On our previous seminar for IT/CS intern students like me, the speaker tends to share his knowledge about basic accounting concepts. The importance of basic accounting concepts on our course is that we will be more competitive and gain an additional knowledge which we can use in our future job. We are IT students who will become programmers and software developers someday or we might establish our own company in the near future. It is important that we know the basic debit/credit in accounting if we are going to create an accounting program or software but for me basic accounting concepts is not enough when you plan to be a accounting programs developer instead use it as a starting point for further studies about accounting concepts. Because the more knowledge on accounting plus the skills on programming, you will definitely develop an effective accounting program.

Once you applied accounting concepts and programming it will surely gives you a nice income. I still remember what my former professor told us about his experienced when he was still applying for a job, he applied in an organization/company as a programmer but when he was interviewed, the interviewee asked him if he had a background on accounting he answered none, obviously he did not passed the interview because of that simple question, so he advised us to take basic accounting course as early as now because maybe we might also encounter the same problem he encountered before.

Fake Profile Pictures

Online dating is now a very popular way to meet a partner. Match.com & eHarmony are very popular dating web sites and claim that 1 of every 5 marriage (in Western world?) are from dating sites.

But on thing that goes unsaid is the amount of scams that happen on these sites. There are many “romance scammers” on these sites. Below are examples of face profile pictures that these con artists use to lure you in.

http://ic-girl.blogspot.com/2009/03/cewek-cantik-dari-medan.html

How and Why I became a romance scammer on filipinoheart.com

*The following is a real event that has been re-written from the original for clarity with names changed to protect those who were willing to come forward… the real ludivina yasay is a lady that scammed me lol. The original author of this story is not named but she really did do this. I may post the original (and change the names) for now you get a simulation of a REAL event.. the emails in this post is real, the story is real.*

My name is Ludivina Yasay. I am from Cebu City, Philippines. About a year ago, I scammed an American named Matt T. I met him on a popular dating website called filipinocupid.com (filipinoheart.com in the Philippines). Over the course of 8 months, I took about $3000 dollars from him.

Why did I do it?
I needed money.

How did I do it?
I gained his trust, told him what he wanted to hear and he believed me. He fell in love then gave me money.

How it all began
After graduating college, I could not find a job. Jobs are REALLY hard to get in certain parts of the Philippines. Places like General Santos, Cebu City and many other places have many people and very little jobs available. Many families can barely afford to pay rent, utilities or even eat. Even with a college degree, I could not find a job for over a year.

I started searching for jobs online. While in the Internet café, I over heard two people talking about how they would get money via Western Union from a person they were chatting with. While I was trying to unsuccessfully get jobs each day, they were getting paid from some guys online.

Filipino Heart Scam Ring
I found out my friend was involved in the same people I had seen in the Internet cafe. She explained to me what was going on. She told me that they would find guys from the United States on dating sites. They used a fake profile on Filipino cupid, flirt with these men, start a relationship, then get money. This ring of Filipino heart scammers were mostly gay men.

They told me that they do it so much that they are actually able to buy home, cars and live very well in the Philippines.

Since my family and I were struggling, I decided to do it. I create a fake account with a picture of a model. I had a set of pictures. Very quickly I had a guy who was interested, Matt T.

We began to talk and I told him everything he wanted to hear. I told him that I was looking for a guy who is serious, I told him I was attracted to him. I told him anything to make him feel good. I didn’t care about him he is just a stranger. I just need money.

How I got the Money
Message to Matt:

hope you have a very nice day today… its have a wonderful today when i found you.. i fill always happy when you respond to my email.. and i fill that your a guy i that god given me and i know in my heart your the right one for me…. hope we could chat soon. i miss to chat w you.. take care….. love”

from MATT:

That is very sweet. I look forward to taking the time to know you better. I want to know the dreams and wishes of your heart.

After a short time, he started to trust me so we were starting to speak like friends. When I mention to him that my family does not have enough to eat he is concerned for me.. his “friend”. I did not ask for money directly. When I mention I am in trouble, he offered to send me money. I pretend to be reluctant, then took the money.

Falling in Love & telling the truth
Everytime I mention my troubles, he offered money. After a while we started getting closer and closer and he is giving me more and more money. The funny thing is I never even really asked him.. I just gained his trust and he offered when I said I am in trouble.

