Sunday, November 11, 2012

Pros and Cons of Information Security Certifications

This week we discussed, among other things, job descriptions and certifications.  We all had our own views about the available certifications.  It is apparent that many times these certifications are not only desired by employers, but many times they are required.  While we were discussing this week, I ran across the article "Pros and Cons of Information Security Certifications" on the SearchSecurity site.

In this piece the author states that one of the questions most frequently asked, by both prospective and currently enrolled students, is which security certifications would be best in order to be competitive in the information security field.  The response to this question is far more complex than one would think, and there is therefore no simple answer.  However, the real question students should be asking has more to do with the value that certifications provide for a security professional's career.  There is no Holy Grail of security certifications.  The most important thing is to understand what certifications represent and what they do not, and that certifications have both pros and cons.

One of the more exciting things about information security is that the knowledge in the discipline is constantly and rapidly changing.  This is both positive and negative for the information security profession.  While we get to enjoy an ever-changing landscape, it is also the reason we have to keep our skills and knowledge updated.  Unlike other sciences, where challenges are presented by nature, our challenges lie in people.  People can be our adversaries and highly motivated to cause damage.  These highly motivated people need only find one weakness in order to exploit a system and gain access to any information they desire, so we need to find those weaknesses and strengthen them.  This is why, when security education in practice is considered, security professionals do not have a straightforward, static reply.  The information security professional's career is dynamic.

So one wonders where certifications fit into all this.  According to this author, certifications should be viewed as a measure of mastery along one's career in the profession of information security rather than as an end in themselves.  Security professionals depend less on memorization and passing a certification exam and more on the ability to learn and think independently.  The author feels that professional development in security is much more about continuing one's education and keeping one's skills and knowledge current than about certifications and all the letters they add behind one's name.

This is not to say that certifications are not important.  Certifications have a place.  For some, a certification provides motivation to learn something new, while the eventual completion of the test gives them visible verification of what they have learned.  Certifications can also be used as measurements in employment.  In some cases, employees can earn more money by earning certifications.  In some cases, employers require certification as a condition of employment.  Many of these certifications require periodic renewal as well as continuing education in order to maintain them.

The best certification to get is the one that will help one continue to learn and stay current on what is happening in the security realm.  It is best to always keep in mind that a certification is a milestone, not the end of the road.

Reference

Jacobson, D. A. (Unknown). SearchSecurity - Pros and Cons of Information Security Certifications. Retrieved from techtarget.com: http://searchsecurity.techtarget.com/opinion/Pros-and-Cons-of-Information-Security-Certifications
 




Sunday, November 4, 2012

South Carolina's Recent State Tax Return Breach

So, this week's reading discussed Firewalls and encryption.  Very ironic considering the piece seen on the MSN front page on Wednesday afternoon.  "Data Breach Targets 3.6M taxpayers" the headline screamed from the screen.  Naturally, being inquisitive as I am, and considering my current Degree pursuit, I had to click on the headline and get the details.  As I read, I had to shake my head.

Apparently, citizens who have filed a South Carolina tax return at any time since 1998 are at risk of having their identity stolen.  Hackers accessed the state Department of Revenue server in August of this year and obtained 3.6 million Social Security numbers and 387,000 debit and credit card numbers.  Five thousand of those debit and credit cards were expired, and the Department claims that the rest were expired.

However, the 3.6 million Americans who had their Social Security numbers stolen will have to monitor their credit for many years to come.  These people include children who do not even know what a Social Security number is, yet they may end up learning the hard way because of this breach. 

Apparently hackers like to target state and local governments who are either unwilling or unable to sufficiently secure their information.  From late September through mid-October of this year damaging hacks were reported by the City of Burlington, WA, the Centers for Medicare and Medicaid Services in Baltimore, MD, the town Council of Chapel Hill, NC, the Robeson County Board of elections in Lumberton, NC, the Brightline Interactive, Army chief of Public Affairs office in Alexandria, VA, the City of Tulsa, OK, and the town of Willimantic, CT, and these are just the entities that have willingly disclosed breaches.

Only one in four State Chief Information Security Officers nationwide report that they are confident in their State's ability to defend its data against an external cyberattack.

In the South Carolina instance, the State has negotiated a $12 deal with Experian in order to provide the affected people who sign up with a free year of credit monitoring and a lifetime of fraud resolution with personalized assistance if an account is opened in their name.  This offer also applies to children who have been affected.

Of course, the State has recommended that victims immediately begin to monitor their credit reports, bank accounts and credit card accounts for any suspicious activity.

I just begin to wonder, with this occurring over and over, when Government entities and businesses will realize how at risk their data is.  Information security seems to be the last thought and the last place anyone wants to invest money, giving hackers the opportunity to ruin the everyday man's credit.

References



Datko, K. (2012, October 30). MSN Money. Retrieved from msn.com: http://money.msn.com/saving-money-tips/post.aspx?post=99d34310-0d33-44f2-9981-b2dc18667074




Sunday, October 28, 2012

Mobile app virtualization eases deployment headaches for IT

Once again, I am going to write this week about something that was moved to the forefront of my mind on the way to pick my daughter up from class a week or so ago, but something that not only do I see daily, but we all see daily.

I was on my way back to campus last week to pick my daughter up after class and as I sat at stoplight after stoplight, I kind of smiled to myself as I realized that every person crossing the street in front of me, walking down the sidewalk, practically every person, everywhere we go, has a cell phone in their hand, either texting, talking, listening to their music, or who knows what else.  Just to think, when I was that age, cell phones weren't even a thought we had.  We were still having conversations on phones attached to walls.  We were just moving into the cordless phones with the pull-up antennas, remember those?

So with that thought, came the thought that it seems to me that it won't be long before desktop systems are left along the wayside.  I remember thinking I never wanted a laptop, I would stick with my desktop.  What a workhorse.  There was no way they could get all that in a laptop.  Well, I now don't know what I would do without a laptop.  The ability to sit in bed and do homework.  Oh, heaven must be something like this.  LOL!

So with the proliferation of mobile devices into our lives, it only makes sense that the next frontier for takeover, if not already taken over, is the work environment.

So far organizations seem to be handling it in many ways.  There are organizations that distribute mobile devices to employees, there are organizations that allow employees to bring their own devices to work, and there are organizations that combine these two approaches.

However it is handled, it is imperative for organizations to jump on the mobile bandwagon one way or another.  I ran across this article, Mobile app virtualization eases deployment headaches for IT, and thought it would make for a good discussion.

There are three stages for successful mobile deployment according to this piece.  The first stage is the delivery of existing apps to mobile devices in a virtualized manner.  This step is a necessary bridge technology because of an organization's investments in Windows 7 and in applications that have not been built for mobile environments.

The second stage is to take existing applications and turn them into cross-platform mobile apps.  The third and final stage is to decouple the data from the application and choose the appropriate application for the platform or device being used.  When all three stages are completed, IT can pipe the data from the data center directly into the application.

As we know, mobile devices have proliferated throughout our society, and this has forced organizations to rethink their information systems.  While organizations do not have to make a total move to mobility, it is going to become a huge consideration for them as their employees increasingly demand the ability to be mobile.  Mobility has become a catalyst for change, not only at home, but also in business.



Furbush, J. (2012, October 24). SearchConsumerization. Retrieved from techtarget.com: http://searchconsumerization.techtarget.com/news/2240169175/Mobile-app-virtualization-eases-deployment-headaches-for-IT



Sunday, October 21, 2012

Information Security Risk Analysis

Our chapter this week discussed risk analysis, asset valuation, and other topics associated with risk analysis.  I found an article discussing a hybrid of qualitative and quantitative risk analysis.

Threat can be defined as the result of an Actor, a Motivation and an exploitable Vulnerability. Risk can be defined as the product of a Threat, Probability and Business Impact.

NIST SP800-30 discusses a series of steps that should be carried out during a Risk Analysis, or Risk Assessment. The steps, as noted below, are a hybrid of quantitative and qualitative analysis. When a quantity is known, that quantity should be included; when threats, risks, or assets are subjective, scenarios should be developed. ‘High / Med / Low’ can be substituted for figures in both likelihood and impact assessments.




The object of a Risk Analysis is to rate the organization's current exposure and to produce a plan to institute controls that mitigate some or all of that risk.



Loss expectancy is calculated for each asset vulnerability during a Quantitative Risk Analysis. Each asset must be valued (AV), and the exposure (as a %) of that asset, as related to each particular vulnerability in question, must also be calculated.   Said formula is noted below:

Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)

The organization should then estimate the number of occurrences, annually, of the particular loss. The resulting number can be a whole number or a fraction if the event occurs less than once per year. The Annual Rate of Occurrence (ARO) can be predicted based on historical figures. It is essentially the balance of the adversary capability against the countermeasures (controls) put in place by the Security Manager.


Referencing our earlier noted flow chart, the Asset and Vulnerability are used to calculate the Single Loss Expectancy (SLE) and the Threat, Threat Actor, Controls and Security Manager are used to estimate the Annual Rate of Occurrence (ARO).


The final calculation – Annual Loss Expectancy (ALE) – is a numeric approximation of risk. The resulting figure can be used to help the business decide whether the risk should be:

avoided – through changing business process
mitigated – through introduction of countermeasures
accepted – because the cost of avoidance or mitigation outweighs the ALE

Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)

Countermeasures or risk avoidance measures for a particular threat should only be considered, and then discussed, when their cost of adoption is less than the Annual Loss Expectancy for that threat.
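The following is an added example (not code from the post or from NIST SP800-30) that carries the two formulas above through on a small, constructed risk register: SLE = AV x EF, ALE = SLE x ARO, then the cost-of-adoption test against the ALE. The numeric stand-ins for the 'High / Med / Low' ratings are an assumption made for illustration; the asset names and figures are constructed.

```python
"""Hybrid quantitative / qualitative risk analysis: SLE, ARO, ALE and the
countermeasure decision. Added example; register values are constructed."""
from dataclasses import dataclass
from typing import Union

Rating = Union[float, int, str]

# Assumed numeric stand-ins for the 'High / Med / Low' substitutes (constructed;
# a real programme calibrates these against its own history).
QUALITATIVE_EF = {"High": 0.75, "Med": 0.40, "Low": 0.10}   # fraction of AV lost per event
QUALITATIVE_ARO = {"High": 4.0, "Med": 1.0, "Low": 0.1}     # events per year


@dataclass
class RiskScenario:
    asset: str
    vulnerability: str
    asset_value: float       # AV, in currency units
    exposure_factor: Rating  # EF as a fraction 0..1, or a High/Med/Low rating
    annual_rate: Rating      # ARO, events per year (fraction if rarer), or a rating


def resolve(value: Rating, table: dict) -> float:
    """Pass a known figure through, or map a qualitative rating to its number."""
    if isinstance(value, str):
        if value not in table:
            raise ValueError(f"unknown rating {value!r}; expected one of {list(table)}")
        return table[value]
    return float(value)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, annual_rate: float) -> float:
    """ALE = SLE x ARO; ARO may be fractional for events rarer than once a year."""
    if annual_rate < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(sle * annual_rate, 2)


def assess(scenario: RiskScenario) -> dict:
    """Resolve ratings, then compute SLE and ALE for one asset/vulnerability pair."""
    ef = resolve(scenario.exposure_factor, QUALITATIVE_EF)
    aro = resolve(scenario.annual_rate, QUALITATIVE_ARO)
    sle = single_loss_expectancy(scenario.asset_value, ef)
    ale = annual_loss_expectancy(sle, aro)
    return {"asset": scenario.asset, "vulnerability": scenario.vulnerability,
            "EF": ef, "SLE": sle, "ARO": aro, "ALE": ale}


def recommend(ale: float, countermeasure_annual_cost: float) -> str:
    """The post's rule: a countermeasure is worth discussing only if it costs less
    than the ALE it addresses; otherwise the risk is accepted."""
    return "mitigate_or_avoid" if countermeasure_annual_cost < ale else "accept"


def rank_by_ale(scenarios) -> list:
    """Assess every scenario and order them by ALE, highest exposure first."""
    return sorted((assess(s) for s in scenarios), key=lambda r: r["ALE"], reverse=True)


# Constructed sample register (not real figures).
SAMPLE_REGISTER = [
    RiskScenario("Customer records database", "unpatched web application", 500_000, 0.6, 0.5),
    RiskScenario("Laptop fleet", "device theft", 200_000, "Low", "High"),
    RiskScenario("Public website", "denial of service", 50_000, "Med", 2),
]

if __name__ == "__main__":
    for row in rank_by_ale(SAMPLE_REGISTER):
        print(f"{row['asset']:<28} SLE={row['SLE']:>10,.2f}  ARO={row['ARO']:<4}  ALE={row['ALE']:>10,.2f}")
    # A control costing 100,000 a year is worth discussing for the database (ALE 150,000)
    # but not for the laptop fleet (ALE 80,000).
    print(recommend(150_000.0, 100_000), recommend(80_000.0, 100_000))
```

Mixing known figures and ratings in one register is the hybrid approach the section describes: the database row uses measured values, the laptop row uses ratings only, and the website row mixes the two. Ranking by ALE gives the business the ordering it needs before the cost-of-adoption comparison is applied per threat.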


REFERENCES

Maniscalchi. (2010, May 17). Digital Threat - Information Security Analysis. Retrieved October 2012, from digitalthreat.net.  http://www.digitalthreat.net/2010/05/information-security-risk-analysis/#




Sunday, October 14, 2012

Endangered IT Species

For this week's blog, I am going a little off kilter.  I have recently relocated and am having a difficult time finding work.  I know between the economy and my lack of experience, it is more difficult finding something, but it is very frustrating.  I have gone back to school, received my Bachelor's Degree, am working on my Graduate Degree, interned for a little over a year with TD Ameritrade, and still find myself on the "lack of experience" train.

It is frustrating.  How are we to get experience if we are not given the chance.  Yes, I have a year's worth of experience, but it is very difficult finding something with so little experience.  Another thing hampering my job search is the fact that although it has been said that IT security specialists will be in high demand in the near future, I am not seeing that yet.

I received an e-mail that discussed the 9 most endangered IT species in a whimsical manner that I found interesting and I will relay here.

The piece was entitled "The most 9 endangered species in IT.  The IT job landscape is evolving quickly.  Here's how to avoid IT extinction".  It discussed positions that IT Specialists see in jeopardy and how to adjust to keep from getting pushed out of the field.

The first endangered species is the brown-nosed naysayer, which this piece describes as a person who commanded all tech decisions with the simple word "no" in the name of security and/or budget concerns.  However, with the new "bring your own device" revolution hitting the business world, along with cloud services, this "species" is now harmless and will soon find itself phased out of the business environment.  In order to avoid extinction, it is recommended this species begin practicing the word "yes" and embrace this new revolution.  It is further recommended this species assist in developing a mobile device management strategy and a policy for the enforcement of social media use.

The next endangered species is the data center dinosaur, which is described as the person with an in-depth knowledge and understanding of particular types of software, coding languages, or development methodologies.  These specialists are now being replaced by flexible generalists who have a broader skill set.  In order to avoid extinction, it is recommended this species broaden and diversify their knowledge base.

Next is the red-bellied repair tech.  This species was once a common sight in offices making sure desktops were up and running.  However, with the decreasing costs of hardware and the gaining popularity of inexpensive mobile devices, they have become unneeded.  It is recommended this species consider server maintenance to stay vital to an Organization.  A person that has the ability to quickly diagnose hardware issues and errors in a server environment will have work for many upcoming years.

Next we have the lesser-spotted system administrator.  This one surprised me.  Systems Administrators have played an important role in the IT world by keeping the end user systems up-to-date and operable.  However, in recent years these roles have been outsourced, leaving the remaining numbers in peril.  With the increasing dependency on cloud computing, their presence will be needed even less.  Small and mid-size organizations will be the first to cut this species in an attempt to shore up budget constraints.  This species may not disappear entirely, as these tasks will migrate to cloud companies where demand is higher and competition stiffer.  It is recommended that this species become security gurus or data analytics experts, as these are two fields that are growing and will continue to do so for some time.

Next we have the pink-crested credentialist.  While the Credentialist is rare, it can still be found in HR departments, though its duties have been reduced by IT pros with more skills and experience.  It is recommended this species adapt to engineer/programmer type work or create their own intellectual property in order to stay relevant.

Next is the common web designer.  In the not too distant past Organizations had web designers coming out their ears; those numbers are down to a handful of experts.  With the increased use of automated site-creation tools and sophisticated marketing, this species is quickly declining.  It is recommended this species focus on mobile devices.

Next is the woolly unix mammoth.  This species was once dominant but is quickly being replaced by faster and less expensive Linux boxes.  In order to avoid extinction, it is recommended this species become experts on which applications can migrate to Linux and which ones need to remain on Sun, in order to lead their Organizations during the migration.

Next is the purple-tufted programmer.  Programmers who have gained their experience in Cobol or Fortran are a dying breed, but they are not the only ones.  IT pros who are mainly code hackers will quickly find themselves unneeded.  One who would prefer to write code as a career should be ready to do it as a software engineer.  In order to survive, it is recommended this species expand their knowledge base and align their skills with the changing needs of business, which means becoming integrators of business logic, cloud tools, and more, or they may find themselves extinct.

Finally, we have the ridge-backed technocrat.  This species has relied on building technology silos and policies.  This territory has now become overrun with business managers who no longer require approval for technology purchases.  In order to remain relevant, it is suggested this species needs to start working with other teams in order to make things more efficient and assist the application experts in saving money.

While this article took a whimsical look at the changing demands in IT, some of it was surprising.  I guess the biggest surprise was the System Admins.  When I interned, this department was pretty big.  It seems strange that these people would no longer be needed, as they are the ones that keep the Organization running on a day-to-day basis.

However, it was nice to see that a recommendation of Information Security was offered.  So, I guess I'm on the right track, I just have to be patient, and hopefully I will find the right job.

Keep your fingers crossed for me, and if you have any hints or advice, please, let me know.  I am open for anything because right now I'm looking at a sales associate position with Sprint.  Argh!



Tynan, D. (2012, October 11). The 9 most endangered species in IT. The IT job landscape is evolving quickly. Here's how to avoid IT extinction. InfoWorld. http://www.infoworld.com/slideshow/68348/the-9-most-endangered-species-in-it-204556#slide1

Sunday, October 7, 2012

Attempt to cut down on cell phone thefts

This week's discussion was brought to mind by some discussion on my weekly forum posting in my Management of Information Security Class.  During this discussion I was reminded of something I had just caught the tail end of on the news a month or so ago, or it seemed anyway.  Come to find out, it looks like it was back in April, but I still find it interesting.  I suppose it was probably brought to the forefront of my mind again as my daughter lost her phone about a week ago.  We did find it; she left it on the roof of the car when she got in after class one rainy day last week.  That phone stayed on top of the car for about five miles and three turns.  When we finally realized it was gone, we retraced our steps, and found it about a block from the end of our trip; of course we started at the beginning to retrace our steps.  Anyway, she has a Samsung Galaxy SII and has been singing its praises.  All the phone ended up with was a cracked glass.  It probably wouldn't have cracked had it not been lying on top of a rock and been run over at least once.  Other than that, it works great!  So, anyway, on to the discussion about cutting down on the thefts of cell phones.

The piece I read, "FCC, Cellphone Companies Work Together to Deter Cellphone Theft", mentioned that cellphone theft has not only increased, but has become an increasingly violent crime.  The FCC and the cellphone companies have now come together and begun to work together to make it more difficult to use a stolen cellphone.

The parties have agreed to establish a database that will allow stolen phones to be shut off based on their IMEI number.  These numbers are unique to each cellphone, much like automobile VIN numbers.  By using the database, carriers will have the ability to permanently block a cell phone that has been reported stolen from being activated on the network.

The goal of this agreement is to make a stolen cell phone worthless.  New York Senator Charles Schumer is also working on a bill that would make tampering with an IMEI number a federal crime.

With the increased use of smart phones, there has been an increase in the number of thefts, with thefts occurring in schools, during rush hour, in broad daylight; thefts occurring outside the norm.

At this time it is fairly easy to use a stolen cell phone.  The SIM card is usually disabled in a stolen cell phone, but it is simple enough to get a new SIM card and reactivate the stolen phone.  This ease has assisted the growth of a black market for stolen cell phones.

It is nice to see the Government and the providers working together to try to decrease these thefts.  I have had one cell phone stolen and lost another.  I don't know if anyone decided to try to use them; I don't care.  The biggest thing was the disruption caused by not having the phone.  I think the more we rely on our smartphones, and the smarter they become, the more personal information they are going to have, so I don't know if targeting this one issue of theft is the way to go about it, but at least it is a start.  I never realized, until I saw some of the recorded thefts on the news, how violent thieves have become when attempting to steal a cell phone; it would be nice to have some of that violence reduced as well.  If the phones cannot be used after they are stolen, there will be a decrease in the violent thefts.




Newsroom, W. (2012, April 10). FCC, Cellphone Companies Work Together to Deter Cellphone Theft. WNYC News. http://www.wnyc.org/articles/wnyc-news/2012/apr/10/fcc-cellphone-companies-work-together-stop-cellphone-theft/