ISSUE NUMBER 20 An (ISC)2 Digital Publication www.isc2.

org

KEEPING UP WITH

NEXT GEN RISK MANAGEMENT

Nova Southeastern University admits students of any race, color, sexual orientation, and national or ethnic origin. Nova Southeastern University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools (1866 Southern Lane, Decatur, Georgia 30033-4097, Telephone number: 404-679-4501) to award associates, bachelors, masters, educational specialist, and doctoral degrees.

Information Security
Computer Science Information Systems

Educational Technology

Information Technology

The password to your future is NSU.

The Graduate School of Computer and Information Sciences at Nova Southeastern University offers forward-thinking educational programs to prepare students for leadership roles in information technology. Designated as a National Center of Academic Excellence in Information Assurance Education by the U.S. National Security Agency, we offer rigorous educational programs with flexible formats for working professionals, state-of-the-art facilities, and a distinguished faculty. In this diverse and dynamic field, our graduates are achieving success in the military, government departments, and universities nationwide, as well as at top companies.

HOW WE STAND OUT

Designated a National Center of Academic Excellence in Information Assurance Education by the U.S. government since 2005 Pioneer of online education since 1984 Earn your graduate certificate, masters degree, or Ph.D degree in information security IEEE members receive tuition discounts Apply today and advance your career at: www.scis.nova.edu/isc

NSU-CIS-6622 Info Security Professional LO2

issue 20
2012
VOLUME 4

18
10
COVER PHOTO BY COLIN ANDERSON; ABOVE ILLUSTRATION BY MICHAEL AUSTIN

[features]
Keeping up with Next-Gen Risk
The risk-management model is changing rapidly, as technology, data, and security regulations grow.
BY PETER FRETTY

3 4 6 20 22 24

[alsoinside]
Executive Letter From the desk of (ISC)2s Global Communications Manager, Sarah Bohne. Views and Reviews Highlights from (ISC)2s event moderator, Brandon Dunlap. Member News Read up on the latest happenings with (ISC)2 and its worldwide members. Q&A Patrick C. Miller, founder, president and CEO of Energy Sector Security Consortium, Inc. Chapter Passport Chapter Leaders Convene in Philadelphia, Penn., U.S.

Cyber-Secure Culture in 2013

Moderators Corner

14

Teaching Moment: From Fairy Tales to Info Security

Stories can be used to teach ethics or communicating infosec information.
BY KERRY ANDERSON

FYI

Mastering Security and Innovation

18

Filling the (Soft) Skills Gap

A balance of technical and soft skills boosts your career options.
BY COLLEEN FRYE

Voices of Thanks

Be Aware of Security Awareness

Global Insight Are security processes practiced routinely at your organization? BY PEDRO D. NAVARRO, CISSP.

InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2 on the issues discussed as of the date of publication. No part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other (ISC)2 product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. For subscription information or to change your address, please visit www.isc2.org. To order additional copies or obtain permission to reprint materials, please email infosecproeditor@isc2.org. To request advertising information, please email tgaron@isc2.org. 2012 (ISC)2 Incorporated. All rights reserved.

ISSUE NUMBER 20

INFOSECURITY PROFESSIONAL

Leaders see opportunity where others see obstacles.

While BYOD can often bring on fear from the unknown, it can also provide organizations with enormous opportunity, such as cost-saving benefits. CISSP-ISSMPs have the proven technical knowledge and experience to capitalize on these opportunities and effectively lead their business through the adoption of BYOD while continuously mitigating risk. ISSMPs are vital to an organizations successestablishing, presenting and governing security policies, leading incident handling and breach mitigation teams, and more. On April 1, 2013, the ISSMP domains will change to reflect the most current work performed by and knowledge required for an ISSMP.

Learn about the ISSMP changes

executive letter
FROM THE DESK OF THE (ISC)2 GLOBAL COMMUNICATIONS MANAGER

SARAH BOHNE, GLOBAL COMMUNICATIONS MANAGER, SAYS (ISC) 2 ANTICIPATES SIGNIFICANT GROWTH ON MANY FRONTS IN SUPPORT OF CYBER SECURITY PROFESSIONALS.
AS THE GLOBAL SHORTAGE for cyber security professionals continues unabated, (ISC)2 is building programs to enhance the workforce of today and foster the workforce of tomorrow. By inspiring a culture of cyber security responsibility within both professional and local communities, a workforce is emerging that will be able to adapt and respond to evolving threats and challenges. Through programs like (ISC) Chapters, the (ISC) Foundation Scholarship and Safe and Secure Online programs, the networking, mentoring, professional development, and public education opportunities that are critical to ensuring a safe and secure cyber world are available to more prospective professionals than ever before. The Chapter program, which began just 14 months ago, now consists of more than 70 local chapters around the world. More importantly, we anticipate considerable Chapter growth (hopefully 50 new chapters) in 2013. The Chapters are designed to meet the professional development, community, and networking needs of our membership at a local level. The Chapters are also the launch pad for our efforts to help fill the professional pipeline. In September, we announced a NextGen program aimed at attracting new people to the industry and providing opportunities for education, networking and mentorship, which dovetails with the mission of many (ISC) Chapters. Currently, nine of them have designated a NextGen Liaison who will program events and sessions aimed at newcomers of any age. Although the content will be driven by individual chapters, (ISC) will facilitate the programs and provide support materials. The program will be expanded to all interested chapters in early 2013, and we encourage the participation of experienced professionals who are interested in mentoring. Scholarships are another way were helping fill the industry pipeline: the (ISC) Foundation granted US$120,000 in undergraduate and faculty scholarships in 2012 and will increase that to US$145,000 in 2013. Cyber security awareness is a large component of

A Cyber-Secure Culture in 2013

our social responsibility efforts in the form of the (ISC) Foundation Safe and Secure Online program. At the conclusion of National Cyber Security Awareness Month in the U.S. and Canada and Get Safe Online Week in the U.K. in October, (ISC) member volunteers had reached 85,000 students worldwide with a message of responsible digital citizenship (read more in the Giving Corner on pg 9). Members receive special training to deliver an interactive presentation that teaches children ages 7-14 how to protect themselves online while introducing them to a potential career in cyber security. The (ISC) Foundation recently launched a Safe and Secure Online presentation tailored for parents and teachers in an effort to equip caregivers with the knowledge to reinforce responsible online behavior at home and in the classroom. Volunteers earn continuing professional education credits for the training video and presenting in the classroom or at other group functions. The program is currently active in four countries (Canada, Hong Kong, U.S., and U.K.), and we hope to expand our reach into more countries next year to educate thousands more children, parents, and teachers. Other 2013 events you can look forward to include an expanded 3rd annual Security Congress. Also watch for the release of the bi-annual (ISC) Global Information Security Workforce Study (GISWS). The GISWS is the largest study of its kind and provides detailed insight into important career trends and opportunities within the information security profession. Look for the findings on the Foundation website www.isc2cares.org, at the end of February. Also look for an expanded 3rd annual (ISC) Security Congress and a new mission statement that describes how (ISC) and its members are working every day to inspire a safe and secure cyber world. Best regards, Sarah Bohne (ISC)2 Global Communications Manager 3

