FREE Ways to Earn Continuing Professional Education (CPE) Credits for Your InfoSec Certification

You have earned your certification!  Congratulations!

Qualifying for, and studying for an InfoSec exam is not an easy task, and you should be proud of your accomplishment. But once the glow of accomplishment has worn off and you have framed your certificate, there is the nagging problem of earning the Continuing Professional Education (CPE) credits to remain in good standing in your organization.

For some folks this is an easy task.  Credits may be earned through the simple act of attending conferences and meetings of sponsored chapter organizations.  However, many of these meetings and conferences are not free. This presents a problem for a newly certified professional who may not have the money to attend these events.

Fortunately, there are plenty of free ways to earn your CPEs.

To avoid having the CPE rejected, one should fully understand the intent of the requirement. The reason for the CPE is to stay abreast of new developments and to remain active in the InfoSec community.  While some of the certifying authorities are very strict about the subject matter, others are more permissive.  For example, if you have a Certification from the EC-Council as a Certified Ethical Hacker, they insist that all your CPE credits are related to InfoSec, so if you submit a CPE for a general book about Ethics, it will be rejected unless it has a chapter that specifically addresses “Computer Ethics”.  On the other hand, if you have a certification from ISC2, they will freely accept a CPE for study of general ethics.  This is not a criticism of either organization; it is presented to illustrate the differences in certifying authorities.

Some CPE credits are classified into different categories.  ISC2 has different credits for the “core” disciplines (such as the ten domains of the CISSP) which they call “Type A” credits, and alternate “Type B” credits.  Type B credits could be just about any field of knowledge that shows that you are committed to learning.  For example, if you study a foreign language, you may submit that for a type B credit.  Have you brushed up on your math skills lately?  Claim a type B credit.

If you carry a certification that requires 120 CPE Credits over 3 years, the math breaks down very easily to just 3.33 hours a month over 36 months.  This means that you can clock 1 hour each week and still end up with a surplus!  This sounds like a lot, but it is easily manageable.

Here are some recognized methods for CPE credit.

One of the simplest methods is to install a podcast app on your mobile device and subscribe to some podcasts related to your certification and the podcasts will be ready when you are. No need to visit each podcast URL site hunting for what’s new; you can browse from your app. If you listen to as little as 15 minutes over 4 days, that is an hour for that week.  Webcasts are also available (and most are provided for replay if you cannot attend the live webcast).

Some excellent podcasts include (in no specific order):
PaulDotCom.com “Drunken Security” and “Security Weekly”. http://www.PaulDotCom.com (also available on video athttp://securityweekly.com/watch )

BrightTalk: Offering webcasts from notable organizations such as SANS and other reputable InfoSec vendors. https://www.brighttalk.com/

Steve Gibson’s “Security Now!” broadcast on “The Week In Tech” (TWIT). Gibson also makes his entire webcast available in multiple formats, including text transcripts.
https://www.grc.com/securitynow.htm

Down the Security Rabbit Hole: http://podcast.wh1t3rabbit.net/

Bank Info Security http://www.bankinfosecurity.com/ – You can achieve InfoSec benefits from this site even if you do not work at a bank.

This is by no means a comprehensive list, so please seek whatever educational avenues that work best for you. Most important is to try to go beyond your own area of expertise.  Take your weakest topics and focus on strengthening them.

The worst that can happen is that the CPE is rejected, in which case you may appeal the rejection, or it is “audited”.  People shudder when they hear the word “audit”.  Will the auditors come to your house with subpoenas and start searching through your closets?  No, the audit process is nothing like that at all.  It is generally an E-Mail notice to which you may respond with further information about the CPE that you submit.  The easiest way to avoid the audit process is to take some notes while you are listening to a presentation.  If the podcast offers transcripts or slides, those may be submitted for verification as well.

As you can see, the CPE credits are easy to maintain, and like the doctors, attorneys, and accountants, it helps us to keep current in our field and advances the maturity of the InfoSec profession.

Bob Covello, CISSP, C|EH
Sandy Tyson, CISSP

[Source: (ISC)²]

The New Face of Data Security Professionals: Women

A new report states that women possess the communication skills and diverse academic backgrounds needed to bolster security performance in the enterprise.

A new report states that though women make up just 11 percent of the global information security workforce, they possess the communication skills and diverse academic backgrounds needed to bolster security performance in the enterprise.

