Infosecurity Professional - Issue 9 - ISC

issue number 9
An (ISC) 2 Digital Publication
www.isc2.org
Unlocking Security
Awareness
Experts say that human behavior
must be factored into information
security awareness strategies.

issue number 9
An (ISC) 2 Digital Publication
www.isc2.org
Unlocking Security
Awareness
Experts say that human behavior
must be factored into information
security awareness strategies.

issue 9
2010 VOLUME 1
14
To view this issue
online, visit www.isc2
.infosecpromag.com
COVER ILLUSTRATION BY SASHIMI/THEISPOT; ABOVE ILLUSTRATION BY CURTIS PARKER/THEISPOT
8
Experts say that information
security professionals must
consider human behavior when
it comes to security awareness.
BY MAGGIE STARVISH
14
Your organization probably has an
incident response plan. But how
do you know if it’s appropriate
for all types of incidents?
BY MARIE LINGBLOM
17
This article offers advice on how
to convince your manager to send
you to a conference, and what to
do when you get there.
BY CHRIS GRECO
3
From the desk of (ISC) 2 ’s former Vice
Chairperson. BY HOWARD SCHMIDT
5
Read up on what (ISC) 2 members
worldwide and the organization itself are doing.
19
Certifications can boost pay and career
prospects for information security professionals.
BY EFRAIN VISCAROLASAGA
20
A convergence of physical and cybersecurity
systems and solutions is taking place. BY LUCIUS LOBO
InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The information contained in this publication
represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC) 2 on the issues discussed as of the date of publication. No part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written
permission of (ISC) 2 . (ISC) 2 , the (ISC) 2 digital logo and all other (ISC) 2 product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification
Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. For subscription
information or to change your address, please visit www.isc2.org. To order additional copies or obtain permission to reprint materials, please email infosecproeditor@isc2.org. To request advertising information,
please email tgaron@isc2.org. © 2010 (ISC) 2 Incorporated. All rights reserved.
ISSUE NUMBER 9 INFOSECURITY PROFESSIONAL 1

Looking for a deal?
Looking for career advice?
Looking for free information?
Check out the hot deals and
free resources at the
(ISC) 2® Market Square!
Now available on the
Online (ISC) 2 Resource Guide.
http://resourceguide.isc2.org
*** 2010 hardcopy also now available! ***
Management Team
Elise Yacobellis
Executive Publisher
727 683-0782 n eyacobellis@isc2.org
Timothy Garon
Publisher
508 529-6103 n tgaron@isc2.org
Marc G. Thompson
Associate Publisher
703 637-4408 n mthompson@isc2.org
Amanda D’Alessandro
Communications Coordinator
727 785-0189 x242
adalessandro@isc2.org
Sarah Bohne
Director of Communications and
Member Services
727 785-0189 x236 n sbohne@isc2.org
Judy Livers
Senior Manager of Marketing Development
727 785-0189 x239 n jlivers@isc2.org
Sales Team
Christa Collins
Regional Sales Manager
U.S. Southeast and Midwest
352 563-5264 n ccollins@isc2.org
Gordon Hunt
Regional Sales Manager
U.S. West Coast and Asia
949 366-3192 n ghunt@isc2.org
Jennifer Hunt
Events Sales Manager
781 685-4667 n jhunt@isc2.org
IDG Media Team
Charles Lee
Vice President, Custom Solutions Group
Amy Freeman
Project Manager n afreeman@isc2.org
Anne Taylor
Managing Editor n ataylor@isc2.org
Kim Han
Art Director
Lisa Stevenson
Associate Production Manager
Don’t forget to take the quiz
and earn CPEs:
http://bit.ly/9bcmfD
For a list of
events (iSC) 2 is
either hosting or
sponsoring, visit
www.isc2.org/
events
ADVERTiSER inDEx
CRC Press. .........................p. 4
DRII ..............................p. 16
IEEE ..............................p. 6
ISACA. ......................Back Cover
(ISC) 2 .......... Inside Front Cover; p. 13;
. . . . . . . . . . . . . . . . . . . . . . Inside Back Cover
Norwich University .................p. 11
Nova University.. . . . . . . . . . . . . . . . . . . . . .p. 7
SCIPP ............................p. 10
For information about advertising in this
publication, please contact Tim Garon at
tgaron@isc2.org.
2 InfoSecurIty ProfeSSIonal ISSUE NUmBER 9

executive letter
From the desk of the former (isc) 2 vice chairperson
A Look at 2010's Challenges
howard schmidt offers advice and areas of focus
for information security professionals.
Prior to taking on his new role as U.S. White House
Cybersecurity Coordinator, Howard Schmidt spoke
with InfoSecurity Professional about information
security issues and challenges for the year ahead.
There are several key issues that I think are,
or should be, top of mind for information security
professionals this year.
One of the major problems
we’re dealing with is
vulnerability management.
There are more vulnerabilities,
usually in software, than
we can possibly manage. We
need to do what we can to
identify and remediate these
weaknesses before they are
exploited, but we also need to
create next-generation software
to reduce the potential
for vulnerabilities. Our Certified
Secure Software Lifecycle
Professional (CSSLP®)
credential is a powerful first
step toward ensuring that
new software is resilient and secure.
Another area of focus should be on moving the
security battlefield from end users to us, the professionals.
We can’t expect end users to be security
experts, able to distinguish among the conflicting
messages they receive. For example, we tell our colleagues
not to click on suspicious links; but then they
get e-mails that look to be from someone they know—
perhaps a LinkedIn invitation—and those messages
contain malware. We must help end users to be aware
of security issues. And we need to put mechanisms in
place to protect our systems and data.
We’re fortunate to have a variety of operating
systems and tens of thousands of applications to get
work done, even on mobile devices. In this diverse
environment, we have to provide consistency, protect
privacy, increase security and reduce malware
incidents. To do this, we must implement best practices
when we build and deploy applications and systems.
Strong authentication is
also critical. We must move
from static user identity and
passwords to an environment
where two-factor identity is
the standard.
Finally, we need to take
a global view of cybercrime.
International investigations
must become more fluid and
cooperative. We need to send a
clear message that we will find,
prosecute and convict cybercriminals
(whose resources
and abilities are better than
ever and rapidly improving).
We must do our best to keep
the bad guys out; but if they get in, we must protect
any evidence for prosecution.
It will be another challenging year. I encourage
you to network with your peers and share your ideas
to make this world a safer place.
Sincerely,
Prof. Howard A. Schmidt
CISSP, CSSLP, Fellow of (ISC)²
Former Vice Chairperson of the
(ISC)² Board of Directors
issue number 9 InfoSecurity Professional 3

