8/2/2019 Infosecurity Pro Issue 11
http://slidepdf.com/reader/full/infosecurity-pro-issue-11 1/24
Issue number 11
An (ISC)2 Digital Publication
www.isc2.org
The Need for Identification
A complex computing landscape has made ID management technology a top priority.
It's me!
Visitwww.isc2.org/issaploloffer
or call
1.866.462.4777 and press 1
Cover photo by Image Source/David Oxberry; above illustration by Ikon Images/Corbis
[ features ]
8 Measure by Measure: A guide to obtaining metrics to prove the success of Web application security. By Rafal Los
12 The Need for Identification: A complex computing landscape has made ID management technology a top priority. By Polly Traylor
16 Getting on Track: Planning and working with a coach can help you prioritize career goals. By Marie Lingblom
ISSUE NUMBER 11 InfoSecurity Professional 1
[ also inside ]
3 Maintaining a High Standard, Executive Letter: From the desk of (ISC)2's Executive Director. By W. Hord Tipton
5 FYI, Member News: Read up on what (ISC)2 members worldwide and the organization are doing.
19 Careers Need Aspiration, Career Corner: It's important to have an all-round approach as you consider your job, career and profession. By Shayne Bates
20 Why Aren't Users More Secure?, Global Insight: Information security professionals must consider users' perceptions of security, and help protect them. By Greg Sternberg
2010 Volume 3
InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The material contained in this publication reflects the views of the respective authors and does not necessarily reflect the views of (ISC)2 or the publisher. No part of this document may be reproduced, stored or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 logo and (ISC)2 products, services and certification marks are trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Subscription information is available at www.isc2.org. © 2010 (ISC)2 Incorporated. All rights reserved.
To view the issue online, visit www.isc2.infosecpromag.com
Looking for a deal?
Looking for career advice?
Looking for free information?
Check out the hot deals and
free resources at the(ISC)2® Market Square!
Now available on the
Online (ISC)2 Resource Guide.
http://resourceguide.isc2.org
*** 2010 hardcopy also now available! ***
Management Team
Elise Yacobellis, Executive Publisher, 727 683-0782, [email protected]
Timothy Garon, Publisher, 508 529-6103, [email protected]
Marc G. Thompson, Associate Publisher, 703 637-4408, [email protected]
Amanda D'Alessandro, Communications Coordinator, 727 785-0189, [email protected]
Sarah Bohne, Director of Communications and Member Services, 727 785-0189, ext. 236, [email protected]
Judy Livers, Senior Manager of Marketing Development, 727 785-0189, ext. 239, [email protected]
Sales Team
Christa Collins, Regional Sales Manager, U.S. Southeast and Midwest, 352 563-5264, [email protected]
Jennifer Hunt, Events Sales Manager, 781 685-4667, [email protected]
Mike Walker, Regional Sales Manager, U.S. West Coast and Asia, 213 896-9210, [email protected]
IDG Media Team
Charles Lee, Vice President, Custom Solutions Group
Amy Freeman, Project Manager, [email protected]
Anne Taylor, Managing Editor, [email protected]
Kim Han, Art Director
Lisa Stevenson, Associate Production Manager
ADVERTISER INDEX
ASIS p 7; Business Continuity Institute (BCI) p 18; CA p 15; IEEE p 11; ISACA Inside Back Cover; (ISC)2 Back Cover, Inside Front Cover; Norwich University p 14; Nova University p 4
For information about advertising in this publication, please contact Tim Garon at tgaron@isc2.org
Don't forget to take the quiz and earn CPEs: http://bit.ly/a2ftY
For a list of events (ISC)2 is either hosting or sponsoring, visit www.isc2.org/events
Maintaining a High Standard
Once you've earned your credentials, it's crucial to maintain and protect them.
For inFormation security p,d hv hd bg “ hv” “ hv.” m jb pp d hg w q ,dg h cissP® d h (isc)2 d.ep gz h v (isc)2’ db h kw w p h d
v g h d gh hgh dd q d p f. B ’ hd, ’ p h g b kpg h d -
v. (isc)
2 pph h v w:
1. We offer ways for our members to maintain their
education levels. i h -hgg d h-g v, - p kp p--d. thd hvg kwdg hw d pg—h b- g b—Wb 2.0 d d
hg h d. i kpg p wh gg h, v d -w. (isc)2 wb, -pd d h hp b p. chk mb r hp://www.2.g/b-.px.
2. We maintain the test environment. (isc)2 k g p v d hq x. W hv q wkhp wh bj xp zh q —g d q dhg w . T k p
wkd w wk f h x,
d d ppp p v.W h x h gq dd-g bd h ha n sdd i (ansi).
3. We offer educational and flexible methods of re-certification. (isc)2 pvd pgw hp b wh h
d—p h v bdg.F xp, cPe,b d -, wkhp g. T pd wb, d
bk d b vw, k h qz dgh h gz.
i dd, w k , b, hp vv d pvd h b-pb g pp-. W w xp whpf d kwdg
v h g p-, h d wh h -b d, g, dbk wd -
g h d’ v, g d v p .
W k wd hg .
Sincerely,
W. Hord Tipton, CISSP-ISSEP, CAP, CISA
Executive Director, (ISC)²
Executive Letter: From the desk of the (ISC)2 Executive Director
The password to your future is NSU.
Nova Southeastern University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools (1866 Southern Lane, Decatur, Georgia 30033-4097, Telephone number: 404-679-4501) to award associate's, bachelor's, master's, educational specialist, and doctoral degrees. • Nova Southeastern University admits students of any race, color, sexual orientation, and national or ethnic origin. 01-138-10PGA
Apply today and advance your [email protected]
www.scis.nova.edu/isc
Our beautiful, 300-acre main campus
How we stand out
n designated a National Center of Academic Excellence in Information Assurance Education by the U.S. government since 2005
n pioneer of online education since 1984
n earn your graduate certificate, master's degree, or Ph.D. degree in information security
n IEEE members receive tuition discounts
Graduate degrees
n Computer Science
n Educational Technology
n Information Security
n Information Systems
n Information Technology
(ISC)2 Member News
FYI
Your Input Counts
Creative Intellect Consulting, in conjunction with (ISC)2, is carrying out a study to better understand the state of software development today. (ISC)2 members are welcome to fill in the online survey at www.surveymonkey.com//VsQPccL. All those who complete the survey will be entered into a drawing to win a half-day of software consulting.
Safe and Secure Online Program Goes Back to School
As kids return to school this week, the (ISC)2 Safe and Secure Online program (hps://bxhg.is2.g/s-s.spx) is now running in Hong Kong, the U.K. and U.S. The program has seen a big increase in the number of member volunteers who have signed up over the past two months—almost 1,000. Volunteers are strongly urged to complete the necessary paperwork so they can begin visiting schools during the school year. In addition to being a worthwhile program, volunteers will earn 10 Continuing Professional Education (CPE) credits for making their first two presentations, and one CPE for every presentation thereafter. Visit hps://bxhg.is2.g/V-Sigup.spx for more information and to sign up.
Also in the news: (ISC)2 is partnering with the Department of Homeland Security and the National Cyber Security Alliance (www.ssi.g) to promote National Cyber Security Awareness Month in October.
Photo by Beau Lark/Corbis
Hig asi-PifSi ldsT h i s y e a r ’ s a s i a - P ac i f i c ioato sctLadhp Achvt (isLA) poga wa a hgcc. Th howcad hoo cld:
imt st Ptt: fk K ft c, CissP-issAP, issmP, CssLP, o t aagat Atoatd st Ltd., Hog Kog. H ha cogzd o h vw ad hact o govt iTct-latd glato, polc ad gdl.
Ml Pl imt st
Pjt: r ik, atto (goh), at rchiagak Law Oc Japa. H wa cogzd o h io-ato sct Wokoc ipovt Poga.
s imt st Pl d
cmmt sv st rt: P. rbth. D, P.D., poo, aocat da o Faclt &rach school o ioato st at sgapomaagt uvt. H wa hood o h pojct“iovatv Applcato o sct Tchq th ralWold.” H alo cvd th Cot svc sta oh cotto towad ldg ad oadg ctawa h cot.
s imt st Pl: D h
Pk, CeO, niCs Tch Co., soth Koa. H wa cogzdo h ot povg copttv soth Koa’oato ct dt.
Fo o oato aot th isLA poga, vtwww.c2.og/la.
SecureSDLC Eventa Huge Success a w h o P P i n g 8 3 P e r c e n T o oatoct pooal a that c otwa
pt a gcat that to tp. That’ jt o o th lt o a oal v co-dctd at th scsDLC vt slco Vall,Caloa th pat J.
Th coc, ttld “bldg sct to thsotwa Lccl,” dw dvdal o aodth u.s., wth th a o qppg th wth thlatt tool ad oato o otwa ct.
ioato ct pooal cogz thpotac o th topc. Aog th vt patc-pat, 56 pct ad c otwa cold
lt daag to th copa’ ptatod to data ach.
uotatl, ol 19 pct dcatd th hava oal c otwa dvlopt poc.Coc patcpat dcd th topcad o, ad dg to wa to tackl otwact challg.
Th xt scsDLC vt wll hld Wahgto, D.C. o nov. 4. Fo o oa-to, vt http://www.c2.og/evtDtal.apx?d=6340.
A Round Up of (ISC)2 Events, by Brandon Dunlap
M a ny o f y o u hav lkl had voc o th (isC)2 ThkTak rodtal o ptg at th lv
sct Ladhp s vt that tak plac vao ct aod th glo. i ’ happ to aoc that i wll cottg a hot col Infosecurity Professional agaz wh i ca ha wth a wd adc oo th k pot that hav co ot o th gagg dco dg th vt, oth o th W ad po.
i ol a odato ad pt o (isC)2 vt—a wll ol a aagg dcto o rach atbghtf)—i look to o, th hp, o potat ght to how th poo chagg. i’d alo lkto ha o da o how w ca wok togth to dg th gap dtadg, kowldg ad cltaloda to a catalt o th hag a w ov owad.
i o’ ala wth th ThkTak odtal, o ca acc th va th W, whch cota achvdvt, a wll o o pcog wcat at: .bttlk.m/l/5385
mawhl, pla cotact wth o odtal dack: [email protected]
Different events.Different strategies.
Same focus.
For more than 55 years, ASIS International has led the security industry
by providing up-to-the-minute education and strategic solutions to
professionals around the world. For leaders who understand that
identifying and managing threat in one geographic area does not
necessarily make you an expert in another, ASIS invites you to attend
one or more of our four worldwide security events. For more information on maximizing your security, visit www.asisonline.org.
57th Annual Seminar and Exhibits
Orlando, Florida
September 12– 15, 2011
5th Asia-Pacific Conference
and Exhibition
Kuala Lumpur, Malaysia
December 5-7, 2011
10th European Security
Conference and Exhibition
Vienna, Austria
April 3-6, 2011
2nd Middle East Security
Conference and Exhibition
Manama, Bahrain
February 20-22, 2011
Measure by Measure
Rafal Los offers a guide to obtaining metrics to prove the success of Web application security.
Illustration © Ikon Images/Corbis
How do we demonstrate that application security is working? Business leaders want to see hard data, but which metrics will show risk reduction? Many organizations use the number of defects discovered and their criticality per project, but these metrics fail to give upper management the information it needs.
Metrics that are meaningful to both IT and upper management can be defined. Measuring the change in risk over the business's application lifecycle in a meaningful way helps management understand the value of information security. It also helps the IT organization justify its investment in security initiatives.
THE SCIENCE OF NUMBERS
Metrics have been used to prove or disprove theories for centuries; in the corporate world, key performance indicators (KPIs) are the metrics of choice. But developing useful KPIs can be challenging. For instance, system-patching metrics may include time-to-patch, patch coverage and patch failure rate, which together demonstrate whether the patching strategy is successful.
Similarly, with Web application security, numerous types of metrics can be gathered. Many organizations with new application security initiatives will start by counting vulnerabilities per application because it's an easy method. But they quickly discover that this isn't an effective way to demonstrate to management the value of security efforts.
This article focuses on risk-based metrics that gauge an organization's progress in securing its Web applications. It describes five Web application security KPIs, their methods of collection, and their importance to the organization.
DEFECT REMEDIATION WINDOW
DEFINITION: DRW measures how long an organization takes to fix a documented, verified security defect. It is a measure of an organization's responsiveness and can serve as an excellent organizational maturity metric. This metric should be contrasted with the exposure window, which measures
KEY PERFORMANCE INDICATORS
The following KPIs are useful in measuring the success of Web application security programs and are listed in order of most to least difficult to attain:
n Weighted Risk Trend (WRT): A weighted risk score measured over time
n Defect Remediation Window (DRW): How long it takes to fix or "close" a defect
n Rate of Defect Recurrence (RDR): How many times a defect is reintroduced over the life of an application
n Specific Coverage Metric (SCM): How much of an application's functionality is tested for security
n Security to Quality Defect Ratio (SQR): The ratio of the number of security defects to the number of all identified defects (quality, performance and security) in a testing cycle
As an organization matures, its ability to gather metrics that provide greater insight into the value of the application security program will grow.
WEIGHTED RISK TREND
DEFINITION: Based on the number of security vulnerabilities found, WRT provides a business risk score over time. If a security program is working properly, this score should decrease over the development process. WRT is a weighted risk value, with the weighting based on the severity of each vulnerability found. The risk value is derived from factors such as: whether the application is used internally or externally; whether it handles sensitive data; and whether it resides on a network or on servers that are externally facing.
ORGANIZATIONAL IMPORTANCE: WRT provides a business-wide view of security risk over the development process. It allows management to assess whether resources are being properly allocated to address security risks. The score should decrease over the development process.
GATHERING METHOD: WRT is a weighted risk value over time. The formula may be as complex as necessary for each organization, but a simple one is shown below:
∑(Defect Criticality x Number of Defects)* x [Application Weight] = Risk Score
*Per the defined severity classes: Critical | High | Medium | Low
EXAMPLE:
Application Weight (0 - 1.0): .75
Severity Scoring: Critical = 10, High = 5, Medium = 3, Low = 1
Defects Discovered: 10 Critical, 7 High, 30 Medium, 39 Low
([10 x 10] + [5 x 7] + [3 x 30] + [1 x 39]) x .75 = 198
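The five KPIs from the sidebar and the WRT formula with its worked figures, implemented together as an added example (this is not code from the article, from the author or from HP): a small Python calculator that runs over a constructed set of defect-tracking records. The Defect record layout, the sample rows, the component lists, the rule that a recurrence is a security defect whose signature was already closed in an earlier test cycle, and the choice of mean days for DRW are all assumptions of this example; the severity scores and the 0.75 application weight are the ones the article's example uses.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Severity scoring as printed in the article's WRT example.
SEVERITY_SCORE = {"critical": 10, "high": 5, "medium": 3, "low": 1}


@dataclass
class Defect:
    """One row of a defect-tracking system (assumed layout, not the article's)."""
    app: str
    component: str
    category: str            # "security", "quality" or "performance"
    severity: str            # key of SEVERITY_SCORE
    identified: date
    closed: Optional[date]   # None while still open
    signature: str           # e.g. "xss:cart/name"; same signature means same defect
    cycle: int               # test cycle in which the defect was found


def wrt_from_counts(counts: Dict[str, int], app_weight: float) -> float:
    """WRT exactly as the article prints it: sum(criticality x count) x application weight."""
    return sum(SEVERITY_SCORE[sev] * n for sev, n in counts.items()) * app_weight


def weighted_risk_score(defects: Iterable[Defect], app_weight: float) -> float:
    """WRT from individual security defect records (same formula, one record per defect)."""
    return sum(SEVERITY_SCORE[d.severity] for d in defects if d.category == "security") * app_weight


def defect_remediation_window(defects: Iterable[Defect]) -> Optional[float]:
    """DRW: mean days from identification to closure over closed security defects."""
    days = [(d.closed - d.identified).days
            for d in defects if d.category == "security" and d.closed is not None]
    return sum(days) / len(days) if days else None


def rate_of_defect_recurrence(defects: Iterable[Defect]) -> int:
    """RDR: security defects whose signature was already closed in an earlier test cycle."""
    closed_in: Dict[str, int] = {}   # signature -> earliest cycle in which it was closed
    recurrences = 0
    for d in sorted(defects, key=lambda d: (d.cycle, d.identified)):
        if d.category != "security":
            continue
        if d.signature in closed_in and closed_in[d.signature] < d.cycle:
            recurrences += 1
        if d.closed is not None:
            closed_in.setdefault(d.signature, d.cycle)
    return recurrences


def specific_coverage_metric(all_components: Iterable[str], tested: Iterable[str]) -> float:
    """SCM: share of the application's components that received security testing."""
    universe = set(all_components)
    return len(universe & set(tested)) / len(universe)


def security_to_quality_ratio(defects: Iterable[Defect], cycle: int) -> Optional[float]:
    """SQR: security defects / all defects found in one test cycle."""
    in_cycle = [d for d in defects if d.cycle == cycle]
    if not in_cycle:
        return None
    return sum(1 for d in in_cycle if d.category == "security") / len(in_cycle)


# Constructed sample: two test cycles of a hypothetical "checkout" application.
SAMPLE_DEFECTS: List[Defect] = [
    Defect("checkout", "cart", "security", "high", date(2010, 5, 3), date(2010, 5, 10), "xss:cart/name", 1),
    Defect("checkout", "payment", "security", "critical", date(2010, 5, 3), date(2010, 5, 5), "sqli:payment/id", 1),
    Defect("checkout", "search", "quality", "low", date(2010, 5, 4), date(2010, 5, 20), "ui:search/sort", 1),
    Defect("checkout", "search", "performance", "medium", date(2010, 5, 4), None, "perf:search/latency", 1),
    # The cart XSS was closed in cycle 1 and comes back in cycle 2: one recurrence.
    Defect("checkout", "cart", "security", "high", date(2010, 6, 1), None, "xss:cart/name", 2),
    Defect("checkout", "login", "security", "medium", date(2010, 6, 2), date(2010, 6, 14), "csrf:login", 2),
]
ALL_COMPONENTS = ["cart", "payment", "search", "login", "profile"]
TESTED_COMPONENTS = ["cart", "payment", "search", "login"]   # "profile" never got security testing


def kpi_report(defects=SAMPLE_DEFECTS, app_weight=0.75) -> Dict[str, Optional[float]]:
    """All five KPIs for one application, in the order the sidebar lists them."""
    return {
        "WRT": weighted_risk_score(defects, app_weight),
        "DRW_days": defect_remediation_window(defects),
        "RDR": rate_of_defect_recurrence(defects),
        "SCM": specific_coverage_metric(ALL_COMPONENTS, TESTED_COMPONENTS),
        "SQR_cycle1": security_to_quality_ratio(defects, 1),
    }


if __name__ == "__main__":
    print("Article example WRT:", wrt_from_counts({"critical": 10, "high": 7, "medium": 30, "low": 39}, 0.75))
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

Running it reproduces the article's 198 for the printed defect counts and then reports the five KPIs for the sample application; rows exported from a real tracker can be dropped into the same record layout to get the same report, and tracking the report per cycle gives the over-time trend the article asks for.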
how long a defect existed "in the wild" before it was closed. The exposure window is much more difficult to measure and verify across the organization.
ORGANIZATIONAL IMPORTANCE: This metric indicates an organization's responsiveness to security defects in Web applications. It measures how serious an organization is about security and whether the appropriate resources are available. Mature organizations should be able to slash DRW over time.
GATHERING METHOD: DRW is best gathered using a defect-tracking system, which records dates and details such as when the defect was identified, validated, resolved and then closed. As an organization matures in its approach to application security, DRW should decrease.
RATE OF DEFECT RECURRENCE
DEFINITION: RDR is the rate at which previously resolved security defects are reintroduced into an application in the same place, in the same manner, and in subsequent test cycles. Note that the specific exploit is the deciding factor. For instance, if a cross-site scripting (XSS) defect string is removed from the application but is reproduced in a subsequent version with the same defect string or a slightly modified one, this is a recurrence. The intent of this metric is to get developers to apply the standards learned from previous defects.
ORGANIZATIONAL IMPORTANCE: RDR measures an organization's ability to ensure that defects are fixed permanently. RDR is reported over time and should stay as close to zero as possible, decreasing over time.
GATHERING METHOD: RDR is best gathered using a defect-tracking system with the capability to track a specified type of defect (i.e., SQL injection, cross-site scripting) in a specific location across multiple test cycles. RDR is reported as the number of recurring defects per application over those cycles.
SPECIFIC COVERAGE METRIC
DEFINITION: SCM definitively answers the question "How much of the application [surface area] was tested for security?" It measures the percentage of components tested against the complete set of components of the application under review. Note that SCM is specific to the components under review, and these do not necessarily make up the entire application.
ORGANIZATIONAL IMPORTANCE: Measuring SCM requires security testing coverage, proving the application was either fully tested or partially tested. If it was partially tested, SCM provides information about which flows or components were missed—and more importantly, why they were missed. Defining security testing coverage brings credibility to the security team and peace of mind to the business. It provides documented, comprehensive assurance that the security team has tested the applications with the highest need for security.
GATHERING METHOD: SCM is the percentage of the application flows/components that have been covered by security testing against the whole of the applications/components being tested. The set of the application's components being tested is built
IEEE, along with some of the world's leading biometrics experts, has developed a new certification and training program for biometrics professionals and their organizations. The IEEE Certified Biometrics Professional™ (CBP) program focuses on the relevant knowledge and skills needed to apply biometrics to real-world challenges and applications.
• Certification: Earning the IEEE CBP designation allows biometrics professionals to demonstrate proficiency and establish credibility.
• Training: The IEEE CBP Learning System combines print materials and interactive online software – ideal for job training, professional development, or preparing for the CBP exam.
Have you gained access to Biometrics Certification?
To gain access to more details, visit www.IEEEBiometricsCertification.org.
Access is now being granted to qualified Biometrics Professionals.
Ensure Software Security Implementation
Security elements integrated into all phases of the software lifecycle are proven to be 30-100 times less expensive and incalculably more effective than release and patch. (ISC)2's Certified Secure Software Lifecycle Professional (CSSLP®) is the only certification in the industry designed to ensure security is considered throughout the entire software lifecycle.
Learn more about the CSSLP certification at https://www.isc2.org/csslp/default.aspx.
through a detailed examination of its specifications. This metric is best provided by the functional testing organization or the security testing team.
SECURITY TO QUALITY DEFECT RATIO
DEFINITION: SQR measures the number of security-specific defects against the number of defects overall during a testing cycle. It quantifies the impact of security defects on the application. This metric is best expressed as a ratio—Security Defects/Quality Defects.
ORGANIZATIONAL IMPORTANCE: SQR helps the business make the go/no-go decision about releasing an application based on its security risk. In addition, this metric can be compared with other defect metrics (i.e., quality, performance) to understand where resources should be directed.
GATHERING METHOD: SQR is best gathered through automated methods from quality and security testing tools.
CONCLUSION
The metrics used to highlight the success of security efforts must demonstrate results that are meaningful to upper management. Those presented here help translate Web application vulnerabilities into business risk. If security initiatives are working, these metrics should indicate a reduction in risk over time—thus demonstrating the value of the application security program.
Rafal "Raf" Los is a Web application security evangelist for HP Software & Solutions. He is responsible for bridging the gaps between security technologies and business needs to reduce enterprise risks and create embedded, lasting solutions on behalf of the HP Application Security Center group.
Photo by Image Source/David Oxberry
The Need for Identification
It's me!
A complex computing landscape has made ID management technology a top priority, writes Polly Traylor.
This past April, a trader with Société Générale was arrested for stealing proprietary code from the company's high-speed trading system.
I J, m d Jm Kvi
sd i g, bh s, d
hizd mp s. Kvi’s
ims d $6 bii i sss Siéé
Géé. Ts pbms m hv
d hd b si mss,
idig m sid ss ssms,
b i p.I pps h It is gig h mssg.
rspds G’s 2010 CIO Sur-
vey d idi mgm s hi p
si pii. “Idi mgm hs
b hs pjs h ws p
h sh i m gizis d h
m, d is w big bgh wd
s h sigs higs impvig,” ss
Vi Whm, s d mgig vi
psid i G’s S Js, ci. .
th qims ID mgm
gwig, i p b h is i -svis, -iig d himi-shig ppiis wihi d bw giz-
is, h dds.
Düssd, Gm-bsd sh m Kppig c
ps midsiz mpis s pig m i
idi mgm, whih shd is h dmd
pds h si is d spp. “Vds wih
sdd imiis d ighwigh pds wi b ms
m his,” s Kppig c s Mi Kppig, i
h p, 10 Top Trends 2010.
T is i h mbi wk hs p ID mgm h p h It is Md’s Mgm c,
dig Kih yg, si i i h ’s h-i svis dpm. “W ’ [h mp-
’s] i h wk h sig, s w d
h s ID, spi wh i s sig smphs
d wkig m hm.”
cig wh hs ss wh s b h-
g. “Mgig h svis h ps ss gs v
mpx, s i s h di ss ds d
ppvs,” h ss.
ID Management TodayIdi mgm is’ js b wig sm g
wk ssm. I s ivvs dvpig bsiss- dids-div piis h d s s d wh
h g i hs ssms. Miiig d kig mip
IDs d psss ss ms diis d ssms hs
pd hv bd It. “o biggs pbm igh w is
dig s ss d h sig h d ss pi-
is d iss,” yg ss. “I w g md s, s
wh swih jbs ss swihs mi.”
as ss gi ss m ssms, h ms mmiz
m IDs d psswds. Tis id si isks i
h imi is sd sik s i s--d s.
nw gis v h ps w s hv md mpi
h imp i idi mgm. B It dsi gps ms b s wih xibii, s s
impd giim ss m ssig
h d h qi hi jb i.
Dspi h d idi mg-
m d ss ssms, h si
dpd i 30 40 p g mp-
is, ss Bb Ws, d & d ceo
eh o, ohi-bsd imi
si sh d sig m. “Tisis p mpx d s qis
sigi ivsm. I k h v
s smims g iv,” dds Ws,
wh is s h m hi si
ifh Tid Bk. Sh ssms mpss
sv s vvig s, idig:
n Provisioning user profiles, IDs and passwords
n Storage and directories, including virtual directory technology
n Authentication, using passwords, PINs, smartcards or biometrics to verify user identity
n Single sign-on, eliminating multiple IDs and passwords
n Federation, supporting unique ID access across multiple internal and external systems
n Entitlement management, which defines what users can and can't do within an application.
Managing Identity ManagementSimpiig idi mgm is p mid m
si d It pssis. , his is bmig
si d ss xpsiv i. cd-bsd mpig
bs hsd idi mgm, s-iv pi
h pvids m p vim.Vd sidi is h b. cmpis
w g s 80 p h ii h d m
o, ca, nv, IBM ci, dig Ws, wh
s mmds dig h mb diis sd
s idi imi.
Mgig idi mgm s wih h si
ssms hp It b k d spd bhs. Kp-
pig ss mpis shd sid dvpig ps h
hd pvisiig, ss, d h psss m -
i. Sig sig- Wb ppiis is h pik s w.
I qis sidig dbss h s s imi.
m pi pspiv, yg mmds miimizigh mb s d d d mg. “I hd
m g gizi h ws b simpi hi
is i mj erP ssm dw 20 s,” h ss.
Imi si pssis shd mk s h
hv h igh skhds m It, g, Hr, di d is
bsiss mp bsiss qims d d s d
ds. “I h pj is big div b h It dpm
h h p s, h bsiss is wi w zhi jb psiis wi qs v mpx bsiss s,”
yg ss.
Bsiss is s hp v d pimiz xisig
psss, sh s hw w hi is gd ss ssms.I’s bs pi s hs psss i d
User-friendly
technologies
such as infor-
mation cards
(a form of
digital identity)
and OpenID
are beginning
to take off.
Source: Kuppinger Cole report, 10 Top Trends 2010
Copyright © 2010 CA. All rights reserved. All trademarks, trade names, service marks
and logos referenced herein belong to their respective companies.
can you confidently
answer the question,
“Who has access
to what?”
you can.As information and data demands explode, do you have
the ability to maintain control over users, their access
and how they use information, while also meeting
compliance requirements? Finding ways to easily and
securely control your IT environments — physical, virtual
and cloud — is crucial to your business success.
Consider this innovative approach — an approach we call
“Content-Aware IAM”. Content-Aware Identity and Access
Management (IAM) from CA Technologies gives you thecontrol you need to confidently drive your business forward.
Control identities, access and information use by going
further than traditional IAM — down to the data level. You
will know how data is being used and can then answer the
question, “Who has access to what?”, with confidence.
Take control of your IT environments easily and
securely. Starting here. Visit ca.com/security.
you can
Illustration by Ken Orvidas/theispot.com
When it comes to career planning, ss rdi
Bssi, ifd mgm h d ps
bdig sgis, ms pp simp d k m
iv . Sss pig ws ss wih—
d is bk —gs. “B I fd h 99.9 p m i-
s m m, d h hv gs,” ss Bssi. “Gs
hp g i wh w, d wh ig
hiv.”
I h imi si pssi, s hv vvd
dmi i d sp—m pis si,
wk si d mmiis mp -
sis, pgph d bsiss ii. ad h’s p f mpii d h bs jbs.
S wh shd s?
c hs sh s Bssi s h hs wiig
mk h ivsm i h ispiv, i-bsd hd
wk g sig d pig wi s gib,
wdig ss.
Turn Inward, Write It Down“I wi dw gs d p hm smwh visib,
s pgmmig sbsis mid mk h
hpp,” ss Bssi.
Wid W, d Ds-bsd Pch I.,
gs. Sh s gs i ms visi, d sggss s-ig b kig h fv s. “I d
, h’s oK,” ss W. “I’s s.”
W d Bssi bh s h gs, visi, shd
id sps idivid’s i, idig ,
di, pssi dvpm, iships, fi
gs, hh, hbbis, vim, . T gh his p
h pss vis dpdig h sii, b W
sggss w wks i g.
“ask s ‘Wh d I w m i b i h ?’”
ss W. o hiq sh sggss jmps h
pss is dsib i di pi wk d d pi
wkd d. “D’ w b wh hw gig hiv h visi,” ss W. “T ms .”
Getting on Track
Marie Lingblom investigates how planning and working with a coach can help you prioritize your career goals.
Sig gs s hps idi disis—bh i
d x—h kpig m hivig gs.W ss h “visi, i i is i dsi, wh
hik shd dsi, pvids h di whih
sbish piiis, s sh-m gs d mk
disis.”
SMART GoalsBig gdd i i is ssi. Bssi pis
xmp v pi i wh dsibd his g
s “d w jb I ik.” S Bssi shid h vsi
SMart (spi, msb, ib, v isi,
im-bd) gs. usig h SMart gidi, sh pmpd
h i wih qsis sh s: Wh ids? Hw mhm d w mk? Hw wd kw i ikd
i? Wh kid pp d w wk wih?
“H m bk wih dis: w jb is d ids-
is,” ss Bssi. “I sid ‘nw g d k pp i
hs idsis s i wh hv i bkgd is
gig .’ H d’ d h b.”
Bssi d h i w b qik idi d
kwdg, ski d mp gps, d g wh
kid spp m h dd hiv his gs. “Hkkd i h pk,” sh ss.
Set Yourself ApartT -pig pss, s Bssi d W, is hd
v. Wkig wih h hp. chs pvid
sh, iq pspiv s w s h mmm, s d
spp k i d hiv gs—whh i’s jb
sh, sii ps bdig.
It pssis i pi, ss Bssi, pi
wid hik b mkig d bdig hmsvs. as
xmp, sh dsibs It i’s sm sh is viw-
ig. “I’m dig h sm, d hikig ‘Wh difis m v s?’” ss Bssi. “y s, ‘I dv-
pd It si d his h,’ b hw did i hv imp h gizi? y hv b b g
wh h sss is, d i i.”
W sggss h imi si pssi
wih h hi skis d iis h jb di-
i hs b hvig sg pp skis. “tmwk is
spi imp i h si d bs is m-
pxi d h d v dp spiizi,” ss W.
“y ’ b w.”
oh higs kp i mid id dmsig
wiigss , d dppig h hi jg whspkig wih bsiss mgm. “Spk hi gg,”
ss W.
Bh W d Bssi ps bdig h-
iqs imd sdig , sis mssg b wh
d wh hv f. Whi h mhds di-
sigh, h h sks idivids idi pssis,
sghs d pps. Idivids h skd g
dbk m ids, mi, mgs, hs h kw
w d s. “Tis is imp sp bs ms s
dismiss sgs is,” ss W.
Strategy and ActionBssi d W s h is mp h i-
spiv p h pss, h mv wd sgis
d is imd hig hi gs. Ts id dv-
pig mgb sps, miig pgss d djsig s
ss. “Tis is pss,” ss Bssi. “y hv b wi-
ig p i h im d f.”
Visi d sbsq gs, ss W, hp —s
wh ps—d piiis mvig wd. “I s
g d im hs piiis, wi b
igh k,” ss W.
Marie Lingblom is a freelance technology editor and writer based in Massachusetts.
Working with a Coach
Randi Bussin, certified career management coach, personal branding strategist and owner of Boston-based Aspire!, describes coaching as a collaborative and personalized process: "I have to get to know you, and you have to get to know me."
Bussin says clients can expect to work together to explore and identify where they are, clarify where they want to go, and put together a plan to help them reach their professional goals. Coaching can help individuals in transition, active job seekers or people dissatisfied with their current role.
Windy Warner, executive business coach and owner of Dallas-based ProCoach Inc., says the key advantage of working with a coach is that you "have someone in your corner whose only agenda is that you will be happier in your life and more successful, according to your personal definition of success."
Coaching can take place in person, over the phone or even via Skype. E-mail, say both, can be a useful tool, but not as the primary means of communicating. "[There are] way too many opportunities for miscommunication," says Bussin.
Both recommend investing months—not weeks—in the coaching process; Warner asks for a six-month commitment. "Coaching is not a short-term fix," she says.
Warner describes a five-step process to her executive coaching program:
1. Create inventory and vision.
2. Identify blockages or obstacles.
3. Perform self-assessment, personal branding.
4. Come up with strategies to turn vision into reality.
5. Implement strategies in manageable steps, monitoring progress and making adjustments as necessary.
Coaching, says Warner, is about the whole person: "Some coaches focus more on life goals, others on career goals, others on business-building—but inevitably we touch on all aspects of our clients' lives because human beings don't compartmentalize well."
But all coaching is not equal. The profession isn't regulated, so it's important to do some homework. Warner and Bussin advise individuals to check the credentials and types of coaches before signing on to any coaching program.
Professional advice for your career
Careers Need Aspiration
Have an all-round approach as you consider your job, your career and your profession, writes Shayne Bates.
as you read pg 16
17 hi i, i’ imp
i iv i p
. H m i-
i ip, m imi
i pi h.
si hip m h
i bw jb j
hw p ’
iv i. d’ b i
pph p k hi hp—m m b
wiig h hi ki,
wk wi bm.
chg i i h Itiv; miig v
qi mmim g-
ig i. tk v pp-
i h i,
v w im—p-
, vi, i
ig h b pi.
“aw-” hg p-
hg. a im-
i i pi,
hv pibii b
iv , p
hi wihi h p
h w. uig wh h
hg wk wih xi
wh i m i i.
y hv pibii
xpi h bi v
pj hg p-p i imp, iv m.
Ti wi v hw ’
g , g ,
hw h imi i f
i g w. t i
pif pi i pih.
xmp, “I h , w
v 1700 k, vig
m Xz cmp
ppxim $200 mii.”
T hg h-
g i ig, m
ivi w p i
i— j i h h-
g i, b i hw hivi fg, h
w h pp hm,
h i q.
xmp, gb
wk i ppi-
i h mg mii
iii phi-
vi vi. uif
m
mgig. T i i b
bw phi gi
i, ig w ppi-
i mh- mp-i. It phi i
g p f; h i
qi h h i
iv iig bi.
W pppi, -
iv i p h iv
w-big pp,
imi. uig
h bi ig m
wih bh phi vi
m g v
gizi’ i p.W h pi i
g, mpi pi-
i. t wh pi?
y w.
Shayne Bates works with Brivo Systems, which focuses on business value while mitigating enterprise security risks for clients globally using Brivo's cloud hosted security solutions. He can be reached at [email protected].
Photo top by Moodboard/Corbis
Why Aren’t Users More Secure?information security professionals must consider
users’ perceptions of security, and help protect them.
SECURITY: "Your password is weak; you need to change it."
USER: "My password isn't weak; it's my son's name."
SECURITY: "When I say it is weak it means it doesn't meet our password policies."
USER: "But it has upper and lower case and it's more than eight characters. How much more secure do I need to be?!"
as msig s h bv vsi is, i
highighs h si bw ss d s-
i. B phps ss should b sd. I
dsi kp hm s, w idv dhm wih s, gis, piis d p-
ds, izig w ig hm hg
hi hbis --q bsis. a w
vig h s s w di-ig s bhvi?
Pp d b s-d- id,
hg, d bd simig isk. I
w sid si i igh hm pshgi-
is, w bgi dsd wh ss
d is higs.
Sdis shw ss hv vg 25 pss-
wds mg, d dmiig mmb
psswd is s. a s wh s fv pss-wds d kig fv sds h
wss w hs mp im .
mp mpig 1,000 pp his qs
72 days wsd, h d v . I’s s-
pisig h psswds sd d
hgd.1 I , 2007 sd d ss si
hs h wks h g w wih, js s
h did h dds i.
as imi si pssis, w kw
wh d wih xpid SSl if wigs.
B v w vd ss d. I h’ d, “d’
ik hig,” i d k ds sv hpbm. Hwv, i h’ d , “g hd d
ig h wig,” h h s is ik
iz h sm dig pppig p di
si shd b ddssd.
Si is d pig h mp
d is sss; i sids h ms v-
s i h mp ds sh his
s. Giv h hi bw dfi dvs
hi w jb i h pssibii
smhig hppig smwh s i h m-
p, ms mps wi, dsdb, p
wh di imps hm.Si is m h js s big s.
W ms sid hw big s s
ss d hw hi ppi si s
hi bhvi.
Greg Sternberg, CISSP, is a security/solutions archi-
tect for Jeppesen, and is based in Colorado. He can be
reached at [email protected].
1 Robert Morris and Ken Thompson, "Password Security: A Case History", Communications of the ACM, 1979. To download this study, visit: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.128.1635&rep=rep1&type=pdf
Photo top by George Diebold
Global Insight: international information security perspectives
Introducing ISACA’s newest certification:
Grandfathering is now open.
GOOD FORTUNECan Be Yours
BREAK INTO IT.Register for an ISACA certification exam.
Exam Date: 11 December 2010
Registration Deadline: 6 October 2010
www.isaca.org/infosecmag
Give your software some teeth! Commit to building security into every aspect of the software lifecycle by becoming an (ISC)2® Certified Secure Software Lifecycle Professional (CSSLP®). (ISC)2 has education options to fit your schedule. Live OnLine gives you the same course content and the benefit of an (ISC)² Authorized Instructor, from your very own desktop delivered in two 2-hour sessions per week, over the course of 10 weeks. This will help you study for the CSSLP computer based exam available in over 500 locations around the world.
Sign up for CSSLP Live OnLine Education Program today.
Now take CSSLP courses from the comfort of your den.
Get a FREE iPad* when you register for a CSSLP Education Program. Visit www.isc2.org/csslpipad
*Can't be combined with any other offer.