Final Post
So, last post; time for a look back. Over the last twelve weeks, I've posted on a wide variety of Infosec-related current events from a pretty wide variety of sources. I have to say that I've mostly regurgitated other people's articles, but usually interesting ones with some relevance to the course.
In the Social Engineering course I took, the instructor had us post to a weekly journal that only the individual student and the instructor could access. I feel like this relative privacy enabled me to be more open about how the course was going and any issues I was having. On the other hand, using this blog format allows for cross-feeding news, ideas, and viewpoints across the entire class, so there are advantages to both approaches.
Good luck and Good night -- to all of us.
Mark V2
Saturday, November 16, 2013
Sunday, November 10, 2013
I'd like to share with you my own experience with the CISSP certification--for what it's worth.
I'd been working in the IS business for about 10 years when the new DoD 8570-1 requirement came out in late '05. I really didn't want to get the certification because I was afraid that I'd be tagged forever as an "IS" guy and there are other fields I'd like to work in. However, I was working for Lockheed Martin at the time, and they insisted that I get the cert, due to the 8570 requirement. I studied three different books for about 3 months. The book I used the last few days before my test to quiz myself (believe it or not) was the "CISSP for Dummies" book.
The test took over 4 hours and was, by FAR, the hardest test I've ever taken. I felt like I was taking the bar to be a lawyer. There wasn't a single question that I felt like had a clear-cut easy answer. Every answer seemed like it was both partially correct and partially incorrect. Selecting the "best" answer was sometimes based on one word or clause.
As you may know, ISC2 doesn't give you any feedback on how you did on the test, if you pass--they just tell you that you passed. I have no idea if I made it by one point or 100.
Since I got the certification, the amount of respect I get when dealing with other IS professionals does seem higher, but I was right about the "IS Tag"--I will probably never be able to get a job in the straight engineering or IT operations/sustainment fields unless I'm willing to take a BIG pay cut and start at a junior level. I think having my CISSP probably added $12k to my annual salary when I left Lockheed and was hired by BAE, so financially it was definitely worth it, but being an "IS professional" is not my dream career.
So there you go--one CISSP's experience.
v/r
Mark V2
Tuesday, October 29, 2013
Fascinating article breaking down users into generational groups and analyzing their attitudes, methods of learning, using tech, and security.
I work with a group of engineers ranging from the 68-year-old traditionalist to the 22-year-old millennial and every group in between--this analysis rings true and provides real insight to me. Especially paragraph number 2.
Your users are NOT all the same and you can't/shouldn't treat them like they are. As I've said repeatedly, nothing can be simple in this business; there are no simple, cookie-cutter answers. You have to tailor to the conditions, and the map is NOT the terrain!
Read it here: http://www.darkreading.com/privacy/tech-insight-enterprise-securitys-overlo/240163181
"Good Night and Good Luck" to us all,
Mark V2
Sunday, October 27, 2013
So, another week, another blog post. More zero-days, more products and services being flogged by vendors, more doom and gloom.
I was going to post a couple of links about 10 common IT risk assessment mistakes and an early review of the new NIST cybersecurity framework, but, well, meh. Small beer.
Instead, I'm going to post a link to one of my favorite science websites:
That wild man is actually Doctor Ethan Siegel, PhD, Theoretical Astrophysics, and he also wears a kilt! His blog has won multiple awards for being one of the best "science" blogs out there. He's really, really good at explaining physics, usually with fantastic graphics and pictures, and I really enjoy his weekly articles. This weekend's "Diversion" is about a much larger type of risk--our impending collision with this:

That's the Andromeda Galaxy. If you want to know more about the "Andromeda Project" you have to go here and read the whole article.
Enjoy!
"Good luck and Good night"
Mark V2
Sunday, October 20, 2013
If, like me, you know a bit about computers and maybe a (very little) bit about security, you probably get asked by friends and family to help them with their computers. Everything from "What AV should I use?" to "I think my computer has a virus--can you fix it for me?"