Always Evolving Resources
from Auerbach / CRC Press
– publishers of the Harold Tipton Certification Book Series –
While today’s info-security threats may be bolder and more complex, we
have the tools, resources, and expertise to keep you more than a step ahead
of any sort of malfeasance, whether it comes from outside or within.
Vulnerability Management
Park Foreman, GroupM, New York
Shows how much easier it is to protect against a threat than
clean up in the aftermath of an attack
Catalog no. K10093, August 2009, 347 pp., $79.95 / $63.96
Data Protection
Governance, Risk Management, and Compliance
David G. Hill, Mesabi Group LLC, Westwood, Massachusetts
Discusses existing and emerging data protection technologies
including forcloud computing, storage tiering, server
virtualization, and green computing.
Catalog no. K10353, August 2009, 330 pp.,, $69.95 / $55.96
Cyber Fraud
Tactics, Techniques and Procedures
James Graham, Verisign iDefense Security Intelligence
Services, Dulles, Virginia
Exposes the patterns and operations of the cyber criminal
with an insider’s look
Catalog no. AU9127, April 2009, 520 pp., $79.95 / $63.96
Information Security Management
Concepts and Practice
Bel G. Raggad, Pace University, Pleasantville, New York
Illustrates how to audits that conforms with the ISO 17799
the new ISO 27001
Catalog no. AU7854, January 2010, c. 568 pp., $79.95 / $63.96
The Executive MBA in Information Security
John J. Trinckes, Jr., Hampton, Florida
Allows busy executives to get up to speed on what it takes
to develop an effective efficient info security program
Catalog no. K10501, October 2009, 352 pp., $69.95 / $55.96
Information Security Management Handbook
2009 CD-ROM Edition
Edited by
Harold F. Tipton, CISSP, HFT Associates, Villa Park, California
Micki Krause, CISSP, Pacific Life Insurance Company,
Newport Beach, California
Includes all three volumes of the sixth edition print version
plus material that has never appeared in the print.
Catalog no. AU0984, July 2009, CD-ROM, $199.95 / $159.96
Order securely online at www.crcpress.com • Free Standard Shipping on All Orders
*Enter promo code 601LA at checkout to receive your discount.
Offer good through January 31, 2010

(ISC) 2
MEMBER
NEWS
(ISC)² Hires
First ISO
ILLUSTRATION BY YEWKEO
( I S C ) ² R E C E N T LY made
Christopher Trautwein,
CISSP, CISM, its first
information security officer.
Previously, Trautwein was
an IT consultant for (ISC)²
and played an integral role in
the organization’s customer
relationship management
project. In his new role, he
is responsible for the protection
of all of (ISC)²’s data
privacy and security policies.
Trautwein has more than
14 years of experience in
information security. Before
joining (ISC)², he served as
a director for Sunera LLC
in its Information Security
and Network Services
consulting practice, and as
senior security engineer
for Check Point Software
Technologies and
RISCmanagement.
A Presidential Appointment
( I S C ) 2 I S P R O U D
to announce that
one of its board
members, Prof.
Howard A. Schmidt,
CISSP, CSSLP, Fellow of (ISC)2, has
been named the U.S. White House
Cybersecurity Coordinator. Schmidt,
who has served on (ISC)2’s board
since 2004 and was vice chairperson
of the board in 2009, will oversee
cybersecurity activities across the
U.S. government.
“Howard will have regular access
to the President and serve as a key
member of his National Security
Staff,” said John Brennan, Assistant to
the President for Homeland Security
and Counterterrorism, in a statement.
“He will also work closely with
his economic team to ensure that our
cybersecurity efforts keep the Nation
secure and prosperous.”
“(ISC)2 has worked together with
Howard on many important global
and national information security
workforce initiatives throughout
the years and has always valued his
insight and counsel,” said W. Hord
Tipton, CISSP-ISSEP, CAP, CISA,
executive director for (ISC) 2 . “We
look forward to working with Howard
in his new role as he undertakes
the critical task of developing the
government and national information
security workforce program.”
ISSUE NUMBER 9 INFOSECURITY PROFESSIONAL 5

