CSXP: An Exciting New Career Resource for Cybersecurity Professionals

Today marks the launch of the CSX Practitioner (CSXP) certification exam. For the first time, cybersecurity professionals can now obtain a vendor-neutral, performance-based cyber certification.

With Cybersecurity Nexus (CSX), ISACA has made a commitment. Through training, guidance, education and credentialing, we will help develop a skilled cybersecurity workforce to reduce the global skills gap, and we will provide resources for cyber professionals at every level of their careers. CSXP is one way we are fulfilling that commitment.

Research shows that the majority of employers—nearly 7 in 10—require cybersecurity job candidates to hold a certification. They are also looking for candidates with hands-on skills. When a prospective employee holds CSXP, it indicates that they fulfill both of those criteria and have the skills needed to help protect the organization.

To earn CSXP, candidates must pass an exam in a state-of-the-art, adaptive, performance-based cyber laboratory environment. The exam measures skills and abilities in a virtual setting using real-world cybersecurity scenarios. Registration is now open for the exam, and a beta test rate is available for those who take the exam and complete a survey by 1 October 2015.

Very soon, ISACA’s CSX will offer cyber training and certifications for all skill levels and specialties:

  • Cybersecurity Fundamentals Certificate—Knowledge-based certificate that demonstrates a foundational understanding of cybersecurity (currently available)
  • CSX Practitioner—Demonstrates ability to be a first responder to cyber incidents, following established procedures and defined processes. CSXP indicates firewall, patching and anti-virus experience, as well as the ability to implement common security controls and perform vulnerability scans and analysis. (currently available)
  • CSX Specialist—Demonstrates effective skills and deep knowledge in one or more of the five areas based closely on the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond and Recover (coming soon)
  • CSX Expert—Demonstrates ability of a master/expert-level cybersecurity professional who can identify, analyze, respond to and mitigate complex cybersecurity incidents (coming soon)
  • Certified Information Security Manager—Demonstrates the ability to manage, design, oversee and assess an enterprise’s information security program (currently available)

It is an exciting time of opportunity for cyber professionals. Companies and government organizations need you more than ever. As you grow your career in this area, know that we are here for you—we will help you stand out, grow your career and connect with a global community of cybersecurity experts.

Christos Dimitriadis, Ph.D., CISA, CISM, CRISC
2015-2016 ISACA International President

[ISACA]

Old Vulnerabilities: The Stuff of Cybersecurity Nightmares

As a security professional, what keeps you up at night?

I get this question all the time when speaking at various security events. There are a myriad of security-related problems that keep me up at night, but the one that weighs on my mind most is the sheer number of old vulnerabilities — we’re talking vulnerabilities at least a year old or more — that are still being successfully exploited.

According to Secunia, more than 15,000 vulnerabilities were discovered across nearly 4,000 products in 2014 alone.

So, why does this bother me so much? Because exposing yourself to risk through old vulnerabilities is unnecessary.

Vendors typically release patches for the most severe CVEs very quickly after they’re discovered, with 83 percent releasing them on the same day as disclosure. I’d like to say that, in light of this information, there’s no reason for organizations to be susceptible to old vulnerabilities, but that’s not entirely true.

Problems arise when there are so many patches per month or year that IT simply cannot keep up, as well as when vulnerable software runs on systems so critical that any downtime would endanger employee safety or cost the company millions of dollars in lost productivity. The vulnerability problem becomes an insurmountable obstacle that gets perpetually more difficult to tackle with each passing day. However, there are processes and technologies available to help solve these problems.

In a previous post, I explained how to go about making applications more secure. At the risk of being repetitive, I’m going to harp on the same points I made in that post, but only because software vulnerabilities are a serious problem that affects everyone, from your CEO to your mom.

Vendors can certainly do more to make sure fewer vulnerabilities reach production, by practicing secure coding and software development life cycles, and using web application firewalls. However, software vulnerabilities are a fact of life, and we’re not going to eradicate them anytime soon. Knowing this, enterprise software customers can do some things to protect themselves:

  • Segment your network. Architect it using the Zero Trust methodology, and make sure you know exactly which applications, users, data, and devices are traversing which segments.
  • Secure each segment with technologies that target multiple stages in the attack lifecycle, so that attackers are forced to spend the time and resources to craft completely new zero-day exploits and malware, and brand new command and control domains. Cyber criminals won’t be so set on attacking you if it’s cost-prohibitive or requires too much time and attention.
  • Use an intrusion prevention system whose signatures can stop more than a single exploit. Just like skinning a cat, there are many ways to exploit a vulnerability, so your protection must cover the vulnerability itself, regardless of which exploit is used.

Let’s stop attackers in their tracks — or at least make it difficult to poke holes in the software we use.

Find out more about Palo Alto Networks Intrusion Prevention System here.

[Palo Alto Networks Blog]
