Infosecurity Professional - Issue 9 - ISC
Issue number 9
An (ISC)² Digital Publication
www.isc2.org
Unlocking Security Awareness
Experts say that human behavior must be factored into information security awareness strategies.
Issue 9
2010 Volume 1
To view this issue online, visit www.isc2.infosecpromag.com
Cover illustration by Sashimi/theispot; above illustration by Curtis Parker/theispot

8  Experts say that information security professionals must consider human behavior when it comes to security awareness. By Maggie Starvish
14  Your organization probably has an incident response plan. But how do you know if it’s appropriate for all types of incidents? By Marie Lingblom
17  This article offers advice on how to convince your manager to send you to a conference, and what to do when you get there. By Chris Greco

3  From the desk of (ISC)²’s former Vice Chairperson. By Howard Schmidt
5  Read up on what (ISC)² members worldwide and the organization itself are doing.

19  Certifications can boost pay and career prospects for information security professionals. By Efrain Viscarolasaga
20  A convergence of physical and cybersecurity systems and solutions is taking place. By Lucius Lobo

InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)² on the issues discussed as of the date of publication. No part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)². (ISC)², the (ISC)² digital logo and all other (ISC)² product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. For subscription information or to change your address, please visit www.isc2.org. To order additional copies or obtain permission to reprint materials, please email infosecproeditor@isc2.org. To request advertising information, please email tgaron@isc2.org. © 2010 (ISC)² Incorporated. All rights reserved.
ISSUE NUMBER 9 INFOSECURITY PROFESSIONAL 1
Looking for a deal? Looking for career advice? Looking for free information?
Check out the hot deals and free resources at the (ISC)²® Market Square! Now available on the Online (ISC)² Resource Guide.
http://resourceguide.isc2.org
*** 2010 hardcopy also now available! ***
Management Team
Elise Yacobellis, Executive Publisher, 727 683-0782, eyacobellis@isc2.org
Timothy Garon, Publisher, 508 529-6103, tgaron@isc2.org
Marc G. Thompson, Associate Publisher, 703 637-4408, mthompson@isc2.org
Amanda D’Alessandro, Communications Coordinator, 727 785-0189 x242, adalessandro@isc2.org
Sarah Bohne, Director of Communications and Member Services, 727 785-0189 x236, sbohne@isc2.org
Judy Livers, Senior Manager of Marketing Development, 727 785-0189 x239, jlivers@isc2.org

Sales Team
Christa Collins, Regional Sales Manager, U.S. Southeast and Midwest, 352 563-5264, ccollins@isc2.org
Gordon Hunt, Regional Sales Manager, U.S. West Coast and Asia, 949 366-3192, ghunt@isc2.org
Jennifer Hunt, Events Sales Manager, 781 685-4667, jhunt@isc2.org

IDG Media Team
Charles Lee, Vice President, Custom Solutions Group
Amy Freeman, Project Manager, afreeman@isc2.org
Anne Taylor, Managing Editor, ataylor@isc2.org
Kim Han, Art Director
Lisa Stevenson, Associate Production Manager

Don’t forget to take the quiz and earn CPEs: http://bit.ly/9bcmfD
For a list of events (ISC)² is either hosting or sponsoring, visit www.isc2.org/events

Advertiser Index
CRC Press: p. 4
DRII: p. 16
IEEE: p. 6
ISACA: Back Cover
(ISC)²: Inside Front Cover; p. 13; Inside Back Cover
Norwich University: p. 11
Nova University: p. 7
SCIPP: p. 10
For information about advertising in this publication, please contact Tim Garon at tgaron@isc2.org.
Executive Letter
From the desk of the former (ISC)² vice chairperson

A Look at 2010’s Challenges
Howard Schmidt offers advice and areas of focus for information security professionals.

Prior to taking on his new role as U.S. White House Cybersecurity Coordinator, Howard Schmidt spoke with InfoSecurity Professional about information security issues and challenges for the year ahead.

There are several key issues that I think are, or should be, top of mind for information security professionals this year.

One of the major problems we’re dealing with is vulnerability management. There are more vulnerabilities, usually in software, than we can possibly manage. We need to do what we can to identify and remediate these weaknesses before they are exploited, but we also need to create next-generation software to reduce the potential for vulnerabilities. Our Certified Secure Software Lifecycle Professional (CSSLP®) credential is a powerful first step toward ensuring that new software is resilient and secure.

Another area of focus should be on moving the security battlefield from end users to us, the professionals. We can’t expect end users to be security experts, able to distinguish among the conflicting messages they receive. For example, we tell our colleagues not to click on suspicious links; but then they get e-mails that look to be from someone they know—perhaps a LinkedIn invitation—and those messages contain malware. We must help end users to be aware of security issues. And we need to put mechanisms in place to protect our systems and data.

We’re fortunate to have a variety of operating systems and tens of thousands of applications to get work done, even on mobile devices. In this diverse environment, we have to provide consistency, protect privacy, increase security and reduce malware incidents. To do this, we must implement best practices when we build and deploy applications and systems.

Strong authentication is also critical. We must move from static user identity and passwords to an environment where two-factor identity is the standard.

Finally, we need to take a global view of cybercrime. International investigations must become more fluid and cooperative. We need to send a clear message that we will find, prosecute and convict cybercriminals (whose resources and abilities are better than ever and rapidly improving). We must do our best to keep the bad guys out; but if they get in, we must protect any evidence for prosecution.

It will be another challenging year. I encourage you to network with your peers and share your ideas to make this world a safer place.

Sincerely,
Prof. Howard A. Schmidt
CISSP, CSSLP, Fellow of (ISC)²
Former Vice Chairperson of the (ISC)² Board of Directors
Always Evolving Resources from Auerbach / CRC Press
– publishers of the Harold Tipton Certification Book Series –
While today’s info-security threats may be bolder and more complex, we have the tools, resources, and expertise to keep you more than a step ahead of any sort of malfeasance, whether it comes from outside or within.

Vulnerability Management
Park Foreman, GroupM, New York
Shows how much easier it is to protect against a threat than to clean up in the aftermath of an attack.
Catalog no. K10093, August 2009, 347 pp., $79.95 / $63.96

Data Protection: Governance, Risk Management, and Compliance
David G. Hill, Mesabi Group LLC, Westwood, Massachusetts
Discusses existing and emerging data protection technologies, including for cloud computing, storage tiering, server virtualization, and green computing.
Catalog no. K10353, August 2009, 330 pp., $69.95 / $55.96

Cyber Fraud: Tactics, Techniques and Procedures
James Graham, Verisign iDefense Security Intelligence Services, Dulles, Virginia
Exposes the patterns and operations of the cyber criminal with an insider’s look.
Catalog no. AU9127, April 2009, 520 pp., $79.95 / $63.96

Information Security Management: Concepts and Practice
Bel G. Raggad, Pace University, Pleasantville, New York
Illustrates how to conduct audits that conform with ISO 17799 and the new ISO 27001.
Catalog no. AU7854, January 2010, c. 568 pp., $79.95 / $63.96

The Executive MBA in Information Security
John J. Trinckes, Jr., Hampton, Florida
Allows busy executives to get up to speed on what it takes to develop an effective, efficient info security program.
Catalog no. K10501, October 2009, 352 pp., $69.95 / $55.96

Information Security Management Handbook, 2009 CD-ROM Edition
Edited by Harold F. Tipton, CISSP, HFT Associates, Villa Park, California, and Micki Krause, CISSP, Pacific Life Insurance Company, Newport Beach, California
Includes all three volumes of the sixth edition print version plus material that has never appeared in print.
Catalog no. AU0984, July 2009, CD-ROM, $199.95 / $159.96

Order securely online at www.crcpress.com • Free Standard Shipping on All Orders
*Enter promo code 601LA at checkout to receive your discount. Offer good through January 31, 2010
(ISC)² Member News

(ISC)² Hires First ISO
Illustration by Yewkeo
(ISC)² recently made Christopher Trautwein, CISSP, CISM, its first information security officer. Previously, Trautwein was an IT consultant for (ISC)² and played an integral role in the organization’s customer relationship management project. In his new role, he is responsible for the protection of all of (ISC)²’s data privacy and security policies. Trautwein has more than 14 years of experience in information security. Before joining (ISC)², he served as a director for Sunera LLC in its Information Security and Network Services consulting practice, and as senior security engineer for Check Point Software Technologies and RISCmanagement.

A Presidential Appointment
(ISC)² is proud to announce that one of its board members, Prof. Howard A. Schmidt, CISSP, CSSLP, Fellow of (ISC)², has been named the U.S. White House Cybersecurity Coordinator. Schmidt, who has served on (ISC)²’s board since 2004 and was vice chairperson of the board in 2009, will oversee cybersecurity activities across the U.S. government.

“Howard will have regular access to the President and serve as a key member of his National Security Staff,” said John Brennan, Assistant to the President for Homeland Security and Counterterrorism, in a statement. “He will also work closely with his economic team to ensure that our cybersecurity efforts keep the Nation secure and prosperous.”

“(ISC)² has worked together with Howard on many important global and national information security workforce initiatives throughout the years and has always valued his insight and counsel,” said W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director for (ISC)². “We look forward to working with Howard in his new role as he undertakes the critical task of developing the government and national information security workforce program.”
Volunteer Session at RSA
Are you interested in educating children in your community about how to protect themselves online, all while earning CPEs? Then join (ISC)² at the Safe and Secure Online Volunteer Education Session at the RSA 2010 Conference in San Francisco on March 3 from 5-6 p.m. PST to find out how to become a volunteer. You’ll also get an overview of the presentation materials that current program volunteers deliver in classrooms. Other benefits include:
■ The in-person session can be attended in lieu of completing the online preparation video and passing the quiz afterward.
■ The session will be conducted by (ISC)²’s volunteer mentor for the U.S. Safe and Secure Online program.
■ There will be opportunities to ask questions and get advice from program volunteers and (ISC)² staff.
■ Attendees earn one CPE.
■ There will be complimentary snacks and refreshments.
To sign up, e-mail safeandsecure@isc2.org with your first and last name and (ISC)² member number.
New Milestone
(ISC)² has now reached the 10,000-member mark in the Asia-Pacific region.
Have you gained access to Biometrics Certification?
Access is now being granted to qualified Biometrics Professionals.
IEEE, along with some of the world’s leading biometrics experts, has developed a new certification and training program for biometrics professionals and their organizations. The IEEE Certified Biometrics Professional™ (CBP) program focuses on the relevant knowledge and skills needed to apply biometrics to real-world challenges and applications.
Certification: Earning the IEEE CBP designation allows biometrics professionals to demonstrate proficiency and establish credibility.
Training: The IEEE CBP Learning System combines print materials and interactive online software – ideal for job training, professional development, or preparing for the CBP exam.
To gain access to more details, visit www.IEEEBiometricsCertification.org.
Up-To-The-Minute News
You can follow (ISC)² on Twitter and YouTube:
www.twitter.com/isc2
www.youtube.com/isc2tv
The password to your future is NSU.

designated a National Center of Academic Excellence in Information Assurance Education by the U.S. government since 2005
pioneer of online education since 1984
earn your graduate certificate, master’s degree, or Ph.D. degree in information security
IEEE members receive tuition discounts

Computer Science
Educational Technology
Information Security
Information Systems
Information Technology

Apply today and advance your career.
scisinfo@nova.edu
www.scis.nova.edu/isc
Our beautiful, 300-acre main campus
Nova Southeastern University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools (1866 Southern Lane, Decatur, Georgia 30033-4097, Telephone number: 404-679-4501) to award associate’s, bachelor’s, master’s, educational specialist, and doctoral degrees. • Nova Southeastern University admits students of any race, color, sexual orientation, and national or ethnic origin.
Illustration by Eugenp/Shutterstock
Sherri Davidoff used to rob banks. She’d get up in the morning, put on a nice business suit, walk into the heavily secured offices of large financial institutions and walk out—through the front door—with their computers.

Davidoff isn’t a felon, however; she’s a principal in the Montana office of Lake Missoula Group LLC, a security consulting firm specializing in penetration testing, forensics, network assessment and security awareness training. Her “thefts” were tests of the strength of banks’ security systems, and they serve as a reminder of just how weak those systems can be.

One day, technology may make it impossible for a thief to pick up and walk off with a computer. That fact doesn’t necessarily mean future computers will be any more secure than today’s are. That’s because there’s something technology can’t control: the human element.

“Technology for the most part doesn’t fail,” says Dow Williamson, CISSP, CSSLP and executive director of SCIPP International, which develops, delivers and manages security awareness credential and certification programs. “It’s the human being that causes the problem,” he says.
The human concept of acceptable behavior, for example, played a big role in the success of Davidoff’s bank larcenies. “We’ve been trained since we were young to hold the door for people,” she says. “We feel bad letting [it] slam on them.” Likewise, it can feel awkward to confront a young, well-dressed female who looks like she belongs—even if she is walking out the door with an office computer.
“The human being is the most precious asset a company has, and the most dangerous thing,” says Martin Smith, founder of The Security Company (International) Ltd., a U.K.-based firm that helps implement security awareness campaigns to achieve long-term, sustainable changes in employee behavior.

There isn’t a computer program in existence that can counter human nature, but there are ways to address the effect of human nature on the security of your organization’s information. What follows is a look at what works and what doesn’t when it comes to the human side of technology.
Where We Go Wrong

Geordie Stewart, an IT security consultant with London-based Risk Intelligence, which specializes in information security management, took a close look at the human factor in his thesis for the Master of Science degree at Royal Holloway college, Maximising the Effectiveness of Information Security Awareness Using Marketing and Psychology Principles.

“There are three main problems with how information security awareness techniques are commonly implemented,” he says.

The first problem revolves around awareness versus culture. “Information security awareness is based on a narrow assumption that if only someone was aware of the risk or threat, then their behavior would change,” Stewart says. “The reality is that people may well be aware of the risk but feel constrained by other factors, such as entrenched business culture.”

The second problem is that information security professionals don’t realize information security awareness is all about marketing—targeted marketing: Mouse mats and motivational posters don’t cut it. “Unfortunately, it’s much easier to roll out screen savers with messages cut and pasted from the organization’s security policy,” Stewart says. What does work are campaigns involving “audience research, careful targeting of communications, and measuring the outcome,” he adds.

It’s in measuring outcomes that the third problem lies. “The benefit of awareness campaigns isn’t actually awareness,” Stewart says. “The benefit is in someone behaving differently in a way that benefits the organization’s overall risk profile.” In other words, knowing an employee is aware of a company’s password policy isn’t the same thing as knowing whether he or she follows it.
Smith thinks the problem with implementing information security isn’t so much in the method used as in the fact that it’s information security professionals doing the implementing. “You’re asking computer people to solve a people problem, which doesn’t make sense,” he says. “I am tired of dealing with CISOs who don’t understand the need of addressing the people part of it.” In addition, as the techniques of criminals get simpler, the ways in which organizations respond get more complex: “The patient is dying of the common cold due to poor nursing, and yet the doctors are concentrating on brain surgery,” he explains.
“Humans are part of the IT infrastructure, and the big mistake we’ve been making so far is to consider them separate,” Davidoff says. She places more of the blame on business executives, however. “The problem with managing employees is managing the motivation of the company itself,” she says. And at this point, many companies are motivated to create policy—not enforce it. “They’re still in the position that if numbers get stolen and nobody finds out about it outside of the organization, they don’t care—because they don’t have an incentive to,” she adds.
How To Get It Right

Although it’s impossible to write a string of code that will stop someone in marketing from spilling company secrets, there are ways to address the human side of security. Stewart recommends using psychology—specifically,
operant conditioning—to promote real behavioral change.

In layman’s terms, operant conditioning is like the carrot-and-stick model of reward and punishment for behavior: You push for information security compliance by either punishing bad behavior or rewarding good. Operant conditioning shows that the effects of punishments and rewards are not symmetrical. Punishments must be consistently applied to be effective, whereas rewards can still be effective even if they are rare or intermittent.
Stewart posits that you’re better off focusing on rewards. “Fear and the threat of sanctions are incentives not to report incidents,” he says. Another problem with the stick approach is that the punishment must be consistent to be effective—something that can be tough for many organizations. “Noncompliance may be difficult to detect, or punishment may not be viable for some user groups, such as customers,” Stewart says. “The use of praise or reward offers an organization a way of avoiding expensive auditing systems to consistently detect noncompliant behavior,” he says.

Williamson agrees the carrot is the better option. “Rather than saying, ‘If you do this bad thing, here’s what will happen,’ we have found just the opposite to be effective,” he says. Take passwords as an example: Instead of punishing employees for using “12345” as a password, he recommends providing examples of what good passwords are—and rewarding employees who then follow those examples.
It’s helpful to appeal to employees on a human level. Such security training “should describe how it will benefit the employee personally as opposed to the company,” Williamson says. “The same security countermeasures or the same best business practices that you’re asking your employees to practice at work—they should really practice those in their homes as well.” Rather than tell users to be wary of unfamiliar e-mail because it could negatively affect the company’s bottom line, explain to them that such behavior will ultimately affect their own.

Smith uses similar tactics, but takes things a step further, appealing to a person’s social position. “Breaches in the U.K. in the last few years have made people anxious,” he says. “They don’t want to be the ones who have done things wrong. So you say to them, ‘You don’t want to be the one to screw up.’” Overall, Smith believes it’s important to treat workers with respect: “They’re not crooked or harmful; they’re just busy and ignorant,” he says.
Incentives are another driver of behavioral change. “We have a society where people get up and go to work and do the same things every day because incentives are in place to make them want to do that,” Davidoff says. “Those incentives aren’t in place for making them want to behave in a secure fashion around IT.”

To illustrate her point, she offers this example: The cultural acceptance of the practice of washing one’s hands to prevent infection took hundreds of years to develop because there wasn’t an instant, personal, negative consequence to not washing them. “It’s the same with computers,” she says. “When you click on [an infected] picture of [actress and singer Jennifer Lopez], your computer doesn’t immediately blow up; it maybe gets a bit slow. Someone else’s information gets stolen, and it never comes back to hurt the individual person.”

Taking Awareness Action

But it doesn’t have to take hundreds of years to get employees to prevent the spread of spam or malware. “Security works best when people are unaware of it,” Davidoff says.

Davidoff recommends using awareness training. For example, organizations hire her to “phish” their employees. She tells personnel about the exercise ahead of time, but not when it will actually occur. Employees are told in advance that they’ll be rewarded if they don’t fall for her scam. Interestingly, the incentive model works both ways: One of the tactics Davidoff uses to entice people to click on her phony e-mails is to offer them a free iPod if they do.

“The key message is know your audience,” Stewart says. He recommends researching personnel statistics to see which demographics have the potential for creating the most risk—allowing you to, for example, direct more of your security training resources to the 20-year-old males in the organization, as opposed to 50-year-old females.

“If you don’t know who exactly is causing the risk, what their perceptions are and how they best communicate, then your awareness activities will be like golfing in the dark.”
— Geordie Stewart, IT security consultant, Risk Intelligence
“Many information security professionals fail to recognize that information security awareness is, in fact, a marketing campaign,” Stewart adds. “Marketing campaigns involve audience research, careful targeting of communications, and numerous ways of measuring outcomes. Branding a mouse mat with a generic information security message of the day doesn’t achieve any of these.”

Security professionals also should examine attitudes and beliefs in their organization that support or undermine compliance. “Is there a belief that antivirus [software] completely protects you from the Internet? Is there an attitude that it’s acceptable for employees to store personal content on their work computers?” Stewart asks. Getting information security compliance is that much harder when employees have different ideas of what information security is at the outset.
As for metrics, information security<br />
professionals must move away from<br />
asking compliance-related questions to<br />
gauge the success of a security campaign.<br />
“Did you see the poster?” and “Have you<br />
read the policy?” are questions whose<br />
answers are poor predictors of behavior.<br />
“Instead, quantifiable metrics need<br />
to be found that are related to the actual<br />
behavior that causes risk. For example,<br />
if you’re conducting an awareness campaign<br />
on password-sharing, then you<br />
need to find a way to measure concurrent<br />
logons in the systems you are trying<br />
to protect,” Stewart says.<br />
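As an added example (not from the article), the concurrent-logon metric Stewart describes, derived from logon and logoff records: the log format, account names and records below are constructed for the example, and the peak-concurrency number is what a password-sharing campaign would aim to drive down.<br />

```python
"""Added example (not from the article): measuring concurrent logons as the
behavioural metric for a password-sharing awareness campaign.  The record
format and the sample records are constructed; adapt parse_records() to the
real source (for example Windows logon/logoff events or a VPN log)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, event, account, host.
SAMPLE_LOG = """\
2010-03-01T08:58:10 LOGON  user=jsmith  host=WS-104
2010-03-01T09:02:11 LOGON  user=jsmith  host=WS-221
2010-03-01T09:05:40 LOGON  user=akumar  host=WS-310
2010-03-01T09:20:05 LOGON  user=jsmith  host=LAPTOP-07
2010-03-01T09:31:00 LOGOFF user=jsmith  host=WS-104
2010-03-01T10:00:00 LOGOFF user=akumar  host=WS-310
2010-03-01T10:04:12 LOGON  user=akumar  host=WS-310
2010-03-01T11:15:00 LOGOFF user=jsmith  host=WS-221
2010-03-01T11:16:00 LOGOFF user=jsmith  host=LAPTOP-07
2010-03-01T12:00:00 LOGOFF user=akumar  host=WS-310
this line is deliberately malformed and must be skipped
"""

RECORD = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGON|LOGOFF)\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)$"
)


def parse_records(text):
    """Yield (timestamp, event, user, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["host"])


def peak_concurrent_hosts(text):
    """Return {user: peak number of distinct hosts logged on at the same time}.

    A LOGOFF for a host with no open session is ignored, and a second LOGON on
    an already-open host does not raise the count, so someone who merely
    re-logs on the same workstation is not counted as sharing a password.
    """
    open_hosts = defaultdict(set)
    peak = defaultdict(int)
    for ts, event, user, host in sorted(parse_records(text)):
        if event == "LOGON":
            open_hosts[user].add(host)
            peak[user] = max(peak[user], len(open_hosts[user]))
        else:
            open_hosts[user].discard(host)
    return dict(peak)


def sharing_candidates(text, threshold=2):
    """Accounts whose peak concurrency reaches the threshold.

    Tracking how many accounts appear here, before and after the campaign,
    measures the behaviour itself rather than whether anyone saw the poster.
    """
    return sorted(u for u, n in peak_concurrent_hosts(text).items() if n >= threshold)


if __name__ == "__main__":
    for user, n in sorted(peak_concurrent_hosts(SAMPLE_LOG).items()):
        print(f"{user}: peak {n} concurrent host(s)")
    print("candidates:", sharing_candidates(SAMPLE_LOG))
```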
Finally, take a close look at communication:<br />
what style works best for your<br />
organization? A good security awareness<br />
campaign has its resources concentrated<br />
on areas of the most benefit,<br />
with format and presentation adjusted<br />
accordingly. For example, some audiences<br />
prefer to ask questions, while<br />
some just want the facts.<br />
“Organizations must decide which<br />
user behavior they most care about and<br />
focus their efforts to control that risk,”<br />
Stewart says. “If you don’t know who<br />
exactly is causing the risk, what their<br />
perceptions are and how they best communicate,<br />
then your awareness activities<br />
will be like golfing in the dark.<br />
You’re not sure what you’ve<br />
accomplished, your caddy is tired and<br />
everyone just wants it to be over so they<br />
can go home.”<br />
Hackers the world over understand<br />
how human nature affects employee<br />
behavior; it’s time information security<br />
professionals did, too. “We’re coming<br />
around to needing a balance between<br />
technological countermeasures and<br />
change in behavior countermeasures,”<br />
says Williamson.<br />
Maggie Starvish is a freelance editor and<br />
writer based in Massachusetts.<br />
12 InfoSecurity <strong>Professional</strong> ISSUE NUMBER 9
You’ve probably developed, or are part of, an information<br />
security incident response strategy. However, are you sure<br />
your response is appropriate? asks Marie Lingblom.<br />
Security incidents vary in size and scope,<br />
from a single employee downloading pornography on a<br />
company computer to a sophisticated hacking organization<br />
breaking into server banks to scoop up sensitive corporate<br />
data. So, how do you know whether you have the right<br />
response ready?<br />
There isn’t one single solution or path, says Rob Lee, director<br />
of MANDIANT, an information security company in<br />
Washington, D.C. that works with private and government<br />
organizations on issues ranging from vulnerability auditing<br />
to the implementation of incident response policy programs.<br />
“We’ve essentially been told, even from the vendors, that all<br />
you need to do is buy your appliances, set up your lines of<br />
defense from the perimeters and you’ll be fine,” he says. “But<br />
that’s not true. It’s much more complex than that.”<br />
One of the best ways to gauge the appropriateness of your<br />
incident response plan is to practice, practice, practice. “It’s<br />
always amazing to me that, especially compared with disaster<br />
response and recovery, you don’t see a whole lot of companies<br />
that will do something as simple as a quarterly, or even annual,<br />
dry run (of their incident response plan),” says Jim Hansen,<br />
managing director at Mansfield Sales Partners, a business sales<br />
consulting company. “To make those decisions in the heat of<br />
battle is really tough, and the stakes are just too high.”<br />
First Things First<br />
Rich Baich, CISSP, CISM, and principal<br />
at Deloitte & Touche LLP, was CISO with<br />
data broker ChoicePoint in 2005 when a<br />
significant case of fraud at the company<br />
unleashed a firestorm.<br />
Baich says the fraud stemmed from a<br />
Nigerian national who entered the U.S.<br />
illegally and obtained a business license<br />
using doctored phone and utility bills, and<br />
then became a valid user of ChoicePoint’s<br />
credit service. Once he was an authorized<br />
customer, he was able to access enough<br />
personal information—such as names,<br />
addresses and Social Security numbers—<br />
to carry out malicious, fraudulent acts<br />
including identity theft.<br />
“That was a direct relationship with<br />
someone who became a valid user of<br />
credit services,” says Baich. “And it was<br />
one of the shots heard around the world.”<br />
Published reports indicate the breach<br />
compromised the information of an<br />
estimated 163,000 people and resulted in<br />
800 cases of identity fraud. ChoicePoint<br />
was ordered to pay $10 million in civil<br />
penalties, and $5 million to consumers.<br />
One of the biggest lessons Baich<br />
learned: to institute an appropriate incident<br />
response and assemble the best<br />
team, you must clearly spell out what an<br />
incident is. “How an organization defines<br />
an incident is at the core of how they<br />
develop a response program,” he says.<br />
Brandon Dunlap, managing director<br />
of research at Brightfly, an information<br />
security advisory and research firm,<br />
agrees. He suggests defining each type of<br />
incident—from an employee participating<br />
in online gambling at work to a major<br />
denial-of-service attack—and then using<br />
those definitions to create a “triage map.”<br />
The map should describe each type of<br />
incident, the individuals or teams who<br />
should be involved in the response, and<br />
the processes included in the response.<br />
“The point of the triage map is to<br />
ensure that your countermeasures are<br />
commensurate with what is at risk,” says<br />
Dunlap. An employee downloading pornography,<br />
for example, would not likely<br />
carry the same risk as a hack attack on<br />
the company servers.<br />
Early Detection is Critical<br />
Once your plan is defined, you should<br />
focus on early detection.<br />
In the past year, MANDIANT has<br />
responded to approximately 40 incidents<br />
involving everything from finance-related<br />
attacks to advanced persistent<br />
threats that are extremely complex in<br />
nature and that attack both commercial<br />
and government systems. If you want<br />
to catch these “cancers” early, Lee says,<br />
“50 percent of your time and discussions<br />
should be focused on determining<br />
whether you are detecting properly.”<br />
Typically, law enforcement is first to<br />
detect a data breach and report it to a<br />
business—and often the first to leak it to<br />
the press due to data breach notification<br />
laws. Lee suggests building relationships<br />
with law enforcement now, rather than in<br />
the midst of an incident. A side benefit is<br />
that they may be working on cybercrime<br />
investigations, and this knowledge could<br />
better help you prepare.<br />
But so much the better if your company<br />
is able to detect an incident first.<br />
Early internal detection gives you control<br />
in terms of mitigating damage to<br />
your business, partners and customers.<br />
(For instance, negative press surrounding<br />
the ChoicePoint incident harmed<br />
the company’s reputation and led to an<br />
immediate 10 percent drop in its stock<br />
value.) “You must have individuals manning<br />
your systems who are truly dedicated<br />
to monitoring your network for<br />
potential evil that is out there and running<br />
rampant,” says Lee.<br />
Lee suggests housing all applications<br />
and resources in one building. This centralized<br />
approach requires a cultural shift<br />
and “a ton of work,” he adds. For instance,<br />
the infrastructure group often manages<br />
company firewalls, while the security<br />
group manages intrusion detection centers.<br />
“These two groups don’t typically<br />
talk to one another,” Lee says. “So how<br />
can you correlate data between them?”<br />
Letting go of certain gear and services<br />
is a necessary part of the process.<br />
“When [someone else] takes over it can<br />
be like swallowing a bitter pill, but it’s the<br />
only way to effectively monitor your network,”<br />
says Lee.<br />
The Response Team<br />
Hansen advises putting together a security<br />
team that works together seamlessly<br />
and executes quickly because “time is,<br />
frankly, your enemy.” The more time<br />
passes, the more information criminals<br />
can access in your systems—and the<br />
more damage they can do.<br />
The Ingredients to Incident Response<br />
Rich Baich, principal at Deloitte & Touche LLP, says organizations are more proficient at<br />
declaring and responding to incidents because they do a better job of fusing disparate<br />
data. According to Baich, the next level of maturity requires an organization to have<br />
appropriate intelligence collection techniques in place to collect data and perform<br />
analysis to be proactive in their approach rather than reactive. He defines appropriate<br />
incident response as the practice of detecting a problem, determining its cause,<br />
minimizing the damage it causes, resolving the problem, and documenting each step<br />
of the response for future reference.<br />
“Keep it simple, and check off each box as you respond to these incidents. That allows<br />
you to gather a proper chain of evidence if there’s a need to prosecute someone,” he says.<br />
“Good, diligent practices not only demonstrate a focused response, but also allow you to<br />
go back and review for lessons learned, or identify critical steps that were missed.”<br />
Following are what Baich considers essential steps for an immediate data breach<br />
response action plan:<br />
1. Assemble the response team<br />
2. Review and evaluate the report prepared by the investigation team<br />
3. Isolate and contain the incident<br />
4. Determine the level of severity<br />
5. Assess the legal and financial consequences<br />
6. Implement escalation and notification procedures<br />
As an example, Hansen describes a<br />
client he has worked with over the past<br />
several years that continues to be the<br />
target of serious efforts to break into<br />
its network by persons outside the U.S.<br />
“One of the things that I don’t think any<br />
organization anticipates, and it shows in<br />
this case, is how long this response and<br />
recovery effort really takes,” he says. “It<br />
can go on for ages if the attacker is determined,<br />
persistent and has a goal for getting<br />
in there.”<br />
Include people from key business and<br />
technology areas from the top to the bottom<br />
of the company when building the<br />
team, but for agility’s sake only include<br />
employees who have specific roles and<br />
tasks. You should also consider involving<br />
people who can manage the appropriate<br />
notification of partners, customers and<br />
law enforcement.<br />
The goal should be to simplify your<br />
response team, Baich says. Key to that is<br />
having an inventory of the appropriate<br />
skills of team members—data reporting,<br />
data collection and analysis—and<br />
multiple ways to communicate, such as<br />
e-mails, instant messaging, handheld<br />
devices, etc. Call on an outside vendor if<br />
you don’t have the appropriate skills in-house,<br />
says Baich.<br />
As for who leads the team, Baich suggests<br />
a seasoned business executive with<br />
some operational background. “That’s<br />
not necessarily the CISO because the<br />
incident may not be a technology issue,”<br />
he says. The ChoicePoint incident is a<br />
good example of that distinction.<br />
LAW & INDUSTRY SUPPORT<br />
Businesses should tap into information<br />
from investigations and reports on<br />
trends in cybercrime from law enforcement<br />
resources. For example, the U.S.<br />
Department of Justice, the U.S. Postal<br />
Inspection Service, the U.S. Secret Service<br />
and the Federal Trade Commission<br />
collaborate on public efforts to combat<br />
cybercrime. They also work with<br />
international partners such as Interpol,<br />
an international police organization<br />
with working groups on cybercrime in<br />
Africa, the Americas, Asia, the South<br />
Pacific, Europe, the Middle East and<br />
North Africa.<br />
Equally as important, says Lee, is to<br />
know what your peers are doing. The<br />
financial services industry, for instance,<br />
has formed a variety of groups (such as<br />
the Financial Services Technology Consortium)<br />
in response to severe and frequent<br />
breaches. Other examples include<br />
the Business Software Alliance and the<br />
Software and Information Industry<br />
Association. These groups share information<br />
and ideas to help deal with and<br />
protect against data breaches.<br />
“You definitely want to get involved<br />
with other groups and hear viewpoints<br />
of other organizations, particularly when<br />
it comes to the complexities of the ethical<br />
and legal sides of this issue,” says Lee.<br />
“It’s safe to assume you’re not the only<br />
one dealing with this, and there’s a lot out<br />
there in terms of best practices that can<br />
be learned.”<br />
Marie Lingblom is a freelance technology<br />
editor and writer based in Massachusetts.<br />
Conference Calling<br />
Here’s how to convince your manager to send you to a<br />
conference—and what to do when you get there.<br />
By Chris Greco<br />
For many information security professionals,<br />
attending conferences and tradeshows is part of the job. These events provide<br />
opportunities to learn about new technology, practices, techniques and systems,<br />
and the chance to meet and share experiences with peers.<br />
But conferences can be tiring when there are back-to-back sessions and workshops.<br />
And if your company has limited the amount of time you can be at the<br />
event, the pressure builds to get the most out of the experience—especially if<br />
you’re expected to report back to colleagues on the latest news and trends.<br />
Here are some simple steps to get the most out of conferences and assure your<br />
manager that attending them is truly beneficial to the workplace.<br />
Get Prepared<br />
Take a look at the agenda ahead of time (it’s usually on the conference Website; if<br />
not, contact the organization by phone) and highlight any sessions that interest you<br />
and/or may be of interest to your workplace. Share the agenda with your manager<br />
and explain how the sessions will enhance your contributions to the company.<br />
If possible, review the attendance list and point to other attendees in your area<br />
of specialization. Be careful—this is a double-edged sword. Your manager may<br />
decide to just get the conference notes from other attendees, which means you<br />
will need to prove why your notes will be better.<br />
Get Involved<br />
If the conference is calling for individuals to present papers, submit a paper—it<br />
gives you the opportunity to show your manager that you are committed. I have<br />
submitted and presented papers on topics ranging from project management<br />
to password security.<br />
If your paper doesn’t make the cut, you can volunteer in<br />
other ways. Conferences may allow individuals to edit papers,<br />
make speaker introductions and/or perform administrative<br />
duties. These tasks help keep the conference costs down and<br />
give others the opportunity to get involved.<br />
Each year, (<strong>ISC</strong>) 2 participates in more than<br />
50 conferences and trade events around the<br />
world. On behalf of its members, (<strong>ISC</strong>) 2 works<br />
with the organizers of each event to secure the<br />
most valuable discounts available for attendees. To<br />
learn more about these discounts and obtain the<br />
application codes, visit www.isc2.org/events and<br />
search for events in your region. Typically, multiple<br />
discounts cannot be combined.<br />
In addition, (<strong>ISC</strong>) 2 Security Leadership<br />
events are free for members. Upcoming<br />
dates include:<br />
San Antonio, TX: March 16<br />
Philadelphia, PA: April 8<br />
Chicago, IL: May 11<br />
Washington, D.C.: May 24 and 25<br />
Visit www.isc2.org/events for updates<br />
on Security Leadership events in Boston,<br />
Dallas, Baltimore, Seattle, Marina del Rey<br />
and Charlotte later this year.<br />
Get Networking<br />
It’s important to build your contacts at conferences, not only<br />
for the long-term growth of your career, but also for day-to-day<br />
technology and information security advice. Here are some<br />
easy ways to meet new people:<br />
• Almost everyone will have a name tag with their company’s<br />
name, too. Use that as a conversation starting point. For<br />
example, at one conference I met a person who worked at<br />
an insurance company I was a client of. He wanted to hear<br />
what I thought of the company’s Website, and I wanted to<br />
know how the firm kept information private and secure.<br />
We traded information and e-mails. Remember that many<br />
people get nervous in social situations; just saying “hello”<br />
or asking about their company are excellent ways to get a<br />
conversation going.<br />
• Volunteering at conferences is a powerful way to network.<br />
For example, by handing out feedback surveys you can<br />
informally and quickly meet many people. Introducing<br />
a speaker gives you a quick public relations opportunity:<br />
about 30 seconds with a microphone to talk about yourself<br />
and your company.<br />
• Most of the conferences include meal breaks, which are a<br />
great time to meet people. If nothing else, you’ll overhear<br />
conversations on the latest news, trends and technologies,<br />
or how someone is dealing with a particular information<br />
security challenge. You might even be able to chime in on<br />
the discussion.<br />
Get Writing<br />
Take notes at all different times during the conference: the<br />
speaker sessions, open sessions, lunch meetings, breakout<br />
groups—even off-the-cuff discussions at networking sessions.<br />
Spend some time at the end of each day reviewing your notes<br />
and creating a concise summary to e-mail to your manager.<br />
These daily summaries should focus on who you’ve met, what<br />
you’ve learned, and how those people and ideas can benefit the<br />
company. Not only does this demonstrate you are involved in<br />
the conference, it may give your manager some good ideas for<br />
upcoming initiatives.<br />
Get Real<br />
The present fiscal reality means you may not be able to attend<br />
a particular conference, no matter how much you prepare.<br />
Before spending money on conferences, many companies<br />
want to know the ROI.<br />
To overcome financial concerns, start small. If the organization<br />
behind a large international conference has a local chapter,<br />
attend one of their forums or meetings. For example, if you<br />
can’t make the annual RSA Conference in San Francisco or<br />
London, try to attend a networking meeting closer to home.<br />
You can also gain specialized knowledge—on topics such as<br />
security risks, capacity management or audits—through Webinars.<br />
Make sure to stay current on information in whichever<br />
specialty you choose. Sooner or later, your company’s conference<br />
budget will loosen, and by having an established knowledge<br />
base, you’ll have stronger justification for being sent to a<br />
large, international conference on the topic.<br />
Another alternative is for you to pay for part of the conference.<br />
Sometimes a willingness to help goes a long way. But<br />
remember, you are going to the conference to gain insight and<br />
information. If all you want to do is have fun, then it might be<br />
best to just take a vacation.<br />
Get Going!<br />
Going to a conference can be overwhelming, but you can<br />
make it a valuable experience for you and your organization.<br />
Some conference sites provide ready-made reasons you should<br />
attend. For example, the Computer Measurement Group offers<br />
tips on how to justify attending its conference (www.cmg.org/<br />
conference/justify.html). It also offers a one-day special. And if<br />
your paper is chosen for presentation, attendance on presentation<br />
day is free.<br />
Getting involved can bring some great benefits. It’s up to<br />
you to get going.<br />
Chris Greco, CISSP, PMP, is a public service IT specialist and<br />
program manager based in Maryland. He can be reached at<br />
grectech@att.net.<br />
career corner<br />
professional advice for your career<br />
A Career Bright Spot<br />
Certifications can boost pay and career prospects,<br />
reports Efrain Viscarolasaga.<br />
Security is a priority for most organizations,<br />
so information security is a bright spot among IT careers—despite the<br />
current recession. Recruiters report that workers with an information<br />
security background are still in<br />
high demand, and because the<br />
industry changes constantly,<br />
employers are looking for professionals<br />
with experience in the<br />
latest trends, from international<br />
data protection to biometrics.<br />
Information security professionals<br />
can bolster their resumes and<br />
their careers with certifications.<br />
A recent survey by CompTIA,<br />
a global nonprofit IT research<br />
firm, reported that 37 percent<br />
of 1,500 responding IT workers<br />
intend to pursue a security<br />
certification over the next five<br />
years, while another 18 percent<br />
will seek a certification related to<br />
ethical hacking. Thirteen percent<br />
will pursue some type of computer<br />
forensics certification.<br />
“Because a lot of people are<br />
not employed, many are taking<br />
the opportunity to become more<br />
certified,” says Rebecca Virtanen,<br />
a senior technical recruiter for<br />
Boston-based AVID Technical<br />
Resources Inc. “And for higher-level<br />
positions, some [employers]<br />
will only consider candidates<br />
with certain certifications.”<br />
Senraj Soundararajan, president<br />
of technology resources<br />
provider Ivesia Solutions Inc.,<br />
says the trend is similar on an<br />
international level. In India, for<br />
example, where the number of<br />
applicants far exceeds the number<br />
of available positions, employers<br />
often exclude applicants without<br />
certifications.<br />
Certifications lead to better,<br />
higher paying jobs for candidates,<br />
and stronger career opportunities<br />
for those who are already<br />
employed. According to Foote<br />
Partners’ recent IT Skills and<br />
Certification Pay Index, security<br />
certifications premium pay has<br />
increased by 2.4 percent since the<br />
beginning of the recession, while<br />
the premium pay of other IT<br />
certifications has dropped by an<br />
average of 6.5 percent. The survey<br />
also lists the leading topics<br />
in security certification: security<br />
architecture; forensics; incident<br />
handling and analysis; intrusion<br />
analysis; auditing; ethical hacking;<br />
network security; secure<br />
software development; and security<br />
management.<br />
Foote Partners president<br />
David Foote is bullish on the security<br />
sector. “Bar none, for short- and<br />
long-range IT job security,<br />
the smartest place to be in 2010<br />
is security. Pay and demand for<br />
security skills have risen steadily<br />
since 2007 and headcount has<br />
not diminished despite economic<br />
hard times,” he says.<br />
Whether you’re looking for<br />
work, hoping to solidify your<br />
current position, or trying to<br />
grow your career, certifications<br />
can help. And the time to get<br />
started is now.<br />
Efrain Viscarolasaga is a freelance<br />
business and technology journalist<br />
based in New Hampshire.<br />
global insight<br />
international information security perspectives<br />
Physical & Cybersecurity<br />
A convergence of physical and cybersecurity systems<br />
and solutions is taking place, says Lucius Lobo.<br />
Physical security—such as human guards,<br />
physical entry barriers, and remote surveillance<br />
using closed-circuit television (CCTV) and access<br />
control devices—is one of the oldest forms of protecting<br />
assets. But remote surveillance mechanisms<br />
have been hampered by a lack of real-time response;<br />
for example, large installations using multiple<br />
CCTVs cannot be easily monitored in real time.<br />
Global spending on physical security is expected<br />
to exceed $100 billion in the next 10 years. The<br />
majority of this investment is estimated to be in<br />
enhancing homeland security and for using IP-based<br />
surveillance for the physical security perimeters<br />
of large organizations, residential campuses,<br />
hotels, and oil and gas installations.<br />
IP-based surveillance involves the integration of<br />
physical security solutions on IP networks without<br />
further investments in or changes to existing infrastructure.<br />
Organizations can extend their IT role-based<br />
administration to physical security solutions.<br />
Physical Security Information Management systems<br />
facilitate the correlation of events and depict<br />
pattern analysis of security violations from both IT<br />
and physical security domains.<br />
Moving remote surveillance infrastructure and<br />
systems from analog to IP, coupled with a growth<br />
in technologies that analyze, integrate and remotely<br />
transfer sensor information over wide distances, has<br />
led to surveillance improvements. Similar to cybersecurity,<br />
physical security violations can now be<br />
treated as events, and monitored at central stations.<br />
For example, if people were detected entering a<br />
location from an exit point, a video analytic solution<br />
would trigger an alert to a remote station, where<br />
the event would be analyzed and action would be<br />
taken. Previously, one would have to post guards<br />
at each entry or exit point, monitor cameras at the<br />
location, or install door alarms.<br />
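As an added example (not from the article), the exit-point rule above written as a small PSIM-style check over constructed door-sensor events, with the pattern-analysis step of escalating a door that keeps producing violations: the door table, event format, window and thresholds are assumptions for the example.<br />

```python
"""Added example (not from the article): treating physical security violations
as events, as the article describes.  The door table, the analytic events and
the escalation thresholds are constructed; a deployment would feed events from
the video analytics or access control system into rules like these."""
from collections import deque
from datetime import datetime, timedelta

# Constructed door table: the directions each sensor is permitted to observe.
DOORS = {
    "D-LOBBY-1": {"site": "HQ", "allowed": {"in", "out"}},
    "D-FIRE-3":  {"site": "HQ", "allowed": {"out"}},   # exit-only fire door
    "D-LOAD-2":  {"site": "WH", "allowed": {"out"}},   # exit-only loading door
}

# Constructed analytic events: timestamp, door id, observed direction, head count.
SAMPLE_EVENTS = [
    ("2010-03-01T07:55:00", "D-LOBBY-1", "in", 4),
    ("2010-03-01T08:01:30", "D-FIRE-3", "out", 1),
    ("2010-03-01T08:02:10", "D-FIRE-3", "in", 1),
    ("2010-03-01T08:02:40", "D-FIRE-3", "in", 2),
    ("2010-03-01T08:03:05", "D-FIRE-3", "in", 1),
    ("2010-03-01T13:10:00", "D-LOAD-2", "in", 1),
    ("2010-03-01T17:30:00", "D-LOBBY-1", "out", 9),
]


def wrong_direction_alerts(events, doors=DOORS):
    """One alert per event whose direction the door is not permitted to carry.

    An event from a sensor that is not in the door table is also raised, at
    lower severity, because an unmonitored sensor is a configuration gap.
    """
    alerts = []
    for ts, door, direction, count in events:
        allowed = doors.get(door, {}).get("allowed")
        if allowed is None:
            alerts.append({"ts": ts, "door": door, "severity": "medium",
                           "reason": "unknown door sensor"})
        elif direction not in allowed:
            alerts.append({"ts": ts, "door": door, "severity": "high",
                           "reason": f"{count} entering via exit-only door"})
    return alerts


def escalate_repeats(alerts, window=timedelta(minutes=5), min_events=3):
    """Pattern analysis across alerts: a door that produces min_events alerts
    within window is escalated so the central station treats it as one
    incident rather than a series of isolated alerts."""
    recent = {}
    escalated = []
    for alert in alerts:          # alerts are assumed to arrive in time order
        t = datetime.fromisoformat(alert["ts"])
        q = recent.setdefault(alert["door"], deque())
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        alert = dict(alert)
        if len(q) >= min_events:
            alert["severity"] = "critical"
            alert["reason"] += f" (repeated: {len(q)} alerts in {window})"
        escalated.append(alert)
    return escalated


if __name__ == "__main__":
    for a in escalate_repeats(wrong_direction_alerts(SAMPLE_EVENTS)):
        print(f'{a["ts"]} {a["door"]} {a["severity"]}: {a["reason"]}')
```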
This technology shift will consolidate physical<br />
and cybersecurity into a single function—though<br />
the former will be governed independently of the<br />
latter, primarily through facility management teams.<br />
Because the core network is shared, IP-based physical<br />
security infrastructure will be subject to cyber<br />
threats. This has several implications:<br />
• Audit measures such as vulnerability assessment<br />
and penetration testing will need to cover physical<br />
security infrastructure and technologies.<br />
• The significant use of IP-based surveillance technologies<br />
will require security specialists who<br />
can integrate systems and configure the analytic<br />
components of these technologies.<br />
• Security personnel must be able to respond to<br />
physical as well as cyber intrusions. In the next<br />
one to two years, information security professionals<br />
will command a salary premium if they<br />
have experience in both areas because there is<br />
a shortfall of technology consultants with these<br />
skills.<br />
Lucius Lobo, CISSP, is Director,<br />
Security Consulting at Tech Mahindra<br />
Limited, a global systems integrator<br />
and business transformation<br />
consulting firm. He is based<br />
in Mumbai and can be reached at<br />
lucius@TechMahindra.com.<br />