of cybersecurity professionals globally. This includes a shortage of nearly 500,000 professionals here in the U.S. alone. By combining our U.S. cybersecurity workforce estimates, which indicate a current workforce of 804,700, and this gap data, we can calculate that the cybersecurity workforce needs to grow by 62% in order to meet the demands of U.S. businesses today. With more than 150,000 members worldwide, we are committed to expanding and strengthening the cybersecurity workforce.

We also applaud the additional focus points of the Act on building resilient systems that raise adversary costs, and on reducing cybersecurity risks to Federal networks and systems.

Thank you for your leadership on this critical issue and we look forward to supporting this important legislation.”


Saturday, 30 May 2020

Study: Pandemic Boosts Cybersecurity Demand

ISC2 Tutorial and Material, ISC2 Guides, ISC2 Learning, ISC2 Exam Prep

Demand is up for cybersecurity solutions and services as businesses try to cope with the effects of the COVID-19 pandemic. In a survey of technology firms, industry association CompTIA found that customer inquiries regarding cybersecurity were up by 36% in April -- second only to inquiries about communications, collaboration and A/V technologies.

The increased demand for cybersecurity and collaboration technologies makes sense in light of the sudden increase in work-from-home (WFH) numbers. The ranks of remote workers shot up as a result of stay-at-home and lockdown directives issued by governments in efforts to manage the spread of COVID-19. Recent (ISC)2 research indicates that 96% of organizations moved some staff to remote work during the first several weeks of the COVID-19 pandemic, while 47% did so for all employees.

The urgency to set up remote working environments for employees caught many businesses unprepared, and has led to serious concerns among cybersecurity professionals about their organizations’ security. An ISACA poll of IT leaders found that 87% believe the outbreak has increased data protection and privacy risks.

And in (ISC)2’s own poll about the effects of the pandemic, 23% of respondents say security incidents have increased, with some reporting that incidents have surged as much as 100%. This is a clear indication that cyber attackers are looking to exploit the new work practices necessitated by the pandemic.

Technology Outlook

Nearly two-thirds of respondents in the CompTIA poll believe businesses may start getting back on track by August, and 46% are generally upbeat about business prospects. While some technology service providers are getting customer requests to restructure contracts or payment terms, interest in technologies such as cybersecurity and collaboration bodes well for technology providers.

ISC2 Tutorial and Material, ISC2 Guides, ISC2 Learning, ISC2 Exam Prep

Even after lockdown and stay-at-home directives are lifted, companies may opt to keep more employees working at home than pre-pandemic. And they will need to invest in cybersecurity to protect those employees and business data. 

"In general, security needs are going to increase because of a growth in the attack surface," (ISC)2 CIO Bruce Beam, CISSP, recently told Dark Reading. "I don't see a company backing off on it. I think security is going to not only maintain but grow as we move through this.”

In the (ISC)2 survey, some cybersecurity professionals expressed concern about their organizations putting business expediency ahead of security concerns, especially considering nearly half of them (47%) had been reassigned to non-security related work. The CompTIA findings, however, are encouraging in that they show businesses are generally attuned to cybersecurity needs.

Cyber protection requirements are no less relevant just because fewer people are working in offices. As we’ve seen, research has shown that threats are up because cybercriminals see the higher WFH numbers as a new opportunity. It is therefore critical that businesses continue to invest in the technology and staff they need to keep threat actors at bay.


Thursday, 28 May 2020

5 Ways to Break Down the Cybersecurity Experience Barrier

ISC2 Certification, ISC2 Tutorial and Material, ISC2 Guides, ISC2 Exam Prep
Appropriate experience is one of the biggest hurdles to overcome when trying to land a job in information security. In fact, a poll from Tripwire finds most job seekers (80%) say they need more experience to be considered for many of the roles they apply for in infosec. The survey, conducted via Twitter, also found lack of certification or appropriate training (20%) were other issues keeping people from security jobs.

