The Alphabet Soup of Acronyms Helps Navigate Certification and Security

It’s fun being a techie in the security industry, and it’s even more fun to help create certs for CompTIA. Sometimes, though, it feels as if you’ve entered what I call the acronym jumble.

Over the past few months, my product management team and I have spoken at various venues about a range of topics; mostly security. It has been extremely enlightening to work with actual practitioners to navigate the alphabet soup of the security world.

For example, you have technical acronyms such as DDOS, APT and RSA. But that’s just the techie perspective. When you add in the government language, such as DoD 8140, and then start adding certification product lingo, things get even more complicated.

CompTIA recently held its annual EMEA Member & Partner Conference, which I attended. EMEA – there’s another acronym. But wait, there’s more: One day I was on a conference call when someone said, with a straight face, “Well, now that we have that TCP/IP question answered, I’ll IM someone in the OPS team about putting the ITF exam in IBT so that the people in the DoD can go through QA.” I had to put myself on mute so folks wouldn’t hear me chuckle a bit.

Right around that week, I got an e-mail from – no fooling – the IRS. Yes, folks, the United States Internal Revenue Service. For those of you not familiar with how taxes work in the U.S., the IRS contacts you if they see, well, any discrepancies in your taxes. Of all of the letters that can rise up to the top of the alphabet soup of your life, the letters I, R and S just aren’t the ones you want to see. But thankfully, the e-mail I received wasn’t an audit. It was a kind note from Tim Martin, chief of the testing section of the IRS. He’s a techie, not an IRS auditor. In fact, it turns out he does volunteer work for another organization in the IT alphabet soup called AFCEA, a non-profit that promotes best practices in the IT profession through conferences. Tim was contacting us because he wanted someone from the CompTIA team to speak about the state of security in 2015.

Earlier this year, my colleague Patrick Lane visited Hill Air Force Base in Utah and gave a presentation to AFCEA members. I then spoke at AFCEA West in San Diego, and again at the Baltimore Defensive Cyber Operations conference later on. But my journey into getting to know security at a practitioner level didn’t end there. While there, I heard about the DON CIO, CINCPAC and other acronyms.

Since then, my team and I have met with enterprise CIOs and conversed with Navy CPOs. It just doesn’t stop. A month ago, I gave a presentation at the FCC with the title “Broadband Providers and Good Faith Steps.” It appears that the FCC is still working out its responsibilities with respect to the FTC. They’re looking to find ways that they can help people in the U.S. secure their privacy once their data has been captured by service providers. It felt good to represent the industry there, even when one of the directors told an inside joke about some L3 people – that’s director-level people to you and me.

I was recently able to spend some time with Tony Sager, formerly of the NSA and now with the CIS. Tony and I hosted a webinar in which we discussed the current state of security. He stressed the importance of a team-based approach rather than relying on that “security wizard” or the “scruffy IT type.” It was fascinating to spend time with these people because I learned more about how institutions in the U.S. apply security.

While all of this was stewing in my mind, I had a chance to attend the Spiceworld conference, a conference in Austin, Texas, put together by our friends at Spiceworks. One of my co-workers at CompTIA, Rob Winchester, had been talking up this conference for years, and we got a chance to present. The presentation I gave was called, “Persistent Threats, Custom Frameworks: A Practical Guide to Network Security.” I had a great time, mainly because I was able to mingle with techies who get things done.

Sure, we were all engaging in acronym-speak. There was plenty of talk about new protocols and exactly where they mapped to the OSI/RM. And while I was at Spiceworld, I had a minor epiphany while I was talking with a group of security workers about implementing VPNs. One of the admins in the group worked for a homebuilding company in Utah. He said it was a struggle getting his company to invest in security measures. He was worried that some of their intellectual property and a few other areas could be at risk and wanted to address the problem.

I promised I’d send him a few things that our research team was able to create, as well as an article I had written for Linux Pro Magazine about creating custom security frameworks and mapping open source security tools to it. He was grateful.

Behind all the information and acronyms we use every day, we are all looking for a compelling, clear narrative. It doesn’t matter if you’re a director at the FCC, a guy at the IRS who volunteers for AFCEA or someone who has been tasked with enabling proper VPN access to his CEO’s home office outside of the company DMZ.

In my mind, that narrative is based on some standard that everyone can understand and implement, at least eventually; is flexible, yet not open to interpretation; is embraced by the world; is scalable; allows individuals to create custom solutions and security frameworks; and enables people to learn how to secure systems easily by applying themselves with hands-on learning.

The common theme that ties together this alphabet soup is certification. It helps set the narrative in motion. People are looking for coherence. Certification standards can help bring about that coherence.

James Stanger is Senior Director, Product Development, Skills Certification at CompTIA.

[CompTIA]

5 Steps to Developing a Mobile App With Little to No Budget

There are a lot of differing opinions when it comes to developing an app for your business, but nobody argues about the efficacy of a well-developed app. The arguments focus more on how to develop quality apps without spending tons of money. If you have little-to-no budget for your app and still want the results to be phenomenal, your back is up against the wall. There is very little room for error and you need a plan.

Helpful Tips and Strategies
Your exact approach to developing an app on a budget will depend on how much money you have to spend, what industry you are targeting, and how conducive your business is to a mobile app. With that being said, the following helpful tips and strategies are transferable:

  1. Develop a Prototype Before Hiring a Programmer

Hiring a programmer immediately can exhaust your budget and limit your flexibility. Why not start with a simple prototype? Using a tool like Invision, all you have to do is “upload your designs and add hotspots to transform your static screens into clickable, interactive prototypes complete with gestures, transitions, and animations.” In other words, you can easily build an app without having to understand coding. Once you get something you like, you can hire and show the programmer exactly how you want the app to look and function.

  2. Aim for Simplicity and Functionality

Many businesses mess up when they try to overcomplicate things and create an over-the-top, appealing app. Time and time again, it has been shown that customers appreciate simplicity and functionality over complex features. This is good news for you, as you really do not have a budget to design complex features. Focus on core functionality before considering extra features.

  3. Do not Pay for Things You Do not Need

Programmers will probably try to sell you on different features, but stay grounded and do not pay for things you do not need. For example, does your app really need push notifications? This simple feature could add a significant amount to your overall project cost. By eliminating this superfluous feature, you can spend money on the things that really add value.

  4. Ask for Funding in Return for Ad Space

Who says you have to work within a tight budget? You may be able to increase your budget by finding investors who are willing to exchange capital in return for guaranteed ad space inside your app. This is beneficial for both parties and can allow you to add some additional features you would not be able to afford otherwise.

  5. Do not Rush Things

Finally, it is important that you do not rush things. When you are working within a tight timeframe, you end up spending more and making mistakes. Give yourself time and make sure you are testing the app and gathering feedback before putting it on the market. It is much easier to start with a functional app than it is to release a poorly performing one and be forced to make dozens of tweaks and updates. Here are some helpful tips for getting feedback.

Let Loose and Have Some Fun
Developing a mobile app should be fun and exciting. Do not stress over the small details, and make sure you are open to new ideas as you go. It would be very rare that your final version would look identical to your initial prototype. As you go, you will learn about the app, what users are looking for, and what does and does not work. At the end of the day–even with a small budget–you should be able to develop a functional, engaging app that people enjoy using.

Larry Alton
Freelance Writer

[ISACA Now Blog]

What Are The Most Sought After Security Skills?

IT security has become one of the most important focal points in the private and public sectors. As the rise of cyber-threats changes the way we protect private data and prevent breaches that can cost billions of dollars to remediate, the need for qualified IT security professionals is more pressing than ever before.

The demand for skilled professionals has been growing more than 10 percent each year, according to a survey conducted by (ISC)2, a non-profit association of IT professionals based in Clearwater, Florida. And the U.S. Bureau of Labor Statistics expects employment of IT security analysts to grow by almost 40 percent by 2022 – a rate higher than most other high-tech careers.

Eddie Schwarz, international vice president of ISACA, has almost 30 years of experience in the IT world. He’s watched as the industry has converted to wireless, evolved into mobile and faced unique challenges in communicating between the back office and the boardroom. In recent years, one of the most pressing issues he’s had to face is how to educate the next generation of IT analysts in up-to-date security compliance.

“Over the last seven years, we’ve seen advanced threats increase,” said Schwarz, who admits that many hackers have moved from more traditional types of crime to cyber-crime. “Cyber-terrorism isn’t going away. It’s actually getting worse and will continue to get worse in the foreseeable future. It affects everyone.”

According to Schwarz, the rate at which technology advances has a lot to do with the rise of the most devastating cyber-threats, particularly as the mobile industry skyrockets. “Everything is Internet-connected now,” says Schwarz, “which opens a lot of questions as tech marches faster and faster ahead.”

Some of these questions IT pros should be asking: How can I protect our mobile data? And what skills will I need to secure information as cyber-terrorism becomes an even bigger threat?

“We need people with the knowledge, skills and capabilities to feel safe and secure,” Schwarz explains. “But there’s a gap in knowledge and skills showing that there aren’t enough people that are experts in this field.”

Here’s What You Need to Know

Asher DeMetz of Sungard AS, an IT company with headquarters in Wayne, Pennsylvania, contributed a column to Forbes magazine about the most critical IT security skills needed on the corporate level today. “Lack of security is an issue in every corporation,” DeMetz said. “You want to build a targeted security strategy. To do so requires having a specific security skill-set.” He says that these skills may be found in-house or through a managed service provider.

The most important skill for any IT security pro right now is being able to set up a successful security program. As corporate leaders are becoming more aware of the need to bulk up security measures, they will inevitably look to a security manager to develop programs designed to reduce risks based on a customized environment. Because not every company is the same, the approach one takes to developing a security plan will not be the same either.

A theoretical approach to security may sound great in the boardroom, but it will only go so far in protecting important data. A security pro, in addition to having a plan, also needs to be able to implement programs company-wide. In some ways, this can be the most challenging step in any security measure, as it can be difficult to get longtime employees to change the way they operate in traditional settings.

But everyone must be on board with a security plan, which should cover not only the hardware and networks within the office but also the handhelds and mobile devices that are linked to the company yet sit outside its network. A security manager must also be able to get the program set up and to manage it on a continual basis.

DeMetz said that in addition to day-to-day operations, being able to audit the system is critical to ensuring that it works. Not only are there compliance laws to consider, regular testing of the system will let the team know if the protocols are working and if there are any areas that need improvement.

In this case, ethical hacking could mean the difference between risking a breach and staving off an attack. So, in addition to understanding how to keep data safe, a security expert should also be able to try to penetrate the system. Ethical hacking can indicate areas that could be at risk before a breach even happens.

In a worst-case scenario, a professional also needs to be able to respond to an attack immediately. “You’ll need to have the skills available to immediately address and remediate the problem,” says DeMetz. There is no waiting when a data breach occurs.

More Demand, More Money

Schwarz said IT professionals with these skills will be among the best-paid, most sought after analysts in the industry. “Cybersecurity is one of the hot fields today,” he says. Interestingly, he said that while a background in computer science helps to move into the field, it’s not necessary. He personally sees more and more professionals rising in the ranks from diverse educational backgrounds.

More than having a degree in computer science, employers are looking for people who can show they’ve gone through performance-based testing and exercised skills, said Schwarz, who was actually a fine art major before moving into IT. “They want to see that if the company is getting hacked, that you know what to do,” he said. “It also requires a desire to figure out what’s going on and understand why things are going wrong and what can be done to fix it.”

He said that for many years, the IT world was focused on a single generalized skill-set that may not always fit the bill when it comes to preventing cyber-terrorism. In fact, having more diversified skills may actually be a bonus for thinking outside the box and anticipating how to prevent hacking at some of the most respected organizations around the world.

“There’s no universal formula,” Schwarz said. But top IT pros should seek out companies and organizations where IT security is taken seriously. In banking, for example, as much as 15 percent of budgets are often directed toward cyber-security. “If an organization has a reliance on information – and most do at this point – and they don’t take cybersecurity seriously they have their heads in the sand.”

Click here to learn about the CompTIA Security+ certification and here to learn about the CompTIA Advanced Security Practitioner certification.

Natalie Hope McDonald is a writer and editor based in Philadelphia.

[CompTIA]

Preventing Cyber-War: CASP Guards Against Global Cybersecurity Threats

F-22 Raptor stealth fighters tore across the tranquil, picturesque desert sky of Hill Air Force Base in northern Utah as Patrick Lane, senior manager of product management at CompTIA, prepared to discuss high-level IT security with a conference room full of information assurance workers. He took in the sights, awed by the planes’ high-tech acrobatics; they flew at what seemed like impossibly slow speeds, then impossibly fast ones, banked and turned on a dime over the mountain-ringed valley abutting the Great Salt Lake. It was breathtaking, all the more so because of the danger involved. Hill Air Force Base is one of the few live-fire Air Force training ranges in the country.

But what brought Lane to Hill Air Force Base was a facet of national security more intangible than such impressive machines. Invited to speak on behalf of the Armed Forces Communications and Electronics Association, he was there to present on unauthorized network entry, newly evolving malware threats and the tools an advanced IT pro can use to fight both.

Lane’s visit to Hill Air Force Base is but one of the steps he’s taken to increase the nation’s level of cybersecurity preparedness, a critical goal given disconcerting news about both the increasing sophistication of malware and its increasingly invasive uses. For Lane, there is only one solution to the growing problem – the CompTIA Advanced Security Practitioner (CASP) certification.

Lane said, “If [someone has] a CASP certification, they can be hired by a state – hopefully by the U.S. – to fight the fight that’s going on all around us.”

So what, exactly, is that fight? While there has been no out-and-out declaration of cyber-war by one state against another, there has nevertheless been a proliferation of hacking cases targeting both state and corporate enterprises suspected to have been executed by nation-state actors. The spate of point-of-sale malware attacks that plagued U.S. retail enterprises over the past few years seems to have, according to Lane, given way to espionage malware focused on gaining access to and harvesting intellectual property and state secrets.

Recent headlines reflect this. The hack of Sony’s email servers, which led to the theft and public release of private emails between Sony employees, celebrities and others, was eventually attributed to North Korea – though North Korea denies involvement. More recently, some have pointed the finger at China regarding a breach at the U.S. Office of Personnel Management (OPM) that resulted in the personal data of at least four million current, prospective and former federal employees – possibly up to 18 million people – being compromised. The attack appears to have been under way for a protracted period of time and the fallout from it remains to be seen.

The obvious similarity between these two attacks is the alleged involvement of state actors. But these attacks also both used a specific type of technology. The espionage malware used in both attacks represents a newer, more sophisticated form of cyber-attack known as an advanced persistent threat (APT). APTs are adept at infiltrating, then residing undetected on networks. They can hide themselves in the essential APIs of a system, quietly sending information back to a command-and-control server.

“Whereas it used to be [hackers would] walk up, break the window, walk in and leave, now it’s almost as if someone broke into your house and is waiting in the cabinet,” Lane said.
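The trait Lane describes, an implant that sits quietly on a network and checks in with its command-and-control server on a schedule, is also the trait that gives it away: legitimate user traffic is bursty and irregular, while a check-in loop produces nearly constant intervals between connections. The following added example (not code from the article, CompTIA or any CASP material) shows the basic detection over a constructed set of outbound connection records; the hostnames, IP addresses, timestamps and the 20 percent jitter threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records: (timestamp_seconds, src_host, dst_ip, dst_port).
# These are made-up values, not data from the article or from any real capture.
SAMPLE_CONNECTIONS = [
    # ws-017: check-in to one external address exactly every 300 seconds (textbook beacon)
    *[(t, "ws-017", "203.0.113.45", 443) for t in range(0, 3600, 300)],
    # srv-003: check-in with a few percent of jitter added, as real implants often do
    *[(t, "srv-003", "203.0.113.80", 8443) for t in (0, 300, 620, 905, 1215, 1510, 1815, 2105)],
    # ws-022: ordinary browsing, irregular timing, several destinations
    (12, "ws-022", "198.51.100.7", 443), (57, "ws-022", "198.51.100.7", 443),
    (410, "ws-022", "198.51.100.9", 443), (1900, "ws-022", "198.51.100.7", 80),
    (1915, "ws-022", "198.51.100.12", 443), (3300, "ws-022", "198.51.100.7", 443),
]


def beacon_candidates(connections, min_events=6, max_jitter=0.2):
    """Group connections by (src, dst, port) and flag pairs whose inter-arrival
    times are nearly constant.

    Jitter is measured as the coefficient of variation (standard deviation of the
    gaps divided by their mean); a perfectly regular beacon scores 0.0. Pairs with
    fewer than min_events connections are skipped so a handful of visits to a
    site does not trigger a finding.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in connections:
        by_pair[(src, dst, port)].append(ts)

    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = pstdev(gaps) / avg_gap
        if jitter <= max_jitter:
            findings[pair] = {
                "events": len(times),
                "mean_interval": avg_gap,
                "jitter": jitter,
            }
    return findings


if __name__ == "__main__":
    for (src, dst, port), info in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}:{port}  events={info['events']}  "
              f"interval={info['mean_interval']:.0f}s  jitter={info['jitter']:.2f}")
```

Run against the constructed records, both check-in hosts are reported and the browsing host is not. In practice the input would be NetFlow, proxy or firewall logs over a day or more, and the thresholds need tuning: software updaters and monitoring agents also beacon, so the output is a candidate list for an analyst, not a verdict.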

Lane sees hope, though, for the government wrapping its mind around this malware model. That’s where CASP comes in.

Unlike some other certifications, CASP is meant to assess – in addition to the knowledge of specific tools – experience. It tests the sort of deductions an IT professional with 10 years of overall IT experience or five years of security experience should be able to make.

“[CASP] is unique because we’re focusing on the people [who] are actually going to have to sit there and figure out the problem and try to fix it,” Lane said. “Our certification is built to assess workers [who] have a chance of defeating these attacks or at least scattering them.”

Lane is similarly confident that cyberattacks on government infrastructure, like what occurred with OPM, could be limited with widespread CASP certification.

“What you’re trying to defend against is the hacker’s ability to extract targeted information,” Lane said. “In theory, if you had a bunch of CASP guys there [in the case of OPM], they would have been using CASP ideas. They would have understood that users are the biggest problem as far as launching malware into networks. So you would hope that the attack would have been detected and stopped before the breach took place.”

The U.S. military sees the importance of having a certification that assesses an IT professional’s ability to identify and combat advanced persistent threats. CASP was developed at the request of the U.S. Navy and since then it has been adopted by the broader Department of Defense for Directive 8570.01-M.

The CompTIA advisory committee for CASP, which is constantly revising the requirements for the certification to make sure its skills assessment remains on the cutting edge, features some of the biggest names in technology, business and government. Target, RICOH, the U.S. Navy Center for Information Dominance and the U.S. Department of Veterans Affairs are only a few of the names on the list. These organizations contribute their hands-on cybersecurity expertise to the CASP exam.

And so, despite cyberattacks growing in target size and technical sophistication, according to Lane, it’s possible to stay ahead of these threats. If these attacks can be understood as acts of quiet aggression in a pervasive, decentralized cyber war, Lane believes that CASP will play a big role in making sure it’s a war we can win.

“To tell you the truth, the stuff that they’re doing isn’t difficult to stop, necessarily,” Lane said. “You just have to figure out what they’re doing.”

Matthew Stern is a freelance writer based in Chicago who covers information technology, retail and various other topics and industries.

[CompTIA]

Consumer IoT Security Impacts

Within the CSA Internet of Things (IoT) Working Group, we are researching various topics related to securing IoT implementations within an enterprise. One of the more interesting aspects to consider on this subject is the role that consumer IoT devices play in regards to enterprise security.

News of exploits against consumer IoT devices is common, and research into vulnerabilities related to poor development and configuration choices continues. Rapid7 recently published a significant research report on baby monitor exposure and vulnerabilities, which showed that many leading brands are still highly vulnerable. Download their report.

Another interesting aspect of consumer IoT security is the apparent inability to rely upon the consumer to safeguard the underlying network that IoT devices use to communicate. Consumers are often proponents of usability over security, and in the past some consumer IoT device makers have purposefully chosen to value usability over security. This is somewhat understandable, as most people would prefer not to have to configure unique security credentials for each IoT device that operates within their home. Of concern though is that adding new (non-secure) points of connection into the home provides an ability for malicious parties to gain access to other computing resources in the home – potentially leaving sensitive data such as passwords exposed. This is concerning for an enterprise security practitioner because many people choose to use the same passwords to protect both corporate and personal information and application access.

What’s interesting also is that consumer IoT devices do not always stay within the home. A report this year by OpenDNS provided a great deal of data that showed that IoT devices, or the associated applications installed on staff computers, were often found to be communicating with services over the internet from the Corporate network. In some cases, Smart TVs were brought into the enterprise, and these devices were pre-configured to talk with service addresses/ports on the internet. In other cases, fitness trackers were associated with applications that were loaded onto laptops or mobile phones, and then those applications began communication with the manufacturer through the corporate network. Read the OpenDNS report.

At this point, education is likely the best defense against the exposures that consumer IoT devices introduce to the enterprise. Security staff should be educated to identify when inappropriate devices and software are being used on the network, and all staff should be educated on the need to secure their connected home systems as part of a larger effort to keep data secure.
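The OpenDNS finding above, consumer devices and their companion applications calling home from the corporate network, is visible in the one log most enterprises already keep: the resolver's query log. The following added example (not code from the CSA working group, OpenDNS or Rapid7) matches query names against a watchlist of service domains and reports which internal clients are talking to which category of device. The log line format, the client addresses and the watchlist itself are constructed for illustration; the domain names use the reserved .example TLD and are not real vendor domains.

```python
import re
from collections import defaultdict

# Constructed watchlist mapping a service domain to the kind of consumer device
# that talks to it. Placeholders in the reserved .example TLD, not real vendors.
IOT_WATCHLIST = {
    "smarttv-telemetry.example": "smart TV",
    "fitband-sync.example": "fitness tracker",
    "nursery-cam.example": "baby monitor",
}

# Constructed resolver log lines; the format "<ts> client=<ip> qname=<name> qtype=<type>"
# is an assumption, not the output of any particular DNS server.
SAMPLE_DNS_LOG = """\
2015-10-05T09:01:12Z client=10.20.4.17 qname=update.smarttv-telemetry.example qtype=A
2015-10-05T09:01:15Z client=10.20.4.17 qname=intranet.corp.example qtype=A
2015-10-05T09:02:03Z client=10.20.7.88 qname=api.fitband-sync.example qtype=A
2015-10-05T09:02:09Z client=10.20.7.88 qname=api.fitband-sync.example qtype=AAAA
2015-10-05T09:05:41Z client=10.20.9.3 qname=www.corp.example qtype=A
2015-10-05T09:06:10Z client=10.20.4.17 qname=evilsmarttv-telemetry.example qtype=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def watchlist_category(qname):
    """Return the watchlist category if qname equals, or is a subdomain of, a
    listed domain. The match is on a label boundary ("." + domain), so a
    look-alike such as evilsmarttv-telemetry.example does not match."""
    name = qname.rstrip(".").lower()
    for domain, category in IOT_WATCHLIST.items():
        if name == domain or name.endswith("." + domain):
            return category
    return None


def find_iot_egress(log_text):
    """Count watchlisted queries per internal client, grouped by device category.
    Lines that do not fit the expected format are skipped rather than guessed at."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        category = watchlist_category(match["qname"])
        if category:
            findings[match["client"]][category] += 1
    return {client: dict(categories) for client, categories in findings.items()}


if __name__ == "__main__":
    for client, categories in sorted(find_iot_egress(SAMPLE_DNS_LOG).items()):
        for category, count in categories.items():
            print(f"{client}: {count} query(ies) for {category} service")
```

On the constructed log this reports one client resolving a smart-TV telemetry host and another resolving a fitness-tracker API twice (an A and an AAAA lookup), while the look-alike name is ignored. The useful follow-up is to join the client address against DHCP or asset inventory: a fitness-tracker domain resolved by a managed laptop points to a companion application installed by staff, whereas a smart-TV domain from an address with no inventory record points to an unmanaged device plugged into the network.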

Join the CSA IoT Working Group.

By Brian Russell, Co-Chair, CSA IoT Working Group
Brian Russell is the Chief Engineer/CyberSecurity for Leidos.

[Cloud Security Alliance Blog]