ISSUE NUMBER 20

INFOSECURITY PROFESSIONAL

moderators corner
VIEWS AND REVIEWS FROM (ISC)2'S EVENT MODERATOR

2012: A Year of Accomplishments

WITH 2012 RECEDING in the rear view mirror, I am struck with a sense of wonder at what we have managed to accomplish this year. You may recall, in my last column I introduced you to a new, online educational offering from (ISC)2: The Security Briefings Series. These monthly, one-hour webinars allow us to focus on a single theme over several months, discussing the various facets of what are often very thorny problems. Attendance and feedback from these first sessions have been fantastic. Your constructive criticism has helped us refine the programming, and I am eager to continue building on this success throughout 2013. Keep the comments coming! We reached another significant milestone this year with the second annual Security Congress. Standing on the foundation of last years event in Orlando, Fla., U.S.A., I had the pleasure to meet and chat with many of you in Philadelphia, Penn., U.S.A. this year, where we, once again, shared the stage with our partner, ASIS. As is often the case with such events, the hallway track offered up information that was just as fascinating as the official program. Whats more, the opportunity to make new professional connections was at an all-time high, thanks to a dramatic increase in attendance. Topics such as bring your own device (BYOD) and cloud dominated the agenda once again, and some interesting newcomers to the field brought out some amazing insights. Namely, I had the pleasure of introducing the Orlando Doctrine, which Ive been working on with my longtime friend and colleague Spencer Wilcox. Finally, a notable infosec celebrity Javvad Malik appeared at this years Congress. You may remember his Benefits of Being a CISSP video from last year, which was a big hit within our community of practitioners. You can catch his (soon-to-be) award-winning documentary. As we head into 2013, Im looking forward to catching up with many of you at our Security Leadership Series live events, on the web for our roundtables and e-symposiums, and, of course, at the 2013 Security Congress in Chicago, Ill., U.S.A. As always, lets keep it interactive. I look forward to continuing the conversation. Brandon Dunlap Managing Director of Research, Brightfly bsdunlap@brightfly.com www.brightfly.com

Management Team Elise Yacobellis Executive Publisher 727-683-0782 n eyacobellis@isc2.org Timothy Garon Publisher 508-529-6103 n tgaron@isc2.org Marc G. Thompson Associate Publisher 703-637-4408 n mthompson@isc2.org Amanda DAlessandro Corporate Communications Specialist 727-785-0189 x242 adalessandro@isc2.org Sarah Bohne Global Communications Manager 616-719-9113 n sbohne@isc2.org Sales Team Jennifer Hunt Events Sales Manager 781-685-4667 n jhunt@isc2.org Lisa O'Connell Regional Sales Manager 781-460-2105 n loconnell@isc2.org IDG Media Team Charles Lee Vice President, Custom Solutions Group Alison Lutes Project Manager Joyce Chutchian Editor 508-628-4823 jchutchian@idgenterprise.com Kim Han Art Director Lisa Stevenson Production Manager

A DV E R T I S E R I N D E X ASIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . 5 (ISC)2 . . . . . . . . . p . 2; p . 8; p . 21; Back Cover Microsoft . . . . . . . . . . . . . . . . . . . . . . . . . p . 12 NOVA Southeast . . . . . Inside Front Cover RSA Europe . . . . . . . . . . . . . . . . . . . . . . . p . 23 For information about advertising in this publication, please contact Tim Garon at tgaron@isc2 .org .

INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

STRATEGIC. SMART. SECURE.

Todays smart, strategic solutions mesh together all aspects of logical and physical security. The convergence of technologies and systems needed to make us more secure demand that industry professionals operate at the very top of their game. ASIS 2013, the worlds most influential security event, will deliver the forward-thinking solutions and up-to-date intelligence security professionals need to face challenges and mitigate risk. Ready to cut through the clutter and map out a more secure future? Well see you and your most pressing questions in Chicago.

ASIS INTERNATIONAL
SeMinar and exhibitS

59th AnnuAl

September

2427

COLOCATED EVENT

McCorMiCk PlaCe, ChiCago, il

For information visit www.asisonline.org or call +1.703.519.6200.

fy
D O YO U K N O W S O M E O N E

(ISC)2 MEMBER NEWS

Career Guidance for Aspiring Infosec Pros

who is interested in a career in information security but doesnt know where to start? The new (ISC)2 NextGen program was created just for them. The group provides a platform for aspiring and emerging security professionals to join the information security workforce. It is open to aspiring and active cyber security professionals age 35 and under, looking to bolster their careers and deepen connections with the professional community. The program also offers experienced professionals an opportunity to provide expertise and guidance through mentorship. Eight (ISC)2 chapters are participating in the pilot program, with a full rollout planned for early 2013. Chapters that are currently participating include:
n Colombo, Sri Lanka Chapter (Sri Lanka) n Manitoba/Saskatchewan Chapter (Canada) n National Capital Region Chapter (Washington, D.C., U.S.) n New Jersey Chapter (U.S.) n Omaha Lincoln Chapter (Nebraska, U.S.) n Sacramento Chapter (California, U.S.) n Sao Paulo Chapter (Brazil) n Tampa Bay Chapter (Florida, U.S.)
PHOTO BY MULTI-BITS/ THE IMAGE BANK

INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

Congratulations to the 2012 (ISC)2 U.S. Government Information Security Leadership Award recipients
(ISC) 2 IS PROUD TO PRESENT the recipients of our ninth annual U.S. Government