Volunteer Session
at RSA
A R E YO U I N T E R E S T E D I N E D U CAT I N G C H I L D R E N in your community
about how to protect themselves online, all while earning CPEs? Then join
(ISC)² at the Safe and Secure Online Volunteer Education Session at the
RSA 2010 Conference in San Francisco on March 3 from 5-6 p.m. PST to find
out how to become a volunteer. You’ll also get an overview of the presentation
materials that current program
volunteers deliver in classrooms.
Other benefits include:
■ The in-person session can
be attended in lieu of completing
the online preparation
video and passing the
quiz afterward.
■ The session will be conducted
by (ISC)²'s volunteer
mentor for the U.S. Safe and
Secure Online program.
■ There will be opportunities
to ask questions and
get advice from program
volunteers and (ISC)² staff.
■ Attendees earn one CPE.
■ There will be complimentary
snacks and refreshments.
To sign up, e-mail
safeandsecure@isc2
.org with your first and
last name and (ISC)²
member number.
ŸŸŸ
New
Milestone
(ISC)² has now reached
the 10,000-member
mark in the
Asia-Pacific region.
ŸŸŸ
Have you gained access to
Biometrics Certification?
Access is now being granted to
qualified Biometrics Professionals.
IEEE, along with some of the world’s leading biometrics experts,
has developed a new certification and training program for biometrics
professionals and their organizations. The IEEE Certified Biometrics
Professional TM (CBP) program focuses on the relevant knowledge and
skills needed to apply biometrics to real-world challenges and applications.
Certification: Earning the IEEE CBP designation allows biometrics
professionals to demonstrate proficiency and establish credibility.
Training: The IEEE CBP Learning System combines print materials
and interactive online software – ideal for job training, professional
development, or preparing for the CBP exam.
To gain access to more details, visit
www.IEEEBiometricsCertification.org.
Ÿ
Up-To-The-
Minute News
You can follow (ISC)² on Twitter
and YouTube:
www.twitter.com/isc2
www.youtube.com/isc2tv
6 INFOSECURITY PROFESSIONAL ISSUE NUMBER 9

The password
to your future
is NSU.
designated a National Center of Academic Excellence
in Information Assurance Education by the U.S.
government since 2005
pioneer of online education since 1984
earn your graduate certificate, master’s degree, or
Ph.D. degree in information security
IEEE members receive tuition discounts
Computer Science
Educational Technology
Information Security
Information Systems
Information Technology
Apply today and advance your career.
scisinfo@nova.edu
www.scis.nova.edu/isc
Our beautiful, 300-acre main campus
Nova Southeastern University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools (1866 Southern Lane, Decatur, Georgia 30033-4097, Telephone number: 404-679-4501) to award associate’s, bachelor’s,
master’s, educational specialist, and doctoral degrees. • Nova Southeastern University admits students of any race, color, sexual orientation, and national or ethnic origin.
01-138-10PGA

I LLUSTRATION BY E UG E N P/SH UTTE RSTOCK
Sherri Davidoff used to rob banks. She’d get up in the morning, put on a nice
business suit, walk into the heavily secured offices of large financial institutions and
walk out—through the front door—with their computers.
Davidoff isn’t a felon, however; she’s a principal in the Montana office of Lake
Missoula Group LLC, a security consulting firm specializing in penetration testing,
forensics, network assessment and security awareness training. Her “thefts” were
tests of the strength of banks’ security systems, and they serve as a reminder of just
how weak those systems can be.
One day, technology may make it impossible for a thief to pick up and walk off
with a computer. That fact doesn’t necessarily mean future computers will be any
more secure than today’s are. That’s because there’s something technology can’t control:
the human element.
“Technology for the most part doesn’t fail,” says Dow Williamson, CISSP, CSSLP
and executive director of SCIPP International, which develops, delivers and manages
security awareness credential and certification programs. “It’s the human being
that causes the problem,” he says.
The human concept of acceptable behavior, for example, played a big role in the
success of Davidoff ’s bank larcenies. “We’ve been trained since we were young to
hold the door for people,” she says. “We feel bad letting [it] slam on them.” Likewise,
it can feel awkward to confront a young, well-dressed female who looks like she
8 INFOSECURITY PROFESSIONAL ISSUE NUMBER 9

illustration by SASHIMI/theispot
belongs—even if she is walking out the
door with an office computer.
“The human being is the most precious
asset a company has, and the most
dangerous thing,” says Martin Smith,
founder of The Security Company
(International) Ltd., a U.K.-based firm
that helps implement security awareness
campaigns to achieve long-term, sustainable
changes in employee behavior.
There isn’t a computer program
in existence that can counter human
nature, but there are ways to address the
effect of human nature on the security of
your organization’s information. What
follows is a look at what works and what
doesn’t when it comes to the human side
of technology.
Where We Go Wrong
Geordie Stewart, an IT security consultant
with London-based Risk Intelligence,
which specializes in information
security management, took a close look
at the human factor in his thesis for
the Master of Science degree at Royal
Holloway college, Maximising the
Effectiveness of Information Security
Awareness Using Marketing and Psychology
Principles.
“There are three main problems
with how information security
awareness techniques are commonly
implemented,” he says.
The first problem revolves
around awareness versus
culture. “Information security
awareness is based on
a narrow assumption that
if only someone was aware
of the risk or threat, then their
behavior would change,” Stewart
says. “The reality is that people
may well be aware of the risk but feel
constrained by other factors, such as
entrenched business culture.”
The second problem is that information
security professionals don’t realize
information security awareness is all
about marketing—targeted marketing:
Mouse mats and motivational posters
don’t cut it. “Unfortunately, it’s much
easier to roll out screen savers with messages
cut and pasted from the organization’s
security policy,” Stewart says.
What does work are campaigns involving
“audience research, careful targeting
of communications, and measuring the
outcome,” he adds.
It’s in measuring outcomes that the
third problem lies. “The benefit of awareness
campaigns isn’t actually awareness,”
Stewart says. “The benefit is in someone
behaving differently in a way that benefits
the organization’s overall risk profile.”
In other words, knowing an employee is
aware of a company’s password policy
isn’t the same thing as knowing whether
he or she follows it.
Smith thinks the problem with implementing
information security isn’t so
much in the method used as in the fact
that it’s information security professionals
doing the implementing. “You’re asking
computer people to solve a people
problem, which doesn’t make sense,” he
says. “I am tired of dealing with CISOs
who don’t understand the need of
addressing the people part of it.” In addition,
as the techniques of criminals get
simpler, the ways in which organizations
respond get more complex: “The patient
is dying of the common cold due to poor
nursing, and yet the doctors are concen-
Experts say that information
security professionals
must consider human
behavior when it comes
to security awareness,
Maggie Starvish writes.
ISSUE NUMBER 9 InfoSecurity Professional 9

