Information System Security (blog by IT Cypher)<br />
<br />
<b>Introduction to RMF</b> (posted 2023-11-30)<br />
<br />
Training Overview
The Risk Management Framework (RMF) for DoD IT training program provides students with a comprehensive working
knowledge of RMF including DoD policies and procedures, along with the practical guidance needed to successfully
implement them. The full four-day program consists of RMF for DoD IT Fundamentals (one day), followed by RMF for DoD
IT In Depth (three days).
• RMF for DoD IT Fundamentals (Day 1) provides an overview of information security and risk management and
proceeds to a high-level view of RMF for DoD IT. Discussion is centered on RMF for DoD IT policies, roles and
responsibilities, along with key publications from DoD, the National Institute of Standards and Technology (NIST)
and the Committee on National Security Systems (CNSS). The class includes high-level discussion of the RMF for
DoD IT “life cycle”, including security authorization (aka. certification and accreditation), along with the RMF
documentation package and security controls.
• RMF for DoD IT In-Depth (Days 2-4) expands on these topics at a level of detail that enables practitioners to
immediately apply the training to their daily work. Each student will gain an in-depth knowledge of the relevant DoD,
NIST and CNSS publications along with the practical guidance needed to implement them in the work environment.
Each phase of the seven-step RMF life cycle is covered in detail, as is each component of the corresponding
documentation package. NIST Special Publication (SP) 800-53 Security Controls, along with corresponding
assessment procedures, are covered in detail, as are CNSS Instruction 1253 “enhancements”. Individual and group
activities are used to reinforce key concepts.<br />
<br />
<b>Apple iPhone Accounts Hacked Using KeyRaider Malware</b> (posted 2015-09-06)<br />
<br />
Palo Alto Networks and WeipTech have uncovered a hack that has affected over 225,000 Apple iPhone accounts so far. The hack is carried out by malware called KeyRaider that runs on jailbroken iOS devices. It is reported that "the malware intercepts iTunes traffic to steal data from random user accounts, whose devices have been compromised through installation of malware-ridden jailbreak apps from untrusted sources." Compromised accounts could ultimately be charged for bogus purchases by the attacker. Here is a link to an article that explains how to detect whether your device is infected and how to remove the malware. <br />
<br />
<a href="http://www.ibtimes.co.uk/how-detect-eliminate-keyraider-malware-jailbroken-ios-device-1518567">http://www.ibtimes.co.uk/how-detect-eliminate-keyraider-malware-jailbroken-ios-device-1518567</a><br />
<br />
<b>Memory Leaks and C, C++</b> (posted 2015-09-05)<br />
<br />
Greetings,<br />
<br />
I just wanted to review some quick facts about security architecture and design, more specifically memory leaks. It's a concept you should be familiar with if you plan on taking the Security+, CISSP, etc.<br />
<br />
<b>Characteristics of Memory Leaks</b><br />
<br />
When programs are written in object-oriented programming languages, programmers need to allocate memory space for each object the program creates. Once the program no longer requires the object, its memory space should be de-allocated to free up memory for the system to use. Some programming languages leave that to the programmer to do herself; others provide the capability automatically with a built-in garbage collector. When programs are poorly written, with objects using up memory and never releasing it back to the system, we call this a memory leak. Memory leaks are considered a vulnerability, and if hackers discover one they can exploit it to exhaust memory and crash the system in a denial of service attack.<br />
<br />
One thing to keep in mind about memory leaks is that they are common in languages that have no built-in automatic garbage collection. Languages such as C and C++ lack a built-in garbage collector and leave it to the programmer to manage memory allocation. Java, C#, Haskell and a host of other modern languages automatically get rid of objects that are no longer required by the application. Using languages that have automatic garbage collection is encouraged. Even experienced programmers can have memory bugs in a program that contains thousands of lines of code. <br />
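To make the C case concrete, here is an added example (not code from the original post) of a leak on an error path beside its fix. The allocation counter is a constructed stand-in so the leak can be measured in-process without an external tool:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation counter: wraps malloc/free so the number of
 * outstanding allocations can be observed from inside the program. */
static long live_allocations = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocations++;
    return p;
}

static void tracked_free(void *p) {
    if (p) live_allocations--;
    free(p);
}

/* Count comma-separated fields in a record, e.g. "alice,admin,2015" -> 3.
 * Leaky version: the early return on a malformed record skips the free. */
int count_fields_leaky(const char *record) {
    char *copy = tracked_malloc(strlen(record) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, record);
    if (strchr(copy, ',') == NULL) {
        return -1;                 /* BUG: 'copy' is never released */
    }
    int fields = 1;
    for (char *c = copy; *c != '\0'; c++) {
        if (*c == ',') fields++;
    }
    tracked_free(copy);
    return fields;
}

/* Fixed version: a single exit path, so the buffer is freed on every outcome. */
int count_fields_fixed(const char *record) {
    char *copy = tracked_malloc(strlen(record) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, record);
    int fields = -1;
    if (strchr(copy, ',') != NULL) {
        fields = 1;
        for (char *c = copy; *c != '\0'; c++) {
            if (*c == ',') fields++;
        }
    }
    tracked_free(copy);
    return fields;
}

/* Run a workload mixing valid and malformed input through 'fn' and report
 * how many buffers are still allocated afterwards (the leaked count). */
long leaked_by(int (*fn)(const char *), int rounds) {
    long before = live_allocations;
    for (int i = 0; i < rounds; i++) {
        fn("alice,admin,2015");    /* well-formed: both versions free the copy */
        fn("malformed");           /* error path: the leaky version leaks one buffer */
    }
    return live_allocations - before;
}

int main(void) {
    printf("leaky version: %ld buffers still allocated\n", leaked_by(count_fields_leaky, 1000));
    printf("fixed version: %ld buffers still allocated\n", leaked_by(count_fields_fixed, 1000));
    return 0;
}
```

Each malformed record costs the leaky version one buffer that is never returned, which is exactly how a long-running service loses memory until it fails.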
<br />
If you are taking the CISSP examination, just remember that memory leaks are common in C, C++, and other languages that lack an automatic garbage collector, and uncommon in Java, C#, and other languages that have built-in garbage collection.<br />
<br />
<b>20 Must Have Skills for Information Security Professionals</b> (posted 2015-09-05)<br />
<br />
Here are the 20 most important skills Information Security Professionals should have, according to O*NET OnLine:<br />
<br />
<br />
<b>Critical Thinking </b>— Using logic and reasoning to identify the strengths and weaknesses of alternative solutions, conclusions or approaches to problems. <br />
<br />
<b>Reading Comprehension </b>— Understanding written sentences and paragraphs in work related documents. <br />
<br />
<b>Complex Problem Solving</b> — Identifying complex problems and reviewing related information to develop and evaluate options and implement solutions. <br />
<br />
<b>Speaking </b>— Talking to others to convey information effectively. <br />
<br />
<b>Active Listening</b> — Giving full attention to what other people are saying, taking time to understand the points being made, asking questions as appropriate, and not interrupting at inappropriate times. <br />
<br />
<b>Writing</b> — Communicating effectively in writing as appropriate for the needs of the audience. <br />
<br />
<b>Judgment and Decision Making </b>— Considering the relative costs and benefits of potential actions to choose the most appropriate one. <br />
<br />
<b>Time Management</b> — Managing one's own time and the time of others. <br />
<br />
<b>Active Learning </b>— Understanding the implications of new information for both current and future problem-solving and decision-making. <br />
<br />
<b>Monitoring </b>— Monitoring/Assessing performance of yourself, other individuals, or organizations to make improvements or take corrective action. <br />
<br />
<b>Systems Analysis</b> — Determining how a system should work and how changes in conditions, operations, and the environment will affect outcomes. <br />
<br />
<b>Management of Personnel Resources</b> — Motivating, developing, and directing people as they work, identifying the best people for the job. <br />
<br />
<b>Systems Evaluation </b>— Identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system. <br />
<br />
<b>Coordination</b> — Adjusting actions in relation to others' actions. <br />
<br />
<b>Instructing </b>— Teaching others how to do something. <br />
<br />
<b>Negotiation</b> — Bringing others together and trying to reconcile differences. <br />
<br />
<b>Operation Monitoring</b> — Watching gauges, dials, or other indicators to make sure a machine is working properly. <br />
<br />
<b>Quality Control Analysis </b>— Conducting tests and inspections of products, services, or processes to evaluate quality or performance. <br />
<br />
<b>Service Orientation</b> — Actively looking for ways to help people. <br />
<br />
<b>Social Perceptiveness </b>— Being aware of others' reactions and understanding why they react as they do. <br />
<br />
<br />
Reference: <a href="http://www.onetonline.org/link/summary/15-1122.00">http://www.onetonline.org/link/summary/15-1122.00</a><br />
<br />
<b>One Reason to Pay Cash at the Gas Pump</b> (posted 2015-09-04)<br />
<br />
Today while I was at the gas pump I noticed a skimmer. I wanted to write about it to make you guys aware of this scam. To be safe, it's better to pay cash at the pump.<br />
<br />
<a href="https://youtu.be/G_aH50Tn8Fo">skimmer video</a><br />
<br />
<b>Certified Cloud Security Professional CCSP</b> (posted 2015-09-04)<br />
<br />
I have decided to pursue a certificate in Cloud Security. All data and applications are living in the cloud nowadays. Pretty soon even the operating systems will be on the cloud too.<br />
<br />
It's cool that (ISC)2 has teamed up with the Cloud Security Alliance (CSA) to create the CCSP credential. I plan on doing consulting work in information security. This credential will definitely help me demonstrate my knowledge of cloud security. <br />
<br />
<br />
<a href="https://youtu.be/dfOLKfrx0sY">https://youtu.be/dfOLKfrx0sY</a><br />
<br />
<b>Certified Information Security Professional</b> (posted 2015-09-04)<br />
<br />
It's official, I'm a CISSP now. After several weeks of study and review, I took the exam for the first time and passed. I was sweating bullets that morning, for six hours, thinking to myself that I had failed the test. I was surprised to see the word "congratulation" on the piece of paper the proctors give out at the end of the exam. Too bad ISC2 does not give out a score--I really want to know how well I did on the exam. I felt like I did poorly, but that might just be me being too hard on myself. I think I might even have over-studied for this test. <br />
<br />
One thing I would recommend to CISSP candidates is to consider free study guides first before spending thousands on training seminars. You can save money by self-studying. This is already an expensive exam to pay for. Now, if your employer is paying for your training, then by all means take advantage of it. The reason I'm recommending self-study is that the topics and sub-topics are not that complicated. This exam is "a mile wide and an inch deep". If you can find enough time to go over all the material thoroughly, then you will most likely pass it. <br />
<br />
To all those planning on taking the CISSP exam, good luck.<br />
<br />
<b>NSA Whistleblower Edward Snowden is Proof that Humans Are the Weakest Link in Security Systems</b> (posted 2013-06-23)<br />
<br />
I've said it before in my other blog posts that regardless of how secure you think a system is, there is always the chance of a compromise. You would think that out of all people the CIA would have known this. For this post, I'm going to focus on the biggest reason for system vulnerability--humans. Internal controls may be put in place to mitigate risks, and employees, for whatever reasons, will find ways to circumvent the controls. Computers, network devices, and software will malfunction here and there, but when you compare their reliability with that of humans, hardware and software are more reliable. <br />
<br />
In Edward Snowden's case, he rationalized that he had justification to violate his organization's policy. The NSA may have some shortcomings that violate the public's privacy, but I think Snowden went about this the wrong way. Just my humble opinion. Was Edward Snowden ethically right or wrong for leaking details of the classified NSA mass surveillance program? It's hard for me to really answer that. The lesson to learn here is that people in your organization will be the most likely cause of information leaks. People will always rationalize to justify violating company policy. <br />
<br />
Some may argue that Edward Snowden just wanted publicity or some may say he was genuinely looking out for the American public. I say beware of who you trust with your information.<br />
<br />
<b>The Alphabet Soup of Security Regulations (SOX, GLBA, PCI-DSS, HIPAA)</b> (posted 2013-06-23)<br />
<br />
The alphabet soup of security regulations (SOX, GLBA, PCI-DSS, HIPAA) is evidence of the growing concern over security issues in every organization, government agency, corporation, and military unit. Organizations need to protect their market share, customers and bottom line, follow the regulations, and still maintain their competitive edge. It pays to be familiar with all the various security regulations because they provide guidelines to protect the public and help corporations be socially responsible. Here is a list of some of the regulations and their descriptions.<br />
<br />
<b>SOX</b><br />
<br />
SOX is short for the Sarbanes-Oxley Act of 2002. After the collapse of the fraudulent Enron and WorldCom, Senators Sarbanes and Oxley helped pass this securities law to protect investors. This bill affects IT because corporations that report to the Securities and Exchange Commission often use information technology and information systems to complete the company's financial accounting and reporting. SOX requires corporations to have internal controls in place to ensure the proper recording of accounting information and to mitigate the risk of fraud.<br />
<br />
<b>GLBA</b><br />
<br />
GLBA is short for the Gramm-Leach-Bliley Act of 1999. The regulation requires financial institutions to develop privacy notices and give their customers the option to restrict the institutions from sharing their information with nonaffiliated third parties. There should be a written security policy in place that explains how customers' information is kept confidential.<br />
<br />
<b>PCI-DSS</b><br />
<br />
PCI-DSS stands for Payment Card Industry Data Security Standard. This standard applies to all businesses that process, transmit, store, or accept credit card data. There are 12 core requirements to follow, which I may write about in future blogs.<br />
<br />
<b>HIPAA</b><br />
<br />
The Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation enacted to standardize the handling of medical information by medical professionals and organizations. HIPAA provides the necessary framework and guidelines to ensure the security, integrity, and privacy of patients' information. Fines for violating this regulation can be as much as $50,000 and one year in prison. The amount can go up to $250,000 and ten years in prison if the violation was committed willfully and intentionally under false pretenses.<br />
<br />
This is just a quick overview of some of the major information security regulations and standards, but there are many more. I think every information security practitioner needs to become familiar with the laws, directives, and regulations in computer and information security to be better able to serve their clients. In my next post, I will talk about the various certifications that are available for information security practitioners.<br />
<br />
<b>The CIA of Information Security</b> (posted 2013-06-21)<br />
<br />
In information security, CIA is a popular acronym that describes the three objectives of information security: confidentiality, integrity, and availability. There should also be a balance between them. <b>Confidentiality</b> is the objective of keeping the user's information private. The user could be a customer, client, patient, etc. Sometimes confidentiality is required by law, such as HIPAA for the medical field, and sometimes it is a matter of being ethical and following best practice. As information security becomes more of a concern for the average user, companies need to consider protecting their clients' information as part of their corporate social responsibility initiative.<br />
<br />
<b>Integrity</b> means that the information remains intact. Whether it's done intentionally or accidentally, providing stakeholders with incorrect information may have a huge impact on the bottom line of a business. Corporations may have to pay fines to the SEC for misstatements; they may lose investors because of reduced confidence. Inaccurate information also increases information risk, in which decision makers make decisions based on inaccurate information. Information security strives to ensure the accuracy of the data that people rely on to make decisions. As an example, think of a medical doctor verifying the patient and the surgical operation that is to be performed. You can imagine the type of error that could happen if the medical information system inaccurately displayed a patient for the wrong operation procedure. Another example is bank account information being mixed up.<br />
<br />
<b>Availability</b> ensures that the information is there when users of the system need it. Some companies would lose millions if their online store website were down for a few hours. Denial of Service (DoS) is one type of attack that focuses on making systems unavailable to users. Additional backup servers are needed as part of a company's disaster recovery plan or contingency plan.<br />
<br />
When you think of securing a system, think of the security principles CIA--confidentiality, integrity, and availability.<br />
<br />
<b>It Should Be Called Pass Phrase</b> (posted 2013-06-15)<br />
<br />
Password is a misnomer. If you actually use a word from the dictionary as your password to any account, you are making life easy for hackers. As a best practice, systems administrators should ensure their organization has a good password policy as its security baseline. The policy should be taught to all users and enforced.<br />
<br />
Audits should be conducted using popular password-cracking utilities such as Cain &amp; Abel, John the Ripper, and Crack. Passwords should be kept for a maximum of 60 days before they are changed. The risk of dictionary attacks and brute force (when a hacker uses special software to guess a password) can be minimized if passwords are complex and changed frequently.<br />
<br />
Keep in mind that your password should be based on a passphrase instead of dictionary words, pet names, favorite teams, birthday months, etc. Also, remember that all accounts and systems that you log in to are potentially important, even though they may not appear to hold valuable information. Email accounts can be used to reset other accounts, such as bank accounts. Accounts on social media sites such as Facebook could be used to extract information from your friends and family by posing as you.<br />
<br />
Here are some components of a good pass-"phrase":<br />
<br />
<ul>
<li>Should be at least fifteen characters long</li>
<li>At least two of the characters should be uppercase (A-Z)</li>
<li>At least two of the characters should be lowercase (a-z)</li>
<li>At least two of the characters should be numbers (0-9)</li>
<li>At least two of the characters should be special characters or punctuation marks )(*&amp;^%$#@!?</li>
<li>No real words</li>
<li>Not the same as the login name or your real first or last name</li>
<li>Should be changed frequently</li>
</ul>
Example:<br />
<br />
phrase: I love twitter and facebook<br />
<br />
passphrase: !Lov3Twitt3r&FB <br />
<br />
It would take password-cracking tools centuries to crack this passphrase, and it's easy for the user to remember.<br />
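A policy checker that enforces the components listed above, written in C as an added example (not code from the original post). The five-word dictionary is a constructed stand-in for a real word list, and the login name "mike" is a made-up value:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a real dictionary; a deployment would load a
 * full word list. The "no real words" rule is checked as a case-insensitive
 * substring match against this list. */
static const char *DICTIONARY[] = { "love", "twitter", "facebook", "password", "summer", NULL };

/* Case-insensitive substring test (strcasestr is not part of ISO C). */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle), h = strlen(hay);
    if (n == 0 || n > h) return n == 0;
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == n) return 1;
    }
    return 0;
}

static int equals_ci(const char *a, const char *b) {
    return strlen(a) == strlen(b) && contains_ci(a, b);
}

/* Returns 1 if 'pw' meets every rule from the list above; otherwise 0 and
 * *why names the first rule that failed ('why' may be NULL). */
int passphrase_ok(const char *pw, const char *login, const char **why) {
    const char *unused;
    if (why == NULL) why = &unused;
    int upper = 0, lower = 0, digit = 0, special = 0;
    size_t len = strlen(pw);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) upper++;
        else if (islower(c)) lower++;
        else if (isdigit(c)) digit++;
        else if (ispunct(c)) special++;   /* punctuation counts as a special character */
    }
    if (len < 15)    { *why = "shorter than 15 characters"; return 0; }
    if (upper < 2)   { *why = "fewer than 2 uppercase letters"; return 0; }
    if (lower < 2)   { *why = "fewer than 2 lowercase letters"; return 0; }
    if (digit < 2)   { *why = "fewer than 2 digits"; return 0; }
    if (special < 2) { *why = "fewer than 2 special characters"; return 0; }
    if (equals_ci(pw, login)) { *why = "same as login name"; return 0; }
    for (const char **w = DICTIONARY; *w != NULL; w++)
        if (contains_ci(pw, *w)) { *why = "contains a dictionary word"; return 0; }
    *why = "ok";
    return 1;
}

int main(void) {
    /* Constructed candidates: the phrase, the post's passphrase, and a leaked-style one. */
    const char *candidates[] = { "I love twitter and facebook", "!Lov3Twitt3r&FB", "Password12345678AB!!", NULL };
    for (const char **p = candidates; *p != NULL; p++) {
        const char *why;
        int ok = passphrase_ok(*p, "mike", &why);
        printf("%-28s -> %s (%s)\n", *p, ok ? "ACCEPT" : "REJECT", why);
    }
    return 0;
}
```

The post's own example passes every rule because the substituted digits break the dictionary words, while a long password built around "Password" is rejected despite satisfying all the character counts.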
<br />
<br />
<b>I Like My Security System to be Like My Cake: Multi-layered</b> (posted 2013-06-14)<br />
<br />
I'll tell you right now there is no system out there that is 100% secure from being hacked. "Black hat" hackers usually try a number of attacks until they find a vulnerability in the system, then they exploit it. Security professionals have to counter all the various attacks by building up a security system that is multi-layered.<br />
<br />
It pays to be able to think like the so-called "black hat" hacker. In fact, security professionals should consider themselves hackers and learn as much as possible from the hacking community with an open mind. How else are you going to know what the bad guys are up to and be prepared to counter their attacks? <br />
<br />
The layered approach is fitting for most modern information security threats. Training staff on general security concepts such as social engineering, phishing, vishing, shoulder surfing, dumpster diving and common email and online hoaxes should be the first layer of your organization's information security. Well-written policies, standards, guidelines, and procedures are another layer. Using the most up-to-date technology for encrypting confidential information is yet another layer. There are many more layers, such as testing and applying updates regularly, having a security baseline, intrusion detection, system hardening, etc. The list of layers can go on endlessly.<br />
<br />
Even though there are no guarantees that an information system will be 100% secure, we can make it near impossible to compromise.<br />
<br />
<b>Welcome to My Blog on Computer Information System Security</b> (posted 2013-06-14)<br />
<br />
My name is Mike Cesaire. I'm an IT professional with over ten years of information system security experience. I have dealt with many aspects of computer and information security, which I will be blogging about. I have passed the Security+ certification, therefore I'm certified by CompTIA. I haven't taken the CISSP or CISA yet, but I will keep you posted when I do.<br />
<br />
My intended audience is information technology students, information security professionals, or anyone interested in information system security. I will share my knowledge, opinions, and experiences with all my readers. I will take the time to read all comments. Please ask lots of questions so I can address them in my blog posts.<br />
<br />
In my blogs, I will discuss topics such as access control; telecommunications and network security; information security governance and risk management; software development security; cryptography; security architecture and design; operations security; business continuity and disaster recovery planning; legal, regulations, and compliance; and physical/environmental security.