He told me about how he is getting a divorce with his wife. He told me He has two kids. He told me how he is lonely lately and all about his life. Over the months, he help me anytime I needed it. He helped me move to another city, find a job and even explained how I can help him with a business he runs and pay me!

We started to really get close and even fall in love. Over time, I realized that I really love him and do not want to live a lie. As a practicing Catholic, it was hard for me to accept this lie.

I went to church and did confession. The priest told me I should tell him the truth.

The closer we got the more I realize I cannot do this anymore to him. He thinks I am some other woman. One night he told me he wants me to be his girl friend. So I decided to tell him the truth.

I told him my real name, showed him my real picture. He was upset that I had lied to him for so long. I was not sure if he would ever talk to me again after I told him the truth. But I wanted him to know the truth.

I wonder if I can gain his trust back. I feel that I hurt the only man I will ever love.

I regret what I did to him. More than anything else, I don’t want to lose him.

me with picture of CAP notificaiton

How to get a certification

- ISC2 Certified Authorization Professional (ISC2 CAP)
- Risk Management Certification
- Passing Score 700 out of 1000 points (125 questions on the test *25 test questions not counted toward the results)
- Application Fee: $419
- Verify 2 years experience in this field
- Endorsement Form
- Answer questions to criminal history and background
- Other Info: its a CBT, 3 hours to test, based on NIST 800 series

How Hard is the CAP Exam

I just took the ISC2 Certified Authorization Professional test (CAP Exam). I just want to give others who are about to take this test some idea of what they are up against. I noticed there is not a lot of Security Professionals talking about it. I keep hearing that there are only *1000 CAP certified people on Earth (circa 2011). I don’t think its because of the difficulty level (lol.. i mean i would not call it an EASY test, but its no CISSP or CCIE.. btw CCIE has about 25,000 certified as of about 2010 individuals on early despite being around for since 1993… according to Cisco, “fewer than 3% of Cisco certified individuals attain CCIE certification”). I think there are so few CAP certified people because its not a well know certification and its in a specialized field. Perhaps the numbers of CAP certified individuals will always be low.

My overall impression is that it is much harder than Security+ but much easier than CISSP. If you have recent experience with DoD Information Assurance Certification & Accreditation Process (DIACAP) you should have an easy time grasping the National Institute of Standards & Technology (NIST) Special Publication 800 series concepts allowing you to pass the CAP exam. I would say the same about all the C&A frameworks, NIACAP, NISPOM, DCID 6/3, DITSCAP etc. If you know the certification & accreditation process well than you will pick up risk management framework fast. If you have been doing the NIST C&A and/or Risk Management Framework, the test should be a mere refresher course for you and a couple of weeks of reviewing NIST 800 regulations and OMBs you already know might be enough for you to pass the CAP Exam and get this certifications. You should know, however, that quite a bit has changed since 2009 in the certification & accreditation process of getting authorization.

The test is in the style of the CISSP in that you must choose what is MOST right in many cases. All questions are 4-multiple choice type questions.

Study Material for the Certified Authorization Professional

One of my biggest issues about the CAP material is that is has almost NO decent study material. There is “The CISSP and CAP prep guide” by Russell Dean & Ronald L. Krutz, this is the ONLY book I have found aside from one or two lame ebooks (as of 2011).

What I used to get a CAP Certification

The very first thing you should do is become a member of Isc2.org and download the ISC2 CAP Candidate Information Bulletin. The CAP Exam CIB breaks down all the objectives that you need to be knowledgeable in.

Read and/or be very familiar with the following NIST & OMB documents:
- NIST 800-37
- NIST 800-53
- NIST 800-53A
- NIST 800-64
- NIST 800-30
- NIST 800-100
- NIST 800-83
- NIST 800-53
OMB circular A-130
Privacy Act of 1974
FISMA Act of 2002
**The full list of documents & regs to be familiar with are located in CAP CIB

Another great resource is practice tests. Ucertify.com has GREAT content for the CAP, some of the best you will find for the Certified Authorization Professional.