Information Security Leadership Awards program. CATEGORY: COMMUNITY AWARENESS AWARD RECIPIENT: The U.S. Federal Aviation Administration (FAA) Awareness, Training and Evaluations Division Team, led by Nancy Hendricks, CISSP, information systems security specialist PROJECT: The AIS-200 Team achieved quantifiable results in support of various administrative requirements, including a six-month campaign to ensure that at least 95 percent of the user population completed annual awareness training. CATEGORY: FEDERAL CONTRACTOR AWARD RECIPIENT: The U.S. Department of Defenses Joint Capability Technology Demonstration (JCTD) Adaptive Red Team, led by David Rohret, CEH, Security+, CHFI, ECSA/LPT, CNDA, senior principal systems engineer, CSC PROJECT: In response to a request to replicate how real-world hackers, cyber armies and cyber criminals would attack the DoD, the JCTD ART developed a process for applying goal-oriented scenarios through the adversarys eyes, attacking and assessing from every approach to determine the most likely attack vector based on the greatest impact. CATEGORY: PROCESS/POLICY AWARD RECIPIENT: Janet Stevens, PMP, chief information officer, USDA Food Safety and Inspection Service (FSIS), Information Assurance Division (IAD) PROJECT: Janet has dedicated herself to ensuring that every member of the FSIS community, from security officers to office staff, is aware of cyber security. Through an innovative use of social media and contributions to organizational publications, Janet provides her agency with in-depth explanations of cyber security issues and practices, and updates on the latest IAD news. CATEGORY: TECHNOLOGY IMPROVEMENT AWARD RECIPIENT: The U.S. Air Forces Military Satellite Communications (MILSATCOM) Systems Directorates Host Based Security System (HBSS) Pilot Integration Team, led by Steven Martin, CISM, information assurance manager PROJECT: By formulating, documenting and completing a proof of concept as a pathfinder model for future implementation, the team integrated the HBSS baseline on a Space Mission System in less than two months. CATEGORY: WORKFORCE IMPROVEMENT AWARD RECIPIENT: The U.S. Army Reserves Information Operations Command (AROIC) Cyber Warrior Training Development Team led by Col. John Diaz, CISSP, CRISC, professional engineer and commander PROJECT: This 10-person team implemented a training strategy that systematically trains and transforms AROIC soldiers into elite, combat-ready cyber warriors who are called upon to protect, monitor, analyze, detect and respond to unauthorized activity on the Armys information systems and computer networks.

Study on the GO
S T U DY I N G F O R T H E C I S S P

credential has never been more convenient. The first four domains (Access Control, Telecommunications & Network Security, Information Security Governance & Risk Management, and Software Development Security) of the Guide to the CISSP CBK, Third Edition are now available in iBook format. Now you have the flexibility to choose only the domains that you need while studying from the convenience of your iPad, iPhone or iPod.

New Award for 2013 GISLA Program

We are also pleased to announce the creation of a new GISLA to honor Lynn F. McNulty, CISSP, who passed away in June 2012, but whose innovation, influence, and commitment to government information security will be felt for years to come. The (ISC)2 Lynn F. McNulty Tribute GISLA will recognize a member of the U.S. federal information security community who upholds McNultys legacy as a visionary and innovator through outstanding service and commitment. The first recipient will be hand-chosen by the (ISC)2 U.S. Government Advisory Board for Cyber Security (GABCS) and recognized at the 2013 GISLA ceremony.
INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

Graduate with More than Academic Credentials

department at the University of Warwicks Cyber Security and Management program can now attend a three-day (ISC)2 CISSP Compact course and become Associate members of (ISC)2. This opportunity is the result of WMGs Academic Affiliate Agreement with (ISC)2 to support the entry of its MSc in cyber security and management graduates into the workforce. Upon graduation, students are armed with both academic credentials and Associate of (ISC)2 status, along with the opportunity to train for the CISSP credential. Through WMG, the University of Warwick is the second university in the U.K. to support its MSc program graduates with an (ISC)2 credential program, following Royal Holloway College at the University of London.
G R A D U AT E S O F T H E W A R W I C K M A N U FA C T U R I N G G R O U P ( W M G )

CALL for SPEAKERS

(ISC) Security Congress Categories:
Compliance, Regulation & Governance Threats - Inside and Out Cloud Security Swiss Army Knife -General topics of interest in Information Security Application Security Mobile Security/Social Networking Software Assurance Malware Government Security

Colocated with

S b T d Submit Today

September 24-27
Chicago, IL McCormick Place
8
INFOSECURITY PROFESSIONAL
ISSUE NUMBER 20

SECURITY CONGRESS

Giving Corner
T H E PA S T Y E A R H A S B E E N A P R O D U C T I V E Y E A R ,

with numerous successful program launches that touch

the lives of so many people worldwide. With every experience, whether its determining scholarship recipients, brainstorming for new Safe and Secure Online programs, or expanding our volunteer opportunities, we find that we are able to improve upon each existing program and strive for more outreach, service, and enrichment the next time around. Our (ISC)2 Foundation Committee comprises board members and regional advisory board members worldwide. It was formed to improve the impact our programs have on members, on vulnerable publics, and on the industry as a whole. They are also tasked with helping the Foundation gather the human and financial resources needed to boost program impact, and to form useful strategic alliances.

SAFE AND SECURE ONLINE

One such strategic alliance is with National Cyber Security Awareness Month in the U.S.A. and Canada, and with Get Safe Online Week in the U.K., both held annually in October. Teams of volunteers focused their efforts in this important month to reach almost 9,000 children and 1,200 parents.

WHATS AHEAD IN 2013

2013 Global Information Security Workforce Study: Alas, the (ISC)2 2013 GISWS is almost complete! Look for results of the survey in the Spring issue of InfoSecurity Professional magazine. The study has given us valuable insight into the specific skills sets within cyber security that make up most of the gap in the workforce. We will also take a deep dive into cloud security, secure software development, and issues surrounding BYOD.

SCHOLARSHIPS
The (ISC)2 Foundation Scholarship program is growing faster than ever. Thanks to the generous donations of our members and from the corporations who match donations, this year we awarded four scholarships to women in Tanzania, Taiwan, Singapore, and the U.S. We also awarded exam vouchers to 11 faculty members from around the world to increase the knowledge level of those charged with educating the future information security workforce. Remember, many of our scholarship recipients would not have the opportunity to remain in school without the help of members donations, and corporations who have charitable gift-matching programs. Be sure to be on the lookout for our annual appeal email. You could make a big (secure) difference in many lives and many ways by donating to support scholarships or the Safe and Secure Online program in 2013.

Dont forget to take the quiz and earn CPEs: http://bit.ly/ShTroh

For a list of events (ISC) 2 is either hosting or sponsoring, visit www.isc2.org

For more information or to donate, visit https://www.isc2cares.org. Happy New Year! Julie Peeler Director, (ISC)2 Foundation

ISSUE NUMBER 20

INFOSECURITY PROFESSIONAL

KEEPING UP WITH NEXT-GEN

by PETER FRETTY

RISK

The model of risk management is quickly changing as technology, data, and security regulations increase.

10

INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

 MANAGEMENT

Risk management is nothing new for CISOs.

In fact, the formula for calculation (risk = likelihood x impact) is time-tested, universally accepted and relatively simple. However, in todays data-laden, tech-driven world, the landscape is altering with significantly more compliance regulations as well as an increased number of threats. While fundamentals have not changed, what has changed is that there are more opportunities to exercise risk transference, which means there are more opportunities to push your risk burden onto someone else, explains Ben Tomhave, principal consultant with Overland Park, Kan., U.S.-based governance, risk management and compliance solution provider LockPath. To do so effectively, however, means having a sharp legal team that can work to ensure that the contract has appropriate provisions to accomplish a risk transference objective, as well as strong brand management and customer rapport to help defuse any sort of negative flashback that may ensue from a security incident at one of your providers, he says.

