Saturday, November 16, 2013

Final Post

So, last post; time for a look back.  Over the last twelve weeks, I've posted on a wide variety of Infosec-related current events from a pretty wide variety of sources.  I have to say that I've mostly regurgitated other people's articles, but usually interesting ones with some relevance to the course.

In the Social Engineering course I took, the instructor had us post to a weekly journal that only the individual student and the instructor could access.  I feel like this relative privacy enabled me to be more open about how the course was going and any issues I was having.  On the other hand, using this blog format allows for cross-feeding news, ideas, and viewpoints across the entire class, so there are advantages to both approaches.

Good luck and Good night -- to all of us.

Mark V2

Sunday, November 10, 2013

I'd like to share with you my own experience with the CISSP certification--for what it's worth.
I'd been working in the IS business for about 10 yrs when the new DoD 8570-1 requirement came out in late '05.  I really didn't want to get the certification because I was afraid that I'd be tagged forever as an "IS" guy and there are other fields I'd like to work in.  However, I was working for Lockheed Martin at the time, and they insisted that I get the cert, due to the 8570 requirement.  I studied three different books for about 3 months.  The book I used the last few days before my test to quiz myself (believe it or not) was the "CISSP for Dummies" book.
The test took over 4 hours and was, by FAR, the hardest test I've ever taken.  I felt like I was taking the bar to be a lawyer.  There wasn't a single question that I felt had a clear-cut, easy answer.  Every answer seemed like it was both partially correct and partially incorrect.  Selecting the "best" answer was sometimes based on one word or clause.
As you may know, ISC2 doesn't give you any feedback on how you did on the test, if you pass--they just tell you that you passed.  I have no idea if I made it by one point or 100.
Since I got the certification, the amount of respect I get when dealing with other IS professionals does seem higher, but I was right about the "IS Tag"--I will probably never be able to get a job in the straight engineering or IT operations/sustainment fields unless I'm willing to take a BIG pay cut and start at a junior level.  I think having my CISSP probably added $12k to my annual salary when I left Lockheed and was hired by BAE, so financially it was definitely worth it, but being an "IS professional" is not my dream career.
So there you go--one CISSP's experience.
v/r
Mark V2

Tuesday, October 29, 2013

Fascinating article breaking down users into generational groups and analyzing their attitudes, methods of learning, using tech, and security.

I work with a group of engineers ranging from the 68-year-old traditionalist to the 22-year-old millennial and every group in between--this analysis rings true and provides real insight to me.  Especially paragraph number 2.

Your users are NOT all the same and you can't/shouldn't treat them like they are.  As I've said repeatedly, nothing can be simple in this business; there are no simple, cookie-cutter answers.  You have to tailor to the conditions, and the map is NOT the terrain!

Read it here: http://www.darkreading.com/privacy/tech-insight-enterprise-securitys-overlo/240163181

"Good Night and Good Luck" to us all,
Mark V2

Sunday, October 27, 2013

So, another week, another blog post.  More zero-days, more products and services being flogged by vendors, more doom and gloom.  I was going to post a couple of links about 10 common IT risk assessment mistakes and an early review of the new NIST cybersecurity framework, but, well, meh.  Small beer.

Instead, I'm going to post a link to one of my favorite science websites:

That wild man is actually Doctor Ethan Siegel, PhD, Theoretical Astrophysics, and he also wears a kilt!  His blog has won multiple awards for being one of the best "science" blogs out there.  He's really, really good at explaining physics, usually with fantastic graphics and pictures, and I really enjoy his weekly articles.  This weekend's "Diversion" is about a much larger type of risk--our impending collision with this:
Image credit: Adam Evans of flickr, via http://www.flickr.com/photos/8269775@N05.

That's the Andromeda Galaxy.  If you want to know more about the "Andromeda Project" you have to go here and read the whole article.

Enjoy!