There’s no question landing that first gig in security can be difficult. But there are practical ways to stand out and get the attention of hiring managers, even without a lot of experience on your resume. Here are 5 tips to break down the experience barrier and shine as a security job applicant.

Train on your own

Self-guided teaching can offer many opportunities to show you know your stuff and provides you with great material to discuss in a job interview. Some ways to learn on your own time is by teaching yourself coding, or constructing computer and security systems and then breaking them down or hacking them for practice.

You can also seek out contests or training opportunities that are open to all levels of knowledge and get experience with hacking and security problem solving. Participating in community-based contests is also a great way to get to know others who share a security focus.

Over time, as your education and confidence grow, you can also experiment with looking for vulnerabilities in open source software and participate in bug bounties. Keeping track of your work so you can demonstrate how these efforts paid off will make you stand out in a job application.

Find an internship

An internship can offer you practical experience learning the skills and working on the kinds of projects you aspire to focus on in a professional environment. It’s also an excellent opportunity to make connections and possibly even earn a recommendation that will get your foot in the door to an actual job in the future. Seek out internships or volunteer opportunities at organizations with a mission you believe in, or in a role that inspires you.

Look for opportunities in your current school or job

If you’re currently a student, one of the first places to find opportunities to get experience is in your school. It could be at an internship, as previously mentioned, or on campus. Does your school have an IT team with a focus on security? Learn more about what they are doing and see if they are open to letting you work with them on a volunteer basis.

ISC2 Certification, ISC2 Tutorial and Material, ISC2 Guides, ISC2 Exam Prep

The same goes for any full- or part-time job you currently have. If you’re not working in security, look for opportunities at your present employer to switch gears and find security projects that will enhance your resume. It may mean working more hours, but what you gain in relevant, on-the-job experience will be worth it in the long run.

Mine your association connections

Join an association and network with members. Go to local chapter meetings or hang out in online forums and get to know others there. There should be a varying number of people with multiple levels of experience and expertise in these groups. These connections will be invaluable for learning about the job scene in your neck of the woods. And, if you can be helpful to others by answering questions and offering information, it will go a long way in gained trusted and respected resources in your security community that could help you land your next security role.

Get certified

Getting the right certification will also help you demonstrate your commitment to the field of security without years of on-the-job experience. Through the Associate of (ISC)² program, you can take any (ISC)2 certification exam without the required work experience. When you pass, you become an Associate of (ISC)² as you work to achieve full certification. Along the way, you receive exclusive (ISC)² resources to help you learn, grow and thrive throughout your journey.


Tuesday, 26 May 2020

How to Demystify And Improve Data Scientist Careers and Productivity

Dell EMC Study, Dell EMC Tutorial and Material, Dell EMC Guides, Dell EMC Exam Prep

Companies in a wide range of industries have a pressing need for data scientists.

But these companies are having difficulties understanding what a data scientist does and what value they would bring to their businesses.

As a result, companies are having a hard time finding data scientists. And data scientists are finding it difficult to land satisfying careers in the data science field.

Skills required of “true” data scientists

To understand better the causes of these employment challenges, it’s important to have a clear definition of the types of skills and responsibilities a full-fledged true data scientist needs to possess. In essence, a data scientist must be able to lead a data project from its origins to its completion.

There are several steps in this process:

· understanding the data project in the context of the overall business;

· defining what business problem the project wants to solve or questions it should answer;

· preparing the data for analysis;

· creating data models;

· writing software programs;

· enabling the data to be packaged and visualized for easier understanding;

· evaluating, testing, and interpreting the data;

· ensuring accuracy;

· creating a data product;

· measuring and scoring the data product results; and

· deriving meaningful business insights from the data.

True data scientists can perform all these tasks. But they’re tough to find. The steps in this process require a broad spectrum of analytical, functional, and organizational skills.

Many people who call themselves data scientists don’t possess the skills or experience to perform all these tasks. Oftentimes they have about half of these capabilities or less.

Employers struggle to understand their data needs

Compounding these problems, employers struggle defining what their data needs are and how a data scientist can help them solve their problems and answer key business questions. But they still believe they need data scientists to stay competitive.

