
Infosecurity Pro Issue 11


8/2/2019 Infosecurity Pro Issue 11

http://slidepdf.com/reader/full/infosecurity-pro-issue-11 1/24

Issue Number 11

An (ISC)2 Digital Publication

www.isc2.org

The Need for Identification

A complex computing landscape has made ID management technology a top priority.

It's me!


Visit www.isc2.org/issaploloffer or call 1.866.462.4777 and press 1


Cover photo by Image Source/David Oxberry; above illustration by Ikon Images/Corbis

[ features ]

8 Measure by Measure: A guide to obtaining metrics to prove the success of Web application security. By Rafal Los

12 The Need for Identification: A complex computing landscape has made ID management technology a top priority. By Polly Traylor

16 Getting on Track: Planning and working with a coach can help you prioritize your career goals. By Marie Lingblom

ISSue number 11 InfoSecurIty ProfeSSIonAl 1


[ also inside ]

3 Maintaining a High Standard (Executive Letter): From the desk of (ISC)2's Executive Director. By W. Hord Tipton

5 FYI (Member News): Read up on what (ISC)2 members worldwide and the organization itself are doing.

19 Careers Need Aspiration (Career Corner): It's important to have an all-round approach as you consider your job, your career and your profession. By Shayne Bates

20 Why Aren't Users More Secure? (Global Insight): Information security professionals must consider users' perceptions of security, and help protect them. By Greg Sternberg

2010   Volume 3

InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The magazine content of this publication represents the views of the respective authors and not necessarily the views of (ISC)2 or the publisher. No part of this document may be reproduced, stored or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), for any purpose, without the express written permission of (ISC)2. (ISC)2 and the (ISC)2 product, service and certification marks are registered marks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. Other company and product names mentioned may be the trademarks of their respective owners. For subscription information or address changes, please visit www.isc2.org. © 2010 (ISC)2 Incorporated. All rights reserved.

To view the issue online, visit www.isc2.infosecpromag.com


Looking for a deal?

Looking for career advice?

Looking for free information? 

Check out the hot deals and

free resources at the (ISC)2® Market Square!

Now available on the

Online (ISC)2 Resource Guide.

http://resourceguide.isc2.org

*** 2010 hardcopy also now available! ***

Management Team

Elise Yacobellis, Executive Publisher
727 683-0782 • [email protected]

Timothy Garon, Publisher
508 529-6103 • [email protected]

Marc G. Thompson, Associate Publisher
703 637-4408 • [email protected]

Amanda D'Alessandro, Communications Coordinator
727 785-0189 • [email protected]

Sarah Bohne, Director of Communications and Member Services
727 785-0189 x236 • [email protected]

Judy Livers, Senior Manager of Marketing Development
727 785-0189 x239 • [email protected]

Sales Team

Christa Collins, Regional Sales Manager, U.S. Southeast and Midwest
352 563-5264 • [email protected]

Jennifer Hunt, Events Sales Manager
781 685-4667 • [email protected]

Mike Walker, Regional Sales Manager, U.S. West Coast and Asia
213 896-9210 • [email protected]

IDG Media Team

Charles Lee, Vice President, Custom Solutions Group

Amy Freeman, Project Manager • [email protected]

Anne Taylor, Managing Editor • [email protected]

Kim Han, Art Director

Lisa Stevenson, Associate Production Manager

ADVERTISER INDEX

ASIS p 7; Business Continuity Institute (BCI) p 18; CA p 15; IEEE p 11; ISACA Inside Back Cover; (ISC)2 Back Cover, Inside Front Cover; Norwich University p 14; Nova University p 4

For information about advertising in this publication, please contact Tim Garon at tgaron@isc2.org

Don't forget to take the quiz and earn CPEs: http://bit.ly/a2ftY

For a list of events (ISC)2 is either hosting or sponsoring, visit www.isc2.org/events


Maintaining a High Standard

Once you've earned your credentials, it's crucial to maintain and protect them.

For inFormation security p,d hv hd bg “ hv” “ hv.” m jb pp d hg w q ,dg h cissP® d h (isc)2 d.ep gz h v (isc)2’ db h kw w p h d

 v g h d gh hgh dd q d p f. B ’ hd, ’ p h g b kpg h d -

v. (isc)

2 pph h v w:

1. We offer ways for our

members to maintain their

education levels. i h -hgg d h-g v, - p kp p--d. thd hvg kwdg hw d pg—h b-   g b—Wb 2.0 d d

hg h d. i kpg p wh gg h, v d -w. (isc)2 wb, -pd d h hp b p. chk mb r hp://www.2.g/b-.px. 

2. We maintain the test environment. (isc)2 k g p v d hq x. W hv q wkhp wh bj xp zh q —g d q dhg w . T k p

wkd w wk f h x,

d d ppp p v.W h x h gq dd-g bd h ha n sdd i (ansi).

3. We offer educational and flexible methods

o re-certiication. (isc)2 pvd pgw hp b wh h

d—p h v bdg.F xp, cPe,b d -, wkhp g. T pd wb, d

bk d b vw, k h qz dgh h gz.

i dd, w k , b, hp vv d pvd h b-pb g pp-. W w xp whpf d kwdg

 v h g p-, h d wh h -b d, g, dbk wd -

g h d’ v, g d v p .

W k wd hg .

Sincerely,
W. Hord Tipton, CISSP-ISSEP, CAP, CISA
Executive Director, (ISC)²

Executive Letter: From the desk of the (ISC)2 Executive Director


The password to your future is NSU.

Apply today and advance your career. [email protected] • www.scis.nova.edu/isc

Our beautiful, 300-acre main campus

How we stand out

• designated a National Center of Academic Excellence in Information Assurance Education by the U.S. government since 2005

• pioneer of online education since 1984

• earn your graduate certificate, master's degree, or Ph.D. degree in information security

• IEEE members receive tuition discounts

Graduate degrees: Computer Science • Educational Technology • Information Security • Information Systems • Information Technology

Nova Southeastern University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools (1866 Southern Lane, Decatur, Georgia 30033-4097, Telephone number: 404-679-4501) to award associate's, bachelor's, master's, educational specialist, and doctoral degrees. • Nova Southeastern University admits students of any race, color, sexual orientation, and national or ethnic origin. 01-138-10PGA


(ISC)2 Member News

FYI

Your Input Counts

Creative Intellect Consulting, in conjunction with (ISC)2, is carrying out a study to better understand the state of software development today. (ISC)2 members are welcome to fill in the online survey at www.surveymonkey.com/s/VsQPccL. All those who complete the survey will be entered into a drawing to win a half-day of software consulting.

Safe and Secure Online Program Goes Back to School

As kids return to school this season, the (ISC)2 Safe and Secure Online program (hps://bxhg.is2.g/s-s.spx) is active in Hong Kong, the U.K. and U.S. The program has seen a significant uptick in the number of member volunteers who have signed up over the past two months: almost 1,000. Volunteers are strongly encouraged to complete the necessary paperwork so they can begin visiting schools as the school year gets under way. In addition to being a worthwhile program, volunteers will earn 10 Continuing Professional Education (CPE) credits for making their first two presentations, and one CPE for every presentation thereafter. Visit hps://bxhg.is2.g/V-Sigup.spx for more information and to sign up.

Also in the news: (ISC)2 is partnering with the Department of Homeland Security and the National Cyber Security Alliance (www.staysafeonline.org) to promote National Cyber Security Awareness Month in October.

Photo by Beau Lark/Corbis


Honoring Asia-Pacific Security Leaders

This year's Asia-Pacific Information Security Leadership Achievements (ISLA) program was a huge success. The showcased honorees included:

imt st Ptt: fk K ft c, CissP-issAP, issmP, CssLP, o t aagat Atoatd st Ltd., Hog Kog. H ha cogzd o h vw ad hact o govt iTct-latd glato, polc ad gdl.

Ml Pl imt st

Pjt: r ik, atto (goh), at rchiagak Law Oc Japa. H wa cogzd o h io-ato sct Wokoc ipovt Poga.

s imt st Pl d

cmmt sv st rt: P. rbth. D, P.D., poo, aocat da o Faclt &rach school o ioato st at sgapomaagt uvt. H wa hood o h pojct“iovatv Applcato o sct Tchq th ralWold.” H alo cvd th Cot svc sta oh cotto towad ldg ad oadg ctawa h cot.

s imt st Pl: D h

Pk, CeO, niCs Tch Co., soth Koa. H wa cogzdo h ot povg copttv soth Koa’oato ct dt.

For more information about the ISLA program, visit www.isc2.org/isla.

SecureSDLC Event a Huge Success

A whopping 83 percent of information security professionals say that insecure software presents a significant threat to enterprises. That's just one of the results of an informal survey conducted at the SecureSDLC event in Silicon Valley, California this past June.

The conference, titled "Building Security into the Software Lifecycle," drew individuals from around the U.S., with the aim of equipping them with the latest tools and information on software security.

Information security professionals recognize the importance of the topic. Among the event participants, 56 percent said insecure software could result in damage to the company's reputation due to data breach.

Unfortunately, only 19 percent indicated they have a formal secure software development process. Conference participants discussed the topic and more, and weighed ways to tackle software security challenges.

The next SecureSDLC event will be held in Washington, D.C. on Nov. 4. For more information, visit http://www.isc2.org/EventDetails.aspx?id=6340.

A Round Up of (ISC)2 Events
By Brandon Dunlap

Many of you have likely heard of or voiced your opinions on the (ISC)2 ThinkTank roundtables, or participated in the live Security Leadership Series events that take place in various cities around the globe. I'm happy to announce that I will be contributing a short column in Infosecurity Professional magazine where I can share with a wider audience some of the key points that have come out of the engaging discussions during these events, both on the Web and in person.

In my role as a moderator and presenter for (ISC)2 events, as well as my role as a managing director of research at Brightfly, I look to offer, with your help, some important insights into how the profession is changing. I'd also like to hear your ideas on how we can work together to bridge the gaps in understanding, knowledge and cultural boundaries to be a catalyst for change as we move forward.

If you're not already familiar with the ThinkTank roundtables, you can access them via the Web, which contains archived events, as well as info on upcoming webcasts at: www.brighttalk.com/channel/5385

Meanwhile, please contact me with your roundtable feedback: [email protected]


Different events.Different strategies.

Same focus.

For more than 55 years, ASIS International has led the security industry

by providing up-to-the-minute education and strategic solutions to

professionals around the world. For leaders who understand that

identifying and managing threat in one geographic area does not

necessarily make you an expert in another, ASIS invites you to attend

one or more of our four worldwide security events. For more information on maximizing your security, visit www.asisonline.org.

57th Annual Seminar and ExhibitsOrlando, Florida

September 12– 15, 2011

5th Asia-Pacific Conference

and Exhibition

Kuala Lumpur, Malaysia

December 5-7, 2011

 

10th European Security 

Conference and Exhibition

 Vienna, Austria

 April 3-6, 2011

2nd Middle East Security 

Conference and Exhibition

Manama, Bahrain

February 20-22, 2011


Measure by Measure

Rafal Los offers a guide to obtaining metrics to prove the success of Web application security.

Illustration © Ikon Images/Corbis

How do you demonstrate that your application security program is working? Business leaders want to see hard data, but which metrics will show risk reduction? Many organizations track the number of defects discovered and remediated per project, but these metrics alone mean little to upper management. Effective metrics are ones that both IT and upper management can understand. Measuring the change in risk over time will help management understand the value of information security. It also helps the IT organization justify its investment in security initiatives.

THE SCIENCE OF NUMBERS

Metrics have been used to prove or disprove theories for centuries; in the corporate world, key performance indicators (KPIs) are the metrics of choice. But developing useful KPIs can be challenging. For instance, system-patching metrics may include time-to-patch, patch coverage and patch failures, which together demonstrate whether a patching strategy is successful. Similarly with Web application security, many types of metrics can be gathered. Most organizations with new application security initiatives will start by tracking vulnerabilities per application because it's the easiest method. But they quickly discover that this alone isn't effective in demonstrating to management the value of security efforts.

This article discusses risk-based metrics that gauge an organization's progress in securing its Web applications. It describes five Web application security KPIs, their methods of collection, and their importance to the organization.

DEFECT REMEDIATION WINDOW

DEFINITION: DRW measures how long an organization takes to fix a confirmed, verified security defect. It reflects an organization's responsiveness and can serve as an externally presentable organizational metric. This metric should be contrasted with the exposure window, which measures how long a defect existed "in the wild" before it was closed. The exposure window is much more difficult to measure and is rarely available to the organization.

ORGANIZATIONAL IMPORTANCE: This metric indicates an organization's responsiveness to security defects in Web applications. It measures how serious an organization is about security and whether the appropriate resources are available. Most mature organizations should be able to show DRW over time.

GATHERING METHOD: DRW is best gathered using a defect tracking system, which records dates and shows when the defect was identified, validated, assigned and then closed. As an organization matures in its approach to application security, DRW should decrease.

KEY PERFORMANCE INDICATORS

The following KPIs are useful in measuring the success of Web application security programs and are listed in order of most to least difficult to attain:

• Weighted Risk Trend (WRT): A weighted risk score measured over time

• Defect Remediation Window (DRW): How long it takes to fix or "close" a defect

• Rate of Defect Recurrence (RDR): How many times a defect is reintroduced over the life of an application

• Specific Coverage Metric (SCM): How much of an application's functionality is tested for security

• Security to Quality Defect Ratio (SQR): The ratio of the number of security defects to the number of all identified defects (quality, performance and security) in a testing cycle

As an organization matures, its ability to gather metrics that provide greater insight into the value of the application security program will grow.

WEIGHTED RISK TREND

DEFINITION: Based on the number and criticality of the security vulnerabilities found in an application, WRT provides a business-risk score over time. If a security program is working properly, this score should decrease over the development process and across releases. WRT is a weighted risk value, with the weighting based on the criticality of each vulnerability found and on the application itself. The application's weight is determined by factors such as: whether it is used internally or externally; whether it handles sensitive data; and whether it resides on a network or servers that are easily found and reached.

ORGANIZATIONAL IMPORTANCE: WRT provides a business-wide view of security risk over the development process. It allows management to assess whether resources are being correctly allocated to reduce security risks, and can be used to compare applications with one another over time. This score should decrease over the process for each application.

GATHERING METHOD: WRT is a weighted risk over time. The formula may be slightly different for every organization, but generally follows this model:

Σ(Defect Criticality × Number of Defects)* × [Application Weight] = Risk Score

*Per the defect classes Critical | High | Medium | Low

Example:

Application Weight (0 - 1.0): .75

Severity Scoring: Critical = 10, High = 5, Medium = 3, Low = 1

Defects Discovered: 10 Critical, 7 High, 30 Medium, 39 Low

([10 × 10] + [5 × 7] + [3 × 30] + [1 × 39]) × .75 = 198

RATE OF DEFECT RECURRENCE

DEFINITION: RDR is the rate at which previously resolved security defects are reintroduced into an application, either in the same place, in the same manner, or in subsequent releases. Note that the specific exploit is not the deciding factor. For instance, if a cross-site scripting (XSS) defect triggered by a particular string is removed from the application but is replaced in a subsequent version with the same defect triggered by a slightly modified string, this still counts as a recurrence. The value of this metric is in getting developers to pay attention to previous standards and their own processes.

ORGANIZATIONAL IMPORTANCE: RDR measures an organization's ability to resolve defects permanently. This does not mean that the same type of defect will not appear elsewhere in the application, or in the same place in a different form. RDR is reported over time and should ideally be as close to zero as possible, decreasing over time.

GATHERING METHOD: RDR is best gathered using a defect tracking tool with the capability to track a specific type of defect (i.e., SQL injection, cross-site scripting) within the defect classes across multiple test cycles. RDR is reported as the number of recurring defects per application over those cycles.

SPECIFIC COVERAGE METRIC

DEFINITION: SCM definitively answers the question "How much of the application [surface area] was tested for security?" It measures the percentage of components tested against the components of the application under review. Note that SCM is specific to the components under review, and it does not assess the risk in the entire application.

ORGANIZATIONAL IMPORTANCE: Measuring SCM requires security testing coverage, reporting whether the application was either fully tested or partially tested. If it was partially tested, SCM provides information on which flows or components were missed, and more importantly, why they were missed. Defining and reporting testing coverage brings credibility to the security team and peace of mind to the business. It provides documented, comprehensive assurance that the security team has thoroughly assessed the applications with a high level of scrutiny.

GATHERING METHOD: SCM is the percentage of the application flows/components that have been covered by security testing against the whole of the application's flows/components being tested. The inventory of flows and components in the application being tested is obtained through a detailed examination of its specifications. This metric is best provided by the quality testing organization or the security testing team.

IEEE, along with some of the world's leading biometrics experts, has developed a new certification and training program for biometrics professionals and their organizations. The IEEE Certified Biometrics Professional™ (CBP) program focuses on the relevant knowledge and skills needed to apply biometrics to real-world challenges and applications.

• Certification: Earning the IEEE CBP designation allows biometrics professionals to demonstrate proficiency and establish credibility.

• Training: The IEEE CBP Learning System combines print materials and interactive online software, ideal for job training, professional development, or preparing for the CBP exam.

Have you gained access to Biometrics Certification? To gain access to more details, visit www.IEEEBiometricsCertification.org. Access is now being granted to qualified Biometrics Professionals.

Ensure Software Security! Incorporating security early and initially in all phases of the software lifecycle is proven to be 30-100 times less expensive and incalculably more effective than the release and patch methods used frequently today. (ISC)2's Certified Secure Software Lifecycle Professional (CSSLP®) is the only certification in the industry designed to ensure security is considered throughout the entire software lifecycle. Learn more about the CSSLP certification at https://www.isc2.org/csslp/default.aspx.

SECURITY TO QUALITY DEFECT RATIO

DEFINITION: SQR measures the number of security-specific defects against the number of defects uncovered during a testing cycle. It quantifies the impact of security defects on the application. This metric is best presented as a ratio: Security Defects / Quality Defects.

ORGANIZATIONAL IMPORTANCE: SQR helps the business make the go/no-go decision about releasing an application based on its security risk. In addition, this metric can be compared with other defect metrics (i.e., functional, performance) to understand where resources should be dedicated.

GATHERING METHOD: SQR is best gathered through automated methods from quality and security testing tools.

CONCLUSION

The metrics outlined here highlight success measures that demonstrate progress to upper management. They are presented to help measure Web application vulnerabilities in terms of business risk. If security initiatives are working, these metrics should indicate a decline in risk over time, thus demonstrating the value of an application security program.
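The five KPIs above, as an added worked example that is not part of the article (Python written for this page, not HP's or (ISC)2's code): a small defect-tracker export is constructed inline and each KPI is a function over it. The severity scores (Critical = 10, High = 5, Medium = 3, Low = 1) and the 0.75 application weight are the article's; the Defect record layout, the sample rows, the component inventory and the decision to average DRW over closed security defects are assumptions made here.

```python
"""Five Web application security KPIs computed from a defect-tracker export.
Added example, not from the article: severity scores and the 0.75 weight follow
the article's WRT example; the Defect layout and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Severity scores from the article's WRT example.
SEVERITY_SCORE: Dict[str, int] = {"Critical": 10, "High": 5, "Medium": 3, "Low": 1}


@dataclass(frozen=True)
class Defect:
    """One row of a defect-tracker export (assumed layout)."""
    app: str
    defect_id: str
    category: str           # "security", "quality" or "performance"
    severity: str           # key of SEVERITY_SCORE
    defect_type: str        # e.g. "XSS", "SQLi"; the key used for recurrence
    release: str            # release in which the defect was found
    test_cycle: str         # testing cycle in which the defect was logged
    identified: date
    closed: Optional[date]  # None while the defect is still open


def weighted_risk_trend(counts: Dict[str, int], app_weight: float) -> float:
    """WRT at one point in time: sum(score x count) x application weight (0-1.0)."""
    if not 0.0 <= app_weight <= 1.0:
        raise ValueError("application weight must be between 0 and 1.0")
    return sum(SEVERITY_SCORE[sev] * n for sev, n in counts.items()) * app_weight


def security_severity_counts(defects: Iterable[Defect], app: str) -> Dict[str, int]:
    """Security defects per severity class for one application (open or closed)."""
    counts = {sev: 0 for sev in SEVERITY_SCORE}
    for d in defects:
        if d.app == app and d.category == "security":
            counts[d.severity] += 1
    return counts


def defect_remediation_window(defects: Iterable[Defect], app: str) -> Optional[float]:
    """DRW: mean days from identification to close over closed security defects."""
    windows = [(d.closed - d.identified).days for d in defects
               if d.app == app and d.category == "security" and d.closed is not None]
    return sum(windows) / len(windows) if windows else None


def rate_of_defect_recurrence(defects: Iterable[Defect], app: str) -> int:
    """RDR: closed security defect types that reappear in a later release."""
    first_closed_release: Dict[str, str] = {}
    recurring = 0
    for d in sorted(defects, key=lambda x: x.identified):
        if d.app != app or d.category != "security":
            continue
        earlier = first_closed_release.get(d.defect_type)
        if earlier is not None and d.release != earlier:
            recurring += 1  # same app and type, new release: reintroduced
        elif earlier is None and d.closed is not None:
            first_closed_release[d.defect_type] = d.release
    return recurring


def specific_coverage_metric(tested: Iterable[str], inventory: Iterable[str]) -> float:
    """SCM: percentage of the application's components covered by security testing."""
    universe = set(inventory)
    if not universe:
        raise ValueError("component inventory is empty")
    return 100.0 * len(set(tested) & universe) / len(universe)


def security_to_quality_ratio(defects: Iterable[Defect], test_cycle: str) -> float:
    """SQR: security defects divided by all identified defects in one testing cycle."""
    cycle = [d for d in defects if d.test_cycle == test_cycle]
    if not cycle:
        return 0.0
    return sum(1 for d in cycle if d.category == "security") / len(cycle)


# Constructed sample export: one application, two releases, two test cycles.
SAMPLE_DEFECTS: List[Defect] = [
    Defect("shop", "D-1", "security", "High", "XSS", "1.0", "C1", date(2010, 3, 1), date(2010, 3, 11)),
    Defect("shop", "D-2", "security", "Critical", "SQLi", "1.0", "C1", date(2010, 3, 2), date(2010, 3, 22)),
    Defect("shop", "D-3", "quality", "Medium", "Layout", "1.0", "C1", date(2010, 3, 2), date(2010, 3, 5)),
    Defect("shop", "D-4", "performance", "Low", "Latency", "1.0", "C1", date(2010, 3, 3), None),
    Defect("shop", "D-5", "quality", "Low", "Typo", "1.0", "C1", date(2010, 3, 4), date(2010, 3, 4)),
    # The XSS closed in release 1.0 is back in 1.1: RDR counts it as a recurrence.
    Defect("shop", "D-6", "security", "High", "XSS", "1.1", "C2", date(2010, 6, 1), None),
]
SAMPLE_INVENTORY = ["login", "catalog", "cart", "checkout", "search", "account", "admin", "api"]
SAMPLE_TESTED = ["login", "catalog", "cart", "checkout", "search", "account"]


def kpi_report(defects: List[Defect] = SAMPLE_DEFECTS, app: str = "shop",
               app_weight: float = 0.75) -> Dict[str, object]:
    """All five KPIs for one application, in the form a dashboard would ingest."""
    return {
        "WRT": weighted_risk_trend(security_severity_counts(defects, app), app_weight),
        "DRW_days": defect_remediation_window(defects, app),
        "RDR": rate_of_defect_recurrence(defects, app),
        "SCM_pct": specific_coverage_metric(SAMPLE_TESTED, SAMPLE_INVENTORY),
        "SQR_C1": security_to_quality_ratio(defects, "C1"),
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

Feeding the article's own counts (10 Critical, 7 High, 30 Medium, 39 Low at weight .75) to weighted_risk_trend reproduces its 198. RDR here keys a recurrence on the same application, the same defect type and a later release, which is as close as a tracker export gets to "same place, same manner" without a diff of the code; SQR follows the sidebar's definition (security defects over all identified defects in the cycle) and SCM needs a component inventory from the specification, not from the scanner, or missed components never show up in the denominator.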

Rafal "Raf" Los is a Web application security evangelist for HP Software & Solutions. He is responsible for bridging the gaps between security technologies and business needs to reduce enterprise risks and create embedded, lasting solutions on behalf of the HP Application Security Center group.

Photo by Image Source/David Oxberry

The Need for Identification

A complex computing landscape has made ID management technology a top priority, writes Polly Traylor.

It's me!

This past April, a trader with Société Générale was arrested for stealing proprietary code from the company's high-speed trading system.


In June, former trader Jérôme Kerviel stood trial in France for breach of trust, forgery and unauthorized computer use. Kerviel's actions led to $6 billion in losses at Société Générale. These problems may have been avoided had better security measures, including more sound access control systems, been in place.

It appears that IT is getting the message. Respondents to Gartner's 2010 CIO Survey rated identity management as their top security priority. "Identity management has been one of those projects that was put on the shelf in many organizations during the downturn, and is now being brought back out as the signs of things improving," says Vic Wheatman, research director and managing vice president in Gartner's San Jose, Calif. office.

The requirements for ID management are growing, in part because of the increase in e-services, e-filing and the information-sharing applications within and between organizations, he adds.

Düsseldorf, Germany-based research firm Kuppinger Cole reports midsize companies are putting more into identity management, which should increase the demand for products that are easy to install and support. "Vendors with standardized implementations and lightweight products will benefit most from this," says Kuppinger Cole analyst Martin Kuppinger, in the report 10 Top Trends 2010.

The increase in the mobile workforce has put ID management at the top of the IT list at Maryland's Montgomery County, according to Keith Young, senior security official in the county's technology services department. "We can't [see the employee's] activity on the network any longer, so we need to rely on the user's ID, especially when it comes to using smartphones and working from home."

Coping with these changes won't be easy. "Managing the services that people access gets very complex, so it's hard to define user access needs and approvals," he says.

ID Management Today

Identity management isn't just about allowing someone to log onto a network system. It also involves developing business- and industry-driven policies that define users and what they can do once in those systems. Maintaining and tracking multiple IDs and passwords across many directories and systems has proved to have burdened IT. "Our biggest problem right now is defining user access and then ensuring the data access policies are consistent," Young says. "If we get a model set, then when someone switches jobs, access switches automatically."

As users gain access to more systems, they must memorize more IDs and passwords. This introduces security risks if the information is stored on sticky notes or in easy-to-find files.

New regulations over the past few years have made compliance the main impetus for identity management. But IT must design groups and roles with flexibility, so as not to impede legitimate users from accessing the data they require to do their jobs efficiently.

Despite the need for identity management and access systems, the solutions are deployed in only 30 to 40 percent of large companies, says Bob West, founder and CEO of Echelon One, an Ohio-based information security research and consulting firm. "This is particularly complex and usually requires significant investment. It takes a long time and sometimes goes off track," adds West, who is also the former chief security officer at Fifth Third Bank. Such systems encompass several distinct and evolving areas, including:

• Provisioning, the system that sets up user IDs and passwords

• Storage and directories, including virtual directory technology

• Authentication, using passwords, PINs, smartcards or biometrics to verify user identity

• Single sign-on, eliminating multiple IDs and passwords

• Federation, supporting a unique ID across multiple internal and external systems

• Entitlement management, which defines what users can do within an application.

Managing Identity Management

Simplifying identity management is a top priority for many security and IT professionals. Fortunately, this is becoming easier and less expensive to accomplish. Cloud-based computing enables hosted identity management, a cost-effective option that provides a more controlled environment. Vendor consolidation is another benefit. Companies now get as much as 80 percent of the identity tools they need from Oracle, CA, Novell, IBM or Citrix, according to West, who also recommends reducing the number of directories used to store identity information.

Managing identity management along with the existing systems that help IT track and respond to breaches makes sense. Kuppinger says companies should consider developing a platform that handles provisioning, access and other processes from one console. Single sign-on for Web applications is another quick start now. It requires consolidating the databases that store user information.

From a policy perspective, Young recommends minimizing the number of roles you need to define and manage. "I heard from one large organization that was able to simplify their roles in a major ERP system down to 20 roles," he says.

Information security professionals should make sure they have the right stakeholders from IT, legal, HR, audit and various business units map business requirements and user roles and needs. "If the project is being driven by the IT department without the proper stakeholders, the business units will want to customize their job positions with requests for every complex business scenario," Young says.

Business units also help review and optimize existing processes, such as how new hires are granted access to systems. It's a best practice to ensure these processes are in order.

User-friendly technologies such as information cards (a form of digital identity) and OpenID are beginning to take off.

Source: Kuppinger Cole report, 10 Top Trends 2010


Copyright © 2010 CA. All rights reserved. All trademarks, trade names, service marks

and logos referenced herein belong to their respective companies.

can you confidently

answer the question,

“Who has access

to what?”

you can.

As information and data demands explode, do you have

the ability to maintain control over users, their access

and how they use information, while also meeting

compliance requirements? Finding ways to easily and

securely control your IT environments — physical, virtual

and cloud — is crucial to your business success.

Consider this innovative approach — an approach we call

“Content-Aware IAM”. Content-Aware Identity and Access

Management (IAM) from CA Technologies gives you thecontrol you need to confidently drive your business forward.

Control identities, access and information use by going

further than traditional IAM — down to the data level. You

will know how data is being used and can then answer the

question, “Who has access to what?”, with confidence.

Take control of your IT environments easily and

securely. Starting here. Visit ca.com/security.

you can

Illustration by Ken Orvidas/theispot.com

Getting on Track

Marie Lingblom investigates how planning and working with a coach can help you prioritize your career goals.

When it comes to career planning, says Randi Bussin, certified career management coach and personal branding strategist, most people simply don't take the time to do it. Successful planning begins with, and is built on, goals. "But I find that 99.9 percent of my clients come to me, and they have no goals," says Bussin. "Goals help you get clear on what you want, and what you're trying to achieve."

In the information security profession, roles have evolved dramatically in scope, from enterprise security, network security and communications to compliance, forensics, cryptography and business continuity. And there's plenty of competition for the best jobs.

So where should you start?

Career coaches such as Bussin say that those willing to make the investment in the introspective, action-based hard work of goal setting and planning will see tangible, rewarding results.

Turn Inward, Write It Down

"If you write down your goals and put them somewhere visible, you are programming your subconscious mind to make them happen," says Bussin.

Windy Warner, founder of Dallas-based ProCoach Inc., agrees. She says goals begin with a vision, and suggests starting by looking at the next five years. "If you don't have one, that's OK," says Warner. "It's a start."

Warner and Bussin both say that goals, or the vision, should include all aspects of an individual's life, including career, education, professional development, relationships, financial goals, health, hobbies, environment, etc. The time for this part of the process varies depending on the situation, but Warner suggests two weeks is a good target.

"Ask yourself 'What do I want my life to be like in the future?'" says Warner. One technique she suggests to jumpstart the process is to describe in detail a typical workday and a typical weekend day. "Don't worry about how you're going to achieve the vision," says Warner. "That comes later."


Setting goals also helps identify distractions, both internal and external, that keep you from achieving goals. Warner says that "vision, if it is your desire and what you think you should desire, provides the direction from which you establish priorities, set short-term goals and make decisions."

SMART Goals

Being grounded in reality is essential. Bussin points to an example of a client who described his goal as "find a new job I like." So Bussin showed him the version of SMART (specific, measurable, attainable, relevant, time-bound) goals. Using the SMART guideline, she prompted the client with questions such as: What industries? How much money do you want to make? How would you know if you liked it? What kind of people do you want to work with?

"He came back with the details: two job titles and industries," says Bussin. "I said, 'Now go and talk to people in those industries and see if what you have in your background is going to fit.' He didn't need to do that before."

Bussin and the client were able to quickly identify education, knowledge, skill and competency gaps, and get a sense of what kind of support he needed to achieve his goals. "He knocked it out of the park," she says.

Set Yourself Apart

The career-planning process, say Bussin and Warner, is hard for everyone. Working with a coach helps. Coaches can provide fresh, unique perspectives as well as the momentum, structure and support to keep individuals on track to achieve goals, whether it's a job search, transition or personal branding.

IT professionals in particular, says Bussin, typically don't give much thought to marketing and branding themselves. As an example, she describes an IT client's resume she is reviewing. "I'm reading the resume, and thinking 'What differentiates him from everyone else?'" says Bussin. "You say, 'I developed IT security and this and that,' but how did it have an impact on the organization? You have to be able to tell what the success is, and quantify it."

Warner suggests that information security professionals with the technical skills and abilities the job definition demands must also have strong people skills. "Teamwork is especially important in the security field because of its complexity and the need for very deep specialization," says Warner. "You can't be a lone wolf."

Other things to keep in mind include demonstrating a willingness to learn, and dropping the technical jargon when speaking with business management. "Speak their language," says Warner.

Both Warner and Bussin use personal branding techniques aimed at sending a clear, consistent message about who you are and what you have to offer. While their methods differ slightly, they each ask individuals to identify passions, strengths and purpose. Individuals are then asked to get feedback from friends, family, managers, others who know them well and so on. "This is an important step because most of us dismiss our strengths as easy," says Warner.

Strategy and Action

Bussin and Warner say that once a client has completed the introspective part of the process, they move toward strategies and actions aimed at achieving their goals. These include developing manageable steps, monitoring progress and adjusting as necessary. "This is a process," says Bussin. "You have to be willing to put in the time and effort."

Vision and subsequent goals, says Warner, help you, and those around you, understand priorities moving forward. "If you set goals and then commit to those priorities, you will be on the right track," says Warner.

Marie Lingblom is a freelance technology editor and writer based in Massachusetts.

Working with a Coach

Randi Bussin, certified career management coach, personal branding strategist and owner of Boston-based Aspire!, describes coaching as a collaborative and personalized process: "I have to get to know you, and you have to get to know me."

Bussin says clients can expect to work together to explore and identify where they are, clarify where they want to go, and put together a plan to help them reach their professional goals. Coaching can help individuals in transition, active job seekers or people dissatisfied with their current role.

Windy Warner, executive business coach and owner of Dallas-based ProCoach Inc., says the key advantage of working with a coach is that you "have someone in your corner whose only agenda is that you will be happier in your life and more successful, according to your personal definition of success."

Coaching can take place in person, over the phone or even via Skype. E-mail, both say, can be a useful tool, but not as the primary means of communicating. "[There are] way too many opportunities for miscommunication," says Bussin.

Both recommend investing months—not weeks—in the coaching process; Warner asks for a six-month commitment. "Coaching is not a short-term fix," she says.

Warner describes a five-step process to her executive coaching program:

1. Create inventory and vision.

2. Identify blockages or obstacles.

3. Perform self-assessment, personal branding.

4. Come up with strategies to turn vision into reality.

5. Implement strategies in manageable steps, monitoring progress and making adjustments as necessary.

Coaching, says Warner, is about the whole person: "Some coaches focus more on life goals, others on career goals, others on business-building—but inevitably we touch on all aspects of our clients' lives because human beings don't compartmentalize well."

But all coaching is not equal. The profession isn't regulated, so it's important to do some homework. Warner and Bussin advise individuals to check the credentials and types of coaches before signing on to any coaching program.


professional advice for your career

Careers Need Aspiration

Have an all-round approach as you consider your job, your career and your profession, writes Shayne Bates.

as you read pg 16

17 hi i, i’ imp

i iv i p

. H m i-

i ip, m imi

i pi h.

si hip m h

i bw jb j

hw p ’

iv i. d’ b i

pph p k hi hp—m m b

wiig h hi ki,

wk wi bm.

chg i i h Itiv; miig v

qi mmim g-

ig i. tk v pp-

i h i,

v w im—p-

, vi, i

ig h b pi.

“aw-” hg p-

hg. a im-

i i pi,

hv pibii b

iv , p

hi wihi h p  

h w. uig wh h

hg wk wih xi

wh i m i i.

y hv pibii 

xpi h bi v  

pj hg p-p i imp, iv m.

Ti wi v hw ’

g , g ,

hw h imi i f

i g w. t i

pif pi i pih.

xmp, “I h , w

v 1700 k, vig

m Xz cmp 

ppxim $200 mii.”

T hg h-

g i ig, m

ivi w p i 

i— j i h h-

g i, b i hw hivi fg, h

w h pp hm,

h i q.

xmp, gb

wk i ppi-

i h mg mii  

iii phi-

vi vi. uif

m

mgig. T i i b

bw phi gi

i, ig w ppi-

i mh- mp-i. It phi i

g p f; h i

qi h h i

iv iig bi.

W pppi, -

iv i p h iv

w-big pp,

imi. uig

h bi ig m

wih bh phi vi

m g v

gizi’ i p.W h pi i

g, mpi pi-

i. t wh pi?

y w.

Shayne Bates works with Brivo Systems, which focuses on business value while mitigating enterprise security risks for clients globally using Brivo's cloud hosted security solutions. He can be reached at [email protected].

Photo top by moodboard/Corbis


Why Aren't Users More Secure?

Information security professionals must consider users' perceptions of security, and help protect them.

SECURITY: "Your password is weak; you need to change it."

USER: "My password isn't weak; it's secure to me."

SECURITY: "What I mean is that your password doesn't follow our password rules."

USER: "But it has upper and lower case and it's more than eight characters. How much more secure do I need to be?!"

As amusing as the above conversation is, it highlights the tension between users and security. But perhaps users should be frustrated. In our desire to keep them secure, we inundate them with rules, regulations, policies and procedures, rarely realizing we are asking them to change their habits on an all-too-frequent basis. Are we leveraging the tools we have to effectively direct user behavior?

People tend to be short-term oriented, averse to change, and bad at estimating risk. If we consider security in light of human psychology, we may begin to understand why users do certain things.

Studies show users have on average 25 passwords to manage, and determining and remembering a password is costly. A user with only five passwords, taking five seconds to recall each one, wastes two hours of computing time a year. For a company employing 1,000 people this equates to 72 days wasted. It's not surprising that passwords are shared and not changed.1 In fact, a 2007 study found users choose the weakest passwords they can get away with, just as they did three decades ago.

As information security professionals, we know what to do with expired SSL certificate warnings. But have we educated users to do the same? If they're told, "don't click anything," it doesn't take long to discover that this doesn't solve the problem. However, if they're told to "go ahead and ignore the warning," then the user is likely to minimize the same dialog popping up during a security incident that should be addressed.

Security is not the primary function of a company or its users; it resides in the minds of very few in the company and is seen as a cost. Given the choice between the deadlines of their own job and the possibility of something happening somewhere else in the company, most employees will, understandably, opt for what directly impacts them.

Security is more than just users being secure. We must consider how being secure affects users and how their perception of security affects their behavior.

Greg Sternberg, CISSP, is a security/solutions archi-

tect for Jeppesen, and is based in Colorado. He can be

reached at [email protected].

1 Robert Morris and Ken Thompson, "Password Security: A Case History", Communications of the ACM, 1979. For a PDF of this study, visit: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.128.1635&rep=rep1&type=pdf

Photo top by George Diebold

Global Insight: international information security perspectives


Introducing ISACA’s newest certification: 

Grandfathering is now open.

GOOD FORTUNECan Be Yours

BREAK INTO IT.Register for an ISACA certification exam.

Exam Date: 11 December 2010

Registration Deadline: 6 October 2010

www.isaca.org/infosecmag 


Give your software some teeth! Commit to building security into every aspect of the software lifecycle by becoming an (ISC)2® Certified Secure Software Lifecycle Professional (CSSLP®). (ISC)2 has education options to fit your schedule. Live OnLine gives you the same course content and the benefit of an (ISC)² Authorized Instructor, from your very own desktop, delivered in two 2-hour sessions per week over the course of 10 weeks. This will help you study for the CSSLP computer based exam available in over 500 locations around the world.

Sign up for the CSSLP Live OnLine Education Program today.

Now take CSSLP courses from the comfort of your den.

Get a FREE iPad* when you register for a CSSLP Education Program. Visit www.isc2.org/csslpipad

*Can't be combined with any other offer.