Even though cybersecurity considerations have become part of the mergers and acquisitions (M&A) process, data breaches remain commonplace at acquired companies, raising suspicions that cybersecurity doesn’t get as much attention as it should, according to a recent TechCrunch article. “The fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats,” the article says. The author makes it a point to mention that “past or potential cyber threats are no longer ignored... Continue reading

The nonprofit Center for Cyber Safety and Education (Center) launched a new “Garfield Virtual” internet safety program for distance learning. “Schools worldwide are choosing to continue their classes online. This poses two challenges: looking for quality online educational programs and teaching vital internet safety to students. Garfield for virtual classrooms does both,” says Patrick Craven, Director of the Center. Garfield Virtual allows teachers to introduce digital citizenship education in a fun and engaging environment without having to acquire additional software. The program is based on the Center’s printed award-winning Garfield’s Cyber Safety Adventures Educator Kit targeting children ages 6 to... Continue reading

While election security has been a concern for many countries, the possibility of cybersecurity threat impacting the U.S. presidential election is of top concern. (ISC)² member Dr. Carnell Council, CISSP addresses the multiple steps in the voting process that could face vulnerabilities and how each step can be better secured. With different systems, networks and devices come a different set of vulnerabilities. Dr. Council's full article can be found in Security Magazine. Continue reading

As published in the July/August 2020 edition of InfoSecurity Professional Magazine By Michael M. Hanna, CISSP Defenders of the cyber domain carry a significant weight because of the demands placed upon them. In addition to the technical skills needed to protect companies and entire communities, cybersecurity professionals must have the know-how to protect information systems and data that support national security requirements, critical infrastructure and/or sensitive customer details. Our actions directly serve to protect and sup-port our families, significant others, friends and colleagues. These responsibilities surely carry a weight for us all and incur considerable stress. How could they not?... Continue reading

Cybercrime is one of the greatest threats to business Security breaches are becoming more targeted and costly. IBM estimates that the average cost of a data breach in the United States being $8.19 million. In the U.K., the government’s Cyber Security Breaches Survey 2019 shows that one in three businesses (32%) suffered an attack or breach in the previous 12 months. As businesses adopt emerging technologies to boost their productivity, enhance collaboration and minimize spending, they open themselves to new risks and challenges. The overall business risk has increased because of the expanding threat landscape. Cyber criminals are also leveraging... Continue reading

Last month we announced our keynote speakers for Security Congress – Bruce Schneier, Graham Cluley and Juliette Kayyem – and now the full agenda has been released! As you get excited for the first ever virtual Security Congress, let’s take a look back at a few of our top sessions from 2019. Getting Started with SDL Steven B. Lipner, CISSP, who is the Executive Director for SAFECODE, shared how practitioners can use the security development lifecycle (SDL) if they’re operating in small-to-midsized organizations. The Future of Digital Identity in the Era of Digital Transformation With digital transformation being a top... Continue reading

As published in the July/August 2020 edition of InfoSecurity Professional Magazine By Deborah Johnson How to stay sane and manage stress during a most unusual time, no matter where you live and work. Every day, cybersecurity professionals face pressure, from the daily demands of protecting data and people’s privacy to the worst-case scenarios of a breach’s financial and reputational repercussions. That’s nothing we didn’t already know. But what’s changed in the past six months is the level and severity of those demands since the world’s response to COVID-19 required companies, citizens and cybersecurity professionals to abruptly pivot in almost all... Continue reading

The (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) certification has earned a place in a list of 10 IT certifications with the most increased value over the past year. Researcher Foote Partners collected compensation data from more than 3,300 employers in the U.S. and Canada to compile the list as part of its 2020 IT Skills and Certifications Pay Index report. The index calculates certification value based on the percentage of salary that accounts for a certification. CSSLP holders earn 13% on top of their base salary, according to the research. The index gives holders – or those planning to... Continue reading

