Thursday, November 30, 2023

Introduction to RMF

Training Overview

The Risk Management Framework (RMF) for DoD IT training program provides students with a comprehensive working knowledge of RMF, including DoD policies and procedures, along with the practical guidance needed to successfully implement them. The full four-day program consists of RMF for DoD IT Fundamentals (one day), followed by RMF for DoD IT In-Depth (three days).

• RMF for DoD IT Fundamentals (Day 1) provides an overview of information security and risk management and proceeds to a high-level view of RMF for DoD IT. Discussion is centered on RMF for DoD IT policies, roles and responsibilities, along with key publications from DoD, the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS). The class includes high-level discussion of the RMF for DoD IT “life cycle”, including security authorization (a.k.a. certification and accreditation), along with the RMF documentation package and security controls.

• RMF for DoD IT In-Depth (Days 2-4) expands on these topics at a level of detail that enables practitioners to immediately apply the training to their daily work. Each student will gain an in-depth knowledge of the relevant DoD, NIST and CNSS publications, along with the practical guidance needed to implement them in the work environment. Each phase of the seven-step RMF life cycle is covered in detail, as is each component of the corresponding documentation package. NIST Special Publication (SP) 800-53 Security Controls, along with the corresponding assessment procedures, are covered in detail, as are CNSS Instruction 1253 “enhancements”. Individual and group activities are used to reinforce key concepts.

Sunday, September 6, 2015

Apple iPhone Accounts Hacked Using KeyRaider Malware

Palo Alto Networks and WeipTech have uncovered a hack that involves over 225,000 Apple iPhone accounts so far. The hack is carried out by malware called KeyRaider on jailbroken iOS devices. It is reported that "the malware intercepts iTunes traffic to steal data from random user accounts, whose devices have been compromised through installation of malware-ridden jailbreak apps from untrusted sources." Compromised accounts could ultimately be charged with bogus purchases by the attacker. Here is a link to an article that explains how to detect whether your device is infected with the malware and how to remove it.

http://www.ibtimes.co.uk/how-detect-eliminate-keyraider-malware-jailbroken-ios-device-1518567

Saturday, September 5, 2015

Memory Leaks and C, C++

Greetings,

I just wanted to review some quick facts about security architecture and design, more specifically memory leaks. It's a concept you should be familiar with if you plan on taking the Security+, CISSP, etc.

Characteristics of Memory Leaks

When programs are written in object-oriented programming languages, programmers need to allocate memory space for each object the program creates. Once the program no longer requires the object, its memory space should be de-allocated to free up memory resources for the system to use. Some programming languages leave that to the programmer to accomplish herself. Other languages provide that capability automatically with a built-in garbage collector. When programs are poorly written, with objects using up memory and never releasing it back to the system, we call this a memory leak. Memory leaks are considered a vulnerability, and if discovered by hackers they can be exploited to crash the system in a denial of service attack.

One thing to keep in mind about memory leaks is that they are common in languages that have no built-in automatic garbage collection. Languages such as C and C++ lack a built-in automatic garbage collector and leave it to the programmer to manage memory allocation. Java, C#, Haskell and a host of other modern languages automatically get rid of objects that are no longer required by the application. Using programming languages that have automatic garbage collection is encouraged. Even experienced programmers can have memory bugs in a program that contains thousands of lines of code.

If you are taking the CISSP examination, just remember that memory leaks are common in C, C++, and other languages that lack an automatic garbage collector, and they are uncommon in Java, C#, and other languages that do have built-in garbage collection.
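As an added example (not from the original post), here is the pattern in C: a small input-validation helper that leaks its buffer on the error path, beside the corrected version, with a constructed allocation counter so the leak can be observed. A long-running service that called the leaky version once per malformed input would slowly exhaust memory, which is the denial-of-service risk described above.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation counter so a leak is observable in a test. */
static int live_blocks = 0;            /* allocated and not yet freed */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_blocks--; free(p); }
}

int live_allocations(void) { return live_blocks; }

/* Returns the digit count of 'input', or -1 if a non-digit is found.
 * Leaky version: the early return on bad input never frees 'copy'. */
int count_digits_leaky(const char *input) {
    size_t len = strlen(input);
    char *copy = tracked_malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, input, len + 1);
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)copy[i]))
            return -1;                 /* BUG: 'copy' is never released */
    }
    tracked_free(copy);
    return (int)len;
}

/* Fixed version: every exit path passes through the single cleanup. */
int count_digits_fixed(const char *input) {
    size_t len = strlen(input);
    char *copy = tracked_malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, input, len + 1);
    int result = (int)len;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)copy[i])) { result = -1; break; }
    }
    tracked_free(copy);                /* runs on success and failure alike */
    return result;
}
```

Feeding both functions the same malformed input shows the difference: the leaky one leaves a live block behind on every rejection, the fixed one leaves none.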

20 Must Have Skills for Information Security Professionals
Here are the 20 most important skills Information Security Professionals should have, according to O*NetOnline.org:
Critical Thinking — Using logic and reasoning to identify the strengths and weaknesses of alternative solutions, conclusions or approaches to problems.

Reading Comprehension — Understanding written sentences and paragraphs in work related documents.

Complex Problem Solving — Identifying complex problems and reviewing related information to develop and evaluate options and implement solutions.

Speaking — Talking to others to convey information effectively.

Active Listening — Giving full attention to what other people are saying, taking time to understand the points being made, asking questions as appropriate, and not interrupting at inappropriate times.

Writing — Communicating effectively in writing as appropriate for the needs of the audience.

Judgment and Decision Making — Considering the relative costs and benefits of potential actions to choose the most appropriate one.

Time Management — Managing one's own time and the time of others.

Active Learning — Understanding the implications of new information for both current and future problem-solving and decision-making.

Monitoring — Monitoring/Assessing performance of yourself, other individuals, or organizations to make improvements or take corrective action.

Systems Analysis — Determining how a system should work and how changes in conditions, operations, and the environment will affect outcomes.

Management of Personnel Resources — Motivating, developing, and directing people as they work, identifying the best people for the job.

Systems Evaluation — Identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.

Coordination — Adjusting actions in relation to others' actions.

Instructing — Teaching others how to do something.

Negotiation — Bringing others together and trying to reconcile differences.

Operation Monitoring — Watching gauges, dials, or other indicators to make sure a machine is working properly.

Quality Control Analysis — Conducting tests and inspections of products, services, or processes to evaluate quality or performance.

Service Orientation — Actively looking for ways to help people.

Social Perceptiveness — Being aware of others' reactions and understanding why they react as they do.
Reference: http://www.onetonline.org/link/summary/15-1122.00

Friday, September 4, 2015

One Reason to Pay Cash at the Gas Pump

Today, while I was at the gas pump, I noticed a skimmer. I wanted to write about it to make you guys aware of this scam. To be safe, it's better to pay cash at the pump.

skimmer video

Certified Cloud Security Professional CCSP

I have decided to pursue a certificate in Cloud Security. All data and applications are living in the cloud nowadays. Pretty soon even the operating systems will be on the cloud too.

It's cool that (ISC)2 has teamed up with the Cloud Security Alliance (CSA) to create the CCSP credential. I plan on doing consulting work in information security. This credential will definitely help me demonstrate my knowledge about cloud security.
Certified Information Security Professional

It's official, I'm a CISSP now. After several weeks of study and review, I took the exam for the first time and passed. I was sweating bullets that morning for six hours, thinking to myself that I had failed the test. I was surprised to see the word "congratulation" on the piece of paper the proctors give out at the end of the exam. Too bad ISC2 does not give out a score--I really want to know how well I did on the exam. I felt like I did poorly, but that might just be me being too hard on myself. I think I might even have overstudied for this test.

One thing I would recommend to CISSP candidates is to consider free study guides first before spending thousands on training seminars. You can save money by self-studying. This is already an expensive exam to pay for. Now, if your employer is paying for your training, then by all means take advantage of it. The reason I'm recommending self-study is that the topics and sub-topics are not that complicated. This exam is a "mile wide and an inch deep". If you can find enough time to go over all the material thoroughly, then you will most likely pass it.

To all those planning on taking the CISSP exam, good luck.