About Shon Harris
Security Assessments & Testing
Risk Governance & Compliance
Security Enterprise Architecture & Implementation
Incident Handling & Response
Human-Based Cyber Defense
Shon Harris CISSP Training
CISSP On-Demand Video Web-Based Training
CISSP Exam Simulator
Self Study Materials
CISSP Online Training
CISSP Exam Simulator
CISSP All-In-One Exam Guide 8th Edition
CISSP Practice Exams 5th Edition
CISSP Flash Cards
Why Choose Human Element Training
Exam Pass Guarantee
> Executive Blog
Articles, thoughts, and case studies from the Human Element staff.
Is Defense-in-Depth a Myth?
Defense-in-depth teaches us that information security is best implemented using layers of defense. It is based on a military strategy that seeks to prevent the advance of an adversary with a series of defenses, starting at the perimeter and working inwards to the asset that requires protection.
Human Element believes this approach may work on the battlefield for which it was designed, but it doesn’t work in information security – at least not any more. Why? Two reasons:
First, today’s attacks do not usually start at the perimeter. They can begin anywhere. A SQL injection attack originates well inside the firewalls and can compromise an entire enterprise. Another example: A user receives a USB drive from a “vendor” and plugs it into his laptop – unaware of the malware the USB is carrying. Here’s a frequent one attackers take advantage of: A network appliance is installed without changing the manufacturer’s default admin password. We all know the stories. All of these are inside-the-firewall attacks.
Second, people are the weakest link in securing the enterprise, and people operate at every layer of the defensive scheme. One mistake by a user or by security operations personnel can compromise the entire enterprise.
Today, effective security must follow an inside-out approach. Every function within an enterprise must each have its own application of the principals of security: risk management, access control, least privilege, data integrity & protection, monitoring & reporting, and human-based vulnerability mitigation.
Changes to the CISSP Exam
In 2014 interactive hotspot and drag and drop questions were added to the CISSP exam. These question types attempt to test one’s knowledge from a different perspective compared to a more traditional text-based multiple answer question format. Hotspots are graphical in nature and require the test taker to understand the concepts of the question from a practical aspect. You will have to point to the correct component within the graphic to answer the exam question. The drag and drop questions are not as drastically different compared to the hotspot questions. These just require the exam taker to choose the correct answer and drag it to the right location. Human Element has hundreds of these hotspot and drag and drop CISSP exam questions and added them to the current CISSP Certification Exam Simulator product.
Soft and Chewy on the Inside Makes the Perimeter Irrelevant
A CISO liked to describe her enterprise as “hard and crunchy on the outside, soft and chewy on the inside”. She was proud of her perimeter defenses and felt her firewalls and IDS were so well implemented she could get away with weak security within. After all, she said her company couldn’t afford to secure everything, so she focused on the perimeter.
Such is the dilemma of the modern CISO. The problem with her approach is it wasn’t risk-based. She focused on the perimeter without understanding where her greatest risks were. In her case her business bought goods internationally, therefore the employees communicated extensively via email with international clients. This was a situation ripe for phishing or spear phishing attacks. Her uninformed employees would routinely click on emailed attachments originating from unknown (untrusted) external users. Many of these emails contained exploits which spread throughout the network, giving away sensitive information and serving as a launch-point for other attacks. Her soft and chewy inside was easy pickings.
If only her employees understood how to properly defend against such attacks. A program of repetitive tactile exercises would help them understand how to recognize such emails so they would know what to do if they received one. Better yet, if the employees were involved in the process of creating and implementing good security practices at the company they would care more about security as a whole.
Information Technology Infrastructure Library (ITIL) and Six Sigma
Security products and processes must be integrated into the business side of a company effectively. Different process management models have been developed for the information security industry to address this need. The Information Technology Infrastructure Library (ITIL) is a set of best practices for IT service management. ITIL was created to allow technology to be properly managed in a corporate setting because of the increased dependence on technology to meet business needs. ITIL is a customizable framework that provides goals, activities to achieve these goals, and input and output values for each process. Since security is commonly provided through technology, security has been integrated into this framework to help ensure that the security technology a company implements meets its business units’ needs.