Understanding Evolving Vulnerabilities

While most understand how to calculate the impact variable of the equation, the changing model of technology, including the proliferation of mobile and cloud-based content delivery, means organizations are now in danger of losing an understanding of the assets they own, which is a key requirement to understanding the portion of the risk equation, explains John Linkous, chief security and compliance officer with Acton, Mass., U.S.-based eIQnetworks. Finding known vulnerabilities involves regular, consistent vulnerability scanning and will tell you what youre able to know. And, the more in-depth the vulnerability scanning exercise, the more vulnerabilities will be discovered. After discovering known vulnerabilities, signature-based tools such as host-based antivirus and network-based intrusion detection and prevention (IDS/IPS) technologies provide CISOs with a relative measurement of how often exploitation of these vulnerabilities occurs across the environment. This yields a number that approximates the likelihood variable of the risk equation, he says. Detection is much harder for vulnerabilities not easily encapsulated within signature-based detection methods. Its possible to detect some unknown vulnerabilities when theyre actually being exploited by looking at anomalies within the environment, says Linkous. Security professionals can use this information to forensically track down the root cause of these abnormalities and determine if an unknown vulnerability is the culprit. Understanding what is actually at risk is the starting point that is often overlooked, explains Tomhave. Today, much attention is paid to various threats such as APT, but its still relatively rare to find an organization that has a good understanding of what it is they are actually protecting, he says. Starting with a comprehensive assessment and understanding of ones assets including people, processes and technology is immensely important. Without knowing what keeps the lights on, it is impossible to formulate a reasonable strategy for ensuring business continuity and survival.
ISSUE NUMBER 20

PHOTO BY COLIN ANDERSON

INFOSECURITY PROFESSIONAL

11

A CISO can only determine the organizations security risk level by performing a true security risk assessment that focuses in on determining the actual security risks to the organization, explains Doug Landoll, author of The Security Risk Assessment Handbook. This can be accomplished by improving the standard practice of dividing the controls among those responsible and sending out a questionnaire seeking those in charge of the controls to somehow give an honest representation of their strength. According to Landoll, an improved data gathering component of the security risk assessment would seek information about controls using the five key data-gathering methods: review documents, interview key staff, inspect controls, observe behavior and test controls. This assessment should provide the CISO with the information needed to create a near-term and long-term security strategy for the organization. Whether conscious or not, there is a strong human tendency to make the data support our beliefs or desires, he says. All too often, a security risk assessment is merely a paper exercise used to support the already-determined strategy. Of all the responsibilities of the CISO, setting the security strategy based on corporate objec-

tives and the realities of the current threat environment and existing controls is the most important.

Managing through Mobility

As one of the fasting growing trends, mobility introduces interesting wrinkles into risk management. With mobile technology, the concept of the internal network changes drastically. Even though mobile devices are end-points just like fixed workstations, they are connecting over new types of networks including 3G/4G cellular and Wi-Fi, with more proprietary operating systems and users with more direct control over the devices, Linkous says. Theres also a mix of personal and corporate data on the devices, resulting in a higher asset value for both the organization and the individual. As such, less direct control exists over data and systems. We must instead put our trust in third parties, and are oftentimes at the mercy of lawyerswho may or may not understand security and risk managementto craft reasonable contractual terms, Tomhave says. There are now many heightened areas of concern, such as right to

Is your organization ready for the cloud?

Find the answer with the free Cloud Security Readiness Tool.

A short survey and custom report helps you understand and improve your current IT state, identify industry regulation and compliance requirements, and evaluate the benefits of cloud adoption. www.micosoft.com/trustedcloud

12

INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

audit, the monitoring and detection capabilities available, access to reports, the ability to conduct an incident or forensics response, and the ability to ensure that your corporate policies are being enforced.

Seeing Storm Clouds

The cloud presents unique challenges. Most notably for organizations is the challenge of no longer owning the tangible assets that store, process or transmit their data. Cloud service providers loathe providing contractual requirements for security of cloud-based assets and data, because to do so impacts their ability to remain agile with technology provisioning and deployment. Issues such as geographic location of data, lack of standard security data APIs for cloud environments, and different provisioning and management standards for cloud infrastructure between various providers means organizations that choose the cloud are going to effectively give up substantial amounts of control related to the likelihood variable of the risk equation, says Linkous. According to Rob Ayoub, security strategist at Sunnyvale, Calif., U.S.-based Fortinet, companies with data in public clouds have to shift their risk management to auditing the security of the provider and ensuring the availability of services. Because most cloud providers dont allow for organizations to test their security, a lot of the risk management moves to contracts and legal protections, he says.

The best risk management solutions use automated testing tools to help fill the gaps left by audits, as well as to integrate into often-overlooked areas like the development environment and developer activities.
risk register doesnt require a fancy, proprietary application, although many such products exist; it can be managed effectively using a spreadsheet or a consumer database tool, but needs to contain the basics for each asset including an identification of individual threats, the likelihood and impact of each of those threats occurring, mitigation and contingency, he says. Of course, a risk register is useless without having a comprehensive understanding of all information assets and what theyre worth. Its the lack of this critical information that allows exploited vulnerabilities to go so long before theyre detected in many environments. According to Tomhave, the best risk management solutions use automated testing tools to help fill the gaps left by audits, as well as to integrate into often-overlooked areas like the development environment and developer activities. A risk management program should have insight into the monitoring and detection system to help provide oversight and governance to the operational teams as part of keeping the business aligned to the risk strategy, he says. Its also important to remember that help doesnt necessarily mean an expensive third-party vendor, explains Linkous. For instance, the federal government offers free resources to help organizations get a handle on information risk through the National Institute of Standards and Technology (NIST). Specifically, risk management models (NIST SP800-37), security controls frameworks (NIST SP800-53), and technical recommendations (NIST FIPS publications) for implementing specific security controls such as authentication and encryption are quite extensive. Peter Fretty is a freelance business and technology journalist based in Michigan.
ISSUE NUMBER 20

Accounting for Big Data

With regard to big data, the news is better, explains Tomhave. We oftentimes know how to conduct analysis on a given silo of data. Our challenge, then, lies in how to aggregate those silos in a meaningful way, he says. This is where tools like GRC come to bear, allowing us to have better insight into risk factors, and thus to chart a more comprehensive, better informed risk management strategy. Big data highlights the need to be diligent about understanding the security requirements and controls over sensitive data, Landoll explains. Incredibly large caches of this data makes for some rather eye-opening risk calculations, he says. The cost of inaccurate data and poor measure techniques has been exacerbated.

