IT Security Blog

Your source for information security news and views.

Recent Posts

  • Why we fail at leveraging technology in education

    Posted by Ken Kousky

    There are three reasons why we fail at leveraging technology in education. First, we are undoubtedly missing the root cause of the systemic failure. It’s not content, it’s context. The content must be made meaningful to the learner. Second, we’ve failed to apply the fat-tail principles of mass customization. Anchoring a concept for a learner is unique to each student. While Khan Academy and the edX initiatives show how expansive the net is for provisioning content, we’re still missing the point that technology must address.

    Finally, learning occurs at specific moments in specific contexts – and this includes space/time issues. Simply put, if my screen and keyboard are the source of massively complex communications systems including email, Facebook, alarms, alerts, notifications, etc., they are by definition the worst possible tool for isolated and focused attention to a complex subject. If you want to study, you need an isolation mode for your computer. If you really ask most of our students why they end up in a live week-long course, it’s for isolation from daily interruptions.

    For technology to make significant changes in our education we need to move the focus from content to context. It’s great to enroll 155,000 students, but success is measured in the output of a system, not the inputs. A 4.6% success rate is a starting point, but it’s also an indicator of the real challenges that lie ahead.

    If modern computer security issues require new competencies in the labor force, our work is cut out for us for years to come.

    Aug 16 Tags: Untagged
  • Learning Through Context

    Posted by Ken Kousky

    What exactly do we mean by context, and why do we believe that teaching based on context is better than teaching based on content?

    By context, I mean three things. First, we need to understand the where/when for studying. We should all know and understand that the "interrupt machines" that drive our always-on communications (PCs, smart phones, tablets) are the very worst possible devices for a learning context until we redesign their flow to function in that context.

    Second, context is the reference point and anchoring that provides relativity and explains new ideas in relation to things the learner already knows. Third, context is the application of ideas, terms or concepts to situations the learner understands.

    When edX can provide learner context, the claim of “revolutionary” will once again belong to Boston. I’m not trying to argue that we do a better job than MIT in our boot camps, but we're not going to make a mark on the educational demands in the security industry until we begin taking the content in the world, often from our most renowned and respected sources, and creating context.

    This context and training is fundamental to technology deployment and adoption. Failure to develop appropriate human capital is also one of the greatest (though frequently ignored) risk factors for most systems. For over three decades, I’ve been involved with early-stage and start-up tech companies. To bring a new technology to market we had to teach new concepts and practices – often to a quite hostile audience. Running worldwide sales at Novell required a global education campaign on what a LAN was, how it might be deployed and its economic benefits. We quickly learned that the shortest path to a sale was to educate our customers, and to do this we had to translate our features and benefits into direct comparisons with mini-computers. We had to anchor these new ideas in a context the customer understood. We had to make the message relevant to the customer. We had to motivate the learner (customer).

    Why were we messing around with PCs and LANs when a mini-computer provides centralized management?

    Why do we ever have to adapt to what's “new” and make changes?

    Without knowing why something is important, without knowing how a concept or idea relates to what you already know, without motivation, it’s hard to make successful changes. It’s hard to learn something new out of context.


  • The Ongoing Revolution in Learning Through Technology

    Posted by Ken Kousky

    Over the past month, thoughts about the education paradigm have been something like the modern 4th of July fireworks — always a big bang and a new twist. I’ve followed the MIT/Harvard edX online class of 155,000 students. I even thought about the incredible process of trying to grade the exams and the student authentication challenges. If you’re not familiar with this project, you should be. MIT launched their intro to electronics class online with 155,000 enrollments! That’s a BIG classroom. Sounds like we’ve hit on an educational breakthrough!

    Well, maybe it's not a complete breakthrough. It turns out that 7,154 completed and passed the course. Our own pass rate on CISSP boot camps is dramatically better than MIT and Harvard’s. In fact, the real fallout came between the open enrollment period and the first exam. If you've ever taught college, you know what the first cut looks like. It's a wake-up call. Here, the class dropped by over 70%! A large audience WANTS to learn, but they need ongoing motivation — coaching, nudging, pushing and cajoling to keep them going.

    What edX did is profound. It’s a radical change in how we think about education globally, but we need to be clear about what we know. We know there's a huge appetite for learning. However, content isn't the constraint. It's context.

     - KWK

  • 5 Key Items to Target When Searching for CISSP Training

    Posted by Brian Edmiston

    The Certified Information Systems Security Professional (CISSP) certification continues to be THE widely recognized credential for broad information security expertise. The certification requires that the student obtain a wide range of security knowledge, making a passing score on the exam challenging regardless of the level of security experience the individual has. The fact that the exam has recently gone online does not make it any less challenging.

    If you are the type of individual who prefers instructor-led training over other methods of learning, then you need to consider the following items when searching for a good training partner. We have heard many stories of students who have paid for training programs that just have not worked for them. This isn’t necessarily due to a poor training program, but rather because the training style or option was not suited to the way they learn.

    There are, however, a few items we believe you should look for when exploring instructor-led training options:

    1. Ensure the course meets your learning needs.
    The course needs to provide a solid foundation of security knowledge mapped to the domains of the Common Body of Knowledge (referred to as the CBK). Make sure that the course has relevant, updated materials. Find out what book is being used and whether or not the instructor includes custom content. Find out what the custom content consists of and whether or not it meets your needs. Some providers offer a pre-training program as well that will definitely help to prepare you for the upcoming classes. Be sure to take advantage of any additional materials being offered, but ensure they are updated frequently.

    2. Validate instructor credentials.
    Instructors need to be able to teach all of the security domains adequately. Make sure the instructor is an expert in all the security domains: check certification credentials, obviously, but also find out how long they have been teaching and where they have worked in the past and gained their knowledge.

    3. Evaluate the supplementary study materials.
    With the amount of information you will need to cover for the CISSP, you will need to review the material you have learned. Make sure that the training provides you with supplementary review materials and strategies on how to study in order to answer the exam questions more effectively. The exam content can be tricky, and understanding the types of questions asked and how to study in order to prepare is key. The exam can be quite subjective in nature, and you will need to understand how to determine the best answer out of four equally good answers.

    4. Make sure mentoring and practice exams are part of the course.
    Make sure that the course includes plenty of practice opportunities. Instructors should be able to provide you with additional practice test questions and/or mentor you through some of the questions and provide tips and tricks, so you get a feel for the type of questions and how to answer them effectively.

    5. Choose a company that stands behind its guarantee.
    Figure out what kind of guarantee it is and for how long the guarantee is actually valid. Depending on the training provider, a guarantee will not necessarily give you your money back, but if the training provider stands behind its guarantee, it will let you take the class again and will go beyond that to provide you with mentorship and additional materials to ensure your success.

  • Understanding Risk - a 5-step risk management strategy

    Posted by Ken Kousky

    So, what is risk? What does it mean? We can define risk as the possibility that bad, unplanned or unexpected things happen. It implies, most often after the fact, that something could have been done about the “risk” to prevent the bad things. In many of the most disastrous events, there were clear warnings and a multitude of actions that should have been taken.

    Risks can be mitigated. Risky activities can be reduced and safeguards can be implemented. Why then do we continue to see disastrous events in the papers that could have been avoided? Simply put, Western societies seem to have forgotten about risk. We ended the twentieth century with a growing belief that all of the critical issues of the world had been solved. Resources would be efficiently allocated through free competitive markets and social issues resolved by the universal adoption of democratic practices. But this myopia, which took fifty years to develop, will likely take more than a decade to change, and many organizations don’t have the resources to manage it effectively.

    So, where do we start? We believe it should become an automated process. Identify and develop some key fundamental steps to help define your risk management strategy. Keep it simple at the beginning so you can measure and mitigate effectively and develop a more detailed plan as you learn and identify more risks.

    Steps in a simple risk management strategy:

    1. Identify the potential risks. List all of the different scenarios that could potentially go wrong.
    2. Develop a measurement tool to gauge the impact and severity of each risk. Ask yourself what the probability of the risk happening is and what the impact would be.
    3. Develop alternative solutions to the various risk scenarios. Identify the possible ways to mitigate each risk while measuring their effectiveness against budget restrictions.
    4. Determine the remediation solutions to be used and implement them. Allocate the needed resources and obtain management buy-in.
    5. Continuously monitor results. Develop a monitoring schedule; you must check frequently to ensure your plan is working. Identify any needed changes or updates based on threat and risk assessment criteria.
    Jul 11 Tags: Untagged
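    The five steps above, worked through as an added example that is not part of the original post: a small risk register in Python with a constructed 1–5 probability and impact scale, a score of probability × impact (step 2), a choice of safeguards that maximizes risk reduction within a budget (steps 3–4), and a check that re-flags risks whose observed incident counts exceed their assigned probability rating (step 5). The risks, costs, ratings and the rating-to-incident mapping are all constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import product


# Constructed 5x5 scale: probability and impact each rated 1 (lowest) to 5 (highest).
@dataclass
class Mitigation:
    name: str
    cost: int                  # constructed budget units
    residual_probability: int  # rating once the safeguard is in place
    residual_impact: int


@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    options: list = field(default_factory=list)  # candidate safeguards (step 3)

    @property
    def score(self):
        """Step 2: the measurement tool, probability x impact."""
        return self.probability * self.impact


# Step 1: the register of scenarios that could go wrong (constructed examples).
REGISTER = [
    Risk("Ransomware on file server", 4, 5, [
        Mitigation("Offline backups + restore drills", 30, 4, 2),
        Mitigation("EDR on all endpoints", 60, 2, 3),
    ]),
    Risk("Data centre flood", 1, 5, [
        Mitigation("Second-site replication", 80, 1, 2),
    ]),
    Risk("Phishing credential theft", 5, 3, [
        Mitigation("Phishing-resistant MFA", 40, 5, 1),
        Mitigation("Awareness training", 10, 4, 3),
    ]),
    Risk("Lost unencrypted laptop", 3, 3, [
        Mitigation("Full-disk encryption policy", 15, 3, 1),
    ]),
]


def rank_risks(risks):
    """Step 2: highest score first, so the worst scenarios get attention first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def plan_mitigations(risks, budget):
    """Steps 3-4: choose at most one safeguard per risk so that the total score
    reduction is maximal without exceeding the budget.

    The register is small, so an exhaustive search over all combinations is fine;
    a real register with hundreds of entries would need a knapsack-style solver.
    Returns (chosen safeguards by risk name, total reduction, budget left)."""
    best = ({}, 0, budget)
    option_lists = [[None] + r.options for r in risks]  # None = accept the risk
    for combo in product(*option_lists):
        cost = sum(m.cost for m in combo if m)
        if cost > budget:
            continue
        reduction = sum(r.score - m.residual_probability * m.residual_impact
                        for r, m in zip(risks, combo) if m)
        if reduction > best[1]:
            chosen = {r.name: m.name for r, m in zip(risks, combo) if m}
            best = (chosen, reduction, budget - cost)
    return best


def reassess(risks, incidents_last_year):
    """Step 5: monitoring. Flag risks whose observed incident count is higher than
    the assigned probability rating was meant to cover, so the rating gets revisited."""
    # Constructed mapping: most incidents per year each rating is meant to cover.
    max_incidents = {1: 0, 2: 1, 3: 2, 4: 5, 5: float("inf")}
    return [r.name for r in risks
            if incidents_last_year.get(r.name, 0) > max_incidents[r.probability]]


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score:>2}  {r.name}")
    chosen, reduction, left = plan_mitigations(REGISTER, budget=100)
    print("Plan:", chosen, "reduction:", reduction, "budget left:", left)
    print("Re-assess:", reassess(REGISTER, {"Lost unencrypted laptop": 4}))
```

    With a budget of 100, the plan picks offline backups, phishing-resistant MFA and full-disk encryption (a reduction of 28 for a cost of 85), accepts the flood risk, and four lost laptops in a year push that risk back onto the review list even though a safeguard is planned for it.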

Recent Posts

  • Fool me once shame on you, fool me twice shame on you

    Posted by Ken Kousky

    It looks as though 2012 is not only gearing up to be the year of cloud computing and healthcare information security concerns but also the year of continued phishing attacks and scams. Here is my most recently received scam (among the many other banking phishing attacks that roll in on a daily basis). It seems I have won the Texas Lottery, again!

    These scams are much simpler to spot than some of the most sophisticated phishing scams I have seen. Take a look at a few of the key indicators:

    1. In this cyber world I guess it only makes sense that they begin running a lottery based on email addresses, right?

    2. I am addressed as Stake Winner – you would think that my winning $800,000.00 would at least warrant a name lookup by the Texas Lottery Commission.

    3. Google Translate is getting pretty good, but not good enough to correct the grammar in this awkward message.

    4. Wait a minute, this isn’t Texas – I’m not even a resident of Texas, nor have I entered the Texas lottery lately.

    5. Oh, of course, that makes perfect sense: a Texas lotto claims agent, located in the United Kingdom, with only a Gmail email account.

    6. Dr. Roseline Morgan, Director of the Texas Lottery Commission? Yes, absolutely, I sure wouldn’t trust my lotto commissioners to hold anything less than a doctorate (hmm, odd, she seems to enjoy signing her name “Morgan Lewis”).

    Although this is a weak example of an online scam, the excitement of a lotto winning can sometimes cause all logic to go out the window. Check back as I’ll be updating you periodically on this year’s newest phishing attacks and how to avoid being duped.

    Jan 25 Tags: attack, phishing
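    The indicators listed above, turned into a small checker as an added example that is not part of the original post: a Python function that reports which of the post's tell-tales a message triggers (a free webmail sender claiming to be a lottery or commission, a generic salutation, a prize "drawn" on an email address, a large prize amount, a reply address that differs from the sender, and a signature signed with two different names). The grammar check from indicator 3 is left to the human reader. Both sample messages are constructed, modelled on the scam described in the post; the regular expressions are rough heuristics, not a spam filter.

```python
import re

# Constructed sample message, modelled on the lottery scam described in the post.
SAMPLE_SCAM = {
    "from": "Texas Lottery Claims <texaslotto.claims@gmail.com>",
    "subject": "CONGRATULATIONS STAKE WINNER",
    "body": (
        "Dear Stake Winner,\n"
        "Your email address was select in our Texas Lottery email draw and you has won\n"
        "the sum of $800,000.00. To claim your prize contact our claims agent in the\n"
        "United Kingdom at agent.texaslotto@gmail.com.\n"
        "Sincerely,\n"
        "Dr. Roseline Morgan\n"
        "Director, Texas Lottery Commission\n"
        "Morgan Lewis\n"
    ),
}

# Constructed benign message for comparison.
SAMPLE_LEGIT = {
    "from": "Alice Example <alice@example.com>",
    "subject": "Lunch on Thursday",
    "body": "Hi Bob,\nAre you free for lunch on Thursday?\nRegards,\nAlice Example\n",
}

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
ORG_WORDS = re.compile(r"\b(lottery|lotto|commission|bank|treasury|claims)\b", re.I)
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(stake\s+)?(winner|customer|user|friend|beneficiary|sir/madam)\b",
    re.I | re.M)
EMAIL_DRAW = re.compile(r"email\s+address.*?\b(draw|selected?|won|winner)\b", re.I | re.S)
PRIZE_AMOUNT = re.compile(r"[$£€]\s?\d{1,3}(,\d{3})+(\.\d{2})?")
EMAIL_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NAME_LINE = re.compile(r"^(?:(?:Dr|Mr|Mrs|Ms)\.\s+)?([A-Z][a-z]+(?:\s+[A-Z][a-z]+)+)$")
CLOSING = re.compile(r"^\s*(sincerely|regards|yours)\b", re.I)


def sender_address(from_header):
    """Bare address from a 'Display Name <user@domain>' header."""
    m = EMAIL_ADDR.search(from_header)
    return m.group(0).lower() if m else ""


def signature_names(body):
    """Distinct personal names in the signature block (lines after a closing such as 'Sincerely')."""
    lines = body.splitlines()
    closings = [i for i, line in enumerate(lines) if CLOSING.match(line)]
    if not closings:
        return set()
    names = set()
    for line in lines[closings[-1] + 1:]:
        m = NAME_LINE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def phishing_indicators(msg):
    """Return the names of the indicators the message triggers, in a fixed order."""
    hits = []
    body = msg["body"]
    sender = sender_address(msg["from"])
    domain = sender.rsplit("@", 1)[-1]
    # A free webmail account claiming to speak for a lottery, bank or commission.
    if domain in FREEMAIL_DOMAINS and ORG_WORDS.search(msg["from"]):
        hits.append("freemail_sender_claims_organization")
    # "Dear Stake Winner" instead of the recipient's name.
    if GENERIC_SALUTATION.search(body):
        hits.append("generic_salutation")
    # A prize "drawn" on an email address rather than on a purchased ticket.
    if EMAIL_DRAW.search(body):
        hits.append("lottery_drawn_on_email_address")
    if PRIZE_AMOUNT.search(body):
        hits.append("large_prize_amount")
    # The reply is steered to a different mailbox than the one the message came from.
    contacts = {a.lower() for a in EMAIL_ADDR.findall(body)}
    if contacts and sender not in contacts:
        hits.append("reply_address_differs_from_sender")
    # The signature block is signed with two different names.
    if len(signature_names(body)) > 1:
        hits.append("inconsistent_signature_names")
    return hits


if __name__ == "__main__":
    print("scam :", phishing_indicators(SAMPLE_SCAM))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```

    The scam sample trips all six checks while the benign sample trips none; in practice a checker like this is a triage aid that tells a user which questions to ask, not a verdict, and a well-crafted phishing message will avoid most of these tells.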
  • Trouble keeping up with the industry? IP3 Inc.’s CPE ToGo Program is here to help

    Posted by Ken Kousky

    The past year has been plagued with a variety of new attacks, the most influential being Operation Shady RAT and its attack on over 70 organizations, the theft of RSA’s SecurID data, and the DigiNotar hack that resulted in the compromise of numerous SSL certificates. All of these attacks have one thing in common: they are all Advanced Persistent Threats (APTs). APTs are a new breed of attack taking the IT industry by storm. They are carefully monitored, resilient to defense, polymorphic and incredibly successful. But these attacks are after much more than a few SecurID tokens or SSL certs; the true target is the information these assets allow their attackers to access. With one SSL cert, attackers are able to spawn an unlimited number of fake websites and lure in unsuspecting victims who submit valuable personal data and banking data to the false pages, without warning, without suspicion. This information is then used for political and financial gain, all fueling the machine and allowing further attacks to break down the fragile system we all hold dear.

    APTs are one of many emerging threats on the front lines of IT security. Other hot topics in the industry include cloud computing security, new challenges in cryptography, and emerging exploits. Even the business-related aspects of IT are changing rapidly, such as the many improvements to be made to risk management procedures, all influenced by the recent natural disasters on the East Coast along with the 10-year anniversary of 9/11.

    So many emerging topics, so little time.

    But there is hope for security professionals. IP3 now offers an all-new way for security professionals to learn about all of these emerging threats and technologies and at the same time keep up their certifications by earning valuable CPEs, all for an incredible price, wrapped up in a package that fits the lifestyle of even the busiest IT security professional: IP3 Inc.’s industry-first CPE ToGo program.

  • So much for the chain of trust

    Posted by Patrick Snyder

    We all know digital certificates are meant to keep us safe while browsing the web. They are installed on our systems from birth, require digital signatures to be altered, and establish a supposedly unbreakable chain of trust. But what happens when that chain of trust is in fact compromised? What happens when a digital certificate falls into the wrong hands?

    Hackers have recently obtained Google’s digital SSL certificate from DigiNotar, a Dutch certificate authority. Proof of this valuable takeover has already been flaunted on pastebin.com. It is still unclear how the certificate was obtained. There may have been a breach of DigiNotar’s website allowing access to the certificate, or there may have been a lack of oversight by DigiNotar. Either way, this event presents a significant security risk to users.

    This certificate gives the hackers a trusted reputation for each of Google’s many services, including Gmail, Google search, and Google Apps. This would easily allow them to poison DNS addresses and launch a massive spam attack that relays victims to false sites, then use these sites to compromise users’ accounts through a man-in-the-middle attack.

    According to security professionals, based on the information posted on Pastebin, the certificate is in fact valid. This leaves endless possibilities for the hackers to exploit the certificate. Also, since the certificate is valid, users will not be shown a warning message, even if they are on a malicious site posing as Google.

    Google is expected to quickly patch Google Chrome’s certificates and will most likely urge Microsoft, Mozilla, Apple, and others to follow in their footsteps for the safety of the internet.

  • Earthquakes, Hurricanes, and a Crumbling Infrastructure

    Posted by Patrick Snyder

    The recent 5.9-magnitude earthquake in Mineral, VA was a complete surprise to those within its reach. Although damage was minimal, this still reminds us of the importance of disaster recovery and business continuity planning. So far reports show only minimal injuries, a safety shutdown of local nuclear plants, and some cell network disruption. These effects are minor compared to other major disasters. The most important thing we must take from this event is that these things can happen anywhere and everyone must be prepared.

    Your office may not be near a fault line, in tornado alley, or along a hurricane path, but these natural events do deviate from their means from time to time. In a way there is no 100% safe place to be. It is always good practice to plan for every disaster possible and not just those that are common for your area.

    This also raises some questions regarding the placement of our disaster recovery providers. Chances are your disaster recovery provider has chosen a backup location that on a normal day is exposed to minimal risk of disaster. They probably claim this location has been chosen due to its low risk factor and generally safe environment. But as I just stated, there is no end-all, be-all safe haven for data and IT centers to set up shop. So what happens if your disaster recovery provider is knocked out by a natural disaster? Do you have a backup for your backup?

    On another side of the story, the Tuesday quake may not have thrown any industries into disaster recovery mode, but it did shed light on the aging infrastructure throughout cities along the East Coast. Disaster recovery plans can help to rebuild and enable business continuity after a damaging event; however, they do not generally take into account the fragility of the infrastructure currently in place. Many disaster recovery plans would be much less likely to be activated if the infrastructures they are set up for were solid and secure from the start.

    With Hurricane Irene bearing down on the East Coast within the next week, we can only hope the minor damage already done by the quake is not magnified by the hurricane. Be prepared, batten down the hatches, and have your disaster recovery and business continuity plans ready.

  • Amazon takes aim at cloud compliance issues with GovCloud

    Posted by Patrick Snyder

    Compliance is never easy, and cloud computing only adds to the challenge of keeping up with standards and regulations. Until now, U.S. government agencies have found it difficult if not impossible to get their sensitive information onto the cloud despite federal programs aimed at doing just that. The issue has always been compliance and security. The management of sensitive data has strict regulatory requirements that must be followed in order to protect the information.

    Two of those important regulatory requirements are location and access control. Sensitive data from U.S. agencies is required to be stored within U.S. boundaries and to be accessible only by users residing within the U.S. With most cloud services spanning a few continents, the challenge of keeping that data contained is nearly impossible.

    Amazon Web Services hopes to defeat this challenge with its newly announced GovCloud offering.

    A description from Amazon Web Services about GovCloud:

    AWS GovCloud is an AWS Region designed to allow US government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. Previously, government agencies with data subject to compliance regulations such as the International Trade and Arms Regulation (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons. Because AWS GovCloud is physically and logically accessible by U.S. persons only, government agencies can now manage more heavily regulated data in AWS while remaining compliant with strict federal requirements.

    The new service is also compliant with FISMA, SAS-70, ISO 27001, PCI DSS Level 1, and HIPAA, and offers FIPS 140-2 compliant end points. This will most definitely make compliance auditing far less daunting and increase the security of data in the cloud. Hopefully this new service will lead more federal agencies to begin joining the cloud movement and finally begin to fulfill the goals outlined in Vivek Kundra's Federal Cloud Computing Strategy.