Areas to Spend a LOT of time on:

I would definitely know and fully understand the Risk Management Framework (800-37). You need to know the tasks on each of the six steps of the Risk Management Framework (800-37). System Development Lifecycle is also HUGE on this test(800-64). I would know how Risk Management Framework lines up with SDLC and Risk Assessment process (800-37, 64, 30). Risk Assessment process, Risk Management Framework and SDLC are all interconnected. You should know how they work together. Tasks that are done at each stage and step in all those process and what role does each task is a need to know. Roles and Responsibilities should be fully understood and memorized. Although everyone of the steps in the Risk Management framework are covered pretty good, I feel like the following two steps were beaten to death: Continuous Monitoring & assessments (security control assessor)

The test is computer based and randomized so you might get a completely different set of subject areas. Your best bet is to study what is in the CAP-CIB and use a bunch of practice tests.

What I DID NOT see on the Exam:

I was surprised not to see anything on the NIACAP, DIACAP, FITSAP, DCID 6/3 and DITSCAP. I was fully expecting it and prepared for it. Many of the practice test go on and on about Project/Program Management subject areas. But the only question I recall on that had to do with knowing the role of a Program Manager… thats about it.

Pro & CON on the ISC2 CAP Cert

CONS: I feel like the CAP is currently (2011) not in great demand. If you do a search on any job database (monster, indeed, simplyhired) you see that there are not many employees listing it as a requirement. For example, a 2011 search on isc2 CAP anywhere in the US gives 49 results — http://jobsearch.monster.com/search/?q=isc2-cap
I also think that the certification is WAY over priced. Its $419 which I think is even more than the ISC2 CISSP concentrations.
There is almost no study material for it.

PROS: Covers very important risk management framework material. Its computer based, so the results are instant. Its good lead up and practice for the ISSEP. The ISSEP covers a lot of what is in the CAP. NIST will get increasingly more important as DoD, NSA and other national security system agencies take on the NIST.

*CAP Exam: CAP certified people in the world (circa 2011):
Canada 6
Germany 1
Korea, Republic of 2
Puerto Rico 2
United States 997
reference: https://www.isc2.org/member-counts.aspx#cap

**Certification Authorization Professional Candidate Information Bulletin is on ISC2.org. May have to be a member to get the document

Dear Friend,

Thank you so much for your response to my email. It is only natural that you be a bit apprehensive haven received such a mail from somebody that you barely know. Therefore I would want to start by properly intimating you of who I really am. My name is Ho Chen Tung Foreign operations Hang Seng Bank Ltd. (Hong Kong). Moreover, I believe that you will be anxious to know the kind of business proposition that I have in stock for you. Well, I am soliciting your assistance to be able to transfer a huge amount of money US$21,300,000.00 from my bank that is lying idle with no one ever coming to lay claim to it. Before I go ahead let me tell you how the funds came into existence in the first place.

We had a client sometime ago by the name of Mr. Fayez Abdulaziz Abiri from Iraq and he was a member of the Iraqi forces and also a business man. He made a fixed numbered deposit with a value of US$18,796,000.00 only for 24 calendar months in my branch and this was before the USA and Iraq war.

When the 24 calendar months elapsed, we sent a notification to him so he will advice if still want to extend his term of deposit or not but we did not hear from him. After sometime we tried contacting him again and still there was no reply from him. As his banking officer, I decided to carry out my own investigation as to the where about of Mr. Fayez Abdulaziz Abiri only to find out Fayez Abdulaziz Abiri had died of Kidney infection at Mukaradeeb where his personal oil well was.

It is obvious that you would now want to ask if Mr. Abdulaziz Abiri did not have a next of kin. Interestingly, he did not leave a next of kin on his official document. In fact I asked him some time ago if he was sure that he will not want to include a next of kin in our record and he told me that none of his relative is aware of the account and he wish that it remain so. And to date this money has accumulated interest. Therefore, nineteen million five Hundred Thousand United State Dollars is still lying in my bank and no one will ever come forward to claim it. However, according to the laws of my country at the expiration of six {6} years the funds will revert to the ownership of the Hong Kong Government if nobody applies to claim the funds. Against this backdrop, my suggestion to you is that I will like you as a foreigner to stand as the next of kin to Fayez Abdulaziz Abiri so that you will be able to receive his funds.

