Monday, December 19, 2011

DHS Cybersecurity Strategy and New California eCrime Unit

WASHINGTON - JANUARY 08:  The Department of Ho...
Image by Getty Images via @daylife
A couple of interesting items within the information security world...

I. The Department of Homeland Security has released a new cybersecurity strategy document with a two-pronged approach:
  1. Protecting critical infrastructure today
  2. Building a more secure cybersecurity ecosystem for the future
Download the Blueprint for a Secure Cyber Future document (PDF).

II. California Attorney General Kamala D. Harris has announced the creation of a new eCrime Unit to investigate and prosecute technology crime.

"The primary mission of the eCrime Unit is to investigate and prosecute multi-jurisdictional criminal organizations, networks, and groups that perpetrate identity theft crimes, use an electronic device or network to facilitate a crime, or commit a crime targeting an electronic device, network or intellectual property." READ MORE

Wednesday, December 14, 2011

America the Vulnerable

Interesting approach to computer security
Image by formalfallacy @ Dublin (Victor) via Flickr

During my commute to and from work I recently began listening to the audiobook, "America the Vulnerable: New Technology and the Next Threat to National Security" by Joel Brenner, narrated by Lloyd James. The audiobook was downloaded from Audible.com.

I’m currently half-way through the unabridged audio and am enjoying it. The book is an eye-opening reminder of what many of us within the InfoSec industry are already aware of as we analyze security events on a daily basis. American national security, our economy, physical and energy infrastructure, financial system and our own privacy are at risk and that if security isn't built into our systems, our systems won't be secure. From what I’ve listened to so far, Brenner does a good job of laying out the cyber-threat facing the United States.

I hope to finish the audiobook by the end of this week as I’m interested in hearing what Brenner has to prescribe as a solution to the problem. Though I have yet to finish the audiobook, I recommend it as a must read for anyone interested or with career in cybersecurity.

Monday, December 12, 2011

New Reader Poll - CISSP Exam

CISSP Logo
Image via Wikipedia
I just posted a reader poll that's now viewable on the right-hand column of this blog. I want to get opinions from those of you that have your CISSP certification. There are two questions in the poll:

  1. If you are a CISSP, did your employer at the time encourage you to take the CISSP exam? (Yes/No)
  2. If you are a CISSP, did your employer pay for you to take the CISSP exam, or did you? (Employer paid/you paid)

The poll can also be accessed directly from here.

As for the value of a CISSP vs. other certifications ... that's for yet another posting.

The Pony in the Dung Heap Joke

Is the glass half empty or half full? The pess...
Image via Wikipedia

I recently came across a humorous, yet insightful, joke. You may have heard it before. It's the pony in the dung heap. Last week I read it for the first time within, "How Ronald Reagan Changed My Life", by Peter Robinson. Here's an exert from the book containing the joke:

-----BEGIN EXERT------

Chapter One 
The Pony In the Dung Heap 
When Life Buries You, Dig 
Journal Entry, June 2002:


Over lunch today I asked Ed Meese about one of Reagan's favorite jokes. "The pony joke?" Meese replied. "Sure I remember it. If I heard him tell it once, I heard him tell it a thousand times."


The joke concerns twin boys of five or six. Worried that the boys had developed extreme personalities -- one was a total pessimist, the other a total optimist -- their parents took them to a psychiatrist.


First the psychiatrist treated the pessimist. Trying to brighten his outlook, the psychiatrist took him to a room piled to the ceiling with brand-new toys. But instead of yelping with delight, the little boy burst into tears. "What's the matter?" the psychiatrist asked, baffled. "Don't you want to play with any of the toys?" "Yes," the little boy bawled, "but if I did I'd only break them."


Next the psychiatrist treated the optimist. Trying to dampen his out look, the psychiatrist took him to a room piled to the ceiling with horse manure. But instead of wrinkling his nose in disgust, the optimist emitted just the yelp of delight the psychiatrist had been hoping to hear from his brother, the pessimist. Then he clambered to the top of the pile, dropped to his knees, and began gleefully digging out scoop after scoop with his bare hands. "What do you think you're doing?" the psychiatrist asked, just as baffled by the optimist as he had been by the pessimist. "With all this manure," the little boy replied, beaming, "there must be a pony in here somewhere!"


