NIST Special Publication 800-50, is a regulation dedicated to IA Awareness Training

NIST SP 800-5, Building an Information Technology Security Awareness & Training Program


The 800-50 includes guidance on development and sustainment of an awareness & training IT Security (aka information assurance training) program for all users, employees and supervisors within an organization. Having a training program is mandated by the Federal Information Security Act of 2002.

IA Awareness Training – Roles & Responsibilities

Agency heads – must ensure that high priority is given to effective security awareness and training for employees. Appoint a CIO
CIO – Establish overall strategy, funding, tracking and report is in place for the IT security awareness and training program
IT Security Program Manager – tactical deployment, development and maintenance of the IT security & awareness program.
Managers – responsible for complying with IT security awareness program. Work with CIO and IT Security Program Managers to share responsibility. Ensure all users are trained to fulfill their security roles before access is giving. Promote professional development and certification of the IT staff.
Users – largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors.


800-50 calls learning a “continuum”. The continuum of learning starts awareness and builds into education.
Awareness – awareness is not training. Awareness focuses on security concerns to ensure users are mindful of basic rules and issues in a given environment.


Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. – 800-50

Training – is a formal focused method to develop a skill for job performance.
Training strives to produce relevant and needed security skills and competencies – 800-50

Education – combines multidisciplinary areas into a common body of knowledge.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response. –800-50

According to David Airey & gnucitizen.org:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forward them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
– gnucitizen

As many of you already know on November 2nd, MakeUseOf.com’s domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.

You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/

I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.

Now the thing is the domain name domainsgames.org is protected by Moniker and they hide all the contact info for it.

Domain ID:D154519952-LROR
Domain Name:DOMAINSGAME.ORG
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:MONIKER1571241
.
.
.
.
Name Server:NS3.DOMAINSERVICE.COM
Name Server:NS2.DOMAINSERVICE.COM
Name Server:NS1.DOMAINSERVICE.COM
Name Server:NS4.DOMAINSERVICE.COM

More at Makeusof.com

The Google Fix

Scientists Create First Memristor: Missing Fourth Electronic Circuit Element
For the former, Williams says scientists can now think about fabricating a new type of non-volatile random access memory (RAM) – or memory chips that don’t forget what power state they were in when a computer is shut off.

That’s the big problem with DRAM today, he says. “When you turn the power off on your PC, the DRAM forgets what was there. So the next time you turn the power on you’ve got to sit there and wait while all of this stuff that you need to run your computer is loaded into the DRAM from the hard disk.”

With non-volatile RAM, that process would be instantaneous and your PC would be in the same state as when you turned it off.

Scientists also envision building other types of circuits in which the memristor would be used as an analog device.

Indeed, Leon himself noted the similarity between his own predictions of the properties for a memristor and what was then known about synapses in the brain. One of his suggestions was that you could perhaps do some type of neuronal computing using memristors.

But this got me thinking, what does this mean for forensics? Won’t it be easier to know exactly what a criminal was up to before the cops busted his door down? How long does the data say in the memristor RAM? I’m certain there would be ways to erase the memristor RAM memory at intervals.. maybe even encrypt the memristor data. One might even be able to use normal RAM as a front end and the memoristor an optional back up. There might also be really cool (scary) spy equipment planted in your system or clamped easily to a bit of wire on your CAT5 LAN cable that would capture all packets.

Up until recently, I’ve done security my entire adult life very reluctantly.  I started off in the military as Security Policemen (now called security forces).  I was a security specialist and was groomed into law enforcement.  The description sounded like special forces.  And even though security forces do some pretty cool stuff its NOT usually doing anything even close to what combat controllers, pararescue, Force Recon, Navy Seals and Delta Force do.  Instead its like the Air Force version of infantry (when I was in we even trained with the Army infantry at Ft Dix).

I had about five years learning every aspect of physical security.  I later “cross trained” into communications expecting to do some hardcore technical stuff.  And I did, but while I wanted Routers I got the help desk and later pure security (firewalls, IDS, C&A packages, COMSEC, EMSEC) a little of everything.  My experience in the military made it easier for me to pass the CISSP which covers a little of everything.

These days I teach certification classes and do auditing, policies, consulting as well as certification and accreditations. 

Tags: CISSP, security, how,

As I think about how many common public speaking mistakes I made out of nervousness, it makes me laugh. I repeated things like “um”, “and what not”, “that kind of stuff”. I studdered and stammered.

I did my best so I still feel good about what I did. It is actually volunteer work for the local ISSA chapter as well as a way to get “CPEs” or Continued Professional Education points toward my CISSP certification (have to get 120 in the course of 3 years).

It was actually a really good refresher course for me. I love helping people so it was a pleasure to put out some helpful material to fellow Information Security professionals, but I need to get better at public speaking.

Our local Information System Security Association Chapter here in the Springs puts on certification classes a few times a year for Comptia Security+ and the CISSP. I hope that they eventually drum up enough interest for certified ethical hacker course.

I told the ISSA guys I'd do it as long as I didn't have to train on Crypto which is one of my weaker subjects. 

I'm excited about the training because I feel like I will really be
able to help people ace this test.  Most security professionals
who have been IT for more than a couple of years won't have a problem
studying for it and passing it. 

It really is just basic technical information security
stuff.   There is also a lot of support on the Internet for
this test: practice tests, guidance on what to study, and
encouragement. 

Don't sweat this test.  Especially if you've studied.

I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification.  Since the CISSP info is still fresh in my mind and much of the ISSEP are things I do or have to deal with daily it seems like a good idea. 