Assessing Tools and Finding Help

The number and types of tools is almost overwhelming. For instance, risk management packages from solutions providers like Archer and Agiliance, an array of vulnerability management tools from providers like Foundstone and Rapid7, configuration management tools like Policy Auditor or NetIQ, patch management offerings such as BigFix or SCCM, and incident response/forensics management from firms like Encase. However, before making any investments, Linkous recommends starting with an information risk register. A

INFOSECURITY PROFESSIONAL

13

From To

FAIRY TALES

TEACHING MOMENT:

INFO SECURITY

Telling stories can help users and IT professionals retain important security information.
by KERRY ANDERSON

14

INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

I M AG E DAV I D J . & JA N I C E L . F R E N T C O LLECT I O N / C O R B I S

used story telling as a way to relate information. Stories can be used to teach ethics, relate examples of behavior and their consequences, communicate information, and provide entertainment as well. Storytelling has been used as a method of teaching, both formally and informally, even before written language existed1.
Storytelling offers many benefits, including using it as part of instruction in formal classes or training sessions. The reason: stories are fun; stories can effectively share knowledge in diverse groups; stories make it simple to communicate a message; and stories make the message more memorable.2 For several years, I ran a study group for various security certification examinations. Years later my participants would tell me that they remembered a 3-year-old concept because of a story I associated with it, such as my three year nephew attempting to send my manager an email using my VPN connection on my unlocked laptop (lesson: always lock your screen). The more vivid the image in the story, the better chance we have of remembering it. 4. Instructors can put their own personal twist on the basic presentation 5. Most of the well-known tales can be used to teach basic end-user security concepts or more advanced security mechanisms 6. A learning activity using another fairy tale to evaluate it for security themes could be used as a follow-up to the initial lecture portion of the session So Ive taken the liberty to analyze some popular fairy tales with the objective of developing various information security themes for use with basic end-users and advanced technology practitioners.

OR THOUSANDS OF YEARS, people have

FAIRY TALES AND INFORMATION SECURITY

1. Cinderella

I have had the pleasure of hearing Ira Winkler, the well-known information security expert and speaker, present at various conferences. He is a master of memorable presentation themes, such as "Everything I Need To Know About Security, I Learned From Watching Star Trek" and the use of the Wizard of Oz" story to discuss computer and network security. We can relate to these popular cultural images, and they make the concept easier to recall even years later. Six years later, I can still recall significant portions of Mr. Winklers presentations. It recently occurred to me that storytelling might serve as a vehicle for exploring information security themes and serve as instructional tools for conveying best practices. Using fairy tales as a teaching tool affords the following advantages, in addition to the basic benefits of using storytelling as an instructional mechanism: 1. Most individuals are familiar with the stories. 2. The stories lend themselves to vivid imagery by the teller. 3. It is an innovative approach to teaching security knowledge.

Mistreated stepdaughter is forced into a life of drudgery by evil stepmother and stepsisters. She wants to attend a royal ball to meet the handsome prince in search of a bride. However, she has no means to go until her fairy godmother transforms her ragged attire into a gorgeous gown with glass slippers. Unfortunately, the spell only lasts until midnight. She meets the prince and it is love at first sight. As midnight approaches, she flees and leaves behind one of her glass slippers. The prince hatches a plan to use the slipper to locate her by trying the slipper on all the maidens in his kingdom. It does not fit anyone but Cinderella because of her tiny feet. The shoe fits. The prince married her and they live happily ever after.
POTENTIAL SECURITY THEME(S)

Biometrics: The prince used a unique physical attribute to identify Cinderella. He searched his kingdom for a match, but only Cinderellas foot fit the tiny slipper. Perhaps the fairy godmother used some unique attributes of Cinderellas foot to create a slipper that would only conform to her foot, therefore
ISSUE NUMBER 20

INFOSECURITY PROFESSIONAL

15

trail of breadcrumbs to find their way back home, and lived happily ever.
POTENTIAL SECURITY THEME(S)

Both the third little pig and an organization need to practice defense in depth. The third little pig developed the scalding kettle defense to protect against an indirect attack that bypassed his primary brick house protection layer.

excluding all other potential maidens. Access Restrictions Based On Time: Cinderella is only able to access resources based on a specific period, i.e., prior to midnight. After that time had passed, she lost control of the assets, such as the pumpkin coach. Social Engineering/Penetration-Testing: Cinderellas regal garb allowed her to gain access to the castle and the event (ball). Her appearance allowed her to blend with the invited guests. In some versions of the tale, such as the popular television version, the prince assumes Cinderella is a princess and she does nothing to discourage that perception. If Cinderellas intention had been more nefarious, she could have used her ruse to steal assets, such as battle plans for a war or the royal jewels. She could even have injured attendees of the ball.

Biometrics: Hansel and Gretel used breadcrumbs as a navigation aid to retrace their steps. The term breadcrumb is commonly used for mechanisms that allow users to keep track of their locations within programs or websites. Tracing: Paths that messages take on networks can be traced from the initial source through many servers they took to reach the final destination IP address. Generally, on the Internet, everybody can be traced, no matter what they do or where they go because IP addresses are left on every server and every computer communicated with. While cyber criminals may use different techniques, such as anonymizer/ anonymous proxy to attempt to make activity on the Internet untraceable, many forensic experts may still be able to determine their activities. False Metrics: The old woman uses Hansels finger as a metric for how effective her efforts to fatten up the siblings is going. Hansel is able to substitute a bone for his finger and provides a false metric for the old womans monitoring efforts. Hackers often alter (or delete) logs and other monitoring files to disguise their real activities. The old woman is visually impaired, making it easier for Hansel to pull off his ruse. Sometimes, despite having the proper metrics and/or logs, an information security practitioner can fail to identify abnormal activity because they are myopic (shortsighted) and focus on specific risk areas. Social Engineering: The old woman lures the siblings into her home with food and kindness, but her intentions are malevolent. This is a social engineering technique called reciprocation3 in which the social engineer offers something of value, such as food, to solicit a behavior based on gratitude, such as staying and visiting with a person. When an individual receives something of value from people, we tend to want to reciprocate, often by complying with their requests.

3. Three Little Pigs

2. Hansel and Gretel

Hansel and Gretel were a brother and sister in search of food. They used a slice of bread to mark a path back to their home by leaving a trail of breadcrumbs. The siblings came upon a gingerbread house and partook of its tasty structure without permission. The owner, a kindly looking old woman, invited them in. She fed them. Hansel and Gretel did not initially realize that the old woman was fattening them up so she could eat them. The old women used the childrens finger to determine if the siblings were ready for slaughter. Hansel substituted a bone for a finger to fool the old women who had poor eyesight. The children eventually escaped after pushing the old woman into the oven. They took her jewels and food, then used the 16
INFOSECURITY PROFESSIONAL
ISSUE NUMBER 20