"Reagan told the joke so often," Meese said, chuckling, "that it got to be kind of a joke with the rest of us. Whenever something would go wrong, somebody on the staff would be sure to say, "There must be a pony in here somewhere.'"

-----END EXERT------

It's a great joke to tell ourselves when we're feeling buried under heaps of work and life responsibilities as a reminder to persevere and make the best out of any given moment. For me, it'll take a lifetime to fully grasp, and even then, I might not have made it an automatic process and I'll still see "the glass half empty" at times.


Friday, December 9, 2011

Free Security Awareness Training - Part 5 of 5

Class 1: Explosives
Image via Wikipedia
Today's post concludes the series of five posts whereby I wanted to give you links to 25 security awareness courses and videos that are publicly available.

I strongly believe that security awareness training is an essential component to good security. Throwing money and technology at the security problem might be worthwhile in the early stages of maturity of an originzatzion's information security program. However, the problem with this approach is that there are diminishing returns; more technology becomes less and less effective at improving security. Something needs to improve beyond installing and patching technology on a daily basis, forever running around attempting to deal with security incidents and emerging threats and doing work simply for work's sake. The human dimension is a critical part of this, and security awareness training helps sharpen this human component; the HumanOS.
  1. Analytical Investigative Tools (Multijurisdictional Counterdrug Task Force Training)
    1. What Every Law Enforcement Officer Should Know About DNA Evidence – Investigators and Evidence Technicians (DNA Initiative)
    2. Food Security Training (US Food and Drug Administration)
    3. Explosives, Booby Traps and Bomb Threat Management (Multijurisdictional Counterdrug Task Force Training)
    4. HAZMAT Transportation Security Awareness Training (Dangerous Goods International)

    Thursday, December 8, 2011

    Free Security Awareness Training - Part 4 of 5

    A U.S. Coast Guardsman searches for survivors ...
    Image via Wikipedia
    This week I'm sharing with you links to 25 security awareness training sites. The training links are being broken up into groups of five, published within five separate postings. Today we reach the forth set of training links for an accumulative total of 20.

    The 2008 information security survey by Pricewaterhouse Coopers revealed that investment in security technologies had increased but “the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security’s value, such as: (1) many of the critical business and security processes that support technology, and (2) the people who administer them.” Security awareness training helps address the second item.
    "The security discipline has so far been skewed toward technology - firewalls, ID management, intrusion detection - instead of a risk analysis and proactive intelligence gathering. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy. We have to start addressing the human element of information security, not just the technological one; it i only then that companies will stop being punching bags." - PricewaterhouseCoopers
    Below is the next set of security awareness training links.
    1. The History of Bio-Terrorism (Center for Disease Control and Prevention)
    2. Detecting Bio-Terror (Center for Public Health Preparedness)
    3. Radiological Terrorism: Just in Time Training for Hospital Clinicians (Center for Disease Control and Prevention)
    4. Nuclear Terrorism: Pathways & Prevention (Center for Public Health Preparedness)
    5. Preparedness & Community Response to Pandemics (Center for Public Health Preparedness)

    Wednesday, December 7, 2011

    Free Security Awareness Training - Part 3 of 5

    The flood in Pirna.
    Image via Wikipedia
    This week I'm passing on to you links to 25 free security awareness training sites. Why is security awareness training important? Fundamentally, security is about people. Having worked within the information security world for the past 15 years, it's become very clear that the best defense to internal and external threats is not technology by itself. Rather, people need to have the mindset that helps them to automatically take actions that support security, not circumvent or undermine it. Security awareness training helps raise awareness so as to begin making this a natural mindset that influences behavior.
    "No one wants security; they want the benefits of security. A homeowner does not want the finest deadbolt on the front door because of the excellence of its engineering; they want a comfortable, happy place in which to live." - Steve Hunt
    Below are the next five training links. This now brings us to a total of 15 trainings out of the 25 I promised to give you by the end of this week.
    1. OPPSEC (United States Marine Corps)
    2. Intelligence Analysis Web-based Training (Anacapa Sciences)
    3. SAEDA (553G-NG0001-A) (Espionage Awareness) (United States Army)
    4. Are You Ready? An In-depth Guide to Citizen Preparedness FEMA/EMI Course IS-22 (FEMA)
    5. Personal Preparedness (Center for Public Health Preparedness)

