ISSC Security



False Rejection or False Negative

posted 18 May 2010, 05:01 by Kanav Gupta

Now imagine that Sally still has her laptop (the one from the false-acceptance example below). She has enrolled her fingerprint on the system. The next day she tries to use it to authenticate, but the system rejects her fingerprint: it returns a negative match, as though the finger were not Sally's, even though it is the same finger she enrolled the day before. A false rejection is a usability failure rather than a security breach, and how often it happens is reported as the false rejection rate (FRR).

False Acceptance or False Positive

posted 18 May 2010, 05:00 by Kanav Gupta

This is when a system identifies someone as somebody they are not. For example, imagine that Attacker Al steals Sally's laptop. The laptop uses a fingerprint scanner for authentication and has Sally's fingerprint enrolled. Attacker Al tries his own fingerprint and it works: the scanner accepts it even though it should not, returning a positive match as though his fingerprint were Sally's. A false acceptance is the security-relevant error, and how often it happens is the false acceptance rate (FAR). Lowering the match threshold to reduce false rejections raises the FAR, so the two rates are tuned together; the point at which they are equal, the crossover error rate (CER), is the usual figure of merit for comparing biometric systems.
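
As an added worked example (not from the original posts), the Python below computes the false rejection rate and false acceptance rate of a hypothetical fingerprint matcher at different accept thresholds, finds the crossover point, and shows what a FAR-first tuning costs in false rejections. The score lists are constructed for illustration; no real matcher is involved.

```python
# Added example (not from the original posts): how the accept threshold of a
# biometric matcher trades false rejections against false acceptances.
# All score samples are constructed for illustration; no real matcher is used.

# Similarity scores in [0, 1] from a hypothetical fingerprint matcher.
# genuine  = Sally's finger compared with Sally's enrolled template
# impostor = Attacker Al's finger compared with Sally's template
# The two distributions overlap around 0.6, which is why both error types exist.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.79, 0.75, 0.72, 0.69, 0.66, 0.62, 0.58]
IMPOSTOR_SCORES = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.51, 0.57, 0.63, 0.70]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for the rule 'accept if score >= threshold'.

    FRR: fraction of genuine attempts rejected (Sally locked out, false negative).
    FAR: fraction of impostor attempts accepted (Al let in, false positive).
    """
    false_rejects = sum(1 for s in genuine if s < threshold)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    return false_rejects / len(genuine), false_accepts / len(impostor)


def crossover_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep thresholds 0.00..1.00 and return the first one where FRR and FAR
    are closest: the crossover error rate (CER) point used to compare systems."""
    best_t, best_gap = None, None
    for i in range(101):          # integer steps avoid floating-point drift
        t = i / 100
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def tune_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Security-first tuning: the lowest threshold whose FAR does not exceed
    max_far, together with the FRR that this costs. None if nothing qualifies."""
    for i in range(101):
        t = i / 100
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    for t in (0.50, 0.60, 0.63, 0.71):
        frr, far = error_rates(t)
        print(f"threshold {t:.2f}: FRR={frr:.1f} FAR={far:.1f}")
    print("crossover threshold:", crossover_threshold())
    print("lowest threshold with FAR=0:", tune_for_max_far(0.0))
```

With these samples the crossover sits at a threshold of 0.63 (FRR and FAR both 0.2); pushing FAR to zero requires a threshold of 0.71, at which four of Sally's ten genuine attempts are rejected. That is the trade-off a deployment has to make explicitly.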

Spot Cooling

posted 13 Mar 2010, 23:29 by Kanav Gupta

A type of computer system cooling in which individual system components (for example a processor or a single rack) have their own dedicated cooling, rather than relying on room-level air conditioning alone.

Cybersecurity Enhancement Act

posted 5 Feb 2010, 14:07 by Kanav Gupta

The first major cybersecurity bill to be passed by either house in the 111th Congress, the Cybersecurity Enhancement Act, was approved by a 422-to-5 vote in the House on Thursday. The measure, HR 4061, goes to the Senate.

Rep. Dan Lipinski, the Illinois Democrat who is the bill's main sponsor, said on the House floor that cybersecurity is an important issue that affects people in their everyday lives. "The amount of time all of us spend on the Internet, the vulnerabilities that are out there, hopefully through this work, we can really make things better, make our Internet more secure, so we have fewer problems with attacks, not just on government but on individuals," Lipinski said.

Provisions of the measure, which the Congressional Budget Office estimates would cost $639 million over fiscal years 2010 to 2014 and $320 million thereafter, would help the federal government develop a skilled cybersecurity workforce, coordinate and prioritize federal cybersecurity research and development, improve the transfer of cybersecurity technologies to the marketplace and promote cybersecurity education and awareness for the public.

If enacted into law, the measure also would strengthen the role of the National Institute of Standards and Technology (NIST) in shaping the way the federal government and the nation address cybersecurity. The bill's sponsors contend that the vast majority of cybersecurity breaches occur because current best practices aren't followed. The measure orders NIST to develop and implement a public cybersecurity awareness and education program to encourage more widespread adoption of best practices.


Also, the sponsors contend, federal government representation in the development of international cybersecurity technical standards is incomplete and uncoordinated. As recommended in President Obama's Cyberspace Policy Review, this bill would require NIST to develop a plan to ensure representation in all important international cybersecurity technical standards development initiatives and to ensure that this representation works from one coordinated federal government strategy.

The Cybersecurity Enhancement Act also would reauthorize the National Science Foundation's cybersecurity research program and the trustworthy computing initiative that assures safe configuration of government computers as well as formally establish the Scholarship for Service program, which provides funding to colleges and universities to award scholarships to students in the information assurance and computer security fields in exchange for their service in the federal government after they have completed their training.

In addition, the bill would require federal agencies participating in the Networking and Information Technology Research and Development program to implement a strategic plan to guide their cybersecurity research and development efforts. The Networking and Information Technology Research and Development program is the government's primary initiative to coordinate its unclassified networking and IT R&D investments. Thirteen federal agencies, including all of the large science and technology agencies, are formal members of the program while other federal organizations participate in its activities.

HR 4061 also would require the Obama administration to conduct an assessment of cybersecurity workforce needs across the federal government, and would order the director of the White House Office of Science and Technology Policy to assemble a university-industry task force to discover new models for implementing collaborative R&D.

Protocol Analyzer Modes

posted 1 Jan 2010, 23:58 by Kanav Gupta

The two modes of a protocol analyzer are promiscuous and non-promiscuous:
  • Non-promiscuous. In non-promiscuous mode the NIC's receive filter stays on, so the protocol analyzer can only capture traffic addressed to the system (including broadcasts and the multicast groups it has joined) or sent by the system. In other words, it can't capture unicast traffic between two other hosts.
  • Promiscuous. In promiscuous mode the receive filter is disabled, so the protocol analyzer can capture any and all traffic that reaches its NIC. Attackers use a protocol analyzer in promiscuous mode.
Wireshark is a protocol analyzer that can be downloaded for free and works in both promiscuous and non-promiscuous mode. Two caveats apply. First, on a switched network promiscuous mode only captures what the switch forwards to that port, so an attacker who wants other hosts' unicast traffic also needs a mirror (SPAN) port, a hub, or an attack such as ARP spoofing. Second, a host operating in promiscuous mode gives telltale signs on the network: its NIC now passes frames to the kernel that it would normally drop, and sniffer-detection tools exploit this by sending a probe such as an ARP request to a bogus, almost-broadcast destination MAC and watching for a reply (not every IP stack answers, so the absence of a reply proves nothing). A protocol analyzer should not be run on a live network without permission.
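
As an added example (not code from the original post or from Wireshark), the following Python models the receive filter a NIC applies in each mode and runs constructed Ethernet frames through it. The host MAC, the multicast subscription table and the sample frames are all assumed data; the probe frame uses the almost-broadcast destination that sniffer-detection tools send.

```python
# Added example (not from the original post): a software model of the NIC
# receive filter in non-promiscuous versus promiscuous mode, exercised with
# constructed Ethernet II frames. Addresses below are assumed sample values.
import struct

OUR_MAC = bytes.fromhex("001122334455")          # assumed MAC of the capturing host
BROADCAST = b"\xff" * 6
# Multicast groups this host has joined; a real NIC keeps a hash filter of these.
# 01:00:5e:00:00:01 is the all-hosts group (224.0.0.1).
MULTICAST_SUBSCRIPTIONS = {bytes.fromhex("01005e000001")}
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet II frame (no FCS) used only as sample input."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype), or None for a runt frame shorter than a header."""
    if len(frame) < 14:
        return None
    return struct.unpack("!6s6sH", frame[:14])


def analyzer_sees(frame: bytes, promiscuous: bool, our_mac: bytes = OUR_MAC) -> bool:
    """Would a protocol analyzer on this host get to see the frame?"""
    hdr = parse_ethernet(frame)
    if hdr is None:
        return False                      # runt frame: dropped in either mode
    dst, src, _ethertype = hdr
    if src == our_mac:
        return True                       # our own outbound traffic is handed to the capture hook by the stack
    if promiscuous:
        return True                       # filter off: everything that reaches the NIC is delivered
    if dst == our_mac or dst == BROADCAST:
        return True                       # addressed to us, or to everyone
    # I/G bit set means multicast, but the hardware only accepts joined groups.
    return bool(dst[0] & 0x01) and dst in MULTICAST_SUBSCRIPTIONS


def capture(frames, promiscuous: bool):
    """Names of the sample frames an analyzer captures in the given mode."""
    return [name for name, frame in frames if analyzer_sees(frame, promiscuous)]


# Constructed sample traffic on one segment (assumed MACs).
SALLY = bytes.fromhex("0a0b0c0d0e0f")
BOB = bytes.fromhex("1a1b1c1d1e1f")
SAMPLE_FRAMES = [
    ("to-us", build_frame(OUR_MAC, SALLY, ETHERTYPE_IPV4)),
    ("from-us", build_frame(SALLY, OUR_MAC, ETHERTYPE_IPV4)),
    ("broadcast-arp", build_frame(BROADCAST, SALLY, ETHERTYPE_ARP)),
    ("sally-to-bob", build_frame(BOB, SALLY, ETHERTYPE_IPV4)),   # unicast between other hosts
    ("multicast", build_frame(bytes.fromhex("01005e000001"), BOB, ETHERTYPE_IPV4)),
]
# Detection probe: ARP request to ff:ff:ff:ff:ff:fe. The hardware filter drops it
# (not broadcast, not a joined group), but a promiscuous NIC passes it up, and an
# IP stack that treats it as broadcast will answer and betray the sniffer.
PROBE = build_frame(bytes.fromhex("fffffffffffe"), BOB, ETHERTYPE_ARP)

if __name__ == "__main__":
    print("non-promiscuous:", capture(SAMPLE_FRAMES, promiscuous=False))
    print("promiscuous:    ", capture(SAMPLE_FRAMES, promiscuous=True))
    print("probe reaches kernel?",
          analyzer_sees(PROBE, False), analyzer_sees(PROBE, True))
```

The only frame the non-promiscuous capture misses is the Sally-to-Bob unicast, which is exactly what an attacker is after; the probe frame is invisible in normal mode and visible in promiscuous mode, which is the asymmetry that sniffer detection relies on.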

Protocol Analyzer

posted 31 Dec 2009, 21:46 by Kanav Gupta

A protocol analyzer can capture data packets as they travel across the network and read their contents if the data is sent "in the clear", that is, unencrypted.
One of the early protocol analyzers was the Sniffer Network Analyzer, which became so popular that protocol analyzers in general are commonly called "sniffers." Wireshark is a popular protocol analyzer that you can download for free today. Because protocol analyzers are so readily available to attackers, network administrators should not allow sensitive data (such as passwords) to be sent across the network in clear text; encrypting the session (for example with TLS or SSH) leaves a sniffer with only the endpoints and ciphertext. Administrators also use protocol analyzers legitimately to analyze traffic on the network. As an example, a protocol analyzer can detect malformed packets or other types of network attacks.
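
The following Python, added here and not part of the original post, does what a sniffer's decoder does with captured packets: it parses IPv4/TCP headers with the length checks needed to flag malformed packets, and pulls the username and password out of an HTTP Basic Authorization header sent in the clear. The packets, addresses and credential (sally:hunter2) are constructed for the example; a TLS-wrapped packet is included to show that encryption leaves the decoder nothing to read.

```python
# Added example (not from the original post): a minimal sniffer decoder that
# validates IPv4/TCP headers and recovers clear-text HTTP Basic credentials.
# All packets and addresses below are constructed sample data.
import base64
import socket
import struct


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Decode an IPv4+TCP packet into addresses, ports and payload.

    Every length field is checked against the bytes actually captured before
    it is used as an offset; a packet that fails a check is reported as
    malformed instead of being decoded on trust."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("IHL below minimum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("total length inconsistent with captured bytes")
    if packet[9] != 6:
        raise ValueError("not TCP")
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("TCP data offset out of range")
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": tcp[data_off:]}


def extract_basic_auth(payload: bytes):
    """Return 'user:password' from an HTTP Basic Authorization header, else None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            try:
                # binascii.Error (bad base64) is a subclass of ValueError
                return base64.b64decode(token, validate=True).decode("utf-8", "replace")
            except ValueError:
                return None
    return None


def sniff(packets):
    """Run the decoder over captured packets and collect findings."""
    findings = []
    for pkt in packets:
        try:
            p = parse_ipv4_tcp(pkt)
        except ValueError as err:
            findings.append(("malformed", str(err)))
            continue
        cred = extract_basic_auth(p["payload"])
        if cred is not None:
            findings.append(("credential", p["src"], p["dst"], cred))
    return findings


def build_packet(src_ip, dst_ip, sport, dport, payload, ihl=5, total_len=None):
    """Constructed IPv4+TCP packet (checksums zeroed); ihl/total_len can be
    overridden to fabricate malformed headers for the decoder to catch."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    if total_len is None:
        total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


# Constructed sample capture (assumed addresses and credential).
SRC, DST = "10.0.0.5", "10.0.0.80"
BASIC_TOKEN = base64.b64encode(b"sally:hunter2").decode()
HTTP_LOGIN = (f"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
              f"Authorization: Basic {BASIC_TOKEN}\r\n\r\n").encode()
TLS_HELLO = b"\x16\x03\x01\x00\x20" + bytes(range(32))   # TLS-shaped bytes, nothing readable
SAMPLE_PACKETS = [
    build_packet(SRC, DST, 51000, 80, HTTP_LOGIN),                 # clear-text login
    build_packet(SRC, DST, 51001, 443, TLS_HELLO),                 # encrypted: no finding
    build_packet(SRC, DST, 51002, 80, HTTP_LOGIN, ihl=2),          # bogus header length
    build_packet(SRC, DST, 51003, 80, HTTP_LOGIN, total_len=9000), # length beyond capture
]

if __name__ == "__main__":
    for finding in sniff(SAMPLE_PACKETS):
        print(finding)
```

The two malformed packets are exactly the kind of input that crashes a decoder that trusts header lengths; checking them first is what lets an analyzer report the packet as an anomaly instead of misparsing it.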

Creating a Culture of Security

posted 30 Dec 2009, 00:39 by Kanav Gupta

How to define the security program, adopt best practices, assign roles and responsibilities. How to determine what needs to be protected, identify threats to security and privacy of information assets, manage remediation of weaknesses. How to offer new employee training, ongoing user awareness, security staff education/certification. How to create an effective incident response plan, law enforcement notification, customer breach notification, forensics and preservation of evidence.
  • Develop the Security Program and Policy. 
  • Manage Security Risks. 
  • Provide User Awareness, Training and Education. 
  • Respond to Incidents. 
  • Plan for Security. 
  • Organize for Security. 
  • Establish and Enforce System Access Controls. 
  • Implement Configuration Management Process. 
  • Monitor Security Posture. 
  • Plan for Contingencies. 

Electronic Evidence & e-Discovery

posted 30 Dec 2009, 00:33 by Kanav Gupta

Provide the organization with up-to-date information and documents on: 
  • Compliance with Federal Electronically Stored Information (ESI) standards. 
  • Real life case studies and examples - Do's and Don'ts. 
  • Actual e-Discovery documents and samples. 
The challenge for organizations is that Electronically Stored Information (ESI): 
  • Is often stored in far greater volume than paper documents. 
  • Is dynamic and can often be modified simply by turning a computer off (volatile data is lost and timestamps change). 
  • Can be incomprehensible when taken out of context. 
  • Often contains metadata that offers greater context to the information. 

Information Security and Risk Management

posted 27 Dec 2009, 04:10 by Kanav Gupta   [ updated 27 Dec 2009, 04:14 ]

Introduction
  • Security Program
  • Security Controls
  • The Elements of Security
Core Information Security Principles
  • Confidentiality
  • Integrity
  • Availability
Information Security Management Governance
  • Security Governance
  • Security Policies, Procedures, Standards, Guidelines, and Baselines
  • Organizational Security Models
Organizational Behavior
  • Organizational Structure Evolution
  • Best Practices
  • Security Roles and Responsibilities
  • Reporting Model
  • Enterprisewide Security Oversight
Security Awareness, Training, and Education
  • Conducting A Formal Security Awareness Training
  • Awareness Activities and Methods
Information Risk Management
  • Risk Management Concepts
  • Risk Handling Strategies
  • Risk Assessment/Analysis
Information Classification
  • Introduction
  • Classification Types
  • Guidelines for Information Classification
  • Criteria for Information Classification
  • Data Classification Procedures
  • Classification Controls
Ethics
  • Basic Concepts
  • Professional Code of Ethics
  • Example Topics in Computer Ethics
  • Common Computer Ethics Fallacies
  • Hacking and Hacktivism 

Physical and Environmental Security

posted 27 Dec 2009, 02:21 by Kanav Gupta   [ updated 29 Dec 2009, 08:28 ]

  • Physical (Environmental) Security Challenges
  • Threats and Vulnerabilities 
  • Threat Types 
  • Vulnerabilities 
Site Location 
  • Site Fabric and Infrastructure 
  • The Layered Defense Model  
  • Physical Considerations
  • Working with Others to Achieve Physical and Procedural Security
  • Physical and Procedural Security Methods, Tools, and Techniques
  • Procedural Controls
  • Infrastructure Support Systems
  • Fire Prevention, Detection, and Suppression
  • Boundary Protection
  • Building Entry Points
  • Keys and Locking Systems
  • Walls, Doors, and Windows
  • Access Controls
  • Closed-Circuit Television (CCTV)
  • Intrusion Detection Systems
  • Portable Device Security
  • Asset and Risk Registers

Information Protection and Management Services 
  • Managed Services
  • Audits, Drills, Exercises, and Testing
  • Vulnerability and Penetration Tests
  • Maintenance and Service Issues
  • Education, Training, and Awareness