trating on brain surgery,” he explains.
“Humans are part of the IT infrastructure,
and the big mistake we’ve
been making so far is to consider them
separate,” Davidoff says. She places more
of the blame on business executives,
however. “The problem with managing
employees is managing the motivation of
the company itself,” she says. And at this
point, many companies are motivated to
create policy—not enforce it. “They’re
still in the position that if numbers get
stolen and nobody finds out about it
outside of the organization, they don’t
care—because they don’t have an incentive
to,” she adds.
How To Get It Right
Although it’s impossible to write a
string of code that will stop someone
in marketing from spilling company
secrets, there are ways to address the
human side of security. Stewart recommends
using psychology—specifically,
Use yoUr CIssP to save tIme
and money.
Qualify and redeem one seminar waiver for a savings of approximately $5,000.
This program can be completed in as little as 15 months.
Developed and taught by leaders in the field and backed by 189 years of
academic heritage, this program enhances your technical and business
management expertise as you gain consultancy experience through an
organization-wide integrated information security project. Customize your
degree with a specialization in either Business Continuity Management or
Managing Cyber Crime and Digital Incidents.
Norwich University was among the first 23 institutions to receive
the National Security Agency’s designation as a Center of Academic Excellence
in Information Assurance Education.
To learn more please visit
www.msia.norwich.edu/isc
operant conditioning—to promote real
behavioral change.
In layman’s terms, operant conditioning
is like the carrot-and-stick model
of reward and punishment for behavior:
You push for information security
compliance by either punishing bad
behavior or rewarding good. Operant
conditioning shows that the effects of
punishments and rewards are not symmetrical.
Punishments must be consistently
applied to be effective, whereas
rewards can still be effective even if they
are rare or intermittent.
Stewart posits that you’re better off
focusing on rewards. “Fear and the
threat of sanctions are incentives not
to report incidents,” he says. Another
problem with the stick approach is that
the punishment must be consistent to be
effective—something that can be tough
for many organizations. “Noncompliance
may be difficult to detect, or punishment
may not be viable for some user
groups, such as customers,” Stewart says.
“The use of praise or reward offers an
organization a way of avoiding expensive
auditing systems to consistently detect
noncompliant behavior,” he says.
Williamson agrees the carrot is the
better option. “Rather than saying, ‘If
you do this bad thing, here’s what will
happen,’ we have found just the opposite
to be effective,” he says. Take passwords
as an example: Instead of punishing
employees for using “12345” as a password,
he recommends providing examples
of what good passwords are—and
rewarding employees who then follow
those examples.
It’s helpful to appeal to employees
on a human level. Such security training
“should describe how it will benefit
the employee personally as opposed to
the company,” Williamson says. “The
same security countermeasures or the
same best business practices that you’re
asking your employees to practice at
work—they should really practice those
in their homes as well.” Rather than tell
users to be wary of unfamiliar e-mail
because it could negatively affect the
company’s bottom line, explain to them
that such behavior will ultimately affect
their own.
Smith uses similar tactics, but takes
things a step further, appealing to a per-
ISSUE NUMBER 9 InfoSecurity Professional 11
IA 4.625X7_ May 28 09.indd 1
5/28/09 9:59:01 AM

son’s social position. “Breaches in the U.K.
in the last few years have made people anxious,”
he says. “They don’t want to be the
ones who have done things wrong. So you
say to them, ‘You don’t want to be the one
to screw up.’” Overall, Smith believes it’s
important to treat workers with respect:
“They’re not crooked or harmful; they’re
just busy and ignorant,” he says.
Incentives are another driver of
behavioral change. “We have a society
where people get up and go to work and
do the same things every day because
incentives are in place to make them
want to do that,” Davidoff says. “Those
ahead of time, but not when it will actually
occur. Employees are told in advance
that they’ll be rewarded if they don’t fall
for her scam. Interestingly, the incentive
model works both ways: One of the
tactics Davidoff uses to entice people
to click on her phony e-mails is to offer
them a free iPod if they do.
“The key message is know your audience,”
Stewart says. He recommends
researching personnel statistics to see
which demographics have the potential
for creating the most risk—allowing you
to, for example, direct more of your security
training resources to the 20-year-old
“If you don’t know who exactly is causing the risk,
what their perceptions are and how they best
communicate, then your awareness activities
will be like golfing in the dark.”
— Geordie Stewart, IT security consultant, Risk Intelligence
incentives aren’t in place for making
them want to behave in a secure fashion
around IT.”
To illustrate her point, she offers this
example: The cultural acceptance of the
practice of washing one’s hands to prevent
infection took hundreds of years to
develop because there wasn’t an instant,
personal, negative consequence to not
washing them. “It’s the same with computers,”
she says. “When you click on [an
infected] picture of [actress and singer
Jennifer Lopez], your computer doesn’t
immediately blow up; it maybe gets a bit
slow. Someone else’s information gets
stolen, and it never comes back to hurt
the individual person.”
Taking Awareness Action
But it doesn’t have to take hundreds of
years to get employees to prevent the
spread of spam or malware. “Security
works best when people are unaware of
it,” Davidoff says.
Davidoff recommends using awareness
training. For example, organizations
hire her to “phish” their employees.
She tells personnel about the exercise
males in the organization, as opposed to
50-year-old females.
“Many information security professionals
fail to recognize that information
security awareness is, in fact, a marketing
campaign,” Stewart adds. “Marketing
campaigns involve audience research,
careful targeting of communications,
and numerous ways of measuring outcomes.
Branding a mouse mat with a
generic information security message of
the day doesn’t achieve any of these.”
Security professionals also should
examine attitudes and beliefs in their
organization that support or undermine
compliance. “Is there a belief that antivirus
[software] completely protects you
from the Internet? Is there an attitude that
it’s acceptable for employees to store personal
content on their work computers?”
Stewart asks. Getting information security
compliance is that much harder when
employees have different ideas of what
information security is at the outset.
As for metrics, information security
professionals must move away from
asking compliance-related questions to
gauge the success of a security campaign.
“Did you see the poster?” and “Have you
read the policy?” are questions whose
answers are poor predictors of behavior.
“Instead, quantifiable metrics need
to be found that are related to the actual
behavior that causes risk. For example,
if you’re conducting an awareness campaign
on password-sharing, then you
need to find a way to measure concurrent
logons in the systems you are trying
to protect,” Stewart says.
Finally, take a close look at communication:
what style works best for your
organization? A good security awareness
campaign has its resources concentrated
on areas of the most benefit,
with format and presentation adjusted
accordingly. For example, some audiences
prefer to ask questions, while
some just want the facts.
“Organizations must decide which
user behavior they most care about and
focus their efforts to control that risk,”
Stewart says. “If you don’t know who
exactly is causing the risk, what their
perceptions are and how they best communicate,
then your awareness activities
will be like golfing in the dark,” Stewart
says. “You’re not sure what you’ve
accomplished, your caddy is tired and
everyone just wants it to be over so they
can go home.”
Hackers the world over understand
how human nature affects employee
behavior; it’s time information security
professionals did, too. “We’re coming
around to needing a balance between
technological countermeasures and
change in behavior countermeasures,”
says Williamson.
Maggie Starvish is a freelance editor and
writer based in Massachusetts.
12 InfoSecurity Professional ISSUE NUMBER 9