Well, last week, while I was on my unplanned, unfunded, government mandated "vacation", a friend of mine, Mike, threw me a new one: "My small business network is not working and I'm not sure why. Can you help me? " I've never been asked to help with a whole network (albeit a small one) before. I told him I'd try--as long as he promised not to sue me if I screwed it up. It's a lawn care service, with a router, 3 hosts, a web server, a multi-function printer, and some storage.
After a quick initial investigation I determined that he had lots of problems: really bad design (as in not designed, more like just grew), no real security, lots of malware, including bot software, trojans, and key-loggers. After cleaning the infections I wasn't sure what to do next, so of course, I went searching the internet. And I found this...
The Manageable Network Plan from these guys...
and I really, really like it. It's a step-by-step guide on how to (re-)gain control of a network and protect it, in easy-to-understand, non-technical language.
Here it is in pictorial form:
So, Mike and I are implementing the plan. We're on Milestone 3 and I'm researching some affordable options for improving the architecture.
Unfortunately, I have to go back to work tomorrow, so I won't be able to devote as much time as I'd like, (can't believe I said that!) but Mike's pretty committed, so I'm optimistic that we will, eventually, finish all eight milestones. I'll let you know.
"Good Luck and Good Night"!
v/r
Mark V2
Sunday, October 6, 2013
Confession time. Due to the government idiocy, I was furloughed without pay this week. As a result, I haven't been paying attention to the InfoSec news much. I've been somewhat depressed, and didn't do a good job of establishing an alternate routine. I even lost track of what day it was and completely forgot about class on Thursday!
I did do a quick scan of my favorite InfoSec news and blog sites and ran across this article on InfoSec Island that I think is worth sharing:
Industry's First Social Risk Guide Released
From the guest blog of Vince Schiavone: "Avoiding #FAIL provides an in-depth understanding of the complex, multidimensional dangers of social risk and how companies can implement an effective advanced threat detection solution to mitigate resulting damage to revenue and reputation and ultimately protect and preserve the business."
I think this sounds like a timely and worthwhile book--This is a topic that needs a lot of work, beyond the current "Be careful what you share" panacea. I plan on looking for it.
"Good Night and Good Luck" to us all.
Mark V2
Sunday, September 29, 2013
Two items caught my eye this week. The first is a great example of one of the big risks you should consider when outsourcing your data or services to the cloud, as I discussed in my presentation about DRaaS in class two weeks ago:
A Nirvanix Post Mortem - Why There's No Replacement For Due Diligence
My key take-away sentence: "The bottom line is that no one cares about your data more than you do – there is no replacement for a robust due diligence process and robust thought about avoiding reliance on any one vendor." (emphasis added)
Read the article here: http://www.forbes.com/sites/benkepes/2013/09/28/a-nirvanix-post-mortem-why-theres-no-replacement-for-due-diligence/
The other article is from a local Omaha company:
Solutionary SERT to Produce Daily Threat Intelligence Blog Series During National Cybersecurity Awareness Month
"Throughout October, blog topics will include the following:
- Malware Mondays: Focusing on the latest malware trends and cyberattacks targeting enterprise networks.
- Tip Tuesdays: Featuring tips from SERT on the actions that IT security professionals can take to best secure their enterprise networks.
- White Hat Wednesdays: Profiling SERT researchers to give the IT security community a closer look at the people behind the intelligence.
- Thoughtful Thursdays: Offering predictions about the future of cybertrends and attacks, including such topics as malware, mobile security and hacktivism.
- Follow Friday: Providing review and analysis of the week's cybersecurity headlines."
I think this sounds cool and plan on checking the blog each week here: http://www.solutionary.com/resource-center/blog/tags/National-Cyber-Security-Awareness-Month.
I'll let you know if I think it lives up to the hype.
"Good night and good luck" to us all.
Mark V2
Sunday, September 22, 2013
Well, that didn't take long.