It doesn’t help remedy this situation that companies use data scientists for a wide range of disparate projects. One company may need a data scientist to run a project with five-to-ten people involved, while another requires 100. And the data project goals are often different.

There is no set way all data scientists must perform regardless of what company he or she works for. “Apples to apples” comparisons in data scientist skill sets rarely exist.

Employees are struggling to understand what data scientist roles suit them

As a consequence of all this complexity, companies remain too ambiguous and uncertain for employees pursuing data scientist careers to make sound, well-informed decisions on the positions.

Too frequently, these professionals struggle to find positions where they can develop and practice the full lifecycle skills required to be a data scientist who can “do it all.”

Too often they end up in narrow roles that only require them to perform smaller subsets of data science responsibilities, but not the entire end-to-end process. They quickly get bored or frustrated because the “data scientist” positions they hoped they signed up for were not data science jobs in the truest sense.

These positions can be career limiting and stifling, sometimes monotonous, and oftentimes not in line with the company’s expectations based on lack of available data, technology misalignment, or too many cooks in the kitchen.

Companies need to figure out why they need data scientists

To help solve these problems, companies need to hold off on opening positions for the sake of not being behind the curve. Before doing so, they should figure out exactly why they need to hire a data scientist.

They need to ask themselves probing questions up front about what data scientists can do and how they add value to their company.

Corporate job descriptions should be precise and candid about what types of data scientist skills they need – and don’t need. Candidates want transparency about this.

To entice candidates to join them, companies should offer them opportunities to do more on-the-job training on all the skills required to lead data science projects from start to finish.

Employees need clarity on exactly what skills they will develop

For their part, employees should ask employers detailed questions about the specific tasks they will be asked to do. Better to know up front that the role does not really require a full spectrum of data scientist capabilities before accepting one – if their goal is to be a true data scientist.

Saturday, 23 May 2020

Bank On It

ISC2 Tutorial and Material, ISC2 Learning, ISC2 Certification, ISC2 Exam Prep
In May 2018, two major banks in Canada—Bank of Montreal and Canadian Imperial Bank of Commerce—received email threats from malicious hackers claiming to have gained access to customers’ sensitive information. The attackers demanded $1 million in cryptocurrency from each bank or they would publicly release customers’ information. The successful attacks on these banks led to 90,000 customers’ account information being compromised and an undisclosed amount of money lost as the result of the security breaches.

In recent years, the global banking sector has been the main target of severe cyberattacks. This, of course, is largely due to the enormous assets and sensitive information managed by this sector—and most others globally. (See Figure 1, p XX.)

Figure 1 Title: Estimate of Global Financial Losses Attributable to Cyberattacks

Region Region GDP (USD, trillions)  Cybercrime Cost (USD, billions)  Cybercrime Loss (GDP%) 
North America 20.2 140 to 175 0.69 to 0.87%
Europe and Central Asia  20.3 160 to 180  0.79 to 0.89% 
East Asia & the Pacific  22.5  120 to 200  0.53 to 0.89% 
South Asia  2.9  7 to 15  0.24 to 0.52% 
Latin America and the Caribbean  5.3  15 to 30  0.28 to 0.57% 
Sub-Saharan Africa  1.5  1 to 3 0.07 to 0.20% 
MENA  3.1  2 to 5  0.06 to 0.16% 
World  75.8  445 to 608  0.59 to 0.80% 

Source: Lewis, “Economic Impact of Cybercrime—No Slowing Down,” 2018

At the Information Systems Security and Assurance Management department of Concordia University of Edmonton in Canada, we recently completed a study of 25 large-scale, North American banking security breaches over the past decade. Following a root cause analysis for each security breach, we conducted a literature review of some major information security-related frameworks and standards—including NIST 800-53 (R5), ISO 27001:2013,  ISO 27032:2012, COBIT 2019, the Office of the Superintendent of Financial Institutions’ (OSFI Canada) cybersecurity assessment-guide, and the Cloud Security Alliance’s Cloud Control Matrix (V. 3.0.1)—in order to compile a list of more than 50 cybersecurity best practices that could have mitigated these 25 banking cybersecurity breaches.

