Podcasts about nist

Measurement standards laboratory in the United States

  • 695 podcasts
  • 1,413 episodes
  • 36m average duration
  • 1 new episode daily
  • Latest: Oct 5, 2022

Latest podcast episodes about nist

The CyberPHIx: Meditology Services Podcast
The CyberPHIx Roundup: Industry News & Trends, 10/5/22

Oct 5, 2022 (25:31)


The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • New Ponemon study that links increased mortality rates and poorer patient outcomes following cyber attacks
  • Massive third-party breach cripples Britain's National Health Service (NHS) via ransomware breach that takes down 111 services (akin to 911 services in the US)
  • FBI warning and increased reporting of financial processing attacks against healthcare providers via phishing and social engineering
  • Ambry Genetics settles class action lawsuit for $12.5m following 2020 breach of over 230,000 patient records
  • OCR announces $300k settlement related to improper disposal of specimen containers with PHI on labels
  • New FBI report on medical device security vulnerabilities and recommendations for healthcare organizations
  • Updates on cyberwarfare trends stemming from the Russia/Ukraine conflict; Ukraine issues warning to allies of potential new cyberattacks from Russia
  • President Biden signs new cybersecurity guidelines following CISA recommendations
  • New federal cybersecurity requirements from the Office of Management and Budget (OMB) and NIST accreditation for third-party vendor risk management
  • Healthcare sector leads all industries in fixing software security flaws; report highlights and analysis

ScanNetSecurity Latest Security News
What is "NIST SP 800-171", the basis for the Ministry of Defense's cybersecurity procurement standards?

Oct 3, 2022 (0:16)


On September 21, Trend Micro Inc. published an explanation of the measures Japanese companies should take regarding "NIST SP 800-171", the US cybersecurity guideline that formed the basis of the Ministry of Defense's cybersecurity procurement standards.

IoT: The Internet of Threats
Does the Government's Cybersecurity Mouth Have Any Teeth in It? with Mariam Baksh, Staff Correspondent at Nextgov

Oct 3, 2022 (18:16)


On this episode of the IoT: The Internet of Threats podcast, Mariam Baksh, Staff Reporter at Nextgov, joins podcast host Eric Greenwald to explore the evolution of cybersecurity regulation, from the Biden Administration's 2021 Executive Order on Improving the Nation's Cybersecurity to September's OMB Memorandum on software supply chain security. Mariam and Eric discuss the cybersecurity goals of the administration, the merits of first-party versus third-party attestation, and the fine line that NIST walks between effecting change in cybersecurity versus overwhelming the resources of security practitioners and compliance personnel.

Interview with Mariam Baksh

Mariam Baksh is a staff reporter for Nextgov, a Washington, DC-based publication that reports on federal IT and tech policy through journalism, podcasts, and more. In her role at Nextgov, Mariam reports on the development of federal cybersecurity policy. Mariam has been covering technology governance since 2014 and earned her master's degree in journalism and public affairs from American University.

In this episode, Eric and Mariam discuss:

  • Why the Biden administration issued last year's EO
  • NIST's balancing act between improving cybersecurity and avoiding the imposition of costly requirements on companies
  • The challenges involved in measuring cybersecurity performance
  • The implications of a first-party vs. third-party attestation model
  • The value of an SBOM and its growing role in cybersecurity regulation
  • Whether the EO or the OMB memo will deliver any enforcement on the requirements they impose

Find Mariam on LinkedIn: https://www.linkedin.com/in/mariam-baksh-99b1b428/
Learn more about Nextgov: https://www.linkedin.com/company/Nextgov/

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State, the leading supply chain cyber-security solution provider for connected devices and embedded systems. If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast. To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

Note: This interview has been edited for length and clarity.

Fantom Facts Society
September 11th with Richard Gage, AIA

Oct 2, 2022 (109:20)


Fantomfacts.com. Richard Gage of RichardGage911.org joins the gang to discuss the evidence presented by NIST and why over 3,000 architects and engineers disagree.

Links:

  • Richard Gage, AIA, Architect (richardgage911.org)
  • 9/11: Explosive Evidence - Experts Speak Out (Free 1-hour version), AE911Truth.org (YouTube)
  • Architects and Engineers: Solving the Mystery of Building 7, w/ Ed Asner (YouTube)

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 80: Risk Management Framework with Drew Church

Sep 30, 2022 (66:26)


https://www.yourcyberpath.com/80/

In this episode, Kip and Jason, along with special guest Drew Church, take a closer look at the NIST Risk Management Framework to help facilitate selecting the right kind of security for your system and help clarify how to direct resources towards the right controls. Drew Church, RMF expert and global security strategist at Splunk, is here to talk about the different steps of RMF, the importance of preparation work, and understanding the bigger picture of what you want your system to accomplish. They also go through the seven steps of RMF in detail: prepare, categorize, select, implement, assess, authorize, and monitor, highlighting the best procedures and ways of going about completing each step, as RMF is highly structured. They also call attention to soft skills and how invaluable they are throughout your cybersecurity career. Drew and Jason also explain different terms, including STIGs, the DIKW pyramid, and POAM, and their importance while developing the RMF. Finally, they go over various tips and tricks to make sure you are ready for your assessment, like knowing what your system is going to be graded on and maybe also testing beforehand, as well as keeping in mind that the assessors are not going to be experts in your system.

What You'll Learn

  ● What is RMF (and what it's not)?
  ● Are RMF and CSF the same?
  ● What are the seven steps of the RMF?
  ● How important is the DIKW pyramid in RMF?
  ● What is the secret to success of system assessments against RMF controls?

Relevant Websites For This Episode

  ● www.YourCyberPath.com
  ● www.nist.gov
  ● www.splunk.com

Other Relevant Episodes

  ● Episode 62 - The NIST Cybersecurity Framework
  ● Episode 56 - Cybersecurity Careers in the Defense Sector
  ● Episode 22 - Impress Us with Your Resume Skills Section

Global I.Q. with Jim Falk
Managing Global Cyber Risks And Insurance

Sep 30, 2022 (56:28)


Hacking is no longer a far-off, fictional plot from science fiction. We all participate in the digital world. The threats to individuals and their identities are real and inevitable; no person or corporation is exempt from identity theft or data breach. Last year, Microsoft was infiltrated by at least 10 different hacker groups as a result of software flaws and unsuspecting users. Cyber-tech leaders Shawn Wiora and Mike Echols will show Global Forum members how to manage cyber risks and be empowered to safely navigate the tech world.

About the Speakers:

Mike Echols is the CEO of IACI, a Kennedy Space Center nonprofit, and CEO of Max Cybersecurity LLC. Echols spent 10 years at the Department of Homeland Security in critical infrastructure protection and cybersecurity leadership and served as the point person for President Obama's Executive Order Promoting Private Sector Cybersecurity Information Sharing, Chair of the Communications Sector and Network Security Information Exchange, and designated federal official for the President's National Security Telecommunications Advisory Committee. Echols is a graduate of the National Preparedness Leadership Initiative at the Harvard Kennedy School of Public Health, and the Federal Executive Institute.

Shawn Wiora is the co-founder and CEO of Maxxsure, a leading cyber risk quantification and blockchain company in DFW. Known as a cyber industry expert, Wiora has appeared in the Wall Street Journal, CIO.com, and CNNMoney and is a frequent keynote and conference speaker for SOX, PCI, NIST, and HIPAA. Additionally, he took the first healthcare company in the U.S. to the cloud, a company which received the designation of the most cyber-resilient healthcare company in the U.S.

Do you believe in the importance of international education and connections? The nonprofit World Affairs Council of Dallas/Fort Worth is supported by gifts from people like you, who share our passion for engaging in dialogue on global affairs and building bridges of understanding. While the Council is not currently charging admission for virtual events, we ask you to please consider making a one-time or recurring gift to help us keep the conversation going through informative public programs and targeted events for students and teachers. Donate: https://www.dfwworld.org/donate

ConvoCourses
ConvoCourses Podcast: NIST 800 AC access controls cybersecurity training

Sep 29, 2022


See the video here: https://www.youtube.com/watch?v=1LkfH1TI3rk
More training: http://convocourses.com
https://securitycompliance.thinkific.com/courses/rmf-isso-nist-800-53-controls-book-2-nist-800-control-families-in-each-rmf-step

Today I'm actually gonna train on access controls and the documentation that goes with it. So we're gonna be talking about something a little bit different. Normally what I do is I go through jobs, break all of those jobs down, and then talk about how to get the jobs, and then I break down what the employer wants to see. But today we're gonna do some actual training.

Now, if you're interested in this training, if you want to go deeper, if you want to deep dive, cuz I'm only gonna cover a few security controls, but if you want a deep dive, if you really want to know this stuff, then I have a couple of courses for you. I've got a Risk Management Framework Information System Security Officer Foundations course, if you want to actually know it from scratch. Like, you're an IT person; this is not for an entry-level type person. The Risk Management Framework Foundations course is gonna assume that you have some level of IT background, and from there I build on what you already know, and it walks you through how to get into risk management framework, how to do the actual information system security officer work. So if you want to deep dive into this, go to convocourses.com and go check those courses out. I also have this: what you're about to see is one slice of some of the stuff that I'm putting into a new course that I'm developing right now. And if you want the full-blown version, if you want to really check it out, the first portion of the course is actually free right now. If you go to convocourses.com and sign in, you can actually see the context of what I'm talking about. And it's a lot of really good stuff, but right now let's get into access controls and some of the documentation. Let me see here. All right.

So here are the access controls. These are actually all the security controls, and why you're seeing two sets of these is that one is from Risk Management Framework, 800-37 version one, and the bottom one is from version two. That's coming; that's already out right now, but there's a set of NIST 800-53 controls that are coming soon. And so that's what you're seeing right now on the screen. So the top one is from version four. Version... is it version three or version four? The top one you're seeing is from the current version of the NIST 800-53 controls. The bottom one is the one that's in draft right now, but it should be out. I think this year is when they recently pushed it out to, some other date. So anyway, those are, that's what you're seeing. You're seeing access controls, you're seeing AT controls, training controls, MP controls, media protection, physical controls, all these different controls, and I'm gonna cover all of these in the training I'm gonna be releasing month over month until we get all the way to the end. And then I also ask questions if you purchase the actual course, but right now we're gonna focus on just AC controls, and just a few of those AC controls, by the way. It is gonna take us many lessons to actually break down all the AC controls. There's 25 of 'em right now as of the time of this recording.

All right. So first of all, what are access controls? Access controls are what an organization uses to control physical access. It's not just logical controls, not just access to the information, but it also includes access to the system itself. So some of that is in there, but it also includes things like roles. (My cat's in here; this is live, by the way.) This is gonna include things like role-based privileges. It's gonna include things like separation of duties. There's a lot of different things, but let's talk about access. What is access?
It's the ability to make use of any system or resource. So somebody walks into your facility and they want access to your servers, right? They need access. So access control is the process of granting or denying specific requests, and obtaining access to that information is what we're talking about here. And so the NIST 800 controls actually go through a breakdown of how an organization goes about managing access to the information.

All right. So these top six controls are some of the most important ones. And I talk about this in greater detail in the course; in the free part of the course I talk a little bit about it, but I go in more depth in the one that's coming out. I'm gonna try to release it this month. But I talk about AC-1 and AC-2, and now we're gonna talk about AC-3. Access Control 3 is access enforcement. So what is access enforcement? It is the organization's ability to implement the actual access control policies. So not only does your organization have to put a policy in place that talks about how to control access; AC-3 says you have to implement it. How have they implemented the actual access to the information? Like, you're saying in this document that you have access controls, and you're saying that a person has to be trained before they come in. Now, do you do it? Is it implemented throughout your organization? All right. So that's what we're gonna talk about.

Let me show you what I'm talking about. Feel free to follow along with me if you like. What I'm doing is I am on this site. Let me see if I can give you this link here if you wanna follow along. Nope, I can't sign into the chat, but where I'm at is nvd.nist.gov. If you wanna follow along with me, that's where I'm at right now. So you go to Google and type in nvd.nist.gov and you'll find it.

And once you get there, you'll click on the families, like this. Let me just show you real quick. Click on the families. This site has all the families and breaks each one down, as you can see here. And then I went to access controls, and you've got Access Control 1, 2, and now we're on 3. So I'm clicking on 3 right here. If you wanna follow along, you can also just download the NIST 800-53 PDF and then look at 800-53 AC-3, and you'll find everything we're seeing right here.

So what are we talking about here? This right here breaks down what AC-3, access enforcement, is. All right, so let's just look at the actual description here. Let me just make this a little bit bigger so we can read this together, and then we're gonna interpret it. "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies." All right, so let's break this down. "The information system enforces." What is an information system? It's a computer, it's a server, it's a workstation, it's a Cisco device, it's an internetworking device, it's a firewall. "Information system" covers all that ground. It's a very general term, but what we're saying here, what AC-3 says, is it enforces, whatever system that is. Let's say it's a Windows 2016 server. It enforces approved authorizations for logical access to the information system. So in other words, there's logical... what do we mean by logical? There's technical things in place on the system that enforce what you have written in your security policy. That is what they're saying here. So logical access, I'll give you a specific example on our example of a Server 2016 Windows server, right? Logical access, or enforcement of that logical access, would be username and password. Simple enough.
So if your organization wrote in your policy that everyone who comes in has to have a username, and the username has to be 20 characters, the username has to fit a certain policy, and then the password has to fit a certain policy, the password has to be 14 characters long, has to use upper and lowercase, all that stuff's in your policy, right? They're saying that you have to have implemented that into the actual server itself. And before I show you how you, as an information system security officer, can actually check this out and make sure that the organization's doing it, let's just deep dive into this a little bit further.

All right. So in here, finishing out the sentence, it says "information and system resources in accordance with applicable access control policies." Yeah, there. So there you go. The organization writes the policy, and then the system has to actually implement what you said in the policy. That's what it's saying right here. That's really the name of the game here. So as an information system security officer, and I've been doing this for a long time, the name of the game is: the organization creates a policy, right? The policy states what the rules are to having access to your environment. And then you, as the information system security officer, are making sure that all of those policies are documented and that they're in place. And if they're not in place, you have to work it out with the stakeholders. And one of the things that you can do is a plan of action and milestones, but that's for a whole nother discussion.

Okay. So let's look at a little bit more of this so we can get more details: the supplemental guidance. Supplemental guidance is great because it puts in plain English what they're saying here. So once again, if you're joining this late, this is AC-3, and we're interpreting it.

And then we're talking about how to implement this as an information system security officer. All right, so let's get back into this. The supplemental guidance says access control policies, and it says identity-based policies, role-based policies, control matrices, cryptography. So these are some of the things you might put in your access control policy or your overall security policy. They're just giving you some examples. So control access between active entities or subjects. So they're talking about, here are some examples: you might have cryptography, and that cryptography might be between the user object and a file. So the way they write these is to try to be as general as possible, so that the organization has the freedom to implement the level of security that they need for their environment, cuz there's many kinds of environments. That's why they write these like this. All right. And they said, okay, I'll give you an example of different kinds of entities: active entities and subjects, users or processes acting on behalf of users; passive entities or objects. See, just what I just said. So they're saying that the access control policy will have some sort of role-based or cryptography or something between different objects within the environment. That's what they're saying here in this guidance.

But let me show you, let's put this in action. Let me see, what can we do here? Okay. Where I'm at right now, we're on AC-3, but I'm on a document called 800-53A. Here's how you can determine whether or not your organization is actually implementing AC-3, access enforcement. This is just one of the things you can do, by the way, one of the main things that I do: you go to 800-53A.
And 800-53A is how you assess each one of the controls. It has every single one of the controls. So 800-53A, the reason why it's so useful is because whenever a system is assessed, this document is what they actually use, or some parts of this document is what they might use. The assessor might not even know that they're using 800-53A, but all the assessment stuff comes from this source document. So it's very useful.

Okay. So first of all, assessment objectives for AC-3: determine if the information system enforces approved authorizations for logical access, which is what we just read. So the assessor has to make sure that, number one, you have a security policy, right? Or some kind of a policy, and that policy addresses access controls. Now the assessor, one of their objectives is to make sure that the logical, the technical security features that you put on your system are in place, and they match what was written by and approved by your organization in the security policy. That's all they're doing. They're saying, okay, what do you have in your security policy? All right, are you doing that on this Windows 2016 server? Let's see. That's what they'll do. They'll just say, okay, log into the system. You'll log into the system, and just you logging in meets one of the access controls, because one of the access controls is that everybody will have a role, everybody will have a username and password. And then what they might do is say, okay, log in. Let me see you log in with a normal user account. And then they'll say, okay, now try to access this file system that you're not supposed to access. They'll tell you to access, say, the audit logs or something; a normal user shouldn't be able to access the audit logs. So that's the kind of thing that they do. Now let me show you something else: potential assessment methods and objectives.

So these are things that an assessor can use to assess whether or not you have implemented AC-3. You can either examine, you can interview, or you can test, right? So normally for AC-3, from what I've seen, they do two things. They look at your access control policy, which is normally in your security policy, and then they say, okay, let me see what you got. Let me see you do it. Let me see you access that system. Let me see you access the backup drives. And then they're determining whether or not you can. So that's one of the things that they do.

Now let's go to another control here. Let's go to the next control, and I'm gonna go through a few controls here for you guys. Let's go to AC-4, and this is information flow enforcement. We're gonna talk very briefly about this one and won't spend a lot of time on it, but it is important, just so you know. What is AC-4? Information flow enforcement is the organization controlling the flow of data. And is it documented? As an information system security officer, those are the main questions for AC-4. So let's go ahead and let me show you what we're talking about here. We're gonna go to AC-4, and I'm still on nvd.nist.gov. If you're joining me late, you can follow along if you want, but I'm on nvd.nist.gov, 800-53. Here we are. We're gonna interpret it, and then I'm gonna show you how it's implemented, some of the things that you can do to actually check on it. So AC controls, let's see, let's just go right to the description here. Here we are. And it says the information system (we already described what the information system is) enforces approved authorizations for controlling the flow of information within the system and between interconnected systems, based on what the organization says, right? NIST doesn't tell the organization what those control policies are, what elements should be controlled.
They allow the organization to control that. And that's why they say "interconnected systems based on organization-defined information flow control policies." So the organization defines what the information flow is, and then the organization has to enforce those policies that they put forth. So one of the main things that I have seen done to document information flow enforcement is a diagram. A diagram that maybe looks like this; it has firewalls. Let's go through this. This is on cisco.com, by the way, a network diagram. It has a DMZ, it has three servers in the DMZ, right? And we can see our DMZ is connected to a switch. The switch is connecting two different networks. Those networks are protected by these two different firewalls. Here's one LAN, but that's behind a firewall, and it has some VPNs that are connected to the internet, right? So this one has more exposure than these ones over here. This is the inside of our organization, so this one's behind an internal firewall. So this is an external firewall and this is an internal firewall. And so this right here is showing what kind of flow enforcement we have. So we're just saying that our data doesn't just go out everywhere; it's controlled. We have a protected inner sanctum here with LAN computers, with all of our protected data on it. And then we have outside systems. We have protection from the internet. So this is actually the internet. Maybe we have VPN clients that log in, or guest accounts that can log in to certain limited resources that we have out there. But what we're saying with flow control is that our data's not going anywhere. Now, I've seen this done and documented different ways. Another way that I've documented it in the past, or I've seen other organizations document it, is to just have a list of all of the LANs.

If you have a LAN in building five, a LAN in building seven, and a LAN in building ten, you would just list out: here's the LANs, and here's what they connect to. You could have that in a spreadsheet and explain what's going on with those things. All right. So I'm gonna go ahead and move on from this one, and I'm going to address a couple more access controls real quick. We're gonna go straight into these two right here. We're gonna talk about AC-5, separation of duties, and AC-6, least privilege. These ones right here are probably the most overlooked security controls in the AC control family. And the reason I say that is because a lot of organizations I go to, one of the main vulnerabilities that they have is they either give too many permissions to users that don't need it, or they don't separate the different organizational duties. And it's an easy one to do, especially if you're in a smaller organization where you only have 10 users; a lot of times those 10 users will have 10 different hats. You know what I mean? Your security guy will do all the administrator work, and they'll do all the system analyst work, and then they'll also be making multimillion dollar choices for the whole organization. That's not separation of duties. And sometimes you don't really need multiple people, cuz you have five computers, five assets, and you don't really need a bunch of people to do all these different jobs. So these two right here are foundational. The organization really needs to have these, but I notice a lot of people don't have them. Let's dive into what these actually mean, cuz I realize I'm probably talking about stuff that you might not understand. So let's go back here.
I'm on nvd.nist.gov once again, and I'm going to go to families just to show you how I got here, and I'm gonna go to AC controls, and then I'm gonna go to separation of duties. I just wanna explain what separation of duties is, and then we'll go to AC-6, least privilege. All right, here we are right here, and I see some people joining me. Thanks for watching. I'll be answering questions after I cover these two items right here.

All right. AC-5, separation of duties. What is separation of duties? What do you do with separation of duties? The organization... this is NIST 800-53. The organization, whatever organization you work for, this is what they will do. The organization separates organization-defined duties of individuals. What does this mean? Let me interpret it for you. All right. So it says the organization, if it's the Department of Health and Human Services, if it's the Department of Agriculture, the Department of Labor, and Maine, whatever organization it is, the organization, let's say the Department of Health and Human Services, separates whatever duties they define. So the organization has to actually define different duties, and then they separate the duties. So NIST is not telling you, yea verily, all cybersecurity people can't do any kind of administrator work, or administrators can't do firewall work, or a server guy can't also be a firewall guy. That's not what they're saying. They're saying that where it makes sense, you're gonna separate duties apart. And what you're trying to avoid is conflict of interest. That's the reason why you're trying to do it. And there's certain places where it makes sense.

If you are in a very small organization, you don't necessarily have to, if you don't have the resources to do it, or if there's no reason to do it. If you don't have a server that's controlling a thousand different systems or a hundred different systems, you probably don't really need separation of duties. You can have your ISSO, your information system security guy, also do some of the firewall work and also look at logs, and there's no conflict of interest. But if you have a whole bunch of computer systems and you can't even possibly track all the users on a day-to-day basis, and there's data, there's thousands of terabytes of data coming in and out of your network, yes, you probably want to think about separation of duties. You probably want to have a whole security unit that also watches the administrators, and then separate administrators that are controlled by a whole nother office.