Global Security now
has a common address
Don’t miss out on the conversation! See what thousands of (ISC) 2® members have already
discovered, by joining InterSeC today. With a few clicks you can register and start building
your personal community, without the noise and clutter of other open social networking sites.
That’s right, InterSeC is purpose-built for the information security field, so you can be sure
that everyone is governed by a similar code of ethics and has the same passion and interest.
Meet other professionals from across the world or down the street, participate in one of
over 50 groups or start your own blog. With InterSeC, you are bound to find someone who
thinks like you.
www.isc2intersec.com

You’ve probably developed, or are part of, an information
security incident response strategy. However, are you sure
your response is appropriate, asks Marie Lingblom?
ILLUSTRATION BY CURTIS PARKER/THEISPOT
SECURITY INCIDENTS VARY IN SIZE AND SCOPE,
from a single employee downloading pornography on a
company computer to a sophisticated hacking organization
breaking into server banks to scoop up sensitive corporate
data. So, how do you know whether you have the right
response ready?
There isn’t one single solution or path, says Rob Lee, director
of MANDIANT, an information security company in
Washington, D.C. that works with private and government
organizations on issues ranging from vulnerability auditing
to the implementation of incident response policy programs.
“We’ve essentially been told, even from the vendors, that all
you need to do is buy your appliances, set up your lines of
defense from the perimeters and you’ll be fine,” he says. “But
that’s not true. It’s much more complex than that.”
One of the best ways to gauge the appropriateness of your
incident response plan is to practice, practice, practice. “It’s
always amazing to me that, especially compared with disaster
response and recovery, you don’t see a whole lot of companies
that will do something as simple as a quarterly, or even annual,
dry run (of their incident response plan),” says Jim Hansen,
managing director at Mansfield Sales Partners, a business sales
consulting company. “To make those decisions in the heat of
battle is really tough, and the stakes are just too high.”
14 INFOSECURITY PROFESSIONAL ISSUE NUMBER 9

First Things First
Rich Baich, CISSP, CISM, and principal
at Deloitte & Touche LLP, was CISO with
data broker ChoicePoint in 2005 when a
significant case of fraud at the company
unleashed a firestorm.
Baich says the fraud stemmed from a
Nigerian national who entered the U.S.
illegally and obtained a business license
using doctored phone and utility bills, and
then became a valid user of ChoicePoint’s
credit service. Once he was an authorized
customer, he was able to access enough
personal information—such as names,
addresses and Social Security numbers—
to carry out malicious, fraudulent acts
including identity theft.
“That was a direct relationship with
someone who became a valid user of
credit services,” says Baich. “And it was
one of the shots heard around the world.”
Published reports indicate the breach
compromised the information of an
estimated 163,000 people and resulted in
800 cases of identity fraud. ChoicePoint
was ordered to pay $10 million in civil
penalties, and $5 million to consumers.
One of the biggest lessons Baich
learned: to institute an appropriate incident
response and assemble the best
team, you must clearly spell out what an
incident is. “How an organization defines
an incident is at the core of how they
develop a response program,” he says.
Brandon Dunlap, managing director
of research at Brightfly, an information
security advisory and research firm,
agrees. He suggests defining each type of
incident—from an employee participating
in online gambling at work to a major
denial-of-service attack—and then using
those definitions to create a “triage map.”
The map should describe each type of
incident, the individuals or teams who
should be involved in the response, and
the processes included in the response.
“The point of the triage map is to
ensure that your countermeasures are
commensurate with what is at risk,” says
Dunlap. An employee downloading pornography,
for example, would not likely
carry the same risk as a hack attack on
the company servers.
Early Detection is Critical
Once your plan is defined, you should
focus on early detection.
In the past year, MANDIANT has
responded to approximately 40 incidents
involving everything from financerelated
attacks to advanced persistent
threats that are extremely complex in
nature and that attack both commercial
and government systems. If you want
to catch these “cancers” early, Lee says,
“50 percent of your time and discussions
should be focused on determining
whether you are detecting properly.”
Typically, law enforcement is first to
detect a data breach and report it to a
business—and often the first to leak it to
the press due to data breach notification
laws. Lee suggests building relationships
with law enforcement now, rather than in
the midst of an incident. A side benefit is
that they may be working on cybercrime
investigations, and this knowledge could
better help you prepare.
But so much the better if your company
is able to detect an incident first.
Early internal detection gives you control
in terms of mitigating damage to
your business, partners and customers.
(For instance, negative press surrounding
the ChoicePoint incident harmed
the company’s reputation and led to an
immediate 10 percent drop in its stock
value.) “You must have individuals manning
your systems who are truly dedicated
to monitoring your network for
potential evil that is out there and running
rampant,” says Lee.
Lee suggests housing all applications
and resources in one building. This centralized
approach requires a cultural shift
and “a ton of work,” he adds. For instance,
the infrastructure group often manages
company firewalls, while the security
group manages intrusion detection centers.
“These two groups don’t typically
talk to one another,” Lee says. “So how
can you correlate data between them?”
Letting go of certain gear and services
is a necessary part of the process.
“When [someone else] takes over it can
be like swallowing a bitter pill, but it’s the
only way to effectively monitor your network,”
says Lee.
The Response Team
Hansen advises putting together a security
team that works together seamlessly
and executes quickly because “time is,
The Ingredients to Incident Response
Rich Baich, principal at Deloitte & Touche LLP, says organizations are more proficient at
declaring and responding to incidents because they do a better job of fusing disparate
data. According to Baich, the next level of maturity requires an organization to have
appropriate intelligence collection techniques in place to collect data and perform
analysis to be proactive in their approach rather than reactive. He defines appropriate
incident response as the practice of detecting a problem, determining its cause,
minimizing the damage it causes, resolving the problem, and documenting each step
of the response for future reference.
“Keep it simple, and check off each box as you respond to these incidents. That allows
you to gather a proper chain of evidence if there’s a need to prosecute someone,” he says.
“Good, diligent practices not only demonstrate a focused response, but also allow you to
go back and review for lessons learned, or identify critical steps that were missed.”
Following are what Baich considers essential steps for an immediate data breach
response action plan:
1. Assemble the response team
2. Review and evaluate the report prepared by the investigation team
3. Isolate and contain the incident
4. Determine the level of severity
5. Assess the legal and financial consequences
6. Implement escalation and notification procedures
ISSUE NUMBER 9 InfoSecurity Professional 15