The following is a condensed version of these research-based best practices. Please note that this compilation is by no means comprehensive, but it could serve as a useful checklist and/or discussion points for information systems auditors and cybersecurity professionals in the banking industry and many (if not most) other sectors, including retail, service and manufacturing.


1. The mission, vision, core values, business strategies, and objectives of the enterprise should be well defined, prioritized and documented.

2. Both management and its board of directors should ensure that the enterprise maintains full adherence to all legal and regulatory requirements in order to avoid sanctions and to help reduce incidents of large-scale security breaches.

3. Management and the board of directors must ensure that the IT and audit functions within the enterprise receive the needed resources in order to effectively and proactively protect the enterprise from security breaches. As such, information systems’ security-related capacity management plan, which details the required resources to meet current and future cybersecurity needs, should be presented to the management and to the board of directors for review and discussion with the information security team and the audit department.

Policy Management

4. The enterprise information security policies should be defined, approved and implemented by management and communicated clearly to all stakeholders in such a way that all employees and stakeholders fully understand their roles and responsibilities to keep the enterprise secure.

5. Management should implement periodic reviews of information security policies to ensure they remain relevant.

Training and Education

6. Management should ensure that all employees and business partners are properly trained to carry out their assigned duties and responsibilities related to cybersecurity policies, procedures, and other related agreements through the implementation of a robust and continual information security training program.

7. Customers should also be sensitized to prudent cybersecurity practices through an effective and consistent information security awareness program.

Risk Management Considerations

8. Management should invest an appropriate amount to implement a comprehensive and relevant information system security-related framework.

9. Management should also be committed to ensuring that the implemented framework and risk management procedures continue to achieve their intended outcomes and objectives.

10. Approved risk management processes should be properly documented and communicated to all stakeholders.

ISC2 Tutorial and Material, ISC2 Learning, ISC2 Certification, ISC2 Exam Prep

Access Control (Physical and Logical)

11. A defense-in-depth approach in terms of the physical security of assets should be adopted that includes effective use of controls such as CCTV cameras, motion detectors, security personnel, locks, trap doors, fences, bollards, and smoke/fire detection mechanisms, just to name a few.

12. Access to physical assets should be adequately restricted, and all access to such assets should be documented and reviewed on a regular basis.

13. Appropriate remote access configurations and connections procedures should be established, implemented, documented, and monitored continuously.

14. All remote maintenance efforts on systems should be approved and logged in order to prevent unauthorized access.

15. An appropriate access control architecture, based on the enterprises’ information access and security needs, should be implemented and continuously monitored.

16. An appropriate password policy detailing mandates for password complexity, expiration, account lock out, password reset procedures, minimum and maximum password age, as well as the use of password random generators, one-time passwords and strong authentication (such as the use of biometrics) for critical systems needs to be drafted, implemented, and reviewed at regular intervals.

17. Access control should also be based on the principle of least privilege. Auditors should also ensure that previous access privileges for employees do not result in an access control scope creep.

18. Access control logs must be properly set up and reviewed on a consistent basis.

Disaster Recovery (D/R) Considerations

19. Detailed and appropriate disaster recovery and business continuity policies, procedures and processes should be developed, properly communicated, and reviewed on a regular basis (ex: yearly) based on lessons learned, test results, and/or environmental changes.

20. D/R plans should be regularly tested and updated on an annual basis.

21. D/R related documents, such as call trees, should be updated on a regular basis.

22. Critical systems need to be clearly identified and should be given top priority in terms of expedient approach to get them back up and running as quickly as possible.

HR Considerations

23. The human resources department is the first line of defense for information systems security’s weakest link, namely employees. As such, the HR hiring and performance evaluation procedures, such as thorough background checks, should be established and followed consistently.