Market research firm Frost & Sullivan interviewed 5,814 information security professionals for “Agents of Change: Women in the Information Security Profession,” which is sponsored by (ISC)2 and Symantec. Respondents came from businesses that had workforces of more than 500 employees.

The research reveals that women’s tendency to have strong communication skills and a broad understanding of the security field are essential to enhancing information security. It also notes that the industry is poised for transition and that women could be natural leaders.

“One of the major conclusions in the research is that this industry is changing significantly, and women are in a good position to lead that change as well as thrive in the changed environment,” wrote Julie Peeler, (ISC)2 foundation director, in an email to Baseline. “For example, the information security industry was initially defined as a subfield in information technology; now the industry is evolving to include legal issues, risk assessment and compliance issues, and with that redefinition of the industry, new sets of skills are desired.”

Women’s emphasis on the importance of training, as indicated in the study, shows that they believe education is critical across a workforce, not just for select security professionals. In fact, in seven out of eight categories—including those for cloud computing, mobile device management and information risk management—women were stronger advocates than men for workforce training. Only in one category, forensics, did women and men emphasize workforce education equally.

In addition, female information security professionals reported that they were more likely to spend time handling governance, risk and compliance (GRC) issues. This responsibility typically requires planning across different departments and that may aptly fit women’s communication skill sets.

“When we look at where the field is heading in the future and how the lines are being blurred to includes things like risk management and GRC, the number-one sought-after skill set is that of a security analyst,” Peeler said. “By and large, women are more likely to possess this skill set than men.”

The research also reports that women are more likely than men to be employed in occupations such as technical or security advisors or consultants, executives, and project or operations managers, while men are more likely to be employed as security engineers, security systems administrators, network administrators, and network, security or software architects. The study also showed than more male respondents had undergraduate degrees in computer and information sciences, engineering and engineering technologies. In contrast, female respondents had more degrees in business, math, the social sciences and communications.

Peeler wrote that she once spoke with a senior executive at a large firm who told her, “I’d rather recruit someone with a liberal arts [degree] because I can teach them the IT skills, but I can’t always teach an IT person the human skills.” In response, she pointed out that “companies need to be flexible in their recruiting practices and policies.”

Peeler believes that women security professionals can have a positive impact on end-user compliance. Women’s understanding of human behavior could enable them to “apply those skills when trying to get compliance from end users,” she explained.

Women information security professionals may also thrive as leaders in an organization because they often have the diverse background and skills necessary to bridge the communication gap with departments and employees outside the IT and security organizations.

“Communication skills are paramount in your ability to sell security policy and risk management within an organization,” she concluded.

[Source: Baseline]

5 Surprising Security Gains Achieved From Security Analytics

Getting the most out of big data sets and seemingly unrelated security information

Ericka Chickowski

As more CISOs begin to lean on data scientists to discover new threats in security feeds and increasingly more IT security departments institute security analytics programs, infosec pros have started to reap the obvious benefits of security analytics. Most evident among them is a broader and deeper visibility into IT security data sources, which in turn in offers a better understanding of security risks and faster response times.

But as security programs mature their analytics practices, they often find themselves surprised at the discrete benefits they start seeing from programmatic exploration of security-related data feeds. Here are just a few of the top positive surprises.

1. Uncover Data Leaks You’d Never Guess You Had
One of the first jolts that security analytics programs may give your organization is concrete evidence of data leaks it never before suspected were happening.

“The one that comes up regularly is that they discover leaks that have been ongoing for some time,” says Matthew Gardiner, senior product marketing manager for RSA.

As he explains, this may not even necessarily be a leak at the hands of some kind of complicated nation-state spying or even a data that’s being stolen by a crime syndicate.

“They’re just leaks caused by data moving out of the enterprises to places the organization didn’t know about, didn’t expect and maybe doesn’t like,” he explains. “The question then is figuring out what to do about that flow of data at that point.” [Are you getting the most out of your security data? See 8 Effective Data Visualization Methods For Security Teams.]

2. Sniff Out Questions You Didn’t Know Needed Asking Before
The huge amount of unstructured data pumped out by IT infrastructure and security tools makes it difficult for security analysts to even begin to start querying data for answers to common questions about its risk posture. The simple act of organizing analytics programs to answer those obvious questions may turn up unexpected returns as other patterns emerge to answer questions that the team may never have even thought to ask.

“Often companies may not know exactly what they are looking for or what exact problem they want to solve before the data is stored and made accessible,” says Dan Hubbard, CTO of OpenDNS. “Analytics can uncover security intelligence and capabilities that we would otherwise have no way of knowing is possible.”