What is the ISSEP?
The ISSEP was developed by the International Information System Security Certification Consortium (ISC)2 in conjuction with the National Security Agency/IAD. Where as the CISSP is an all encompassing general look at security, the ISSEP is a concentration on system security engineering process.  System security engineering has to do with ensuring that selected solutions
meet the mission or business security needs.  It is defined as “the art of and science of discovering users security needs, and designing and making with economy and elegance information
systems so that they can safely resist the forces they might be subjected to.”

System Security Engineers tasks:
  Discover Information Protection Needs
  Define system Security Requirements
  Design System Security Architectures
  Develop Detailed Security Design
  Implement System Security
  Assess Information Protection Effectiveness

Instead of ten Domains the ISSEP has four:
  System Security Engineering
  Certification and Accreditation
  Technical Managment
  U.S. Government Information Assurance Regulations 

Most of of the ISSEP's material comes from the Information Assurance Technical Framework (IATF). 

My co-worker recently took the test and he said it was more difficult than the CISSP.  The CISSP is easily THE most difficult test I've every done.  Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult.
The CISSP is so broad that you could not possibly get all the information from a single source.

http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf
www.nsa.gov
www.isc2.org

His other very true point:

“The exam is best characterized as an ‘inch deep and a mile wide.’ Whether this makes it easy or difficult is a matter of perspective.”

For me the hardest part were the answers.  I feel like I’ve mastered the art of studying for a test.  The fact that there is so much knowledge crammed in a 250 question test makes my study techniques watered down.  Its very difficult to cover all 10 domains effectively.

I’m not one of those bastards that can walk into a test cold (no studying, no worries) finish in half the average time and pass.  If I don’t study, I fail.  I’ve learned to live with this.  I know my weakness.  I just second guess myself too much on every answer.  I’m one of those guys that does not believe that everything is black and white but that everything is a million shades of gray.  For me that is where the difficulty lies.  The CISSP wants you to choose the “best” answer.  So while many or even ALL of the answers might be true, there is only one BEST answer.  But my best might not be your best.

I’ve taken many certifications.  They have become almost a hobby of mine.  In June, I took the Security+ hoping it would help prepare me for the CISSP.  First of all let me just say comparing the the CISSP and the Security+ is like comparing Lennox Lewis’ fighting style to that of some 12 year old girl from John C. Still Middle School.  There is NO freakin’ comparison… NONE, do you hear me!  The preparation that I put into the Security+ is what help me in my CISSP success.  That being said, there were about 6 very similar questions from the Security+ that were on the CISSP but the CISSP contains ALL of the domains of the Security+ on a comprehensive level.

As I said, I’ve taken many certs.  And I DO NOT think that taking a test will make anyone instantly smarter or more technically skilled then some “l33t hacker” that has been cracking databases since age 12, but I DO believe some certifications have great value to the IT and Security industry.  With the possible exception of the CISA, the CISSP is the most exaulted security cert you can get right now.  Many say that any dependency on certification is what is lowering the amount of IT and security professionals with skills.  While there maybe truth to that, I say it is just another way for employers to gauge whether or not they are investing in a skilled employee.  Whether they choose the right candidate will ultimately be decided (just like anyone else) by time.

NO certification I have taken comes within an Astronomical Unit of the CISSP.  Of course I’m not an MCSE or a CCNP (though I’ve tasted the fruits of both) so perhaps there is a match in its level of difficulty.

Having taken the test I don’t feel I was fully prepared even though I have legitamate experience in nearly all aspects of security, I read a book and studied on and off for a year before taking the test.  I tell you, this test beat the shit out of me.  They give you 6 hours to complete the test and I finished in 5 1/2 hours.  When I was done, I was sure I’d failed.  I started trying to think of ways I’d pay the company back since they would not pay for a failed certification.  I also started studying for the repeat.  I was pleasantly surprised when I got the ”congradulations” email.

Adequate study for me would have consisted of reading no less that two “600 page” books and going to a boot camp. 

This is the best online CISSP resource I have found: www.cccure.org.

 

Special Shout outs go to the ISSA COS chapter and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke…42.

ASIS seems to be composed of a lot of physical security professionals (ie protecting critical infrastructure).  Where ISSA assists its members in attaining CISSP, forensics certs and the Security+, ASIS concentrates on  Certified Protection Professional (CPP),  Physical Security Professional (PSP), and   Professional Certified Investigator (PCI).  

With my background in physical security, I fit right into their world.  I plan on attending one of their meetings in the future. 

Between ASIS and ISSA members we filled an auditorium.  With that kind of networking something big is begining to happen in Colorado.

Todays presentation of a smart card readers system had a lot of cross over appeal for both information security professionals and physical security professionals alike.

The Security+ is NOTHING compared to the CISSP.  I've yet to take the actual CISSP cert test, but as I've been studying it is VERY clear that these tests are from different planets.  It is like comparing the Comptia N+ to cisco's CCNP or CCIE… o.k. maybe not CCIE, but CCNP for sure.

I've been studying to take the CISSP on and off for about a year due to a fairly full plate.  I plan on taking the test in the next few months so I've started reading up on some practice questions.  My orginal plan was to get a Security+ cert so that I could prepare for the CISSP.  As I've been reading the practice questions on CISSP I'm finding that the Security+ is simply not robust enough to even come close to helping me study for the CISSP.

Once I take the actual CISSP I'll be able to make a better assessment, though.

One of the most helpful items I found on was a Security+ cheat sheet.  It is a very concentrated view of all five security+ domains and makes for a great study reference.