All right. Let's keep reading this and get an idea of what's going on. You have to document the separation of duties of these individuals that the organization has deemed necessary to have, right? So if you have a firewall team and you have a server team, you have to document that these are the individuals who control this, and these are the roles that control these items here. Define information system access authorizations to support separation of duties. So you're gonna define what level of access these people have, and then what systems they have access to. So in a nutshell, that's what you're doing. That's what separation of duties is. And like I said, I do see this one violated quite a bit. It's a foundational best practice that you do in larger organizations especially, or medium-size organizations. Let's get a little bit more supplemental guidance on this: separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion.
What does that mean? So think about it: you're in a large organization like Lockheed Martin that has a large contract with Health and Human Services. Now, I've never worked for Lockheed. I don't have any kind of special information on either one of these things. What I'm about to say is pure speculation on my part. So if I accidentally guess right, it was an accident. Okay. So anyway, Lockheed Martin, which I've never worked for, has a large contract with Health and Human Services. They have a thousand computers and 10,000 users, right? So these 10,000 users, let's say, are managed on a server and on several different Active Directory servers. Somebody, one of the administrators, is doing something they shouldn't do. They are making new users over and over again. Why do we have 10,000 users? Somebody is making new users. So in this case you would wanna have separation of duties so that this person who's abusing their power is monitored by a whole other organization. This is just one example of separation of duties, by the way. You could have a security operations team, and their job is to watch everything on the network. They're not only watching data going in and out of the network, but they're also watching users. Maybe they have a flag set up so that whenever somebody creates a new user, they can see who created the user, what account made that user, when they made that user. And maybe they even set up something like a justification, like a "why." So every time you make a new user account, you have to make a justification and go through the SOC team. That is one way that you can make it so that these people aren't abusing their power. And that's what they're saying here.
Separation of duties addresses the potential for abuse of authorized privileges, 'cause somebody could give themselves more privilege, or they can make 15 other accounts and then make all those accounts these secret backdoor user accounts that allow them inside access. There's just so many different things you can do if you don't have separation of duties in a large environment. And that's really mainly what it's for. So you wanna do it when it makes sense to do it. All right. So I think we beat that dead horse. Let's keep going here. And then what we'll do is show you how you can document separation of duties. But for now let's talk about the next item, which is least privilege, this one right here: AC-6, least privilege. Let's go into this one and talk about least privilege. Access control, least privilege. And if you don't have any context here, if you just jumped on this live and you're like, man, what is he talking about? What is NIST Special Publication 800-53 rev 4? What is that? What's going on? If you're interested in actually knowing more about this field, this path, what I'm talking about is security compliance, specifically with NIST, and I have a whole course, if you're interested. It's called Risk Management Framework Information System Security Officer Foundations, and it talks about how to do security compliance using the NIST standard. But then I have another one coming out real soon that talks about how to document everything I'm talking about to you now. I give you context of how it all works. I'll break down different documentation, and I'm gonna go through all the families, or most of the families, I don't know if I'm gonna cover all of them, but I'm gonna cover most of the families in that course that's coming out soon. So go ahead and check that out on combo courses.com if you're interested. All right, let's keep going here. Least privilege.
Now this one right here, this one's near and dear to my heart. This is something that many different organizations, I would say most of the organizations that I've ever worked for, violate. The reason why is because we as human beings wanna do the least amount of work for the greatest amount of impact. So if we have a really smart system administrator in our organization, and we want that server fixed, this guy who's really the smartest guy in the organization does Cisco routers, but we also want him to do other things, so we just start giving this person all of these different privileges that they don't need. That's one of the things that happens with least privilege. Another thing we'll do, especially in large organizations, is we'll have, say, a thousand different users, right? And the users don't really need much; they only need to access their workstation. But they keep coming up with these different things that happen. Like maybe they have this annoying popup, and we restricted their laptop to where they can only do their job, but they got this annoying popup. So every time they get this popup, they contact the help desk, and they're like, hey, could you guys fix this popup? After a while, the help desk is like, okay, forget it. Let's just give these guys local admin privileges so that they can fix it themselves. And then they tell 'em how to fix it. And then it's just local admin privileges. What could possibly go wrong with that? A lot can go wrong with that. That's another violation of least privilege. What is least privilege? Let's talk about it. The organization employs the principle of least privilege, allowing only authorized access for users which is necessary to accomplish assigned tasks in accordance with the organization's missions or business functions. What did I just say? So what I'm saying is you only give people the privileges that they need to do their job, period, full stop.
That's it. That's what least privilege is. Like I said, the reason why this is violated is because we are lazy. We want to do the easiest thing possible, and it's harder to give people limited privileges when every time they need extra privileges, they have to go and ask; they gotta play "mother may I" to go get access to the logs, or this popup just keeps popping up and I wanna stop it. So least privilege, it's one of the biggest issues that I've seen in organizations. Let's look at the supplemental guidance here: the organization employs least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish the required organizational missions or business functions. You only give the privileges that are needed to do the job, period. So runaway privileges is one of the biggest issues in most organizations. In 90% of the organizations I've been to, this is the biggest violation, and this is the one that gets the most people in trouble. Let's talk about how to document these two controls that we just talked about here. What I'm gonna do is bring up a couple things. If you're doing Risk Management Framework, documentation is the name of the game. The reason why we document so much... and I know I've talked to some of my system administrators who are very technical; their head is always deep in the weeds on how to implement these systems or set up a new Linux server or whatever. So they don't have time for documentation a lot of times, or at least that's how they feel.
But the reason why documentation is so important to somebody who does what I do, which is security compliance, is that if we don't have documentation, a lot of times we don't know who has privileges and who doesn't. We don't know what privileges are needed here, or for this person, or what roles we even have sometimes. Organizations are so large that they don't even know what roles they have, and they don't even know what roles have what privileges, and the reason why is because they didn't document it. So you have to make sure that you document, and that's why it's so important. One of the biggest reasons why we have to document is having a security baseline. If you don't document, you don't know what baseline you have. And a lot of times that's the reason why you have a legacy system out there on Windows 2003 or Windows 2000 or something like that in the year 2020, and then there's no support for that system. And so it's out there and you didn't even know it was out there. So that's why you have to document, document, document. Let's talk about documentation here. So what I'm gonna do is I'm gonna bring up an example of how you would document these two controls. What this is here is one example, one format, of a system security plan. This is a system security plan right here. And what we were just looking at is AC-6; here's AC-6 right here. And how will we document this? So in a system security plan, normally you have an implementation statement. And so that's what we're gonna put right here. And normally this thing will say, okay, did you tailor it in? Is it implemented or not? Is it tailored in or is it tailored out? Meaning, is it implemented? And if you didn't have it, let's say we know we need least privilege, but we don't have it, we would say so. Now, keep in mind, this is just one way to document it in a security plan. There's also, let me just show you real quick, another way that you can document it, like this.
If you wanted to, this is a Word document, and this Word document is a template. I've seen organizations do it like this before. A little easier on the eyes, I think, but harder to deal with when you have large amounts of data than a spreadsheet. Spreadsheets, in my opinion, are easier, but there's another level that's above this that most large organizations are going to, which is like a database. You put that stuff in a database, and it's way easier to deal with in a database, 'cause the more data that you have on these spreadsheets, the more confusing it gets, the more you lose track of things. So what kind of control is it? It's a common control, inherited, which is something we talk about in the course. And then here's where the implementation statement comes in. So we would say something like this: let's say our organization is Lockheed General, I'm just making stuff up, "adheres to the principle of least privilege by enforcing a global policy (GPO)." So that's a technical way that they are enforcing all privileges throughout the whole environment. You're just saying what the organization is doing. This is how you document. You're not making this stuff up. All right. Let me just be very clear about this in the real world. Okay, my head is covering this up. Let me just move myself out of the way here. That's what I typed right there. So let me just be very clear. You're not making this stuff up. As an information system security officer, as a security compliance person, whether you work for a bank or the government or a hospital, you're not making any of this stuff up. You're gathering the information from the organization. So that means you have to bring in stakeholders. That's the people who do this stuff on a regular basis. It might even mean your CIO. It might mean your CFO.
It might mean the actual people implementing it, the system administrators, or maybe you're the system administrator, or maybe it's already written in another policy somewhere else. You would grab that information and then you're gonna put it into this system security plan. All of our system security documents are focused on security. HR has their own documents. The architect guys have their own documents. The technical team has their wikis and their work instructions and all that stuff. We are focused on the security features of this system. And so that's what we're doing. We're gathering from all these other existing documents where we can, and we're pouring those into our system security plan. Now another place that's really good, let me move my face here, another place that's really good to document these security features is a security policy. A security policy is really good, 'cause you can really break down each individual item with a security policy. I've got AC-4, AC-5, AC-11, and many other things. So in the security policy, I can really focus in and say, here's what we have here, and be very specific. And you're not making this stuff up. You're getting it from the actual people who know the system. So that's what you have to do as a system security person. And that's the AC controls in a nutshell. And like I said, if you're interested in this, you can go check out combo courses if you want to deep dive into this kind of stuff. And now I'm gonna open up to any kind of questions that anybody has. Any questions whatsoever about anything we talked about, this is a great opportunity to talk about it. I see a few people here that have joined me. A cybersecurity guy asks: how do you ever defeat your rival hacker? So I think that's not how I would frame it. That's not how I see it.
That's not my perspective on what's going on here. So what's going on is you're controlling your data as best as possible in your organization. You're not defeating an individual person. This is just how I see it. This is not personal. The way I see it is I am working for my organization to protect their information. I'm working for their interest. So whatever their interest is, that's what I'm protecting. And it's a team effort. It's not me against some random hacker out there. And then, from the hacker's perspective, from the malicious criminal hacker's perspective, 'cause some hackers are good, from a malicious attacker's perspective, it's not personal. They have a mission too. And it's either money or it's activism. And they're not usually just going after one organization; they're going after many organizations and seeing what works. And me as a cybersecurity guy, same thing. I'm just working for the interest of my organization. And it's a team effort. I'm working with several other people. This guy does firewalls. This guy does vulnerability management. This other person is the CEO of the company. They have to manage all of the resources of the company. They have a fiduciary responsibility for the organization's information. So there's many different people working on this. It's not me against one lone hacker. And then from the attacker's perspective, it's nothing personal. They just want to find the weakest link. And usually what they'll do is they'll search the whole spectrum of the internet to look for the weakest link, or to look for free information that's being given out there that they can use to infiltrate the weakest person who's out there. So that's it, guys. If there's no other questions, I'm going to go ahead and go. Oh wait, I got somebody here. Let me see.
They said: I need a job and I don't have any information system security background, coming from a Linux system engineering background. What would be your advice? Please help me. This is easy. If you have a Linux background... So right now, even with the virus, even with all the stuff that's happening, even with the lockdown, hiring has slowed down. Some of the employers that have talked to me said that right now there's a hiring freeze going on throughout, for obvious reasons. You can't do interviews in person. We don't know how long this is gonna last. For large organizations, they don't know what their fiscal year is gonna look like if they're losing sales; it depends on what kind of industry they're in. But there's just a lot of uncertainty right now. So obviously the markets have slowed down a lot. But that being said, people do still need information system security officers. So if I were you, here's what I would do, and I have a whole series about this, by the way. I would go to indeed.com. If you're interested in this, I got an entire series that talks about how to market yourself, and that's what it's all about: marketing yourself. I would go to indeed.com. Here's one of the places I would go to, Mr. Bun me golden. And then I will type in, I don't know what your skillset is, but you said Linux, which is pretty hot. What kind of Linux is it? Red Hat? You gotta be specific. Let's say Red Hat. I'm gonna assume you're a Red Hat Linux guy. I'm gonna assume you're a Red Hat administrator. All right. And where are you at? Let's say you are, I'm gonna assume you're in Texas, Houston, Texas. You're a Red Hat administrator.
I'd have to know more about what you have going on to actually help you out in a more realistic way. But I'm assuming you're a Red Hat administrator and that you have about five years of experience and you are in Houston, Texas, and I'm gonna go find jobs now. I'm assuming you're in the US. So now look at this. DC. And you're looking for a job. Come on, man. Come on, man. This always blows my mind. DC is one of the hottest areas for IT. DC, Virginia, that whole area is hot. There's barely a week that goes by that somebody from Washington, DC is not trying to contact me about a job. The thing is, most of us IT guys, and it's not your fault, your profession is technical, right? We're not marketers. The thing is, you wanna market your resume. You wanna market yourself. That's the key. That's the whole key to this whole thing. If you're interested in this, go to combo courses.com. You're gonna go check out my course. It talks about how I've been able to have not only a job, but a six-figure job working from home for the last X years. And I'm not some freaking genius, man. I'm not some freaking prodigy. The only thing that separates me from other people is that I work really hard. That's it. I know, having seen extremely brilliant people, I know I'm not one of those guys. Everything I do, I have to work my ass off for. So that said, I have a level of success that allows me to take care of my family, my wife and kids, and travel the world and do what I want, when I want, how I want. But anyway, okay. Back to your question. You said, how do I find a job? I'm assuming you're a Red Hat... okay. So you said Red Hat 6 and 7, in Washington, DC. All right. So let's look at this. I would go to indeed.com. I would upload my resume. See this?
It says, upload your resume. If you're following along, if you're really hungry, man, you could, right now, I'm gonna show you how to do it. Upload your resume, fill this out. Don't just upload it. Fill out the complete profile. My course walks you through everything: what kind of keywords to use, how to find the right keyword, all that kind of stuff. If you're not interested in that, if you wanna get it for free, I'll show you right now. Upload your resume. Fill out the entire profile. All right. Put every one of your skills in there; don't even leave one out. 'Cause there's a place where it allows you to put your skills in, and it allows you to put in every place you've ever worked. How many years of experience do you have, if you don't mind me asking? Okay, so Red Hat administrator. Now look at this and let me show you something. So if you look at this, it'll tell you who's hiring, like right now. And these two places, one in Virginia, one in DC, are hiring right now. Right now. It means they have an urgent hiring. They really need somebody who knows this stuff. So here's SAIC. SAIC is a good company, by the way, at least when I was doing it many years ago. You've got the medical industry, you've got Linux. There's a couple of industries that lend themselves... oh, four years, man. That's perfect. So there's a couple industries that really lend themselves to you working almost anywhere, in almost any industry. And one of those is Linux; Linux is super hot. Somebody always needs it, because we just don't have enough people who know it now. So what I did was I clicked on this top one right here, and let's just break this thing apart. Let's look at this. So these guys will tell you what they need from you. If you don't fit this, then move on to the next thing. The magic of putting your resume into indeed.com, uploading it and putting in all your skills, is that after a while, Indeed...
Now, it's not the best algorithm. I'm gonna show you a better one in a second, but the thing about it is once you put your stuff in there, it will match up different jobs that fit your resume. So right here, as we're looking, we're being very active, and we're looking at this job here. They require a bachelor's degree. Do you have a bachelor's degree? If you have a bachelor's degree, guess what? That's great. Good for you. Demonstrated experience with system engineering, to include network design, documentation, installation. Now, like I said, if you don't fit this, go on to the next job. If you do, apply. Now, if you put your resume in there, when you hit apply, it'll take your resume and it sends it to them. Let me show you. Let's keep going here. All right. This one is Exalogic administrator, remote. This is a remote position right here. Look at this. You just go through the requirements, the skill requirements. And now they want Oracle. I don't know Oracle, but if you don't know Oracle, move on to the next one. We want Linux administrator. We want Red Hat administrator. SAIC. Now here's SAIC, one of their job pages here. Pretty good company. And let me see here. Yeah. See, look at this, happiness score. I've never seen that before. I think I clicked the wrong thing here. I wanted to actually see the job. So let's just go to the job itself at SAIC. Okay. It's talking a little bit about SAIC, and we're looking at the job. This is what you do. If you're really hungry for a job, you go through every single one of these, every single one. And you find a match for you. But if you put your resume in, it does work for you, because the algorithm's gonna match you up with certain jobs, but you don't want to just wait for that. You wanna put that in there, let it do its work. And then you want to be extremely active and look at every one of these, look at the duties.
If you can do it, apply for it. If it's a really long drive, factor that into your final decision. You wanna probably find something closer to you, but don't rule it out, right? I'm the type of person, if I need to feed my family, I'll work at freaking McDonald's, man. I'll work the fries. And then at night I'll moonlight and deliver pizzas. Do what you gotta do to take care of yourself and your family. You know what I mean? So let's go to the next one, system administrator. But you don't have to do that. You're a Linux administrator. You don't have to flip burgers. Linux administrator is no joke, and you have four years of experience. You should have a really good job right now. And I'm gonna show you how to get one. All right. So bottom line: go through every one of these, upload your resume, and then you can type in your location and your skillset right here; you can search 'em. But the big thing is to upload your resume. Now, let me show you something else. LinkedIn. If you're in the US, LinkedIn is one of the best sites to find jobs. I'm gonna show you a better one after this, a better one than LinkedIn, in my personal opinion, a couple better ones than LinkedIn. Now, in my course, I tell you exactly how I'm able to get so many job opportunities from LinkedIn. I don't have a lot of people who actively follow me here, but I could tell you most of the people who contact me, these are real opportunities for me. So what you're gonna do is you're gonna sign up on LinkedIn and you're gonna completely fill out this profile. Completely fill it out. And the more you fill it out, the more targeted it will be: the more targeted the traffic you're gonna get, the more targeted the people who contact you, the technical recruiters that contact you, the more targeted they'll be towards you.
And that way most of the people who contact you will be legitimate jobs for you. Fill it out. But here's another thing you can do: Red Hat Linux administrator. Look at this. You can join groups, right? Join groups. Here's another thing you can do. So you're gonna join groups. You're gonna make a complete profile. I hope you're taking notes. And then we're gonna look for jobs. We just typed in Red Hat Linux admin, and these are all the other people who are also admins. Now look at this. I want you to take note of this. This guy came up number two. This means technical recruiters are literally typing in "Red Hat Linux administrator," and they're seeing this guy's face. Why is this guy number one? Think about it. Why is this guy number one? Why is he coming up? Why is everybody seeing this guy's face? Why is he getting so many job opportunities? He filled out his complete profile. That's why. He filled this entire profile out. That's why he is getting so many jobs. That's what you have to do. Now, if I go to this next one, now I'm actually looking for jobs here. So let's just keep scrolling. Now note how this is broken down. So see, it starts off with other people. Then it talks about the jobs, and then groups should be here somewhere. I'm looking. Yeah, here's different... oh, these are different companies. You can follow the companies. If you follow them, every time they come out with something new, it'll pop up in your messages or notifications. But what I'm looking for is jobs. I'm gonna say "see all," if you're following along. And once again, what we're gonna do is we're gonna go through every one of these. Even though this says Kafka engineer analyst, I'm gonna go see what this is. I don't know what this is. It says promoted. I usually avoid the promoted ones because they're paying for it, but that's fine. Even check those ones out too. It's telling you what location.
Oh, look, we didn't put our location in. Let's make sure we put our location. You said Washington, DC, Baltimore. Look at this: Washington, Baltimore, one of the hottest places for jobs, by the way. And they pay a great amount of money, especially if you're willing to travel. Okay. So this one is, I don't know Splunk, but Splunk developer. Okay. So that's not what we want. Let's keep going. We want some more Linux administrator type work. This one's looking for SCI clearance. I'm assuming that you don't have that. That's a clearance. Not a lot of people have it. I don't have a TS/SCI, I don't think, anymore. That's Splunk. Let's skip that one. Let's go to the next one. So if it's obvious you don't know that, just move on to the next one. But this one right here, this one deserves our time. Let's look at this one. What are they looking for? Now, notice, I'll come back to this later. They're talking about what kind of business it is. It's women-owned and all this kind of stuff. I'll come back to that. Right now, what I'm looking for is what is in the job description? Can I do it? Nope. Look at this. It says TS/SCI clearance. I don't have a clearance, so let's keep it moving. Notice how I'm just going through these. If there's any indication I can't do the job, I move on. And the reason why is because I got stuff to do. I need to find people who are a good fit for me. That's what we're doing. We're trying to find what's the best fit for our Linux Red Hat administrator in Washington, Baltimore. Is this even in the right location? Virginia. Okay. I could drive there. Security+ requirements. Do you have a Security+? Do you have any kind of security clearances? Okay. I'm assuming not. And this is asking for Oracle stuff, so no, I'm gonna move on. This is how you do it right here. Now, it looks like my search is not great.
So what I'm gonna do is I'm gonna change my keyword here. I'm gonna call this Red Hat Linux administrator. Look at this, man. I can barely spell. You're a Linux administrator and I'm an American with one language who can barely spell. And if I can get a job, you can get a job. That's all I'm saying. Okay. Look at this, Reston, Virginia. Okay. That's not too far from Washington. You're willing to make the drive, but security clearance. So we can't do that one. Let's keep going here. Security clearance. Raytheon. Raytheon is an okay company. They get a lot of contracts, so you'll see tons of jobs from these guys. Must be a US citizen and SCI clearance. Okay. Moving on. Now, I'm assuming that on the East Coast, this is one of the problems we have, looking for jobs that don't require clearance. So I'm moving on to General Dynamics. Another very large company, has 10,000 employees. Let's see here. Okay. Here we go. Scope of work. They explain to you what they're expecting from you. Looking for requirements, education, no degree, 10 years of Tripwire experience. Okay. If you don't have Tripwire experience, let's move on. So you need to go through every one of these. After you make your profile. First thing you want to do: go to indeed.com, put in your profile. Go to linkedin.com, make a profile. Once you make the profile, it starts to find jobs that fit you. The reason why this is coming up with stuff that fits me is because I already have a very full profile there. So it's automatically searching things that fit me. So I'm having a hard time finding stuff that fits you. That's why it's very imperative that you do this. Okay. Let's look at these skills right here. They're saying in-depth knowledge of HBSS. Okay. I'm assuming you all know that. Let's just keep going. Red Hat platform and applications administrator. So I'm assuming this one's a software engineer, somewhat. Qualifications.
This one might fit you. Obtain a public trust clearance. Okay. So this one might fit you because they're not looking for an SCI clearance, which not everybody can get or has, but a public trust clearance just means that they'll do a background check on you, and you don't have to be a US citizen. You could be a green card holder or whatever, but public trust is easier to get. Five years experience with Red Hat. You said four; you could still pull it off. I would still apply for it. I'd apply for this one. This one might be good for you. Actually, I would look at this one right here. Look at this, this is some stuff you can learn: ColdFusion. They're saying three to five years of WebSphere experience. If you have that, I'd apply for this one. We're getting closer. All right, let's keep going. Keep going down here. You get the idea. You're gonna go through every one of these and try to find a match. All right. Try to find a match for you. If anything's out of place... the closer you get to a match, you wanna apply for those jobs, right? The closer you get to a match, the better, because those are gonna give you the most probability of actually getting an interview with them. Now, let me show you a couple of other places that are really good to apply. There's dice.com, which is probably the best technical place to find a job in the United States of America. So what you would do is go to dice.com and then type in Red Hat Linux. You know what? Let's change it up. Let's type in Linux administrator. There we go, right there. See this, take note of this. Look at this, see how this keyword popped up. That means this is highly searched and they have tons of jobs for this. But then they also have other job titles here too: Linux administration, Linux administrator, senior Linux administrator, Sr. administrator. There's many different ones. What you wanna do is click one of the ones that fits closest to you.
Let's look at another keyword red hat. Let's see what pops up with, let red hat look at this. See all these keyword. These are the key words you want to use all these keywords right here. These ones that people are typing in these people that have hot jobs that you're looking for. But I wanna go back to Lenox administrator. And then this is the one right here. And then we gotta type in a location. You said Washington and Washington DC, boom, fine jobs. So y'all notice all these jobs. Look at it. Look how technical all these technical jobs. Look how this one's way better than indeed and way better than LinkedIn, as far as search options go for technical people. What another thing you wanna do is don't look for anything too old. If it's months old, then just forget it. This one's one hour, this one's nine days. This one's 12 hours, 12 hours, 10, 10 hours, two hours. These are just recently posted some of these, right? I said there was a hiring freeze, but look at this one hour, 16 days ago, 30 days ago, I would avoid these one. That's a long time. If it's after 30 days, I would not apply for that. But you never know, never know this one 11 hours ago, one day ago, one hour ago, Restin VA two days ago. That's not too far from where you live. Linux engineer, Linux, admin experience. You get the idea, but what you wanna do is make yourself a full blown profile.