What’s more, the visualization of those trends can also help better communicate risks to the business and start collaboration with business leaders who may start to come up with their own important questions to be answered based on data that was never as accessible without analytics.

“They start to ask good questions, so it gives a different perspective on not only what you should be looking at but how you should be looking at it,” says Ron Schlecht, managing partner for security service provider BTB Security. “It’s a good way to collaborate with different business leaders and it starts to pull together why security is important to the overall organization.”

3. Make Connections Between Data Sources You Might Not Have Made Before
Often times security analytics programs will start making associations between data sources that a security team may have never uncovered on its own.

“Most security analytics programs require feeding data from multiple sources in to a single engine for processing to look at patterns and anomalies,” says Corey Lanum, general manager for North America at Cambridge Intelligence. “When I’m working with customers who are loading in data from disparate sources, they will often immediately see connections between individual data elements that were previously stored in different databases and had no connection.”

For example, one police agency his firm worked with extended his security analytics engine out toward information sources about offenders and crime, with everything from 911 call information, jail records and the like.

“After loading in their crime reports and pawn shop records, we immediately started to see connections,” Lanum says. “It was immediately obvious that stolen property was being sold at pawn shops in the same general neighborhood of the theft. We generated leads on several burglaries on the first day we were using the software.”

This kind of modeling can easily translate to find connections between disparate parts of the network, different departmental information and so on.

4. Discover operational IT issues you never knew were there
The benefits of security analytics programs may well extend beyond IT security and bleed into IT operations as well. In many cases, the modeling and dot-connecting performed on security data can uncover IT operational problems that could impact availability, workflow and efficiency department-wide.

“One benefit that has surprised many companies is that the security analytics have also helped find operational IT issues, likely due to the sheer volume of information and depth of insight that can be gained with a proper analytics program,” Schlecht says.

For example, when he worked in-house years ago he found that a new analytics program not only helped identify security issues but was also able to pinpoint development issues in the company’s applications that were draining many hours of troubleshooting from its dev team. A look at application and security event logs for something completely unrelated ended up helping to spot the root cause of the development frustration.

5. Find policy violations you didn’t know were happening
Another beneficial surprise offered up from analytics–one that can often be a bit of a double-edged sword–is the discovery of policy violations across the organization. They won’t always necessarily be malicious, but they’re there and the difficult thing about it is that once the team has seen these violations, it can’t unsee them no matter how inconvenient response may be.

“You hear about rogue cloud services and with analytics you’ll see they’re very real,” Gardiner says. “It’s beneficial because you have better visibility, but you can’t be an ostrich once you see it. You have to do something about it and make the determination of whether it’s important and whether you have to investigate it and respond.”

[Source: DarkReading]

SCADA Researcher Drops Zero-Day, ICS-CERT Issues Advisory

Flaw could allow an attacker to crash or remotely execute code on Web-based SCADA software product

Kelly Jackson Higgins

S4x14 CONFERENCE — Miami – A well-known and prolific ICS/SCADA vulnerability researcher here today revealed a zero-day flaw in a Web server-based system used for monitoring, controlling, and viewing devices and systems in process control environments.

Luigi Auriemma, CEO of Malta-based zero-day vulnerability provider and penetration testing firm ReVuln, showed a proof-of-concept for executing a buffer overflow attack on Ecava’s IntegraXor software, which is used in human machine interfaces (HMIs) for SCADA systems.

The ICS-CERT responded later in the day with a security alert on the zero-day vulnerability, and requested that Ecava confirm the bug and provide mitigation. Ecava as of this posting had not responded publicly, nor had it responded to an email inquiry by Dark Reading.

The IntegraXor line is used in process control environments in 38 countries, mainly in the U.K., U.S., Australia, Poland, Canada, and Estonia, according to ICS-CERT.

Auriemma says the stack buffer overflow bug causes the system to crash, but could in some cases allow an attacker to run malicious code remotely. “It was quite simple to find and even simpler to exploit,” he says.

Ecava is no stranger to the SCADA research community. The Malaysia-based software company in July announced a controversial bug bounty program that gives away points towards its software license rather than the standard cash reward that other such vendor vulnerability programs offer researchers. “It’s already difficult for a vendor to attract researchers with offers like money, and it’s even more difficult in this case because the researcher needs to spend time for points or the license,” Auriemma says.

He says he decided to disclose the buffer overflow bug in IntegraXor he had found because it was “a perfect example of a stack overflow vulnerability.”

[Cyberattacks could have real-world economic consequences in the oil and gas markets, even at the pump. See Destructive Attacks On Oil And Gas Industry A Wake-Up Call .]

Auriemma and Donato Ferrante, co-founder and security researcher with ReVuln, here also gave an update on their SCADA Shield prototype product, which provides an alternative to applying ICS/SCADA vendor patches. SCADA Shield is basically hot-patching utility that performs in-memory patching without having to power down the systems. Traditional patching typically requires a shutdown of the system and thus poses an unpalatable option for many plants.

There’s now an intrusion detection system (IDS) feature in SCADA Shield, Ferrante says.

“It’s [SCADA Shield] a proactive solution that combines information from our internal vulnerability [research] and exploit prevention techniques,” Ferrante says. It’s built to mitigate specific classes of vulnerabilities, including stack and heap overflow, directory traversal, file inclusion/overwrite, use-after-free, and injection flaws. SCADA Shield is still under development.

[Source: DarkReading]

41% of Federal Workers Have Unsafe Mobile Habits

Mobility has the potential to open up gaping security holes in the perimeter of enterprises – but in the government vertical that potential has become reality, according to new research.

A full 41% of the government employees in a Cisco-sponsoredassessment survey from Mobile Work Exchange were found to be putting themselves and their agencies at risk with existing mobile device habits. They are practicing potentially dangerous behaviors, including the use of public Wi-Fi (31%), a lack of multifactor authentication or data encryption (52%) and failure to use passwords on mobile devices for work (25%). Even when employees do use a password, nearly one in three admits to using an “easy” password and 6% of those admit to having it written down.

“When you consider the sensitive nature of information government employees have access to, it is worrying to see that employees are still opening themselves up to such high levels of risk,” said Matt Bancroft, CEO for mobile security specialist Mobile Helix, in an email to Infosecurity. “Using public networks, having weak passwords (or no password at all!), downloading personal app and losing devices all expose ways in which data can fall into the wrong hands.”

He added, “This report shows that even in highly regulated areas, where employees are working within a framework of tight policies and procedures in relation to security, users will always find a way to bypass security if it makes life easier for them.”

This is a particular issue considering the scale of mobile use: report noted that 90% of government employee respondents use at least one mobile device – laptop, smartphone, and/or tablet – for work purposes.

Ironically, many government respondents are taking basic steps to secure agency data for fixed endpoints. A majority (86%) lock their computer when away from their desk; additionally, 86% have a safe and alternative workplace compatible for work, and 78% always store files in a secure location.

Despite these secure actions, government employees are not showing the same caution for mobile devices.

There’s also a lack of a top-down security approach. When the appropriate security policies and procedures are in place and enforced, a mobile workforce can be a tremendous asset to a government agency. However, 57% of respondents who took the assessment from an agency/enterprise-wide perspective are failing to secure agency data, with gaps in mobile policies and security systems. Despite the Federal Digital Government Strategy, more than one in four government employees have not received mobile security training from their agencies.

Additionally, just 50% of respondents noted that their agencies have formal, employee-focused mobile device programs. Half of the agencies that took the assessment are missing fundamental mobile security steps, like utilizing a remote wipe function, or adding multifactor authentication or data encryption on mobile devices.

“In the near future, the number of mobile devices will exceed the world’s population, and by 2017, we expect more than 10 billion connected mobile devices,” said Larry Payne, Cisco vice president, U.S. Federal. “With the proliferation of devices, security continues to be a major concern. The 2014 Mobilometer Tracker study shows that 6% of government employees who use a mobile device for work say they have lost or misplaced their phone. In the average federal agency, that’s more than 3,500 chances for a security breach. Organizations need to take the necessary steps to protect their data and minimize the risk of data loss.”

Interestingly, the US federal government is not alone, as this is a common problem across public and private sector. And in many ways, the government performs better. About half (53%) of government agencies require employees to register mobile devices with the IT department, versus just 21% of private-sector organizations. And, only 15% of government respondents have downloaded a non-work-related app onto the mobile device they use for work, versus 60% of private-sector respondents.

“While the government is significantly safer than its counterparts, there is still much work to be done,” said Cindy Auten, general manager of Mobile Work Exchange. “Ensuring policies are being enforced is the best way to secure critical government data. Closing this gap equips government employees with the knowledge to thwart potential security breaches.”

[Source: InfoSecurity Magazine]

English
Exit mobile version