"Hackers from the Chaos Computer Club (CCC) say they have successfully bypassed the biometric security of Apple's recently released TouchID on an iPhone 5s." (Mike Lennon, Security Week, 21 Sep 2013)
See the complete article on how they did it here: http://www.infosecisland.com/blogview/23397-Hackers-Defeat-Apples-TouchID-on-an-iPhone-5S.html
On the dirty tricks front (NSA) there weren't any new revelations this week, just reaction:
"Security firm RSA sent an advisory to their developer customers warning against use of a toolkit that employs an NIST encryption algorithm by default that is suspected to have been “backdoored” by the NSA." (Anthony Freed, InfoSec Island, 21 Sep 2013)
This is an example of the damage to trust I believe the NSA has wrought, and trust in the strength of the encryption algorithms used to secure so much of the underpinnings of the internet is vital. I don't think the Law of Unintended Consequences has run its course yet.
"Goodnight and good luck"--to all of us.
Mark V2
Sunday, September 15, 2013
League of government sneaks and cheaters (LoGSC)
Continuing my rant from last week, what does this headline:
have in common with this one:
New York Times provides new details about NSA backdoor in crypto spec
other than that they're both from Ars Technica?
They're both reports about the abuse of power in the pursuit of lofty goals (national security). Next the abuses will be in pursuit of base goals (the preservation of power), if history is any guide. I'm not saying there's any way back--I believe we're already over the precipice. I'm just pointing out the road signs as we slide by, into a dark and ugly future. The wheel turns.
Or maybe not: NIST: "we are not deliberately... working to undermine or weaken encryption." At least one government agency, and it's still one of my favorites, doesn't appear to be in the League...yet.
Maybe I'm a cynic, or have read too much dystopian sci-fi, but I'm reminded of this poem, by William Butler Yeats:

The Second Coming
Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The blood-dimmed tide is loosed, and everywhere
The ceremony of innocence is drowned;
The best lack all conviction, while the worst
Are full of passionate intensity.
Surely some revelation is at hand;
Surely the Second Coming is at hand.
The Second Coming! Hardly are those words out
When a vast image out of Spiritus Mundi
Troubles my sight: somewhere in sands of the desert
A shape with lion body and the head of a man,
A gaze blank and pitiless as the sun,
Is moving its slow thighs, while all about it
Reel shadows of the indignant desert birds.
The darkness drops again; but now I know
That twenty centuries of stony sleep
Were vexed to nightmare by a rocking cradle,
And what rough beast, its hour come round at last,
Slouches towards Bethlehem to be born?
To paraphrase the poignant words of Edward R. Murrow, "Goodnight and good luck"--to all of us.
Mark V2
Friday, September 6, 2013
So the top InfoSec news of the week has to be the revelation that not only has the NSA been scooping up all the inter-bits, everywhere, all the time, but that they can decrypt almost all of them. They do this not only by (limited) brute-force cracking, but by "acquiring" commercial keys, by hook or by crook.
What chafes my butt about this is that, to paraphrase Pres. Obama, we HAD this "public discussion" back in the '90s when NSA wanted to require the CLIPPER chip. The subject was debated, extensively, by all stakeholders, and the DEMOCRATIC decision was that we valued our privacy more than the government's need to provide security.
Apparently, the NSA decided they are above the law, and so they subverted the will of the people and reached their goals anyway.
"Power tends to corrupt, and absolute power corrupts absolutely." - Lord Acton
Monday, August 26, 2013
Dear Reader,
Why are you here? At this blog site I mean, not the existential "Why am I here?"
If you're sure you have nothing better to do at the moment than to read this blog, then:
Welcome! Here you will find random musings generally, usually--but probably not exclusively--related to what's happening in the exciting world of Information Security, and my journey/ odyssey / trials as I complete a masters degree in Cyber Security at Bellevue University, Bellevue Nebraska.
Let me begin by introducing myself. I prefer the appellation "V2" which can be pronounced as vee-two or as vee-squared. Makes no difference. I'm retired from the USAF after 23 years and I'm using my GI Bill to attend school.
I've been a Certified Information Systems Security Professional (CISSP) since 2006, and have been working in what the DoD calls Information Assurance (IA) since 1984. You probably know the field as Information Security or INFOSEC for short. It's supposition on my part, but I believe the DoD started calling it IA to differentiate it from all the other "SECS" they already have: COMSEC, OPSEC, PERSEC, etc.
Anyway, I intend to post my thoughts about current events in INFOSEC at least weekly. I will try to make them humorous and engaging, but considering the content, please don't judge me too harshly.
Mark V2