frankly, your enemy.” The more time
passes, the more information criminals
can access in your systems—and the
more damage they can do.
As an example, Hansen describes a
client he has worked with over the past
several years that continues to be the
target of serious efforts to break into
its network by persons outside the U.S.
“One of the things that I don’t think any
organization anticipates, and it shows in
this case, is how long this response and
recovery effort really takes,” he says. “It
can go on for ages if the attacker is determined,
persistent and has a goal for getting
in there.”
Include people from key business and
technology areas from the top to the bottom
of the company when building the
team, but for agility’s sake only include
employees who have specific roles and
tasks. You should also consider involving
people who can manage the appropriate
notification of partners, customers and
law enforcement.
The goal should be to simplify your
response team, Baich says. Key to that is
having an inventory of the appropriate
skills of team members—data reporting,
data collection and analysis—and
multiple ways to communicate, such as
e-mails, instant messaging, handheld
devices, etc. Call on an outside vendor if
you don’t have the appropriate skills inhouse,
says Baich.
As for who leads the team, Baich suggests
a seasoned business executive with
some operational background. “That’s
not necessarily the CISO because the
incident may not be a technology issue,”
he says. The ChoicePoint incident is a
good example of that distinction.
Are you
Certified?
CBCA (Certified Business Continuity Auditor)
CBCLA (Certified Business Continuity Lead Auditor)
Special Benefits for (ISC)2
When you apply for either
level of auditor certification
through DRI International, your
CISSP classification fulfills the
requirements for experience and
reference checks.
(ISC)2 members receive a 10%
discount on auditor and all DRI
International BCP training. Just
let us know that you are a
member in good standing at time
of registration to receive your
discount.
www.drii.org
866-542-3744
Become a Certified Business Continuity
Auditor / Lead Auditor
The workshop covers relevant standards, laws and
regulations, the process of risk assessment, vulnerability
analysis, loss prevention, risk mitigation, and the
development, implementation, testing and maintenance of
emergency management and business continuity plans and
procedures. Course materials delve into existing legal and
regulatory requirements, as well as standards including IX-
110-53 (PS-Prep), NFPA-1600 and BS-25999.
Upon completion of the workshop and passing the unique
qualifying exam, participants will be able for apply to for
either designation based on practical experience.
There are no prerequisites for taking the course and exam.
If you are already certified, these are unique certifications
and may be held together with existing certifications.
Get Started Immediately. Click to Register Today!
Feb 8-12 in Las Vegas, NV - OR - Apr 26-30 in Atlantic City, NJ
LAW & INDUSTRY SUPPORT
Businesses should tap into information
from investigations and reports on
trends in cybercrime from law enforcement
resources. For example, the U.S.
Department of Justice, the U.S. Postal
Inspection Service, the U.S. Secret Service
and the Federal Trade Commission
collaborate on public efforts to combat
cybercrime. They also work with
international partners such as Interpol,
an international police organization
with working groups on cybercrime in
Africa, the Americas, Asia, the South
Pacific, Europe, the Middle East and
North Africa.
Equally as important, says Lee, is to
know what your peers are doing. The
financial services industry, for instance,
has formed a variety of groups (such as
the Financial Services Technology Consortium)
in response to severe and frequent
breaches. Other examples include
the Business Software Alliance and the
Software and Information Industry
Association. These groups share information
and ideas to help deal with and
protect against data breaches.
“You definitely want to get involved
with other groups and hear viewpoints
of other organizations, particularly when
it comes to the complexities of the ethical
and legal sides of this issue,” says Lee.
“It’s safe to assume you’re not the only
one dealing with this, and there’s a lot out
there in terms of best practices that can
be learned.”
Marie Lingblom is a freelance technology
editor and writer based in Massachusetts.
16 INFOSECURITY PROFESSIONAL ISSUE NUMBER 9