"Good luck and Good night"
Mark V2


Sunday, October 20, 2013

If, like me, you know a bit about computers and maybe a (very little) bit about security, you probably get asked by friends and family to help them with their computers.  Everything from "What AV should I use?" to "I think my computer has a virus--can you fix it for me?"

Well, last week, while I was on my unplanned, unfunded, government-mandated "vacation", a friend of mine, Mike, threw me a new one:  "My small business network is not working and I'm not sure why. Can you help me?"  I've never been asked to help with a whole network (albeit a small one) before.  I told him I'd try--as long as he promised not to sue me if I screwed it up.  It's a lawn care service, with a router, 3 hosts, a web server, a multi-function printer, and some storage.

After a quick initial investigation I determined that he had lots of problems:  really bad design (as in not designed, more like just grew), no real security, lots of malware, including bot software, trojans, and key-loggers.  After cleaning the infections I wasn't sure what to do next, so of course, I went searching the internet.  And I found this...

The Manageable Network Plan from these guys...

(I know, right!)

and I really, really like it.  It's a step-by-step guide on how to (re-)gain control of a network and protect it, in easy-to-understand, non-technical language.

Here it is in pictorial form:

So, Mike and I are implementing the plan.  We're on Milestone 3 and I'm researching some affordable options for improving the architecture.

Unfortunately, I have to go back to work tomorrow, so I won't be able to devote as much time as I'd like (can't believe I said that!), but Mike's pretty committed, so I'm optimistic that we will, eventually, finish all eight milestones.  I'll let you know.

"Good Luck and Good Night"!

v/r
Mark V2

Sunday, October 6, 2013

Confession time.  Due to the government idiocy, I was furloughed without pay this week.  As a result, I haven't been paying attention to the InfoSec news much.  I've been somewhat depressed, and didn't do a good job of establishing an alternate routine.  I even lost track of what day it was and completely forgot about class on Thursday!

I did do a quick scan of my favorite InfoSec news and blog sites and ran across this article on InfoSec Island that I think is worth sharing:

Industry's First Social Risk Guide Released

From the guest blog of Vince Schiavone:
"Avoiding #FAIL provides an in-depth understanding of the complex, multidimensional dangers of social risk and how companies can implement an effective advanced threat detection solution to mitigate resulting damage to revenue and reputation and ultimately protect and preserve the business."

Avoiding #FAIL book

I think this sounds like a timely and worthwhile book--this is a topic that needs a lot of work, beyond the current "Be careful what you share" panacea.  I plan on looking for it.

"Good Night and Good Luck" to us all.

Mark V2

Sunday, September 29, 2013

Two items caught my eye this week.  The first is a great example of one of the big risks you should consider when outsourcing your data or services to the cloud, as I discussed in my presentation about DRaaS in class two weeks ago:

A Nirvanix Post Mortem - Why There's No Replacement For Due Diligence

My key take-away sentence: "The bottom line is that no one cares about your data more than you do – there is no replacement for a robust due diligence process and robust thought about avoiding reliance on any one vendor."  (emphasis added)

The other article is from a local Omaha company:

Solutionary SERT to Produce Daily Threat Intelligence Blog Series During National Cybersecurity Awareness Month

"Throughout October, blog topics will include the following:
• Malware Mondays: Focusing on the latest malware trends and cyberattacks targeting enterprise networks.
• Tip Tuesdays: Featuring tips from SERT on the actions that IT security professionals can take to best secure their enterprise networks.
• White Hat Wednesdays: Profiling SERT researchers to give the IT security community a closer look at the people behind the intelligence.
• Thoughtful Thursdays: Offering predictions about the future of cybertrends and attacks, including such topics as malware, mobile security and hacktivism.
• Follow Friday: Providing review and analysis of the week's cybersecurity headlines."

I think this sounds cool and plan on checking the blog each week here:  http://www.solutionary.com/resource-center/blog/tags/National-Cyber-Security-Awareness-Month.  I'll let you know if I think it lives up to the hype.

"Good night and good luck" to us all.

Mark V2