24. The HR department should also ensure that the enterprise’s non-disclosure requirements and information security policies are read and understood by all employees.

Audit Considerations

25. Management should ensure that the internal/information systems audit activity is properly structured and implemented. These include the creation of an audit charter and appropriate reporting mechanisms to management and the board of directors.

26. Audit policies and procedures should be documented and reviewed on a regular basis based on lessons learned from data security breaches and previous audit results and experiences.

27. Audit activities should be risk-based and continual in nature throughout the enterprise in order to ensure that appropriate controls, based on a defense-in-depth approach, are implemented and that such controls continue to remain effective as the business environment continues to change and evolve.

28. The audit activities should also entail regular scanning of the enterprise’s website(s), applications, and third-party plugins. Regular penetration testing in high-risk enterprises, such as banks, should be considered as a proactive approach to prevent future data breaches. Such penetration tests should only be conducted by highly qualified penetration testing teams, not by the enterprises’ audit team unless its members are qualified to conduct penetration testing activities.

29. Disaster recovery plans should be continually reviewed, along with its periodic testing results, to ensure that the enterprise maintains the capabilities to resume full operations as quickly as possible when needed.

30. Secure input data validation processes to prevent common attacks, such as SQL injection and parameter tampering on websites, should be tested regularly.

Continuous Monitoring

31. Continuous monitoring should be effectively incorporated as an effective and integral part of the control process in order to help both auditors and information security specialists within the enterprise to detect security-related anomalies.

32. Audit trails and exception reports should be reviewed consistently by not only the audit team, but also by experienced information systems personnel as appropriate.

33. Audit logs and exception reports should be secured in order to prevent unauthorized access to them.

System and Data Lifecycle Management

34. Management should ensure that an accurate and comprehensive inventory of information system-related assets (hardware, software, applications, data, intellectual properties, etc.) is created and kept up to date.

35. All inventories assets should be classified based on risk and criticality.

36. Appropriate procedures for handling and managing all assets throughout their lifecycles are identified, documented, properly communicated, and consistently enforced.

37. Change management policies, procedures, and processes should be developed, implemented, and strictly enforced.

38. All changes/modifications/major updates to servers, software, and applications should be reviewed and approved by an appropriate committee prior to implementation with proper contingency plans in place, in case an intended change does not proceed as planned.

Removable Media and BYOD Devices

39. A comprehensive removable disks and BYOD devices policy and procedures should be established, documented, and strictly enforced through a continual monitoring approach.

40. In high risk departments, employees should require appropriate written approvals to use removable media or BYOD devices based on their job functions.

41. Sensitive information on removable media or BYOD devices should be encrypted, and whenever possible such devices should also be equipped with a remote data deletion mechanism.

Network Security

42. An appropriate and framework-based information systems’ security architectural approach should be devised and implemented. This includes system and network segmentation, physically, and logically.

43. Network performance and protocols baselines must be well defined and reviewed regularly in order for the cybersecurity team and/or intrusion detection systems to detect system anomalies quickly and effectively.

44. An effective and appropriate network defense-in-depth using appropriate technologies approach should be devised and implemented. These include the effective use of anti-malware software, firewalls, and intrusion detection or prevention systems as appropriate.

45. All sensitive data should be encrypted while at rest, in transit, or at end points.

46. An effective cryptographic key management approach must be established and followed.

47. All systems should be properly hardened by disabling unneeded services, closing unused ports, and updating default passwords.

48. Effective mechanisms should be in place to ensure that all systems are updated effectively and expediently with the latest patches and security updates.

49. Procedures and processes involved in the configuration of servers, websites, routers, firewalls, networks, and switches should be documented and reviewed by the cybersecurity and/or the audit team to help prevent errors that could lead to unauthorized access.

50. An important and sometimes neglected area is the related network security risks associated with third-party information systems and cybersecurity practices. As such, all third-party information systems should also be subjected to appropriate security standards, requirements, and controls assessed at the beginning of a business relationship and ensuing regular audits.