IT Security Certification (Part 2)
A survey by InfoSecurity magazine found that IT professionals’ average salaries overall decreased by 5.5%, while those in IT security increased by 3.1%, which shows that experience in security is a valuable skill.
Furthermore, US Department of Defense (DoD) Directive 8570.1-M requires that every part-time or full-time military member or defense contractor with access to a privileged DoD system be trained and certified through a commercial certification, in order to enhance the Information Assurance (IA) of DoD information, information systems, and networks.
So how important is it to be certified if you want to work in the IT Security field? I would say important.
Being certified displays competency in IT security related terms and concepts. For a hiring manager who has to interview over 100 candidates, a candidate who already speaks the IT security language is a real help.
When looking into certification, you have vendor-neutral and vendor-specific IT security certifications. Below is a list of some of the more popular certifications, grouped by area:
Security+
Requires: 1 Exam
Approximate Cost = $199 ($149 for CompTIA members)
Application Security
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
GIAC Secure Software Programmer – Java (GSSP – JAVA)
GIAC Secure Software Programmer – .NET
These teach the software developer to think like an attacker.
Auditing
ISACA CISA
GIAC Security Audit Essentials
Management
CISSP
CISM
Penetration Testing
CEH
GIAC’s Certified Intrusion Analyst
Certified Penetration Tester (CPT)
Certified Expert Penetration Tester (CEPT)
Wireless
Certified Wireless Security Professional (CWSP)
Windows Security
GIAC Certified Windows Security Administrator (GCWN)
Computer Forensics
CHFI
ACE
EnCe
Foote Partners’ “IT Skills and Certification Pay Index – Q3 2011 edition” indicates that the following security certifications translate into the highest pay premiums:
Certified Information Systems Security Professional (CISSP)
Information Systems Security Engineering Professional (CISSP/ISSEP)
GIAC Secure Software Programmer – .NET
CyberSecurity Forensic Analyst
Certified Information Security Manager (CISM)
Certified Information Systems Auditor (CISA)
Cisco Security Solutions and Design Specialist
GIAC Reverse Engineering Malware (GREM)
GIAC Secure Software Programmer – Java
GIAC Systems and Network Auditor (GSNA)
Information Systems Security Architecture Professional (CISSP/ISSAP)
Security Certified Network Architect
Check Point Certified Master Architect (CCMA)
The Federal System’s Need for a Security Assessment Process, Part 2: Categories of Security Assessments
Security assessments fall into many categories, and an organization’s core competency often dictates which ones management is most interested in conducting. For example, an organization with an external presence may be very interested in how it appears to the outside world and how well it is protecting internal resources from external entities trying to harm it. Another governmental institution, on the other hand, may be more concerned with its internal security posture and controls than with how it appears to the outside world. It may have a pressing need to verify internal access control, password compliance and proper network segmentation rather than which protocols are accessible from the public network. The type of assessment performed usually depends on the organization’s mission as well as its overall security need.
In addition, the availability of suitable security assessment equipment, technical skills and resources within the agency plays a big part. The security assessment categories include the basic security assessment, the in-depth security assessment, the external vulnerability security assessment and the internal vulnerability security assessment.
Whether the assessment is conducted by internal organizational employees or outsourced to an external contractor, the results from each assessment category provide insight into the level of security on network resources. The security assessment categories are defined below.
Basic Security Assessment – The objective of a Basic Security Assessment is to give the agency a fundamental understanding of its security posture as a whole in three key areas: Administrative, Physical and Technical. It is meant to point out possible areas of weakness with a walk through of the facility and a briefing at the end. It is not an in-depth study, rather, a basic first step in protecting information.
In-depth Security Assessment – The In-depth Security Assessment is a comprehensive study of the security of the agency. All policies, procedures, hardware and software configurations, workstations, servers, websites and mail servers are examined. The results are then presented in a written report of the findings. This type of assessment gives the agency a thorough understanding of how well it has complied with FISMA regulations.
External Vulnerability Security Assessment – An External Vulnerability Security Assessment tests the agency’s network from the outside, from a “hacker’s point of view”. The assessor often uses the same tools that external malicious individuals use to try to compromise a network.
Internal Vulnerability Security Assessment – This type of assessment occurs inside the organization’s network. It is essential in understanding how and why hackers, viruses and worms spread so quickly through an organization once a breach has occurred. The results of this assessment can aid in providing additional measures to prevent an incident from spreading to critical areas. The same tools used in the External Vulnerability Security Assessment are often used in the Internal Vulnerability Security Assessment as well for real world simulation and accuracy.
Read the rest here.
Read part 1 here.
Hackademic
June 29-July 1, 2012
Clayton Hall Conference Center
University of Delaware, Newark, DE
http://www.hackademic.info
——————————
Information
——————————
Hackademic is a three-day security conference that aims to bring together the hacking community and members of the academic community in order to learn from each other’s successes and failures.
Hosted by the IEEE Reliability Society, this inaugural event will be held in the Clayton Hall conference facility at the University of Delaware in Newark, DE. Everything about the conference, from the venue to the speakers to the schedule, is structured to facilitate collaboration and information sharing between attendees. Whether you’re an academic researcher looking for ways to transfer your technology into industry, a hacker who wants to present your ideas to an audience of professionals, or someone interested in learning the latest in information security, Hackademic will be a valuable investment of your time and energy.
——————————
CFP
——————————
The IEEE Reliability Society is now soliciting papers for Hackademic, to be held June 29-July 1, 2012, at the Clayton Hall Conference Center at the University of Delaware, in Newark, Delaware.
The first annual Hackademic Conference aims to bridge the gap between information security researchers operating inside academia and independent researchers often referred to as “hackers.” Hackademic exists to facilitate communication and idea sharing by bringing these two communities together in one place. Hackademic will cover the latest security research as well as topics of interest to research professionals.
Specific areas of interest include but are not limited to:
• Hardware analysis
• Virtualization-based security
• Infrastructure and SCADA security
• Attacks and defenses for cloud-based applications
• Exploit mitigation
• Vulnerability discovery techniques
• Novel vulnerabilities and attacks
• Observations from academia
• Technology transfer
• Case studies in security startups
Submissions should include:
• Author/presenter names and bios (limited to 150 words)
• A detailed abstract or outline of your work
Submissions should be entered through the Hackademic EasyChair Submission site:
https://www.easychair.org/conferences/?conf=ha2012
Each submission will be reviewed by at least three independent reviewers and evaluated based on its originality, significance, and clarity.
If Accepted:
A separate 1000 word summary is required with your final submission. This will be published in the Hackademic Conference Magazine to be handed out at the conference. Summaries should be submitted as a Microsoft Word document.
Full papers and/or slides will be made available to attendees after the conference via the Hackademic website. Papers should be submitted as Adobe PDF files and are limited to a maximum length of 6 pages.
Further information on where to submit these items will be communicated upon acceptance.
Important Dates:
CFP closes: Friday, May 11, 2012
Notification of acceptance: Friday, May 25, 2012
Submission of 1000 word summary: Friday, June 8, 2012
Submission of final presentation (to include slides and/or full paper): Thursday, June 28, 2012
——————————
Contact
——————————
info (at) hackademic (dot) info
http://www.hackademic.info
EU-U.S. Joint Statement on Data Protection by European Commission Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson
WASHINGTON, March 19, 2012 /PRNewswire-USNewswire/ — Today’s High Level Conference on Privacy and Protection of Personal Data, held simultaneously in Washington, DC and Brussels with the participation of Vice-President Viviane Reding and Secretary John Bryson, represents an important opportunity to deepen our transatlantic dialogue on commercial data privacy issues. The United States and the European Union clearly share a commitment to promoting the rights of individuals to have their personal data protected and to facilitating interoperability of our commercial data privacy regimes.
The European Union and the United States are global leaders in protecting individual freedoms, including privacy, while at the same time fostering innovation and trade that are so critical to the world economy, notably in the present times. Stronger transatlantic cooperation in the field of data protection will enhance consumer trust and promote the continued growth of the global Internet economy and the evolving digital transatlantic common market. This work will also encourage innovation and entrepreneurship and support the jobs and growth agenda as outlined by President Obama and Presidents Van Rompuy and Barroso at the November 28, 2011 U.S.-EU Summit.
This is a defining moment for global personal data protection and privacy policy and for achieving further interoperability of our systems on a high level of protection. On January 25, 2012, the European Commission adopted legislative proposals to reform and strengthen the fundamental right to data protection and unify the EU’s data protection laws and enforcement rules. On February 23, 2012, the United States released its privacy blueprint, including the Consumer Privacy Bill of Rights. President Obama emphasized the Administration’s commitment to privacy in the U.S., and called for Congress to pass legislation that applies the Consumer Privacy Bill of Rights to commercial sectors not subject to existing Federal data privacy laws and development of enforceable codes of conduct through multistakeholder processes.
Stakeholders in the U.S. are very interested in the ongoing data protection reform in the European Union – notably in the proposal for a “one-stop-shop” and a consistent regulatory level playing field across all EU Member States. Additionally, as expressed in the Obama Administration’s privacy blueprint, the United States is committed to engaging with the European Union and other international partners to increase interoperability in privacy laws and regulations, and to enhance enforcement cooperation. The European Union is following new privacy developments in the United States closely. Both parties are committed to working together and with other international partners to create mutual recognition frameworks that protect privacy. Both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders. Both parties recognize that while regulatory regimes may differ between the U.S. and Europe, the common principles at the heart of both systems, now re-affirmed by the developments in the U.S., provide a basis for advancing their dialogue to resolve shared privacy challenges. This mutual interest shows there is added value for the enhanced EU-U.S. dialogue launched with today’s data protection conference.
We hope to also work with international stakeholders towards a global consensus on how to tackle emerging privacy issues.
In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework. This Framework, which has been in place since 2000, is a useful starting point for further interoperability. Since its inception, over 3,000 companies have self-certified to the Framework to demonstrate their commitment to privacy protection and to facilitate transatlantic trade. The European Commission and the Department of Commerce look forward to continued close U.S.-EU collaboration to ensure the continued operation and progressive updates to this Framework. As the EU and the United States continue to work on significant revisions to their respective privacy frameworks over the next several years, the two sides will endeavor to find mechanisms that will foster the free flow of data across the Atlantic. Both parties are committed to work towards solutions based on non-discrimination and mutual recognition when it comes to personal data protection issues which could serve as frameworks for global interoperability that can promote innovation, the free flow of goods and services, and privacy protection around the world. The EU and the United States remain dedicated to the operation of the Safe Harbor Framework – as well as to our continued cooperation with the Commission to address issues as they arise – as a means to allow companies to transfer data from the EU to the United States, and as a tool to promote transatlantic trade and economic growth.
While this conference was convened to discuss commercial data privacy questions and not issues of exchanges of information related to law enforcement, we note that our Presidents announced at the November 2011 Summit that the U.S. and the EU are determined to finalize negotiations on a comprehensive EU-U.S. data privacy and protection agreement that provides a high level of privacy protection for all individuals and thereby facilitates the exchange of data needed to fight crime and terrorism.
SOURCE: PRNEWSWIRE.com
Security Bulletin: MS12-020 high-risk vulnerability in the RDP (Remote Desktop)
On March 14, 2012, Microsoft released a critical software patch that fixes a very high-risk vulnerability in the RDP (Remote Desktop) service installed on most Windows-based systems. The vulnerability may allow the execution of malicious code by sending a malformed packet to an RDP enabled system.
Security Bulletin: MS12-020
Description: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
Rating: Critical
Action: Reboot Required
The issue became very critical when proof-of-concept exploit code for the MS12-020 RDP vulnerability was leaked. It has been suspected that the leak came from somewhere within Microsoft’s MAPP information-sharing program.
Be sure to move on this quickly, folks…
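A quick way to verify where a Windows host stands with respect to this bulletin, as an added PowerShell check that is not part of the original bulletin: it assumes the fix is reported by Get-HotFix under the KB number the bulletin cites (KB2671387) and that the standard Terminal Server registry keys are present.

```powershell
# Added example (not from the bulletin): report patch state and RDP exposure for this host.
# KB number comes from the bulletin above; registry paths are the standard Terminal Server keys.
$kb = 'KB2671387'

# Get-HotFix lists installed updates; no entry for the KB means the host is still unpatched.
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# fDenyTSConnections = 0 means Remote Desktop connections are allowed, i.e. RDP is reachable.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required before a session
# is established; Microsoft listed enabling NLA as a workaround for MS12-020 (assumption:
# this key exists on Vista and later, where NLA is supported).
$nlaKey = "$tsKey\WinStations\RDP-Tcp"
$nla = Get-ItemProperty -Path $nlaKey -Name UserAuthentication -ErrorAction SilentlyContinue
$nlaRequired = ($null -ne $nla) -and ($nla.UserAuthentication -eq 1)

# Rank the host so a fleet-wide run can be sorted by what to patch first.
$exposure = if ($rdpEnabled -and -not $patched -and -not $nlaRequired) {
    'HIGH: RDP reachable, unpatched, no NLA'
} elseif ($rdpEnabled -and -not $patched) {
    'MEDIUM: RDP reachable, unpatched (NLA on)'
} elseif (-not $patched) {
    'LOW: unpatched but RDP disabled'
} else {
    'OK: patched'
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    KB2671387    = $patched
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    Exposure     = $exposure
}
```

Run it under an elevated prompt locally, or wrap it in Invoke-Command to collect the same object from every RDP-enabled server before deciding patch order.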
SANS Security West 2012 is coming to San Diego, CA
SANS is presenting nine days of training that will take place at our Manchester Grand Hyatt campus, May 10-18. With more than 20 courses offered in security management, IT audit, IT security, and computer forensics, register now to take the training you need!
Security West 2012 will feature the following special evening event:
The Emerging Threat: Panel Discussion with Dr. Eric Cole
Panelists: Krag Brotby, Eric Conrad, Jason Fossen, Jeff Frisk, Bryce Galbraith, Paul Henry, David Hoelzer, Kevin Johnson, Fred Kerby, Rob Lee, Mike Poor, Seth Misenar, Peter Szczepankiewicz, James Shewmaker, Lance Spitzner, John Strand, Chad Tilbury, Josh Wright, Lenny Zeltser
Saturday May 12:
7:15pm – 8:15pm (Discussion focusing on hardware)
8:15pm – 9:15pm (Discussion focusing on software)
For complete training event details please visit: http://www.sans.org/info/101039
*** Save $150 off your registration with referral code: Refer_SecOrb ***