Fintech in Focus
Stay a step ahead: Squashing cyberthreats in the workplace

Fintech in Focus

Play Episode Listen Later Sep 29, 2022 22:42


Cybersecurity has an essential role in keeping businesses around the world safe; now more than ever, the art of protecting networks, devices, and data from unauthorized access is crucial. Companies need to ensure that all their systems, networks, data and infrastructure are safe and secure. In this episode, we speak to Tehzeeb Merchant, IT Compliance and Risk Specialist, and explore emerging cybersecurity trends, threats, vulnerabilities, and various ways to stay vigilant, both in business and privately. Note: The opinions expressed on Fintech in Focus News & Views are those of the speakers only, and do not necessarily reflect the views of Corpay or FLEETCOR Technologies Inc.

Acronym Glossary
Chief Information Security Officer (CISO)
International Organization for Standardization (ISO)
International Electrotechnical Commission (IEC)
National Institute of Standards and Technology (NIST)
Internet of Things (IoT)
Indicators of Compromise (IoCs)
Multi-Factor Authentication (MFA)
Control Objectives for Information and Related Technologies (COBIT)
Center for Internet Security (CIS)
General Data Protection Regulation (GDPR)
Payment Card Industry Data Security Standard (PCI DSS)
Distributed Denial of Service Attack (DDoS)

Source: https://www.business.com/articles/cybersecurity-risk-assessment/

Irish Tech News Audio Articles
CWSI to reduce identity risk for businesses with Microsoft Entra Permissions Management

Irish Tech News Audio Articles

Play Episode Listen Later Sep 28, 2022 4:44


CWSI, one of Europe's most experienced mobile and cloud security specialists, has announced it will reduce over-permission risks for businesses in Ireland and the UK with the launch of Microsoft Entra Permissions Management. CWSI is one of the first Microsoft partners to provide the solution, which it is introducing in response to increased multi-cloud adoption among its customers. Microsoft Entra Permissions Management acts as a unified permissions management tool for businesses, enabling them to automate privilege management across multiple cloud platforms in a consistent and thorough manner. It manages privileges in cloud infrastructure and Infrastructure as a Service (IaaS) platforms and is designed to work across Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP). The technology proactively monitors and remediates permission risks for any identity across multi-cloud environments in real time, mitigating over-privilege and supporting compliance. It enables organisations to control their infrastructure; protect, verify, and govern data; and detect exposures in their security posture. It permits benchmarking of the cloud platform against industry standards such as CIS and NIST, giving the CISO and security teams real-time monitoring of the risk surface. The automation and tooling let companies get the maximum capability across multiple vendors' platforms through the normalisation that Entra Permissions Management provides to the administrative user. Where gaps in training or certification and production or workload pressure bring the risk of error, Entra Permissions Management reduces or removes it. CWSI's highly skilled and accredited Microsoft experts will provide ongoing managed support to customers following the deployment of the Entra Permissions Management solution.
They can guide customers through the stages, identify the priorities, and deliver a hardened operational platform with minimal permission risk. CWSI is a five-time Microsoft Gold Partner and was recently named Microsoft Ireland's Partner of the Year 2022 for Security. CWSI launched its dedicated Microsoft Security and Endpoint Management practice in 2019 and since then has invested more than €2.5 million in its ongoing development. Last year, it became the first Irish Managed Security Service Provider (MSSP) to become a member of the Microsoft Intelligent Security Association (MISA). MISA is an ecosystem of independent software vendors and managed security service providers that have integrated their solutions with Microsoft security products to better defend against a world of increasing threats. Ronan Murphy, CEO, CWSI: “We're excited to deepen our partnership with Microsoft following the introduction of this innovative cloud solution to our Microsoft portfolio. It comes at a crucial time when the number of machine identities is growing rapidly, which is increasing the risk of breaches and over-privilege in organisations. High turnover rates and past employees retaining privileged access to data is also a major concern for businesses, and this solution gives organisations better control over their permissions, ultimately reducing cyber risks. “Identity is the foundation of security and with the rapid acceleration of digital transformation, technology and the cloud now touch business operations on a daily basis. There are millions of interactions happening every second. Security challenges have become broader, and they require a broader solution – Microsoft Entra Permissions Management is enabling organisations to confidently reduce their risk in real-time.” See more stories here. More about Irish Tech News Irish Tech News is Ireland's No. 1 Online Tech Publication and often Ireland's No. 1 Tech Podcast too.
You can find hundreds of fantastic previous episodes and subscribe using whatever platform you like via our Anchor.fm page here: If you'd like to be featured in an upcoming Podcast ema...

The Cybersecurity Readiness Podcast Series
Securely Migrating to the Cloud -- Insights from the American Cancer Society Experience

The Cybersecurity Readiness Podcast Series

Play Episode Listen Later Sep 28, 2022 43:31 Transcription Available


As more organizations embrace cloud-based services, securely migrating to the cloud is becoming an important capability. Keith Weller (https://www.linkedin.com/in/keithaweller/), former Vice President, Enterprise Technology Services, American Cancer Society (ACS), spearheaded a highly successful migration initiative in which the organization transitioned a 5000-square-foot on-premises donation-processing data center to the cloud. Keith and his team completed the implementation on time (in eight weeks), under budget, and helped the organization realize savings of $18 million in real estate and $2 million in technology costs (projected over three years). In this podcast, Keith shares some highlights of this cloud migration best practice.

Time Stamps
00:49 -- Keith, share some highlights of your professional journey.
03:27 -- Provide the listeners with a context for what led the American Cancer Society to consider moving to the cloud.
07:56 -- Based on a discussion that we were having to plan this podcast, you mentioned that you would have to get it done in about three months. Is that correct?
11:03 -- Is there anything else that you would like to share, by way of highlights, when you all were planning the migration and then implementing it?
15:52 -- Talking about the security aspect of the migration, you mentioned following the NIST Cybersecurity Framework and complying with the PCI DSS requirements. During our planning meeting, you shared some of the accomplishments under the categories of identify, protect, detect, respond, and recover. Would you like to provide listeners with certain specifics, like what they should be mindful of when they have to undertake such an initiative?
18:04 -- You mentioned the migration vendor. I'm sure listeners might be curious to know how to identify such a vendor. And what factors go into the selection process? And how valuable did you find their service?
20:59 -- For this particular migration initiative, you all decided to go with Microsoft Azure. I assume that is because American Cancer Society was heavily invested in the Microsoft platform, and it made logical sense to stay with the same ecosystem to reduce application dependency-related challenges. Is that what your advice will be for organizations looking to identify a suitable cloud service provider? How should they go about the cloud vendor selection process?
23:15 -- Keith, what is your thought on the challenges that I gleaned from the State of the Cloud report? Do you agree with them?
28:25 -- I think that maybe the SLAs should be written up in a manner and a fashion whereby there should be more joint responsibility and joint accountability. The service provider and client should work as a team to ensure the data is safe and secure, and there's a constant review to ensure the security level and posture are being maintained. What are your thoughts?
31:57 -- Anything in particular that you want to touch upon in the context of the phased migration effort?
37:47 -- So Keith, I'd like to give you the opportunity to say a few final words before we close our discussion for today.

Memorable Keith Weller Quotes/Statements
"Being in the cloud actually makes it a lot easier to govern your security, have better visibility of your assets, and make quicker security improvements."
"If you're trying to do very challenging, time-constrained work, having everyone engaged and bought into the process is very important. And having a clear vision and goals is also important."
"It would be nice if the three big cloud providers were more engaged as a team, securing data and helping make sure that they partner with their customers to ensure that's done right."
"And it's not just infrastructure people, it's not just security people, but it's also important for Development and QA to understand those core principles of security."
"Every dollar that's spent on operational costs is a dollar taken away from cancer research or services."...

Make Your Move with Gene Moran
#36: Achieving Personal Balance and Professional Success with Adrian Matute

Make Your Move with Gene Moran

Play Episode Listen Later Sep 26, 2022 16:40


SUMMARY
A 27-year U.S. Army veteran, Adrian Matute worked as a detailed recruiter and later as a center commander at some of the largest recruiting centers in the country. Today, Matute serves as a Senior Talent Acquisition Manager at Evoque, a portfolio company of Brookfield Infrastructure Partners, a renowned international infrastructure asset manager that owns and manages high-quality, long-lived assets in the utilities, transportation, midstream, and data sectors throughout North and South America, Asia Pacific, and Europe. In his role as a Senior Manager, Matute is looking to establish connections with and hire the best people in finance, accounting, human resources, sales support, customer success, account management, and cybersecurity. Evoque provides local and international enterprises with an unmatched selection of services, connectivity, cloud engineering, and IT solutions across regions. In addition, the business serves a varied clientele of mid- to large-size companies and hyperscale clients from various industries, assisting them in adhering to rules like HIPAA, NIST, ISO, and others.

EPISODE HIGHLIGHTS
00:00:23.770 – 00:02:56.230: Matute discusses his 27 years of military service, as well as the personal factors that influenced his decision to serve in the U.S. Army. He eventually transitions from discussing his departure from the military to talking about his transition into a post-military career.
00:02:57.910 – 00:06:38.650: Matute discusses beginning his post-military career in sales with Cellular One and later Horizon Wireless. After facing much pressure amid an emerging tech bubble, Matute describes his transition over to Verizon Wireless.
00:08:14.890 – 00:12:35.640: Matute discusses how the transition to post-military life and career path has affected him, his family, and his ex-military peers. He emphasizes that achieving personal balance and professional success is never impossible: one needs to optimize their talents, self-control, and connections. Matute makes this point when he talks about his current job as Senior Manager of Talent Acquisition for Evoque's Data Center Solutions department.

Your Move
Show resources: Be an early adopter and evolve for your benefit! To change the world, you must first change yours: genemoran.com/make-your-move/
Get all the resources from this episode on genemoran.com/e36.
Connect with Gene on linkedin.com/in/genemoran/ or visit genemoran.com.
Connect with Adrian Matute on LinkedIn at linkedin.com/in/adrian-matute-47307bb6/ or visit his company website at www.evoquedcs.com/.

Technovation with Peter High (CIO, CTO, CDO, CXO Interviews)
The Future of Cybersecurity and Post-Quantum Encryption with NIST's Kevin Stine

Technovation with Peter High (CIO, CTO, CDO, CXO Interviews)

Play Episode Listen Later Sep 26, 2022 15:16


701: In a panel discussion from our September Metis Strategy Digital Symposium, Kevin Stine, Chief of the Applied Cybersecurity Division at the National Institute of Standards and Technology's Information Technology Laboratory, discusses the evolution of the cybersecurity landscape and the frameworks being adopted to manage this risk. Kevin talks specifically about the NIST Cybersecurity Framework, the update the organization rolled out recently, and why global alignment is important to help US businesses remain competitive in global markets. Finally, he also talks about the future of cybersecurity, how companies are implementing better risk-management measurement capabilities, and why the introduction of quantum computing can pose a real threat to organizations.

ConvoCourses
Convocourses Podcast: NIST 800 Controls

ConvoCourses

Play Episode Listen Later Sep 25, 2022 97:53


https://www.youtube.com/watch?v=KW7gaKX_H0Y
RMF ISSO Controls: https://www.amazon.com/dp/B0B6QKT8DR
SCA Course (early release): https://securitycompliance.thinkific....
0:00 Start of ConvoCourses
02:23 Security Controls book and SCA courses (no longer 2 USD)
07:13 Prepare for an SCA interview (CVE - Common Vulnerabilities and Exposures, at 23:10)
26:51 Security Controls book on Amazon & SCA course
34:48 Cybersecurity is a great career move
40:19 IT jobs part 1: how to match my resume with the job I want and market myself
53:04 IT jobs part 2: get the actual security experience you did onto your resume
59:09 Master's degree in cybersecurity, still no job
1:01:08 GRC and 8140 cybersecurity certifications
1:07:57 The Security Control Assessment course has started
1:10:20 Information security gives robust cybersecurity experience
1:12:06 How to do CPEs for ISC2 CAP
1:22:51 Cybersecurity assessor role
1:36:28 Cybersecurity community on TikTok & the NIST 800 control book

Podcast s Martinem Barnou
David Švácha on his mission in Afghanistan, his luxury car rental business, entrepreneurship and fitness

Podcast s Martinem Barnou

Play Episode Listen Later Sep 24, 2022 53:42


Links to David's companies: www.dfitness.cz www.davidsvacha.cz www.drentcar.cz Be Effective. Take a look at www.martinbarna.cz for coaching/video course, audiobook, recipes, ebook, links to my Spotify/Apple Podcasts, Facebook, Instagram and more.

Resilient Cyber
S3E21: Josh Bressers - Securing Open Source Software

Resilient Cyber

Play Episode Listen Later Sep 23, 2022 34:42


Chris: To start us off, why do you think OSS and the software supply chain are now beginning to get so much attention, despite being widely used for years now?
Chris: When it comes to OSS, any thoughts on how we balance security while also not stifling the innovative, creative environment that is the OSS ecosystem?
Nikki: On one of your recent podcast episodes, you discussed how open source can be unfair, whether that's to users or to developers. Can you break that down a little bit for our audience?
Nikki: I think there are a lot of valuable lessons from the past that inform future trends. What would you say some of the top emerging trends are around open-source software? What should we be concerned about today versus a year from now?
Chris: What are your thoughts on the current state of vulnerability databases? We know you have some strong opinions and have been involved in an effort titled the Global Security Database with CSA. Can you tell us a bit about that and why it is needed?
Chris: Do you think the emerging frameworks such as NIST SP 800-161 Rev. 1, SSDF, SLSA etc. are going in the right direction?
Chris: We couldn't let you go without discussing SBOM. What are your thoughts on the current state and direction of both SBOM and VEX? Do you think this increased level of transparency and granularity of vulnerabilities will be something most organizations can manage successfully?
Nikki: You have 341 episodes of your podcast. Can you talk a little bit about why you wanted to get into podcasting? And also, do you have any tips or advice for anyone who wants to start their own podcast?
Nikki: One of the major areas I don't hear being discussed around open source software is the 'human factor'. I see the integration of open source software as alleviating some of the mental workload and information processing for developers and teams, but it may also introduce other concerns. How do you feel about the human factor around OSS?

Federal Newscast
Agriculture Department plants more seeds to grow its diversity and inclusion efforts

Federal Newscast

Play Episode Listen Later Sep 23, 2022 7:11 Transcription Available


(9/23/22) -- In today's Federal Newscast: USDA sprinkles some fertilizer on its growing efforts at diversity. An immigrant woman of color, who once ran DARPA and NIST, takes over the White House Office of Science and Technology Policy. And DoD thinks of new ways to help soldiers fight inflation.

ConvoCourses
Convocourses Podcast CCI on STIGs to RMF NIST 800 (2020 May)

