NIST Special Publication 800-50, is a regulation dedicated to IA Awareness Training

NIST SP 800-5, Building an Information Technology Security Awareness & Training Program


The 800-50 includes guidance on development and sustainment of an awareness & training IT Security (aka information assurance training) program for all users, employees and supervisors within an organization. Having a training program is mandated by the Federal Information Security Act of 2002.

IA Awareness Training – Roles & Responsibilities

Agency heads – must ensure that high priority is given to effective security awareness and training for employees. Appoint a CIO
CIO – Establish overall strategy, funding, tracking and report is in place for the IT security awareness and training program
IT Security Program Manager – tactical deployment, development and maintenance of the IT security & awareness program.
Managers – responsible for complying with IT security awareness program. Work with CIO and IT Security Program Managers to share responsibility. Ensure all users are trained to fulfill their security roles before access is giving. Promote professional development and certification of the IT staff.
Users – largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors.


800-50 calls learning a “continuum”. The continuum of learning starts awareness and builds into education.
Awareness – awareness is not training. Awareness focuses on security concerns to ensure users are mindful of basic rules and issues in a given environment.


Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. – 800-50

Training – is a formal focused method to develop a skill for job performance.
Training strives to produce relevant and needed security skills and competencies – 800-50

Education – combines multidisciplinary areas into a common body of knowledge.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response. –800-50

Porn is given some sort of false taboo label. Its black labeled and looked down upon but somehow the porn industry manages to make billions and billions of dollars internationally.

Moral dilemma aside, porn sites have been given a very bad rap due to the huge amount of virus’ put out by malware sites. Lately there have been an uprising of really good virus free porn sites.

And here are just a few:

xvideos
xhamster
redtube
youporn
pornhub
youjizz

*all .com

These are free sites. No membership necessary. And, equally important, they are virus free. These sites make money on the ADs.
My one complaint about them is the pop-under promoting their live cam sites. I am HATE pop-unders. But they are harmless on the sites listed. They have to make money some how.

What is Social Security Death Records? Social Security death Records consist of information on a deceased person. This includes first and last name, date of birth, date of death, residential status and last known address. These records provide an overview for different surveys and meeting the personal requirements.

Why people want social Security Death Records? The reason behind searching these records differ from one person to another. Some people might need it for their personal reference to find their ancestor’s history or to find their lost friend. Another use of death records is for commercial purpose by different companies. These companies require these records for various surveys to find the accurate death rates. Some companies also keep this information with them to further provide it to different private and public sectors. Other purposes of maintaining these records is to prevent fraud so that no one can misuse the identity of a deceased person. This helps in decreasing criminal activities.

Which resources should concern people? There are millions of resources providing Social security death records. Here are few reliable resources to get information related to death records in the form of death index:
• Social Security Death Index- This is very reliable resource of US citizens that holds around 74 million records. This record provides with records of those person died after 1962. The death certificate issued includes a social security number for accurate identification. This allows one to indicate date of birth, place of birth and proper names of their ancestors. One can find this index over internet on searching on sites like Ancestry.com to know the exact family history.
• Free Ancestry Search- Many companies are providing free online search for death records with a great sense of accuracy. One can search of Familylink.com for free search and obtaining better results.
• Death Records Search- One can take the help of online databases through links such as Death-records.net for valuable information. What one has to do is search according to the location and number provided.
• AllvitalRecords.com- One can search on the following link by just entering the name of their ancestor. To obtain a healthy search try to make it location wise, this will help to get accurate results.

Unfortunately Social Security Records are often used in identity theft and fraud.

Google has taken steps toward protecting is users from malware and phishing attacks by alerting webmasters of malicious content and bad URLs.

Now Google offers a service for Network Administartors that allows system owners to receive early notifications for malicious content on their network. Its called “Google Safe Browsing Alerts“. As an example of how powerful this can be, imagine an Internet Service Provider have such a service.

I can already hear the “nayers of google” crying, “what about the privacy of the networks and your users?” To this I say, “SHUT THE HELL UP!” Google loves you. Google died for your sins. Repent, for the kingdom of Google is at hand.
http://safebrowsingalerts.googlelabs.com/

That is all.

http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html

ipad security hole

My job as the resident “security guy” places me at the butt of jokes that serve as the passive aggressive means of venting the frustration that my co-workers feel about the strict military and DoD policies. Security is almost never appreciated until an information system’s security is broken or breached. And even then solutions only come after blame and public humiliation.

Why did so many important government figures decide to risk using the new iPad without proper military grade testing and scrutiny is the biggest question. I would expect a start up in Silicon Valley to grab an iPad the first day it comes out but not U.S. military organization in the middle of two wars.

more here:

http://money.cnn.com/2010/06/09/technology/iPad_email_breach/index.htm?postversion=2010061009

http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed

Basically, someone creates a innocent looking extension or plug-in, they distribute it and the innocent looking plug-in/extension sends your personal information to where ever.

How can a person avoid this?! I guess the safest way would be to not use ANY plug-ins and extensions.. but that is over kill.
I know that I am pretty paranoid about WordPress extensions/plug-ins but the open source community is pretty good about peer reviewing, testing and reviewing some of the more popular plug-ins. When it comes to software I depend heavily on reviews of others who have used the product. If there are no reviews (even on forums or dev/plug-in sites), I usually consider the app to risky.

Sometimes what I do is try the app/extension/plug-in on a site/blog I don’t care as much about. In the case of browser plug-ins, I use a single trusted browser with minimal plug-ins to do important sensitive/personal transactions. Most of the stuff I do on the web does not require so much scrutiny.

Unfortunately, there is always a risk with plug-ins, apps, and extensions. All we can really do is manage the risk, by being careful and suspicious.

Thanks Mr. Grech for the knowledge.

Hello,

If you want a job fast I would suggest checking out simplyhired.com. I would also put my resume out on Monster.com, if you have not already done so. If you want a security job the security+ is the way to go, but also consider doing a search on monster and simplyhired to look at the skills and certifications that employers are looking for. Pay particular attension to keywords and phrases that they are using. You will know the keywords/phrase because they are repeated in nearly every resume for your chosen career path and/or job title.

How I get Jobs Fast
For example, in my career “system security engineer” and “information security officer” I see the following keywords/phrases over and over: security clearance, cissp, 8500, diacap. If noticed that when I have these keywords on my resume, I get calls almost DAILY from all over the US. Here is how you can do the same:
1) Find a good job title that fits what you do or what you want to do
2) Do a search for that job title [use google, simplyhired.com, monster.com, dice.com or any other search engine/job database]
– Read through the job results and try to find keywords/phrases that seem to be in most or all of the jobs listed
3) Try to get as many of the applicable keywords/phrases in your resume
– Either have the skills required for the chosen job title or begin working toward them
– I am not suggesting that you put lies on your resume, you’ll have to look for job titles that you have experience & skills in
– Don’t mess with stuff that completely out of your league or level of expertise, be honest on your resume
– Sometimes employers will take you if you are willing to learn the skills or earn the require certification/degree in a certain time frame. Put that on your resume.
4) Put your resume [with keywords/phrases in place] online, as many places as you can

Research Employer Demand in certain locations
I am from California and I have been trying for years to find a decent job (for what I do) there. They’ve got them in southern California but almost none in Northern. California seems to be lacking jobs and then they don’t want to pay comparable to the cost of living there. I noticed that Cali has a LOT of networking jobs. If you type in CCNP in simplyhired.com for Cali, you’ll find a lot of good paying jobs. The problem is that CCNP is a very difficult certification to get (or so I’ve heard).

I would recommend checking out what sort of IT skills employers are looking for in the area you want to work. For example, even though I have lots of certifications, most of the ones that I have [that are still active lol] won’t help me for moving back to Northern California. I researched it and found that they are mostly looking for Network Engineers [as of 2006-2010] and my Cisco routing and switching skills are still developing.

Play Capitalisms Game: Start a Business
Another option is to start your own business. This may sound daunting, but believe it or not my website elamb.org qualifies as a business. It took me about 1 year to get it making money, but now it makes between $400 – 800/month without me even looking at it. It has made as much as 2k and I know people who make more in a month then many people make in a year with their blogs. It is becoming harder and harder to be an employee. Companies do the bare minimum to take care of employees, the economy goes in a recession (or worse) and hard working people can not find a job and the value of the dollar flutuates on a downward spiral. It seems the only way to be comfortable in this new “capitalism” is to have multiple streams of income.

If you are interested, start at your states business page and here

Thanks,
Rob E.

Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.

DIACAP Essentials
The Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP) Essentials course blends lecture and hands-on
exercises to introduce students to DIACAP policy (to include FISMA
requirements of a comprehensive, repeatable, and auditable Information
Security process).

IA Control Validation In-Depth - 3 Days
The IA Control Validation In-Depth course takes the students DIACAP
education and turns the view from an implementor to a Validator perspective
and involves the students in the validation process for the IA Controls
(DoDI 8500.2).

What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.

The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.

During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –

– Security Focus

I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.

I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S, hand, but no proof at all allowing plausible deniability. It should be black Ops hacks, very well coordinated, very well funded and full time.

I don’t think the US can be complacent or wrecklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy handed when it comes to one of its most valuable asset, information.

But its not just about reviewing the documentation that a system is supposed to have. If you’re in the business of getting systems validated sometimes you’ll have to produce the documentation.

An IA Analyst, system security engineer or Information Assurance Officer (IAO) usually documents the results of their security tests. For example, if they run a Retina Scan they will want to generate a report that has the results of that network or system scan.

DoD Information Assurance Certification & Accreditation (DIACAP) Knowledge Service, the Enterprise Information Technology Data Repository (EITDR) and other IT profile databases have very detailed information on what the final Validators are looking for.

If you’re in line with the final validators you will not have much of a problem, because they will approve the system and move it on to the Designated Approval Authority (DAA).