If you are interested in doing this business with me, please go ahead and contact me again with you full names, contact address and telephone numbers. I want you to know that I have carefully planned out the modalities of this business and I will be intimating you of it upon confirmation that you are willing to move ahead with me. You will be made the next of kin thereby putting you the position to inherit this huge amount.

Finally, I need you to know that I have evaluated the risk involved in this deal and I guarantee that if you follow my instructions religiously, it will be hazard free. As far as I am concerned it is worth undertaking and I implore you to come along with me because the reward will be great for both of us.

I anticipate hearing from you again soon and I hope it will be positive because I really want us to work together as partners in harnessing this once in a life time opportunity.

Regards.
Ho Chen Tung.

Thanks

Jim Ovia is a real person and Zenith Bank is a real Nigerian bank. There is a scam flooding the Internet using Zenith to profit.

Picture of Jim Ovia

Many scammers (definitely not all) on the Internet are from third world countries. The case listed below is a scam coming from West Africa. We can assume that the use of actual banks and people from Nigeria that this scam is based in Nigeria. The following scam alludes to a real bank in Nigeria called Zenith. It also mentions Jim Ovia, a real person, who is a former CEO of Zenith bank.

From Reader:

I have been sending money by Western Union a very large sum of money to a Jim Ovia of Zenth Bank for help in geting 2.5 millinon dollars. Now if I have not been dealing with this man someone else has beeing using his name and title.

I have read a Biography of Jim Ovia on the internet and after learing what
a wire transfer is I feel like I have been scamed bad cause I have been sending the money through Western Union.

nmw

Always research and double check unsolicited (and solicited) claims of wealth on the Internet and in your inbox. Most things are not what they appear to be on the Internet. Your trust should be hard earned especially on the ‘Net. Some signs of the foul play will include (but will not be limited to):

Use of free email such as .gmail and .hotmail: Remember scammers do not typically have the resources to devote to setting up an email box and website that looks legit so they will use everything free that they can.

BAD ENGLISH: If they have very poor grammar, it is an indication that they probably don’t have the education to be put in a place where they would be responsible for other people’s money particularly an English client.

Check the links of the email: Some emails look like the come from the real “paypal” or the real “Zenith Bank” but it is actually what is called “phishing”. The email has all the official logos and letterhead but the links lead to fake sites. If you look “under the hood” of the email, you will find the real URLs and IP address. You may also see the use of free email. If you go into the email and “Show Original” or “Show source” you will see where email actually came from, where it is being forwarded to and where the links go to.

If it looks to good to be true, it probably is. This is an axiom that is an unfortunate truth due to human greed and selfishness.

Head of Agency
The Head of Agency is also known as the Chief Executive Officer. This role is the highest level executive senior officer within an organization. They have ultimate responsible for the providing information security protection. The level of protection must be at the same level as the importance of the information. The Department of Defense equivanent is a DoD Head of component (i.e. Secretary of the Army).

image of secretary army john mchugh

Risk Executive Function
The Risk Executive Function’s main focus is the overall risk to the entire organization. They create a risk strategy for the organization that guides mission/business process and system-level risk assessments. The Risk Executive Function is and important role for Tier 1 activities of managing risk of information systems IAW NIST SP 800-39.

CIO
Chief Information Officer is an organizational official responsible for (1) designating a senior information security officer; (2) developing and maintaining information security policies; (3) ensure that those with responsibilities in system security have proper training.

Information Owner/Steward
“The information owner/steward is an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.” NIST SP 800-37 The Information Owner must coodinate with the Information System Owner (DoD PM equivalent) for decisions involving the overall system.

Senior Information Security Officer
The SISO is directly responsible to the CIO. They’re focus is the information security of the organization’s data. They act as a liaison between CIO and the Authorizing Official. The DoD equivalent (circa 2010) is known as the Senior Information Assurance Officer (SIAO).

Authorizing Official
AO formally accepts the risk of a system in the Implementation/Assessment phase of the System Development Lifecycle and Step 5, Authorization step of the Risk Management Framework.

Common Control Provider

“The common control provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls.” NIST SP 800-37. A common control is a security controls that covers multiple information systems within and organization. Examples of common controls: Incident Response, Network boundary protection (firewalls, IDS/IPS).