ConvoCourses

Play Episode Listen Later Sep 20, 2022 32:22


Full video. May 2020 was crazy. https://www.youtube.com/watch?v=WnB2rdxQpwI&t=3s   Imagine cyber security and all our career paths being expanded into space as the space industry begins to expand. Imagine us having more opportunities in that. Industry. That's what we talk about a little bit on this podcast. We also go into details about CCIS. STIGs which is security, technical implementation guides and how those.  Interact with risk management framework, 800 and CIS controls. Now, this is an older podcast. Um, that I did in 2020, but a lot of it is still relevant. Hope you enjoy  Test test audio, test audio test. All right. This is gonna be a short one. I think, welcome to convo courses. My name is Bruce, and, um, wanna start off by, um, addressing, you know, what's going on right now, as far as the coronavirus and stuff. Uh, but we're gonna dive into, we're gonna keep it, uh, to combo courses and cybersecurity stuff. I know there's a lot of stuff, negative stuff happening right now. As far as the protests and, um, coronavirus, we're looking at a hundred thousand people, um, reported it as having died from coronavirus. We're looking at around the world, 6 million people infected millions, uh, million, at least in the us and all this stuff's going. And I want to, first of all, I'll send condolences to, to, uh, the people who have passed away from the coronavirus and people are suffering with it now. And if, and if you happen to be out there protesting or anything like that, I mean, just man, stay safe. Um, and, uh, That's all I'll say about that. You know, it's is a pretty heavy subject and, uh, I don't normally address that kind of stuff on this channel, but I just want to address it and make sure every everybody's being mindful, stay safe out there. You know, this coronavirus, stuff's still going on, take it serious. Um, at the very least try to protect other people. You know what I mean? Um, the people who are most vulnerable to this, to this. 
So, and that goes for, uh, our justice system too. Like, let's try to protect those who are vulnerable to, to the injustices and stuff like that. Listen, let's jump right into it. There is positive stuff happening right now. And I wanna, uh, talk about that stuff. That's that's occurring right now. Namely, I don't know if you've been watching it, but the recent. Astronauts coming from a commercial aircraft, uh, commercial space vehicle flying all the way up to the international space station and then linking up with it. And then this right here is, is really awesome because it opens up the private industry to start doing things like going to the moon, uh, or without the government. So that that's incredible bull. Uh, the reason why it's incredible for us, for it people, information system security people, especially is because that really expands our industry, the better the techno the technological field, the industries and technology do the, be the more opportunities for people like us, who are it? People, people who are are nerds, you know, people who are geeks, it people, uh, we get more job opportunities. Um, Um, an increase of salary and, and the whole nine yards. So this is a really positive thing. And just to give you an idea of how positive this is, is that of, of, since I've been outta the military and actually in the military, I did some, some stuff for, uh, operations that are, that had to do with space. But when I got out of the military, most of my jobs had to do with aerospace. Most of my jobs were with aerospace companies. So. It's a huge industry. And, um, and it needs, especially, it needs, uh, security compliance. Like they have to follow a very strict methodology. Right. And that's exactly what I do. And, and, and that's the stuff that I teach mostly, you know, and I, and I'll branch out to other things like certifications or more technical in the weeds type stuff. But I just wanted to address, like the reason why this is such a positive. 
Is that the more commercialized, the more accessible space and aerospace low or, or orbits, or even on the moon or Mars, the, the bigger and larger that industry gets. The more mark my words, don't take my word for it. Just watch history. Watch what happens as that, that industry expands and we are on the moon or we're on Mars, or we are on the wherever low earth or. They're gonna there more and more of these organizations are gonna crop up and more of them are gonna have to hire people like you and I, it people and security compliance people. So that's, it's a super positive thing. I know my, my daughter had been up all night watching all the news about the, the protests and the riots and how in some cities it's going pretty bad. Uh, and she says, why are you watching this live feed of NASA? You know,  instead of don't, you know, what's going on. I said, Hey, you know,  this might give us a way to get off earth  and she says, yeah, you know, you have a good point about that. so, I mean, if you, if you wanna be pessimistic about it, then this is, this is an optimist spin. Is that this is a way eventually, well, just leave. Like you don't like it here. You can just go somewhere else.  so, yeah, I just want to bring that up. It's it's um, something positive and, and that's why I see any kind of. Of stuff about the, the expansion of us in the space humans and the space is a positive thing, cuz the industry is gonna grow and uh, the more the industry grows, the more opportunities there are for, for us, especially because it's, it's private, that's even more opportunities for us. All right. So somebody asking me a question and I wanna address that. I don't wanna make this one too long, but one of the things I wanted to address.  and I'll get to questions after this. I got somebody who just jumped on Alice. How you doing? She says, uh, hi. Um, can I send you my resume and for you to look at, please, may I have your email? So here's my email address. 
Um, let me see if I can find my contact information. Let's just, oh, I see what happened. All right. Gimme. There it is right there. There is my email address. That's the best way to contact me. Let, just move this down a little bit, move it, move it down. Boom. Best way to contact me is right here. If you happen to be, have, uh, purchased one of my courses, then, um, I will definitely help you directly. That's one of the perks of Purchas purchasing it directly from combo courses.com is that I will help.  um, I don't have any kind of consulting or side things going on right now. I'm pretty new to this thing. So I, I haven't gotten into paid consulting or anything like that. So you have the benefit of catching me early when I'm doing it a lot, some stuff for free. So yeah, you can send me your, your resume, particularly if you've bought one of my, uh, courses, uh, on combo courses.com. If you've done that, please send me your resume. I will check it. I sometimes I'll even rearrange it for you. I'll just make suggestions on the resume to say, here's what you should do. You know, here's some key words you should consider and things like that. But if you're interested here, let me, let me just show you guys something real quick. I think this is a really good course, um, that I'm, that I made a while ago and I was super excited about it, cuz this concept is something that's really helped me out over the years. Here's my here's combo courses right here and I've, I've got many D. stuff like how to get in from scratch from cybersecurity, um, and how to do risk management framework. I've got free stuff here. Uh, but the one that, that Alice is asking me about is this one right here, resume marketing. This one I'm excited about because this, the techniques that I use here is exactly what has made me, uh, be able to constantly. Position, uh, positions and constantly get opportunities. 
And I still, even during the pandemic, even during an economic downturn, such as the one we're in now, and even in 2008, I was still continuously getting opportunities because of this, these techniques that I use here. So if you're considering getting into this and you want me to directly look at your resume, go ahead and check out the resume marketing for cyber security. And it, I don't just talk about cyber security. And it can also apply to you if you're in, in different industry, really, it can apply to anyone cuz the techniques absolutely work. And if you want an idea of what I'm talking about, it's building a profile it's researching, it's finding key, creating the resume. I walk you through all this stuff. And then I walk you through how, what tools I use online from career jet monster. And I also have something on interviewing and also. Uh, I will be adding more stuff to there that just like with all my courses, I add continuously add as, uh, as I find new things out or something comes up and I, and this is a, it is a really good thing for the course. I'll add it to, to that course or, or, or any relevant course that I'm talking about. So go ahead and check that out. And, uh, let's get into control correlation identifier. Somebody's been asking me about. , this is the reason I have not talked about it because this is kind of, uh, this one is a bit of a, this one's very specific to D department of defense and dissa. So, um, that's why it's kind of it's it's, it's it's out there. So, I mean, it's very specific, but what is it? Let's just talk about what this is real quick. Let me just get rid of this information here.  give me a second and now we'll be addressing questions after this, by the way. So just keep the questions coming in the, in the, um, chat and I will I'll get, get to that. All right. So a CCI or a control correlation identifier provides a standard identifier and description for each of the singular actionable statements. 
That comprise and information assurance, IA control or IA practice. IA is just another word for security control. That's what the department of defense calls it. CCI or control. Correlation identifier bridges the gap between high level policy expression and low level technical implementation. All right. I can explain this and there's, there's a lot more here that it talks about here, but I can explain it in clear terms of what it means, what the CCI does is a code that identifies specific tasks that you have to do on Lennox systems on windows systems on servers, on database. Very specific things you do on each one of these operating systems and it links these specific actions that you have to do to a risk management framework control, uh, to a security control. So I'll give you a specific, I'm gonna show you first off. Let me tell you what it is. And then I'm gonna show you, uh, in greater detail what it is. And, uh, I don't know how deep we'll go, but it'll, it should be very. What a CCI is when we're done. All right. So first off a specific example would be audit controls, like let's say on you're on a windows 2010 workstation, and you have been tasked to turn, turn on auditing on that system. Meaning event logs. It's gonna collect event logs for whenever somebody MIS authenticates, they, they type in their password wrong and it pops up as a Nope. This is not your. It will send an event, it'll record an event on the system and that's the control that we have to turn on. Right? Well, CCI would be assigned a specific number, like say CCI 0, 0 6 dash 5 53 or whatever that specific tag. Uh, we'll be identifying a, a re a specific action, which is turning on audit logs and that specific action ties to AU control one and AU control dash two. So now that might not make any sense if you've never done this before, but I'm going to show you, uh, a more specific example, couple examples.  um, let me, let me see if I can bring something up here. 
Got a couple of examples that I was just looking at. So bear with me. So this is stuff I downloaded from the site. If you wanna learn more, I just, I am on cyber dot mill slash STIGs slash CCI. That's where I'm at right here. So if you wanna just Google it, you can just Google. CCI STS. And you'll, you'll find this, right? So this is I'm on the dis is one of diss sites. That's why I'm I am. And I downloaded some of the stuff from here, which is, is not very helpful, to be honest with you. It's not very helpful. Um, uh, right now I'm looking for some examples that I actually had prepped. So just bear with me, give me a second and I will show you what I am talking about. Okay. Here's one of them. So this is, this is.  um, this is a system that, uh, had a STIG viewer ran on it. And what I wanna show you here, the relevant portion is this right here. This is a CCI. This right here. Can you, can you guys see that? Let me make sure you can see that. Okay. Yeah, you can see it. I made it bigger. CCI 0 0 1 8 1 2. And what is that? Right? What's the re the reference tells us here, it's referring to a specific event that the STIG viewer and okay. Context, a STIG is a security, technical implementation guide. What it does is it walks you through all the individual things that you have to do to secure a system. The department of defense, along with some other departments within the federal government and even some state organizations, they have this breakdown of everything that you need for best practice to secure a system, whether it's turn on audit logs, making sure you have multifactor authentication, making sure it's in a secure area and physical has certain physical security making sure it has a policy making sure, uh, you have GPOs turned on and you. You have control over your shared files, networking file protocols, making sure you have certain encryption turned on and or updated though. 
Each one of those things, and there's thousands and thousands of others, maybe millions of others, are individual tasks on Windows, on Red Hat, on every operating system you can think of. It has security controls. Right? And so what the Department of Defense does is they create these STIGs, Security Technical Implementation Guides, that break down all the tasks, and they made it easier for you so that you can make a script that automatically goes through and fixes all that stuff for you. And they actually have some scripts that you can use to fix that stuff automatically. But this is, you're looking at some stuff from an actual STIG. And it's the rule title. The thing that it's trying to fix is on a Windows 10 system, and it's "Windows Installer Always install with elevated privileges must be disabled." So by default, a Windows system will automatically elevate privileges; they're trying to make it easier, more user friendly, whenever you install something. So it just automatically gives elevated privileges. But the problem is that's something that can be exploited. So the rule that the STIG came up with, best practice, is to turn this off. So when you turn the system on, when you're installing it, you gotta go in there and turn it off. Okay. So, discussion: "Standard user accounts must not be granted elevated privileges." And the reason for that is you want least privilege. What that means is, AC... I'm not gonna remember; I think it is either AC-5 or AC-6. I don't remember which one it is, but it's the standard of least privilege, meaning you only give users, standard users, privileged users, operational users, what they need to do their job. You don't give them any more.
So Windows by default, and even Linux does this, will give extra privileges that you don't necessarily need for this specific environment. Now, there may be instances where you can give more privileges; it just depends on the environment. But let's dive back into this. It says: "Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons" (or threat actors) "and applications to gain full control of the system." So if this thing is turned on, somebody with malicious intent might exploit it by elevating their own privilege. Right. So we have to disable this thing. That's what they're telling us. And then they tell us specifically how to do it, where to go in the actual system to disable "Always install with elevated privileges." And it's telling us to go to Computer Configuration, Administrative Templates, Windows Components, Windows Installer, and then disable "Always install with elevated privileges." And I hope that makes sense. This right here, everything I just read, is a CCI. All right, now let's talk about how CCIs, this specific task on a specific system, link to NIST 800 security compliance controls. All right, here it is right here. This reference explains it. So first of all, it has a unique identifier. Every single CCI has a unique identifier. In this case, CCI-00181... And in one sentence it explains what it is: "The information system prohibits user installation of software without explicit privileged status." That's what it does. And in the references, it tells you it links to NIST 800-53 Rev 4 (it's going to Rev 5 soon), CM-11. So CM is dealing with configuration management. Configuration management is dealing with: does our organization control
the security posture of our environment? In layman's terms, what I'm saying is a CM control is having an inventory of everything that's on your network. Like, for example, in your own home, you already know you've got three computers, right? Your kid has a computer, everybody has a cell phone, and you have a router down in the basement. That's it, right? If you suddenly were doing a scan on your network and you saw 15 other systems on your network, that would give you grounds to freak the hell out, right? Because you don't know what's going on. So in the same way, an organization needs to know everything that's going on in their environment. They need to know what networking devices are on their network, all the nodes, what their IPs are, what systems they have, what vulnerabilities they have. They need to know all the software that's in their environment. They need to know if there's wireless, if there are other connections coming into their network. They need to know everything that's going on with their network. And that's where a CM control comes in. So CM is controlling your environment. That's all it is: configuration management, managing the configuration of my organization's systems, because we have very important stuff going on. That's CM. And so they're saying that this CCI links to this CM-11. So if we go down... let me see if there's anything else I can show. Okay, here's what I'm gonna do. I'm gonna actually bring up a STIG. This is a STIG Viewer right here. This is an application you can download for free. Go to disa.mil, or just Google "STIG Viewer." It's basically a little app that will grab all of the security CCIs, everything you're supposed to do on a Windows system or on a Linux system or a Red Hat system, whatever system, and says, okay, have you done these things? Right? So that's what we're looking at here.
So I've already taken the liberty of downloading a Windows 10 security STIG. And one of these days I'm gonna make a whole course out of how to do this. This is something I've been doing a long time, so I definitely know how to do it. So here we are. I can explain and break all this stuff down. It's pretty involved, especially if you're going through all of these. So this right here, what you're looking at, is Windows. Okay, this is not showing us everything, so I'm gonna make this a little smaller so you can see everything going on here. There you go. Hopefully that's clear to you. There we go, right there. So right here, we're looking at Windows. The last one I showed you was a screenshot. This is an actual STIG that I pulled down, not from a client of mine or anything like that; I would not show that. So, just so we're clear, this is just a random STIG that I downloaded from disa.mil, and that's what we're looking at. This is generic. So what I wanna show you is this first CCI. Here's where I'm getting the number from, right here, if you can see where my cursor is pointing: CCI-000366, "Organization implements the security configuration." And what is it linked to? There's a few of them: CM-6, CM-6.1, and CM-6 b. What are we doing? What we're doing is looking at "Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version." And it goes into a deeper discussion on what they're wanting as far as how to meet this particular STIG control, and each one of these is broken down that way. So, okay, let's do a little bit of a tour here. There's a couple of numbers here that I think you should know. So let's look at this one right here. This vulnerability ID identifies each individual potential weakness of a system.
It's saying that specifically the weakness on this system is X, right? And the rule name is attached to a WN10- (Windows 10) identifier, right? And each one of these vulnerability IDs is attached to a specific weakness that has been detected and needs to be addressed. Right. And so you can manually go through each one of these. So one of the things that you can do as an information system security officer, one great tool you can use, better than nothing, is to run this STIG Viewer and have your system by your side, right? You have your system right here, and you're looking at each individual item, manually going through one by one by one to fix everything on your system. Another thing you can do is run a script that fixes all these things automatically. Right. And I believe there are tools; I wanna say that there's something called SCC, or compliance checker software, that you can get from the Department of Defense, that will fix it. It'll scan your system. You load it on the affected system, and then it'll scan and see what STIGs, what individual CCIs, what vulnerability IDs are not being met on your system. And then you would go through manually and fix all those items. Now, there's a couple of different things here. How does this help you as an information system security officer, if you don't happen to be actually installing these things? How it helps you is that if you have the report from this thing, you'll be able to know, okay, when they did a scan, they found... let me just find a whole different CCI here that we can talk about. So let's say you're only doing documentation. You can take something like this scan, and this would be like an artifact or a bit of evidence stating that this rule has been met.
And how has the rule been met? You could say, right in here, it says, first of all, it's "Windows Ink Workspace configured but disallowed access above the lock." And it tells us how to secure it: securing Windows Ink, which contains applications and features oriented towards pin computing. I have no idea what this is. I have no idea what this is. This is some... oh, pin, like the PIN you enter into the system. Okay, it's making more sense to me. So this is showing us how it would be scanned, like what value you would be looking for. So it's saying that you would go into the registry in the system, and if this was turned on, and if you're doing a scan, it would check for this item in the registry keys. That's what it's saying; that's how I'm understanding it. And it's saying the fix action is to disable the convenience PIN sign-in. So we don't want you to be able to sign in with a PIN, because that's too easy to exploit. So here's how we fix that. That's what they're saying here. And it breaks down exactly how you actually fix it. So if you were doing the documentation for this, there's a couple of things you could do. You could use this to explain what the weakness is. Let's say your organization didn't do it. You could use this to break down where we are not meeting it, specifically what's going on. Or if you wanted to prove that it's been fixed, you could go through and do a screenshot of this feature, or you could run a scan and say, look, here it is right here: the Windows 10 CCI 0003885 has been met. And that covers CM-7 right there. So you could do that on many of these different items that we have here, and
they run the gamut, going from this one, SI-16, to some AC and IA controls; you've got different controls. So it's telling you here in the CCI reference where these map to each one of the security controls, and that's why it's super helpful for you as an information security officer, if you happen to be one. You're looking for, how can I meet these security controls? How does our organization meet this particular security control? So this is just one way, if you happen to have a Windows system or a Linux system or whatever it is, right? Because they have these for every kind of system. All the main systems are covered by the STIGs. You can use this information to figure out if you guys are meeting this particular control, or if you're not meeting the control and how to meet it. So I hope that makes sense. I feel like we kind of went overboard with it, but at some point, what I would like to do is actually take a system and secure the system using the STIGs, using the SCC tools and everything, but that'll be a whole course, because all that stuff takes a bit of time and setup and all that kind of stuff. I'm actually setting up some stuff on the back end here, but it's gonna take me a while to set all that stuff up. If there are any questions we can address those, but while you guys are coming up with questions, I would like to show you something else real quick. Another very useful thing with having a matrix, or having these individual vulnerability IDs and CCIs and all these things, and how they all come together, is beautiful, because there's something else where these same controls map to a more commercialized version of controls, which is CIS benchmark controls. These controls are used by a lot of private industry; some banks and some other industries actually use these controls rather than the NIST controls.

IoT For All Podcast
The Importance of Global Standard for IoT Security | ioXt Alliance's Grace Burkard | Internet of Things Podcast


Sep 20, 2022 21:37


Grace introduces herself and the company before diving into more specifics of what the alliance offers. She describes how the certification process works and the importance of third-party testing. Grace then discusses who can join the alliance and the goals they have moving forward. She wraps up the podcast by talking at a high level about the challenges she's seen in the IoT industry regarding security. Grace Burkard, Director of Operations at ioXt Alliance, spearheads ioXt's overall efforts in setting baseline security requirements to build a safer IoT world. Through her work with stakeholders and various international regulatory organizations like PSA Certified and NIST, Grace plays a crucial role in harmonizing and standardizing security and privacy requirements, product compliance programs, and public transparency of those requirements and programs. ioXt is the Global Standard for IoT Security. Founded by leading technology and product manufacturing firms, ioXt is the only industry-led, global IoT product security and certification program. Through the ioXt Certification Program, IoT product manufacturers and developers can gain formal certification to the ioXt global standard. The certification profiles encompass ioXt Alliance's Security Pledge, which is the result of industries working together to set security standards that bring security, upgradability, and transparency to the market and directly into the hands of consumers. The program measures a product by each of the eight ioXt principles, with clear guidelines for quantifying the appropriate level of security needed for a specific product. Once approved, the ioXt SmartCert informs end users, retailers, and ecosystem partners that a product is secure. Products with the ioXt SmartCert give consumers and retailers greater confidence in a highly connected world.