Alert fatigue, password change resistance, and poor cyberhygiene are just a few of the challenges that security specialists face. Human beings do not like being forced into habits, even when it is for their own well-being or that of the organization they work for. It’s a quirk of human nature that we have a hard time contemplating abstract notions of danger, especially when it’s introduced to us by others. Humans are guided in part by instinct and reflex. So if we cannot perceive danger through our physical senses, then we cannot process it accurately. When it comes to cyberhygiene activities,... Continue reading

The Catch-22 that has affected the cybersecurity profession since its inception remains a serious problem, according to a newly released report. To get a job in cybersecurity, many organizations require hands-on experience, but gaining that experience requires having a previous cybersecurity position in the first place. This conundrum is a challenge cybersecurity talent is fighting to overcome. The report is based on a study of 327 cybersecurity professionals in late 2019 and early 2020 by the Enterprise Strategy Group (ESG) for the Information Systems Security Association (ISSA). The findings underscore the need for more training and certification, and more creative... Continue reading

In a world that is constantly changing, the immediate future of emerging technologies looks exciting and promising. Rapid advances over the next five years may help humanity solve some of the biggest challenges like the climate crisis, our ability to cure illnesses, understanding the universe and our microcosmos, and improving productivity through business automation. Despite the obvious benefits technology brings, it has also created many cybersecurity and privacy challenges. The overall business risk has increased because of the changing and expanding threat landscape. Cyber criminals are also leveraging these technologies to launch their malicious actions, which are more sophisticated than... Continue reading

By Paul Lanois, SSCP, CIPP, CIPT, CIPM On Tuesday, July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it has brought its first enforcement action pursuant to the NYDFS Cybersecurity Regulation against a large title insurer, First American Title Insurance Company (“the Company”), alleging multiple failures to protect their consumers' sensitive personal information. According to the Statement of Charges and Notice of Hearing issued by the NYDFS, the Company maintained a database with millions of documents containing sensitive personal information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts,... Continue reading

Cybersecurity is becoming increasingly important as more businesses collect, share, and use more and more data as part of their practices. The news headlines have been dominated by security incidents affecting the personal data of millions of people around the world. The importance of cybersecurity is underscored by the cost of a breach, with IBM estimating the average cost of a data breach in the United States being $8.19 million. Zero unemployment is not a dream! The cybersecurity industry has a zero percent unemployment, which make it an attractive statistic. It certainly is a great reason for everyone, either IT... Continue reading

As we look forward to (ISC)² Security Congress 2020 on November 16-18, we are continuing to highlight a few of last year’s sessions to review so you know what to expect for the upcoming digital conference. You can also earn CPEs for viewing these sessions if you weren’t able to attend last year’s conference. Trends in Cloud Security: Where We're Going, We Don't Need Roads Cloud security remains one of the most popular tracks at Security Congress. In this session, Liz Tesch from Microsoft examines the current state of security in a hybrid cloud environment, discusses cloud security tools and... Continue reading

Software glitches like the Y2K bug and its recent echoes, such as the New York City parking meter failure serve to remind us of the complacency that often settles into organizational culture, and which allows security threats to turn into full-on failures. The New York City parking meter failure was soon eclipsed by the enormity of the COVID-19 pandemic, which has occupied the world’s attention ever since. But this story should not be forgotten, because it has roots that extend far back into the past and – more importantly – has serious implications for computing and threat management far into... Continue reading

By AJ Yawn, CISSP Introduction Amazon Web Services (AWS) is the market-leading cloud service provider for many reasons. One of the reasons for its market share is the breadth and depth of security services available to organizations hosted on AWS. With new services being released almost daily, it is understandable for security practitioners to get lost in the many options to secure your AWS account. AWS CloudTrail is one of these services that are commonly underused but fairly simple to set up and critical for security governance, detection, and incident response. What is CloudTrail, and Why Does it Matter? AWS... Continue reading

As published in the May/June 2020 edition of InfoSecurity Professional Magazine. BY JASON McDOWELL, CISSP Companies from all industries are looking for qualified cybersecurity professionals to fill the skills gap in their current workforce. Demand is high, and many companies are willing to pay top dollar to those who possess the skills they need. With this high-demand, high-paying environment, what could go wrong? Plenty. With the exception of companies that specialize in information security, accurate valuation of the cybersecurity role in many companies is still very challenging, and many managers lack even a basic understanding of what cybersecurity professionals do... Continue reading

Professionalizing the world of cybersecurity education and training is a major focus area for the UK Government, especially in the new realities we find ourselves in. It included plans in its National Cyber Security Strategy in 2016 to develop the cyber security profession, including creating a UK Cyber Security Council to focus on professional development, professional ethics, thought leadership, influence and outreach. Late last year, the Department for Digital, Culture, Media and Sport commissioned the creation of the Council through a consortium of cyber security professional bodies – including (ISC)² –known as the Cyber Security Alliance. (ISC)² has been diligently... Continue reading

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP and John Martin, CISSP-ISSAP In February 2020, we put together our thoughts on Security Predictions for the upcoming year in a two-part series (Part 1, Part 2). Little did we know that COVID-19 would happen and change the way that folks work in our organizations, nor we as security practitioners work. In our original blog, we suggested that the following issues would be of concern to the industry: Data Privacy changes Lack of secure coding practices 5G and WiFi-6 Phasing out passwords Lack of perimeters Backups and their role with ransomware We believe... Continue reading

As published in the May/June 2020 edition of InfoSecurity Professional Magazine. By Anne Saita In 2012, a Fortune 500 oil and gas company joined the early adopters migrating assets and business processes to “the cloud.” Corporate executives’ biggest security concern then was the potential for a rogue administrator from a chosen cloud service provider to pilfer all of its data. “That was the big fear at the time,” explained Jon-Michael C. Brook, CISSP, CCSK, a principal at Guide Holdings who consulted with the company during its initial cloud migration. “They weren’t as worried about errors that they might make; they... Continue reading

As we look forward to (ISC)2 Security Congress 2020 on November 16-18, we are continuing to highlight a few of last year’s sessions to review so you know what to expect for the upcoming digital conference. You can also earn CPEs for viewing these sessions if you weren’t able to attend last year’s conference. Preparing for Cyber War: Learnings from Responding to Disruptive Breaches Charles Carmakal and Jermey Koppen, both from Mandiant, share real world case studies of threat actors and their motivations of money, fame and power. They share the importance of investigating attacks by both internal and external... Continue reading

If you’re looking for ways to fulfill your CPE requirements, it doesn’t get much more convenient than the Professional Development Institute (PDI), a portfolio of timely and relevant continuing education courses that are provided to (ISC)2 members as part of their membership benefits. The latest addition – available now – to the on-demand library of 36 courses is a Lab course titled “Security Analysis with SPARTA,” which is aimed at security practitioners and anyone looking to implement the penetration testing execution standard (PTES) and the tools and processes found within SPARTA and security assessment tools. SPARTA’s design automates many common... Continue reading

By AJ Yawn, CISSP FedEx. Booz Allen Hamilton. Republican National Committee. Dow Jones & Co. Verizon Wireless. Time Warner Cable. WalMart. These eight organizations all have the same thing in common: Leaky S3 buckets that were misconfigured and exposed sensitive customer data. Amazon S3 (or Simple Storage Service) bucket misconfigurations and breaches continue to show up in cybersecurity publications. A disappointing fact considering how newsworthy these breaches have been. Amazon S3 is an object storage service on Amazon Web Services (AWS) that provides customers with infinitely scalable and durable storage for websites, mobile applications, backup and restore, and many other... Continue reading

We recently announced that this year’s (ISC)² Security Congress will take place entirely virtually. The decision was made as COVID-19 cases continue to surge around the globe in the interest of safety of attendees, speakers, sponsors and staff. This year’s event will include three days of sessions from top security experts November 16-18. We’ll announce the sessions – including the timing of the programming – soon, but in the meantime, many sessions from the 2019 event are available online completely free. Get a taste of what Security Congress 2020 will have to offer, while getting ahead on your CPEs by... Continue reading