The IT Detective – Tale of a data breach

November 21, 2017 at 5:03 pm | Posted in cybersecurity, Knowledge

Of all the IT detective agencies in all the towns in all the world, she walked into mine. She was blonde, beautiful, and had eyes so blue they would scorch your soul. And I knew just how much that would hurt. See, I was in love with her once. Hey, maybe I’m still in love with her. How could I not be? She knew her way around a secure IT password policy and she worked for a major credit reporting agency. Even though she was the life of the party, I knew she was all business where it counted.

One look at her and my heart started banging like a bad platter on a Seagate hard drive, but I knew I had to play it cool. “Hello, pretty lady.” I said. “What brings you to my office?”

“Hi there, handsome fella’,” she replied. “I hear you’re investigating that big data hack from September. I figured I’d come looking for you before you came looking for me.”

“A lot of people’s Personally Identifiable Information (PII) was stolen,” I said. “People were outraged. They were mad, and they want answers. They want to know why it happened, and what to do next. And I want to give them those answers.”

“Well, I don’t work for Transfaxian anymore. And I had nothing to do with that data breach,” she insisted. “I just want to help you help the people who got hurt.”

She said she had nothing to do with it, but the timing of her departure was a little too coincidental. Still, if she was willing to sing, I was willing to play backup, so I invited her to Sam’s Pub to tell her story.


When she walked into the bar, she lit that dark room up like the activity lights on an overworked Cisco router. Sam poured us some drinks, I tossed him a quarter for the jukebox, and he played our favorite song. It was time to grill this pretty lady. Did I have an axe to grind? Maybe I did. We were a nice couple for a while, but work got in the way.  I spent so much time investigating data breaches that it affected me day and night. How could it not? Who can sleep when their PII is being sold on the dark web?

I was stuck in a dark cloud and depressed.  She got tired of being ignored, and kicked me to the curb. But before the first question came out of my mouth, she flashed me a smile. You know, the smile that melts the most frozen of hearts and makes you feel at ease. The last time I smiled like that, I’d just pulled off a flawless two-day security audit.

“So,” I said. “Why were the hackers able to get the Social Security numbers, birth dates, addresses and some driver’s license numbers?”

“I just know what I read in the papers,” she said. “They knew there was an unpatched flaw with Apache Struts CVE-2017-5638, but their own security team couldn’t find the flaw to fix it.”

“So they knew!” I nearly yelled. I knew she hated black olives, zero-day attacks, and unpatched servers, and when I raised my voice, I could see tears in her eyes.

“Yes, they knew,” she whispered. “But I was just another hard-working sales person trying to make a quota.”

She was one of the best sales people ever; she once sent me a postcard from Cancun after she won a sales contest. I knew this lady could pull the wool over my eyes if I wasn’t careful.

“Did you always use two-factor authentication?” I asked carefully. “When you logged into your computer or a company website, did you have to enter a username and password plus a random 4-8 character one-time code?”

She frowned. “No, I just put in my username and password when I booted up my computer or logged on to the website. I didn’t need anything else.”

“What was your password?” I asked.

“What was yours?” she responded coldly.

“Your name plus the date we met, hashtag smiley face.”

“So, at least 10 characters with numbers and special characters?” she said. “Yes, we followed that standard.”

“Ah, but how often did you change it?”

“It was supposed to be 60 days, but I changed mine every 45 days,” she said.

Clearly, it was time for harder questions. “Did your department use email to send documents like PDFs, Word files, or Excel files as attachments to other employees? Not to customers or people on the outside?” I asked. She looked away. I could see she was stalling. “Or did you use some kind of cloud storage, like SharePoint or Google drive, and just email links to the document locations?”

“Okay, okay. We emailed attachments to other department members all the time. It’s not a crime, even if it can leave cached copies on servers outside our firewall,” she snapped. Like she was a dancer in another life, and she was dancing fast now. “We didn’t use shared storage. I guess we could have emailed the links instead of emailing the documents to other team members, but we didn’t.”

“Did anyone in your department ever get phished by a hacker?”

She looked offended. “We were smart. We had great email filters. Email from customers came to the inbox, and email from spammers went to the spam folder.”

When she talked security, it drove me crazy, and it crushed me that we were not together anymore. I reminded her, “It’s a lot easier than you think to get phished, pretty lady.”

“Well, not me. I followed the company’s rules. I always used the VPN when I was on the road or in the coffee shop. And we were pretty restricted on our laptops. We couldn’t open our personal email accounts on Gmail or Outlook or Hotmail. Oh, and we weren’t supposed to use social media on the laptops.”

“You expect me to believe that?” I pressed.

“Okay, fine. So I would sometimes check Facebook or hit an Ann Taylor sale online,” she said. If she was wearing Ann Taylor now, nobody wore it better than her.

“I just worked a big case involving some Nigerian hackers,” I explained. “They used a company’s email account to send fake invoices to customers that used routing numbers for a bank in Nigeria. The customers paid the invoice, but the Nigerians got the money. Did anybody get hit with ransomware at your company, as far as you know? Or did you hear talk about any other kinds of security issues?”

“No way. The security was tight,” she said.

“Okay, so what if someone at Transfaxian lost their corporate cell phone?”

“They did a remote wipe. You lost the phone, but the data was gone. I didn’t lose sleep over it,” she said coolly.

“Did you ever have to back up your laptop?” I said.

“No, why would I? Most of my work was saved in the corporate app. I never had a device fail on me. I like to play the odds,” she said with a devilish grin.

“Well, how often did your corporate IT department apply Windows updates to your laptop?” I asked. “Large companies typically push updates to their employees on their own schedule. The credit bureau hack was possible because your company did NOT update an Apache server. Do you remember being asked to reboot your computer during the work day on a regular basis?”

“I know I occasionally had to reboot for updates. Sure. I thought we were on top of the security fixes, but I’m really not an expert,” she said sadly. “You believe me, don’t you? It wasn’t my fault. I heard some big-shot officers traded their stock and walked away with a fortune. All I walked away with was a coffee mug and a red Swingline stapler.”

“I believe you, pretty lady. However, there are folks out there who are just trying to make it in this world, trying to see if a little sun will shine on their dreams. So what do you want me to tell those hardworking stiffs who are running scared because their PII is exposed?”

She took a deep breath. “Tell ‘em, you should keep your credit frozen for the rest of your life. Or until they come up with a new kind of credit fix. Freezing your credit will keep you as safe as possible. Right now my former company says they’ll waive any fee to place, lift, or remove a security freeze through January 31, 2018.

“Other than that, make sure to join a service that lets you monitor your credit on a regular basis. I personally use Credit Karma. You also need to know that in the next few months, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. Oh, and tell people to read the Ouch! Security Awareness newsletter so they can learn to protect themselves,” she finished.

“That’s a nice speech, but it doesn’t address how the hackers got in,” I said. Her face turned red and that firecracker personality that I’d fallen for came to life. “So what would YOU have done, big shot?” she challenged.

“That’s a hard fix, but an easy answer,” I replied. “After all, that’s why they call me the IT Detective.”

  • Hide the version and OS identity from errors, whether you are running Apache or another server. When an attacker requests a nonexistent URL on your server, the server version can be displayed in the error message. On an Apache server, you can turn ServerSignature off to stop the server version from being shown during an error.
  • If your web page will accept comments from customers, validate those comments to prevent cross-site scripting (XSS) attacks.
  • Explicitly parameterize queries to prevent SQL injection attacks, in which an attacker uses a web form field or URL parameter to gain access to or manipulate your database.
  • And for heaven’s sake, keep your software updated on your server, including third-party software.
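The comment-validation and parameterized-query points above, shown as an added example (not code from the original post) using Python's built-in `sqlite3` and `html` modules. The table layout, function names, length limit and sample inputs are all constructed for illustration.

```python
import html
import sqlite3

MAX_COMMENT_LEN = 500  # assumed limit for this example


def make_db():
    """In-memory database holding two constructed sample customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def find_customer_unsafe(db, name):
    """The 'before': the form value is pasted into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_customer(db, name):
    """The fix: the SQL text is constant and the value is sent separately as a
    bound parameter, so it can only ever be compared as data."""
    return db.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def save_comment(db, author, body):
    """Validate the comment on the way in, then store it with bound parameters."""
    if not isinstance(body, str) or not body.strip():
        raise ValueError("comment is empty")
    if len(body) > MAX_COMMENT_LEN:
        raise ValueError("comment is too long")
    if any(ord(c) < 32 and c not in "\n\t" for c in body):
        raise ValueError("comment contains control characters")
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))


def render_comments(db):
    """Encode on the way out: html.escape turns <, >, & and quotes into
    entities, so stored markup is displayed as text instead of being run."""
    rows = db.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    return "\n".join(
        "<li><b>{}</b>: {}</li>".format(html.escape(a), html.escape(b))
        for a, b in rows
    )


# Constructed inputs of the kind a web form might receive.
FORM_VALUE = "nobody' OR '1'='1"
COMMENT = '<script>alert("hi")</script> nice post'

if __name__ == "__main__":
    db = make_db()
    print("concatenated query returned:", find_customer_unsafe(db, FORM_VALUE))
    print("parameterized query returned:", find_customer(db, FORM_VALUE))
    save_comment(db, "bob", COMMENT)
    print(render_comments(db))
```

Input validation alone does not stop XSS; the output encoding in `render_comments` is what keeps a stored comment from running in another visitor's browser.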

When the hail of bullets stopped, she waved away the smoke and said, “I was your bleeding heart. I was your crying fool, but you loved your IT detective job more than me.”

“I was in love with you once, you know,” I told her. “And I’ll always take the blame for why we split. I’m no good at being noble, but it doesn’t take much to see that the problems of two people don’t amount to a hill of beans in a crazy world where people’s PII is being stolen every day. Someday, maybe you’ll understand that.”

She tossed a $50 bill on the bar and stood up. “It’s time to move on, time to get going. What lies ahead, I have no way of knowing. But I told you what you wanted. So this is goodbye, handsome fella.”

“Goodbye, pretty lady,” I said. We hugged. I did not want to let go, but I did.

As I watched her walk away, I knew two things:

She would always have a piece of my heart, and the data breaches would continue. My job would never get any easier. When the most vulnerable piece of any network is the user, it just makes my job harder. It comes with the territory.

I ordered another drink, tossed out another quarter for the jukebox, and said, “Play that song again, Sam.”


Stay safe,

George Monsalvatge

 

Transcender webinar: Understanding Big Data

October 19, 2017 at 9:00 am | Posted in Transcender news

Big Data is gathered from nearly everyone and affects almost every aspect of modern life, from health care to hotels and from consumer trends to traffic gridlock. Vast amounts of information are now easily accessible and shared freely among companies, but the average person has little conception of their own contributions to Big Data, or how it affects them in their daily life.

Join our Oracle certification and industry expert, John Brooks, for a free 45-minute webinar on Wednesday, October 25, 2017, at 11:00 am CST.  We will cover the definition, uses, and importance of Big Data in our economy, and explain its increasing significance to our society as a whole. We’ll also mention the main applications that are used in Big Data crunching and point the novice certification-seeker toward the best options in this growing career field.

To register for this FREE webinar, click here. (Your contact information will never be sold or transferred.)

Happy webinaring!

-the Transcender Team

Upgrading to the MCSA Windows 10 and announcing the retirement of Windows 7 exams

October 6, 2017 at 12:04 pm | Posted in Microsoft, Certification Paths

Hi, can I still upgrade from windows 8.1 to MCSA 10, by taking 70-697?

While researching this reader’s question, I went to the Microsoft certification site and discovered that the MCSA: Windows 8/8.1 was no longer listed anywhere on the site, including in the retired certifications list. The only desktop MCSA described is the Windows 10 MCSA.

I’m confident that the information we reported in November 2016 is no longer current, and students should look at the Microsoft site first to determine which exam to take.

I also reached out to Microsoft regarding the exams for MCSA: Windows 10. Their official response was that it was no longer possible to upgrade from the Windows 8 certification. The only way to achieve an MCSA: Windows 10 is to pass two exams, 70-697 and 70-698. Passing only one of these exams earns you the MCP (Microsoft Certified Professional), but nothing more.

The death of desktop certs

If you look at the most recent Microsoft certification paths, you’ll see that the MCSA: Windows 10 is listed as a point on the path to MCSE: Mobility.


Once you’ve earned the MCSA, taking one more “elective” exam (70-398, 70-695, or 70-696) will earn you the MCSE: Mobility credential. Current and future Microsoft certifications will be divided into the following categories that reflect Microsoft’s move away from local installation:

  • Mobility
  • Cloud
  • Productivity
  • Data
  • App Builder
  • Business

Grab your Windows 7 certification while you still can

After a long, hard run, Microsoft has finally released retirement dates for Windows 7 certifications. All of the following exams will expire on July 31, 2018:

70-680: Windows 7, Configuring
70-685: Windows 7, Enterprise Desktop Support Technician
70-686: Windows 7, Enterprise Desktop Administrator

As of this writing, each of these exams earns the MCP, but no credit toward an MCSA or MCSE.

Happy certifying!

-George Monsalvatge

All Things Being Equifax: A Cybersecurity Awareness PSA

October 4, 2017 at 10:29 am | Posted in cybersecurity

Over 9 billion data records have been lost or stolen since 2013. In fact, experts believe nearly 5.5 million records are exposed every day. It’s no longer a question of whether a company has been compromised, but when it will happen, and how consumers can take steps to protect their data.

Not every data breach is the same. Sometimes the stolen data is already public, like your name and street address, or is encrypted to prevent its use by thieves. The most dangerous breaches expose plaintext data (data that is not encrypted or otherwise obscured) and PII (personally identifiable information), such as a government ID with an associated date of birth and legal name.

The recent Equifax breach is a serious security concern because of its breathtaking scope and sensitivity. The stolen data included social security numbers, driver’s license numbers, and other PII as well as credit card numbers. Unlike a username and password, PII is meant to uniquely identify you for your entire life and (usually) can’t be changed. If it’s exposed, you face an ongoing threat of identity fraud.

So what can you do in the wake of such a massive breach? What follows are the best security practices we can recommend, including advice from an actual (anonymous) employee of a big-three credit bureau.

(ETA: as sharp-eyed reader Carol points out, there are actually four credit agencies, though Innovis is typically omitted from these types of list. We have updated the post to add Innovis’ contact information as well.)


The Great Password Debate – Where we disagree about password resets and failures (Part 3)

September 20, 2017 at 3:30 pm | Posted in cybersecurity, Knowledge, Technical Tips

This post is part three of our reaction to new recommendations in the National Institute of Standards’ Digital Identity Guidelines (NIST Special Publication 800-63), Appendix A – Strength of Memorized Secrets. You can check out Part 2 here.

In the Great Password debate that has been generated by the latest NIST guidelines, we (the trainers and experts on the Transcender team) find we agree with some recommendations and disagree with others. In our previous post, Josh discussed the way password complexity has been found less secure than longer passwords made up of simple words. In this post, we (Robin Abernathy, Ann Lang, and Troy McMillan) want to discuss NIST’s new guidelines for password resets (password age) and responding to password failure/account lockout (failed authentication).

Among the otherwise sound advice in the Digital Identity Guidelines (NIST SP 800-63B), we did pick out three points that cause us some consternation:

  • Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (Section 5.1.1.2)
  • Unless otherwise specified in the description of a given authenticator, the verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100. (Section 5.2.2)
  • When the subscriber successfully authenticates, the verifier SHOULD disregard any previous failed attempts for that user from the same IP address. (Section 5.2.2)
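One way to implement the two Section 5.2.2 rules quoted above, as an added example rather than code from NIST or from the original post. The class, its method names and the documentation-range IP addresses are hypothetical, and the login sequence in the demo is constructed.

```python
from collections import defaultdict

# Ceiling from SP 800-63B Section 5.2.2 as quoted in the list above.
MAX_CONSECUTIVE_FAILURES = 100


class FailedAttemptLimiter:
    """Counts failed logins per account, broken down by source IP address."""

    def __init__(self, limit=MAX_CONSECUTIVE_FAILURES):
        if not 1 <= limit <= MAX_CONSECUTIVE_FAILURES:
            raise ValueError("limit must be between 1 and 100")
        self.limit = limit
        # account -> {ip -> failures since the last success from that ip}
        self._failures = defaultdict(dict)

    def failures(self, account):
        """Failed attempts currently counted against the account."""
        return sum(self._failures.get(account, {}).values())

    def is_locked(self, account):
        return self.failures(account) >= self.limit

    def record(self, account, ip, success):
        """Register one authentication attempt.

        Returns "locked" (refused without evaluating the credential),
        "ok" (accepted) or "failed" (wrong credential, now counted).
        """
        if self.is_locked(account):
            return "locked"
        per_ip = self._failures[account]
        if success:
            # Third rule quoted above: forget earlier failures for this user
            # from the SAME address. Failures from other addresses stay.
            per_ip.pop(ip, None)
            return "ok"
        per_ip[ip] = per_ip.get(ip, 0) + 1
        return "failed"

    def unlock(self, account):
        """Out-of-band recovery (help desk, second factor) clears the count."""
        self._failures.pop(account, None)


def demo():
    """Constructed sequence: a guesser and the real user share one account."""
    guesser, owner = "203.0.113.9", "198.51.100.7"
    lim = FailedAttemptLimiter()
    for _ in range(60):
        lim.record("alice", guesser, success=False)
    lim.record("alice", owner, success=False)   # owner mistypes twice
    lim.record("alice", owner, success=False)
    after_typos = lim.failures("alice")          # 62
    lim.record("alice", owner, success=True)     # owner's two typos forgiven
    after_login = lim.failures("alice")          # 60: guesser's count remains
    for _ in range(40):
        lim.record("alice", guesser, success=False)
    final = lim.record("alice", owner, success=True)
    return after_typos, after_login, final


if __name__ == "__main__":
    print(demo())
```

The demo shows the trade-off in the rule: the owner's successful login does not reset the guesser's count, so the account still locks at 100 and the owner then needs the recovery path.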

Love it a long time, or leave it every 30-60 days?

How many of you out there work for a company that requires you to change your password at a regular interval, usually every 60 or 90 days? Bullet point 1 states that this is no longer necessary.

Troy says: I disagree with this recommendation. I contend that changing the password at regular intervals DOES increase security because it shortens the amount of time it is available for disclosure. The logic behind this new NIST rule is based on a failure of how people implement it, not a failure of the concept of password age. In other words, the concept fails because the users do not use unique or secure passwords. They usually choose a new password that’s similar to the previous passwords with a few character changes. This issue would be resolved with proper security awareness training and policy enforcement. Also, there are solutions out there that can prevent users from creating a password that is too close to a previous password. So while we understand what NIST is trying to do with this change, I personally don’t agree with it.

Ann says: I disagree somewhat. The theory is that if you’re ALSO making people choose much longer, easier-to-remember character strings for passwords, like IlikebigpasswordsandIcannotlie! Twoyears beforeI changeit lala hooray!, then you still have the advantage of the password being much, much harder to crack or guess from a mathematical standpoint. After reading through their breakdown of Authenticator Assurance Levels (AAL), I’d be okay following their password age recommendations for any site that’s operating at AAL2 or above.

(For what it’s worth, Microsoft’s 2016 Password Guidance for IT Administrators both counsels you to lose the mandatory periodic password reset, AND to educate users on choosing appropriate passwords and banning commonly used passwords.)

The Great Password Debate (Part 2): Longer, Simpler Passwords Are the New Black

September 8, 2017 at 4:03 pm | Posted in cybersecurity, Knowledge, Technical Tips

This post is part two of our reaction to new recommendations in the National Institute of Standards’ Digital Identity Guidelines (NIST Special Publication 800-63), Appendix A – Strength of Memorized Secrets. You can check out Part 1 here.

Which of the following two passwords is more secure?

p@$w0RdCh34Tr#
ILikeSimplePasswordsICanRememberAndUseNotComplex

The first password is 14 characters long, well over the recommended minimum of 8 characters. It also meets many, if not all, of common password complexity requirements: it contains multiple special characters like @ and $, numbers like 3 and 4, and mixes uppercase and lowercase letters in for good measure. It does not contain a username or any repeated characters. At the Password Meter, I get the following rating:

[Screenshot: Password Meter rating for the first password]

The second password is a lot longer (over 3x), clocking in at 48 characters. If you think that is crazy long, section 5.1.1.2 of the new NIST 800-63B Special Publication suggests passwords of at least 64 characters! But this password is pretty awful when it comes to complexity: it has no special characters or numbers, and it contains easy-to-read dictionary words. So you’d expect a really low score from the Password Meter.

But you’d be wrong:

[Screenshot: Password Meter rating for the second password]

What is going on? In a nutshell, according to the latest research, password size matters more than character complexity, even if the password strings together easy-to-read words. This is a harsh truth, to be sure, and the reason why requires a quick trip back to mathematical set theory and the world of bike lock combinations.
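The length-versus-complexity comparison above, worked through as an added example (not part of the original post). It goes one step beyond the text by also estimating the second password as a sequence of words, since guessing tools can try whole words; the function names and the 7,776-word list size are assumptions made for the illustration.

```python
import math
import re
import string

# The two passwords compared in the post.
COMPLEX_PW = "p@$w0RdCh34Tr#"
LONG_PW = "ILikeSimplePasswordsICanRememberAndUseNotComplex"

# Assumed size of the word list a guesser would draw from (6**5 entries).
WORDLIST_SIZE = 7776


def charset_size(password):
    """Size of the smallest set of standard character classes that covers
    every character in the password (the 'dials' on the bike lock)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password):
    """log2 of the number of strings of this length over this character set,
    i.e. the work for a guesser who tries every character combination."""
    return len(password) * math.log2(charset_size(password))


def split_words(password):
    """Split a CapitalizedWordsRunTogether password into its words."""
    return re.findall(r"[A-Z][a-z]*", password)


def passphrase_bits(password, wordlist_size=WORDLIST_SIZE):
    """log2 of the search space for a guesser who tries whole words instead of
    characters. This is an upper bound: it assumes each word was picked at
    random from the list, which a grammatical sentence is not."""
    return len(split_words(password)) * math.log2(wordlist_size)


def compare():
    """Estimated bits for each password under each guessing model."""
    return {
        "complex, per character": brute_force_bits(COMPLEX_PW),
        "long, per character": brute_force_bits(LONG_PW),
        "long, per word": passphrase_bits(LONG_PW),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print("{:<24} {:6.1f} bits".format(label, bits))
```

Each extra bit doubles the guessing work, so the long password stays ahead of the 14-character one even under the less flattering per-word model.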


The Great Password Debate (Part 1)

August 22, 2017 at 4:49 pm | Posted in cybersecurity, Knowledge

Are you overwhelmed by having to remember too many passwords? Why do some experts recommend using special characters like %, $, or @? Do you really have to change your password every 90 days? Which password method will keep your accounts and data safe from hackers?

Do you ever just feel like you’ve fallen into the password abyss?

Welcome to our new blog series, “The Great Password Debate!”

If you’re sick and tired of being sick and tired of keeping up with password complexity advice — which says to maintain dozens of unique special-character passwords that change every 90 days — you’re not alone. Bill Burr, who helped first come up with these password standards for the National Institute of Standards and Technology (NIST), is right there in the password abyss with you:

I have maybe 200 passwords. I can’t remember all those obviously […] It’s probably better to do fairly long passwords that are phrases or something like that that you can remember than to try to get people to do lots of funny characters.

Currently, most authenticators make users create a combination of numbers, letters and symbols for a “safe” password. However, Mr. Burr has stated recently that he believes making passwords more complicated is NOT the best way to protect your information. He now recommends longer, simpler, and more unique phrases—and, apparently, so do the recently updated NIST standards.

So, what are you to do? Go with the tried and true methods of the past ten years, or step out with the new password approach? In our upcoming blog posts, we’ll delve into this issue, presenting various password rules and seeing how they compare with the latest suggestions from security experts. It promises to be a very L1v3LY D38473.

Stay tuned…

Shahara Ruth

OMG, my refrigerator got hacked!

August 10, 2017 at 9:39 am | Posted in Uncategorized

Years ago I started worrying about getting a virus on my laptop. More recently I began worrying about getting a virus on my iPhone. As of 2017, my new fear is that my smart refrigerator can send spam – or worse.

Last year a photograph of a smart refrigerator displaying an adult site on the display floor of a major retailer went viral. (I tried to find and credit the original source; it was posted on John McAfee’s twitter feed but it’s not clear whether it’s his photo.)


We live in a golden age. You can change the temperature in your house from a remote location by simply using your phone to access your Internet-connected thermostat in your home. But who else can connect to this device?


Connected devices or smart devices, referred to as The Internet of Things (IoT) devices, have simplified our lives more than we could ever imagine – or so their manufacturers claim. IoT devices have moved beyond home alarm systems to control home automation components like electric lights, HVAC systems, robotic vacuums, ovens, refrigerators, freezers, and even water faucets.

IoT devices are used in medical devices such as heart rate monitors, blood pressure monitors, pacemakers, and hospital equipment. IoT devices in automobiles send and receive information to the device manufacturer or update the equipment components. They let us know remotely if our brakes are worn, if it’s time for an oil change, or if it’s time to change our cabin filter. We’ve come a long way from the diagnostic port on a 1973 VW which could tell you if your alternator was charging your battery properly.

In short, IoT is big business, and everybody wants to cash in. IBM has rolled out a bunch of commercials promoting the IBM Watson IoT.

If you have watched a TV show or movie recently, it seems that any nerdy character with a bad haircut, an unfortunate tattoo, and an earring who can speak a complete sentence without using the words “like” and “you know” can hack into every security camera or device in a building. That’s fiction, but what about reality? IoT devices are notorious for lacking integrated security. Most of them just have a userid and password as credentials.


Criminals, identity thieves, or just plain pranksters would love to disarm your alarm system, steal your information, or just make your life miserable by hacking into an IoT device. An IoT device can be compromised in two ways:

  • An IoT device can be told to do what it is not supposed to do. A networked component in your smart TV could become part of a botnet attack. As hackers demonstrated to Jeep, an IoT device in an automobile may be hacked so that attackers can disable the power braking system.
  • IoT devices can be told to do what they are supposed to do, but at the wrong frequency. These attacks could include turning on the water or the lights in your house at the wrong time, flooding your basement or leaving it well-lit for thieves.

Every device or software may have flaws. A flaw that nobody else knows about is referred to as a “zero-day exploit.” According to a WikiLeaks report, the CIA has a set of tools to hack IoT devices via “zero-day exploits.” One zero-day exploit lets you activate the microphone on a smart TV or other device to remotely record conversations. According to the report, the CIA has many zero-day exploits for Android and Apple iOS devices. Who else has this set of tools? A government agency could use them to spy on their own citizens, or a rival nation, or even disrupt an election of another country. I am looking at you, Vladimir Putin.


According to Gartner Inc, there will be over 20 billion IoT devices by 2020. There is consumer demand for these IoT devices. Consumers want it simple and fast, and device manufacturers do not want to make these devices overly complicated out of the fear that consumers won’t buy them. Adding additional security to these devices is not generally in the device manufacturers’ best interest if they want to increase sales. However, technology always changes. Devices, unlike computers, rarely have the ability to accept a patch or update. WiFi routers may have firmware updates, but not all Internet-connected devices do. This leaves the consumer at a security disadvantage. Worse, it leaves them open to hacking.

What can the consumer do?

Most users do not change the default security on devices. WiFi routers’ passwords are rarely changed out of the box by the average consumer; nor are the passwords of security cameras. If you think the password is like your front door, you should lock your front door, and for heaven’s sake, change the default password.

You should try to practice good password hygiene.

  • Avoid reusing credentials – Use different passwords and user IDs for your different devices. How in the world can I keep up with all these passwords? I can barely remember my daughter’s birthday or the security code for my ATM card. You can get a password manager app and install it on your phone.
  • Change passwords frequently – Passwords can become stale. Your roommate that moved out two months ago knows your WiFi password, and so does his ex-girlfriend. It might be time to change a few passwords.
  • Make the passwords strong – The passwords should be at least 15 characters. You should have a mix of uppercase, lowercase, numbers, and special characters. You can make the passwords out of a phrase, song lyric, or something that you can remember. For example, take a look at the following:
    • Ih8DaNew0rle@ns$aintz translation “I hate the New Orleans Saints”
    • Its@Sm@11W0rld@fterA11 translation “It’s a small world after all”
    • A7thN@tionArmy#C0u1dNtH0ldMeB@ck translation “A seven nation army couldn’t hold me back”
    • WhyD0e$MyC@tP00p1nD@Corner translation “Why does my cat poop in the corner?”

It’s a given that the average consumer might not consider security a priority with an IoT device. However, the IoT goes beyond consumer devices. If a device can be accessed via Bluetooth, WiFi, or any other wireless technology, it is vulnerable and could be compromised – and that includes crucial healthcare devices. Medical device maker Johnson and Johnson had to reveal to over 100,000 patients that a hacker could exploit one of their insulin pumps. We are not talking about refrigerators and security cameras anymore. We are now talking about people’s lives and well being. It may no longer be a spy-novel plot device to suppose an assassin could remotely speed up a pacemaker or stop a medical implant from working.

A financial institution spends a significant portion of its IT budget on security. Healthcare providers only spend about 6% of their IT budget on security, and it is usually applied after the device is designed rather than being integrated into the device.

Who knows if there is a zero-day exploit in a medical device right now? It may take years for manufacturers to find them all. Who knows if a hacker found the exploit first? If it’s difficult for an automobile manufacturer to replace an electric window motor in a mandated recall, it will be extremely difficult to replace a medical device that has been installed and then recalled due to IoT insecurity. Technology has gone down a road that can bring us great prosperity and better health. We need to make sure that the potholes are paved and the road is secure from bandits.

Until next time,

George Monsalvatge

Join us for a FREE Transcender webinar: Protecting your personal information online

July 14, 2017 at 8:22 am | Posted in Transcender news

Your private, personal information should be just that. Unfortunately, in today’s cyber world, your personal data has become an asset to be bought, sold, or stolen. Despite using complex passwords or securing your accounts, your data is always at risk from unscrupulous individuals or organizations. A new industry of cyber-middlemen don’t even want to hack your data themselves – they’ll just steal it and sell it to the people who do.

Industry expert George Monsalvatge will explain how your personal data is a monetary asset for both legal and illegal businesses. He’ll go over strategies to help protect your personal information from hackers, as well as explain the common and not-so-obvious tricks that scammers use to gain access to your information. He’ll discuss the ways that your “digital data profile” is inferred from your public and not-so-public online behaviors. Finally, he’ll mention the careers available today in the field of cyber security and how you can prepare for them.

Learn more about protecting yourself from data thieves by attending this FREE webinar, “Protecting Your Personal Information.” The webinar will be presented Wednesday, July 26th, from 12-1, EDT.

To register for the event please use this link: Webinar Registration Link

This is one presentation that you don’t want to miss!

Logical Operations’ CyberSec First Responder (CFR-210) Certification Is Now U.S. DoD-8570 Compliant

July 7, 2017 at 1:15 pm | Posted in cybersecurity, Knowledge, Logical Operations, Vendor news

Logical Operations has announced that the CyberSec First Responder (CFR) certification is now approved by the United States Department of Defense (DoD) as DoD Directive 8570 compliant. CFR is now an approved Baseline Certification for the CSSP Analyst and CSSP Incident Responder categories, and verifies the skills necessary to perform these job functions.

The CyberSec First Responder certification exam (CFR-210) tests the cybersecurity practitioner’s ability to prevent, detect, analyze, and respond to security breaches in the organization.  Transcender is the authorized practice test provider for the CFR-210 and provides the CFR-210 practice exam, which includes 260 practice questions and over 300 flash cards covering the exam’s four main objectives:

  • Analyze Threats
  • Design Secure Computing and Network Environments
  • Proactively Defend Networks
  • Respond/Investigate Cybersecurity Incidents

According to Joe Mignano, VP of Channels for Logical Operations, the DoD approval “allows individuals fulfilling crucial information assurance functions for the United States government or their contractors to validate their Analyst and Incident Responder job skills with our certification program.”

The CFR certification already met the ANSI/ISO/IEC 17024 standard and was accredited by ANSI (American National Standards Institute) in 2016.

Logical Operations also provides a CFR training course, developed to prepare IT professionals with the knowledge, ability, and skills necessary to provide for the defense of those information systems in a cybersecurity context – including protection, detection, analysis, investigation, and response processes.

U.S. Department of Defense Directive 8570 provides guidance and procedures for the training, certification, and management of all DoD employees involved with Information Assurance functions in their line of duty. Other providers of certifications that meet DoD Directive 8570 are Cisco, Computing Technology Industry Association (CompTIA), EC-Council, International Information Systems Security Certifications Consortium (ISC)², Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC).

 
