
InfoSecurity Professional INSIGHTS Archive


InfoSecurity Professional INSIGHTS is (ISC)²'s bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Similar to the magazine, it will deliver timely, compelling content written with the professional development of infosecurity practitioners in mind.



    October Insights

    Election Hacking: It’s Real and It’s Happening as You Read This


    The U.S. presidential election is just about a month away, and all eyes remain on voting security: from state-sponsored efforts to influence voters, to exploitable vulnerabilities that could cast doubt on election outcomes, to a pandemic preventing in-person voting in the interest of public safety. Read More

    August Insights

    Panacea or Placebo? Business Interruption Insurance (and Vulnerable VPNs) in the Wake of COVID-19


    Disaster recovery and business continuity spending rarely is an easy sell to a C-suite always seeking quick quantification of ROI. It tends to be one of the less glamorous expenses of a risk management plan that you hope you will never use. After all, who wants to go through a major fire or flood? And what about a pandemic? If you carry business insurance, will it be the magic pill for COVID-19 business losses? Read More

    June Insights

    The Real Threat to the Threat Intelligence Community


    If you’re an information security professional, you’ve likely at some point had to weigh the pros and cons of establishing a threat intelligence program at your organization. In my opinion, such a program can be valuable — if you know how to operationalize it. However, some of the common poor practices in the threat intelligence community today hinder the overall benefits that can be gained from participating in it. The following are some of the top grievances and how to address them. Read More

    April Insights

    Building a Cybersecurity Team: 5 Keys to Proper Vetting


    Companies from all industries are looking for qualified cybersecurity professionals to fill the skills gap in their current workforce. Demand is high, and many companies are willing to pay top dollar to those who possess the skills they need. With this high-demand, high-paying environment, what could go wrong? Read More

    February Insights

    Turning Users into Cyber Heroes


    A few years ago, Colgate launched a marketing campaign for its toothpaste in which it presented images of couples where the male models all had stained teeth. So focused were viewers on the stains that few noticed other oddities in the photos, such as a man missing an ear, a woman with six fingers and another with an extra arm. To them, the stains were more obvious (and shocking) than some serious abnormalities (See below).


    In another example of quiet deception, after the business platform LinkedIn was infiltrated and its database leaked, users received emails about the breach with instructions to change their login credentials. Some of those emails were not legitimate, but users didn’t stop to look for discrepancies in the message or headers. Instead, they blindly filled out false forms that often included the same credentials they used for corporate access at work. That’s how cyber criminals were able to easily break into more networks and compromise additional databases once they’d cracked LinkedIn’s user database. Read More


    December Insights

    What (ISC)² Members Expect to be the Biggest Security Issues in 2020


    Folks, we’ve got a problem … lots of problems, actually.

    During the 2019 (ISC)² Security Congress in Orlando, we asked dozens of attendees, speakers and vendors what their top security concern would be during the first half of 2020. We got plenty of responses, from election security and data sprawl to IoT and the cybersecurity workforce shortage—and many, many more. Read More

    October Insights

    Resilient Preparations to Ease the Pain of Ransomware


    Because of the business his own company conducts—antivirus, password management, endpoint security and vulnerability scanning—F-Secure’s Mikko Hypponen believes his interpretation of the Geneva Conventions makes even F-Secure “a legitimate target for bombing in time of war.”

    What constitutes an act of war? Is responding to a cyberattack with military action disproportionate, or does it depend on what was attacked and its outcome? A country heavily dependent on its technology may suffer disproportionately from a cyberattack compared with one that is not. A power grid disruption may cause a significant, long-term problem far out of scale with the underlying attack. Or the desired outcome may be to disable an opponent for quite some time. A guiding principle of warfare, balanced against international humanitarian law, mandates that responses to attacks be proportional. Read More

    August Insights

    Resilient Preparations to Ease the Pain of Ransomware


    Ransomware no longer captures the headlines that it did when WannaCry suddenly spanned the globe two years ago, but the category’s reign of disruption continues.

    Verizon’s 2019 Data Breach Investigations Report finds that ransomware is the second most prevalent type of malware. Dave Hylender, a senior risk analyst with Verizon, describes ransomware in 2019 as “prevalent and ubiquitous. It’s quite lucrative for the attacker; it’s high yield and low risk, and I don’t expect it to be going away soon.” Read More

    June Insights

    From Nursing to Cybersecurity: Marylyn Harris Keeps Protecting Patients


    For many years, Marylyn Harris, a former U.S. Army psychiatric nurse, disabled war veteran and founder of the nation’s first Women Veterans Business Center in Houston, thought networking meant meeting other professionals and exchanging business cards at special events. Now that she is transitioning to a new career in IT security, however, the word “networking” takes on a whole new meaning. Read More

    April Insights

    Look Before You Leap: What to Know Before Diving into Machine Learning


    IDC anticipates a $57.6 billion worldwide investment in cognitive and artificial intelligence (AI) by 2021, which means there’s a good chance your company is considering, if not already buying or building, AI and machine learning (ML) solutions. And not just to improve business processes; companies are also considering adding AI and ML solutions to security operations centers. Read More

    February Insights

    ‘Building’ a case for stronger IoT-related cybersecurity


    In an April 2018 presentation to the Wall Street Journal CEO Council Conference, Nicole Eagan, the CEO of Darktrace, reported that hackers had breached the automated thermostat of a casino aquarium and through it exfiltrated the casino’s high-roller database.

    While characterizing this story as one of the greatest fishing (sic) attacks ever elicits peals of laughter, it takes on considerable significance when one looks at the cybersecurity Wild West that is the Internet of Things (IoT). According to a study by Aruba Networks involving more than 3,000 companies, 84 percent of them had experienced some type of IoT breach. While some cybersecurity teams see IoT security as a current issue because of their organizations’ industry (e.g., the medical and high-technology fields have been early adopters), most mistakenly believe it will not affect them anytime soon. Read More


    December Insights

    A ROSE is a Rose…Or, a Fresh Way to Launch Phishing Attacks


    The next generation of phishing attacks is very complex, involving a number of fake personas across a range of social media platforms to entice your employees to circumvent your organization’s security. Are you ready?

    Increasing awareness of social engineering and phishing attacks has limited their effectiveness as easy attack vectors. In response, attackers have upped the ante. The method, dubbed ROSE (remote online social engineering), was discovered by Matt Wixey, a cybersecurity research lead at PwC U.K. It uses progressively more sophisticated and longer-term efforts, including self-referencing synthetic networks, multiple credible false personas and highly targeted and detailed reconnaissance. Read More

    October Insights

    Positive vs. Negative Security Models: A Different Way to Look at Endpoint Security


    When we think about cybersecurity, inevitably we end up talking about fighting the “badness” — malicious hackers, malware, cybercriminal syndicates and malevolent nation-state actors. Whether with signatures, heuristics or machine learning models, we attempt to identify and block that “badness.” Today that approach is unable to achieve anywhere close to 100 percent efficacy, largely because the amount of “badness” is practically infinite. Read More

    August Insights

    The True Cost of Certificate Authority Trials: Can You Trust Them?

    By Rodrigo Calvo, CISSP

    Recently, some colleagues and I were able to verify a phishing attack that used a valid TLS certificate and a powerful name (Microsoft) as a cover. The chosen attack vector was Office 365 (aka O365) and the goal was to gain users’ credentials by sending a targeted campaign to specific user groups. Read More

    June Insights

    Four Reasons Healthcare Remains a Huge Target


    Online scammers are increasingly targeting the healthcare industry, as revealed in the 2018 HIMSS Cybersecurity Survey. Phishing in particular is a predominant concern for healthcare stakeholders, as it can be a very effective means for eliciting information and/or delivering a malicious payload. Read More

    April Insights

    A Security Framework that Anyone – and Everyone – Can Follow

    By Shahin Kamruzzaman

    In a business start-up, the entrepreneur usually is a one-person band, taking on all kinds of work including IT. As the business grows and becomes increasingly dependent on IT infrastructure, the entrepreneur may not be able or willing to handle the challenges of IT security, vulnerability, risk management framework and privacy law. To provide the new business owner guidance on security needs, I’ve created a simple approach to basic IT security. Read More

    February Insights


    By William Nana Fabu, CISSP

    It’s time to move vulnerability management to the front of the line. Of the many data breaches that have made news headlines in recent years, 44 percent were successful due to the presence of non-remediated vulnerabilities. Today, from board members to customers, everyone wants to know how vulnerable the company is. Read More


    December Insights

    Do You Have What It Takes to Lead in 2018?

    By Dr. Richard N. Knepp, CISSP

    Every security professional, as part of continuous self-improvement, should periodically take stock of what they will need to become a leader in the future – perhaps the very near future. This is a great time to critically analyze yourself and determine how you need to improve your leadership skills in the coming year, to set yourself up for an outstanding security career in the years and decades ahead. Read More

    October Insights

    Bridging the Governance Gap

    By Jack Pelikan, CISSP, CISA, CPA

    During a recent industry roundtable, an audit executive solicited advice on how best to address questions from board members regarding cybersecurity, such as “Are the systems secure?” and “What is the likelihood of a breach?” While these questions are common and asked with noble intent, they also may indicate a disconnect between management and the board on cybersecurity matters. Read More

    August Insights

    Web Security 101: Proxies with HTTPS Inspection, Working Together

    By Douglas Foster

    Web proxies with HTTPS inspection provide important layers for any network defense-in-depth strategy. They provide a first-stage defense against inappropriate usage and malicious web content, a second-stage defense against email containing hostile links, and a third-stage defense against infected machines seeking a command-and-control server. A simple proxy implementation will inspect and protect unencrypted traffic, while HTTPS inspection evaluates encrypted traffic...  Read More

    June Insights

    Digitizing the Geneva Convention: Justice on the High (Cyber) Seas

    By Jeff Bauer, CISSP

    “Those unable to catalog the past are doomed to repeat it.” 
                                                         –Lemony Snicket, A Series of Unfortunate Events

    When navigating the pitfalls of network security and transnational issues, great insight can be achieved by reviewing historical precedents that evolve in response to changing conditions and technologies, such as the law of the sea... Read More

    April Insights

    How to Build an Assessment Framework for IT Suppliers

    By Rabei Hassan

    Almost every business relies on suppliers to provide or manage an IT service, including storage and business data processing. It is crucial to those businesses that confidentiality, availability and integrity are maintained for all services and data managed by a vendor. 

    In some cases, businesses could be legally obligated to ensure that data stored or processed by a supplier is secure. Furthermore, ISO 27001 mandates protection of an organization's assets that are accessible to suppliers. Therefore, it is important to have a third-party assessment framework to help your organization identify, assess and manage information security risks relevant to vendors and suppliers... Read More

    February Insights

    Let’s Train Consumers – and Companies – to Think of Passwords Differently

    By Dimitri Fousekis

    It’s a new year and yet already 2017 has a familiar ring to it with big breaches and their fallout still in the headlines. And at the heart of many of these cyber heists and data thefts is one of security’s biggest (and unfortunately perennial) vulnerabilities: passwords... Read More


    Make SOPs and Runbooks a Top Priority in 2017
    By Raj Goel

    “When I say that the company’s prosperity rests on such things as our sixty-six-steps-to-clean-a-room manual, I’m not exaggerating.” 
    -- J.W. Marriott Jr.

    As I look into my crystal ball, 2017 looks a lot like 2016. We’ll still be short-staffed, and making new hires will be a challenge in spite of, or because of, information security’s near 100 percent employment. Breaches will get bigger and attack vectors will expand. On a more positive note, we’ll still have jobs: an unending queue of tickets, upgrades, projects and meetings.

    So, how do you deliver better quality of service, reduce response times, and make your users, management and board happier next year? By increasing staff productivity.

    First, let’s consider the cost when there’s a lack or loss of productivity in the workplace, based on my own experiences and research:

     1) If performing a task costs you X hours and Y dollars, fixing mistakes and having to re-do that work adds 150 to 300 percent more hours and dollars to the original costs.
     2) Those mistakes and do-overs also cost you user trust, client trust, sleepless nights, and make life miserable for everyone involved.
     3) Removing productivity loss by standardizing staff training, ticket-handling procedures and customer service processes (yes, we’re all in the customer service business!) has increased our team productivity by 40 percent over the past three years.

    Increasing Productivity without Working More Hours

    The secret to increasing productivity, good service, and making staff, users, management and stakeholders happy is delivering consistent service. What does consistent service mean? Things are done using standards, processes and checklists so that you, your staff and your clients get the same or similar results every time.

    Once you look at your existing tickets or open issues, you’ll realize that approximately 70 to 90 percent of what we do is a repeatable, reproducible process: 

    • Checking firewall logs for anomalies? Systematize it.
    • Checking backups? Systematize.
    • Setting up desktops, phones, servers, networks, widgets? Systematize.
    • Training new hires? Give them runbooks.

    Most of us are familiar, at least in theory, with standard operating procedures, or SOPs. A runbook is a collection of organized SOPs. As business expert T. Harv Eker once said, “How you do anything is how you do everything.” 

    In our world, consistently creating and, importantly, using SOPs and runbooks shows how to do something repeatedly, without deviation or failure. It also means any changes or updates are reflected in these “living documents” that are routinely reviewed instead of gathering dust on a shelf or in a shared folder. 

    Need another reason? How about this: No great brand thrives without building SOPs. 

    Another way to think of it is to consider an SOP as a recipe:

     • It shows how to configure tools. 
     • It shows how to respond to alerts. 
     • It provides specific steps to investigate an event. 
     • It outlines how to set up that desktop. 

    A runbook is more like a cookbook, a collection of all the recipes organized thematically.

    Proof of Concept for a Stronger SOP Culture

    My company is a managed services provider and managed security service provider for New York City-based hedge fund, private equity and construction companies. These are highly regulated, highly process-driven industries with exceptionally high demands for uptime, reliability and service excellence.

    Here are several ways that adopting a formal SOP culture has led to major productivity gains, which also translates into cost savings that make our clients happy.

    Client Onboarding

    Before: It used to take us 20 hours per server to onboard a client. If a client had, say, six servers, that translated to 120 hours or three to four weeks of onboarding time, with frequent errors, dropped balls and delays.
    After: Soon after we began developing SOPs, project plans and checklists, we reduced the per-server onboarding time to six hours per server, which translated to two people working together for 18 hours each, or two calendar days. 

    Firewall Deployments

    Before: Firewall installations used to take 60 hours, including time spent on errors, missed configuration items, unasked questions, etc.
    After: Firewall deployments were reduced to 20 hours without any “dropped balls.”

    Synology SAN Setup

    Before: Synology SAN setups with iSCSI and round-robin iSCSI configurations used to take 12 hours of our senior systems administrator's time.
    After: The same setup now takes four hours, and we are using newer, lower-cost staff to implement them.

    Daily Backups and Security Reviews

    Before: Checking backups daily was reserved for “backups technicians,” while daily security reviews were reserved for the security staff.
    After: By systematizing the Daily Backups Review (DBR) and the Daily Security Review (DSR) processes, we are able to train our entire technical team in performing DBRs and DSRs. If the primary DBR/DSR person is unavailable, anyone else on the team can complete these mission-critical processes daily. It also means we get a fresh pair of eyes on the processes on a regular basis as we rotate the responsibility, and that has made our DBR and DSR processes significantly stronger.
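    The "systematize it" list earlier in the article and the Daily Backup Review / Daily Security Review passage above both come down to the same move: a recurring check is written down precisely enough that any technician gets the same answer. The following is an added example, not Brainlink's or the article's own code. It expresses one DBR step and one DSR step as deterministic checks over constructed backup and firewall log lines; the one-line key=value log format, the job names, the deny threshold and the RDP allowlist are all assumptions for illustration.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample logs. The one-line "timestamp key=value ..." format is an
# assumption for this example; real backup and firewall products differ.
BACKUP_LOG = """\
2017-01-09T01:05:12 job=fileserver status=OK bytes=53687091200
2017-01-09T01:40:03 job=sql01 status=OK bytes=21474836480
2017-01-09T02:10:44 job=exchange status=FAILED bytes=0 error=VSS_snapshot_timeout
2017-01-08T01:05:09 job=mailarchive status=OK bytes=10737418240
"""

FIREWALL_LOG = """\
2017-01-09T08:00:01 action=deny src=203.0.113.45 dst=198.51.100.10 dport=22
2017-01-09T08:00:02 action=deny src=203.0.113.45 dst=198.51.100.10 dport=23
2017-01-09T08:00:03 action=deny src=203.0.113.45 dst=198.51.100.10 dport=445
2017-01-09T08:00:04 action=deny src=203.0.113.45 dst=198.51.100.10 dport=3389
2017-01-09T08:00:05 action=deny src=203.0.113.45 dst=198.51.100.10 dport=8080
2017-01-09T08:00:06 action=deny src=198.51.100.77 dst=198.51.100.10 dport=22
2017-01-09T08:00:10 action=allow src=192.0.2.10 dst=198.51.100.20 dport=443
2017-01-09T08:00:15 action=allow src=10.0.0.7 dst=198.51.100.30 dport=3389
2017-01-09T08:00:20 action=allow src=10.0.0.5 dst=198.51.100.30 dport=3389
"""


def parse_kv_log(text):
    """Turn 'timestamp k=v k=v ...' lines into dicts with a parsed datetime."""
    records = []
    for line in text.splitlines():
        ts, _, rest = line.strip().partition(" ")
        if not ts or not rest:
            continue
        rec = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def daily_backup_review(records, expected_jobs, review_day):
    """DBR step: every expected job needs a status=OK run dated review_day.
    Returns (job, finding) pairs; an empty list means the step passes."""
    ok_today = {r["job"] for r in records
                if r["status"] == "OK" and r["ts"].date() == review_day}
    failed_today = {r["job"]: r.get("error", "") for r in records
                    if r["status"] != "OK" and r["ts"].date() == review_day}
    findings = []
    for job in sorted(expected_jobs):
        if job in ok_today:
            continue
        if job in failed_today:
            findings.append((job, "FAILED: " + failed_today[job]))
        else:
            findings.append((job, "no successful run on " + review_day.isoformat()))
    return findings


def daily_security_review(records, deny_threshold, rdp_allowlist):
    """DSR step: flag any source with deny_threshold or more denied connections
    (scan or brute-force pattern) and any permitted RDP session from a host
    outside the allowlist. Thresholds are assumptions for the example."""
    denies = Counter(r["src"] for r in records if r["action"] == "deny")
    findings = [(src, f"{n} denied connections")
                for src, n in denies.most_common() if n >= deny_threshold]
    for r in records:
        if r["action"] == "allow" and r["dport"] == "3389" and r["src"] not in rdp_allowlist:
            findings.append((r["src"], "RDP allowed from host not on allowlist"))
    return findings


def run_daily_reviews(review_day=date(2017, 1, 9)):
    """Execute both runbook steps and return the checklist as data."""
    return {
        "DBR": daily_backup_review(parse_kv_log(BACKUP_LOG),
                                   {"fileserver", "sql01", "exchange", "mailarchive"},
                                   review_day),
        "DSR": daily_security_review(parse_kv_log(FIREWALL_LOG),
                                     deny_threshold=5, rdp_allowlist={"10.0.0.5"}),
    }


if __name__ == "__main__":
    for step, findings in run_daily_reviews().items():
        print(step, "PASS" if not findings else "NEEDS REVIEW")
        for subject, note in findings:
            print("   ", subject, "-", note)
```

    Because each step returns its findings as data, the SOP can state the acceptance criterion plainly ("DBR passes when the list is empty") and the rotating reviewer only triages what is listed; changing a threshold or adding a host to the allowlist is an SOP update rather than knowledge held in one person's head.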

    Semi-annual Disaster Recovery Tests

    Before: Until four years ago, we couldn’t fathom performing annual, much less semi-annual, disaster recovery tests for every one of our clients. The amount of planning, time, manpower and vendors involved seemed insurmountable. If we were lucky, we got one or two of these tests done each year.
    After: After adopting an SOP Culture, we mandated semi-annual DR tests for all clients. We have performed 68 DR tests in the past three years, with 66 being completely error-free, and two exposing gaps in documentation, processes and systemic issues that were subsequently resolved.

    So, as you can see, since adopting a culture of standardization, with documented processes deployed throughout our organization, we've lowered our internal expenses, delivered better, more consistent service, and broadened staff training through cross-training. 

    How We Became Better at our Jobs

    Our IT services company is 22 years old, so I thought we had processes and documentation nailed. After all, we do this stuff for a living, so we must be good, right?


    Despite our best efforts, most of our documentation was scattered. It was held in Word docs, Excel files, project plans, emails, Post-it notes, and critical information buried in people's heads. Scattered or inconsistent documentation and processes are no way to run a business or department, and they cause an incredible amount of stress. They also lead to working long days, staff burnout and high turnover.

    How did we go from working 80-hour, thankless weeks to 50-hour, highly productive ones? (Yeah, I wish I could say we work 40-hour weeks or four-hour weeks like that Tim Ferriss guy, but that’s just not our reality.) By embedding SOPs and runbooks into what we call SOPCULTURE, we reduced staff turnover, reduced staff burnout, and increased revenues and profits.

    Today, we are a much healthier company with a happier workforce because:

     • We create SOPs for everything, from the simplest task (setting up signatures in Outlook) to the most complex.

     • We live by the SOPCULTURE mantra in which you are either:
       a. using an SOP unmodified
       b. updating an existing SOP
       c. creating a brand new SOP
       d. working for some other firm (yeah, we fire people for not following/using SOPs)

     • After we had developed 1,000 SOPs, we identified the 70 most critical SOPs that our technical team needs to be competent in the field. We compiled that into our “New Hire Technical Training Runbook,” which clocks in at 1,672 legal pages, outlining detailed, step-by-step recipes on what we expect everyone on the technical team to be able to accomplish.

     • We identified the 15 SOPs our marketing teams need to execute on a regular basis.

     • We bake our SOP Culture into our hiring process. Once we identify promising candidates, we interview them, check their qualifications, and require them to submit sample or existing SOPs.

    Like any culture shift, creating an SOP mentality takes time and enormous effort. But I can tell you from personal experience, it is worth it — for you, your company and your clients.

    Raj Goel is CEO of Brainlink and can be reached at to learn more about SOPs.

    Some additional resources to get you on the way to developing your SOP Culture: 


    SOP Word template:  

    Member Q&A: 5 Minutes with … Tushar Gokhale

    An excerpt of this Q&A appears in the November-December issue of InfoSecurity Professional magazine.

    Tushar Gokhale lives in Dallas, Texas, but grew up in Mumbai, India. The cybersecurity specialist has been part of (ISC)² for more than two years and is the newest member of our Editorial Advisory Board.

    When did you know you wanted a career in information security?

    After I completed my bachelor studies in electronics and telecommunication engineering, I started working as a network and communications engineer. I worked on several network design and technology projects, such as implementation of routers, firewalls, intrusion detection and prevention systems, etc. At that juncture, I decided to start learning more about information technology security and eventually pursued a career in information security. 

    After realizing that was your chosen path, how easy or difficult was it to gain entry?

    I must say, it was a little difficult. Specifically in India, I remember information security was considered a branch of IT and a potential candidate for information security was expected to be best at information technology most times. An entry-level career as an information security professional was a little difficult, as in most industries and sectors, security concepts and security implementations were considered child projects of IT implementations.

    What have been the biggest hurdles in your current career?

    Transitioning my career from a network and communications engineer to an information security specialist was the biggest hurdle. It was more difficult than I thought it would be. Further, elevating my career path by shifting my focus from being a technology security professional to being a business security professional was another challenge.

    You're originally from India. What part of the nation are you from, and how has living in India, and still visiting, impacted your career?

    I am from Mumbai (often termed the financial capital of India), which is located in western India's State of Maharashtra. There is always huge demand for great talent across all sectors and industries in Mumbai. I started my professional career in Mumbai and later moved to the United States to pursue a formal education in the field of information security. My information security professional contributions to the financial and insurance sector in Mumbai provided the groundwork for my current work in the United States and internationally. I believe the more diverse and international your experience is, the more rewarded you are. 

    What are you most proud of accomplishing with the group to date?

    Every achievement and contribution I make to the information security community makes me feel satisfied. That includes doing my small part to help nurture others in the information security profession. I'm proud to have earned a master's degree in information security, continue to advance in my professional career, and volunteer as a peer reviewer for academic and professional security journals and magazines. I've also been an instructor for security courses, judged cybersecurity contests, and held other roles that I believe contribute to making our community and industry better. 

    What do you believe are some misconceptions about the cybersecurity workforce in India?

    Not only India, but a majority of developing nations still consider cybersecurity as only a technology challenge. Also, another misconception is that only those with a technology background and significant amount of technical experience can advance to a career in cybersecurity. This may not always be true. While cybersecurity could still be technical at its core, in a wider context it is a business challenge and overlaps with governance, risk, compliance and business in addition to technology.

    What advice do you have for someone in your industry who is just starting a career in IT security?

    Listen, read, learn and digest everything you can about IT security through magazines, newsletters, conferences, etc. Focus on a specific area of IT security where you believe you can excel. You should not only be aware of multiple domains of information security, but you should also become an expert in one or more specific domains when it comes to your IT security career goals. 

    What about someone who is already in the field, but wants to raise their professional profile?

    First and foremost, identify your strengths and have your professional goals streamlined in your mind. Additionally, look for learning opportunities in the field of IT security through certifications, courses, or even a formal education in cybersecurity. Specialized learning in IT security, in line with your professional experience and contribution, can help you go farther in the field. 

    If a member was to vacation in the part of India where you grew up, what is at least one "must see" event or tourist thing to do?

    I am from Mumbai, which is often called "the city that never sleeps" and has a lot to offer. Be it rainy season, festival, or sports (cricket), I think one should experience and feel the spirit of the city and its crowd. Enjoy Mumbai rains if you are in Mumbai during rainy season. Enjoy local food and festivals like Holi, Ganapati and Diwali if you are in Mumbai during festival season. If you happen to watch and experience a cricket match during your stay, you will enjoy it, too, since the sport is celebrated much like a festival, with a lot of joy and enthusiasm.



    2016 Volume 6, Issue 5

    Biometrics: An Idea Whose Time May Never Come 

    By Michael Wegner


    Biometrics has fascinated me since I was a youngster reading works by Isaac Asimov and Robert Heinlein, and watching Gene Roddenberry's Star Trek. Imagine, a building or a spaceship that opened doors because it knew who you were and that you were authorized to enter an area. 

    Then, near the turn of the century, this biometric business was no longer science fiction - it was here and we could see it and touch it! (Pardon the pun.) Retina and fingerprint scans were being used by machines to recognize people, although sometimes with mixed results.  

    The accuracy, or inaccuracy, of these systems related to the number of data points the scanner could read, quantify, and compare to the stored data. In a typical fingerprint scan, the system checks for a digit's loops, whorls, ridges, etc.(1) The features found are turned into numbers and then stored away to use as the "password." 

    Next time through, the system reads the digit using the same method, computing the numerical representation of what it finds and comparing it to the database of scanned information. If it finds a match, that must be you. Or him. Or maybe her. Fingerprints may be unique, but a small scanned portion of a print might be common to many prints.

    The systems were limited by how many points they could scan, store and compare in a reasonable amount of time. Let's face it, no one is going to sit around for 45 minutes waiting to enter a door or log on to a computer. But those shortcomings were just a bit of computing power away from being quashed, and Moore's Law would certainly take care of any problems. It was only a matter of time. 

    Sure enough, today retina, iris and fingerprint scanners are fairly reliable. Fingerprint scanning typically uses 60 to 70 different points of data, while iris scans use upward of 200 points.(2) Facial recognition is the next frontier, and that's moving along at an astonishing rate. We now have robots that can identify a person using a library of facial scans.(3) Some newer laptops use the built-in camera to scan your face and authenticate you as a valid user. 

    But in the meantime, black-hat hackers also have made great advances. They now almost routinely collect information on thousands of people at one time, then either utilize the data or sell it. That information often consists of passwords (or password hashes) people used on a hacked network or website. Many - probably most - websites and businesses are very good about advising you if your password was stolen or if their systems were compromised in a way that enabled password theft. When you get a notice like that, your first action should be to change your password.

    But what if instead of a password you were using a fingerprint? You could change the digit you're using, I guess. Most of us have nine others to use, and if you're wearing easily removable shoes and are really flexible, you can add another 10 digits to the cause.

    Your options are much more limited with retina and iris scans, not to mention facial recognition scans. Simply making a new scan of the finger or retina won't work: unless the scan pattern or something else changes, the same finger produces the same stored template. Why? While some researchers write their own scan routines, most everyone uses a commercial library of software routines to perform the scan, compute and store the results, and authenticate later. So until the libraries change, the scanning tools remain unchanged, and a scan of the same finger will yield the same results. Unlike a password, the biometric cannot be revoked or rotated; you will need to supply a different finger, eye or face.
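    The matching model the article describes (features reduced to numbers, a later scan compared against the stored set, a small scanned portion that many prints share) and the point just made about stolen templates can both be shown in a few lines. This is an added example with constructed data, not code from the article: minutiae are modeled as (x, y) pixel points, a toy matcher accepts when enough probe points fall within a pixel tolerance of stored points, and the coordinates, the scoring rule and the thresholds are all assumptions, far simpler than a real matcher.

```python
import hashlib
import math

# Constructed minutiae sets (x, y pixel coordinates). ENROLLED_B deliberately
# shares its first six points with ENROLLED_A to model a region that is common
# to more than one print. Pure illustration, not real fingerprint data.
ENROLLED_A = [(10, 12), (25, 40), (33, 8), (47, 55), (52, 20), (60, 70),
              (71, 33), (80, 90), (88, 15), (95, 60), (104, 44), (112, 78),
              (120, 25), (131, 66), (140, 10), (148, 85), (155, 50), (163, 30),
              (170, 95), (180, 58)]
SHARED_PATCH = ENROLLED_A[:6]
ENROLLED_B = SHARED_PATCH + [(200, 200), (210, 190), (220, 215), (230, 205),
                             (240, 230), (250, 195), (260, 220), (270, 210),
                             (280, 240), (290, 200), (300, 225), (310, 215),
                             (320, 235), (330, 205)]


def jitter(points):
    """Simulate sensor noise: a second scan of the same finger never yields
    exactly the same numbers. Each point moves by at most sqrt(2) pixels."""
    offsets = [(1, 0), (0, -1), (-1, 1), (1, 1)]
    return [(x + dx, y + dy)
            for (x, y), (dx, dy) in zip(points, offsets * (len(points) // 4 + 1))]


def template_digest(points):
    """Password-style handling: hash the exact template. Included only to show
    that it cannot work for noisy biometric data."""
    blob = ",".join(f"{x}:{y}" for x, y in sorted(points))
    return hashlib.sha256(blob.encode()).hexdigest()


def match_score(stored, probe, tolerance=3.0):
    """Fraction of probe points that fall within `tolerance` pixels of an
    as-yet-unclaimed stored point. Toy scoring rule (assumption)."""
    unclaimed = list(stored)
    hits = 0
    for px, py in probe:
        for i, (sx, sy) in enumerate(unclaimed):
            if math.hypot(px - sx, py - sy) <= tolerance:
                hits += 1
                unclaimed.pop(i)
                break
    return hits / len(probe) if probe else 0.0


def verify(stored, probe, min_points=12, threshold=0.8):
    """Accept only if the probe carries enough points and enough of them match.
    `min_points` is the defense against a small patch common to many prints."""
    return len(probe) >= min_points and match_score(stored, probe) >= threshold


def demo():
    """Run the scenarios from the text and return the outcomes."""
    rescan_a = jitter(ENROLLED_A)
    partial = jitter(SHARED_PATCH)
    return {
        "same_finger_accepted": verify(ENROLLED_A, rescan_a),
        "exact_hash_survives_rescan": template_digest(ENROLLED_A) == template_digest(rescan_a),
        "other_finger_rejected": not verify(ENROLLED_A, jitter(ENROLLED_B)),
        "partial_accepted_by_a_at_6_points": verify(ENROLLED_A, partial, min_points=6),
        "partial_accepted_by_b_at_6_points": verify(ENROLLED_B, partial, min_points=6),
        "partial_rejected_at_12_points": not verify(ENROLLED_A, partial),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:40s} {outcome}")
```

    Two things fall out of it. The exact-hash comparison fails on a second scan of the same finger because sensor noise changes the numbers, which is why a biometric template cannot be stored and checked the way a salted password hash is, and why a leaked template is a lasting problem. And the six-point patch shared by both enrolled prints is accepted by either one once the minimum point count is low enough, which is the partial-print problem the article raises; raising the minimum to 12 points rejects it.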

    Alas, thieves on the network aren't our only concern. Using high-tech cameras, it is now possible to capture a fingerprint from several feet away! Capturing irises using the same or a similar method can't be far off, and who knows what will happen to advance retina scans.

    Even if software manages to stay ahead of the game and capture more and more data points, if someone has a library of actual fingerprint photographs and a 3-D printer, in reality they have a finger to use to scan and authenticate. Some advanced fingerprint scanners now check for a pulse(4), so printed plastic fingers will have to get more sophisticated, possibly adding a small bulb pump at the end connected to a few "veins" and "arteries" in the plastic digit.

    I'm sure it won't be long before fake irises are created and printed on contact lenses to fool iris scanners. And while it may be quite a while before fake retinas are created, if the retina scan data is stolen, your only choice is the other eye. 

    All of this leads us back to two-factor authentication using something you have (a card, a finger, an eye) and something you know (a password) to gain access to your website, room, data … or spaceship. It's much easier to lose a card than a finger (amateur teppanyaki chefs an exception), but it's much easier to replace a lost card than it is a finger, at least for now.  

    Although the idea of using only biometrics for authentication sounds cool and sexy, it doesn't look like it will replace two-factor authentication any time soon, if ever. As the technology allowing us to use biometric authentication gets better and better, so does the technology to defeat it.

    Now quick, beam me up before someone steals my transporter image.

    Michael Wegner, CISSP, is an IT security administrator for an Alabama medical center. He can be reached at .


    5 Minutes with Mary N. Chaney

    An excerpt of this Q&A appears in the September/October issue of InfoSecurity Professional.

    Pennsylvania resident Mary N. Chaney is originally from Cincinnati and has been an (ISC)2 member for eight years. A lawyer and former FBI special agent, she currently is director of worldwide information security for Johnson & Johnson.

    What made you want to pursue a career in information security?

    Information security was a natural fit for me. As an information systems major with a law degree and as a former federal cyber-crime investigator, I took to the field like a fish to water. I continue to remain excited and thrilled about the industry and look forward to offering my services on how to shape it going forward.

    Which was more difficult - passing the bar or passing the CISSP exam?

    Sorry, (ISC)2, but the Texas Bar was 2.5 days: one full day of multiple choice, one full day of written essay, and a half day of all Texas Law, essay and multiple choice. No comparison - the Bar exam was harder!

    In what way[s] does your legal career help with your cybersecurity one?

    My legal career has helped me tremendously in my career in cybersecurity. Being able to articulate how the information security controls put in place help protect (or not) the legal culpability of a company in the aftermath of an incident has proven to be one of the more powerful tools in my arsenal. Sitting in the room and being able to translate between lawyers, technologists, regulators and law enforcement is a wonderful skill to have.

    What was it like being a special agent for the FBI?

    Being a special agent for the FBI and investigating cybercrime was a great experience. Not only did I investigate cyber, but I was able to do some pretty cool things outside of cyber. But I can't tell you what they were! 

    Being a federal investigator and determining exactly how a crime is committed is the ultimate root cause analysis.  Thinking like a criminal is important in cybersecurity because ultimately, there is a human behind every crime. If you can understand their motivation, you have a good shot at knowing how to protect yourself.

    How difficult was it to transition from the public to the private sector?

    It was not as difficult as I thought it would be. Large companies like my former employer, GE Capital, and my current employer, Johnson & Johnson, work similarly to the government. The biggest difference I can see is the focus. Data is a top concern of the government. Classifying and treating data based on its classification is the first step in many of the security controls that are put in place. With the popularity of big data, data analytics and cloud computing, it is more and more difficult for private organizations to classify and identify effectively their most important data in order to ensure appropriate controls are put in place.

    I read that one of the first things you did after becoming an (ISC)2 member was to become involved in Safe and Secure Online. What has that experience been like?

    It has always been great. The materials have only gotten better since the inception of the program, and I strongly recommend getting involved. To be fair, I have not had much time to do as much as I did in the first couple of years as a CISSP. But being able to speak to children about cyber dangers, as well as to parents about what to look out for, is very rewarding.

    What do you believe is the biggest cybersecurity issue for children and their parents today?

    The biggest issue for parents is not monitoring the content/access kids have to technology from the time they give them a device. My poor kids are 11 and nine and have iPads of their own, but they can't get to anything on those devices without my consent. Plus, they have to listen to mommy lecture them about creating secure passwords, geo tagging, knowing who you are talking to online, never giving out our home address, etc.

    Kids are kids; they are curious and believe that they are smarter and more savvy. A healthy bit of fear about the dangers of technology will always help!

    You're also involved with the International Consortium of Minority Cybersecurity Professionals (ICMCP). What do you think it's going to take to bring more diversity to the information security workforce?

    As with many things, bringing awareness to the issues is important. Acknowledging that there are unconscious biases that exist toward women and minorities in cybersecurity, as well as the broader IT community, is a paramount step. We as professionals must have the courage to challenge those biases when we observe them and to work to change the entire culture of science, technology, engineering and math (STEM) to be more inclusive.

    Through my participation and passion about working with ICMCP, I hope to help shed light on the challenges minorities and women face when charting a successful career path in cybersecurity. In addition, I want to help come up with effective and creative solutions for increasing interest in this challenging, demanding and exciting world.

    If you had to start all over again, is there anything you'd do differently?

    Absolutely not. I have had the pleasure of being and doing some great things while following my dreams, and I would not change a thing.


    2016 Volume 6, Issue 4 

    The Road to a Robust Trust Protection Platform

    By William Nana Fabu

    For years, security professionals have been looking for ways to keep information out of reach of unauthorized users. Encryption is an ideal way to do this. Within the encryption domain, the public key infrastructure (PKI) certificate has become the foundation of what I call the Trust Protection Platform.

    A robust Trust Protection Platform is now a must, regardless of your industry. Your certificates and keys are of paramount importance to the security of your environment and must be under your control all the time.

    As information security professionals, we continually ask ourselves, "What does it take to have a functional and efficient Trust Protection Platform?" The answer, I believe, is closely linked to a well-managed certificate base.

    Where are the certificates and keys?

    Today, in most industries, wherever data is found at rest or in transit, a certificate is involved. Suppose that governing bodies and security protocols require the security team to encrypt data at all times and to make it available in clear text only to the designated recipient. This implies that you must install at least one certificate on most, if not all, of your systems to build a secure connection with any other connected system or end user. That translates into a large number of keys and certificates (digital entities) you have to manage across your infrastructure. A comprehensive, accurate inventory of these digital entities is the foundation of a strong management program.

    You cannot rely on all your system and application owners to give you the list of all the certificates they have in their system. Rather, you can use a discovery tool that queries all your nodes and builds a comprehensive list of certificates and keys. It is the beginning of a long journey toward an efficient Trust Protection Platform.

    What did I just do?!

    Now that you've taken that initial step to determine which certificates reside in your system and where, you need to look more closely at the nature of these certificates. Ask yourself:

    • Where are all these certificates coming from?
    • Are these good certificates?
    • Do they comply with industry and security standards?
    • Who owns these certificates?
    • When do they expire?
    • What do I report to management?

    Let's tackle each of these questions in a little more depth.

    Where are these certificates coming from?

    When getting ready for your discovery, make sure you select a good tool that will gather as much information as possible on the certificates and keys, as well as information on the host where they reside (see section on tools below).

    Some tools provide information on third-party certificates and keys shared with your institution. This intel is handy when it is time to rotate the certificates and keys, as it's always good to be the first to send an email to a B2B partner regarding the expiration of a mutually shared certificate.

    Make sure you scan your entire environment. You may be surprised to find certificates and keys in the least expected zones of your network. This also gives you an idea as to the pervasiveness of private keys that employees are storing on their desktops, which could trigger an emergency cleanup of your environment.

    Are these good certificates?

    To define a clear and simple policy for certificate and key management, work with the information security team that owns the policies. Be sure to incorporate both industry standards and the realities of your own institution into those policies. Once you define the policy, classify the certificates you discovered according to their compliance with it. It is crucial to do this before you contact any potential certificate owners, so that you are not drawn into a separate justification for every noncompliant certificate and key. You need to know the exact compliance state of your Trust Protection Platform in order to evaluate the workload and build a comprehensive action plan with well-defined priorities.

    As you do this, pay attention to the following criteria:

    • Signing algorithm - note that SHA-1 is out of the question
    • Private key length
    • Expiration date
    • Certificate authority
    • Wildcard certificates
    • Orphan keys
    • Shared keys
    • Self-signed certificates
    • Unknown certificate authority

    These criteria take us to the next question.

    Do they comply with industry and security standards?

    Take the time to sort your discovery based on the criteria listed above and get some figures that tell the story of your digital entities. Do not be overwhelmed by a dark situation. Instead, use it as a selling point to garner management's support and engage everyone in the "cleansing" process. The reality is that you need to turn this situation into a good one using all the tools and the participation of all the IT teams and system owners. There are reporting templates online that can help you build a convincing case.

    Always make sure you do not try to lower the prescribed standards. Only provide exceptions to cases that are not remediable (but make a note to follow up on them). Remember that auditors can access your reports and need to see the compliance increase gradually.

    Who owns these certificates?

    By default, no one wants to be the owner of a certificate. This is why, when you get the discovery data, you must look at the certificate's associations and start contacting the asset owners. A good CMDB (configuration management database) helps associate assets with owners. Note that valuable information on the certificates or keys generally comes from the system owner. This is one of the most difficult tasks in certificate and key management, but if you spend enough time and you have the right support from management and your IT partners, you end up with a solid Trust Protection Platform. Be prepared to send multiple emails and initiate multiple calls.

    Also use the expiration dates to your advantage. No one wants to see his or her system go down because a certificate or key was not renewed in time. Employees will contact you, especially when the policy dictates that a designated system must generate all the certificates and a designated certificate authority (CA) must sign them.

    When do they expire?

    This question is a blessing and a challenge.

    It is a blessing because, as stated above, when a certificate is getting close to its expiration, everyone, and particularly system owners, wants to make sure it is renewed to avoid any outage. Therefore, by sending out an expiration report, the "real" owners will contact you to take action on the certificate. Do not forget to update the certificate with the owner's information and move the certificate to the appropriate group and policy.

    The challenge is the short window before the expiration and the fact that not everyone will be familiar with these certificates (as a result of employee rotation, old systems, unsupported applications, etc.). Do not hesitate to escalate the expiration notification to the highest level to get some traction on the rotation of the certificate or key.

    What do I report to management?

    The success of your project relies heavily on management support. Therefore, report on all aspects of the project. Send emails to management with details on the cleaning process. After some time, with the information you gathered on the certificate and key owners (targeted audience), you can start reducing your distribution list. Use the tool you are working with to generate all the reports possible and distribute these reports to management with a short and to-the-point summary.

    Always make sure you report on the progress. Going from 1,000 unknown certificates to 100 is a very big deal, and you need to share this information with management to let them know you are on the right path, and how they can continue to assist you.

    Divide your project into multiple phases that are easily accomplished. Start from the perimeter and get deeper into your infrastructure. Build a priority list and start working on the tier 1 systems.

    Remember that you were once blind, and now you can see. That is, you were able to clean the environment with the help of your IT partners and the support of management. Therefore, escalate any item that is out of your authority and follow up until you close the item.
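    The classification, expiration and reporting steps described above, as an added example that is not the article's own code or the output of any vendor tool. It takes a discovery tool's export as a list of records (the field names, hosts, owners and key fingerprints below are constructed assumptions), applies the policy criteria from the list above (SHA-1 signatures, key length, expiration, self-signed and unknown-CA certificates, wildcards, shared and orphan keys, missing owners), produces the expiration list to send to owners, and computes the compliance figures for the management report. The thresholds and the approved-CA list are assumed policy values.

```python
"""Classify a discovered certificate and key inventory against a simple policy.

Added example, not the article's own code or any vendor tool's output. The
records below are constructed to look like what a discovery tool might
export; the field names, hosts, owners and fingerprints are assumptions.
"""
from collections import Counter
from datetime import date

# Policy thresholds and the CAs the policy trusts (assumed values).
MIN_KEY_BITS = 2048
EXPIRY_WINDOW_DAYS = 30
APPROVED_CAS = {"CN=Corp Issuing CA 1", "CN=Example Public CA"}
REPORT_DATE = date(2016, 8, 1)  # assumed date the report is generated

# Constructed inventory of discovered certificates (one record per cert).
CERTS = [
    {"id": 1, "subject": "CN=www.example.com", "issuer": "CN=Example Public CA",
     "sig_alg": "sha256WithRSAEncryption", "key_bits": 2048,
     "not_after": date(2017, 6, 1), "host": "web01", "key_fpr": "k-aa11", "owner": "webteam"},
    {"id": 2, "subject": "CN=*.internal.example.com", "issuer": "CN=Corp Issuing CA 1",
     "sig_alg": "sha256WithRSAEncryption", "key_bits": 2048,
     "not_after": date(2016, 8, 20), "host": "lb01", "key_fpr": "k-bb22", "owner": None},
    {"id": 3, "subject": "CN=legacy-app.example.com", "issuer": "CN=Corp Issuing CA 1",
     "sig_alg": "sha1WithRSAEncryption", "key_bits": 1024,
     "not_after": date(2016, 7, 15), "host": "app07", "key_fpr": "k-cc33", "owner": "appteam"},
    {"id": 4, "subject": "CN=dev-box", "issuer": "CN=dev-box",
     "sig_alg": "sha256WithRSAEncryption", "key_bits": 2048,
     "not_after": date(2018, 1, 1), "host": "dev03", "key_fpr": "k-dd44", "owner": None},
    {"id": 5, "subject": "CN=api.example.com", "issuer": "CN=Some Vendor Root",
     "sig_alg": "sha256WithRSAEncryption", "key_bits": 2048,
     "not_after": date(2017, 3, 1), "host": "api01", "key_fpr": "k-bb22", "owner": "apiteam"},
]

# Constructed inventory of discovered private keys (one record per key file).
KEYS = [
    {"host": "web01", "key_fpr": "k-aa11"}, {"host": "lb01", "key_fpr": "k-bb22"},
    {"host": "api01", "key_fpr": "k-bb22"}, {"host": "app07", "key_fpr": "k-cc33"},
    {"host": "dev03", "key_fpr": "k-dd44"},
    {"host": "jsmith-desktop", "key_fpr": "k-ee55"},  # key on a desktop, no matching cert
]


def findings(cert, today, key_use_count):
    """Return the policy violations for one certificate, in a fixed order."""
    out = []
    if "sha1" in cert["sig_alg"].lower():          # SHA-1 signatures are out of the question
        out.append("sha1-signature")
    if cert["key_bits"] < MIN_KEY_BITS:
        out.append("weak-key")
    days_left = (cert["not_after"] - today).days
    if days_left < 0:
        out.append("expired")
    elif days_left <= EXPIRY_WINDOW_DAYS:
        out.append("expiring-soon")
    if cert["subject"] == cert["issuer"]:
        out.append("self-signed")
    elif cert["issuer"] not in APPROVED_CAS:
        out.append("unknown-ca")
    if cert["subject"].startswith("CN=*."):
        out.append("wildcard")
    if key_use_count[cert["key_fpr"]] > 1:        # same private key behind several certs
        out.append("shared-key")
    if not cert.get("owner"):
        out.append("no-owner")
    return out


def classify(certs, today):
    """Map certificate id -> list of findings (an empty list means compliant)."""
    key_use_count = Counter(c["key_fpr"] for c in certs)
    return {c["id"]: findings(c, today, key_use_count) for c in certs}


def orphan_keys(certs, keys):
    """Private keys that were discovered but that no certificate uses."""
    in_use = {c["key_fpr"] for c in certs}
    return [k for k in keys if k["key_fpr"] not in in_use]


def expiration_report(certs, today, window=EXPIRY_WINDOW_DAYS):
    """Unexpired certificates due within the window, soonest first, for escalation."""
    due = [c for c in certs if 0 <= (c["not_after"] - today).days <= window]
    return sorted(due, key=lambda c: c["not_after"])


def summary(results):
    """Figures for the management report: totals plus a count per finding."""
    compliant = sum(1 for fs in results.values() if not fs)
    by_finding = Counter(f for fs in results.values() for f in fs)
    return {"total": len(results), "compliant": compliant,
            "noncompliant": len(results) - compliant, "by_finding": dict(by_finding)}


if __name__ == "__main__":
    results = classify(CERTS, REPORT_DATE)
    for cert_id, fs in results.items():
        print(cert_id, "compliant" if not fs else ", ".join(fs))
    print("orphan keys on:", [k["host"] for k in orphan_keys(CERTS, KEYS)])
    print("expiring within %d days:" % EXPIRY_WINDOW_DAYS,
          [c["id"] for c in expiration_report(CERTS, REPORT_DATE)])
    print(summary(results))
```

    Run the classification again after each cleanup phase with the same policy values and keep the successive summaries; the drop in the noncompliant count from one report to the next is the progress figure the text recommends sharing with management, and the orphan-key list points at the desktop-stored private keys the discovery section warns about.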

    The right tool to use

    Generally, most CAs have a portal to generate and manage the certificates they issue. In most cases, though, you will have more than one CA. Also, be sure to take into account all the self-signed certificates and those certificates that unknown and untrusted CAs signed.

    You therefore need a tool that builds a layer above your existing infrastructure and works with all the CAs and types of certificates and keys existing in your digital universe. There are many solutions on the market, but I strongly suggest you go with one of those located in the top right of Gartner's Magic Quadrant. Why? Because it likely means many security professionals use one of those solutions, and more CAs and other digital authorities will build APIs to work with them.

    Take some time, go through your normal due diligence, and make sure you get the solution that permits you to manage at least 70 percent of your digital universe. Remember that after you discover a certificate, it has nowhere to hide anymore. Also remember that any rogue certificate is an open door to your network and valuable data. Keep your systems environment clean.

    An ideal solution will help automate the full life cycle of a digital entity:

    • Certificate and key discovery (inventory)
    • Certificate, key request and generation (provisioning)
    • Certificate and key installation
    • Certificate and key monitoring (expiration and compliance)
    • Certificate and key revocation

    Managing your certificates and keys cannot be done manually. You need to look for a good solution and evaluate all the functionalities it provides. You also need to involve others in this process. Your IT partners and management are essential to helping you negotiate all the sharp turns and bumps on the road to a robust Trust Protection Platform.

    William Nana Fabu, CISSP, is an (ISC)2 member who is based in the Atlanta area and works in financial services. He is originally from Cameroon and is a past contributor to InfoSecurity Professional magazine.


    5 Minutes with Jason Sachowski

    An abbreviated version of this Q&A appears in the July-August issue of InfoSecurity Professional magazine.

    Jason Sachowski lives in Toronto, Ontario, Canada and is originally from Dryden in Ontario. He is the director of Security Forensics and Civil Investigations at Scotiabank and has been an (ISC)2 member for nine years.

    When you were 10, what did you want to be when you grew up?

    So I went back into the "School Day Treasures" book my mother kept and found that I really wanted to be Spider-Man. It appears that when I found out superhero training was not part of the elementary school curriculum, I gave up on that dream. The following year, I set my sights on becoming a police officer.

    When did you realize you wanted to pursue a career in information security?

    Going through high school in the mid-1990s, there weren't a great deal of technology-based courses being offered. As graduation approached, I applied for both journalism/communication and film studies at a variety of university and college programs. After several rejections, I decided to go back for one more year of high school to focus on law and policing. From there, I went on to study physical security management at Fleming College in Peterborough, Ontario, Canada. 

    In my graduating year, I was speaking with the program coordinator about career options, where I learned about a new program being offered by Fleming College called Computer Security and Investigation. After doing some research, I came to learn what information security and digital forensics were all about, so I decided to give the program a try. It was probably well into my second year of the Computer Security and Investigation program when I started to think that this could really turn into a career, but I was still hesitant because there really weren't a lot of jobs in the market for digital forensics. It wasn't until my last semester, when I was placed on my "work term," that I came to realize that this is what I wanted to do as a career. And, well, the rest is history.

    How did you become an (ISC)2 member?

    I had just started in the first role of my information security career where I was doing a lot of hands-on technical work. I was looking around for ways I could start making a name for myself and showing my peers what I know. While speaking with a colleague, I was told to look at the Systems Security Certified Practitioner (SSCP) accreditation. In 2008, I passed the exam and became an official (ISC)2 member, which I feel was the milestone that catapulted me to where I am today.

    The financial industry is a prime target for cyber attacks and therefore a bellwether for both problems and solutions. What do you see happening within the banking industry in terms of preventing emerging and existing threats?

    There are really a few sides of the spectrum when it comes to emerging and existing threats. The first is centered on the global changes happening in the way we conduct business. The digital transformation most organizations are experiencing is driving them to re-evaluate their business models and become more agile in finding new ways to meet customer demands that don't tie them down to the traditional "brick-and-mortar" approach. 

    The second is how we - as security professionals and everyday users - go about making sure we protect our personal and otherwise confidential information in an always connected and technology-driven society. With  demand growing for organizations to provide their increasingly mobile customer bases with products that are accessible at any time and from anywhere, the lines once separating the different types of information (e.g., banking, social media) are getting blurred as devices become "smarter" and provide users with greater functionality. 

    Lastly, at the CEIC 2015 conference, I attended a keynote by Brian Krebs, where he was discussing his perspectives and insights into cyber crime and cybercriminals. During the Q&A session, I was able to ask him, from everything he has seen to date, what he thought the future held for cyber crime. He responded by describing how today's cybercriminals execute attacks independent of each other and with little knowledge of their victims. Soon, we'll see cybercriminals become much more coordinated in their efforts and have heightened contextual awareness of their victims, which means that cyber attacks will be better planned, executed, and specific data targeted for exfiltration.

    Why did you decide to become involved in Safe and Secure Online?

    When I was growing up, technology was not as prevalent as it is with today's youth. We used physical interactions to communicate, which meant that all of our actions, behaviors and words were done in real time and had a much more immediate impact. As a father, I'm watching my kids grow up with the infinite knowledge of the internet at their fingertips but not truly understanding the inherent risks of how, through technology, we are becoming more dissociated from the traditional interactions of a society. When I was approached about bringing the Safe and Secure Online program into Canada, I jumped at the opportunity to educate children about cyberbullying and cybersecurity. In 2011, I had the honor of presenting the very first Safe and Secure Online program in Canada, which has not only helped to educate our youth but has also given me an appreciation of how important it is to include this type of curriculum in our school systems.

    And what have you done to help promote internet safety among children?

    As part of bringing the Safe and Secure Online program into Canada, we partnered with the Toronto school board to bring this education and awareness to thousands of elementary school children right from kindergarten on up. We focus on the importance of knowing what activity, information and content are appropriate for the internet. We also discuss some elements of computer security so children understand what they can do to make sure when they or anybody else using technology are protected from computer or online threats. Aside from these, I think the most important topic we discuss is cyberbullying: what is it, how it affects everybody involved, and what can be done to prevent it from happening. Even though cyberbullying is one of the many topics being taught, it has been the most rewarding experience because of how we are able to bring such heightened awareness to the problem and make such a positive impact.

    Given all the ways children can now access the internet at school and at home, what is the most important tip you have for teachers, parents or guardians in keeping children safe?

    With the Safe and Secure Online program, not only have we targeted children but we've taken opportunities to educate teachers, parents and guardians about internet/computer safety and cyberbullying. The most important thing we communicate during these sessions is the importance for teachers, parents and guardians to properly educate themselves so that they can continue reinforcing the need for children to be safe and secure. One tip for parents and guardians is to establish a set of rules or guidelines for their children when it comes to using the internet or any technology. A sample rule would be to have children write down all of their passwords (e.g., social media, email, devices) on a piece of paper, seal the paper in an envelope, write their name and label as "password," and hang it on the fridge door. By doing this, parents and guardians will have access to the children's profiles if needed, and the children will know that they are helping to protect themselves but also that the privacy of their profiles is maintained in the sealed envelope.

    What else are you actively involved in at (ISC)2?

    After I became an (ISC)2 member, I was looking for ways to further establish myself as an information security professional and also to network with other professionals around the world. In speaking with a colleague, I learned about an opportunity to get involved with (ISC)2 as a subject-matter expert for the ongoing development of the Systems Security Certified Practitioner (SSCP) exam. From there, I branched out and over the years became involved in exam development for the Certified Information Systems Security Professional (CISSP), Information Systems Security Architecture (ISSAP), Certified Secure Software Lifecycle Professional (CSSLP) and Certified Cyber Forensic Professional (CCFP) certifications. While participating in these forums, I got to network with other professionals, which eventually led to me getting involved with Safe and Secure Online and becoming a contributing author in the former North American Advisory Board Executive Writers Bureau (NAAB-EWB).

    I hear you released a book. What's it about, and how difficult was it to find the time to write it?

    Yes! I'm pretty excited about it. The book is titled Implementing Digital Forensic Readiness: From Reactive to Proactive Process, which was released in February 2016 through Syngress/Elsevier. At a high level, the book details how to proactively maximize the use of electronically stored information to reduce the cost of digital forensic investigations. The book was written from a non-technical, business perspective and is intended as an implementation guide for organizations to enhance their readiness capabilities with regard to managing business risks, such as validating or reducing the impact of cyber crime, supporting litigation matters or demonstrating regulatory compliance.

    Prior to this book, I was writing articles and blogs for both the NAAB-EWB as well as DarkReading, where the style of writing is very non-academic and can be drafted in a matter of hours. 

    When it came time to sit down and write this book, I found that following a similar approach did not work because of how the book content needed to be planned out, researched, and much more academically structured. Even though I had figured out my strategy for getting the book written, it still required a significant amount of time and dedication to finishing it on schedule. Essentially, any free time I had was spent on the keyboard typing out 100, 200 or 300 or more words.

    So you're from Canada. How do you deal with the long winters?

    Growing up in Dryden, which is located about seven hours north of Minneapolis, winters were much longer and colder than here in Toronto. As a kid, I remember my parents having to keep our vehicles plugged in to the electrical outlets so the engine would start. When it came to temperatures below -30°C (-22°F), we would tend to hibernate inside and play with our action figures, Legos, etc. Now that I live in the Toronto area, winters are not as cold but are still Canadian winters in the sense that they are long. Since the temperature is milder, we're not so confined indoors all winter and have more chances to get outdoors. There hasn't been a great deal of snow in recent years, so we've been spending our time outdoors by getting exercise walking around the Toronto Zoo.

    If members were to visit your country, what are one or two things they need to do or eat to have a truly Canadian experience?

    Canada is so multicultural that depending on what region you visit or with whom you talk, you're most likely to get a different response. For me, growing up in a rural part of Canada, having traveled across the country and back and later moving into such a suburban area, I've had so many different experiences and tried all kinds of foods. While I think the staple of Canadian food culture is putting maple syrup on just about everything, I would have to pick the BeaverTail - which is hand-stretched pastry, shaped like a beaver tail, then fried and topped with sweet confections - as the food to try. In fact, BeaverTails are so famous that even U.S. President Barack Obama stopped for one when he visited Canada back in 2009.  

    In terms of a true Canadian experience, there are always landmarks such as the CN Tower or Niagara Falls that come to mind. But to me, a true Canadian experience doesn't exist within the cities or tourist centres; it's located in the wilderness. Combining fishing across multiple seasons, my summer experience would be a fly-in fishing trip to a remote northern location, and my winter experience would be ice fishing in a wooden hut in the middle of a lake.


    2016 Volume 6, Issue 2 

    Our Machines May Be Outwitting Us

    The devices we rely on are getting smarter - but are we? That and other warnings from information security experts at this year's RSA Conference

    BY Deborah Johnson    

    Security. Safety. Trust.

    Vulnerabilities. Threats. Attacks.

    Those were the recurring themes at this year's RSA Conference in San Francisco's Moscone Center, where 40,000 cybersecurity practitioners and more than 500 tech companies gathered to share ideas and offer potential solutions to the challenges facing the industry.

    As a first-time RSA attendee, I was captivated by the wealth of knowledge and experience on hand. With such a vast amount of brain power in one place, surely, one would think, the hackers don't stand a chance. Add to that the hardware and software on display, all aimed at getting at the "bad guys." We (the good guys) have got to be winning!

    Actually, no. Not according to some of the industry leaders on hand. 

    "Our problem is not a technology problem. Our adversaries are not beating us because they have better technology. They are beating us because they are more creative," declared Amit Yoran, RSA's president.

    "Devices are becoming smarter, and we're becoming more stupid," warned Hadi Nahari, vice president/security CTO at Brocade Communications, Inc.

    Those two assertions were eye-opening for me. I had thought that "we," the larger society of brains who created (and continue to innovate) our cyber-dominated world, were in control. That "we," I had to remember, included the good guys (most of us) and the bad guys. So, yes, maybe we were in control, mostly, but it depended on which hat was being worn - white or black.

    The Conference offered hundreds of panels, presentations, roundtables and forums. I divided my time between the panels on professional development (how to build a strong security team, how to create a strong security culture in an organization) and presentations on threats and solutions and what the future may hold. I listened to (mostly) engaging, intelligent and savvy speakers, the aforementioned Amit Yoran and Hadi Nahari among them. 

    Armed with the latest information on our cyber vulnerabilities, I ventured out to the exhibition floors, two enormous spaces filled with the latest in programs, applications and equipment to help us protect our cyber lives and information and root out the bad guys. The exhibitors love to talk about their wares, and all it took was a question to get them going. What did I learn? The massive (and lucrative) security software business is finding more niches in which to offer its services. For instance, if your company outsources its HR duties and you want to make sure the vendor you hire is doing what he/she is supposed to from a security standpoint, there's a company to monitor the vendor for you. Or, say your company has a call center, and you want to root out fraudulent callers. There are services that will listen in and track down the fake callers. That's just a tiny sample of what's being sold on the showroom floor.

    What it all boils down to is "trust." As consumers, we need to trust that our information, our work products, our very identities are safe. As cyber experts, each of you is trying to make that a reality.

    But, and here is the snag - the fly in the ointment - the burr under the saddle:  What about "privacy?" 

    The Apple vs. FBI controversy was definitely top of mind. The issue was batted around in just about every venue. As I expected, most participants that I heard (both on and off stage) believed that Apple should stand firm, that the U.S. government was asking for something that would set a dangerous precedent, one that would imperil all of our privacy rights.

    Which led me to ponder the whole issue of just how private our cyber information is anyway. In reality, anything we say online through social media is out there. When it comes to our banking, our taxes, our email, we like to think they are all private unto us (unless you're doing this work on your workplace computer). But, are they really? Who at my bank sees my records? What clerk at the IRS sees my tax return? And, of course, anyone can see my Facebook and Twitter postings. So far, I don't mind.

    But, all these tools that are being developed to monitor, to vet, to put controls on who has access to what are only as good as the people using them. And I'm not just worried about invaders absconding with my bank account. I also think about entities that can use the information they collect for their own benefit at my expense, say, an employer who doesn't agree with my political opinions. Or an organization (university, association, etc.) that may not appreciate my religious beliefs. Am I being paranoid? Perhaps, just a little.

    What I can do is hope that most of those 40,000 cyber experts and practitioners - and the thousands more worldwide - are indeed working for the "greater good."

    For my part, I'm changing all my passwords.

    Deborah Johnson is managing editor of InfoSecurity Professional magazine.

    5 Minutes with Lt. Col. Husin Jazri (Retired)

    A shorter version of this Q&A appeared in the March-April issue of InfoSecurity Professional magazine.

    Lt. Col. Husin Jazri (Retired), CISSP, is originally from Kuala Lumpur, Malaysia but now resides in Windhoek, Namibia, where he is an associate professor in computer science and informatics at Namibia University of Science and Technology. He has been an (ISC)2 member since 2002. You can reach him at or

    How did you first become interested in information security as a career?

    I became involved in information security when I started my first job as a commissioned officer in the Royal Signal Corps of the Malaysian Armed Forces in 1987, after completing a bachelor's degree in engineering from the University of Hartford in Connecticut (U.S.A.). I was fortunate the university selected me as one of its Armed Forces scholars. I have to admit that the American education system has strongly shaped my thinking process.

    What would you consider your career high point[s] to date?

    Briefly, my career has been divided into four areas: military service; government service; business development; and research and academic. Each one has had both high points and challenges. The first period was military service. During this time, I subscribed to the hypothesis that technology is an enabler and game changer to the organization. With this belief, I had been tasked to bring an information and communication technology culture into the military force, and it was a big challenge then, when most of the seniors were seasoned counter-insurgency combatants.

    I had to overcome their hesitations and prove that changes can be positive if taken appropriately. The successes came with the formation of appropriate establishments within the military force, and I received a service excellence award and fast promotions as a result. That was roughly a 12-year effort, and from this experience, I learned that every change has its timing, and we must keep on challenging in order to succeed.

    My second career area was with government-related companies, i.e., a research institution that led to the formation of a national cyber security institution. The culture within this realm was different than I experienced in the military arena. Thus, I realized we needed a new form of a cybersecurity agency at the national level - this time not fashioned from regulatory and bureaucratic perspectives, but rather from science and technology perspectives. As such, I focused on research, experimentation and innovation to address the dynamic threats of the cyber world. This was very exciting, since traditional security environments subscribed to an autocratic culture where command and control is fully exercised. We can never address the problems in the cyber world effectively, however, using this model.

    Science and technology, R&D and innovation flourish better in a non-autocratic culture. This hypothesis led to the formation of a cybersecurity agency with science, technology and innovation at the forefront. I was privileged to lead this agency for 12 years, from cradle to adulthood. As a result of my efforts, I received the (ISC)2 Harold F. Tipton Lifetime Achievement Award and many other honors. The sweetest memory is being able to visit the White House under the invitation of [board member] Howard Schmidt when he was the cybersecurity advisor to President Barack Obama.

    My third career area was working with business enterprises. The challenges were different. I found that no matter how wonderful our ideas were, and how good or secure our solution was, they had to fall back on business fundamentals, namely supply and demand, customers' perceptions, resource limitations and time constraints. I was able to serve at least five cybersecurity companies -- two of them outside Malaysia. By this time, I realized that business success is not entirely due to your own effort; many external factors come into play, such as being at the right place at the right time and knowing the right people. Despite many challenges, I received a prestigious Platinum Award by the Industry Association in Malaysia.

    The fourth area is my current career in research and academics. I now have the chance to document key experiences into papers, journals and conference publications. A good part of this experience is to be able to conceptualize real-life experiences and to share them with students. I am a proponent of people-process-technology interactions, and my research focuses on information security in this context. This type of research is needed here, in Africa, as it may not be as big an issue in the developed world.

    What prompted you to move to Namibia?

    Mainly, the opportunity to apply my career experiences in the academic world and to live in a part of the world where information security education is strongly needed intrigued me. In this regard, I must thank Professor Jill Slay [a former (ISC)2 Asia-Pacific Advisory Council member] and the Namibia University of Science and Technology for giving me the chance to be part of this dynamic academic team. I am very grateful and honored to serve this institution and interact with so many friendly people from Africa.

    How is it different to teach students in a classroom than entry-level employees in a company?

    Students in a classroom environment have different motivations than employees in a company. It takes more effort to convince them of a point of view, as they are free to adopt it or quietly walk away. Their primary motivation is to perform well on exams and to acquire knowledge. I enjoy engaging mature students and working students as they better relate to what is being taught.

    As for employees, they are subjected to company policies, rules and regulations. Their motivation is based upon compliance and feasibility to implement.

    You've mentioned that more attention needs to be focused on southern African regions and nations. Why is this?

    The region is represented by 15 countries with a regional development agreement called the Southern African Development Community (SADC). These countries are developing at a rapid pace, and I cannot overstate the dire need for effective cybersecurity regulations, governance and best practices.

    What would you like to do to bring more attention (and resources) to this region?

    First, I would like to call upon members of (ISC)2, especially those with influences in their workplaces, to consider Southern Africa as a strategic region to explore. Attention and resources can come in many innovative ways, ranging from academic works, pure and applied research, collaborative and mixed research, volunteerism, experience exploration, commercial expansion and the like.

    Secondly, I would urge (ISC)2 as an organization to consider having a presence in this region through collaboration with suitable institutional champions in each of these countries. For instance, (ISC)2 could partner with the local government on collaborative research projects and awareness programs such as Safe and Secure Online, and collaborate with the Namibia University of Science and Technology to conduct online Review Seminars and online certification exams.

    What do you like to do to relax outside of work?

    At any possible opportunity, I like to get closer to nature and enjoy the beautiful landscapes and wild animals of Namibia, which I would say are a hidden treasure of the world.

    I have been to some amazing places in Namibia, including Swakopmund, Etosha National Park, Walvis Bay, Luderitz, just to name a few. I would like to visit Cape Town, Victoria Falls, the beaches of Mauritius and many more places when the opportunity arises.

    If you could recommend one place everyone should visit at least once in their lifetime, what would it be, and why?

    For nature lovers, Namibia is well-known for its Etosha National Park, a safari park that would enable (ISC)2 members to get closer to nature while spending time with family members. Zambia and Zimbabwe are well known for Victoria Falls, one of the natural wonders of the world. South Africa is home to beautiful Cape Town for relaxing and waka-waka dancing. Mauritius has beautiful beaches and aloha greetings. Each and every one of these SADC countries has a unique feature worth visiting at least once in a lifetime.

    Thus, I urge (ISC)2 members to look for every possible opportunity to come to this part of Africa and experience it for yourself. There's no other place in the world like it.


    2016 Volume 6, Issue 1

    Analog vs. Digital: The Great Divide

    By Gordon Merrill

    To the horror of everyone working there, the bank on the corner of Main and 32nd streets was just robbed at gunpoint by three men wearing ski masks. Very stereotypical, I know, but work with me here. What follows may surprise you.

    To the dismay of the bank personnel, there are no police cars or sirens, no detectives, no request to view camera videos and very little concern by anyone outside the bank. The bank just lost hundreds of thousands of dollars, and now, without any police activity and no one seemingly racing to help, angry customers are asking bank officials, "What do you intend to do about this?" Meantime, news reporters at the door want to know why the bank was "so lax" as to allow these gunmen with automatic weapons to run off with customers' assets.

    Sound absurd? Well, it happens almost daily. The reason you don't recognize it is that this is the difference in how the world responds to a digital crime versus a regular (analog) crime. Why is that? And, why do we allow it?

    When there is a physical robbery, no one questions if the bank should have had better security or if the bank had sufficiently tried to foil the crime. Instead, the bank is viewed as one of the slate of victims, and those responsible for these crimes are sought, found, tried, convicted and punished. If the poor robber had only thought to go home and sit on his couch and hack into the bank to steal the funds, in most cases he would have been able to get away with it; foil the investigators; make it too difficult to investigate; and watch as law enforcement drops the case.

    This is in no way intended to disparage our members of law enforcement. It does, however, highlight that they seem to have a growing cybercrime caseload and too few resources. This is especially true if the case crosses countries to international targets where, in some cases, there is little or no cooperation from the other authorities. So why, in the digital world, is the other victim - the bank - criminalized, with bank officials charged, fined or even jailed instead of the real criminals?

    Somehow, we quit looking at crimes the same way after the introduction of digital. The last great overall federal privacy legislation designed strictly to protect personal privacy was enacted before personal computers were popular or cell phones were even invented. So, let's look at this a little differently, assuming that we had similar protections for all our digital transactions as we do for our analog ones. How much different would the same bank scene look applying analog laws and crime scene investigation principles to a digital robbery?

    To the horror of everyone working there, the bank on the corner of Main and 32nd streets has just been robbed by several simultaneous hacking techniques that breach the bank's digital defenses. Soon after sounding the alarm, the police arrive, followed shortly by the FBI to investigate the federal crime of bank robbery. The police secure the crime scene and export data from the data center for forensic review. In this scenario, the bank workers and management are still viewed as victims, not criminals, because someone broke in and stole from the bank.

    Following the same line of reasoning, I guess in the analog world, if someone broke into your home and stole your new flat-screen TV, the burglars would be found and charged. But, in the digital world, the homeowner would be charged for not having the most up-to-date alarm system.

    Or, consider the farmer with a barbed wire electric fence and numerous "No Trespassing" signs. One day, a drunk driver plows through the fence and gets out of his car, where he is injured by a charging bull. Do you want to guess who the criminal in each situation is? In the analog world, the drunk driver would be; in the digital world, it would be the farmer.

    So, back to one of the original questions: How did we get to this point, and why do we allow it to continue? Some of the most profitable businesses in this economy are those that gather all kinds of data on you and me and sell it, without our permission to gather it, store it or sell it. Maybe these operations have lobbied to keep the laws as an analog rule of law only. Has the ability to openly buy and sell private citizen data made it too profitable to regulate? And has that lack of regulation of anything above an analog level made us impotent to regulate and prosecute the true criminals in digital or cyber crimes?

    Information security professionals have an uphill battle trying to shore up their defenses with only analog regulations behind them. They face not only true cybercrime threats but also civil penalties when they are victimized by criminals we can't pursue and are outnumbered to defend. Maybe the foundation of the whole system of personal privacy laws is upside down, but that sounds like a whole different article.

    Gordon Merrill, CISSP, MSIA, is a cybersecurity professional whose career spans more than three decades and has taken him to 48 states and six foreign countries. Gordon's information assurance background has included working for major computer companies, managing IT projects for Fortune 250 companies in the risk management field, owning a business and working as a private consultant. He has chaired the information technology department at a local college and served as primary instructor for the Bachelor's Information System Security Department, instructing students in all the CISSP domains. Gordon's experience and research have him most worried about eroding personal privacy and the lack of potential for real data integrity.

    5 Minutes with Geraldo Fonseca

    Geraldo Fonseca is an IT security coordinator who lives and works in Rio de Janeiro and has been an (ISC)2 member for seven years. He currently serves on the (ISC)2 Latin America Advisory Council.

    What's it like to live and work in Rio de Janeiro right now, with the Summer Olympics just months away?

    The city has been turned upside down. There are countless transit modifications, public transportation reorganization and construction all over the city. There are dozens of improvements underway to the subway and bus systems, and the government is installing a new light rail system that will run through most of downtown Rio and building new tunnels and overpasses. The city's electric grid is also being upgraded in order to increase its reliability during the Summer Games. Finally, the Olympic venues themselves are mostly still under construction, which means that in some areas, the streets are filled with heavy vehicles and machinery.

    As a commuter, my typical trip from home to work went from less than 40 minutes to more than an hour.

    How have the recent World Cup and upcoming Olympics changed the city and the region?

    The interventions I mentioned have turned the city's already complicated traffic situation into a chaotic one. I do think most of the citizens understand that this is a temporary burden, and the projected improvements to the city's infrastructure are well worth the hassle.

    The official estimate is that Brazil received around 1 million international tourists during the World Cup, which had venues in 12 different states during a more than month-long period. The city of Rio de Janeiro alone is expected to receive something between 300,000 and 500,000 international tourists during the two weeks of the Olympic Games (this does not even take into account the Paralympic Games). This, of course, means a lot of income for the local economy, and it has stimulated investments in the airports, hotel chains, public areas, etc.

    In what ways has all of this international attention impacted information security professionals in Rio de Janeiro?

    I wouldn't say the impact is restricted to Rio, since many companies directly involved in the Olympic Games organization are not based in the city. The visibility that the event will bring to the city is quite big, and many organizations have made investments in their teams and infrastructure to reduce the cyber threats that will likely emerge during the games. That, along with the general awareness that the big cybersecurity incidents of the last couple of years have created, has stirred up the market a bit and helped create some interesting opportunities, despite the poor economic performance the country has shown in the same period.

    How is working in Brazil different than in other parts of South America?

    Unfortunately, my experience working with other South American professionals is somewhat limited, but I would risk saying that South (and Latin) American countries share many cultural aspects, the most noticeable one probably being that we are generally very altruistic in our professional relationships.

    How did you become a professional in information security?

    I guess I am one of the late '90s cases of being "a sysadmin that deals with firewalls." Since then, I have dedicated my career to information security.

    How important is your (ISC)2 credential to your career?

    In Brazil, the CISSP bears a lot more "weight" than in the United States. I believe this is because the number of certified professionals is much smaller here than in the U.S. There were even fewer CISSPs in Brazil back in 2008 when I earned my certification. I used to say that being a CISSP does not change who you are as a professional, but it surely does give you an advantage when an employer is comparing your resume to that of someone who is not certified.

    What is something people might be surprised to learn about you?

    I guess that at first, people might consider me an earnest and maybe even a grave person, but I think it's just the way I deal with my shyness. My wife says that it has nothing to do with shyness; it is just another way I find to be sarcastic. Well… she is probably right.

    What do you do to reduce stress from work?

    I like to travel with my family as often as possible. We especially love going to the beach. I also learned a few years ago that brewing your own beer, although demanding work, is a pleasant and rewarding hobby that involves a lot of research, experimenting and community interaction.

    I've heard Mardi Gras is also big in Rio. What's it like to be working in security when that time of year comes around?

    Ahhhhh, Carnival!!! I could mention impressive numbers, like 2.3 million people on the first day of one of the street festivals alone. But that would not do justice to the five-day event that practically halts all the nation's activity. It is said to be the largest popular celebration in the world, and the word "unspeakable" is often and very accurately used to describe it. Of course, it is a thriving period for phishing and general scams involving the theme.

    If you could recommend one thing every tourist should do while in Rio, what would it be?

    That is a hard one. The Santa Teresa district is the go-to place for local restaurants and pubs. And if after dinner and a few drinks you are still game, take a five-minute taxi ride to the Lapa district and spend the rest of the night in one of many nightclubs.

    The obvious touristic destinations in Rio will keep you busy for a few days, including Sugar Loaf, Corcovado, Maracanã Stadium, the central beaches like Ipanema and Copacabana and more. But if you are in for more than a few days, you should definitely explore seaside cities like Buzios to the east and Angra dos Reis to the west.

    An abbreviated version of this Q&A appeared in the January/February issue of InfoSecurity Professional.

    2015 Volume 5, Issue 6

    Tending to Information Security Trends

    Portents and Fantasies for 2016

    By Ben Malisow

    We've seen a great many impressive IT security activities in 2015: some breaches that exposed and absconded with considerable swaths of PII and financial data, some supposed intrusions that exposed people of significance to embarrassment and ridicule, and some vaguely ridiculous "accidental" failures that resulted in widespread violation of policy and law.

    Essentially, this was pretty much like any other year.

    With recent history in mind, I would like to offer my predictions and wish list for the coming year in terms of IT products and trends.

    The New Malware Fight Club: Malicious Coders vs. Online Data and App Hosts

    WISH: Someone will point out that the definition of malware is software that sits on a machine, hogging system and network resources, performing covert functions so computers can't detect and eliminate it, calling back to the mothership for updates and instructions. It also does not come with an annual subscription fee.

    PREDICTION: Malware has been and will continue to be a problem for the foreseeable future. All the current anti-malware toolset vendors will continue to update their products to stay competitive in a cutthroat field that always has room for new entrants. Anti-malware suites residing on servers and hosts and in the cloud will continue to run in the background of each system, performing covert functions so criminals cannot detect and subvert them, and they will reach back to the vendor for continual updates and enhancements.

    The current model is lacking. It's basically a pay-for-our-list-of-known-vulnerabilities format, doled out by a few vendors who have excellent marketing divisions. In many ways, this misses the point entirely. A zero-day exploit is just a vulnerability that the research teams and the pro-am hacking world have not yet stumbled upon, and thus the vendors can never include it in the definitions and suites that they sell for the purpose. So, all we're really buying when we purchase antivirus "protection" is a set of known malware.

    For decades, we've heard promises of heuristic and algorithmic malware recognition tools that are behavior-based instead of definition-based. But, thus far, these have also been lacking. They all too readily produce false-positive reports that hinder operations, especially when they are allowed to function automatically to shut down ports or stifle activity that the tool decides is suspect. More often, the organizations that have purchased the tool disable these capabilities, because, in the eyes of the tool, legitimate operational software and traffic are indistinguishable from malware.

    Moreover, the true problem with trying to obviate the threat of malware is that most current malware attacks do not occur in stasis, with some script randomly infecting an environment. Users introduce them into the environment, in many cases by actually circumventing whatever countermeasures or policies are in place to prevent just such an occurrence. These, then, are not malware attacks, per se. Rather, they are social engineering attacks, and the vector just happens to be malware.

    Are we going to keep chasing our tails in this arena and continue to allow malware designers and exploiters to beat us up? I don't think so, or, at least, not to the degree we once were. We're going to be outsourcing the malware fight to our online data and app hosts. As we move more into the cloud, it's the hosts that are going to have to detect and combat malware, and they're going to have a much easier time of it, because the controls they can put in place to prevent unknown/suspect software from running on their systems are much more flexible. And the best part? SLAs will ensure that infections will be at the expense of the host, so your organization is doubly protected by risk mitigation and transfer.

    Batten Down for the Next Big Breach

    WISH: We, as information security experts, consultants and practitioners, could proselytize to our customers and the public at large that a defensive security posture - protecting everything at all costs - is not only cost-prohibitive but self-defeating and bound to eventually fail. Instead, it may be better to adopt a reactionary stance, where we are breach-ready, and we deal with each event and incident as it occurs, in a professional, timely and rational manner.

    PREDICTION: Breaches will occur, some of them rather publicly. Both the media and security experts from outside the organization will expound on how the organization failed to meet the needs of its stakeholders, including the community, the citizenry, and humanity in general. Authorities from within the organization will release statements explaining that the breach was the result of an advanced attacker using sophisticated means of illicit ingress, and they will fire some executive personnel.

    I love the work of the folks over at the "Down the Security Rabbithole" podcast []. Indeed, you'll see that a lot of my positions dovetail with theirs. Groupthink? Perhaps. I like to believe we're all just smart enough to come to the same conclusions. DtSR drives home this point on a regular basis: We're trying to protect everything, and we're behaving as if any breach, regardless of magnitude or type, is tragic. This is counterproductive. We all know that 100 percent security is strictly the stuff of fantasy, so creating a security posture where we define failure as "any loss" is simply designing it to fail. While security practitioners often like to couch our work in terms of military metaphors, this is one area where it's best not to do so. In this, unlike military strategy, it is better to be reactive.

    Patients Continue Circumventing Their Own Privacy Protections

    PREDICTION: As healthcare records continue to be a viable, underprotected target for attackers, governments will create additional protective regulation. At the same time, the potential victims these new regulations are designed to protect will undermine them by posting photos of their foot surgeries on Facebook.

    We, as security professionals, are very concerned about disclosures of medical records; our concern comes from both habit and legislative mandate. This fear is probably misplaced. It originated from the possibility that an individual might face social and financial penalties if their medical records were disclosed. For instance, an employer might not hire a candidate if they were found to have a certain medical condition, or an insurer might only offer coverage at exorbitant rates for pre-existing conditions. Thankfully, these worries largely have not materialized in any concrete or uniform way in anything other than anecdotal numbers.

    Moreover, with today's health reform, everyone's medical records have already been disclosed to the government, which is often the largest employer in certain fields and regions, as well as the largest insurer, and also the entity that seems most likely to lose your information in a breach.

    Ultimately, people don't seem to care about disclosing their health information: they do it willingly and loudly. And there seems to be (forgive the pun) no ill effect.

    WISH: We all could just get over the notion that personal privacy is even a thing anymore, especially in terms of medical data.

    Arcane Laws Will Continue to Confound Law Enforcement

    PREDICTION: We'll see more legal brawls based on legislation created with good intent but no concept of human nature or the law of unintended consequences. These archaic laws will then be the basis of confusing prosecutions, such as the case of Cormega Copening [], a minor whom authorities arrested for having naked pictures of himself, but whom prosecutors have chosen to try as an adult.

    WISH: The best thing security professionals can do is to convince everyone who will listen that any new laws regarding technology should be put on hold for at least a generation before adoption. We need to find out how society is actually going to make use of the technology before we attempt to "control" it.

    Honestly, legislation always trails tech, and tech-centric laws are almost uniformly lacking. It's going to take a while to expunge the precedents set by the old laws and eliminate them from case law, even after we strike them from active regulation. This is going to be a tough slog; we're looking at least at decades to sort through the mess.

    The Call is Coming from Inside Your Security Program

    PREDICTION: The greatest threats will continue to be insiders, and the greatest insider threats will continue to be IT and information security professionals.

    WISH: Someone will devise an app that allows monitoring of employees' bank, PayPal and Bitcoin accounts and notifies management of any substantive changes. And employers will buy it and make compliance a requirement of employment.

    Okay, okay. Civil liberties being what they are, it isn't going to happen. At least not next year.

    The people who think they know better (that is, us) are always going to know just enough to think they can get away with breaking the rules. Often, that's the case - for a while, anyway.

    Bigger Phish to Catch

    PREDICTION: Phishing will continue to be a thing.

    WISH: Haptic output devices will finally reach the point where security teams can hit a button and actually have a user's system slap the user in the face whenever the user even glances at an email with a subject line that includes the terms "online lottery," "update banking information" or "Dearest Friend."

    Alas, this is yet again not something that will abate anytime soon. The programmed human urges for resource acquisition, sex and personal acclaim (all fed by phisherfolk) will always, always, always trump rational thinking, sound judgment and training (which we beg for). We will never convince all users to avoid phishing, because a certain percentage will always succumb. Again, it's better to be reactive to this threat.

    You Just May Get What You Wish For

    WISH: People will prohibit self-proclaimed infosecurity experts from churning out wish lists and predictions at the end of each year.

    PREDICTION: They'll still do it.

    BONUS PREDICTION: Something will happen that nobody predicted, and everyone will quickly say how they've been predicting that for years.

    I know no more than any of you and a lot less than most. Hopefully, I'm not really saying anything you don't already know and haven't already said yourself. But, sometimes, it's just good to commiserate about the future as we have about the past. Oddly, that can be reassuring in its own way. 

    Ben Malisow is a contributor to Insights and InfoSecurity Professional. He refuses to be held accountable for anything that doesn't come true in 2016.


    5 Minutes

    5 Minutes with Tamer 'Tom' Gamali

    An excerpt of this Q&A appears in the November/December issue of InfoSecurity Professional magazine. Here is the session in its entirety.

    Tamer "Tom" Gamali is the CISO of the National Bank of Kuwait and has been a member of (ISC)2 for more than 10 years.

    What did you want as a career when you were 10?

    Probably like many young boys, I started life with my heart set on being a pilot.

    How did you get your first "big break" in information security?

    Working at Intel, I was always envious of the security team and very interested in the type of work they did. Intel was expanding the team in the UK in the 2000s based on an increase in cyber-related activity, and I jumped at the chance to be part of it.

    Since becoming a CISO, what has surprised you the most - in good and bad ways - about the role?

    The role has evolved dramatically over the last 10 years, mainly from residing within and focused on IT to supporting the entire organization. This requires a more business-savvy CISO with strong communication skills, rather than the old-school technician that can't relate to people in other areas of the business.

    In terms of security risks and rewards, how is working in the financial industry different than some other industries?

    The risks are high. For example, the regulatory and compliance factors certainly have greater significance than in most other sectors. It is a rewarding role; however, at times, the risks associated with the role may be questionable.

    Have you always worked in Kuwait? If not, where else have you lived and worked, and how is Kuwait different?

    As part of the Middle East and an oil-rich Gulf state, Kuwait certainly has its own unique culture, and this obviously impacts the way business happens. There is much more focus on relationships and trust in doing business here than in other countries.

    How important is your (ISC)2 credential to your career?

    Having been a CISSP for more than 10 years, this is a very well-recognized certification, which is almost an industry benchmark for security competency. I have obtained other credentials in the past, but the CISSP is the only professional credential that I have maintained during my career.

    What do you do to reduce stress from work?

    To relax, I like to go running and scuba dive. The weather in this region is conducive to an active outdoor lifestyle for most of the year.

    If you could talk to your 10-year-old self all those years ago, what advice would you offer your younger self - knowing what you now know about the future?

    First, I would tell myself to listen to the advice from older people. Unfortunately, it's easy to ignore the value of that advice until you reach that age and start providing it.


    Latest Issue: 2015 Volume 5, Issue 5 

    It's More Than Just the Firewall - Today's Challenges for Security Professionals

    By Raj Kaushik

    I watch as my daughter blows soap bubbles in our backyard. The sparkling bubbles exist for brief moments then innocently disappear as if they were never there. They call to mind many of today's cybercrimes - the momentary hacks and invasions that disappear, launched with great malice, stealing the name, fame, character, wealth or peace of mind of the victim. No one is secure today - not even in boardrooms or bedrooms.

    In September 2014, Hollywood was rocked by a scandalous leak of celebrity nude images. Among the victims were Jennifer Lawrence, Rihanna, Kim Kardashian and Kirsten Dunst. The images were seemingly first posted by a Twitter user, but in less than an hour, they spread like a wildfire.

    On October 3, 2014, J.P. Morgan Chase admitted that a cyberattack over the summer may have compromised information about 76 million households and 7 million customers of its small business clients. In the past, companies like Walmart, Home Depot, Target, Apple, Sony's PlayStation Network, Epsilon and Neiman Marcus have proven vulnerable to data security breaches.

    More recently, cheating spouses are in the spotlight after their personal information was publicized following a high-profile hack of the Ashley Madison Website.

    The New Landscape for Security Professionals

    Security professionals face new challenges in protecting data. Until recently, their role typically was limited to the technology of firewall, virus and Trojan attacks. It was a tick-mark scenario that helped CEOs brag about having the right people in charge of their IT security. At best, it was about meeting the compliance requirements and legal obligations. However, it is evident that Data Loss Prevention (DLP) systems, Internet monitoring tools and similar technological controls have failed to stop a growing number of data breaches. For that reason, we need to examine the human factor closely.

    According to IBM's 2014 Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. Vormetric, Inc.'s 2013 white paper, The Insider Threat: How Privileged Users Put Critical Data at Risk, supports this contention. In research conducted by Federal Computer Week and cited in this report, 59 percent of respondents agree "most of our internal IT security threats are innocent mistakes without malicious intent."

    Those mistakes are often the results of employees trying to "simplify" business. In its 2012 Global Study on Mobility Risks, The Ponemon Institute surveyed 4,600 IT professionals from 12 countries. Fifty-nine percent of respondents reported that employees circumvent or disengage security features like passwords and key locks. Adding to this alarming trend, 51 percent of the study's responding organizations experienced data loss from employees using unsecured mobile devices, including USBs, tablets and smartphones.

    The Human Factor

    Attaching the wrong documents, emailing documents to unintended recipients, copying data onto USB drives, transferring data to a personal computer, opening an email infected with malware, disclosing credentials or simply clicking on authentic-looking sites - these are common mistakes that any employee - even those who've received security awareness training - can make.

    But most employees seem to be convinced that the responsibility of IT security lies within the security team. They assume that existing controls are more than sufficient to safeguard corporate interests and also to nullify the impact of the mistakes they might make.

    Many employees don't seem to recognize the value of the data on their devices. A 2014 survey conducted by Absolute Software Corporation revealed that nearly two-thirds of employees estimate the corporate data stored on their mobile devices is worth $500 or less.

    But the cost of a mistake, whether it is innocent or deliberate, is huge. 

    In its 2014 report, Net Losses: Estimating the Global Cost of Cybercrime, McAfee states that the "likely annual cost to the global economy from cybercrime is more than $400 billion." And individual companies are paying the price, as reported in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM and conducted by The Ponemon Institute. According to the report, the average cost of a data breach to a company was $3.5 million, a 15 percent hike from the previous year.

    Data breaches are bound to increase, particularly with the rise of big data, cloud and mobile computing. The new trend demands that security professionals not hide behind the firewall but emerge and venture into enterprise risk management and governance. Security professionals have to be more than vulnerability detectors and patch managers. They need to understand corporate culture, human behavior and the elements of effective communication.

    A Possible Way to Improve Our Jobs

    Today, the biggest challenge facing security professionals is how to alleviate, if not eliminate, human errors. The key is securing the participation of all employees in the process.

    In ancient Greece, commanders' most successful strategy on the battlefield was using hoplites in a tight formation called the phalanx. Each man protected both himself and, partially, his neighbor with his large circular shield, carried on his left arm, effectively minimizing exposure to the enemy's arsenal. Along the same lines, security professionals need to involve all employees, provide a training shield to everyone, and create an organic, conscious and adaptable protection strategy.

    Here's a potential roadmap to do just that.

    1. Include employees when developing a risk and content management strategy.
    2. Understand employees' daily challenges to ensure the solutions meet their requirements and eliminate the need for circumventing security features.
    3. Organize formal training for employees so they are sensitive to and forewarned of the consequences of breaches.
    4. Involve decision-makers, as they need to better perceive the real threats and consequences and allocate budget accordingly.
    5. Persistently implement recommended security controls organization-wide. Security must not be a half-hearted, one-shot deal.

    If security professionals do not adapt to continuously changing corporate landscapes and fail to teach security responsibility to every user, consumers and businesses alike will be left wondering why data breaches continue to occur. The solution lies within all of us. 

    Trained as a physicist and with a Ph.D. in Science Museum Studies, Raj Kaushik entered the field of IT in 2000. For the past 15 years, he has been involved in design, development and post-delivery management of enterprise applications. Raj has written numerous research and technical papers and popular science articles.


    5 Minutes with Eugene Tawiah

    An excerpt of this Q&A appears in the September/October issue of InfoSecurity Professional magazine. Here is the session in its entirety.

    Eugene Tawiah, CISSP, is a New York City native who turned an "unhealthy obsession" with 2600 into a successful career in information security and compliance. He's been a member of (ISC)2 since November 2013.

    What made you decide to start a security company? And when did you make that decision?

    I've been interested in information security since 1992, when a network administrator introduced me to 2600 meetings in the Citicorp building in Manhattan and a book titled TCP/IP. I met the admin when I volunteered at a local ISP (Dorsai Embassy) and received dial-up access to a Solaris shell account. It was the unknown and the desire to know that fueled my drive.

    It wasn't until that network administrator (Frank Clark) disconnected my connection at home over an IRC disagreement that I saw the power of a network administrator. I wasn't given root access, but I made it my mission to figure out how to gain it. 2600 was the door. I was great at my hobby, and at one point, I developed an unhealthy obsession with it. Unexpectedly, it turned into a career. 

    How did you get your first "big break" in information security?

    Hmm...I owe my 'big break' credit to the media. I co-hosted an online cyber security-focused gray hat 'radio' show called Parse in 1996 at Pseudo Networks in lower Manhattan. A New York Times reporter (Anthony Lappe) said Howard Stern caught the show, and he wanted to see what we were all about. I broke my No. 1 rule at the time, which was "don't talk to the media", and I spoke to the media. That front-page Tech piece led to many more media pieces. The sudden attention from my 15 minutes of fame gave rise to my consulting life and my company, Complex Technologies 1.0.

    So you're a Jersey boy, yes? How long have you lived and worked in the state, and what keeps you there?

    Awww...yeah, Joisey. I'm actually from Queens, NY. I first arrived in New Jersey fresh out of college (2003), where I was invited to join an IT consulting company. I eventually left that company and New Jersey, only to return two years later to start a family.

    New Jersey is a bit slower in pace than New York City: more house for your buck, less pavement and less crowded. I think it was avoiding the crowd and high energy that really did it. I wouldn't mind moving south to Atlanta or North Carolina; however, work keeps me local. It took time to build my book of business, and I'm not sure I have what's needed mentally to start over in another state.

    A lot of members dream of starting a company and are entrepreneurial in spirit. Any tips on what it takes to actually succeed in this business?

    I come across a lot of members who perform services on the side but don't feel it's enough to take the plunge. Having been there myself, I offer a few (non-comprehensive) bits of advice.

    First, have at least six months' to a year's worth of expenses saved, so you won't be stressed during the early days of no income.

    Also, take time to learn the other hats you will be wearing, including:

    • How to sell yourself and your services
    • How to manage a sales team
    • How to manage accounts payable/receivable
    • Hire a virtual assistant so you can manage your time wisely
    • Consult a corporate tax preparer and attorney and have them review your planned corporate structure and any contracts you intend to have your clients sign

    It wasn't until I started consulting full-time that the opportunities and deals started to increase. There's a certain limited ceiling that you hit when you attempt to run a business on the side while holding another full-time job.

    How did you become involved in (ISC)2?

    I've always known about (ISC)2; however, it wasn't until after I obtained my CISSP that I truly became involved with the organization. I now make sure I attend local chapter events and participate in free online events such as the security briefings and various seminars. 

    How important is your CISSP to your career?

    My CISSP is very important to my career, as it is the icing on the cake. I have plenty of experience; however, this well-respected certification adds a layer of validation and credibility that opens doors, starts conversations. 

    What's your favorite security conference, and why?

    So many, yet if I had to pick one, it would be Defcon in Las Vegas each summer. It comes at nowhere near the cost of Black Hat, which usually runs around the same time in the same city. It has plenty of good, vendor-neutral, engaging talks to learn from. You interact with people at all different levels and specialties. There are plenty of other events going on to keep you busy. It's an event for the true information security tech at heart. I first went in 1998, and I've watched it grow, so I may be a bit biased.

    What do you do to reduce stress from work?

    I shop and visit the race track when stressed from work. I tend to look for new electronic gadgets to buy. If it's the weekend, I have a heavy foot when it comes to my car and motorcycle, so I try to visit the race track, where the only things on my mind are my turns and acceleration.

    Where do you see yourself in 10 years?

    I see myself in a CISO role in a large, well-known enterprise or in a fast-growing startup.