Six Sigma is a process improvement methodology that was developed by Motorola with the goal of identifying and removing defects in the company’s manufacturing processes. The goal of this methodology is to improve process quality by using statistical methods that measure operation efficiency and associated defects. The maturity of a process is represented by a sigma rating, which indicates the percentage of defects that the process contains. Some organizations use Six Sigma to improve security assurance by measuring success factors of different security controls and processes.
ITIL and Six Sigma are not as prevalent on the CISSP exam as the Capability Maturity Model Integration (CMMI). CMMI is a process improvement model that came from the engineering world but is commonly used by organizations as a roadmap to allow for controlled, incremental improvements within their security programs.
Don’t Touch that USB Drive – You Don’t Know Where It’s Been!
An associate was the controller of an east coast defense contractor. She told me a story about a security breach they had – it’s an interesting story because we’ve heard many variations of this same breach through the years.
The company’s HR department wanted to hand out swag at an upcoming recruiting event. They decided to have USB drives printed with their logo on the side and they put their employment application and benefits files on the drives, which they handed out at the event.
Unfortunately they did this without taking the proper precautions. It seems they bought the USB drives online from a firm in China. I’ll bet you know what happened next.
By the time they realized there was malware on the USB drives, they had infected several hundred systems on their network and countless systems belonging to the poor people at the recruiting event. It seems that the company had trained their technical employees about this kind of attack, but not their HR staff. A perfect, and unfortunate, example of human-based vulnerabilities in action.
Common Practices That Produce Unexpected Results
I read a recent article from the Harvard Business Review that listed the most common cybersecurity safeguards that are less effective against insiders than against outsiders. I thought I’d share this list :
Access Controls - Rules that prohibit people from using corporate devices for personal tasks will not keep them from stealing assets.
Vulnerability Management - Security patches and virus checkers will not prevent or detect access by malevolent authorized employees or third parties using stolen credentials.
Strong Boundary Protection - Putting critical assets inside a hardened perimeter will not prevent theft by those authorized to access the protected systems.
Password Policy - Mandating complex or frequently changed passwords means that they often end up stored in places that are easy pickings for someone with physical access.
Awareness Programs - Simply requiring employees to attend a class or read the company’s IT security policy annually will not magically confer cyberawareness on them. Nor will it prevent staff members from taking harmful actions.
Thanks to authors David Upton and Sadie Creese for these reminders that prevailing practices need to always be evolving in today's threat environment.
About ISO/IEC 27000
Organizations and corporations had to start the process of developing organization-wide security programs in the late 1990’s as the issues of security increased in importance. The security program blueprint that was available at that time was called the British Standard 7799 (BS7799). This British standard outlined how an information security management system (ISMS) (aka security program) was to be developed and maintained. This British standard served as the de facto standard and was improved upon over the years by the International Organization of Standardization (ISO). Today organizations around the world use the ISO/IEC 27000 series as their roadmap on how to implement an ISMS throughout an organization.
The ISO/IEC 27000 series is made up of best practices on how to build and implement internal programs as in risk management, incident management, governance, application security, metrics, auditing and more. Organizations can become certified based upon these standards to illustrate their strong security posture to their customers and business partners. Some of the core standards that make up this ISO series are listed below;
ISO/IEC 27000 — ISMS Overview and Vocabulary
ISO/IEC 27001 — ISMS Requirements
ISO/IEC 27002 — Security Management
ISO/IEC 27003 — ISMS Implementation
ISO/IEC 27004 — ISMS Measurement
ISO/IEC 27005 — Risk Management
ISO/IEC 27006 — Certification Requirements
ISO/IEC 27007 — ISMS Auditing
ISO/IEC 27008 — Guidance for Auditors
ISO/IEC 27011 — Telecommunications Organizations
ISO/IEC 27014 — Information Security Governance
ISO/IEC 27031 — Business Continuity
ISO/IEC 27033 — Network Security
ISO/IEC 27034 — Application Security
ISO/IEC 27035 — Incident Management
ISO/IEC 27037 — Digital Evidence Collection and Preservation
ISO/IEC 27799 — Health Organizations
It is common for organizations to seek an ISO/IEC 27001 certification by an accredited third party. The third party assesses the organization against the ISMS requirements laid out in ISO/IEC 27001 and attests to the organization’s compliance level. Just as (ISC)2 attests to a person’s security knowledge once he passes the CISSP exam, the third party attests to the security practices within the boundaries of the company it evaluates.
Some Of Our Many Satisfied Customers: