Posts

Understanding Vulnerability, Threat & Risk

Consider the following two examples: There is an office building where there are no physical security controls. There is no perimeter wall surrounding the building. On entry, you are not asked for any proof of identification. There is no baggage scanner. An e-commerce company has around 50 computers in an office through which it manages its back-end operations. The systems are not connected to the Internet, and hence no anti-virus solutions are installed on them. Moreover, anyone can log in to these systems, as there is no authentication mechanism (simply stated: no username or password) required to log in. What do you make of the above scenarios? I sense that you understand that in both situations there is a risk to the building and to the company. Let’s understand the definitions of the three most commonly used terms in information security. Vulnerability – Weakness. In other words, the inability to withstand the effects of a hostile env

8 Important Cybersecurity lessons to learn from Avengers

1. Security isn’t just one person’s responsibility – To be truly effective, we need to develop a culture of security that turns it into a company-wide effort. In most organizations, it is believed that security is the responsibility of either the security administrator or the chief security officer. In fact, it is the responsibility of everyone in the organization, from the foot soldier to the king. 2. Hackers hail from all over the world (maybe even beyond) – Your attacker can come from any part of the world. The organization can be attacked from anywhere, and the threat is not limited to the district, state, or country your organization is based in. After all, Thanos was not from this world at all, and he still wanted something from Earth. 3. You need to be a team player – The security team needs to work with various cross-functional teams to achieve results. The Avengers are what a team means: you need to be a team player and set aside your differences to ensur

Blog Updates for the Reader

Thank you for being a part of this journey with me. Your love and affection have helped me to continuously improve myself and write about information security, both in general and in relation to the CISSP and SSCP exams. I have been thinking about the future course of this blog, and based on an analysis of the previously published posts and readers’ feedback through various channels, going forward the blog will be organized into the following major categories. 1. Opinion – A column where I share my viewpoints with relevant examples. 2. Technology/Cybersecurity Series – A 3- to 5-part series on upcoming technologies and process improvements, to help you understand the technology or process in a simple manner and then prompt you to think about the security concerns in those topics. 3. Exam Related Updates / Course Content – All details about exam updates and happenings, and the entire course material for the SSCP & CISSP exams, will be posted

CISSP Domain 8 Changes - 2018 vs 2015

Domain 8 also sees very little change in terms of course content. 2015 Exam Outline 2018 Exam Outline Understand and apply security in the Software Development Life Cycle (SDLC) Development methodologies Maturity models Operation and maintenance Change management Integrated product team Understand and integrate security in the Software Development Life Cycle (SDLC) Development methodologies Maturity models Operation and maintenance Change management Integrated product team #No Change Enforce security controls in development environments Security of the software environments Security weaknesses and vulnerabilities at the source-code level Configuration management as an aspect of secure coding Security of code repositories Security of application programming interfaces Identify and apply security controls in development environments Security of the software environments Configuration

CISSP Domain 7 Changes - 2018 vs 2015

As you will see below, there is almost no change in content for this domain. Subjects such as Industry Standards, Asset Management, and Duress have been added. 2015 Exam Outline 2018 Exam Outline Understand and support investigations Evidence collection and handling Reporting and documenting Investigative techniques Digital forensics Understand and support investigations Evidence collection and handling Reporting and documentation Investigative techniques Digital forensics tools, tactics, and procedures #No Change Understand requirements for investigation types Operational Criminal Civil Regulatory Electronic Discovery Understand requirements for investigation types Administrative Criminal Civil Regulatory Industry standards #No Change. Removal of e-discovery. Conduct logging and monitoring activities Intrusion detection and prevention Security Information and Event Manage

CISSP Domain 6 Changes - 2018 vs 2015

Overall Result: Extremely Minor Changes 2015 Exam Outline 2018 Exam Outline Design and validate assessment and test strategies Design and validate assessment, test, and audit strategies Internal External Third-party #Minor Change Conduct security control testing Vulnerability assessment Penetration testing Log reviews Synthetic transactions Code review and testing Misuse case testing Test coverage analysis Interface testing Conduct security control testing Vulnerability assessment Penetration testing Log reviews Synthetic transactions Code review and testing Misuse case testing Test coverage analysis Interface testing #No Change Collect security process data (e.g., management and operational) Account management Management review Key performance and risk indicators Backup verification data Training and awareness Disaster Recovery (DR) and Business