InfoSecurity Professional Magazine, Sept/Oct 2014


SECURING THE 'LIFEBLOOD OF TECHNOLOGY'

InfoSecurity

PROFESSIONAL

SEPTEMBER/OCTOBER 2014

A Publication for the (ISC)2 Membership

COMMUNITY!

A QUARTER CENTURY OF BUILDING INFORMATION SECURITY CAREERS AND CAMARADERIE

Privacy + Security
Ransomware on the Rise
Tapping into
Threat Intelligence
A 'Colossus' Problem

isc2.org facebook.com/isc2fb twitter.com/ISC2

Las Vegas | October 27–29, 2014


The Venetian and the Palazzo Congress Center

Join us for the McAfee FOCUS 14 Security Conference: Empowering the Connected World, brought to you by Intel Security.
Use promo code FOCUS214 to get $100 off the prevailing rate.
FOCUS 14 will offer a program packed with valuable and timely content on the changing security landscape. Participate in technical deep dives and breakout sessions to help you better manage the security networks within your organization.

Conference Highlights


75+ technical breakout sessions: Learn about the latest security innovations from McAfee technical experts, our customers, partners, and other like-minded professionals.

Visit http://mcaf.ee/focus to learn more

www.McAfee.com/FOCUS14
Follow us at #McAfeeFOCUS

Keynotes: Hear from Condoleezza Rice, US Secretary of State 2005–2009, and other McAfee senior executives.

Networking: Engage with some of the best minds in the industry: IT managers and executives, McAfee Labs researchers, and product specialists.
Other conference highlights: Benefit from Targeted Group Meetings, a partner expo, CPE credit and training opportunities, a private concert by Def Leppard on the final evening, and much more.

Contents

VOLUME 7 ISSUE 5

DEPARTMENTS
4 EDITOR'S NOTE: Then and Now. BY ANNE SAITA
EXECUTIVE LETTER: Coming Down Harder On Software. BY VEHBI TASAR
FIELD NOTES: More ways to learn the language of privacy; (ISC)2 Colombia Chapter; Asia-Pacific Information Security Leadership Achievement recipients; this year's (ISC)2 Foundation scholarship recipients
14 MODERATOR'S CORNER: Let's Share. BY BRANDON DUNLAP
35 GIVING CORNER: Living the Scholar's Life. BY JULIE PEELER
37 2020 VISION: A cybersecurity instructor asks if it's time to start viewing risk differently.
4 AD INDEX

FEATURES
16 PROFESSIONAL DEVELOPMENT: The InfoSec Professional: 25 Years in the Making. As (ISC)2 celebrates its silver anniversary, we look at what has happened since its first credential, the CISSP, was introduced. BY ANNE SAITA
20 MALWARE: Data Held Hostage. Despite recent efforts to disrupt malware developers using extortion for financial gain, ransomware is on the rise. BY TOM TOLLERTON
25 RISK MANAGEMENT: Getting 'Left of the Hack'. It's easy to become so focused on what's happening inside your network that you neglect the outside actors that may be preying on your weaknesses. Learn how to know thy enemy better. BY RANDY BORUM
30 DATA SECURITY: Keeping Big Data Within Your Control. Learn how to best manage the risks and rewards of the vast amounts of data being generated as the information economy accelerates. BY COLLEEN FRYE

Finding it increasingly hard to handle big data security? PAGE 30

Cover Image by JOHN KUCZALA
Illustration (above) by PETER AND MARIA HOEY

InfoSecurity Professional is published by Twirling Tiger Press Incorporated, 7 Jeffrey Road, Franklin, MA 02038. Contact by email: [email protected]. The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2 on the issues discussed as of the date of publication. No part of this document, print or digital, may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual products and companies mentioned herein may be the trademarks of their respective owners. For subscription information, please visit www.isc2.org. To obtain permission to reprint materials, please email [email protected]. To request advertising information, please email [email protected]. © 2014 (ISC)2 Incorporated. All rights reserved.

3 InfoSecurity Professional September/October 2014


Editor's Note

OPPORTUNITIES TO 'SPREAD THE WORD'

TWENTY-FIVE YEARS AGO, I was a young mother teaching Eskimos and Aleuts, among many others, on an Alaskan island. Little did I know, thousands of miles away, a consortium was convening to help shape an industry. That group, of course, would become (ISC)2.
The information security professional of today has far different duties and expectations than the one recruited into the field in the late 1980s and early 1990s, before widespread adoption of the personal computer and the World Wide Web. Today's information security professional not only must manage the growing risks arising from the latest technologies, but keep up with privacy rules and regulations, and speak the business language.
Today's practitioners also are evangelists, helping to spread the word on privacy and security best practices. Each October provides an opportunity to better educate our communities as part of National Cyber Security Awareness Month (NCSAM). The now-international movement is widely embraced at (ISC)2.
You'll no doubt be seeing more consumer- and industry-specific articles, blog posts, podcasts, and videos featuring (ISC)2 leaders and members during NCSAM. We're kicking off NCSAM at our annual Security Congress event. Each week during the month of October, we'll distribute a list of cybersecurity awareness tips for children, parents, seniors, homeowners, CEOs, and software developers.
I'll be attending ASIS 2014/(ISC)2 Security Congress in Atlanta this month and hope to meet some of you in person. Thank you all for doing your part to keep us all a little safer.
ANNE SAITA [email protected]

Anne Saita, editor-in-chief, lives and works in Southern California. Photo: Rob Andrew Photography.

ADVERTISER INDEX

For information about advertising in this publication, please contact Tim Garon at [email protected].
McAfee................................................................... 2

Trend Micro..........................................................24

Security Compass................................................ 5

Promisec...............................................................29

Walden University................................................ 7

Guidance Software.............................................32

Bit9...........................................................................9

Symantec..............................................................38

Microsoft............................................................... 11

(ISC)2. ...................................................................39

Capella University...............................................15

CA Technologies................................................ 40

(ISC)2. ....................................................................21


(ISC)2 MANAGEMENT TEAM


EXECUTIVE PUBLISHER
Elise Yacobellis
727-785-0189 x4088
[email protected]
DIRECTOR, MEMBERSHIP
RELATIONS AND SERVICES
Erich Kron, CISSP-ISSAP
727-785-0189 x4070
[email protected]
SENIOR MANAGER OF
MEMBERSHIP MARKETING
AND MEDIA SERVICES
Jessica Smith
727-785-0189 x4063
[email protected]
PUBLISHER
Timothy Garon
508-529-6103
[email protected]
MANAGER, GLOBAL
COMMUNICATIONS
Amanda D'Alessandro
727-785-0189 x4021
[email protected]
MEMBERSHIP MEDIA
SERVICES ASSISTANT
Michelle Fuhrmann
727-785-0189 x4055
[email protected]
SALES TEAM
EVENTS SALES MANAGER
Jennifer Hunt
781-685-4667 [email protected]
REGIONAL SALES MANAGER
Lisa O'Connell
781-460-2105
[email protected]
EDITORIAL ADVISORY BOARD
Elise Yacobellis (ISC)2
Erich Kron (ISC)2
Javvad Malik EMEA
J.J. Thompson U.S.A.
Carlos Canoto South America
Dr. Meng-Chow Kang Asia
TWIRLING TIGER PRESS INC.
EDITORIAL TEAM
EDITOR-IN-CHIEF
Anne Saita
[email protected]
ART DIRECTOR & PRODUCTION
Maureen Joyce
[email protected]
MANAGING EDITORS
Deborah Johnson
Lee Polevoi

www.twirlingtigerpress.com

Do you have the training & skills to hack Security Compass's Battle Room?

Battle School is an interactive and competitive program designed to teach you about the physical and technical attacks one could attempt on a company's security system. These challenges will prepare and train you to compete in the battle room hack, if you dare try.
There are four divisions (physical, web, network, and mobile) to test your ability and knowledge of security hacking. After successfully completing the four challenges you will raise your chances of conquering the battle room.

PHYSICAL DIVISION
Learn how to hack physical infrastructures such as door locks, key pads, and logic circuits.

WEB DIVISION
Gain an understanding of common website vulnerabilities, and common phishing and social engineering tactics that attackers use to try and steal user information.

NETWORK DIVISION
Learn about different DDoS attack vectors by having access to a monitoring system; choose an appropriate DDoS attack in order to overwhelm that particular monitor.

MOBILE DIVISION
Through different examples you will learn how an NFC enabled phone can be leveraged and how to stay protected.

BATTLE ROOM
After gaining skills from the four divisions, you will be able to attempt a hack on the battle room - a safe environment to test your skills.

Experience the Battle School at (ISC)2 Security Congress 2014

www.securitycompass.com

THE LATEST FROM (ISC)2'S LEADERSHIP

EXECUTIVE LETTER: VEHBI TASAR

A MORE APP WAY TO SECURE SOFTWARE

SOFTWARE IS THE lifeblood of technology. Regardless of where we live and in which industry we work, the devices, tools, and environments we rely on daily all function because of the embedded code programmed into a product.
Flawed, maliciously manipulated software is nothing new, but the din from dissatisfied customers is growing louder with each massive security breach making headlines. So is the growing influence of (ISC)2's Application Security Advisory Council (ASAC) (https://www.isc2.org/ASAC/default.aspx), whose members are committed to embedding security throughout the entire software development lifecycle.
In 2010, the council (then a board) was comprised of people from large companies who were asked to evangelize secure software within their companies. But with the advent of the Internet of Things, even the smallest vendors now can have a huge impact.
So we've expanded the ASAC to include more people with a passion for secure software assurance. That includes people like Mikko Varpiola, a security researcher who is an expert on fuzz testing, a technique that is commonly used to test for security problems in software.
Leading the ASAC is (ISC)2 Sacramento Chapter Co-Founder and President Tony Vargas, CSSLP, CISSP-ISSAP. Tony was instrumental in creating a large developer security awareness program at Cisco Systems. Tony has also taught thousands of school children, parents, and teachers about Internet security through the (ISC)2 Foundation's Safe and Secure Online program.
The council's work touches every area and is woven into every one of (ISC)2's certifications (not just the CSSLP), which means the ASAC is working for all members who create, purchase, use, and sell products and services that run on software.
The list of council members continues to grow as we recruit more people, particularly from Asia and EMEA. ASAC members will promote a culture that values security as a core requirement of software among technology consumers and producers through industry partnerships and advocacy via presentations, white papers, blog posts, articles, and video interviews.
We hope this multimedia approach convinces more companies to stop ignoring security essentials during the software development process just because they are unaware of the requirements and techniques of building security into software. This makes life more difficult when exploited software vulnerabilities lead to stolen identities, fraud, job losses, and severe financial hardships.
Our ultimate goal is to make life easier and safer for everyone. People think they can solve security problems with compliance by setting up predefined rules and then following them rigidly. That reduces the risks of breaches, but it doesn't eliminate them.
I believe secure software will be a reality. We just need to help those with the power and influence to make it happen. That's what your fellow members on the (ISC)2 Application Software Advisory Council are here to do.

Vehbi Tasar is Director of Professional Programs Development. He can be reached at [email protected].


This is the unemployment rate in the field of cyber security.

Answer the Call for Cyber Security Experts With an IT Degree From Walden.

Doctor of Information Technology (D.I.T.)
M.S. in Information Technology
B.S. in Computer Information Systems
And more

Offering specializations such as Cyber Security, Health Informatics, and Software Engineering, our degree programs can give you the skills you need to join the field.

Visit us at Booth #4951 at (ISC)2 Security Congress 2014 in Atlanta, Sept. 29–Oct. 2!

Recognized Quality

Get Credit for Your Professional Certifications.
Certified Information Systems Security Professional (CISSP)
ISACA Certified Information Security Manager (CISM)
Project Management Professional (PMP)

Explore our programs at WaldenU.edu/cybersecurity.

*Source: International Information Systems Security Certification Consortium, 2013 Global Information Security Workforce Study. Available online at https://www.isc2.org/GISWSRSA2013.

FIELD NOTES

EDITED BY ANNE SAITA

A ROUNDUP OF WHAT'S HAPPENING IN (ISC)2 COMMUNITIES

MORE PRIVACY EDUCATION OPPORTUNITIES FOR MEMBERS

(ISC)2 and IAPP form an alliance to bring more privacy resources and services to the collective membership

(ISC)2 and the International Association of Privacy Professionals (IAPP) are forming an alliance to foster a global mission that will resonate with professionals in both the privacy and information security realms. While there are similarities between (ISC)2 and IAPP, the differences weigh in as pluses for members of both organizations.
"The (ISC)2 and IAPP alliance is a dynamic meeting of the minds," says (ISC)2 Executive Director W. Hord Tipton, CISSP. "Along with our shared principles and understanding of our organizations globally, this collaboration will provide added resources and services for our collective members, as well as information security and privacy professionals worldwide."
The alliance between (ISC)2 and IAPP will yield enhanced benefits for members of both organizations, including webinars, jointly hosted events for chapters, and continuing professional education. The relationship will kick off with a joint panel on the convergence of privacy and security at the IAPP conference in March 2015.
Founded in 2000 and headquartered in Portsmouth, N.H., the IAPP is a not-for-profit association with members in 83 countries. The IAPP helps define, support and improve the privacy profession through networking, education and certification. As the largest global information privacy community and resource, IAPP helps practitioners develop and advance their careers and organizations manage and protect their data.
IAPP developed and launched the first broad-based credentialing program in information privacy, the Certified Information Privacy Professional (CIPP), and the Certified Information Privacy Manager (CIPM), the first and only global certification program in privacy program management. The Certified Information Privacy Technologist (CIPT) is also the first and only certification of its kind worldwide. The CIPT is designed for technology professionals so that they can secure data privacy at all stages of IT product and service lifecycles.
The CIPP, CIPM and CIPT are the leading privacy certifications for thousands of professionals around the world who serve the data protection, information auditing, information security, and legal compliance and/or risk management needs of their organizations. Similar to (ISC)2, IAPP offers a full suite of educational and professional development services and holds annual conferences that are recognized internationally as the leading forums for privacy policy and practice.
"Through this alliance between IAPP and (ISC)2, we will be able to provide a broad spectrum approach to our educational and professional development services and expand our reach on issues related to privacy and information security policies and practices," says Trevor Hughes, IAPP President and CEO.


MEMBER SPOTLIGHT ON WILLIAM NANA FABU

William Nana Fabu, CISSP, came to the United States in 2004 from his native Cameroon, Africa and now works in information security for the financial sector. Working in the U.S.A. in a heavily regulated industry has led him to pay more attention to the weak state of security in Africa, which he says is in an embryonic state at best.

What drew you to the information security profession?

After working as a banking systems integrator and MIS officer for many years in Africa, when I joined the workforce in the U.S., I was ready to explore a challenging and relatively new field in the IT world. Information security was a great choice for me. I was lucky to be offered a job in the identity and access management field and later in the firewall team. I really enjoyed the challenges and rapid changes of the field, and I still do today.

How would you describe the state of information security in your homeland?

It gives me shivers to think there's no tangible information security program in Cameroon or personnel to put in place some kind of rudimentary security structure. Fortunately, (CONTINUED ON PAGE 10)


FIELD NOTES

GLOBAL SPOTLIGHT: (ISC)2 COLOMBIA CHAPTER

MEMBERS SEE STRONG INTEREST IN CHILD INTERNET SAFETY

THE BOGOTA-BASED (ISC)2 Colombia Chapter, which serves members throughout the country, celebrated its first anniversary on July 30, 2013. The Chapter formed to promote the interest, awareness and training on issues related to information security and ongoing development of professionals working in Colombia.
The Chapter offers members the opportunity to grow professionally, learn new concepts, best practices and technologies, and work in different environments. Colombian Chapter members have the ultimate aim of providing their knowledge and experience in information security to support the Colombian government with programs for the community at large. At present, there are 27 members, with plans to add at least one member a month.
The Chapter has sponsored several events on topics such as challenges in digital investigations; the evolution in security for payment devices; and the new version of the ISO 27001 standard.
On May 29, the Colombia Chapter hosted an event, Building a Secure Digital Environment for Colombian Children, sponsored by BBVA and Symantec. The event promoted ways for children to protect themselves while they use the Internet. The main speaker was Col. Freddy Bautista, who heads Cybercrime of the Colombian National Police. Other speakers included a Ministry of Information and Telecommunications official, an expert in computer law, and a representative from an association dedicated to child protection.
The topic and keynotes proved a popular subject, with the event drawing 130 attendees.
Through its efforts to build a local chapter and gain recognition in the community, Chapter leadership now plans to host monthly conferences and semi-annual events regarding security and privacy.

(ISC)2 COLOMBIA CHAPTER CONTACT INFORMATION
CONTACT: William Halaby, president
EMAIL: [email protected] or [email protected]
WEBSITE: http://isc2capitulocolombia.org
MEMBER SPOTLIGHT, CONTINUED FROM PAGE 9

we are seeing more partnerships between U.S. companies and their counterparts across Africa through the wonderful tool that is the Internet. But much more is needed to build secure systems, and now.

What impact does this lack of attention in developing countries have on a global scale?

We (the developed countries) look for the best systems, the best algorithms, the best technicians, and the best programs to make sure that our security bastion can stand the most challenging attack. But on the other side of the equation is the fast growth of bad guys operating outside our walled-up communities. We don't yet fully grasp the sophisticated threats that exploit the weakest link of our global security model: less developed countries.

What do you suggest be done?

I know we have a shortage of information security professionals within our bastion, but we need to spread the security culture and awareness beyond our own borders and create more ambassadors worldwide to empower those with weak or no information security training. Members of (ISC)2 have the resources to share this knowledge. We have the tools to train. We have the tools to build security solutions.
Everything starts with awareness campaigns, followed by training programs that a capable team of professionals need to fight the bad guys before they've perfected their damaging techniques and tactics.


ACKNOWLEDGING LEADERSHIP ACHIEVEMENT IN ASIA-PACIFIC REGION

CONGRATULATIONS TO THIS year's (ISC)2 Asia-Pacific Information Security Leadership Achievement recipients, who were honored at a recent gala in Beijing, China. You can learn more details about each honoree and showcased project at www.isc2.org/isla.

Senior Information Security Professional Category Showcased Honoree: Dr. Daisuke Inoue, Director of Cybersecurity Laboratory, Network Security Research Institute, National Institute of Information and Communications Technology (Japan). Showcased Project: DAEDALUS: Novel Alert System based on Large-scale Darknet Monitoring

Senior Information Security Professional Category Showcased Honoree: Hae-Sul Choi, CEO, WATCH I SYSTEM INC. Showcased Project: Contribution to Convergence Managed Threat Defense System for Korea Army Cyber Security (South Korea)

Information Security Practitioner Category Showcased Honoree: Anan Sony, CISSP, CISA, ITIL Expert, manager (Consulting Service Department), ACIS Professional Center Co., Ltd. (Thailand). Showcased Project: Internet Banking and Mobile Banking Security Assessment

Managerial Professional for an Information Security Project Category Showcased Honoree: Lal Dias, MBA, MBCS, CITP, chief executive officer, Sri Lanka Computer Emergency Readiness Team, Coordination Centre (Sri Lanka). Showcased Project: Establishment of Bank CSIRT (Computer Security Incident Response Team) in Sri Lanka

2014 Community Service Star: Dr. Yuejin Du, Director, National Engineering Lab for Cyber Security Emergency Response Technology (China). Community Service Star Project: Cyber Security Public Education Program

For 2025, 4.75 billion people online, with 3.75 billion from emerging economies, could lead to three different global scenarios.
Microsoft's Cyberspace 2025: Today's Decisions, Tomorrow's Terrain looks over the horizon, beyond technical trends, and attempts to anticipate future catalysts for change and equip policy makers for tomorrow's digital landscape.

Download the scenarios that will forecast a global PEAK, PLATEAU, or CANYON for innovation at Cyberspace2025.com


FIELD NOTES

(ISC)2 WOMEN POWER UP IN SC MAGAZINE LIST

(ISC)2 Board member Jennifer Minella (right), and Application Security Advisory Council member Katie Moussouris (below), are among the women listed in SC Magazine's 10 Women in Security Power Players.
Minella is VP of engineering at Carolina Advanced Digital and, according to the magazine, one of four principals helping drive business strategy and execution of initiatives ranging from engineering to marketing and communications.
Moussouris is the chief policy officer of HackerOne, which helps clients with responsible disclosure of vulnerabilities. She told the magazine that she works toward the public good to legitimize and promote security research to help make the Internet safer for everyone.
Recognized for their long-term contributions to IT security, the two women are joined by honorees Becky Bace, Lisa Foreman, Stacey Halota, Kristin Lovejoy, Samara Moore, Wendy Nather, Hemma Prafullchandra, and Patricia Titus.

CPEs

When submitting CPEs for (ISC)2's InfoSecurity Professional magazine, please choose the CPE Type: (ISC)2's InfoSecurity Professional Magazine Quiz (Group A Only), which will automatically assign 2 Group A CPEs.
https://live.blueskybroadcast.com/bsb/client/CL_DEFAULT.asp?Client=411114&PCAT=7777&CAT=8883

TOASTING TOGETHER

We've been celebrating (ISC)2's silver anniversary with member and chapter receptions and conferences all around the globe. If you plan to attend our fourth annual Security Congress in Atlanta, come celebrate with us at a special member reception that starts at 6 p.m. on Tuesday, Sept. 30, at the Omni Hotel (next to the convention center). Enjoy beer tastings from local breweries, games, lots of food and the chance to get to know some of the 600 other (ISC)2 members and staff who are expected to attend.

"One thing we know for sure: security always comes with a price. It is either privacy, or, most of the time, usability. And it seems that nobody is voluntarily willing to pay this price."
SORIN MUSTACA, CSSLP, Product Manager for Avira, from his (ISC)2 blog post "Why We Continue to Fail on Cybersecurity"

2014 (ISC)2 CYBER SECURITY SCHOLARS

WORKING TO FILL THE GAPS IN CYBER SECURITY EDUCATION

CONGRATULATIONS to this year's (ISC)2 Foundation Cyber Security Scholars! Here's a list of recipients for the Women's, Graduate, and Undergraduate Scholarships. Kudos also to those who earned a Faculty Certification Exam Voucher. To learn more about the Cyber Security student scholars, turn to pages 35-36.
Scholarship Awarded | Name | Country of Birth | Institution Enrolled
Women's | M. Alexis Greenidge | U.S.A. | American Intercontinental University
Women's | Sreedevi Sreekandan | India | University of Texas, San Antonio
Women's | Shruti Gupta | India | Purdue University
Graduate | Scott Ruoti | U.S.A. | Brigham Young University
Graduate | Mark O'Neill | U.S.A. | Brigham Young University
Graduate | Anna Truss | Turkmenistan | Excelsior College
Graduate | Lokesh Pidawekar | India | Northeastern University
Graduate | Chunyue Du | China | Carnegie Mellon University
Graduate | Cheryl Devaney | U.S.A. | Duquesne University
Graduate | Pratibha Dohare | India | Carnegie Mellon University
Undergraduate | Saradha Kannan | India | Lewis University
Undergraduate | Christopher Goes | U.S.A. | University of Idaho
Undergraduate | Kyle Murbach | U.S.A. | Rochester Institute of Technology
Undergraduate | Lassine Cherif | Ivory Coast | University of the District of Columbia
Undergraduate | Dulce Gonzalez | Mexico | Governors State University
Undergraduate | Robin Saunders | U.S.A. | River Valley Community College
Undergraduate | Katherine McGinn | U.S.A. | University of Maryland University College
Undergraduate | Fumi Honda | U.S.A. | Stony Brook University
Undergraduate | Rose Reinlib | U.S.A. | University of North Carolina at Charlotte
Undergraduate | Yue Zhu | China | University of Connecticut
Undergraduate | Samantha Houston | U.S.A. | Sam Houston State University
Undergraduate | Patrick Katamba | Uganda | London Metropolitan University
Faculty Exam Voucher | Eamon Doherty | U.S.A. | Fairleigh Dickinson University
Faculty Exam Voucher | Mohamed Kazi | United Kingdom | Higher Colleges of Technology
Faculty Exam Voucher | Louay Karadsheh | Kuwait | ECPI University
Faculty Exam Voucher | Tahir Abbas | Pakistan | Lahore School of Accountancy and Finance
Faculty Exam Voucher | Rizwan Ahmad | Pakistan | Manukau Institute of Technology
Faculty Exam Voucher | Helio DeCastro | Sao Tome and Principe | ITT-Technical Institute
Faculty Exam Voucher | Diane Murphy | United Kingdom | Marymount University
Faculty Exam Voucher | Timothy Perez | U.S.A. | Brandman University
Faculty Exam Voucher | Vivek Gupta | India | Surendera Group of Institutions, Sri Ganganagar
Faculty Exam Voucher | Donna Schaeffer | U.S.A. | Marymount University
Faculty Exam Voucher | Trevor Chandler | U.S.A. | Houston Community College


TEACHABLE MOMENTS FROM (ISC)2 SECURE WEBINARS AND EVENTS

MODERATOR'S CORNER: BRANDON DUNLAP

NEW OPPORTUNITIES FOR INFORMATION SHARING

PERHAPS THE BIGGEST benefit of being part of the (ISC)2 community is the information sharing that takes place, both formally and informally. Whether it is through the ThinkT@nk roundtables and other Security Leadership Series sessions or through the hallway track at industry events, we are a community of professionals coming together to elevate the state of the art.
Over the summer months, we have discussed new ways of sharing information among the professional community and new ways to extend that sharing outside of our community. To that end, we are piloting a couple of ideas through the end of the year.
First up, in support of (ISC)2's newest credentials, we are introducing a new webinar series, From the Trenches. During this one-hour panel, we will have frank discussions with practitioners on topics pertaining to forensics and healthcare, providing specific learning opportunities in support of the Certified Cyber Forensics Professional (CCFP℠) and Healthcare Information Security and Privacy Professional (HCISPP℠) credentials.
If you, the member community, find value in these credential-specific sessions, then we will kick off 2015 in earnest by adding these to our educational calendar. As always, we look for your honest feedback on both of these exciting new tracks as they develop over the next quarter.
Our second pilot offering is a bit unique. Realizing that busy security professionals can't always attend one-hour webinars but would still benefit from panelists' valuable insights, we will condense these sessions into short summaries, available on the (ISC)2 website. Maybe you'll choose to read the summaries to catch the highlights, then listen to the webcast archive to hear the whole conversation. Or perhaps you'll attend the live webinar, then grab the summary to share with your boss and colleagues. Either way, this provides a useful reference for learning, as well as a vehicle for further sharing.
Of course, in order to earn the CPE credits, you still must attend webinars or live events. My hope is that you'll find this a useful service worth continuing.
As your host and moderator for these events, I am always on the lookout for new ways to add value to your membership and the profession as a whole. To better serve your needs, I encourage you to reach out and let me know what you think of these two ideas.
Until next time, I look forward to continuing the conversation.

Brandon Dunlap is Managing Director of Research for Seattle-based Brightfly. He can be reached at [email protected].

14 InfoSecurity Professional September/October 2014


PROFESSIONAL DEVELOPMENT

SECURITY + PRIVACY = FUTURE SUCCESS
TOMORROW'S PROFESSIONALS WILL BRIDGE TWO FIELDS THAT MOST COMPANIES AND CONSUMERS ALREADY BELIEVE ARE THE SAME
BY ANNE SAITA

Learn more about how members will benefit from a new partnership between (ISC)2 and IAPP on page 8.

Photograph: Snvv/iStock

WHEN W. HORD TIPTON became CIO of the U.S. Department of the Interior in December 2001, the security staff worked on one floor, and the privacy folks were on another. Another 11 specialists were scattered between the two.
"They basically never talked to each other," recalls Tipton, executive director of (ISC)2 for the past six years.
Tipton knew such a siloed setup could slow improvements to both data protection and staff members' professional growth, so he pushed for more collaboration and dual-disciplinary teams. By the time he left the Department of the Interior more than five years later, the security and privacy staff members were working as one unit.
Such a convergence is now happening on a more global scale as governments, consumers, and companies demand much more from those specializing in privacy, and in general and industry-specific security.
"It's incredibly clear that data in the information economy and emerging technologies are driving not only new and wonderful things for society, but also risks we hadn't expected or understood previously," says Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP).


TODAY'S INFORMATION SECURITY PROFESSIONAL

25 YEARS IN THE MAKING
(ISC)2's new partnership with IAPP is the latest alliance to best prepare members for the information security challenges ahead, just as its founders envisioned.

Number of CISSPs around the world
Year 1989: 0 (the first exam wasn't administered until 1994)
Year 2010: 68,978
Year 2014*: 94,437
*as of 7/31/14

Information security professionals by gender
11% female
89% male
SOURCE: (ISC)2 Foundation Report "Agents of Change: Women in the Information Security Profession"

4,612
That's how many CISSP exams took place in December 2010, the deadline for DoD 8570, which required U.S. federal government employees, contractors and vendors involved in information assurance to be certified in information security. The mandate was first introduced in 2007.

CSSLP
Named one of the hottest security certifications in 2014 by InfoWorld magazine, with a 40 percent growth in premium pay during the past 12 months. It also tied for second-highest paying IT security certification, according to IT research firm Foote Partners, LLC.


"Many of those risks fall under broad titles of privacy and security," he continues. "We frequently use the terms interchangeably, but there is a distinction between the two fields."
Indeed, security is a technology-driven field, while privacy relies heavily on law, policy, and compliance. But to succeed and move up the career ladder, those working in either profession must become proficient, if not fluent, in both worlds to provide appropriate risk mitigation in the era of cloud computing, big data, and the Internet of Everything.
As a result, (ISC)2 members seeking certifications or renewing their certs will soon find more materials on the privacy side of data security. The newest version of the CISSP coursework and exam (coming out in Q1 2015), for instance, will include more depth in privacy.
"It's not that we try to make a privacy professional out of the CISSP, but they must have a platform of basics to understand what they need to know in privacy. And they can go deeper in that if they choose," Tipton said.
Nowhere is the merge more apparent than in one of (ISC)2's newest credential programs, the HealthCare Information Security and Privacy Professional (HCISPP), which gives equal weight to security, privacy, and risk.
And, according to Tipton, nowhere is reassurance more necessary than in patient medical privacy, where research indicates hundreds of thousands, if not millions, of people with terminal or life-threatening illnesses, particularly cancer and HIV/AIDS, refuse to see a doctor for fear their confidential health data will be exposed.
"This loss of trust from the public is something that we've got to turn around," he says. "If people do not trust us because of the risks that we take and ensuing breaches, or the lack of due diligence or due care of their data, then no solution is going to work."
Eventually, he'd like to see certifications of completion for privacy and security programs grace healthcare facilities' walls the way college diplomas do. "We need to press the point that our healthcare facilities should be as proud of having people in their offices qualified in privacy and security, so their patients are assured they've invested in training people in this very important aspect."
Organizations must also consider the penalties for failing to educate their IT staff continually in data security and data privacy.

"We want data to do amazing things for us, and it can, but it will create enormous risks for organizations and disasters for individuals if we don't do it properly," Hughes says.
He adds that lack of resources is no excuse.
"Nobody has enough time or enough budget, but the reality is the march of technology will not slow," he says. "So either you as an individual in your career or within your organization will fall behind, if not suffer significantly, if you are not staying ahead of these things."
It's also a matter of survival.
"We stand to gain enormously as a society with the information economy that we see before us," Hughes says. Innovations such as cloud computing, big data, and the growth of smart devices and wearable computing hold great promise to improve lives.
"However, that potential will not be realized unless we get information security and information privacy right," he says. "Consumers will not adopt technologies if they don't trust them. They will not embrace companies if they don't trust them and have confidence they will do the right things with their data."
Both Hughes and Tipton believe those who study and understand both information security and information privacy will not only build consumer trust but also extract the greatest value from promising innovations.
"I think security professionals, if they are to succeed, maintain, or move ahead, cannot do their jobs without enhanced knowledge of privacy," Tipton says. "They will come up short if they don't broaden their education in the privacy arena, given that it's risen to be such a hot topic in the world in which we now live."
ANNE SAITA is editor-in-chief of InfoSecurity Professional.


TODAY'S INFORMATION SECURITY PROFESSIONAL

Study This

Year 2004*
*First (ISC)2 Global Information Security Workforce Study conducted and published
Profile of 5,371 respondents:
Carry a variety of titles, including security consultant, security manager, director of security, and chief information security officer, with the majority of respondents being male
Possess an average of 13 years of general IT experience, along with an average of 7 years of security experience
Hold multiple security-related certifications, including one vendor-neutral and one or more vendor-specific certifications
Receive an average of 10 days of information security-related training each year

Year 2013*
*Latest GISW Study
Profile of 12,396 respondents:
More than 80 percent had no change in employer or employment in the past year
Number of professionals expected to grow by more than 11 percent annually over the next five years
Fifty-six percent believe there is a workforce shortage, compared to two percent that believe there is a surplus
Broad understanding of the security field was the #1 factor in contributing to career success, followed by communication skills
Nearly 70 percent view certification as a reliable indicator of competency

Global Reach
(ISC)2 members now live and work in 169 countries. More than 87,000 of the 100,000+ members are located in the following 10 countries:
United States: 64,655
United Kingdom: 4,987
Canada: 4,473
Republic of Korea: 3,551
Australia: 1,778
Netherlands: 1,698
India: 1,698
Hong Kong: 1,441
Japan: 1,436
Germany: 1,344

(ISC)2 credentials an IT professional is likely to have in 2014
Certified Information Systems Security Professional (CISSP). Established: 1994
Systems Security Certified Practitioner (SSCP). Established: 2001
Information Systems Security Architecture Professional (CISSP-ISSAP). Established: 2003
Information Systems Security Engineering Professional (CISSP-ISSEP). Established: 2003
Information Systems Security Management Professional (CISSP-ISSMP). Established: 2003
Certified Authorization Professional (CAP). Established: 2005
Certified Secure Software Lifecycle Professional (CSSLP). Established: 2008
Certified Cyber Forensics Professional (CCFP). Established: 2013
HealthCare Information Security and Privacy Practitioner (HCISPP). Established: 2013

MALWARE

DATA HELD HOSTAGE
BY TOM TOLLERTON
Despite recent efforts to disrupt malware developers from using extortion for financial gain, ransomware is on the rise

ON JUNE 2, 2014, the United States Department of Justice announced that a covert public-private initiative dubbed Operation Tovar had disrupted criminal activities emanating from the Gameover ZeuS botnet.
At the time, Gameover included as many as 1 million compromised Windows machines. It served as a platform for malicious activity, including command and control (C&C) servers for Cryptolocker, the notorious malware that employs strong encryption to prevent users from accessing important files until they pay a ransom.
Operation Tovar demonstrates that law enforcement, intelligence agencies, and private sector experts are sharing information about very real threats to consumers and working together to reduce cybercrime.
But security professionals can neither boast, nor even assume, that disabling a single botnet infrastructure has eradicated the threat. It merely buys time and helps reduce risks until the next threat emerges. And in the case of ransomware like Cryptolocker, the momentum remains on cybercriminals' side.

ILLUSTRATION BY ENRICO VARRASSO



Hostage-Taking 101

Ransomware is not a new concept, but in the past year, new variants of the malware that can hold your data hostage have established themselves as lucrative alternatives to more traditional means of stealing financial data and passwords.
The premise is simple. A user opens an infected email attachment, and the malicious software installs itself on the victim's computer and silently encrypts valuable files. Once encryption is completed, users are informed of the encryption and receive specific instructions for paying a ransom in order to receive the key to decrypt the files.
The ransom for restoring full access to systems and data is currently only a few hundred dollars per infected computer, which makes restoration within reach for almost all users or companies whose computers are compromised.
The low payment, combined with the ease of deployment and high infection rate, has resulted in an extremely attractive revenue stream for cybercriminals.
One of the unique characteristics separating ransomware from other forms of malicious software, like spyware and credential-stealing Trojans, is the intentional interaction between the attacker and the victim. More traditional forms of malware are typically designed to maintain a fully silent existence, forcing us to rely almost exclusively upon our antivirus software and system configurations to alert us to successful infection.
Ransomware, on the other hand, specifically demands the attention of the system's user in order to achieve the attacker's objective.
A large window or wallpaper is splashed in front of the user explaining how the user's data has been locked. To fuel user anxieties, count-down timers embedded in the pop-up window slowly tick their way down to zero, while canned text warns users that their files will be forever unrecoverable unless they deposit a sum of money before the timer expires into an account belonging to the attacker.
This threat is not limited to consumers' personal computers.
Business computers represent even more valuable targets to attackers, as the data stored on corporate computer systems are likely critical to the operation of the organization. Also, a network of computers presents additional potential targets.
There have been breach response cases where Cryptolocker or a newer variant, Cryptowall, has ignored the files on the user's local hard drive and immediately scanned and began encrypting files on mapped network file shares.
Some well-known anti-malware solutions fail to discover the malware prior to infection, and attempts to clean a system after infection can often be incomplete. Crypto-ransomware is known to create multiple processes on a Windows system and can recreate a terminated process if not all are eliminated during the initial attempt.
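The two behaviours described above (ransomware walking a mapped network share, and rewriting every file it finds) leave a footprint in file-server audit records that a defender can watch for. The following is an added example, not code from the article or from any product it names: a small Python detector that reads constructed file-access audit lines and raises an alert when a planted decoy ("canary") file is touched, or when one account renames an unusual number of files to a new extension inside a short window. The record layout, share paths, user names and thresholds are all assumptions chosen for the illustration.

```python
"""Added example: heuristic detection of crypto-ransomware activity on a
Windows file share, run over constructed file-access audit records.

Two signals are checked:
  1. a decoy ("canary") file on the share is touched: legitimate users have
     no reason to modify it, but ransomware enumerating the share will;
  2. one account renames many files to a new extension within a short window,
     the pattern left when crypto-ransomware rewrites and renames each file.
The log format, paths, user names and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Decoy files planted on the share (constructed paths, not from the article).
CANARY_PATHS = {
    r"\\fs01\finance\_do_not_open_canary.xlsx",
    r"\\fs01\hr\_do_not_open_canary.docx",
}
BURST_THRESHOLD = 20                    # extension-changing renames by one account
BURST_WINDOW = timedelta(seconds=60)    # ... within this window raise an alert

# Assumed audit-record layout: "<ISO timestamp> <user> <ACTION> <path>[ -> <newpath>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>WRITE|RENAME|DELETE) "
    r"(?P<path>.+?)(?: -> (?P<newpath>.+))?$"
)


@dataclass
class FileEvent:
    ts: datetime
    user: str
    action: str
    path: str
    newpath: Optional[str]


def parse_line(line: str) -> Optional[FileEvent]:
    """Parse one audit record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return FileEvent(datetime.fromisoformat(m["ts"]), m["user"], m["action"],
                     m["path"], m["newpath"])


def extension_changed(old: str, new: str) -> bool:
    """True when a rename changes the extension (e.g. .docx -> .docx.locked)."""
    def ext(p: str) -> str:
        name = p.rsplit("\\", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext(old) != ext(new)


def analyze(lines: List[str]) -> List[Tuple[str, str, datetime]]:
    """Return alerts as (kind, user, time); kind is 'canary' or 'burst'."""
    alerts: List[Tuple[str, str, datetime]] = []
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # Signal 1: anything touching a canary path is suspicious by definition.
        if ev.path in CANARY_PATHS or ev.newpath in CANARY_PATHS:
            alerts.append(("canary", ev.user, ev.ts))
        # Signal 2: sliding window of extension-changing renames per account.
        if ev.action == "RENAME" and ev.newpath and extension_changed(ev.path, ev.newpath):
            dq = windows[ev.user]
            dq.append(ev.ts)
            while dq and ev.ts - dq[0] > BURST_WINDOW:
                dq.popleft()
            if len(dq) >= BURST_THRESHOLD and ev.user not in burst_flagged:
                burst_flagged.add(ev.user)   # alert once per account
                alerts.append(("burst", ev.user, ev.ts))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed audit records: normal edits by one user, then a mass rename."""
    t0 = datetime(2014, 9, 15, 10, 0, 0)
    lines = [
        f"{(t0 + timedelta(seconds=i * 30)).isoformat()} alice WRITE \\\\fs01\\finance\\budget.xlsx"
        for i in range(3)
    ]
    # bob's machine renames 25 files to a new extension in 25 seconds and then
    # touches a canary: the footprint of a crypto-ransomware infection.
    t1 = datetime(2014, 9, 15, 10, 5, 0)
    for i in range(25):
        src = f"\\\\fs01\\finance\\report_{i:02d}.docx"
        lines.append(f"{(t1 + timedelta(seconds=i)).isoformat()} bob RENAME {src} -> {src}.locked")
    lines.append(f"{(t1 + timedelta(seconds=30)).isoformat()} bob WRITE "
                 r"\\fs01\finance\_do_not_open_canary.xlsx")
    return lines


if __name__ == "__main__":
    for kind, user, ts in analyze(build_sample_log()):
        print(f"{ts.isoformat()} {kind.upper():6} user={user}")
```

On the constructed log the burst alert fires on the twentieth rename, seconds into the encryption run, and the canary alert follows when the decoy is written. In practice the alert would feed a response that disconnects the offending workstation from the share; the threshold and window need tuning per environment so that bulk operations by backup or migration jobs do not trip it.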

Innovation Leads to Escalation

Operation Tovar and the disruption of the Cryptolocker command and control infrastructure demonstrate that the cat-and-mouse game between security professionals and cyber-criminals is alive and well in the ransomware space. As this issue goes to press, malware researchers are discovering new spam surges that suggest criminals are attempting to rebuild the powerful Gameover botnet using code with similar features.
Similarly, while UK-based anti-malware research and consulting firm Sophos has observed a virtual elimination of the Cryptolocker variant of ransomware (thanks to the Gameover botnet disruption), it has also seen an increase in new variants of encryption-based ransomware.
New variants like Cryptowall, Cryptorbit, and CryptoDefense leverage at least some of the same code as the now dated Cryptolocker. And security research site Malware Must Die notes that a development kit for creating various crypto-based ransomware can be purchased online, suggesting additional variants may not be far behind.

Mobile is the New Target

Malware developers are already showing significant interest in the mobile platform as smartphones and tablets become effective complements or even replacements for workstation computers.


Multiple variants of ransomware targeting the Android platform are circulating the Internet. The Koler Trojan has demonstrated resilience and is not bound to a particular geographic location or language. Typically, users are redirected from an intentionally infected website and prompted to install an app (generally focused on providing quick access to adult content) which quickly passes unique identifier information about the device to a C&C server. Similar to PC variants, a popup will appear that impairs a user's ability to access the device. SimplLocker, Reveton, and other variants work in much the same way.
Even the Apple iOS platform, widely considered the most secure platform on the mobile market, has seen cybercriminals attempt to exploit user trust.
While the Apple iOS platform is closed by default (prohibiting non-Apple approved applications from being installed), a successful May 2014 attack concentrated primarily in Australia that locked both iOS devices and Mac computers reportedly leveraged compromised iCloud accounts. Potentially exploiting weak user passwords, this attack further demonstrates that the threat of ransomware starts with basic user awareness controls for protecting systems and security.

ACTIONS TO PREVENT A RANSOMWARE ATTACK
BY TOM TOLLERTON

1. Beef Up User Security. Infection starts with a compromised user. Avoiding the installation of malicious software altogether is the best prevention of ransomware, yet unsuspecting and inherently trusting users continue to click on suspicious links and open email attachments from people they don't know, immediately exposing their computer systems to the risk of infection. Combined with administrative privileges, a malicious file can often install unauthorized software that is difficult to eradicate. If this recommendation could be executed perfectly, there would be no fear of system infection. Unfortunately, human beings will always be the weakest link in the security chain, so we must rely upon the effective implementation of additional layers of protection.
2. Run Offline Backups. An important part of IT governance, regardless of the risk of ransomware, is the frequent completion of data backup processes. The latest variants of Cryptolocker and other ransomware have the ability to seek out external hard drives or thumb drives that may be connected to the computer and encrypt backup files alongside primary files. There are cases in which the ransomware has identified and encrypted files within mapped folders associated with centralized network file servers and cloud services like Dropbox. It's important to conduct backups to external drives or mapped file shares and disconnect them from the computer. Alternatively, backups can be performed to a remote location using software that doesn't rely upon traditional Windows drive mapping.
3. Limit Administrative Privileges. Usually for reasons of convenience or lack of awareness, general users' Windows login accounts often inadvertently have administrative privileges. Administrative privileges grant a user and any application they run control over a computer to perform tasks, such as changing configurations, disabling anti-malware software, and installing unauthorized software. It is this administrative privilege that Cryptolocker and other ransomware variants rely upon to execute their malicious functions and block access to the user's files. Limiting privileges associated with a general user's account reduces the opportunity for ransomware to complete its mission.
4. Limit Applications. Application white-listing is a Windows feature that allows IT administrators to limit the nature of applications that are allowed to be installed on a particular system. If properly configured, white lists can prevent a user from activating a ransomware installation by unknowingly clicking on a malicious file.
5. Install Anti-malware Software. While extremely helpful, anti-malware software cannot be considered an organization's only defense against ransomware. Basic best practice controls like ensuring that anti-malware software is installed with real-time scanning enabled can at least make users and system administrators aware of a potential infection. Signature files should, of course, be updated regularly.
6. Increase Security for Mobile Devices. Most end users don't have the same concerns for the security of their mobile devices as they do for their PCs. Security professionals must make extra effort to impress upon users the importance of employing the same defenses used in securing computer workstations. Further, only downloading and installing apps from Android, Windows, and iTunes stores helps prevent malicious code from running on the devices.

Establishing Cyber Barricades

There are several steps you can, and in many ways already should, take to reduce the risk of you or your enterprise becoming victim to ransomware (see "Suggestions for Ransomware Prevention," p. 23).
While it remains an option, most security consultants advise victims not to pay any ransom associated with an infection. There is always a chance that you might not be able to access your system or data, despite following payment instructions. Infections could be dependent upon communication with command and control or payment servers to unlock the system or deliver the decryption key. If this communication cannot be established, the system may not unlock, making the decryption key unretrievable.
Further, increasing attackers' revenue only encourages the expanded use of this malware. And if a victim pays the ransom, they set themselves up as an attractive target in the future.
When it comes to ransomware, it's important that security professionals help organizational leadership stay calm and encourage them to take a risk-based approach to addressing the potential loss of data control and preventing ransomware infections.
TOM TOLLERTON, CISSP, CISA, GCIH, QSA is a cybersecurity, digital forensics, and incident response consultant with Dixon Hughes Goodman LLP. He provides data breach response services, as well as security testing, audit, and compliance procedures. Tom can be reached at [email protected].


RISK MANAGEMENT

GETTING LEFT OF THE HACK
HONING YOUR CYBER INTELLIGENCE CAN THWART INTRUDERS
BY RANDY BORUM

WHEN IT COMES to information security, it is easy to become so focused on what's happening inside your network that you neglect the outside actors that may be preying on your weaknesses. The knowledge of our adversaries' intentions, capabilities and activities in the cyber domain, or cyber intelligence, enables us to intervene before an attack occurs, or to get "left of the hack." Intelligence collection and analysis provide essential tools for staying ahead of the adversary.

Photograph: Stocksnapper/iStock


Although the term "intelligence" may be unfamiliar or unclear to many traditional cybersecurity practitioners, both NIST's National Cybersecurity Framework (http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm) and DHS's Task Force on CyberSkills (http://www.dhs.gov/homeland-security-advisory-council-0) emphasize the value of the intelligence function.
Intelligence is not just a national security activity.
It concerns a range of organizations in the private
and public sectors. At the broadest level, intelligence
might be thought of as actionable knowledge, but as
John Felker, director of Cyber Intelligence Strategy
for Hewlett-Packard (Palo Alto, Calif., U.S.A.), points
out, intelligence for cybersecurity is more than 1s and
0s. Felker also co-chairs a national task force on cyber
intelligence for the Intelligence and National Security
Alliance (INSA) (http://www.insaonline.org).

The Cyber Intelligence Task Force uses a common three-part framework to describe the different levels at which actionable knowledge influences decisions and activities within an enterprise. The three overlapping levels are strategic, operational, and tactical (see "Cyber Intelligence Task Force's Three-Part Framework," p. 27). The defining features of each level are based on the intended consumer, decision requirements, timeframe, adversary characterization, collection scope and methods.
The strategic level focuses on setting an organization's mission, direction, and objectives and developing a plan for how the organization will achieve those objectives. Intelligence collection broadly assesses the threat landscape for macro trends (e.g., political, social, economic) affecting the industry and the organization and discerns who the bad guys are, what they want to achieve, why, and how they will likely attempt to achieve those aims.

The operational level focuses on enabling and sustaining day-to-day operations and output, including logistics. At this level, cyber intelligence looks at the organization's internal operations and collateral partners and at external threats posing the greatest risk to business continuity and with the greatest potential business impact. Those analyses inform risk-based decisions about resource allocation and defensive actions.
The tactical level focuses on the specific steps and actions the organization takes to protect assets, maintain continuity, and restore operations. In the cyber domain, the tactical level is where on-the-network actions take place and malicious actors and network defenders maneuver actively against each other. Intelligence examines the technical/logical tactics, techniques and procedures (TTP) used to target the organization.
The three-level framework (strategic, operational, and tactical) illuminates the big picture of cyber intelligence. Too often, threat intelligence focuses only on the tactical level: the technical dimensions of an attack such as implants, tools, and artifacts. There is no question that this information is valuable, but it is only one dimension of actionable information in cyber defense. Cyber intelligence must collect and analyze more than network logs; it must go beyond the network.

Developing Smart Defenses

Cyber intelligence should drive the cybersecurity mission and form the foundation of effective cyber defense. An intelligence-led approach can transform the organization from a reactive to a proactive security/risk management posture.
With finely honed cyber intelligence, an organization can align valued assets with prioritized threats and available resources. Troy Mattern, deputy head of cyber security for Zurich Insurance Group, describes the traditional cyber defense posture as a "Maginot Line," a static approach in which the central guiding principle is to defend everywhere.
Mattern says that risk-based, intelligence-driven security allows you to focus not just on generic threats and risks but your threats and risks. "You have to know the specific risks that threaten your organization and develop your strategy around them. You can't do that without intelligence."



CYBER INTELLIGENCE TASK FORCE'S THREE-PART FRAMEWORK

1. Strategic Cyber Intelligence is:
Produced for senior leaders at the C-Suite level in both private and public sectors;
Used to maintain a competitive advantage and to inform the development of organizational/national strategy and policy that will direct the organization, often over the long term (3+ years);
Collected broadly within the sector to which the organization belongs and likely includes complementary sectors (e.g., R&D and manufacturing, supply chain);
Focused broadly on threat vectors and adversaries that include nation and non-nation state actors with intent and capability and on contextual political, economic, social trends; and
Generally non-technical in nature, focusing instead on inter/intra sector trend analysis, stated and unstated objectives of nation and non-state actors, and other strategic indicators.

2. Operational Cyber Intelligence is:
Produced for executive managers in IT and security, such as the CIO and CISO;
Used to inform risk-based decisions about resource allocation and activity to maintain business continuity and prevent disruption, often for the foreseeable near-term;
Collected with an emphasis on the specific organization/enterprise and operations to include partners, suppliers, competitors, customers and other trust relationships;
Focused on targeted, opportunistic, and persistent vectors that pose the greatest risk to business continuity and that would have the greatest business impact; and
Blends technical and non-technical collection to explore and prioritize organization-specific threats, the mechanisms and signatures of potential attacks, and the vulnerability of the organization's layered defense.

3. Tactical Cyber Intelligence is:
Produced for incident response teams;
Used to restore operations quickly and collect relevant evidence about the attack in an immediate timeframe;
Collected with more of an internal emphasis on the organization/enterprise personnel, assets, and networks (inside the wire);
Focused on understanding and analyzing the adversary's use of technical/logical tactics, techniques and procedures (TTP) to target the organization; and
Generally more technical in nature, focusing on the implants, tools, delivery mechanisms, and technical/logical artifacts of an attack.

A Roadmap to Cyber Intelligence

At the core of a risk-based, intelligence-driven security approach is a function that continuously collects, processes, analyzes, and disseminates information about the vulnerability of valued assets in relation to the risk posed by internal and external threats and uses that information to guide its decisions and operations. There are several steps organizations can take to achieve an intelligence-led approach to cyber defense.

Approach Cyber Defense as a Dynamic, Ongoing Process: After WWI, France built the Maginot Line, a massive fortified wall, along its border with Germany. The rationale for building the Maginot Line was very similar to the rationale for deploying firewalls today: to provide time for their army to mobilize in the event of attack. But in response to the Line, the Germans just changed their attack strategy. They adopted an approach based on speed and surprise rather than direct, frontal assault. The Germans went around the fortress and attacked France from Belgium. The Line did not falter, but by itself, it could not defend against the intrusion.

27 InfoSecurity Professional September/October 2014


Just as the Maginot Line could not defend against ever-changing intrusions, neither can firewalls. Information security methods have evolved considerably since the early days of broad, static perimeter defense. Security assessment and response must be a continuous process, and security mechanisms must be multi-layered and dynamically deployed. Adversaries adapt, and they will prevail without a dynamic defense.

Look Beyond the Network: Most security teams say that they monitor threat intelligence, but those activities occur almost exclusively on the network. Organizations must widen their collection aperture for threat intelligence. Intrusion indicators are often found only after the adversary is already inside the wire.

Understand the Attack: The intrusion is just the endpoint of a longer and more complex process of planning and preparation that has come to be known as the Cyber Kill Chain. Originally articulated by Lockheed Martin, it describes the phases of a cyber attack:
Reconnaissance
Weaponization
Deliver
Exploit
Install
Command & Control
Act on Objectives

Discerning attack activity before an intrusion requires off-network information. Relevant data may come from specific network activity, global cyber activity, organizational policy and action, industry/sector trends, or from geopolitical events. It can be open source, proprietary, or classified. What matters most is that the information is timely, actionable and relevant.

Map Your Threat Surface: Each organization has its own risk profile based on the assets it possesses and the competitors or adversaries vying for their space. This combination is the organization's threat surface. First, the organization must assess and prioritize its assets, analyzing security risks and vulnerabilities in all sections. Then, the organization can assess and characterize its adversaries and competitors, their intentions, their objectives, their methodologies and their opportunities on a continuous basis.

Total Alignment Needed: Effective security requires clear priorities and alignment among the security team, as well as executive and senior management involvement. Cyber intelligence analysts can provide information about assets' exposure and vulnerability, but ultimately, prioritizing value, business impact (e.g., loss and disruption), and risk tolerance are executive decisions.

An Evolving Discipline
Cyber intelligence continues to evolve as a discipline
and an area of practice. Some companies have created
sophisticated capabilities, with dedicated personnel
integrated across the enterprise working at strategic,
operational and tactical levels. Others, however, may
have no analytic capacity but serve a security function
that is compartmented and gathers intelligence only
from their CERT feeds. A range of vendors and firms
has emerged over the past several years offering cyber
intelligence solutions for companies that cannot create
their own.

A number of groups also continue their work to advance the science and practice of cyber intelligence. In addition to the INSA Task Force, researchers and analysts at Carnegie Mellon University's Software Engineering Institute (SEI) (http://www.sei.cmu.edu) are an active cadre of professionals seeking to shape and expand the discipline of cyber intelligence.
In 2012, the SEI team developed the Cyber Intelligence Tradecraft Project (http://sei.cmu.edu/about/organization/etc/citp.cfm) to explore best practices used within different industry sectors. Extending the Tradecraft Project, this summer, SEI launched the Cyber Intelligence Research Consortium (http://www.sei.cmu.edu/about/organization/etc/overview.cfm), a collective of cross-sector institutions working to improve collection and analytic methodologies, technologies and practices in cyber intelligence.

Moving Toward the Cyber Intelligence Future

Most information security professionals would say that they have a risk assessment and management approach. Some even say they use threat intelligence, but in reality, they have no systematic intelligence capability at all.
Without an inventory of requirements and a collection management process, organizations cannot focus or prioritize the cyber threat information they collect. This makes for a noisy stream of threat information, within which the most useful data becomes more difficult to identify. Some try to cope by subscribing to as many feeds as possible and hoping information relevant to them will appear in the mix, but that approach is profoundly inefficient.
Cyber intelligence capabilities can make any cybersecurity enterprise more proactive and effective. By understanding their threat surface and looking well beyond the network, organizations can take on an intelligence-led approach to cyber defense and make it a dynamic, ongoing part of their culture.
DR. RANDY BORUM is a professor and the coordinator for Strategy and Intelligence Studies in the School of Information and Academic Coordinator for Cybersecurity at the University of South Florida. Additionally, he developed one of the first systematic, graduate-level, academic programs of study in Cyber Intelligence and serves on INSA's Cyber Intelligence Task Force.


DATA SECURITY

SECURING THE COLOSSUS

KEEPING BIG DATA UNDER YOUR CONTROL BY COLLEEN FRYE

Illustration by Peter and Maria Hoey

TERABYTES OF DATA, petabytes, exabytes: massive amounts of information are being collected and parsed daily by more and more entities. As big data becomes the commonality in business, the challenge to infosecurity professionals to secure the data is growing exponentially.
According to Gartner, Inc., the technology research and advisory firm headquartered in Stamford, Conn., U.S.A., big data is "high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making." For businesses, the ability to analyze big data will become a key basis of competition, predicted McKinsey Global Institute in a 2011 report (http://www.mckinsey.com/insights/business_technology/big_data_the_next_frontier_for_innovation). And if you look at Apple, Google, Amazon and Walmart, to name a few, it's clear that competition now has boots on the ground.
For information security professionals, big data is "the yin and the yang," says Larry Ponemon, CIPP, chairman and founder of the Michigan-based Ponemon Institute LLC, a research organization focused on privacy, data protection, and information security policy. "On one hand, it creates a lot of risk. But if you harness the information properly, you can get a lot of value to help you understand your security environment in ways you can never imagine, and you can focus resources there."

The Bigger the Bucket, the Greater the Risks

Big data is not a new problem for infosecurity, according to Bill Sieglein, founder of CISO Executive Network, a Maryland-based peer-to-peer professional organization, but rather an expansion of an existing problem. "We've determined that it isn't a whole lot different than any other regulated data in our environment; we've just created more data. All of our same policies apply; we've just got a bigger bucket to protect. It's a richer target for adversaries, so it puts us in a higher-risk category."
Chris Apgar, CISSP, agrees: "Big data shouldn't make their life harder if they're doing what they should be doing all along." Apgar is CEO and president of Apgar & Associates, LLC in Portland, Ore., U.S.A., a security consultancy to healthcare organizations. He adds, "More due diligence is necessary when vetting a [third-party] vendor," and suggests checking with that vendor on an annual basis to demonstrate their security posture.

Keeping It Private

Privacy is one of the big issues with big data, says Ponemon. "You collect information, and unbeknownst to consumers, it is suddenly in the hands of a third-party data organization. A big dilemma many organizations are facing now is how to honor the commitment they made when they collected the data."
The collection and subsequent combinations of these large data sets also put businesses at risk of violating privacy and compliance regulations. Sieglein says it's not necessarily the collection of gobs of data that's the problem, but rather it's putting that data together that becomes "toxic." Separately, data may not have fallen under any regulated requirements and is not categorized as protected health information (PHI) or personally identifiable information (PII). "But if you now have name, social security number and address all in one bucket, that's called PII. It didn't used to be PII, but now it's subject to state laws, and you have to start protecting it."
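The toxic-combination problem Sieglein describes, as an added governance check that is not from the article or from any company named in it: each data set in a constructed catalogue is harmless on its own, but a proposed join is evaluated against assumed rule sets and flagged when the combined fields first create PII or PHI. Data set names, field names and the rule sets are constructed for illustration and are not a legal definition of either term.

```python
# Added example, not the article's or any vendor's code. Rule sets and catalogue
# are constructed; they illustrate the "separately harmless, toxic together" point.

# Each rule is a set of fields that, held together, triggers the label (assumed rules).
COMBINATION_RULES = {
    "PII": [
        {"name", "ssn"},
        {"name", "address", "date_of_birth"},
    ],
    "PHI": [
        {"name", "diagnosis"},
        {"medical_record_number"},
    ],
}

# Constructed catalogue: data sets already in the cluster and the fields each carries.
CATALOGUE = {
    "customers": {"customer_id", "name", "address"},
    "credit_checks": {"customer_id", "ssn", "score"},
    "clinic_visits": {"customer_id", "visit_date", "diagnosis"},
    "web_clicks": {"session_id", "customer_id", "url"},
}


def labels_for(fields, rules=COMBINATION_RULES):
    """Return the labels whose rule sets are fully present in `fields`."""
    return {label for label, combos in rules.items()
            if any(combo <= fields for combo in combos)}


def review_join(dataset_names, catalogue=CATALOGUE, rules=COMBINATION_RULES):
    """Evaluate a request to join data sets: what each carries alone versus joined.

    `new_exposure` lists labels that none of the inputs carried by themselves,
    i.e. regulated status created purely by the combination.
    """
    missing = [n for n in dataset_names if n not in catalogue]
    if missing:
        raise KeyError(f"unknown data set(s): {missing}")
    separate = {n: labels_for(catalogue[n], rules) for n in dataset_names}
    joined_fields = set().union(*(catalogue[n] for n in dataset_names))
    joined = labels_for(joined_fields, rules)
    already = set().union(*separate.values())
    return {
        "fields": joined_fields,
        "separate": separate,
        "joined": joined,
        "new_exposure": joined - already,
        "approve_without_review": not joined,
    }


if __name__ == "__main__":
    # customers + credit_checks: neither is PII alone, together they carry name + SSN
    print(review_join(["customers", "credit_checks"]))
```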

" All of our same policies


apply; weve just got a
bigger bucket to protect.
Its a richer target for
adversaries, so it puts us
in a higher-risk category.
BILL SIEGLEIN, founder, CISO Executive Network

On top of privacy concerns, John Pescatore, director of emerging security trends at SANS Institute, points out that two of the biggest challenges to protecting big data are people and immature technology. "Every new technology invariably starts with very little security built in, and over time, it becomes more secure. Hadoop [the Apache open source framework for processing big data] is a good example. It's an early model that is great for doing big data functions faster, and oh yeah, we grafted security on."
The people issue is what Pescatore calls the "Snowden risk." He explains, "The typical technology used in big data gives every DBA and analyst full access to everything. So a marketing person who uses this data for malfeasance is an example of an insider overusing their privileges. Conversely, bad guys who phish that marketing guy and get control of his PC is an example of an outsider threat."


Defense of the Data: A Case Study

Cardinal Health, a healthcare services company based in Dublin, Ohio, U.S.A., began incubating the concept of big data in the enterprise architecture lab more than two years ago. Jeff Graham, Cardinal's senior advisor, Data Analytics, Enterprise Architecture, is on the front line: "Since then, we've been using it in a lot of places to help us understand click-stream analysis on our customer website and for clinical research. The goal with big data is to increase our analytics agility. Big data allows us to do this in a cost-effective way because it allows our data scientists to dig in deeper." Cardinal generates a lot of data internally, as well as purchases third-party data, and takes advantage of free and open resources available from sites such as data.gov and medicare.gov.
The strategy for securing big data falls more on the process side than on the technology side, explains Graham: "You have to be careful of the three Vs of big data: volume, velocity, variety. With new data processing engines like Hadoop, you have to make sure everyone in the group understands what HIPAA and PHI data means, from the business analyst to the data scientist. Education of all the team members is the most crucial. You can have technology, but if you don't have people who understand what security is, you will have issues."
Cardinal is using the Hortonworks distribution of Hadoop, which has three different levels of security: the hardware level, the network level, and within Hortonworks itself. Cardinal is also using the big data analytics tool from Datameer, which Graham says also has a security layer.
In addition to being attached at the hip to Cardinal's director of security, Graham's department partnered with human resources to develop training material for anyone working with data inside Hadoop. Workers are tested on the material, which is refreshed as appropriate, he explains.
Graham adds that Cardinal has also established policies for transferring data with external parties, such as utilizing secure FTP. And internal requests for data brought into Hadoop go through a centralized governance board. "Ninety percent of our data is not data that needs to be secured, but we want to make sure we're covered. Governance plays a huge part in this."

" Accurate anomaly detection


is the key to detecting
threats/breaches.
SREERANGA RAJAN, director, Fujitsu Laboratories of America

Tools Needed to Fit the New Paradigm

Although traditional security tools are not designed to handle big data, Larry Ponemon warns that it's hard to stop the tidal wave. "We do things that are convenient, and then we repent," he says, paraphrasing musician Bob Dylan.
"Accurate anomaly detection is the key to detecting threats/breaches," advises Sreeranga Rajan, director, Software Systems, at Sunnyvale, Calif.-based Fujitsu Laboratories of America. "With big data, there are typically very many varieties of unstructured data sources across which correlation and anomaly detection has to be performed. Traditionally, intrusion detection and SIEM [security information and event management] tools can process only structured data. Therefore, intrusion detection and SIEM tools cannot scale up to the demands of big data."
Rajan is co-chair of the Cloud Security Alliance's Big Data Working Group. In its report, "Expanded Top 10 Big Data Security and Privacy Challenges," April 2013, the working group identified these top 10 challenges:
1. Secure computations in distributed programming frameworks
2. Security best practices for non-relational data stores
3. Secure data storage and transactions logs
4. End-point input validation/filtering
5. Real-time security monitoring
6. Scalable and composable privacy-preserving data mining and analytics
7. Cryptographically enforced data-centric security
8. Granular access control
9. Granular audits
10. Data provenance

Knowing the risks can help when going down the big data path, particularly when choosing a third party, says Chris Apgar. One of Apgar's clients is a vendor that provides data to large healthcare entities. He relates how a large client of that vendor adopted the CSA's threat list and added things to it to cover themselves, from the physical security of the data to disaster recovery, and told the vendor to "prove you've done all these things." The client also requested the vendor be SSAE 16 compliant, he says (SSAE 16 is an auditing standard for services organizations; it replaced SAS 70).

Fighting Cybercrime with Big Data Tools

Looking ahead, it won't be just the marketing department and data scientists who will be using big data tools, experts say, but infosecurity will start to add big data analytics to its arsenal. Gartner predicts that by 2016, 25 percent of large global companies will have adopted big data analytics for at least one security or fraud detection use case.
The "Big Data Analytics in Cyber Defense" study (http://www.ponemon.org/library/big-data-analytics-in-cyber-defense), sponsored by Teradata (an analytic data platforms, marketing applications, and services company, based in Dayton, Ohio, U.S.A.) and conducted by Ponemon Institute, revealed the following:
56 percent of respondents (IT and IT security practitioners) are aware of the technologies that provide big data analytics;
61 percent say they will solve pressing security issues, but only 35 percent have them;
82 percent of respondents would like big data analytics combined with anti-virus/anti-malware; and
80 percent say anti-DoS/DDoS would make their organizations more secure.

The study also concluded that big data analytics, combined with security technologies, will give organizations a stronger cyber defense posture.
The CSA's Big Data Working Group projects that in the area of intrusion detection, the next generation of SIEM tools will include big data analytics. "Security analytics tools address two of the top 10 challenges, namely, real-time security monitoring [and] scalable and composable privacy-preserving data mining and analytics," predicts Fujitsu Labs' Rajan.
Security officers want to get their hands on anything that will help them assess their security posture in real time, adds Bill Sieglein, citing their use of analytics tools like Splunk and SIEM provider LogRhythm Labs.

" Security officers want to get


their hands on anything that
will help them assess their
security posture in real time.
BILL SIEGLEIN, founder, CISO Executive Network

That's exactly what's starting to happen at Cardinal Health. Jeff Graham explains that his group began analyzing the logs from Datameer and Hortonworks with the original intent of determining which data sets and transformations were the most helpful: who was generating the most useful data sets, and who was using them. Then they realized they could use the analysis for integrity monitoring and started with intrusion detection. "If certain trends can give us insight into potential for abuse, that part is pretty neat. We started this a while back to support reasons for having different data sets, and it turned into so much more."
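The path Graham describes, from "who is using which data sets" to detection, as an added example that is not Cardinal Health's, Datameer's or Hortonworks' code: a per-user baseline is built from constructed HDFS-style audit lines, then a day under review is checked for a user reading an unfamiliar data set, a read-volume spike, or a denied access (the insider-overreach case Pescatore calls the "Snowden risk"). The line format, users and data set names are constructed, and the /data/<dataset>/ directory layout is an assumption.

```python
# Added example, not from the article or the vendors it names. Sample log lines
# are constructed in the shape of an HDFS namenode audit log; the /data/<dataset>/
# layout and all users and paths are assumptions made for the illustration.
import re
from collections import Counter, defaultdict

# Fields of an audit line that the detector needs (date, allowed, user, cmd, src).
AUDIT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ INFO FSNamesystem\.audit: "
    r"allowed=(?P<allowed>true|false) ugi=(?P<user>\S+) .*?cmd=(?P<cmd>\w+) src=(?P<src>\S+)"
)


def audit_line(date, user, path, cmd="open", allowed=True):
    """Build one constructed audit line for the sample below (not a real log)."""
    return (f"{date} 09:00:00,000 INFO FSNamesystem.audit: "
            f"allowed={'true' if allowed else 'false'} ugi={user} (auth:SIMPLE) "
            f"ip=/10.1.0.5 cmd={cmd} src={path} dst=null perm=null")


def dataset_of(path):
    """Map a file path to its data set: the directory under /data (assumed layout)."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "data" else parts[0]


def parse(line):
    """Return the parsed fields of one audit line, or None if it is not one."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dataset"] = dataset_of(ev["src"])
    return ev


def build_baseline(lines):
    """Per user: the data sets they normally read and their mean successful reads per day."""
    datasets = defaultdict(set)
    daily = defaultdict(Counter)          # user -> {date: successful reads}
    for line in lines:
        ev = parse(line)
        if ev and ev["cmd"] == "open" and ev["allowed"] == "true":
            datasets[ev["user"]].add(ev["dataset"])
            daily[ev["user"]][ev["date"]] += 1
    rate = {u: sum(c.values()) / len(c) for u, c in daily.items()}
    return {"datasets": dict(datasets), "reads_per_day": rate}


def detect(lines, baseline, spike_factor=3.0):
    """Findings as (user, kind, detail): unfamiliar data set, volume spike, denied access."""
    findings, flagged, reads = [], defaultdict(set), defaultdict(Counter)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user = ev["user"]
        if ev["allowed"] == "false":          # the cluster's own denial is itself a signal
            findings.append((user, "denied", ev["src"]))
            continue
        if ev["cmd"] != "open":
            continue
        reads[user][ev["date"]] += 1
        known = baseline["datasets"].get(user, set())
        if ev["dataset"] not in known and ev["dataset"] not in flagged[user]:
            flagged[user].add(ev["dataset"])   # report each new data set once per user
            findings.append((user, "new_dataset", ev["dataset"]))
    for user, per_day in reads.items():
        usual = baseline["reads_per_day"].get(user)
        for date, n in per_day.items():
            if usual is not None and n > spike_factor * usual:
                findings.append((user, "volume_spike", f"{date}: {n} reads vs ~{usual:.0f}/day"))
    return findings


# Constructed sample: a five-day learning period, then one day under review in which
# marketing2 suddenly reads clinical files, far more than usual, and is denied once.
BASELINE_LINES = [
    audit_line(f"2014-09-0{d}", user, f"/data/{ds}/part-{i}")
    for user, ds in (("analyst1", "clickstream"), ("marketing2", "campaigns"))
    for d in range(1, 6) for i in range(2)
]
REVIEW_LINES = (
    [audit_line("2014-09-08", "analyst1", f"/data/clickstream/part-{i}") for i in range(2)]
    + [audit_line("2014-09-08", "marketing2", f"/data/clinical/phi/part-{i}") for i in range(8)]
    + [audit_line("2014-09-08", "marketing2", "/data/hr/salaries/part-0", allowed=False)]
)


def review_sample():
    """Run the detector over the constructed sample and return its findings."""
    return detect(REVIEW_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

The baseline here is a plain set-and-mean model; in practice the learning window and spike factor are tuned per role, and the review data set should itself be scoped so that log analysis does not become the over-collection Sieglein warns about.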
Yet Sieglein suggests treading carefully with big data security analytics. The security folks are also a culprit in that they want to collect as much information as they can. The danger is if there is data in the log information that is regulated or privacy-related.

STEPS TO IMPROVING BIG DATA SECURITY

In addition to knowing the risks, the SANS Institute's John Pescatore suggests some other steps organizations can take to beef up big data security:

Upgrade to newer distributions of Hadoop, which keep improving the security model.

Use the critical security controls identified by the Council on Cyber Security (http://www.counciloncybersecurity.org) as guidelines to basic security hygiene: "Do we know if patches to Hadoop or the analytics [tool] have been installed? Have we minimized privileges? It's all Security 101, but big data was rushed in [to organizations]."

While there are now numerous vendors selling security tools for big data, it is not yet a mature market, and those just getting started with big data may want to get their architecture and hygiene in place and wait for the second phase of these products.

We're almost as bad as the marketing folks we scream at all the time.
So while privacy regulations remain in flux and tools are still maturing, big data is here to stay, says Sieglein. "Companies understand the value [of big data], so security and privacy officers have to advise management continually on what they should be doing to protect data, knowing that the regulators will be coming down heavy handed in the next few years, especially as it pertains to consumer data."
Risk and reward: the yin and the yang of which Ponemon speaks.
COLLEEN FRYE is a freelance writer and regular contributor to InfoSecurity Professional.


Giving Corner
FOSTERING GOODWILL, EDUCATION, AND RESEARCH INITIATIVES

2014 (ISC)2 CYBER SECURITY SCHOLARS

BY JULIE PEELER

JUDGING FROM THIS year's recipients of the 2014 (ISC)2 Foundation Cyber Security Scholarships, passion, dedication, drive, and determination are never in short supply for those seeking a career in information security. But funds to finish their formal education are often hard to come by. That's why we created these scholarships, which ultimately help bridge the gap in the workforce for qualified information security professionals.
I am so inspired by this year's winners in the Women's, Graduate, and Undergraduate categories, many of whom shared expressions of gratitude and a glimpse of their pasts, present, and promising futures.
A full list of scholars is available in Field Notes on page 13. Here are responses from some of this year's recipients, all of whom said they were honored by the recognition and show of support they received from the (ISC)2 community.

Julie Peeler is the (ISC)2 Foundation Director. She can be reached at [email protected].

Shruti Gupta, India (Women's)
The scholarship offers the opportunity to continue with my graduate studies, allowing me to contribute more toward the information security realm. It will help me focus on my research and fulfill my dreams of becoming a Ph.D. The CISSP certification will enable me to join the elite ranks of highly skilled infosec practitioners, greatly benefiting my career.

M. Alexis Greenidge, U.S.A. (Women's)
Freedom in a world of security. A seeming paradox, but the scholarship frees up my finances so that the degree that I am going for is more manageable. As a single parent with two children currently in college, this is a tremendous help to my family. It relieves the stress that comes along with debt. Unfortunately, education is very costly in our country, but with foundations like yours, it makes a great impact on my life. I am sure that every recipient has been honored and has been positively impacted in more ways than one.

Sreedevi Sreekandan, India (Women's)
I consider this scholarship a recognition and approval of my decision to specialize in cybersecurity as part of my continuing education. The scholarship committee also recognized the hard work I put into the first year of the graduate level course work. On a personal level, I believe this award also shows the Foundation's commitment to bring more women into the cybersecurity profession and to extend a helping hand in their journey to become a confident and knowledgeable IT security professional. I hope this award will continue to encourage women all over the world to take a keen interest in cybersecurity education in future.

Cheryl Devaney, U.S.A. (Graduate)
The assistance provided by the (ISC)2 Foundation allows me to pursue research within the field of information security while completing a Master of Science degree in information systems management. I hope to pursue a career in information security after completing my degree, and the funding provided will give me the opportunity to gain vital experience within this field while a student.


Anna Truss, Turkmenistan (Graduate)
I've been through a lot of challenges throughout my life to get to where I am now, and getting this scholarship will definitely help me achieve my goals in life. One of my many goals is to receive a Master of Science degree in cybersecurity. This scholarship, for me, is not the end but rather the beginning of a brighter future.

Lokesh Pidawekar, India (Graduate)
My interest and passion for learning in the field of information security grows day by day. I had spent more than three years implementing system and network security controls for various clients. The Master's program in information assurance has given me deep understanding of information security and related issues. Along with my current graduate program schedule, the (ISC)2 scholarship will help me conduct extensive research and design secure systems to fight against cybercrime. I would like to dedicate my efforts in securing open source software and APIs to prevent any further security breaches due to vulnerabilities like Heartbleed. This scholarship will also help me in designing security solutions as part of my capstone project and will be able to serve in the security community.

Katherine McGinn, U.S.A. (Undergraduate)
Receiving this scholarship affords me the ability to focus on my studies and not be overwhelmed with managing tuition costs. I can continue with my cybersecurity program at University of Maryland University College with ease. Thank you to the (ISC)2 Foundation Information Security Scholarship Program! I am proud to be a member of the (ISC)2 organization.

Dulce Gonzalez, Mexico (Undergraduate)
This scholarship is a wonderful reminder to me that good things do happen to good people. This scholarship is a reminder of the endless possibilities out there for me. Being a first generation college student has been a struggle, but now I am more motivated than ever to follow my dreams and conquer my goals.

Robin Saunders, U.S.A. (Undergraduate)
In addition to easing the financial strain of my senior year at River Valley Community College, this scholarship reinforces my belief that the pursuit of scholastic success, as grueling as it may be at times, does not go unacknowledged. This award allows me to focus on my career and intellectual development. Not only has it allowed me to finish my Associate degree, but this scholarship also acknowledges all the work I have done thus far and that I will continue to do in the future.

Samantha Houston, U.S.A. (Undergraduate)
I am so grateful to receive the (ISC)2 Foundation Undergraduate Scholarship because it is a stepping stone on my path to success in the field of cybersecurity. It is an investment in my future and will help me to further my studies and gain experience that I would not have had otherwise. Many times I have questioned how I am going to afford to continue my education and see my career ambitions become a reality, but the support of this scholarship has helped alleviate those worries and given me confidence that I am making the right decision about what to do with the rest of my life.

Fumi Honda, U.S.A. (Undergraduate)
There's a saying in my culture that you must first help yourself before others do. I am very grateful that someone out there, namely the (ISC)2 Foundation, would help fund my education. I can then focus more on learning as much as I can during my prime years. I plan to have two and a half majors in five years: computer science, psychology, and business. Stony Brook University has a Center for Cyber Security; I will take full advantage of the resources here and give back by using my cross-disciplinary perspective to solve complex problems for society. Thank you!

Lassine Cherif, Ivory Coast (Undergraduate)
By selecting me, the (ISC)2 Foundation gave me a luxury of focusing on my education rather than worrying about how to pay for it. It gives me a unique opportunity to obtain both a degree and a globally recognized certification; skills that I need to achieve my goal which is help secure cyberspace.


2020 Vision
A ROUNDUP OF MEMBERS' AND INDUSTRY EXPERTS' PREDICTIONS
BY BEN MALISOW

RISKY BUSINESS

Is it time to just suck it up when it comes to data security?

Image: Kieferpix/iStock

The Target breach, the VA's massive inadvertent disclosure, the TJX hack, Sony's disastrous loss of almost all data associated with PSN users, Choicepoint's data theft by internal actors. All these incidents have something in common: an almost total dearth of appreciable consequences. Nobody went to jail. And punitive monetary judgments were less significant than other external factors. For instance, Sony claimed that the financial impact of their breach was less than that of an earthquake in Japan that same year.

It's heresy to say this in our industry, but the pragmatic way to address security risks might be the least expensive, most cost-effective technique: risk acceptance. In other words, just suck it up.
The costs of implementing security measures that actually, well, secure the data they're intended to protect are massive, both in terms of capital investment and decreased operational capability. And the means to realistically transfer data security risk simply have not manifested in any meaningful way. Underwriters are understandably reticent to predict potential foreseen threats. And, without assurance that insurers will pony up the costs of damages, who would purchase those instruments?
Of course, there are statutory requirements for data protection, but we've seen even the federal government, including agencies with their own enforcement arms (yes, IRS, we're looking at you), fail to adhere to even basic security precautions, and not suffer any significant adverse consequences. Proving a good-faith effort to comply with legislative mandates is sufficient to absolve liability, and good-faith efforts are far less expensive than actual security. If you max the min requirements, that suffices. If the minimum wasn't good enough, it wouldn't be the minimum.
Liability is the name of the game. Why haven't customers risen up and decried this carelessness, this callous treatment of their precious information? In years past, the industry held that customers didn't understand the value of what they were losing, that they didn't grasp the inherent price and cost of their own data. That assertion probably no longer holds. This one might be more apt: customers don't care because they don't have to. Victims of credit card theft are not held liable for illegal transactions, by statute, beyond a negligible minimum expense. Why care if someone steals your card, if you don't have to pay for it?
This is why PCI is driven not by statute, but by those with the most to lose from credit card breaches, and probably why it's more strict and sensible than regulatory attempts at the same goal.
So, when mitigation efforts are not cost-effective, and transference is not feasible, what response is left?


By 2020, we might see everyone, from businesses to government agencies to consumers, just put away their fears of data theft and dispose of their addiction to expensive security solutions in exchange for the most practical of approaches: know that engaging in data-driven transactions incurs an element of risk. That risk can be minimized but never eliminated. It's important to simply accept the chances of risk and go on about their lives without worrying about it or expending effort and money to alleviate it.
It's what we all already do with a car, the place we're most likely, by far, to die.
BEN MALISOW is a freelance consultant who conducts training and instruction. He has taught computer science and technology in Las Vegas and college-level English, information security, and computer security courses throughout the United States.
NEXT ISSUE What will be the biggest security and/or privacy issue[s] by 2020, particularly in the healthcare industry? Send a paragraph or two to [email protected] by Oct. 15, 2014.

2020 VISION READER RESPONSE: BIG DATA

THE INTERNET OF EVERYTHING controlled by a smart phone, as the trend seems to be (home alarm systems, thermostats, home locks, automobiles; one of the auto companies some months ago demonstrated in a commercial a remote start capability from a distant airport with Internet access; etc.) really scares me. Companies and people know how to build functional applications, but they do not know how to build secure applications, and it does not help when the operating systems for these phones are not secure by design, and, in many cases, are not updated (this is particularly a problem for Android, where the phone vendors, not Google, control the decision to issue OS updates for a particular model of phone). My secondary concern is that you have your pick of vendor to collect the data for all of the things done through those applications: Google, Apple, or Microsoft.
JEFFREY HARRIS, CISSP, New York