Information System Owner
“The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.” NIST SP 800-37

Information System Security Engineer
“The information system security engineer is an individual, group, or organization responsible for conducting information system security engineering activities.” NIST SP 800-37 The ISSE implements security into the design of systems. The ISSE is often a consultant or Subject Matter Expert who focus is applying information assurance frameworks and regulations in an information system.

Information System Security Officer
This role is initiated at the Initial phase of the System Development Lifecycle (SDLC). “The information system security officer
is an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the information system owner” NIST SP 800-37. This role has been called and Information Assurance Officer (IAO) within the Department of Defense. Within the DoD this role is appointed by the Information Assurance Manager (IAM). Also known as the Information System Security Manager (ISSM). The ISSM is often responsible to over site and being a supervisor of ISSO positions.

Security Control Assessor
“The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls” NIST SP 800-37.

The NIST & DoD have very similar roles with different names:

The increasing urbanity of modern information system allows the information and communication technologies to be utilized in different actions. In fact, the educational institutions are one of the leading users of computer applications in order to manage student data.

Student Record System (SRS) is a computer application that deals with the generation, collection, organization, storage, retrieval and dissemination of recorded knowledge. SRS provide capabilities for entering student information, building a student record and managing other student – related data needs in the school.

In the light of recent high profile cases there is increased emphasis being placed on all institutions to be able to demonstrate good record management. The effective management of records ensures sound decisions based on full, accurate and up-to-date information and by ensuring that the underlying principles behind those decisions can be traced, scrutinized and justified as necessary.

This breakthrough gave way to the development of databases which became useful for storing data for important information.
In the development of database management system, the organization of storage of data was prioritized. A DBMS controls the creation, maintenance and use of the database storage structures of educational institutions of their users. It allows institutions to place control of institution wide database development in the hands of Database Administrators (DBAs) and other specialists.

An SRS provide the following benefits:
1. It helps facilitate decisions about courses students should take and assist with problems that may arise
2. It assist with monitoring accountability and future planning
3. It helps teachers make instructional decisions and to obtain specific information that may assist in working with a student
4. It helps evaluate the success of various programs in a certain curriculum

Filipinocupid.com (also known as “philippine heart”, “filipino heart”, “filipina cupid”, or fc, fh for short) is a dating site. Although, philippine cupid is focused on Filipino men and women, there is huge presence of westerners there (mostly European & American males). The on line dating interface of the site is similar to the every grown genre of race specific dating sites (i.e. thai cupid, japan cupid, korean cupid, dominican cupid, columbian cupid, latina cupid, caribbean cupid and all the other cupid dating sites).

Philippine culture can be found among the profiles of the members, however the language on the site is almost exclusively English (with some spanish, french, italian and almost no tagalog). Western men will quickly see that they are the primary target of many (if not most) of the filipinas on filipino cupid. The same cannot be said of some of the other “cupid dating” sites.

Although the site is completely legitimate, popular and well done, members should be careful of the MANY date scams, romance scams and fake date profiles on the site.

NIST Special Publication 800-50, is a regulation dedicated to IA Awareness Training

NIST SP 800-5, Building an Information Technology Security Awareness & Training Program


The 800-50 includes guidance on development and sustainment of an awareness & training IT Security (aka information assurance training) program for all users, employees and supervisors within an organization. Having a training program is mandated by the Federal Information Security Act of 2002.

IA Awareness Training – Roles & Responsibilities

Agency heads – must ensure that high priority is given to effective security awareness and training for employees. Appoint a CIO
CIO – Establish overall strategy, funding, tracking and report is in place for the IT security awareness and training program
IT Security Program Manager – tactical deployment, development and maintenance of the IT security & awareness program.
Managers – responsible for complying with IT security awareness program. Work with CIO and IT Security Program Managers to share responsibility. Ensure all users are trained to fulfill their security roles before access is giving. Promote professional development and certification of the IT staff.
Users – largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors.


800-50 calls learning a “continuum”. The continuum of learning starts awareness and builds into education.
Awareness – awareness is not training. Awareness focuses on security concerns to ensure users are mindful of basic rules and issues in a given environment.


Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. – 800-50

Training – is a formal focused method to develop a skill for job performance.
Training strives to produce relevant and needed security skills and competencies – 800-50

Education – combines multidisciplinary areas into a common body of knowledge.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response. –800-50