ConvoCourses
Convocourses Podcast: Cybersecurity Consultant versus ISSO


Sep 18, 2022


http://convocourses.com   All right. I'm testing a new platform called StreamYard, and this is the Convocourses podcast. I'm gonna do about, I don't know, 20 or 30 minutes to test this out and also to inform you guys of a career move I recently made. I haven't really talked about this. But about three months ago I was working as a cybersecurity consultant, and that's much different from an information system security officer. So in the past three or four months I made a big move. Well, not really a big move; it's not a big move for me, I've done both jobs before. But all I want to do is compare the two, kind of give you an idea of what the differences are between a cybersecurity consultant and what I'm going to be doing with information system security officer work: what's the daily life of both of those things, how do they compare, and give you an idea of which one you should choose. Before I start, you should know that I own a site called Convocourses, where I teach cybersecurity compliance and how to get into this field as a cybersecurity person. I've been doing this for 20 years, doing cybersecurity in all forms of security, as well as some IT, information technology stuff, like being a system admin or network administrator, stuff like that. I've done a little bit of all that stuff. But my specialty is really in security compliance, and so that's what I teach people to do. And people ask me on YouTube, on TikTok, questions, and I'll just go ahead and answer them. And by the way, if you have any questions during this, feel free to ask them and I'll do my best to answer them. Sometimes we have such a great community that they'll actually answer the questions on my behalf. There are things I don't know, so some other subject matter expert will jump in and then answer those questions.
Those are my favorite times on Convocourses, because that's what Convocourses in my mind is all about: the community and us coming together, figuring things out. Okay. So, I wanted to tell you recently I made a huge move. I was working at a major telecommunications company that does cybersecurity on the side; they have a branch that does cybersecurity. I did it because it was a great opportunity. One of my former coworkers referred me and brought me into the company. It was a great company. They had great benefits; it was some of the best benefits I've had outside the military. It was decent pay, and the only bad thing was that there was a lot of travel, and that eventually was the thing that got me out of there. And it was stressful too, and I was having too many personal issues that happened at the time that I was working there. I worked there for about two and a half, three years, and I was doing cybersecurity consulting for them. So, what we would do is we would bring our expertise to smaller companies. We'd go to a lot of companies, banks, hospitals, and healthcare industries that you probably use, to be honest with you. Some of them I was surprised by, like, damn, I use this. We were doing security compliance for them. And it wasn't just security compliance. It was basically, we would do a bunch of risk assessments, and those risk assessments would be things like, we had 12 to 15 different risk assessments, depending on what they chose. So we would do things like physical security assessments, and of course network security assessments; there were like three of those. We did cloud-based security assessments. We did wireless security assessments. We'd take all of those and we would give them an overall view of what their security looks like.
And then we would prioritize where their major risks were. And then we would talk to the C-level or director or upper-level management to say, hey, this is where you should focus your energy, because this is where we see the most risk. And the purpose of that was to reduce their vulnerabilities, any kind of vulnerabilities they have, and they can focus all their time, money, energy, and resources on that highest level of risk in their organization. That's what I was doing. And it wasn't too bad; I actually liked it. I fit right in over there. We would do these reports, which were really easy for me. The challenging thing I found was sometimes the clients were a bit difficult to work with, and it wasn't that they didn't know what they were doing or something like that. It was just very high-strung, because cybersecurity can be very stressful. If you have a major vulnerability and you have to take that to the CEO and say, hey, we have a bunch of legacy systems that are in this area here, there's a lot of stress, because you don't want to be the bearer of bad news. And we'd find those things and we'd say, hey, you have this stuff going on. And there was just a lot of stress with that. That's probably the hardest part of the whole thing. The travel wouldn't have been a big deal if I hadn't had so many personal issues happening with my family, kids and everything, that just all happened at once. So, unfortunately, I had to leave, because I actually really loved the people and everything. What did my daily life look like? We were mostly going off East Coast time for me, because that's where most of my clients were. They'd give us like two or three clients, and then you would work directly with them. So, most of your day was coordinating the scans and the assessments that you'd have to do; if you had to go to their site, you'd have to coordinate that.
And they expect you to go do that on your own. It was very self-directed, where you have the client, you'd run the meetings with them, you'd coordinate when you're going to go there, you'd coordinate how many hours or how much time it would take to get there and who you're gonna meet, and all of that stuff you'd have to do. And then the scans: we had a separate scan team. We'd work with the scan team, we'd work with the program managers, and we'd put together this report to deliver on a quarterly basis and sometimes annually; it depends on what kind of assessment it was. Because obviously you wouldn't do a physical assessment every quarter; that wouldn't really make any sense, because that stuff doesn't change. But anyway, that's what we would do. It is mostly meetings and coordination, doing scans and reviewing the scans, and then writing reports. That was your whole day as a cybersecurity consultant at this organization I was with, where the main thing we did was deliver these reports, and most of it was risk assessment type stuff. And I was very familiar with that, because in the Department of Defense we do a lot of security assessments and stuff. So that's very different from where my main core specialties are, which is security compliance. We would dabble a little bit in security compliance every now and then. I would help them do a PCI audit or something like that, or we'd say, okay, here's how your system would fit into NIST 800, or here's how your system would fit into CIS controls. You'd do a little bit of that, but that wasn't really what we were doing; it was separate from what we were doing, which was mostly risk assessment type stuff, seeing where their risks are and determining that. Now that brings us to the next thing, which is information system security officer.
So information system security officer is more in the compliance space, security compliance, and security compliance is making sure an organization is lined up with regulations, laws, and industry standards. That doesn't have to be the federal government, which is mostly what I work with. It can be hospitals; they have a certain standard that they're supposed to meet, one of which is called HIPAA, where they have to make sure that they're protecting their patients' healthcare information and their digital records for healthcare and stuff like that. Another example of industry standards would be PCI compliance. That's protection of credit cards. So whenever you are at a store and you're using your credit card, they're supposed to have a separate network for those point-of-sale devices, so that it doesn't touch, say, the Wi-Fi that's for the staff or for guests to log in. So that has to be a separate, protected network, so that the credit card data is protected, separate from your other networks. That's just one of the things you have to do. Another thing you have to do for PCI compliance is have adequate documentation for the security of the system, like making sure that we have network diagrams and making sure you have an inventory of all the assets, things like that. Those are all the types of things that you would have to do for PCI. And those are just two examples, but you've got CIS compliance, you've got ISO 27001 compliance, many different countries have their own security compliance, and different industries have their own compliance. So my specialty is in NIST 800 security compliance. NIST 800 is what the federal government has created and adopted as the main source of security controls. Security controls are a set of security features that protect the organization's primary assets.
That means like your main server that has all the Social Security numbers on it, your main server that has all the secret data on it, the main server that's holding all the maps of different parts of the world. That's what you call an asset. So those are just some of the examples, and those are some of the differences. Now, one of the things is what it looks like on a day-to-day basis for an ISSO, just to compare this versus the consulting I was doing. So it's also a lot of meetings. Security is a lot of coordination. Cybersecurity is a lot of coordination with different organizations, because you're having to meet different subject matter experts. You're not necessarily the person who's locking down that Windows server. That's gonna be a server type person, a person like a system admin who specializes in Linux, Red Hat, network administration, and Windows 2019 Active Directory servers, so you are gonna coordinate with them. So an ISSO, that's what they do. They're coordinating with these different people, the firewall guy, the privacy person; they're coordinating with all these different people to make sure that the organization has a certain level of security. So it is a lot of meetings. It's a lot of meetings with a lot of different people, and that's probably the main difference: the meetings. An ISSO is gonna have a meeting with all kinds of people throughout one organization, whereas a consultant is gonna have a meeting with just a few people at different organizations. Like me, I had three or four clients at any given time, and I would have to coordinate with a main point of contact. I would talk to two or three main points of contact, and every now and then I'd meet a C-level exec, but I was talking to three or four different organizations.
Whereas an ISSO is talking to maybe one organization, and there might be other sub-organizations, but they're all one; you're talking to many people in that organization. So you're going really deep into all of the details and making sure that all the security is in place. Now, it's not an enforcement role. Typically you are more like a news reporter. What I mean by that is a lot of people think that you're the police and you're gonna come busting down doors and say, hey, we gotta secure this server. That's not really your job. You might point things out, but the person who has to be the enforcer is gonna be management, because things come down from management, so they have to be the ones to enforce that stuff. Now, if you happen to be the mouthpiece to tell them, hey, the CEO just said this, you're just a reporter. You're just reporting to them: hey, this is what happened, we have to obey what is going on with this organization's policies, here's what we have to do. So those are the main differences between a security consultant and an information system security officer. The reason why I quit my job as a consultant and now I'm going back to information system security officer work has more to do with, not the work per se, it is more like the travel. The organization I was at paid really well and had one of the best benefit packages I've ever had, but it was too much travel and I had too much stuff going on. And I had too many clients; it was getting a little stressful, plus I had family stuff I had to deal with. So that's the reason why I transitioned over. And now I'm going somewhere where it's gonna be a better fit for me and my new family situation. So that's what's going on. Okay. I've got some questions here. Let me see, from Mike. Thanks, Mike, for your question. I really appreciate that.
And Mike says, quick question: the ISSM role, coming from being an ISSO. What's your suggestion? Quick question: an ISSM role coming from... are you gonna be doing an ISSM role, coming from being an ISSO? I'm assuming that's what you mean. So you were an ISSO and now you're about to be an ISSM; that's how I'm trying to interpret your question. Any suggestions? Yeah. So the biggest difference between these two roles is that one is a manager, information system security manager. You're gonna have even more meetings. I'm just gonna tell you the differences. So they both have a lot of meetings, but an ISSO has to be more in the weeds, because an ISSO has to be able to, let me give an example of an issue. A vulnerability comes down. Let's make something up: the vulnerability is a zero-day exploit on Windows 2019 or something. And now the ISSO gets wind of this, and that comes from the vulnerability team. Now they have to meet directly with the vulnerability team to figure out what's going on with this thing. And they might have to spend some time researching what the zero-day exploit is, what the criticality of it is, like how quickly do we need to fix this thing. They have to be in the weeds. So they have to probably go to the CVEs and then figure out what this affects. And they have to probably look at a list of all the systems that this is going to touch, and how quickly can we fix this. So an ISSO is more in the weeds, in that they have to know what is going on on a technical level; they have to get more in the weeds and be more technical, if you get what I mean. They might not have to touch the system. A lot of times they're not the ones implementing the security controls, but they're coordinating with the people who have to implement those security controls.
Compared to that, an information system security manager's meetings are more with upper-level people. So they're dealing with stuff that's more broad and that's touching the entire organization, and making sure the security team has all the resources, all the time and resources that they need to do their work. So you're gonna have the same amount of meetings or more, but they're gonna be with upper-level management from fields like the IT manager, the information technology manager, the network manager, the network engineering manager. You're gonna coordinate with them, and you guys are gonna be talking about resources. How many resources do we have to do this work? Okay, we just had this zero-day on Windows 2019. Do you guys have the resources and time to do this? How much time do you guys need to actually get this done? So you're talking, on a broader scale, about how do we manage the resources that our team needs to get this job done, and can we get it done effectively in a reasonable amount of time. And your main job is managing expectations for upper-level management, the C-level execs, the directors and all that, managing their expectations. That is your main job, as well as taking care of the people who work for you, the ISSOs. Your job is working for the ISSOs and managing the expectations of upper-level management. So you're still in cybersecurity, but it's more of a management role. You're not in the weeds. You're not ever touching any technology. Whereas an ISSO might have to touch something at some point, like they might have to touch the eMASS system, where they're inputting information there. They might have to create a security policy, or help create the security policy, or review the security policy.
They might look at audit logs. They might help enable audit logs. They might be the person who's doing threat detection and stuff. The managers, they're not doing that kind of stuff. They're working on resources for the information system security officers. So it's a great move, because ISSMs are legit managers, and so they're typically paid a lot more. They're paid more. And if you're a first-time manager, you should get a pay bump. But if you have been doing management for a while, you get a significant pay bump, like if you've been doing it for a year or two, then you'll be able to, if you ever move... Those are the guys who eventually become directors. That's the path directly to director and C-level exec and things like that, who get paid a lot of money. So that's really good. That's a really good move. If that's the case, if that's what you're doing, then that's awesome, man. And Mike says: got it. ISSOs. I worked with eMASS and CSAM and Tenable. Yep, Tenable Nessus and all that kind of stuff. That's right. Exactly. You got it. They're more hands-on and touching stuff. Whereas managers, they're not. They're going to ask about: hey, you have access to eMASS? Okay, cool. Great. They might look in there: okay, let's make sure that the system security plan is there. All right. Any problems with the system security plan? Okay, good. There are no problems. Let's go. Or: hey, does the new guy have access to eMASS? Does the new guy have access to Tenable? Okay, cool. Or: let me help out, let me coordinate with the person who controls access to Tenable to make sure the new guy has it. Or: we just had some people leave; let's make sure that person no longer has access to eMASS or Tenable, stuff like that. That's the manager. They're not putting things into eMASS or running the scans necessarily.
Sometimes... I've been with some managers who did do that kind of stuff, but it was because they wanted to do it. They were very sharp, very technical, and they wanted to do it, but they totally didn't have to, and they had other things to do, by the way. All right. Let me shift gears. If you guys have any questions, go ahead and feel free to ask me any questions. I'm testing out this new platform. That's why it all looks a little bit different. So if you have any questions whatsoever, feel free to ask me. In the meantime, let me show you that I have a book out called RMF ISSO that walks you through, it's a bird's-eye view of what NIST 800 is all about. It's very quick, and this is actually the audio version, which is only about one hour long. And then also I've got a deeper dive into the NIST 800 security controls, but I'm not hitting every single control. What I do is I hit the families and give you a practical understanding of what the families are, how you navigate those, and an interpretation of the families of controls. And I focus from an ISSO's perspective: what parts of that family do you really need to know? That's the kind of stuff that I'm focusing on. And another thing you guys should know, if you didn't know already, is I have a podcast. Here it is right here. The podcast is, I'm doing the podcast right now. So the type of stuff that you hear me talk about here is the kind of stuff that's actually going to be on the podcast. But the difference is, on a podcast you could just be in your car on your commute and listen to it, or when you're cleaning or something like that, you can actually just listen to our conversation as you're doing your thing. So that's the good thing about doing a podcast. I actually really like podcasts. I'm listening to one right now, learning a new language, and I really like it. Okay. Let me see. There's another question here from Mike.
He says: can I book you as a consultant for my ISSO role? You know what, I'm actually in the middle of a couple of other consultations. You can email me, feel free to email me, and I'll see if I can find some time for you. I'm not saying no, but let me see what I can do. I'm going to send you my contact. My contact is scrolling across the bottom. There it is: contact@convocourses.com, if you're interested in getting some kind of consulting and stuff like that. I'm getting back into the work field. I'm not going to be able to do as much consulting as I was doing before, because my hours are going to get tapped, but hey, who knows? Maybe we can do it before I actually start my job. Right now I'm going through the background investigation process. Okay. I got another question from Mr. Fernandez. He says: so I'm getting my bachelor's degree in cybersecurity in December. I'm currently working in physical security for government contracting, so I'm dealing with classified documents and DoD things. Will... okay, let me see the rest of this question... will I be able to get an entry-level ISSO job, in your opinion, yes or no? Okay. So, Ludwig, let me give you an example, and I hope that my example can give you an idea. First of all, the short answer is yes. I know this because I actually started off in physical security myself. So I was a Security Forces member in the Air Force, and basically what I was, really, I was a weapons expert. I don't even know if they still have that. It was called 3P0X1. That was my AFSC, a specialty code that they had in the military at that time. I don't know if they still do; I haven't been following it. But basically what I did was I was a weapons specialist and I guarded planes. I guarded, if the president came into our base or whatever, I'd do that, I'd be on that detail.
Not much personnel security, to be honest. It was mostly guarding resources. And then I also did some law enforcement, so I knew a lot about the UCMJ, use of force, all that kind of weapons training, combat training, all that. I worked with the Army and the Marines and all branches, and different countries' security people, but it was mostly physical security. And I trans... we call it cross-train. I cross-trained from physical security to cybersecurity. There's a lot of crossover. I was surprised to learn that. I'll just tell you a few things that are going to help you going from physical security over into cybersecurity, into IT in general. Number one, you're going to have a very sound understanding of security overall, because it's not really that much different. When you get into cybersecurity, it's just a lot more layers, and it's more complex because you've got defense in depth. Physical security still applies in cybersecurity, which is crazy, but when you think about it, it's common sense: if anybody can touch a system, then they own it. You can own a system. You can take the hard drive out, put it in another device, you can use password crackers, you could use, oh man, you could run forensics tools on it and then extract all the bits on it and figure out what people tried to delete. As a matter of fact, that's what forensics is all about. And speaking of forensics, some of the laws that pertain to you, like when you're talking about chain of custody, when you're talking about making sure that things aren't tampered with during investigations, all those things apply. So some of the laws still apply. What else applies, man? Physical security checks, physical security assessments. The concept is similar and is actually still used in cybersecurity.
You still have to do physical security to make sure that the facility and the room that the information system resides in are protected, so all that stuff still applies. So it is going to help you out. And then the main thing is that if you've dealt with classified documentation before, and if you have a security clearance, all of that will also help you to get an entry-level job in cybersecurity, and specifically as an information system security officer, but any kind of entry-level position, because you have a security clearance, if you have one, that helps. A lot of people confuse security. They think that if you're in cybersecurity, you have to have a security clearance. No, that's not the case. Two different things. The security clearance, they should just call it a clearance; it's very confusing. A clearance just does a background check on you to make sure that you are trustworthy, to make sure that you don't have any criminal background that might cause a conflict of interest where you're working, like a bank doesn't want somebody who robbed a bank. You know what I mean? It's stuff like that. A hospital probably doesn't want somebody who had malpractice. There are certain criminal things, not to say that if you had some kind of case on you in the past you couldn't work in cybersecurity; that's not what they're saying. It's basically that there are certain things that cause a conflict of interest, so they have to do a background check on you to make sure that there's nothing that might allow you to be exploited, or something that deems you untrustworthy to do that particular job. So if you have a clearance, that really helps out a lot. If you've handled classified information before, that actually helps you quite a bit as well, because some people don't have any experience with that and they don't know how that world works, but you knowing how that world works, that helps you quite a bit.
The main thing that you need to focus on now is technical, because for me, going from physical security over to cybersecurity, that was the biggest challenge: learning all the terminology, learning information technology, learning how a computer works, learning how RAM, CPU and storage all work together, learning how to protect those components of an information system. Those are the main things, all the layers and the minutiae of learning networks, how networks work, how you protect those networks, stuff like that. Ports, protocols and services. Those are the things that you need to be really focusing your mind on; the security stuff will come very naturally to you. So the answer to your question is yes, it will help you to get an entry-level job when you get that bachelor's degree. The only thing I would recommend that you do while you're in school, and this is what I tell everybody, is try to get experience, hands-on technical experience, if you can. That means whatever college you're going to, or if you happen to be in the military or wherever you're at, try to get hands-on. If you see the, we call them workgroup managers, fixing a computer, ask if you can help them out, if they will allow you to help them fix that computer, whether it's updating antivirus definitions, updating the security patches, whatever it is, even the simplest thing possible, even if it's putting the router in and plugging it in or whatever. You'll be able to put that on your resume, and the experience is what they really want to see. A degree is great, certifications are great, but the experience is what they really want to see. Another thing is I would highly recommend, if you can, if you have the time, if you have the cycles to do it, and some people do not, that you get a certification while you're working on your degree. A degree takes a pretty long time, and sometimes the certification helps you to get the degree.
If your college or wherever you're going has a certification program, I would go ahead and take it. It's not a waste of your time, especially if you get the CompTIA ones, any of the CompTIA ones. If you get any kind of cloud certification, if you get any kind of networking certifications, those are all going to help you out a lot on your resume. So I hope that answers your question. Okay. I've got another question here. Mr. Fernandez says: I'm Security+ certified, but I don't have the most experience with physical hardware. Okay. Yeah, that's what I'm saying: go ahead and get as much experience as you can with any aspect of information technology. And at this point, since you're new, anything will help you out, whether it's help desk type stuff, whether you're updating, like I said, virus signatures. The reason why I keep bringing those up is because those are the simplest things that come up constantly over time. You've probably done it before; it's something we do so often that we don't even think about it, but that is something you can literally put on your resume. You just need to know how to articulate it. Speaking of articulation, just to do a little transition here: I'm working on a book right now, a new book that's going to tell you how to actually break down a resume. I have a course on this already, so if you're interested... I'm not trying to cram anything down anybody's throat or anything, but I'm working on a book that's a lot cheaper. It'll be about 20 bucks or something like that. It'll have downloadable templates. It's essentially this right here. This course right here is something I've been using for a long time, and because of this, I haven't been without a job. This thing works. This process that I've been doing, basically all I did was say, okay, how am I getting all these jobs?
I literally get like 10 offers a day between LinkedIn, messages on LinkedIn, emails, calls. I'm literally getting anywhere from... it's not as much as it used to be before COVID, and now we have some kind of a downturn in the economy, so it's not as many as it used to be, but it's at least six messages a day I get for different jobs, and I'm just constantly getting inundated with these opportunities. And so all I did was condense exactly how I'm able to do this into a course, and I'm going to make this into a book that tells you how to articulate any kind of security or cybersecurity experience into a workable template that is marketable to employers. So that is what I'm doing, and it's coming; I'm working on it. I actually finished the first draft. I'm getting it edited right now as we speak. The first book is going to be part of a three- or four-book series where I'm going to break down not only how to market your resume, not only how to create the resume, not only a template so that you can use my resume as a sample and other people's resumes as samples, but what I'm also going to do is expand it out into other books that tell you how to get remote jobs, because people ask me about that a lot, and I'm going to do one where it's talking about the different categories of cybersecurity, because that's something I've found: from the questions that people ask, I can tell they don't really know that there are different aspects of cybersecurity. So that is what I'm doing. Mike says: I bought this course from you. You need to update it. Oh, okay. Yes, updates are on the way. I'm working on a whole bunch of stuff right now. So that's, when I'm not on these calls, that's what I'm doing. Okay. If there are no more questions, guys, I'm going to call it quits for the day and I'll see you guys next time. See you on the next one. Thanks for jumping on this one. Thanks, Mike, for all your questions. Appreciate it.
Appreciate all the questions, and thanks, Mike. Thanks for the update, Mike. I will get on that. I appreciate you. Later.

Business of Tech
Fri Sep-16-2022: New rules for NIST compliance, security vendor reduction, and "act your wage"

Business of Tech

Play Episode Listen Later Sep 16, 2022 6:40


Three things to know today New rules for NIST compliance from the US government Gartner says leaders are reducing the number of security vendors AND Maybe quiet quitting is really act your wage   Do you want to get the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/   Support the show on Patreon:  https://patreon.com/mspradio/   Want our stuff?  Cool Merch?  Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com   Follow us on: Facebook: https://www.facebook.com/mspradionews/ Twitter: https://twitter.com/mspradionews/ Instagram: https://www.instagram.com/mspradio/ LinkedIn: https://www.linkedin.com/company/28908079/  

ConvoCourses
Convocourses Podcast: Get into cybersecurity by marketing yourself

ConvoCourses

Play Episode Listen Later Sep 15, 2022


Check out convocourses.com: the Cybersecurity Jobs: Resume Marketing book is coming soon! Hey guys, this is Bruce, and welcome to another podcast of ConvoCourses, where I'm going to be talking to you about how to get into cybersecurity and how to market yourself. If you're interested in getting into a career field that's going to grow in the next five years, probably double what it is right now, where you have job security, and I've never had to worry about whether or not I'm going to get a job. If you are wanting more job security, then this is a great field to get into. And you're talking to somebody who's been doing this for 20 years; I'm speaking to you from inside the industry. All right. So if you have any questions on Facebook, on YouTube, on TikTok Live, on the podcast, then this is a great time to ask any of your questions regarding IT and cybersecurity. So let's keep it to that. I'm not interested in anything having to do with anything except cybersecurity. So let's just keep it to cybersecurity questions. All right. That being said, let's get into this. If you didn't know, I am the owner and proprietor of convocourses.com. It's a site that teaches you how to get into cybersecurity, and specifically my sub-area, where I'm the subject matter expert, is something called security compliance. Security compliance has to do with, if you've ever gone to a bank, if you've ever used a retail store, if you've ever used a point-of-sale device, if you've ever gotten a card from the DMV, all of those things require something called security compliance. That's the rules and the regulations that go into an organization's cybersecurity. So not necessarily implementation of the cybersecurity, like firewalls or IPSs, IDSs and all that kind of stuff.
Not the technical implementation, but more like: how does this organization, whether it be a bank or your hospital or Target or Walmart or whoever, how do they comply and keep security on their systems? That's what I do, and that's what I teach people how to do. I've been doing this for a very long time, specifically for the government, the federal government, but I've also done it in the private sector, and I've done it for states. I've done it a little bit for other countries when it pertained to the US. So let's get into this. So we've got ConvoCourses. I also wanted to tell you that I'm doing real steady podcasts on Podbean. If you want to get some information on that, just go to convocourses.podbean.com. Join me there. I'm doing lives every week. I'm putting out more content. If you prefer to listen to this, or if you're at your job and you want to listen and learn and stuff, this is a great opportunity for you to do that. And I'm open to any kind of questions you have specific to this genre, to this area of my expertise. And one of the good things about this community is that if I don't know something, somebody in this community is a subject matter expert on that thing. And that's one of the things that I personally love about this community that we've been building. So let's get into this. I also want to let you guys know I have a book. I'm going to be breaking down and giving you a lot of the stuff that's in this book. Okay. So if you actually stay tuned for this, I'm going to break down exactly how to market yourself, how to get into this career path and how to level up if you happen to be an IT person, if you happen to be a cable jockey, a person who's laying cable for people doing internet stuff.
If you happen to be in areas like healthcare, if you happen to be in stuff like banking, this is a really good opportunity for you to transition into a career field that pays better, that has more security and has a lot of opportunities for the next 20, 30 years to come, because cybersecurity is not going anywhere. Okay. And it's not all super technical. That's another misconception about cybersecurity, and I like to dispel that myth. All right. So let's get into this. Let me show you guys what I've got going on. I'm writing a book right now that breaks down one of my main questions. So one of the main questions people ask me on TikTok, on Facebook, on YouTube, everywhere, is: Bruce, how do I get into this career field? Like, I've been trying for years. Maybe I'm in IT. Maybe I'm in the hospital. Maybe I'm in healthcare, I'm in this other industry, and I'm trying to break into cybersecurity. I'm trying to break into IT. So what I'm doing, if I could actually switch this thing over, let me see. So what I'm doing is a book where I'm going to tell you how to get into cybersecurity and IT. This works also for any other career field as well: how to get into it and how to market yourself in this field. This is something that I've been using for years. This is not theory for me. This is something I actually do in practice all the time. So it's going to be a series where I'm going to add lots and lots of value to you over the years as I release these books. But let me just get right into this. Okay. So here are the sections of the book. What I'm telling you is, first of all, the expectations, what I've been able to do successfully, and then I break down all of the steps you're going to take to actually put this stuff on your resume, particularly if you are in IT. If you're in IT, the good news is you can very quickly ramp up to cybersecurity by putting certain things in your resume. So, one of the things I talk about:
How to do an ATS-style resume. ATS-style resume means applicant tracking software. This is what most employers are using these days. If you happen to be putting your resume out there and you're not getting any traction, then it might be because the resume style that you have is not correct. And sometimes when you put your resume out there, if you make it harder on the employer to actually take in the data from your resume, they might look you over and look for somebody else. So I'm teaching you how to use, in fact, I'm just giving you a template. If you go to convocourses.com and look for my course, it actually has a free template you can download right now, the template that I use that's been successful over the years. So that's what I do. I tell you, look, here are the tools that you need to set up for this. Here are the places we're going to be posting your resume. And one of the main key features, aside from the format and telling you how to do all that stuff, is I actually show you how to do the keyword research. How do you find what career path to do? Because that's a really important thing. You need to know what path you're doing, because here's the thing: you can see there are misspellings in this book. This is a first, this is a rough draft. Okay. What I do is I bang it out; I just write it as fast as I can. I take all the knowledge and I dump it into this book, and then I go through it two or three times and edit it myself. Then I give it to an editor. So that's why you might see some misspellings; there are some errors in here. Just ignore that stuff. That's going to be cleaned up as I release this. It's going to be released on Amazon, on my personal site, and then I'm going to advertise it everywhere. Anyway, what I'm going to show you how to do is how to find a specific category of cybersecurity.
Because this is one thing that some of the gurus out there and some of the subject matter experts and some of the pen testers and stuff, they don't talk about this. And this is a huge career field; cybersecurity's huge. So you don't have just pen tester. You would think that cybersecurity is just a bunch of people in a closet hacking stuff, and that could not be further from the truth. This is actually a huge career field, and it's getting deeper and deeper. And just to give you an example, in my book here I'm breaking down some of the categories that come from the government. What the government did was they had this initiative where they broke down all of the main career paths of cybersecurity. It's called the National Initiative for Cybersecurity Careers and Studies. I know that's a mouthful, but this is what they called it. Take that issue up with the government of why they name stuff like this, but it's also known as NICE, the NICE cybersecurity workforce framework. If you Google that, you'll find what I'm talking about right here. So what I'm doing is breaking this down in a practical way that you can use. So it breaks down things like Securely Provision. So what does that mean? That's people who architect and design secure systems. And then you've got Oversee and Govern. That's kind of what I do. That's making sure that the system is secure, making sure that we manage the security and manage the risk associated with that system. And it also goes into legal advice and then program management and all that kind of stuff. So as you could probably tell, that's not super technical or in-the-weeds or hands-on type stuff. That's more like organizing, making sure the organization itself as a whole is doing what they're supposed to do. So cybersecurity is a huge field.
Another area that we talk about is the hacking and the defense and the actual people who are on the system, on the actual firewall, doing the configuration, putting the rules in. Those guys do exist. I'm not sitting here saying that they're irrelevant or they don't exist. I'm saying this field is so huge that you've got people who are way in the weeds, all the way down to the mathematics. Right? Because you've got people who do cyber crime investigations, forensics. You also have people who are doing cryptography. So that is also considered a part of cybersecurity, by the way. And this thing breaks down all those different areas where you would find these different categories. And then it breaks it down even further into specializations. So what my book is going to do, and what I'm going to show you how to do, a practical way to do this for yourself right now, is what they do is they break it all the way down to work roles. And then once you figure out what work roles... the first thing you've got to do is figure out what part of cybersecurity you want to go into, because it's not enough to say "I want to go into cybersecurity." You've got to be like: I want to be a pen tester. I want to go into cryptography. I want to go into forensics. I want to do what Bruce does; I want to do information system security officer work. I want to do compliance. You've got to be down to that granularity. And the only way for you to get there is for you to do some study on your keywords. Right? So that's one of the things I break down in this book. Now what I'm going to do right now is show you exactly how I do this. So what I'm going to do, live right here right now, let me just switch my screen here on TikTok. So what I'm going to show you right now is what I do. Okay. So there are three main sites in the US. Okay. Three main sites.
And this is different, by the way, this is different for each country. If you want to work in another country, you have to find a whole other set of sites to go through. In the US, there's a top 10 group of sites that work the best, and the top three are going to be LinkedIn, Dice and Monster. So those three sites are the best sites that you can go to, but there are like 10 or 20 others that you should definitely apply to if you're trying to get a cybersecurity job, if you're trying to get really any job, because those are the top sites. Now, if you're in nursing, if you are doing something completely different, like sanitation engineer, if you're doing something completely different, like civil engineering, there might be other sites for your industry that are better for you, but you've got to do that research. I'm talking about cybersecurity. I'm trying to get you prepped to get into this field, cybersecurity, by knowing not only the keywords but also the top sites. Now the top sites that we're talking about are Monster, LinkedIn and Dice, and Indeed is another really good one, but these are the sites I'm going to show you real quick. So once you do your resume... so, first of all, the first thing you need to do is figure out what keyword. Right. So let's say you did your research and you know: Bruce, I want to go into forensics. I'm going to show you real quick how you can find keywords for forensics if you didn't know a lot about it, if you hadn't done research, if you're just starting out. You just go to the search engine and type in forensics. Now this is a very broad field. Forensics itself is super broad. If you ever watched that show CSI, they don't really talk about computers much. They talk about dead bodies and extracting the maggots from the bodies and stuff like that.
I mean, that's kind of a crude thing, but that's exactly what they talk about, entomology and all that kind of stuff. We're talking about computer science. So let's type in forensics computers. Now I happen to know that they call it digital forensics, but let's say you didn't know that. So I just typed in forensics, and see why? It automatically came up with some keywords. This is how you do it. Now this works if you're doing this with cybersecurity analyst, if you're doing information security officer, information system security, period, cloud security, any kind of subject matter you want to do. This also works for any other field you want to be in. You just type in a little bit and it starts to come up with some of the keywords. So let's look at this one right here: computer forensics analysis. This is leading us down a rabbit hole of all the security keywords that we need for this particular career path. Now I'm going to go ahead. I'm on monster.com, by the way. And now I'm searching for this career. But now, where do we get the keywords once these jobs come up? I'll show you. So another thing to note is the salaries. Now, if you didn't know, this salary is for information security analyst, and they don't always say the name. You notice the names: none of these are saying forensics. That's because that's how this works. Whether you're doing cryptography, whether you're doing whatever, it doesn't always have the exact name of the title of the role, the work role that you want. And that's why it's very important for you to do the research on your own to figure out what is in this career path. Okay. What are the keywords? You can see a pattern already: information security analyst, information security analyst, cyber intrusion detection analyst. These are all analysts, right? Let's look at this one: cyber forensics analyst. So all of these jobs have analyst in them. Okay.
That's why all these are coming up. The keywords are gonna be in the responsibilities, the requirements, and the skills, and sometimes they'll have desired certifications. Just off of this right here, we can get the DNA that's associated with this particular job role, this work role, right? Just off of this one thing right here, we can pull a lot of different gold out of this. Now let me just show you what I'm talking about in the responsibilities. What you wanna do is read like four or five of these to get an idea of what this job is all about. First of all, cuz you might not even want to do it, right? You might have watched CSI one too many times and you're like, "Oh, I wanna be a hacker, I wanna do forensics." The job is rarely what you think it is. You know what I mean? So you definitely wanna do your research, and if you can talk to somebody like myself who's been in this field for a while, ask them, like, "How do you like it? You've been doing this for 20 years. How do you like doing this job? Is this something that you think I should do? What are the pros and cons?" Those are the kind of questions you really want to ask. Let's get back into keywords. So if we're looking at keywords here, I'm seeing a couple off the top of my dome right here. If you see words like this that you don't know what the hell it is, PCAP, that's a key right there. There's a couple key tasks in here: stakeholders. There's a couple of keys in here already, but you wanna read through responsibilities cuz you might not even wanna do this job: "collects network device integrity data and analyzes signs of tampering and compromise." Okay. So signs of tampering and compromise is one of the things you do as a forensics guy. Now let's get a little deeper into this: desired skills. Look at this. Now this is a gold mine of all kinds of keywords.
See all this stuff right there. These right here are tools. It says you need to be experienced and proficient with the following tools: EnCase, FTK, SIFT. These are all tools of the trade for a forensics guy. Very important. Just like a plumber. If you are a plumber, there's certain tools that you need to know, right? There's certain basic things in that field that you need to know. If you don't know 'em, you gotta get to know 'em, right? Especially if you're brand new at this, you gotta get to know what those things are. Now I'm talking to people who might have a little bit of IT experience or something like that. For forensics, you probably have to know at least the basics in IT. Very, very important. So now let's get back into this. Let's get back into finding our keywords here. So these are all keywords right here. And now what you wanna do is take these. You got two things you can do from here. You could copy and paste them into a blank text file. You can do that. Another thing you can do is put it into something called WordArt, and what WordArt does is it makes a visual representation of what you found. So let me just show you what I'm talking about. That's wordart.com, and it's just a tool to kind of help you visualize what's going on. So here's WordArt. Right here you can create your own, and it comes up with this site here, and what you'll do is you'll input the words. You'll copy them and then import them in. So let me just show you what I'm talking about. I'm gonna go back here and I'm gonna copy, and you wanna do this on two or three different jobs. I'm gonna copy this and we're gonna import what we just copied into WordArt. We're gonna import it now. They take it right here. So I just copied it. Boom.
I put it in here and I'm gonna import these words, and now what it did is it parsed out every word that's in the text that I just downloaded. So let me backtrack a little bit. What I'm doing is I'm going through two or three of these different websites, two or three of these different jobs, and I'm gonna copy and paste those into one file, one Word document. Then I'm gonna take those and put 'em into WordArt. And then we're gonna get a visualization of what this looks like, to see what areas are the most important that we need to focus on. Tools. Look at this. For forensics, we can see that "tools" is mentioned a whole bunch of times out of this. Now this is kind of a light list. Like it's only mentioned twice, but you wanna get like four or five different ones and dump 'em in there, but you kind of see the idea of what is happening here. And then the tool that is mentioned the most is EnCase. Now, EnCase is a forensics tool that's very expensive. You might be able to get a free trial version to mess around with it. But this is not cheap; this is one of the most expensive tools out there for forensics. So EnCase, I'm very familiar with that. It's used quite a bit in the government too. What they'll do is, if somebody's done a crime on a computer... I could tell you some crazy stuff for forensics that's happened; it's pretty dark. I mean, the stuff that they're looking at, if you have a forensics guy in there, then whatever the hell's on that computer is pretty bad, right? It's not something I could talk about without getting flagged by everybody. You can kind of come up with an idea of what it is. It's murder and stuff like that, right? Or worse. Think of something worse than that. So, anyway, that's what's on people's computers. It's just bad, man.
Anyway, so EnCase, one of the things it does is it'll take a hard drive that somebody has tried to clean, that they tried to delete stuff on, and EnCase can see all the stuff. The stuff's still on the computer after you delete it, by the way, even if you put it in the trash and then emptied the trash; it's still on the computer. And EnCase looks at the ones and zeros that were originally written on the disk, lifts those up, and then it can reconstruct those into files. Like if they had an image or a video or whatever, it can reconstruct those and give that to whoever's doing the investigation, and they'll use it for a court case or whatever. FTK, I believe, does the same thing. It's like an open source version of EnCase, if I'm not mistaken. And then there's some other tools here, but yeah, this just gives you an idea of how you can pinpoint different keywords that are in any kind of genre, anything that you're trying to do. So now that we know how to do keywords, the next thing we wanna do is put that in our resume. Now you don't wanna just put this in any resume. You wanna put it in an ATS style resume. Let me show you what I mean by that. So I have an example of that in my book here, and I'm just gonna show you that real quick. And if you want an example of this, there's a couple things you can do. You can go and Google "how to find an ATS style resume," those exact words. Or you can go to my site, combo courses.com, and look for the cyber security marketing course. That has a free downloadable of what I'm about to show you, and it has the actual format that you can download and use for your own resume. ATS style resumes are so important because... and see, I'm using WordArt here. I'm telling you how to do this. I'm walking you through it in this book. That's all the stuff that's gonna be in this book that's coming here real soon. So I'm looking for the actual resumes. I got a lot of stuff in here.
It's breaking down everything, every aspect of what I'm telling you right now, but in greater detail. I skipped over a whole bunch of stuff that you should know. So I'm trying to find my ATS style resume in here. Man, where is it? Okay. ATS. It should be here. Okay. ATS style resume, all the sections. I'll give you an example of what that looks like. And then we go to... here it is right here. All right. So here is an example of an ATS style. Is this it? No, that's not it. Sorry about that. Yeah, this is it. See how simple this is. This is an ATS style resume. It's very, very simple. It's not got a lot of stuff in it. So it'll have the person's name. It doesn't have anything fancy; there's nothing fancy going on with this. Now you can make a fancy ATS style resume, you know, but I'm not wasting my time with that for this. I'm just telling you exactly how to do this. So you'll start off with a breakdown of what's going on with a person, and then you'll put your contact information, and you'll put a breakdown of who you are. Another thing that I do in the summary, by the way, is I'll put, "Hey, I wanna work remotely," cuz that's an opportunity for you to say that. Another thing you can do is say, "Hey, I have a security clearance." Like you wanna put the security clearance right up top if you can. So you can put that in the summary. So right here, you just put summary. This is an ATS style resume. This is it right here. You put the name, you put the contact information, you put a summary, you put education up top, you know, in this style right here. See how this is. And the reason why the format of this matters is because when your resume is uploaded onto these sites, when you put it on Indeed (that's another thing you need to do, you need to put it on Indeed), you need to put it on Monster, Dice, LinkedIn, you need to put it on as many sites as possible.
If you don't have a job, your job should be to put this on as many resume sites as possible. That's what you should be doing. Okay. Another thing I show you how to do is how to protect yourself, because another thing that's happening right now, lately, is these freaking scammers are scamming people to get their social security number so they can do identity theft and all that kind of stuff. So I've never fallen prey to that, because of the way that I do my resume. I don't put my real name. This is crazy. I don't see anybody doing what I'm saying. I do not put my real name on the sites. I don't do that until I'm talking to a screener, like maybe the second interview. Then they know my real name. They do not know my real name till I'm on the second interview, a lot of times. Right? Cause I'm screening them as they're screening me. Like I'm screening the organization. Also, I do not put my real phone number. I might even put a different email address, like a fake throwaway email. You can even do that. But I put a different name, an alias. I put an alias, something similar to my name, but it's not my actual name. I do not put my real phone number. I'll use a Google Voice number. I tell you how to do all of this in this book. All right. All this is coming soon, as soon as I finish this. I've gotta do the first draft of this book. You can see all kind of misspellings and stuff in here. I'll write the book really fast and then I'll go through it and edit and stuff like that. So I just wanted to tell you guys, I just wanna inform you, this is how I do it. And it's been working for me. I've not been without a job. I mean, we've had several different collapses in the economy where we have recessions. That stuff does not affect me.
I mean, it affects me in like, okay, if I'm going to Walmart and the prices are higher, or the gas is jacked up or something. Yeah, that affects me, obviously. But I'm talking about with a job, I'm good. Like I'm always employed. And the reason why is because I'm in cyber security. I'm in one of the fastest growing industries in the world. And not only that, I stay ahead of the game by marketing myself. So people are constantly contacting me about jobs, and I'm not telling you this to toot my own horn. I'm telling you, you can do this too. You can do all the stuff I'm doing, too. Everything I just told you is what I do. And that's how I'm able to stay ahead of the game. I have a dope resume with all the keywords for the industry I'm searching for. It's all over my resume. It's in the summary, it's in the actions that I've done for an organization in my work experience, it's in my skills. It's all throughout my resume. And then I put that out there. And here's another thing. If you are in IT, if you are on a help desk, if you are laying cable for people, if you are in the hospital, wherever you happen to be, if you've touched a computer before, okay, you have to put all the security stuff that you've done for that industry. You have to put all the stuff you've done, cuz that's really important. A lot of times what people won't do is they won't put the cybersecurity actions that they have taken, and that's really bad. So that's another huge thing that you have to do. Okay. So let me keep going here. I'm gonna answer a few questions. I'm not gonna stay on here too long, but if you have any questions, feel free.
If you happen to be watching me, feel free to ask me any questions that you have about getting in this industry, about cybersecurity, about risk management framework, about security compliance, anything at all. I've been in this career field for a long time. I'm gonna tell you from the perspective of somebody who's been doing this for some time: real world examples, real world practical things that you can use to upgrade yourself. All right. I'm answering some questions on YouTube, as I do once a week. And if you didn't know, I'm also on TikTok. I'm answering questions there, very one-on-one type questions. I'm answering questions on my email. I'm doing work for people, like helping people with their resumes. I do all that kind of stuff. If you're interested in that kind of thing, where I'm going way deeper and doing like a one-on-one, like just me and you corresponding, not like this kind of stuff, you can email me at combo courses@contactcombocourses.com. Or you can go to con courses.com and find my contact information there. I'm out there. Let me answer a couple of these questions. Somebody watched one of my videos and said, "This is a gold mine." Wow. I appreciate that. Great compliment. This was when I was doing a video about help desk to cyber security and trying to help people with that. Somebody said, "How can I purchase this book?" Some old book that I wrote. If you didn't know, I've got some books out there on audio, on Audible. So if you like listening to books, I listen to books quite a bit. And I just wanna tell you guys, I have a book out there. If you go to audible.com, if you happen to have it... if you don't have Audible, actually you're in luck, because they'll give you like a free trial. But you can go and just type in RMF ISSO.
And these are two of the books that I have right now, over four hours worth of content to listen to, if you're interested in this. This will also help you with CAP a little. If you happen to be doing a certification in CAP, it'll help you. It'll help a little bit in Security+, but it's like a small portion of Security+, so it's not gonna help you that much. But CAP, this helps you probably... this is 60% or more of the stuff that's on the test. It's not catered to you taking the test, but it will help you to understand the practical implementation of risk management framework. So there's that, if you're interested in listening to this. It's on Audible. I'm also on Amazon. You can just type in Bruce Brown or you can type in NIST 800 control family. My book is out there as well. And then you can also order it directly from me on combo courses.com. This is the site right here. Tons of free stuff here, by the way. People are really upset about selling products and things, but a lot of the stuff that I have on here is actually free. And if you follow me on YouTube, there's just so much free stuff on there. Like a lot of the stuff I say on here, or that's on my website, or that's in my books, it's there. You just gotta dig for it. You know, if you want a little bit deeper dive, then that's when you go get the book or get the course itself. That's when you're serious about this. That's when you wanna start getting the book and getting in deeper in this and asking direct questions. Okay. Somebody asked me, "If you want to be an ISSO, what certification do you need?" That is a great question. Let me break this down for you. So ISSO work is normally for the federal government, and let me just put you on some game right here. So ISSO work: the federal government goes by something called 8140.
So 8140, DoD 8140, is a breakdown of what every contractor and government employee should have as far as certifications in order to get in this field faster. So what I'm doing right now is I'm actually showing you what 8140 looks like. And for those of you who are listening to me, I'll explain what we're seeing. So this is 8140, and essentially it's an approved baseline of certifications. It changes from time to time; lately, about every six months they've been updating this. So there's a couple things here that I'm not seeing that've been either removed or added. In fact, let me see if I can go to the newer version of this. If you go to, oh, what is it? disa.mil. Yeah. Okay, disa.mil. I think it is disa.mil, 8140. They have one of the most up to date versions of this thing. They used to call it 8570, and it's all the approved certifications. So if you go by this list right here that we're looking at, this is a list of approved baseline certifications. Let me explain what's going on with this thing. If you can see this... let me make it a little bit bigger here, but I'll also explain it. So they have this broken up by technical and management, architects, analysts, and auditors. Okay. Those are the main categories. And let me just explain each one. So IAT means information assurance technical. That's basic technical troubleshooting. It might be designing or configuring systems. These certifications are needed if you're a level one. A level one is basically like a help desk person. This is a person who has basically a one-on-one relationship to one customer at a time. Somebody calls in and says, "Hey, I have a trouble ticket." That means something's broken and they're not connected to the internet, and they happen to be on the fourth floor.
And then you, or you call 'em online. Maybe they're a remote worker or whatever, but this is the first line of defense for people fixing computers: help desk, customer service, field technician one, that kind of thing. They're expecting you to have an A+ certification, as listed here, a CCNA Security, which is a very hard security certification. I don't know why they put this here. I didn't make this, so keep that in mind. Network+, CND, which I don't even know what that is, SSCP, one of those things. That's IAT level one. And remember, IAT level one is a help desk person. Now, if you happen to be upper level, like let's say not only do you do help desk stuff, but you also do some networking stuff, like you might be responsible for fixing the network on a whole floor. This is like network engineers. This is like people fixing a whole LAN, a local area network, people who are responsible for a local area network, a virtual local area network. So they're kind of having to look at server issues as well as switching and networking problems locally, as well as like one-on-one customer support. So what certifications does an IAT level two, information assurance technical level two, need? So that's a CCNA Security, Security+, CySA+, and so on. Security+ is a big one. These are the ones that they're looking for. Okay. We're gonna get to the information system security officer in a second here. I'm just building up here so you can kind of understand what's going on. Now, IAT level three. So this is an enclave. Normally these guys are kind of beyond the one-on-one type of thing, cuz their skill sets are so versatile that they're needed to do bigger things. They're needed to do more, like working with the architecture team, working directly with servers. They're handling stuff that's like...
Local area network to local area network. So these guys have professional level certs. They're very, very in the weeds, but also high enough level to where they have to see the bigger picture of what's going on with the network. They're doing enclave to enclave. That's like one local area network to another local area network, and possibly WANs, which is a wide area network. And that's way more complex. So this is CCNP Security. That's a very difficult certification, a professional level Cisco certification. A CASP, which is also a professional level cert, that's no joke. A CISSP, a high level cyber security certification. And then some others: GCIH, which is incident handling. And they just added this one, CCSP, which is, I think, a cloud certification from (ISC)². I believe that's what it is. Okay. Now let's get into ISSO, and the ISSO, if you didn't know, is an information system security officer. So that is kind of what I do. And I can kind of give you, in a nutshell, what an ISSO, an information security person, does. So this job is typically... your day looks like this. You're doing a lot of meetings. That's what your day looks like. It's a lot of meetings because you're talking to other people within your organization, stakeholders. You don't have to be a subject matter expert in, say, firewalls. You don't have to be a subject matter expert in, say, networking or routers and stuff, but you do have to know enough to be dangerous. Like you do have to know enough to communicate what is happening with the organization. Your responsibility as an information system security officer is to help the organization manage the risks of the organization so they can maintain their security posture. Now you might be like, "Bruce, what the hell are you talking about?" Let me spit it in layman's terms. That means...
The organization has a certain level of security and they need to maintain that. And what does that mean? Like, think about it. Windows is constantly changing. It's constantly having updates to patches. There's constantly vulnerabilities coming out. There's constantly new education that needs to happen with the users. There's all these new threats that are happening from day to day. Everything's constantly changing in IT. Well, that's where an information system security officer comes in, because our job is to make sure that no matter what changes happen, the organization stays compliant and stays secure at a certain level. It's very challenging, especially if the organization has a lot of different technologies or is also a very large organization with lots of stuff going on. So let's get back into what actual certifications this information system security officer needs. And I'm gonna show you here right now. So let's go back to the 8140. So 8140 up here: an ISSO is considered a manager type role. Okay. It's a manager type role because you're not just doing in the weeds stuff, fixing computers. You're not just working with firewalls. They might have you do some stuff like that, but your time is mostly spent coordinating with the organization to make sure that the organization is doing what they're supposed to do. I said organization. So you're talking to C level execs. You're talking to upper level managers. You're talking to the system administrators, you're talking to users, you're talking to user reps. You might even be talking to the customer. So it's a lot of meetings. So if it's a manager type role, you gotta be able to communicate effectively. So a CAP: a CAP is a Certified Authorization Professional. So what they do is exactly what I'm talking about.
They make sure that the organization can maintain a certain level of authorization, so that all of their documentation is good, so that all the security compliance, the security controls on their system, is good. And let me break this down for you. So CAP is a good one. Another one, while I'm topping here, is a CISSP. CISSP is a good one. Security+ is also a good one. Those three, I'd say, are the top certifications that an ISSO typically has. Now this might evolve. CAP, I notice, comes up a lot. CISA comes up from time to time. But look at these. What I just did was I logged into isc2.org, and I'm showing you the different certifications. Now CAP, this is the certified authorization certification, so security assessment and authorization certification. So that's what it is. Certified Authorization Professional, that's what it's called. So this is one of the top. This specifically focuses on NIST 800. So NIST 800 is what the federal government and states and some other organizations, contracting organizations, will use to ensure that you know what you're doing when you're talking about security for an organization. So, let me just read a couple more here. A couple other ones that are considered good for an ISSO, let me just name a few that I've seen in the industry: a CAP, a CISM, a CISSP, a GSLC. And a recent add-on, these two right here, is CCISO and HCISPP, which is normally for hospitals. This is like HIPAA compliance and stuff. That one's gaining ground right there. And this is listed on the DISA site. So that's a .mil site. So that's a big deal right there. So those are the main ones. I hope that answers your question. Let me keep going down the questions. If you guys have any questions whatsoever, feel free to ask me. Like, I've been doing this so long, just off the top of my head, I know this stuff.
I've just been doing it so long. You know, I don't know if that's necessarily a good thing, cuz it's pretty much all I know, you know what I mean? So let me answer a couple questions here. Somebody said, "How do you get this? I'm looking for..." Okay. What are you talking about here? A hundred. Oh, okay. I posted a job, a remote job where you're making a hundred K. And somebody says, "How do you get this? I'm looking for this right now. I took a cyber security course, and now I'm studying for the interview questions. I would like to know how you do this, boss." Okay. So I do this... like in the beginning of this session, I talked about it, and I can just give you a brief rundown. The first thing I do is I make sure all the keywords are on my resume. So every category of cyber security has a different set of keywords. For example, at one time I was proficient at like two or three different parts of cyber security. I was proficient; I'd done it before, I'd had certifications, everything. Right. And those were: one, I was a SIEM engineer. That's a security information event manager engineer. I could build them from scratch, set 'em up, create content for it, and it could monitor all your logs. I did that for like three years straight, so I just knew it. And then another thing was, I was an information system security officer; I still am. I know how to allow an organization to be compliant with certain security standards. And then another thing I was good at was cyber security analyst work. So those three things, those are three separate resumes. Okay. They have three separate sets of keywords. So what I did was I made a resume for each one of those. Each one has different certifications that are more relevant. I'd put those on top. Each one has different... some of 'em really require a security clearance.
Like ISSO and cyber security analyst usually require a security clearance, cuz you're working in like a SOC, a security operations center, which has classified information and blah, blah, blah. But the SIEM really didn't need a security clearance. So I could even leave that off, and that was still good. My point is, whatever career path you're going in, it has a different set of keywords. And so what I do to make myself more marketable for this is I get keywords for each one of those work roles, whatever it is. And to do that, you can actually research it and figure it out, right? And I'm not telling you to lie on your resume. I don't recommend that. A lot of people are like, "Lie on your resume. Why aren't you lying on your resume?" Me personally, I say no, do not lie on your resume. Do not put your picture on your resume. Like, put your picture on your... not your resume, unless you're in the EU, I guess; they do that. But put your picture on your profile. Some people are like, "Nah, because I'm black, I don't want people to see that. I can't get jobs." Nah. Why would you wanna work at an organization who doesn't want you? You need to put your picture there, and if they don't wanna work with you, you shouldn't wanna work with them. That's how I feel about it. I don't wanna work somewhere they don't want me. So I put my black face on my profile. Go look at it. It's up there right now. So that's number one. Don't lie on your resume. The reason why I don't lie on my resume is because I don't want to get in there and then they think I'm freaking gonna walk on water, and I do not, not for that particular technology. Not only that, but in the actual interview, they will ask you these questions and then they will verify what you sold them. They will call your employer and ask, "Hey, did Bruce do this, X, Y, and Z?" They'll do that.
Especially as you go higher up in the echelons. Now, if you wanna fudge some numbers of how long you worked at the place, you know, that's not that big of a deal, but do not put certifications you don't have. Do not. Don't lie about your degree. They're gonna check that stuff, right? These are some obvious things you shouldn't lie about on your resume, cuz they will ask you. I'm going through an interview process right now. You better believe they're investigating me. They're looking at every part of my life I'm having to put in there. Right? Because you can't just lie on your resume. So I don't recommend lying on your resume. Put the real deal on your resume. But not only that, put the keywords for what you're doing on your resume, so that way, when you upload this into LinkedIn, into Dice, into Monster... and you need to put it on like 20 or 30 different job aggregators, okay. You need to put it on 20 or 30 different ones. And that's why I say you shouldn't use your real phone number or your real name. You should use an alias, because you're gonna get so many calls from all kinds of people, and you don't wanna get scammed anyway. So that's what you do. That's what I do. And that's how I've been able to get all these offers for remote 100K type jobs or more. And that's how you do it. And I'm writing a book right now. If you're interested in this, if you're super deep into this, if you're very serious about this, I'm writing a book right now. It's gonna be out soon. And if you're interested in this, at the very beginning of this podcast, I broke down exactly what I'm telling you. I showed you how I pick these keywords out, how I find them, all that kind of stuff.
If you're interested in this, a book is coming, that's gonna break all this down in great detail about how to get into cybersecurity in particular, but you can use these techniques for basically any, any job where you have to apply for a resume. Any job you need a resume that you could use it for that. So let me see, I got a couple other questions that says on TikTok it says I just got a free ISO two course. And let me see. Cert is free when I'm done. Have you heard of this course? Yes, this is, this is great. Like thank you so much for asking that question. So I've been, I've been telling everybody about this new certification that's coming out, like what's happening right now. If you guys didn't know, is that the government's hurting for cyber security positions, there's something. 700,000 careers that are empty slots. Like we in desperate need of, of people to get in here. So what's happened is there's been this huge push from nonprofit organizations, corporations, and government entities to actually get people into this field as entry level. And so ISD two squared has this new certification. That's an entry level cybersecurity certification. And right now it's free. It will not be free forever because is ISD two squared. I don't know if you knew this, but they don't, they don't mess. They don't mess around. They do not. These guys have the top cyber security certification in the world, arguably in the world's called C I S S P. I have this certification, this certification changed my life. It's a high level cyber security certification that talks about nothing and everything. But it is so good at marketing me. Like, all I gotta do is put that on my resume. I could probably just have a blank page with just C I S S P on there, and I'd probably get hired. That's how powerful this resume. And it's the reason why this certification's so powerful is because they've done a great job of marketing it. 
That being said, I'm saying this to tell you that they're now giving this thing, this right here, for free. This is an entry level for you to get into cybersecurity. This right here, I'm showing you, it's called Certified in Cybersecurity, CC. Now, from here you can build into other... this is entry level, but you can take this and build up to a higher-level certification. That's why this is so powerful. And these guys, this is not some fly-by-night organization. This is one of the top, if not the top and best, cybersecurity certification organizations in the world, on planet earth, currently, right now. So this is a great path if you are actually looking into this. This is a great path for you to do, doing it for free. They're giving it away for free. This will not be free for long, I guarantee you, because they're trying to compete directly with CompTIA Security+. That's what they're trying to do. And eventually this certification, mark my words, this Certified in Cybersecurity will be on this sheet right here. This is 8140, also known as 8570, approved baseline certifications. They will have CC on this. I bet it'll be like right here; they'll put it right here alongside the A+ certification, alongside CND and all these other ones. And once this goes on here, it'll be way more marketable than it is right now. Right now it's a free certification, it's brand new, people don't really know about it, people are kind of figuring it out. They're trying to compete with the Google support cert and Security+ and those kinds of entry-level certifications, because the government is making this huge push to get more and more people into this field. This is a really, really exciting time to get into cybersecurity.

This is a rare opportunity where they're trying to open the doors, but this is not a field where you can just come in off the street and know nothing. You have to do some work. Even if you come in and know nothing, you have to do work to understand the basics of information technology. Right? That's all I'm saying. So this is a great opportunity. Let me see, I've got a couple other questions. One says, "How does a civilian get a security clearance?" Okay, so there's a couple ways. Just so you know, I've been doing this for some time, and I've had all kinds of security clearances, from public trust all the way up to top secret-type security clearances. Another misconception that I want to dispel: you don't need a security clearance to get into cybersecurity. They're two separate things. Okay? A security clearance is just verifying that you are who you say you are. They're doing anywhere from a basic security background check to make sure that you are trustworthy to work in their organization with secret information. They're making sure you're not linked to any kind of terrorist organization or insurgents or militia organizations. You'd be surprised how many people are associated with that, because every time they ask me I'm like, ha ha, that's ridiculous, I'm not. But no, there really are a lot of people who are associated with these organizations that want to take down the government, that have some kind of issues with the United States government, or they're tied to another government. They actually happen to be working for another government and they're trying to get in and infiltrate. You'd be surprised how many people this applies to. Anyway, so a background check is just trying to see if you are who you say you are.

They make sure you don't have any crazy credit issues that would affect you working on their job, making sure you're not a super predator killing people or something like that. Yeah, they're just trying to do that. That's separate from cybersecurity. Okay? A lot of cybersecurity jobs need a security background check because of the nature of the information you're going to have access to, and they want to make sure they can trust you to protect their systems, but not every job requires a security background check. Okay? Cybersecurity and clearances are separate things. You can be a janitor and need a security clearance. Okay. So the question was, how does a civilian get a security clearance? There's a couple ways. Number one, work for an organization that will get you a security clearance. If you happen to work in the DMV area, that's DC, Virginia, Maryland, there are so many jobs, not just cybersecurity. You might be a groundskeeper mowing grass and have to have a clearance. I'm dead serious. You might be painting the inside walls of a SCIF and need a clearance. There are all kinds of clerical jobs, secretarial jobs, you name it, janitors, anything, that can get you one. So one way you could get in is if you got a job at a place that required a clearance; a lot of times they will pay for you to get a clearance, because it costs money to get a clearance. Another thing is there are sites. Somebody contacted me the other day; they were trying to get me a clearance. I guess they didn't know. They contacted me saying, "Hey, we can get you a clearance," and stuff. So there are private organizations that can get you a clearance, but you're going to have to pay for it, and it's not cheap. Just to give you an example, from what I heard, a secret background check is like $5,000.

And then a TS is like $10,000. That's what an organization has to pay to get you a clearance. And then public trust, I don't know; public trust is like here, secret clearance is here, and then above that is top secret and all the other White House, all this other stuff. So yeah, you can get into a position, a job that requires it, and then let the organization pay for it. That's probably the best way. The other way is to get it privately and pay for it yourself. That's another way. But then it has to remain active. I don't know how all that stuff works. So those are the two ways that I personally know about. And I could be wrong. If anybody else knows of another way to do it, please chime in and inform me of what's going on. Let me see here. Hope that answers your question, by the way. Somebody asked, "So I just signed up and I have to take an exam." Yes. So I believe that (ISC)² has a course, all right, and I believe the course is free, if it's still free. They have a course you can take that breaks down what's going to be on the test. And then you go to that course, you study for it. If it's still free, hopefully it's still free. They were saying it was a value of $199. But even if it costs $199, it's worth you investing in yourself. It's worth the risk. Anyway, if it's still free, because just last week it was free, you go through the course, which I believe is on Coursera. It's either on Coursera or it's on their website. Okay, sign up on their website; they'll give you a breakdown of everything you need to do. And then from there you will take the test. Once you study for it, you take the test. Somebody says, no, they're paying for it once you finish the course. There you go. Okay, thank you for that.
ODI says no, they're going to pay for it once you take the course, and there's only 1 million openings. Okay, there you go. Okay, I stand corrected. So let me correct myself. So what he's saying is, it was free for a while. It was actually free like a week ago or something, I'm telling you. So now you're going to have to take the course, and then once you take the course, I think it was $199, then you'll take the test, pass it, get your certification. So let me see. "You have to take a test." Yes. There are hurdles. You have to take the test to get the certification, but it's worth your investment. If you are serious about this, it's worth your time. Okay, let me see, I've got a couple other questions. Somebody said, "I barely see 100% remote opportunities. Most people keep wanting people to be on site." That's true. And Brandon, I would add to that and say a lot of the cybersecurity jobs that require security clearances do require you to be on site, at least hybrid on site. But I would say that there are a lot more remote job opportunities than there were before COVID, because it used to be really hard to find them. Now they're everywhere, and I can show you how to find them real quick. I'll show you. Let's see if I can show you on LinkedIn. If you guys didn't know, I have a LinkedIn page. You can search me out, Bruce Brown. For the win. Let me show you. If you guys happen to be on LinkedIn, here I am right here. Go to LinkedIn and type in "Bruce CISSP RMF" or something like that. You'll find me. There it is right there. There I am. And so join me. I'll definitely add you. I've got a lot of people wanting to add, and I'm always open to adding people, or you can talk to me online, all that kind of stuff. But okay, let me show you how to find remote jobs. Okay, let me see.

Let's say you were looking for a cybersecurity analyst job, right? I'm just randomly picking one out of the air. So now check this out. First you'll go to Jobs. And the reason you want to pick Jobs is because otherwise it's going to show you everything: companies, posts, schools, groups, people, all that. You want Jobs. Okay, so search Jobs, then post date. You don't want "any time", because that goes back like a year or something. You want something within at least the last month. All right, so let's look for the last month. And then this one's up to you: they've got internships, entry level, associate, senior, manager, whatever. You choose that. But if you don't really care, leave that blank. And then remote. Let's go to remote jobs. So here it is right here: on-site versus remote. So you've got hybrid, you've got remote, and you've got on-site. You just click on that. Now you notice it went from 17K jobs down to 3K jobs. I'm on LinkedIn, by the way. So I just went to Jobs, stuff in the past month, and then I went to remote versus on-site. This is a new feature, by the way; they didn't used to have all of this stuff. And now they have it on Dice, they have it on Monster, they have it on almost every site, because remote jobs are so prevalent now after COVID. So here you go. Here are some remote jobs for cybersecurity analysts, which is what I just typed in. And that's how you find remote jobs, right there, in five minutes. I just showed you how to do it. And you can do this with every site: with Monster, with LinkedIn, with Dice. All of these show you remote jobs. And if you go to Dice, let me see if this one's ready. So here's my profile on dice.com. I'm about to turn this thing off, man; I'm getting so many contacts from these guys. So there's a way to search for remote jobs. Let me just show you here. I'll do the same thing. I'll just type in "cyber security".

I didn't put a location in. I'll hit search, and check this out. It comes out with this page right here, taking a little bit of time, and then look right at the top: "Remote only". If I hit "Remote only", you notice it went down from 4,800 jobs to 600 jobs. So yeah, there are less, Brandon, I can piggyback on what you're saying. There are quite a bit less, but there are jobs there. I mean, look at this, there's 600 jobs here. I mean, granted, I didn't search for... I said any dates, so that's probably what's adding to that. Let's do the last seven days. It's going to be quite a few less. Oh, still 126 jobs. Look at that. These are all remote jobs. And all I did was type in "cybersecurity". Look, "100% remote cyber security analyst". All of these are 100% remote. Now, you've got to double check, because one of the things I noticed about these jobs is sometimes they'll say they're 100% remote, but then when you do an interview with them, they're like, "Well, it's 100%, but we want you to come into the..." I was like, is this 100% or not? Yeah, you've got to do an interview with them to make sure, and ask them, is this 100% remote? You know what I mean? Usually you straighten that out with the actual screener once you talk to them. Ask them. And then sometimes it is remote, but it's like 50% travel or something. There's always some kind of catch sometimes with these jobs. You've just got to make sure you weed out those gotchas with the remote jobs. I just went through this; that's why I know a lot about it. I've been working remotely for the past seven years now. I've been working remotely for a long time. It's crazy to me. Yes, it's been seven years. I started in 2014 working remotely and I've been working remotely ever since. And I will never go back. I will never go back. All right.

And that being said, if you guys are interested, I have a course on how to work remotely. It's on ConvoCourses. Go check it out on convocourses.com; just find the remote jobs course. I have it out there, and I might even write a book about that one and break it down, so it's like a $20 book or something like that. I might do that, because I've gotten pretty good at getting remote jobs and winning those remote job positions. Okay, let me see. "Link to the course." I'm assuming you're talking about the CC. Let me see. If you're interested in this, we were just talking about this course right here, which is an entry-level (ISC)² course, which they're giving... I believe you have to pay for their training, and I think it's 200 bucks for the training. It was free like last week; unfortunately, it's no longer free. And then after that you take the test, and I think they give you the test for free, if I'm not mistaken. Correct me if I'm wrong, somebody on TikTok, correct me on that one. I appreciate that. But yeah, here's the link right here. It's isc2.org slash certifications slash CC. Or you can go to Google and just type in "ISC2 CC" and you'll find it. Let me see if I can give you the link in the chat. I don't have access to the chat right now. Yeah, and they always walk me through all this other stuff I've got to do to get access to that. All right, guys, that's it for this one. Thank you for watching. I really appreciate all the questions. Thanks a lot for all your kind words and all the donations. Appreciate that. Thank you so much. I've got a couple other questions on TikTok. Let me see if I can answer those real quick. "Yes, it's still a self-paced exam." Okay. We're still talking about the (ISC)² CC. "So I can get an entry-level job with a CI

Daily Tech Headlines
China Approves New Games From Tencent and NetEase – DTH
Sep 14, 2022

China approves new games from NetEase and Tencent for the first time in over a year, NIST and Google partner on nanotechnology semiconductor designs, and DJI and GoPro announce new action cams.

B Shifter
FSRI's Study of Fire Service Residential Home Size-up and Search & Rescue Operations
Sep 14, 2022, 52:48

You can find information on the FSRI study here. This three-year Research and Development Project examines fireground size-up measures and search and rescue operations as part of a coordinated fire attack on a residential structure. Our guest is Craig Weinschenk, Research Engineer.

Craig is a Research Engineer with UL's Fire Safety Research Institute (FSRI). He holds a Master of Science and a doctorate in mechanical engineering from The University of Texas-Austin. During his graduate studies, Craig worked with the Austin Fire Department on analyzing firefighter compliance with changes in standard operating guidelines and on characterizing the impact of forced ventilation on room-scale fires. Since graduation, he has conducted full-scale residential fire experiments designed to characterize the thermal environment within the structure as well as exposed firefighter personal protective equipment. Craig is also a developer of NIST's Fire Dynamics Simulator (FDS) Version 6. He has used FDS to study the fire dynamics and thermal environment of fires that resulted in line-of-duty deaths and injuries to firefighters.

Nick Brunacini is the leader of B Shifter and Blue Card. He joined the Phoenix Fire Department (PFD) in 1980. He served seven years as a firefighter on different engine companies before promoting to captain and working nine years on a ladder company. Nick served as a battalion chief for five years, and in 2001 he was promoted to shift commander. He then spent the next five years developing and teaching the Blue Card curriculum at the PFD's Command Training Center. His last assignment with the PFD was south shift commander; he retired from the department in 2009. Nick is the author of "B-Shifter—A Firefighter's Memoir." He also co-wrote "Command Safety." Contact Nick Brunacini at nick@bshifter.com

Josh Blum, Blue Card Program Manager, has been in the fire service since 1993. He began his service as a volunteer firefighter before accepting a full-time career position. Josh served as the deputy chief of operations for the Loveland Symmes (Ohio) Fire Department, where he measurably increased the department's training and operational effectiveness. Josh retired from Loveland Symmes in 2020 and now works for Blue Card as the program manager in all aspects of curriculum development and program delivery. Josh continues to work directly with departments throughout Southern Ohio, assisting with training and fire department operations. Josh has developed and managed many fire service training programs throughout his career. He is a graduate of the Ohio Fire Executive Program. Contact Josh Blum at josh@bshifter.com

Jeff King is our Professional Development Manager, Lead Instructor and Houston Fire Department member. Jeffery L. King began his career with the Houston Fire Department in 2001 and currently serves as a safety officer. As a dedicated student of the fire service, Jeff earned a Bachelor of Science in fire science and a Master of Science in emergency services management. He has also earned the professional designations of fire service chief executive officer through the Mays School of Business at Texas A&M University and chief training officer through the Center for Public Safety Excellence. Jeff is a graduate of the City of Houston's Leadership Institute Program. He lives in Spring, Texas, with his wife, Tracy, and their daughters Savannah and Madigan. You can contact Jeff at jeffery@bshifter.com

Government Matters
Threats to space security, Operationalizing US-Pacific partnerships, Direct air capture tech – September 13, 2022
Sep 14, 2022, 26:30

DIA's Challenges to Security in Space 2022 report findings: John Huth, defense intelligence officer for space and counterspace at the Defense Intelligence Agency, details some of the main findings of a report about threats to U.S. space capabilities from Russia, China and other adversaries.

Operationalizing US-Pacific partnerships: Keoki Jackson, senior vice president and general manager for MITRE National Security, discusses the need for the U.S. to reinvigorate alliances with Pacific nations and use whole-of-nation thinking to counter China.

Developing direct air capture technology: Pamela Chu, researcher at the National Institute of Standards and Technology, describes NIST's efforts to improve direct air capture technologies to remove carbon dioxide from the atmosphere.

Cloudy With a Chance of Trust
Key NIST cybersecurity publications and how to apply them
Sep 14, 2022, 28:35

Pam and Brad dissect their recent discussion with NIST Fellow Ron Ross (episode 34) and provide advice for applying the guidance in the special publications he helped develop. Listen to this complimentary deep dive to learn how best to apply controls, properly differentiate and value your data assets, rank and classify your apps, and manage risk by using cybersecurity standards.

The Daily Scoop Podcast
State of the federal cyber workforce; Leveraging disaggregated data; IT Mod. caucus on Capitol Hill
Sep 13, 2022, 30:46

One big source of cyber talent for federal agencies is other federal agencies. Simon Szykman, senior vice president for client growth at Maximus and former chief information officer at NIST and the Dept. of Commerce, discusses the current state of the federal cyber workforce.

The new U.S. Chief Data Scientist, Denice Ross, says disaggregated data is "the next generation of data." Donna Roy, strategic advisor for the national security sector at Guidehouse and former executive director of the Information Sharing and Services Office (IS2O) at the Department of Homeland Security, explains why disaggregated data is useful to federal agencies.