Three little pigs went out into the world to seek their fortunes. They needed appropriate housing. The first little pig used straw to construct his house because it was the easiest thing to do. The second little pig constructed his house out of sticks because it was easy to do, but a little bit stronger than straw. The third little pig considered security in his construction and used bricks to build his home. A big, bad wolf, who loved to eat little pigs, lived nearby. The wolf ordered the first little pig to let him in his straw house, but the little pig balked at the request. The wolf blew the house down. Then the wolf ordered the second little pig to let him in his house made of sticks, but the little pig balked at the request. The wolf blew the house down. The wolf then came to the third little pig and his brick house. The wolf ordered the third little pig to let him in, but the little pig balked at the request. The wolf huffed and puffed. However, try as he might, he could not blow down the brick house. The wolf decided to climb

onto the roof and crawl down the chimney. However, the pig had seen him him climbing onto the roof, so he boiled a large kettle of water in the fireplace. The wolf landed in the kettle of water, and was boiled to death. The third little pig lived happily ever after.
POTENTIAL SECURITY THEME(S)

Construct Strong Defenses: Defenses have to be appropriate to protect again known threats. The first and second little pigs should have constructed defenses adequate to withstand the known attack type used by the big bad wolf, his huffing and puffing. They both were eaten because they used weak defenses, namely straw and sticks, because they were easy, available, and likely cheap. Beware the Porous Perimeter: Even strong primary defenses may have some weakness necessary to sustain life or business activities. This is the porous perimeter. The third little pig needed to have a chimney to cook his food and heat his home. However, the chimney created a chink in the otherwise strong defense of his home. Luckily, the third little pig was aware of this risk and had a strategy to defend against attacks on this potential vulnerability.

Use Defense in Depth: You cannot depend on one defensive layer for complete protection from attackers. It is similar to depending totally on an enterprise firewall to defend against all cyber attacks without considering sidechannel attacks against mobile devices or web applications. Both the third little pig and an organization need to practice defense in depth. The third little pig developed the scalding kettle defense to protect against an indirect attack that bypassed his primary brick house protection layer.

USING CULTURAL IMAGES AS AN INSTRUCTION TOOL FOR INFORMATION SECURITY CONCEPTS

There are numerous ways to relate cultural knowledge to information security concepts. Fairy tales offer some widely known stories and provide the strong visual imagery to increase the potential for long-term retention of learning. As an adjunct college instructor and trainer for more than a decade, I frequently use examples based upon literature and entertainment to illustrate a point and make the concept more memorable. For example, when discussing the need to understand requirements before implementing security architecture, I often describe an episode of classic Star Trek called The Cage. In it a disfigured woman explains her appearance by saying, They rebuilt me. Everything works. But, they had never seen a human. They had no guide for putting me back together. It is possible to utilize this approach across visual, auditory, and kinesthetic learning styles4.

CLOSING THOUGHTS

Other approaches, such as demonstration, games, and video work well, but stories seem to work best. Once I explored the potential securityrelated themes that can be drawn from a story, I was pleasantly surprised by the amount of ideas that a single story generated.

Like many practitioners, I am always seeking innovative ways to relate information security concepts to avoid the perception that the material is dry. In the past, I have integrated stories from my own experience, as well as those of other practitioners. I favor stories with strong visual impact or unusual elements. I also include news stories related to the topic under discussion because they can act to illustrate both weak and best practices in information security management. Other approaches, such as demonstration, games, and video work well, but stories seem to work best. Once I explored the potential security-related themes that can be drawn from a story, I was pleasantly surprised by the amount of ideas that a single story generated. Initially, I had only one security concept per story, but I wound up with several concepts for each fairy tale I explored. There is a reason that these stories have lived on through the generations and why they remain relevant today. Kerry Anderson is a CISSP-ISSAP, ISSMP, CISA, CISM, CGEIT, CRISC, CFE, CSSLP, CCSK, MSIA and holds an MBA.
1 2

Egan, K. (1989). Teaching as storytelling. Chicago: University of Chicago Press Sole, D. and Wilson, D. Storytelling in organisations (2002) 3 Influence: The Psychology of Persuasion by Robert B. Cialdini (December 2006) 4 www.ldpride.net/learningstyles.MI.htm#Kinesthetic%20Learners:
ISSUE NUMBER 20

INFOSECURITY PROFESSIONAL

17

Filling the

(Soft) Skills

Gap

A balance of technical and soft skills opens doors to career advancement. COLLEEN FRYE
by

YOUR TECHNICAL SKILLS MAY OPEN THE DOOR TO AN INFOSEC CAREER, but
your soft skills will keep the door open to career advancement. Soft skills refer to a persons Emotional Intelligence Quotient (EQ), a cluster of personality traits and attributes such as verbal and written communication skills, conflict resolution and negotiation skills, listening skills, empathy, and more.

A signpost for EQ career trajectory typically comes at the three- to seven-year mark, says David Garcia, an executive recruiter in the Columbus, Ohio, area specializing in information security, information protection and IT audit. Thats where people need to decide what they want to do when they grow up. If you want to remain in a purely technical role, no harm, no foul. However, he tells recruits, if they want to get promoted, they will need soft skills. If youre happy with a technical role, it will largely limit a path to management if you dont have soft skills, says Jack Daniel, technical product manager at Tenable Network 18
INFOSECURITY PROFESSIONAL
ISSUE NUMBER 20

Security. Thats OK, he adds, but it does limit your options, and you have to stay on top of your technical skills so you can continue to find jobs and grow in your position. This balance of hard or technical skills with soft skills does not just apply to career advancement in infosec. In many fields at the entry level, technical skills will help open the door, possibly even more than soft skills, depending on the field and what is needed, says Lisa Prior, principal at Newton, Mass., U.S.-based Prior Consulting LLC, a firm that specializes in organizational and leadership effectiveness. But what we know is that after 10 years in a career, soft skills or skills

ILLUSTRATION BY MICHAEL AUSTIN

of emotional intelligence begin to matter more and technical skills become somewhat less important. According to the 2012 Talent Shortage Survey from ManpowerGroup, employers from around the world cited the top reasons for the difficulty in filling jobs as lack of available applications or no applicants (33%), lack of technical competencies or hard skills (33%), lack of experience (24%), and lack of employability skills or soft skills (18%). In the Americas, 15% of employers reported that applicants lack soft skills or employability skills. The top soft skills todays employees are lacking, according to U.S. employers, are enthusiasm and motivation, professionalism (personal appearance and punctuality), interpersonal skills, attention to detail, collaboration and team work ability, and flexibility, adaptability, and agility. Industry observers agree that the infosec field does tend to have a shortage of soft skills. We mention this quietly in the background; there is a sort of a nerd factor, says Bill Sieglein, founder and CEO of CISO Executive Network. We meet folks who are very talented in infosec, but in roundtables you can quickly identify who will rise and who will hit a ceiling. They communicate in a nerdy fashion and business doesnt understand. So what exactly are employers looking for? For CISOs, says Sieglein, Number one is the ability to communicate with business leaders, to translate complex security language to business language. The second is team skillsyou cant be a lone wolf. You have to rely on people across the company and communicate with staff. For infosec staff, it depends on the role, Garcia says. Some are very technical, such as reverse-malware engineering. The perfect person probably has a database background, hardcore software development skills, and has moved into security. But for someone responsible for PCI certification, he says, they not only have to have hard technical skills like encryption, but theyll be communicating on a daily basis to both technical and nontechnical people. The CISO interviewing them should be picturing them talking to business units or talking to the team that works for CIO. So they have to speak well, and write well. Daniel agrees. Public speaking and writing has a real impact on your career path. One of the ways you build up a reputation in the field is by writing, whether thats white papers, technical writing, blogs, webcasts or podcasts. He says infosec professionals can also hone writing and speaking skills at their local ISSA chapters or at regional conferences. Other key soft skills include being a good listener and possessing the ability to work well with others, Sieglein says. A sense of humor can also be valuable for those in publicfacing roles, says Daniel. Humor is part of the way you can soften a situation, he says, but warns, a little humor goes a long way, but it can be completely overdone. What an employer looks for is a fit for their culture, says Prior. If humor is part of that organizations culture, then its a quality theyll look for. The more desirable things are how you are at getting along with others, how effective you are at

