Monday, August 17, 2009

Want To Become A Cyber Warrior?

Cyber security has become critical as more and more of our lives are placed on the Internet and on interconnected computing systems. It will therefore take an army of skilled newcomers to the Information Security field to protect and defend Internet and computer use for society.

One program that aims to meet this need:

The US Cyber Challenge


Encouraging young people to develop the aptitude and skills to become the core of a strong cybersecurity community.

The US Cyber Challenge is looking for 10,000 young Americans with the skills to fill the ranks of cyber security practitioners, researchers, and warriors. Some will become the top guns in cyber security. The program will nurture and develop their skills, give them access to advanced education and exercises, and where appropriate, enable them to be recognized by colleges and employers where their skills can be of the greatest value to the nation.

Competitions Available

Digital Forensics Skills learned by young participants

  • Challenges with a solution well known to experienced examiners (e.g. File Signatures, Suspicious Software, Hashing, Metadata, etc.)
  • Challenges with a solution, but having a degree of difficulty (e.g. Data Hiding, File Headers, Passwords, Registry, etc.)
  • Difficult challenges that may have a solution, but it is not well known (e.g. Encryption, Parsing, etc.)
  • Challenges with no known solution (e.g. Communication Recovery/Parsing, Concealment of information within computer files, etc.)
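The first tier of the challenge list above (file signatures and hashing) is the bread and butter of an examiner's triage: a file's extension is just a name, but its leading "magic" bytes say what it really is, and a cryptographic hash fixes its identity for later comparison. The following script is an added illustration of that check and is not material from the US Cyber Challenge or its sponsors. The signature table is a small hand-picked subset, the sample files are constructed inline, and the function names are my own.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Hypothetical, deliberately small signature table: format -> leading byte patterns.
# Real examiners use far larger tables (hundreds of formats, offsets other than 0).
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),   # also .docx/.jar/.apk containers
    "exe": (b"MZ",),                         # DOS/PE executables
}

# Extensions that name the same on-disk format as a table key.
ALIASES = {"jpeg": "jpg", "dll": "exe", "docx": "zip", "jar": "zip"}


def identify(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes begin `data`, or None if unknown."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def claimed_format(filename: str) -> Optional[str]:
    """Format implied by the file name's extension, normalised through ALIASES."""
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    return ALIASES.get(ext, ext)


def extension_mismatch(filename: str, data: bytes) -> Optional[Tuple[str, str]]:
    """Return (claimed, actual) when the name and the magic bytes disagree.

    Returns None when they agree, or when either side is unknown to the table:
    an unknown signature is *not* evidence of tampering, only of a gap in the table.
    """
    claimed = claimed_format(filename)
    actual = identify(data)
    if claimed is None or actual is None or claimed == actual:
        return None
    return (claimed, actual)


def hashes(data: bytes) -> Dict[str, str]:
    """Digests an examiner records before touching evidence further."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed sample "files": the second is an executable renamed to look like a photo.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "notes.txt": b"just some plain text\n",
}


def triage(samples: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Run signature and hash checks over every sample; returns a report per file."""
    report = {}
    for name, data in samples.items():
        report[name] = {
            "actual": identify(data),
            "mismatch": extension_mismatch(name, data),
            "sha256": hashes(data)["sha256"],
        }
    return report


if __name__ == "__main__":
    for name, r in triage(SAMPLES).items():
        flag = f"MISMATCH {r['mismatch'][0]} -> {r['mismatch'][1]}" if r["mismatch"] else "ok"
        print(f"{name:12} {str(r['actual']):5} {flag:20} {r['sha256'][:16]}...")
```

Running it flags holiday.jpg as an executable masquerading as a picture, leaves report.pdf alone, and reports notes.txt as unknown rather than suspicious; the distinction between "mismatch" and "not in my table" is the one beginners most often blur.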

Finally, the best of the candidates will be brought into federal agencies like the National Security Agency, the FBI, DoD DC3, US‐CERT, and US Department of Energy Laboratories, all of which are helping to make this program effective.

To enable employers to find promising candidates, the program will include a web site where outstanding candidates from this challenge and other related challenges are illuminated with profiles in common, easy‐to‐assess formats. No names will be provided to ensure candidate privacy, but when reputable employers find candidates.

Wednesday, August 12, 2009

The Security Triad

For those interested in getting into the Information Security field, you must first become aware of the Security Triad. Your goal as an Information Security Professional is to ensure CIA:


  • Confidentiality: information is disclosed only to those authorized to see it
  • Integrity: information and systems are not altered without authorization
  • Availability: authorized users can reach the information and systems when they need them

Social Media, Your Party

For those building a brand: social media should be fun; it's a party among friends of friends. You never have to hear again: "you should have been there". Mix up your conversations so you don't bore your guests, and build your network of people who will tell others about the cool parties you host!

Five Practical Tips for Performing Risk Assessments

I came across CISOHandbook.com and found this site to be very informative and easy to read for Information Security Professionals. The following article stood out and I decided to share it on my blog.

Five Practical Tips for Performing Risk Assessments

by Mike Gentile, Ron Collette, and the CISOHandbook.com Team


Risk Assessments are one of the most powerful tools in the arsenal of the security professional. They provide tremendous value when performed correctly, but can have severely detrimental effects when they are not. This article will provide some quick and easy considerations for getting the most out of them within your environment.

1. Measure the Scope of the Risk Assessments That You are Currently Conducting

Most current security programs conduct some form of risk assessment on a regular basis. The issue arises when all risk assessments are treated as identical. For example, an enterprise-wide risk assessment that focuses solely on risks within applications is vastly different than a risk assessment that evaluates risks associated with the operating system on one server for an individual business unit. Though this may seem obvious, in our experience many people within security programs and especially people outside of them still view risk assessments as the same thing regardless of scope. This can lead to gaps between what is expected of the review (from a risk perspective) and what was actually reviewed. Additionally, this can often lead to difficulties with trending of risk over time, another important item we will talk more about in a minute.

2. Use Risk Assessments to Enable Business Decisions

We believe one of the strongest uses for risk assessments is to provide a business with the right type of information regarding security risks in order to enable informed business decisions. This is the objective of a risk assessment. In your risk assessments, be sure to focus the message so that it can be consumed by those that do not understand the nuances of security. So in other words, put the reports from risk assessments in business speak, not security jargon.

3. Make a Conscious Decision Regarding the Risk Model Employed in the Assessment

This one becomes especially important if your organization relies upon vendors to perform the assessment. Vendors can be valuable in terms of providing the necessary skill-sets, but there are also some downsides. Vendors often bring proprietary risk evaluation techniques and unique nomenclature to their deliverables. The use of unique terms, language, or techniques can add confusion to the message delivery process, particularly for those that are not security focused. A classic example in these situations is the frustration a vendor feels when the client fails to understand the message and value of their work. The other danger to using proprietary risk methodologies and nomenclature is that it commits the organization to its continued use in order to facilitate useful trending information.

4. Focus on the Trending Elements of the Risk Assessment

One of the most important elements of measuring risk is to demonstrate the changes within an organization over time. By the way, we did not make these rules, we bring this one up because we have never, and we mean never, met a Board of Directors or Management Team who have not wanted some type of trending after they review assessment data. It is just the way it is.

Even slight variances in the type of assessment or methodology employed can negatively influence the trending characteristics of the data. When an assessment does not have the capability for trending, it often leads others to question the credibility of the analysis. It can also put you in a bind if you get a request for trending, but can't deliver because of the data you collected or the type of assessment.

When designing an assessment, focus on meaningful forms of measurement that will enable future trending. This is usually best accomplished by taking the time to identify what you want to measure first, and then build an assessment to meet those needs. This should seem simple because it is. When you do not take the time up front, your end result can be much more painful.

5. Ensure the Goal Matches the Approach of the Assessment

Another easy one, but this piece of advice is often missed. Before performing any type of risk assessment, try to establish the primary goals and objectives for the assessment and the future use of the information. A useful technique to aid in this exercise is to identify what you believe the result of the assessment will be for your target audience before performing any work. We have witnessed many occasions where a security officer has gotten themselves into hot water by not considering the end result of their use of an assessment prior to its implementation. They begin by attempting to bring awareness to a security weakness in a particular area, only to find that not only did they get awareness to the issue, but also highly angered the decision makers in that area through the negative publicity. In these situations, if they simply were more careful in how they approached the assessment, either in its design or approach, they could save themselves a lot of unnecessary trouble and make it easier to reach their true assessment goals. By the way, we are not saying that you should avoid the use of risk assessments, in fact quite the contrary. Just be sure to consider your goals for using one and whether the end result of the review will meet those objectives. In other words, think it through or it can be career limiting.


There is obviously a multitude of ways to approach a risk assessment, but hopefully this will provide you a couple of tips to aid your efforts when conducting one for your organization.