The House IT Modernization Caucus will kick off its work next Thursday. Dave Powner, executive director of the Center for Data-Driven Policy at MITRE and former Director of IT Issues at the Government Accountability Office, previews what he expects to see from the caucus.

The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.

Plus
Za obzorem: Afghanistan has been ruled by the radical Islamist Taliban movement for more than a year
Sep 11, 2022, 25:18

On August 15 of last year, Taliban fighters definitively entered the government buildings in Kabul. The pro-Western president Ashraf Ghani left the country, the pro-government army abandoned its positions without a fight, and the Islamist movement took control of the overwhelming majority of Afghanistan. The Taliban leadership proclaimed the Islamic Emirate of Afghanistan, with a new political order that will no longer imitate Western democracy.

ConvoCourses
Convocourses Podcast: CIS controls to 27001 mapping
Sep 10, 2022, 20:01

get the xls spreadsheet here: https://securitycompliance.thinkific.com/courses/cis-control-maps

Hey guys, this is Bruce, and welcome to a ConvoCourses podcast. Today I want to talk about one thing in particular, and that is CIS and how it maps to ISO 27001. If you didn't know, both of these are security compliance frameworks that are used in the public sector and private sector, as well as by international organizations. So pretty much a little slice of everybody uses one or the other of these two particular security frameworks. CIS is typically used in the private sector; that means retail stores or banking or community centers or those kinds of privately owned organizations, and sometimes nonprofits. I'll also say that, having worked in the public sector, from time to time we'll actually use CIS controls as well. It just depends on what we're doing. Like, we use the CIS benchmarks; I've seen those used within the government, within the Department of Defense, because it's just a great tool to use. If you're interested in finding this, just go to Google or Bing or Yahoo or your favorite search engine and type in "CIS controls". Right now you have a mapping from the CIS controls version 7.1 to ISO 27001. Now, CIS controls are on version 8. I don't think that one's out yet, but right now we are focusing on version 7.1, and we will revisit this once we get version 8. Okay.

So, that being said, ISO 27001 is an international standard for information security management. And they both do the same thing: it's for an organization to have guidance on how to actually proceed as far as securing their entire network, not just the software and hardware devices that are connected to the network, but also things like physical security, maintenance, all aspects of protecting the actual security of the system, whether it's outside the system, who's touching the system, who has access to the system, all those things.

Let's start from the top. What we're going to do is just focus on the main security controls, like CIS control 1, which is inventory and control of hardware assets. You'll see that ISO 27001 has something similar, and it's called A.8.1.1, inventory of assets, right? They kind of group them all together; they don't break them apart into individual things in ISO 27001, whereas CIS controls break it up into different things. CIS control 1 is hardware, whereas CIS 2 is inventory and control of software assets. That is not broken apart by ISO 27001; they keep those together as A.8.1.1.

Let's keep going here to the next control, which is CIS control 3, continuous vulnerability management. Every single security compliance framework does have some sort of vulnerability management. Continuous monitoring and vulnerability management are hand in hand, and this one is no different. So ISO 27001, let's see if they have it here. They have more of a risk rating and response that's continuously done: management of technical vulnerabilities. Yeah, so they have A.12.6.1, which matches to CIS control 3 (3.7, to be precise).

Let's keep moving to CIS control 4, and that covers controlled use of administrative privileges. That's really important, because you don't want to give your admin accounts to everyone. One of the things that some organizations do is they'll just give admin rights to everyone, anyone who needs it; they'll just put it on individual laptops and think it's okay. And it's really not okay, because if you have administrative privilege on that system, you can pretty much do what you want with that particular system, and it might even allow you to escalate privileges on other systems. So you've got to be really careful with that. That's why you have CIS control 4, controlled use of admin privileges. Let's see what ISO 27001 has. ISO 27001 does have this, and they've broken it into parts: they have it as password management systems, A.9.4.3, and they also have management of privileged access rights. There you go, right there. So that matches directly to CIS 4, controlled use of admin privileges.

Let's keep it high level. So far I've gone through probably about 50 different controls, if you break it into the sub-controls; it's probably 50 we just hit. But we'll just keep it high level and focus on the main security controls. Now let's move on to CIS 5, and this one deals with secure configuration for hardware and software. This means whenever you have a laptop, a workstation, a server, there's a hardening process, meaning we're going to take this system and make sure it doesn't have default passwords, make sure it's locked down, the Wi-Fi's not just open and attaching to anything, maybe the Wi-Fi is off. We have some sort of secure configuration that we put on all hardware and software for mobile devices, laptops, workstations, and servers. This is a common best practice that's used in most security frameworks. ISO 27001 does have this, and they have it broken into two parts: acceptable use of assets, where you would actually secure that system, and also secure system engineering principles.

Let's keep going to maintenance, monitoring, and analysis of audit logs. The reason audit logs in CIS control 6 are merged with maintenance is because audit logs are used not only for making sure that, if you find any incidents, you can find them through the audit logs, but also for maintenance, because every now and then a system goes down, and you can put that in the log so it goes directly to a server, so your maintenance people can go in and say, okay, let's look at the logs and see where this thing crashed. CIS 6 actually covers this, and it maps directly to two different security controls in ISO 27001, mainly event logging and clock synchronization. The reason clock synchronization is important is because you need a timestamp for all logs; otherwise, if you see that the system went down, you need to know what time it went down. So clock synchronization is super important to event logs, and if the time is off, you don't know when an incident happened, you don't know when the system went down, or whatever the log is telling you.

All right, let's keep going to CIS 7, which covers email and web browser protections. Just so you know, these are not that much different from CIS controls version 8. So far, these are all the same ones that are in CIS version 8. Anyway, let's keep going. We want to know if this maps to ISO 27001, and it does. So it goes into acceptable use of assets, just like we saw in the previous section, and it also goes to restrictions on installations, and that's what you have for protecting the email and browser. Another thing it has is network controls, making sure that the network traffic isn't going all over the place, making sure that our internal users are not allowed to go to sites they're not supposed to go to. Another one it's broken up into in ISO 27001 is controls against malware, and that's your antivirus stuff. Electronic messaging, that is making sure that you have secure messaging going back and forth, making sure that you don't have email spoofing, things like that. So it's broken up into several different parts.

Let's keep going here to the next section, CIS 8, and that's malware defenses. This goes really deep into malware defenses for CIS controls: everything from centralized management of anti-malware software, as well as ensuring that anti-malware signatures are updated and things like that. We do have this in ISO 27001, namely in controls against malware, which is where we would find that in ISO 27001, but there are several other breakdowns in ISO 27001 that also link to malware protection.

All right, let's keep going to CIS 9, and this goes to limitation and control of network ports, protocols, and services. This is a common best practice that you'll find in NIST 800; you'll find that all of the different frameworks, in some way, shape, or form, cover this on how to actually focus in and use the law of least functionality, as it's called in NIST 800. But anyway, let's go into this one. So we're talking about associating active ports and services with asset inventories. What we need to know is, if port 23 is on, which systems are using port 23. And the next one is ensuring only approved ports and protocols are running, like we only use what we need. You'll find the same thing in ISO 27001 with security of network services and segregation of networks, and also network controls.

Let's keep going here and see how we can map the next one, which is CIS control 10, data recovery capabilities. This one does map to ISO 27001, namely in information backup; those two map directly to the CIS data recovery. And this is just what you might think: it's ensuring that you have regular automated backups, making sure that you can recover from those backups, and making sure that you protect those backups. All right, let's go to the next one. We don't have that many more to go here, but this should give you an idea of what's in CIS controls and also what's in ISO 27001 as well. So let's keep going.

CIS control 11 is secure configuration for network devices, such as firewalls, routers, and switches. If I'm not mistaken, this one might be a little bit different in CIS 8. It's not the same; the content's the same, they just shifted things around a little bit. So this one is dealing with maintaining a standard for secure configurations for network devices: your switches, your routers, your firewalls, and things like that. Let's see if there's a comparable control in ISO 27001. Yeah, we have change management. This is where you would control the actual IOS security on a system and make sure you have change management. But another one they have here in ISO 27001 is segregation of networks. That one is lined up with what you have in CIS controls as well.

All right, let's keep going. CIS 12, and that is boundary defense. Now, this is also in NIST 800. All the stuff that I've read so far is also in NIST 800. Maybe going forward we will cover how CIS maps to NIST 800, because it does; it all maps up. That's why I say in some of my other courses and in my other videos, if you know one, you know them all. There's a little bit of a change of terminology, the control names are different, but if you know one, you know them all, okay. So this one is dealing with boundary defense, and this is maintaining an inventory of what is in your network. You need to know what's in your network, and to do this you do things like scanning, you do things like denying certain communications from going to certain IPs. You have to control your boundary. Defense in depth is used quite a bit with this one. But boundary defense, this one maps directly to network controls in ISO 27001. Okay, let's keep going here. Let's keep it high level; there are a lot of things we're going over, because we want to keep this high level. Okay. Now, CIS control 13, data protection. What does this one deal with?
This is maintaining an inventory of sensitive information removing sensitive data or systems not regularly accessed by the organization. Anything you don't need, we're gonna get rid of it. And making sure the sense of, data's not floating around out there, which is how a lot of data gets.  and ISO 27,001 has addresses this in several different controls. One is classification of information. Another one is network controls, another one's electronic messaging. And another one is mobile device policies. And there's a few others, but we are gonna keep going. All right. So C I S 14, this one deals with controlled access controlled access. On on the need to know. And so this one is segmenting the network based on sensitivity, enable fi enabling firewall filtering for between VLANs. And this sounds a lot like PCI compliance. So PCI compliance also maps to the CIS. PCI I'm, talking about PCI DSS, that's protection of credit cards and the credit card industries and retail retailers and hotels use this quite a bit. So they have to actually go through an audit and assessments and stuff for all of their card readers. So for this one, you have the same thing. ISO 27,001 has segmentation of network. Network control. You can see them, them using the same ones. Theirs is just broken up differently. So they group a lot of, the controls together. Let's keep going here. We don't have that many more to go. We're on 15 CIS control 15, which is wireless access control. So this one, as you would suspect it, it's disabling access points that are not used if they're not required detecting wireless access points. That are connected to the wired network and, taking an inventory of all your wireless stuff. And so this is covered in ISO 27,001 in the inventory of assets and the network controls and the acceptable use of AC of, assets. Let's keep going here to the CIS 16. And I think we only have two or three left here, but CIS controls 16. Account monitoring and control. 
So in, in N 800, And in this 800, you have this one is AC two, a C one C three. When you're doing account control and account management and things like that, this one is in CIS control 16. So how does this map? Two 27,001. Control. In the inventory of assets, that's where they control it in ISO 27,001. They also cover it in policy on the use of crypto cryptographic controls and control network controls and user registration. And deregistration so you can see it's just broken up. They're covering the same topics, but it's broken up into different parts. Now let's keep going to CI. Control 17. And I wanna say this is the last one. Let me see. 18, 19 20. Okay. There's only three more left. All right. 17 we'll just quickly go through these implementation of security awareness training. Self-explanatory you do have the same thing on ISO 27,001. It's literally called information security awareness, education and, training. Same. Okay, so we're gonna go to 18 and 18 is application software security. That's making sure that you're, whenever you're developing software is developed securely and is, establishing secure coding practices. And you have the same thing over ISO ISO 27001, which is a secure development policy. Whenever you're developing the actual software, you have to develop it securely. Okay. Then we go into 19, which is incident response. This is a big one. This is also in IR in the IR controls, IR 1, 2, 3, and 4 in the NIST 800. But how does this map over to ISO 27001? They have something called responsibilities and procedures. And they have reporting information, security events, and con contacting authorities. All right. Onto pen testing. So this is CIS control 20. This is penetration testing and red team exercises. And this one, I don't know, this one actually doesn't have a comparable ISO 27001 control, which is. Very shocking and that pretty much covers all the maps between CIS controls and ISO 27,001. 
And we also mentioned a couple of N 800 controls and I'll catch you guys on the next podcast. If you want to download your free copy of the CIS To ISO 27001. Then go ahead and go to https://securitycompliance.thinkific.com/courses/cis-control-maps

ILTA
Has the Time Come for Passwords to Take a Back Seat to Security

ILTA

Sep 9, 2022 | 27:51


The majority of breaches today no longer come through delivered malware, as our systems have become very strong at detecting and blocking it, resulting in more effort than value for the attacker. Instead, it's easier, faster and more economical to just try and steal your password, or better yet, have you provide it yourself. This podcast takes a look at the security risks that are actually derived from one of our more important security controls… passwords, and looks at what we can do to minimize those risks moving forward. Questions Dave will ask the speakers: A recent study by Verizon found that more than 80 percent of breaches through hacking involve brute force or the use of lost or stolen credentials. Microsoft estimates that there are 921 password attacks per second. We've been educated for years by the security industry and our awareness programs that passwords are the most crucial component to protecting our environments and our information. How is it that this sacred key to our kingdom is actually resulting in opening so many doors for attackers? NIST has taken steps to try and reduce the bleeding with their new password guidelines and best practices, which encourage passphrases of more characters, less complexity and fewer changes. Are these steps in the right direction to actually keeping us secure? Many security tools are now providing artificial intelligence around login requests that look to see if the member is coming from a known device and location prior to providing access. Would implementing these types of risk-based controls with MFA and a passphrase be the answer to our problems? Biometrics for authentication always seemed to be the next logical step for passwords. We have our basic biometrics on devices; however, those are all backed by a password or PIN. Will we ever get to a place where we're truly only using biometrics for all authentication?
I understand that Apple, Google and Microsoft are working on a solution together that will get rid of passwords. Instead, they will just leverage the biometrics on your phone as your access code to everything. With this in mind, do we just need to sit tight and all our troubles will soon be fixed? Moderator: @David Whale - Director Information Security, Fasken Martineau Dumoulin LLP Speakers: Sohail Iqbal - CISO, Veracode Eldon Sprickerhoff - Founder and Chief Innovation Officer, eSentire Phillip Solakov - Director, Client Solutions, Optiv, Inc. Recorded on 09-09-2022

Feds At The Edge by FedInsider
Ep. 90 Identity Management Lays the Foundation for Zero Trust

Feds At The Edge by FedInsider

Sep 9, 2022 | 60:31


This is a discussion that provides the listener with ideas of how agencies are adopting identification to enable zero trust, and gives some insight into the evolution of access control in the federal government. The federal government certainly is not a monolithic enterprise; it must manage mundane requests like access to National Parks as well as negotiate atomic energy agreements. NIST has reinforced the fact that identification is the first component of deploying Zero Trust. When a mandate comes from the White House to target Zero Trust, it makes sense that each agency will have a history of identification systems and a different level of sophistication when it comes to identity management. Bryan Rosensteel from Ping gives a remarkable analysis of the evolution of Attribute Based Access Controls. His purview is immense. He begins by examining the historical application of Attribute Based Access Controls. He comments they were effective but tedious to deploy. To streamline this system, Role Based Access Controls were implemented. Unfortunately, today's technical climate allows malicious actors to steal identities and defeat the RBAC method. Bryan Rosensteel argues that today's dynamic system will have to revert to the precise controls that ABAC provides. The weakness of Multi-Factor Authentication is reviewed by David Temoshok, NIST. He suggests that when a person gets a code via SMS text message, it is transmitted via the public telephone system. He calls this weak MFA. This is another reason today's Role Based Access Control can provide the kind of security that some agencies require. FEMA's needs for identification are broader than most. Dr. Gregory Edwards from FEMA understands the complexity of cryptographic identification models, but he also recognizes that he cannot give every flood victim a federally issued PIV card.
Solutions must be provided where FEMA optimizes quick access to federal assistance while maintaining security controls so vital for federal information technology. Listening to this podcast will give the listener a terrific overview of innovations in access control and the variety of ways federal agencies are coping with identification with the new focus on Zero Trust Architecture.

The SSI Orbit Podcast – Self-Sovereign Identity, Decentralization and Web3
#39 - Digital Notarization Can Kickstart Digital ID Ecosystems (with Dan Gisolfi)

The SSI Orbit Podcast – Self-Sovereign Identity, Decentralization and Web3

Sep 8, 2022 | 53:46


Dan Gisolfi is currently leading the delivery of innovation capabilities across Discover Financial Services (DFS), such as Hack-aaS, Patent Program, Design Thinking Services, and an Innovation Accelerator. Prior to joining DFS, he led an innovation team focused on the incubation of IBM Security's Zero Trust Architecture in collaboration with internal labs, academic institutions and NIST. About Podcast Episode Some of the key topics covered during this episode with Dan are: How does the chicken and egg problem relate to digital identity? Is there a dependency on Government IDs to seed the marketplace? Are unique identifier databases required to become a credential issuer? What is transitive trust? And how does it differ from how trust gets established otherwise (e.g., through backend API calls)? The missing role in the trust triangle: The Examiner. Can Examiners become digital notaries? Rethinking authentication and authorization - using attestations from multiple issuers helps to create more trust. How Issuance can become a business model for many trusted service providers. Some challenges with the mDL (ISO/IEC 18013) standard. The benefits of using a Microcredentials approach. Misconceptions about becoming credential issuers (e.g., assuming liability, data minimization). Where to find Dan? LinkedIn: https://www.linkedin.com/in/vinomaster/ Blogs: https://www.ibm.com/blogs/blockchain/author/dan-gisolfi/ Follow Mathieu Glaude Twitter: https://twitter.com/mathieu_glaude LinkedIn: https://www.linkedin.com/in/mathieuglaude/ Website: https://northernblock.io/

Phoenix Cast
BYOD for the Marine Corps?

Phoenix Cast

Sep 7, 2022 | 54:36


In this episode of Phoenix Cast, hosts John and Kyle are joined by special guest Col Brian Russell and we discuss whether BYOD is the right thing for the Marine Corps.  Share your thoughts with us on Twitter: @USMC_TFPhoenix (Now verified!) Follow MARFORCYBER & MCCOG on Twitter, LinkedIn, Facebook, and YouTube. Leave your review on Apple Podcasts. Links: Fedscoop article on BYOD:  https://www.fedscoop.com/army-to-kick-off-bring-your-own-device-byod-pilot-in-coming-weeks/ Brian's article for the MCA: https://mca-marines.org/blog/2022/07/12/before-firing-a-shot-operations-in-the-information-environment-in-the-marine-corps/ NIST 800-207: https://csrc.nist.gov/publications/detail/sp/800-207/final CrowdStrike's Zero Trust overview: https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/ Google BeyondCorp: https://cloud.google.com/beyondcorp Okta's BeyondCorp Website: https://beyondcorp.com

Raising The Bar with Allison De Paoli
Trust and Transparency

Raising The Bar with Allison De Paoli

Sep 6, 2022 | 34:15


In this episode of Raising The Bar Podcast, Allison talks with Amanda Lee Keammerer. Amanda is the founder and CEO of Javilud, transforming innovation at the intersection of technology, people, politics, and art through consulting services, signature events, and creative collaborations. Born and raised in San Antonio, Amanda Lee Keammerer is the founder and CEO of Javilud, a consulting firm leading at the intersection of people, politics, tech, and art through programs and services. Previously, Amanda was the Vice President of Cybersecurity and director of the CyberSecurity San Antonio program at the San Antonio Chamber of Commerce. Before returning to Texas, Amanda worked for the Federal CIO and first Federal CISO at the White House. Prior to serving in the Obama administration, Amanda coordinated digital marketing projects at the Kaiser Family Foundation, and managed community relations at the LULAC National Office in Washington, D.C. From 2019 to 2021, Amanda served as an Honorary Commander with the 502d Communications Squadron at Joint Base San Antonio. In 2020, Amanda was nationally recognized as a Latinx Next Generation Leader in National Security & Foreign Policy. Currently, Amanda is a Security Fellow with the Truman National Security Project. She is the author of a forthcoming bilingual children's book series on cybersecurity awareness, and the founder of National Cyber Signing Day. Amanda earned her MA in Global Communication with a double concentration in national security policy and IT policy from The George Washington University. She earned her BA in Russian and Government from Smith College. Are you ready to Raise the Bar? Make sure to take away the notes! Conversation Highlights: [00:27] Who is Amanda Lee Keammerer? ●    "The Cyber Queen of San Antonio" [00:55] How does Amanda come into the Cyber Space? ●    Amanda's journey from LULAC to Cyber Security ●    What are the skills Amanda learned from LULAC that helps her in the Cyber Space? 
●    Privacy policies have a different meaning for different people. [06:38] What is Privacy for Non-Social Media People? [08:36] Cyber and privacy policies for mid-size employers… ●    "Budget" is an important characteristic of cybersecurity in any organization. ●    Cyber Mishappenings can take place in any sector. [13:30] Communication interest and using technology strategically towards your business goal can help to overcome Cyber problems. [15:09] Allison's email automation tool was hacked! [18:25] How can businesses take advantage of the frameworks offered by the National Institute of Standards and Technology (NIST)? ●    What is the advantage of NIST for mid-size and small-size businesses? ●    There is a lot of transparency about things that may or may not affect your businesses provided by the government. ●    Participating in the process is really important to any business or organization. [22:09] What are the two parts of trust? ●    Relationships are the key feature in any business! ●    Open communication channels are important to build trust and relationships in businesses. ●    Building trust and being action-oriented will definitely benefit your business. [31:00] What would Amanda like to see in the Cyber Community of San Antonio? ●    What is Amanda's goal for this year? Memorable Quotes: “Crisis also comes with opportunities" “We are humans, we can't remember everything so we should have daily checklists and documentation." "Good advice of upfront is always invaluable." "People shouldn't expect privacy at work, which is often uncommunicated!" Special Reminder: Thanks for checking out the show. Be sure to subscribe and leave a review. If you have an idea or...

NoLimitSecu
Cryptanalyse et informatique quantique

NoLimitSecu

Sep 4, 2022 | 30:00


Episode #378 In this episode, Andre Schrottenloher presents his thesis on the impact of quantum computing applied to cryptanalysis. References: – NIST's post-quantum algorithm standardization process: page of the algorithms selected in 2022 https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022 – NIST's parallel project on lightweight cryptography: https://csrc.nist.gov/Projects/lightweight-cryptography – Our article […] The post Cryptanalyse et informatique quantique appeared first on NoLimitSecu.

ConvoCourses
Convocourses Podcast: In another country

ConvoCourses