Conference
photo by mammamaart/istockphoto
Here’s how to
convince your
manager to
send you to a
conference—and
what to do when
you get there.
By Chris Greco
calling
For many information security professionals,
attending conferences and tradeshows is part of the job. These events provide
opportunities to learn about new technology, practices, techniques and systems,
and the chance to meet and share experiences with peers.
But conferences can be tiring when there are back-to-back sessions and workshops.
And if your company has limited the amount of time you can be at the
event, the pressure builds to get the most out of the experience—especially if
you’re expected to report back to colleagues on the latest news and trends.
Here are some simple steps to get the most out of conferences and assure your
manager that attending them is truly beneficial to the workplace.
4 Get Prepared
Take a look at the agenda ahead of time (it’s usually on the conference Website; if
not, contact the organization by phone) and highlight any sessions that interest you
and/or may be of interest to your workplace. Share the agenda with your manager
and explain how the sessions will enhance your contributions to the company.
If possible, review the attendance list and point to other attendees in your area
of specialization. Be careful—this is a double-edged sword. Your manager may
decide to just get the conference notes from other attendees, which means you
will need to prove why your notes will be better.
4 Get Involved
If the conference is calling for individuals to present papers, submit a paper—it
gives you the opportunity to show your manager that you are committed. I have
submitted and presented papers on topics ranging from project management
ISSUE NUMBER 9 InfoSecurity Professional 17

Each year, (ISC) 2 participates in more than
50 conferences and trade events around the
world. On behalf of its members, (ISC) 2 works
with the organizers of each event to secure the
most valuable discounts available for attendees. To
learn more about these discounts and obtain the
application codes, visit www.isc2.org/events and
search for events in your region. Typically, multiple
discounts cannot be combined.
In addition, (ISC) 2 Security Leadership
events are free for members. Upcoming
dates include:
San Antonio, TX: March 16
Philadelphia, PA: April 8
Chicago, IL: May 11
Washington, D.C.: May 24 and 25
*
Visit www.isc2.org/events for updates
on Security Leadership events in Boston,
Dallas, Baltimore, Seattle, Marina del Rey
and Charlotte later this year.
to password security.
If your paper doesn’t make the cut, you can volunteer in
other ways. Conferences may allow individuals to edit papers,
make speaker introductions and/or perform administrative
duties. These tasks help keep the conference costs down and
give others the opportunity to get involved.
4 Get Networking
It’s important to build your contacts at conferences, not only
for the long-term growth of your career, but also for day-to-day
technology and information security advice. Here are some
easy ways to meet new people:
n Almost everyone will have a name tag with their company’s
name, too. Use that as a conversation starting point. For
example, at one conference I met a person who worked at
an insurance company I was a client of. He wanted to hear
what I thought of the company’s Website, and I wanted to
know how the firm kept information private and secure.
We traded information and e-mails. Remember that many
people get nervous in social situations; just saying “hello”
or asking about their company are excellent ways to get a
conversation going.
n Volunteering at conferences is a powerful way to network.
For example, by handing out feedback surveys you can
informally and quickly meet many people. Introducing
a speaker gives you a quick public relations opportunity:
about 30 seconds with a microphone to talk about yourself
and your company.
n Most of the conferences include meal breaks, which are a
great time to meet people. If nothing else, you’ll overhear
conversations on the latest news, trends and technologies,
or how someone is dealing with a particular information
security challenge. You might even be able to chime in on
the discussion.
4 Get Writing
Take notes at all different times during the conference: the
speaker sessions, open sessions, lunch meetings, breakout
groups—even off-the-cuff discussions at networking sessions.
Spend some time at the end of each day reviewing your notes
and creating a concise summary to e-mail to your manager.
These daily summaries should focus on who you’ve met, what
you’ve learned, and how those people and ideas can benefit the
company. Not only does this demonstrate you are involved in
the conference, it may give your manager some good ideas for
upcoming initiatives.
4 Get Real
The present fiscal reality means you may not be able to attend
a particular conference, no matter how much you prepare.
Before spending money on conferences, many companies
want to know the ROI.
To overcome financial concerns, start small. If the organization
behind a large international conference has a local chapter,
attend one of their forums or meetings. For example, if you
can’t make the annual RSA Conference in San Francisco or
London, try to attend a networking meeting closer to home.
You can also gain specialized knowledge—on topics such as
security risks, capacity management or audits—through Webinars.
Make sure to stay current on information in whichever
specialty you choose. Sooner or later, your company’s conference
budget will loosen, and by having an established knowledge
base, you’ll have stronger justification for being sent to a
large, international conference on the topic.
Another alternative is for you to pay for part of the conference.
Sometimes a willingness to help goes a long way. But
remember, you are going to the conference to gain insight and
information. If all you want to do is have fun, then it might be
best to just take a vacation.
4 Get Going!
Going to a conference can be overwhelming, but you can
make it a valuable experience for you and your organization.
Some conference sites provide ready-made reasons you should
attend. For example, the Computer Measurement Group offers
tips on how to justify attending its conference (www.cmg.org/
conference/justify.html). It also offers a one-day special. And if
your paper is chosen for presentation, attendance on presentation
day is free.
Getting involved can bring some great benefits. It’s up to
you to get going.
Chris Greco, CISSP, PMP, is a public service IT specialist and
program manager based in Maryland. He can be reached at
grectech@att.net.
18 InfoSecurity Professional ISSUE NUMBER 9