    Tuesday, December 6, 2011

    Cyber Intelligence Sharing and Protection Act of 2011 (HR 3523)

    United States House Permanent Select Committee...
    Image via Wikipedia

    The House Intelligence Committee held a closed-door markup of a bill (HR 3523) with the intention to improve cybersecurity through enabling the federal government to share classified cyber threat information with businesses. To quote two of the primary proponents:
    "There is an economic cyber war going on today against US companies." ... "There are two types of companies in this country, those who know they've been hacked, and those who don't know they've been hacked. Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies. This cybersecurity bill goes a long way in helping American businesses better protect their networks and their intellectual property." -- Chairman of The Permanent Select Committee on Intelligence, Congressman Mike Rogers (R-MI)
    "We simply can't stand by if we have the ability to help American companies protect themselves. Sharing information about cyber threats is a critical step to preventing them. This bill is a good start toward helping the private sector safeguard its intellectual property and critical cyber networks, including those that power our electrical, water and banking systems. The bill maintains vital protections for privacy and civil liberties without any new federal spending, regulations or unfunded mandates." -- The committee's ranking member, Congressman Dutch Ruppersberger (D-MD)

    Free Security Awareness Training - Part 2 of 5

    A graphic representation of the four phases in...
    Image via Wikipedia
    This week my goal is to pass along to you links to 25 free security awareness trainings. The trainings are being divided up into groups of five and published in a series of five separate postings. The first set of training links was published yesterday.

    As promised, below is the second set of five trainings.

    1. Anti-Terrorism Awareness Level-1 (Defense Technical Information Center - US DoD)
    2. The Seven Signs of Terrorism (Michigan State Police via YouTube)
    3. AWR-187 Terrorism and WMD Awareness in the Workplace (Rural Domestic Preparedness Consortium)
    4. Kentucky Terrorism Response & Preparedness (University of Kentucky)
    5. Prevention and Deterrence of Terrorist Acts (National Center for Biomedical Research and Training)

    Monday, December 5, 2011

    Free Security Awareness Training - Part 1 of 5

    Poster produced in the US warning the public a...
    Image via Wikipedia

    As a security profesional I believe it's essential that we maintain security awareness and an understanding of the threats we face. Education often isn't cheap and the reality is that for many employers funding for training and education is very limited.

    Fortunately, we're entering into the holiday season, which is a time of giving, and what I'm giving you are 25 security awareness courses and videos that are publicly available. Okay - maybe not the most exciting gift, but it fits the budget.

    I will publish a series of five posts and each post will have links to five training resources. The security awareness courses may be completed online (or on CD-ROM) and are provided without cost to you. This study program is designed to provide you with a broad security awareness. There will be overlap in training that will help you to build depth of knowledge and to emphasize important areas. I emphasize "broad". The material covers many of the domains within security, some of it IT Security, and some of the material may seem a bit Rambo'esque or even doom-and-gloom.

    There are several separate agencies and organizations that are offering the courses. Certificates of training can be printed following completion of the courses. You can enroll in any individual course, or if you're more highly motivated, aim for completing all of them. Personally, I believe that anyone who completes all of the courses will become a much more valuable security asset to their employer as well as their community.

    Bring out the leftover turkey, stuffing and cranberry sauce ... it's time to cram in some free security awareness classes!

    1. Phishing Awareness (Defense Information Systems Agency - US DoD)
    2. Personally Identifiable Information (PII) (Defense Information Systems Agency - US DoD)
    3. Security & Privacy Awareness Training (National Institute of Health Information)
    4. Information Assurance Awareness (Defense Information Systems Agency - US DoD)
    5. Information Assurance Awareness shorts (Defense Information Systems Agency - US DoD)