TIPs for Boosting Your Soft Skills

Are soft skills innate, or can they be taught and mentored? Who you are might not change, but the assumptions you make can change. Your behaviors can change, along with your willingness to work on them and change with them, says Lisa Prior, principal at Prior Consulting LLC. The following are some suggestions for honing your soft skills:

Build your self-awareness. One of the best ways

to do that is to get feedback from others, says Prior. For example, she says, ask your colleagues how they think you handled a meeting, and what you could improve. And seek out literature that identifies key competencies that employers look for.

Do a gap analysis on yourself. Ask what skill sets

should I have, what do I have, and how do I bridge that gap. Say I need to learn to write reports. Take a class, make fake ones, and seek advice, says Jacquet.

Work on your presentation skills. If theres an

opportunity to be mentored, start acting as the representative of your security team in different situations, with guidance at first. You need to take a risk and get out there, advises Garcia.

Develop skills for handling conflict and

negotiating situations. Take ownership and responsibility for resolving issues, and make yourself the go-to person. Then pass it on, says Prior. The person whos willing to share and see someone else be successful becomes a future leader.

managing conflict. And that, she says, can come down to self-awareness. Self-awareness is one of the most important career skillsthe ability to understand how youre perceived in the workplace is critical to your success. Also, she says, do you take the initiative and have responsibility and ownership for resolving issues without a lot of direction? Do others come to you as the go-to person? Early in a career, those are skills that are important, and a characteristic that endures. For David M. Jacquet, president of InfoSecGroup, an infosec services consulting company in Portland, Maine, the bottom line for soft skills is, someone who knows how to interact with people. He adds, A lot of my guys talk to boards of directors; they cant be geeking out soft skills have got to be there. Colleen Frye is a freelance writer and editor in Franklin, Mass., U.S.
ISSUE NUMBER 20

INFOSECURITY PROFESSIONAL

19

EXPERTS ADDRESS TRENDING SECURITY TOPICS

Q&A

Mastering Security and Innovation

PATRICK C. MILLER is President and CEO of EnergySec, and Principal Investigator for the National Electric Sector Cybersecurity Organization (NESCO). Senior Managing Editor Joyce Chutchian spoke with Miller about trends in cybersecurity and the energy industry.
Q: Tell us about NESCO. Our organization is a nonprofit, grassroots association thats sharing security information among electric utilities. It started after the Sept. 11, 2001 terrorist attacks, when I worked for a power company in the Northwest. The Olympics were happening in Salt Lake, and after Sept. 11, all of the nearby utilities worked together to prevent a terrorist attack on the power system during the Olympics. In 2010, the Department of Energy offered NESCO funding, and we expanded the group to include federal agencies, vendors, and academic institutions. Our primary focus is building relationships. That is, we spend the bulk of the time doing faceto-face meetings. We meet at conferences. We call them our therapy sessions and ask what keeps them awake at night. Its all about the people. Were technology agnostic. Q: What keeps you up at night? Keeping the lights on. We have a spectrum of threats that run from very near-term to long-term future threats. Near term is non-government organizations. We have known terrorists, we have real, motivated organizations and countries that would like to perform high-impact attacks. Out on the horizon, we have long-term threats. The country with the best intellectual property and the energy supply to put it to use will be the next superpower. Q: What should security professionals be most concerned about? Were not very good with our soft skills. There are not enough of us and our knowledge transfer isnt very good; we need to be able to translate our discipline to the next generation. Were too nerdy. We need to find ways to communicate less in terms of ultra technical security speak, and more in terms of risk management. We should work on public speaking and writing capabilities. It may seem mundane and frightening to technical people, but it will advance our field. Q: What about the future? Some organizations are putting their grid operations elements in the cloud. You dont build a new electric grid or refinery quickly. Were taking something structural and slow-moving and applying warp speed innovation. That becomes mildly explosive. Its a challenging mix. We need to find a way to merge these things together in a secure, meaningful way. It wont be solved by a security wizard, or an innovation wizard alone. We need people who can speak both languages. In the future well have a new, hybrid set of people who can translate on both sides, who can advance the economy and business. Q: What is your advice for security professionals? We need to balance prevention, detection, and response. You dont rate a safe as unbreakable. You rate it as how long it will take to break into it with certain tools. Our landscape has changed. Prevention is not possible. In the Venn diagram, where prevention, detection, and response meet we need to move toward the overlapping area.

20

INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

Advancing Information Security One Community at a Time

provide opportunities to:
Network with peers Exchange knowledge Meet industry experts Earn CPE credits Build leadership skills Support educational seminars Promote security awareness

CHAPTERS

Join or Start a Chapter Today!

www.isc2.org/chapters

chapter passport
MEMBERS CONNECT AND COLLABORATE

(ISC)2 Chapter Leaders Convene in Philadelphia

(ISC)2 HELD ITS FIRST LEADERSHIP MEETING with chartering and official (ISC)2 Chapter officers and delegates during the second annual (ISC)2 Security Congress in Philadelphia, Penn., U.S. Officers from nearly 20 chapters worldwide attended, including representatives from Argentina, Sao Paulo (Brazil), Switzerland, and several from the U.S. It was the first opportunity for chapter officers to meet face-to-face and learn about existing and new (ISC)2 Chapter programs and initiatives. Julie Peeler, (ISC) foundation director, discussed how the chapters can get involved with (ISC)2 Foundation programs, including hosting and mentoring scholarship recipients; volunteering for the Safe and Secure Online program for children, parents, and teachers; and donating to the Foundation to support these programs. As a Safe and Secure Online lead volunteer, Dan Waddell provided valuable insight and experience regarding his involvement and the positive impact it has made on thousands of children. And Mrs. Peeler reminded all (ISC) members and nonmembers alike to participate in the 2013 Global Information Security Workforce Study (GISWS). (ISC) also announced new initiatives in several chapters that are currently in development. Jerry Pittman, co-chair of the North American Advisory Board (NAAB), presented details about the (ISC) Advisory Board/Chapter Engagement Program (ABCEP), which provides a mechanism between the (ISC) Advisory Board members and chapter leaders to align common goals and objectives, and quickly and efficiently launch programs relevant and beneficial to the local
Julie Peeler, (ISC) 2 Foundation Director and Dan Waddell, Lead Volunteer for Safe and Secure Online and member of the North American Advisory Board (NAAB)

