Domain: cccure.org
Stories and comments across the archive that link to cccure.org.
Comments · 5
-
Re:CISSP
-
Re:Which link contains the story of interest?Sometimes it's hard to find the story, isn't it? Maybe that's just to spread the Slashdot effect out a bit.
jeremycec writes " Evidently, nothing's been resolved since 2001 , when this happened the first time. In these Memorandum Opinion and Preliminary Injunction documents from Judge Royce C. Lamberth of the U.S. District Court for Washington, D.C., we see how the court stepped in to pull the plug on a system, which, through its abject lack of due care, left someone's important financial information wide open to attackers. According to the former CIO of the Bureau of Indian Affairs: 'For all practical purposes, we have no security, we have no infrastructure,
... Our entire network has no, firewalls on it. I don't like running a network that can be breached by a high school kid.' So, when the BIA could get no relief through Interior's IT Dept., it went to the courts. Source: Government Computer News " -
Five easy steps.
1. Education - Get educated about what information security is all about, you should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and known what criminals/attackers can do in your organization.
You can get a lot of this from several books and websites, such as Secrets and Lies by Bruce Schneier, the SANS Reading Room, if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus.
2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization)
Tools like those from IBM Tivoli or HP Openview can help here. For security specific vulnerability analyzer, open-source Nessus and eEye's Retina, ISS's Internet Scanner
3. Policy - You need a plan and a document to give you and others guidenance, and this if your infosec policy.
Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security for benchmarks, and SANS Reading Room - Auditing and Assessment, and Site Security Handbook - RFC 2196.
4. Implement -- Using your education, audits and policies you can now implement decent security.
Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.
5. Be vigilant - "Security is a process, not a product" - Bruce Schneier
Now the work begins, up to now it was the fun stuff, now you get to dig in with boring but important tasks such as analyzing log files, maintaining a accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and if you can afford it and it is warranted, external), educating users, and maintaining your security posture. -
Don't abandon biometrics, focus on better systemFacial recognition is not accurate.
The most accurate method right now, and least intrusive is Iris scans.
What you want is to have a False Acceptance Rate and False and False Rejection Rate percentage equal.
For further reading, check out the Open CISSP study guide site section for the Access Control Systems and Methodology CBK section.
-
CISSP & GIACTo paraphrase Bruce Schneier Security is a set of procesess and a means of approach for systems.
I can vouch for the CISSP certification from (isc)2 as reinforcing this view of security. The CISSP is a significant valuator for businesses, who can be confident that candidates with this certification are literate in both technology and business considerations. This certification is exactly that: a CERTIFICATION. It is not a vendor technology program. It can be likened to a CPA designation for auditors and accountants.
The GIAC certifications from SANS are an excellent instruction in the working mechanisms of security technology. The curricula and basis for certification by SANS are under continous revision and are the most current in the industry.
The fact is that the CISSP is currently highly valued by employers as a valid assesment of domain awareness, best-practice assesment and professionalism. To combine this with specific GIAC tracks is a good way to identify formidable security personnel.
CISSP candidacy requires 3-5 years of work experience in one of the 10 domains identified. Additionally, (isc)2 will require a BS in an associated major, beginning in 2003. Studying for this is no piece of cake!
Some resources:http://www.cissp.com/default.html
CISSP Library of Free Study References
The CISSP Open Study Guide