career corner
professional advice for your career
A Career Bright Spot
Certifications can boost pay and career prospects,
reports Efrain Viscarolasaga.
Security is a priority for most organizations,
so information security is a bright spot among IT careers—despite the
current recession. Recruiters report that workers with an information
security background are still in
high demand, and because the
industry changes constantly,
employers are looking for professionals
with experience in the
latest trends, from international
data protection to biometrics.
Information security professionals
can bolster their resumes and
their careers with certifications.
A recent survey by CompTIA,
a global nonprofit IT research
firm, reported that 37 percent
of 1,500 responding IT workers
intend to pursue a security
certification over the next five
years, while another 18 percent
will seek a certification related to
ethical hacking. Thirteen percent
will pursue some type of computer
forensics certification.
“Because a lot of people are
not employed, many are taking
the opportunity to become more
certified,” says Rebecca Virtanen,
a senior technical recruiter for
Boston-based AVID Technical
Resources Inc. “And for higherlevel
positions, some [employers]
will only consider candidates
with certain certifications.”
Senraj Soundararajan, president
of technology resources
provider Ivesia Solutions Inc.,
says the trend is similar on an
international level. In India, for
example, where the number of
applicants far exceeds the number
of available positions, employers
often exclude applicants without
certifications.
Certifications lead to better,
higher paying jobs for candidates,
and stronger career opportunities
for those who are already
employed. According to Foote
Partners’ recent IT Skills and
Certification Pay Index, security
certifications premium pay has
increased by 2.4 percent since the
beginning of the recession, while
the premium pay of other IT
certifications has dropped by an
average of 6.5 percent. The survey
also lists the leading topics
in security certification: security
architecture; forensics; incident
handling and analysis; intrusion
analysis; auditing; ethical hacking;
network security; secure
software development; and security
management.
Foote Partners president
David Foote is bullish on the security
sector. “Bar none, for shortand
long-range IT job security,
the smartest place to be in 2010
is security. Pay and demand for
security skills have risen steadily
since 2007 and headcount has
not diminished despite economic
hard times,” he says.
Whether you’re looking for
work, hoping to solidify your
current position, or trying to
grow your career, certifications
can help. And the time to get
started is now.
Efrain Viscarolasaga is a freelance
business and technology journalist
based in New Hampshire.
photo top by moodboard/corbis
issue number 9 Infosecurity Professional 19

global insight
international information security perspectives
Physical & Cybersecurity
A convergence of physical and cybersecurity systems
and solutions is taking place, says Lucius Lobo.
Physical security—such as human guards,
physical entry barriers, and remote surveillance
using closed-circuit television (CCTV) and access
control devices—is one of the oldest forms of protecting
assets. But remote surveillance mechanisms
have been hampered by a lack of real-time response;
for example, large installations using multiple
CCTVs cannot be easily monitored in real time.
Global spending on physical security is expected
to exceed $100 billion in the next 10 years. The
majority of this investment is estimated to be in
enhancing homeland security and for using IPbased
surveillance for the physical security perimeters
of large organizations, residential campuses,
hotels, and oil and gas installations.
IP-based surveillance involves the integration of
physical security solutions on IP networks without
further investments in or changes to existing infrastructure.
Organizations can extend their IT rolebased
administration to physical security solutions.
Physical Security Information Management systems
facilitate the correlation of events and depict
pattern analysis of security violations from both IT
and physical security domains.
Moving remote surveillance infrastructure and
systems from analog to IP, coupled with a growth
in technologies that analyze, integrate and remotely
transfer sensor information over wide distances, has
led to surveillance improvements. Similar to cybersecurity,
physical security violations can now be
treated as events, and monitored at central stations.
For example, if people were detected entering a
location from an exit point, a video analytic solution
would trigger an alert to a remote station, where
the event would be analyzed and action would be
taken. Previously, one would have to post guards
at each entry or exit point, monitor cameras at the
location, or install door alarms.
This technology shift will consolidate physical
and cybersecurity into a single function—though
the former will be governed independently of the
latter, primarily through facility management teams.
Because the core network is shared, IP-based physical
security infrastructure will be subject to cyber
threats. This has several implications:
n Audit measures such as vulnerability assessment
and penetration testing will need to cover physical
security infrastructure and technologies.
n The significant use of IP-based surveillance technologies
will require security specialists who
can integrate systems and configure the analytic
components of these technologies.
n Security personnel must be able to respond to
physical as well as cyber intrusions. In the next
one to two years, information security professionals
will command a salary premium if they
have experience in both areas because there is
a shortfall of technology consultants with these
skills.
Lucius Lobo, CISSP, is Director,
Security Consulting at Tech Mahindra
Limited, a global systems integrator
and business transformation
con sulting firm. He is based
in Mumbai and can be reached at
lucius@TechMahindra.com.
photo top by George Diebold
20 InfoSecurity Professional issue number 9

Security must be considered at
every stage of development.
Watch Video
Securing
the SDLC:
A Business Perspective
www.isc2.org/csslpvideo
In the world of software development, security measures
must be implemented within each phase of the software
lifecycle. Yes, build it right in. Our offspring are too
vulnerable and the threats to them too consistent to
work any differently. To learn what to do, become an
(ISC) 2® Certified Secure Software Lifecycle Professional
(CSSLP ® ). Simply attend a CSSLP Education Program,
they’re available worldwide, then take the CSSLP exam.
Remember, Mother Nature takes pride in giving her
members ways to protect themselves. We can learn a
lot from her.
www.isc2.org/csslp
Connect with us!
www.isc2intersec.com
twitter.com/isc2
youtube.com/isc2tv

The one security blanket you won’t
be embarrassed to take to work.
ISACA ® Certifications
ISACA certifications increase your value
to employers and clients.
Being a CISA ® , CISM ® and/or CGEIT ® :
‰ Counts in the hiring process.
‰ Enhances your credibility and recognition.
‰ Boosts your earning potential.
Register for the 12 June 2010 exam
Final registration deadline—7 April 2010
Secure Your Career: Get Certified.
Visit www.isaca.org/certification.