professional community. Sarah Bohne, (ISC) global communications manager, presented two of the initial chapter pilot programs: Executive Writers Bureau (EWB) and the NextGen program. Upon successful completion of the pilot phase, these programs will be expanded to advisory boards and chapters in other regions. (For more details, contact Sarah at sbohne@isc2.org.) Officers from the New Jersey, Philadelphia, and Sacramento (U.S.) Chapters served on a panel and presented their chapter programs and activities. In addition, they answered questions from the audience and provided advice. Officers enjoyed learning about experiences from other officers and were excited to learn about new programs. Heres what some of the attendees had to say: Thank you very much for organizing such a fantastic meeting for the people! We look forward to providing more input and efforts to the local chapter and the corporate work as well! Ron Zhang, New Jersey, U.S. Chapter Meetings like this, where chapters can discuss their problems, achievements, and possible solutions, go a long way in helping us all to succeed. Marc Noble, National Capital Region Chapter I really enjoyed the Leadership Meeting! It was good to see all of the energy and start-up information presented. Darren Singleton, Nashville, Tenn., U.S. Chapter

Download a copy of the (ISC) 2 Chapter Leadership Meeting presentation slides or watch videos at: www.isc2.org/chapter-leadership-2012.aspx.

Additional leadership meetings will be held in 2013. Visit (ISC) Chapters for more details.

22

INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

Security in Knowledge

Mastering data. Securing the world.

before Friday, January 25, 2013

Save $400

Discover the Power of Information at RSA Conference

Cybercriminals are on the lookout to uncover security weaknesses in your organization anywhere and anyway they can. To stay one step ahead of threats you need access to the latest security innovations and insights. At RSA Conference 2013, you will learn from a diverse array of experts as they provide their perspectives on the state of the security ecosystem and uncover how understanding the bigger picture can prepare you. A delegate pass gives you access to:

21 dynamic tracks with 7 new ones including CISO

Viewpoints, Enterprise Defense and Security Mashup

450+ track and keynote speakers 350+ leading-edge exhibitors

in our expanded Expo

275+ information-packed sessions over ve days

Register Now!
www.rsaconference.com/isc2
Global Diamond Sponsors Global Platinum Sponsors Global Gold Sponsors Platinum Sponsors Silver Sponsors

Gold Sponsors

global insight
INTERNATIONAL INFORMATION SECURITY PERSPECTIVES

Be Aware of Security Awareness

YES WE KNOW. We information security professionals tend to be a little bit drastic sometimes when it comes to applying methods and controls. In fact, weve always known we are! Moreover, this task of constantly being aware of mitigating risk factors gives us an incredible amount of conscience that allows us to discern between how frustrating a security implementation could be versus convenience. In other words, the task of understanding the processes and risks associated with them is a fundamental part of the mission of an infosec professional. Therefore, it is necessary to consider all possible angles of a given situation in order to, whenever practicable, provide a solution that would minimize negative impacts to assets and therefore the enterprise. While the previous paragraph proves a literary intake for anyone who practices security methods routinely, the truth is, the majority, unfortunately, do not. Either they are not encouraged enough or they simply find them tedious or annoying. Security practices are yet to be commonly recognized in our day-today activities. If you still havent considered this a fact, then you should. This and nothing else is what makes the user feel reluctant to security measures. If we were able to adopt security practices as a culture or as something that was part of our actions and perhaps our thinking, they would not see them as an imposition but rather a method of protection for the common good. The fact that, the most common password used by global businesses is Password1 because it satisfies the default Microsoft Active Directory complexity setting, according to Trustwaves 2012 Global Security Report, indicates the lack of end-user security awareness. Thats why security awareness is so important. By no means are we saying this is the key to solve ALL of our issues, but merely fundamental to succeed in the implementation of a security plan. Of course, we already knew this, didnt we? Heres the catch: although the benefits of awareness are well known in our community, it seems to fall to the end of our priority list. Reactive oriented security layers take precedence over proactive when initiating security programs;

not only because they are the hands-on-operationalrelated ones the easiest and quickest ones to implement in comparison but business wise, they are the ones that allow you to present metrics and return on investment to management. After all, big shot executives like that, right? Many would argue that awareness is hard to implement because of the lack of support from management. Thats a tragic truth. Following is a list of suggested tasks for revitalizing or beginning awareness initiatives in your organization: Include strategic numbers in policies. Now that the company has agreed to implement a security program in the organization with no awareness budget of course be sure to include one or two subsections pertaining to awareness. For instance, in the Acceptable Information Resources Use Policy, make sure to include instructions for employees to turn off their PCs after a shift is over if its not necessary to leave it on. Screen savers to the rescue. If theres support for a security program within a company, a domain is likely already in place. Talk to the IT department and use your domain policies to set up the companys screen saver. Be creative with your messages! Use email. Send email messages to everyone in the company. Try to send insightful, but most of all, short messages. And it is not SPAM if you get consent from management and believe me you will if you ask them to base their decision on the fact that those messages a) could potentially save the company from an incident and b) they wont add a penny to the budget. Use the phone system. This is a long shot but worth a try. Record awareness tips to include on the phone system when calls are place on hold. Talk in person. Maybe you wont have time to prepare a 30-minute presentation about awareness, but EVERY time there is an opportunity, talk about safe practices and the importance of protecting the companys assets. Pedro D. Navarro, CISSP, coordinates PCI-DSS compliance and IT Incident Response for Asociacin Cibao de Ahorros y Prstamos, a financial institution in the Dominican Republic.

24

INFOSECURITY PROFESSIONAL

ISSUE NUMBER 20

Is your software open to attacks?

Slam the Door by Learning Best Practices for Securing the SDLC.

FREE
Receive a new webcast each week.
(ISC)2 members must stay current in the evolving world of software security. This series of webcasts will provide you with a new webcast each week focusing on securing a different phase of the software lifecycle. It will show you what security measures need to take place at the beginning in the requirements phase, how security must be built in the design phase, and how to test if the application is resilient enough to withstand attacks in the testing phase. Also, this series will feature a webcast on the value of the CSSLP and how to study for the exam.

Webcast on Securing the SDLC.

www.isc2.org/csslppreview.aspx

(ISC)2

Connect with us: www.isc2intersec .com www.twitter.com/isc2 www.facebook.com/csslp