After using AVG Free anti-virus for many years, we have switched all of our home PCs to Kaspersky Internet Security 2010.
AVG served us faithfully for five years. It never malfunctioned. Still, it didn’t far so well in a recent high-profile test of anti-virus products.
Kaspersky Internet Security 2010 can be installed on up to three home computers. It comes with (of course) anti-virus software, plus a firewall, parental controls, and the ability to run selected applications in a sandbox. It has other features that I will write about in future blog posts.
If you’re on a budget, the free version of AVG is still good, and way better than nothing. I still recommend AVG for people who simply don’t have the cash for Kaspersky or another product.
A reader asks: I have a friend who heard that we can be “watched” while we watch online videos. Any truth to it that you know of?
Answer: Theoretically yes, but only if you have a webcam (if you literally mean “watching”). I’ve heard of it being done.
If you mean “knowing what you are watching” (some kind of tracking), that is certain. Youtube remembers what you have seen (it can be embarrassing), and other vid sites do too. Sites do this with tracking cookies and other means to remember what videos you view, what pages you see, and the sites you visit.
The CISA Certified Information Systems Auditor All-In-One Exam Guide, published by Osborne McGraw-Hill, is now available in bookstores and from online merchants.
Written by Peter H. Gregory, this book is largest and most complete study guide available for the CISA (Certified Information Systems Auditor) professional certification. Prior to Osborne McGraw-Hill’s decision to publish this book, the other study guides that were available are shorter and contain less detail. This difference is key for IT professionals who are studying for the CISA certification, which places high demands on the exam taker to be able to recall many details and specifications about information technology, key business processes, and IT auditing.
Despite its title, CISA Certified Information Systems Audit All-In-One Exam Guide is structured and designed to also be a desk reference for early- and mid-career security auditors and security specialists who need a reliable, easily-consumed reference guide for key information technologies and IT auditing practices. The book contains two chapters that go beyond the CISA study material and include lengthy discussions of professional IT auditing and security and governance frameworks.
“The availability of this study guide represents a big step forward for IT professionals who are studying for the CISA exam and those who have IT security and audit responsibilities,” states Peter H. Gregory. “The IT industry has waited a long time for an All-In-One guide for this popular certification,” he adds, citing the enormous popularity of the CISSP All-In-One Study Guide that is written by Shon Harris and considered the best CISSP guide available.
About Peter H. Gregory
Peter Gregory, CISA, CISSP, DRCE is the author of twenty books on security and technology and has been a technical editor for twenty additional books on security and technology. He has over 25 years of experience in virtually every role in Business IT departments, including work in government, banking, non-profit, telecommunications and on-demand financial software businesses.
Gregory is on the board of advisors and the lead instructor for the University of Washington certificate program in information security, and a lecturer at the NSA-certified University of Washington Certificate Program in Information Assurance & Cybersecurity. He is also on the Board of Directors for the Evergreen State Chapter of InfraGard, and the Executive Steering Board for the SecureWorld Expo Conference in Seattle. A founding member of the Pacific CISO Forum, Mr. Gregory is a graduate of the FBI Citizens’ Academy and active in the FBI Citizens’ Academy Alumni Association.
About ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.
ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.
CISA Certified Information Systems Auditor All-In-One Study Guide by Peter H. Gregory; McGraw-Hill; October 2009; Hardback; $79.99; 10: 0071487557; 13: 978-0071487559
“All-in-One is All You Need.”
A thought on personal integrity, from my business manager and wife, Rebekah Gregory:
“Simply recognizing a problem does not qualify us to fix it. We should strive for personal integrity rather than cashing in on what is broken. In this way we cultivate genuine trust and become dependable leaders.”
Clicking on www.peterhgregory.com used to take readers to an “About” page. Over the weekend, I’ve made a change on the site so that you’ll now see my latest posts. You can read more about me by clicking on the About link.
This aligns better with my mission, to serve my readers by helping them better understand information security and risk management. Now you’re one click closer to the information you need.
(Our household consists of two adults and two teen-age girls in Jr. High and High School. We have recently enacted some rules for preventing the spread of influenza.)
1) Everyone washes their hands in the downstairs bathroom immediately upon returning from anywhere (bus, train, running, school, grocery store, church, etc.)
2) No washing at the kitchen sink. This is where we prepare food.
3) Each bathroom should have sanitizing wipes and they should be used daily or every other day to wipe down, in this order:
- door knobs
- surfaces
- light switches
- faucet handles
- toilet handles
4) No sharing of drinking glasses, water bottles, etc. Also, no using of our personal eating utensils for serving ourselves additional helpings of food. Use of a serving spoon is required so no more dipping into the main dishes with our own fork, no using our own utensils in the jam, peanut butter, etc.
5) Each person shall have their own hand towel for the upstairs bathrooms. The downstairs bathroom will be stocked with paper towels instead of a community hand towel.
This would be a great time to multi-task and get the gunk out of your computer. During the Emmy awards, there are plenty of slow moments when you can get to more important things like scanning your PC for malware (viruses, worms, Trojans, spyware).
Get New (Free) Anti-Virus Software
If the license has run out on your Norton, Symantec, McAfee, or other brand of anti-virus, don’t renew it. Instead, download AVG anti-virus. It’s a great anti-virus program, and it’s free. We use it on our Windows systems and recommend it to our friends. Several businesses we know of use the commercial versions of AVG as well. Get it here:
Scan Your Computer, Twice
After you install AVG (or if you are still using another brand, which is working well and up-to-date), you need to scan your entire hard drive for viruses. Each brand of anti-virus does this a little differently. Make sure you scan the entire hard drive; if your computer has more than one hard drive, scan them all.
There are also several good online virus scanning programs available. Scanning your PC with your local anti-virus scan and an online virus scanner is like getting a second opinion. There are several good online virus scanners, here:
- Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)
- Symantec: http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&close_parent=true
- Trend Micro: http://housecall.trendmicro.com/
- Kaspersky: http://www.kaspersky.com/virusscanner
- CA: http://cainternetsecurity.net/entscanner/
…all of the above companies are commercial organizations of the highest quality.
Most or all of the above online virus scanners require you use Internet Explorer. Most of my readers know that I strongly recommend Firefox with the NoScript and FlashBlock add-ons for the safest online browsing, but once in a while it’s necessary to run IE.
Set Up Weekly Scans
It’s a good idea to have your anti-virus program automatically scan your PC every week. This provides an added protection, by having your anti-virus program search for viruses that may have somehow gotten by your anti-virus program.
I recommend you have the scan run overnight – have it start well after you go to bed, but give it enough time to complete before morning. On some larger (and older) PC’s, a virus scan can take a few hours.
Seattle (WA USA) Sept 8, 2009. Noted security expert Peter H. Gregory, CISA,
CISSP, DRCE who started CISA and CISM certification study groups in 2002, has
launched a CISSP certification study group. Like the CISA and CISM groups, the
new CISSP study group is hosted by Yahoo Groups.
This group is for technology and security professionals who are interested in
learning more about the CISSP certification, as well as for instructors who
teach courses on information security. People who are already certified are also
invited to join as “mentors” who can help those who are just starting out.
People who are interested in joining the group may go to the following URL:
http://groups.yahoo.com/group/CISSP-study/join
People who are already members may go to the group at this URL:
http://groups.yahoo.com/group/CISSP-study
The CISSP Study group will have the following features:
* Message archive
* Moderated messages (no spam)
* Files upload
* Links pages
* Surveys
Only active members of the group may access these features.
Information that will be discussed in the forum include:
* CISSP qualifications
* CISSP study tips
* CISSP study books and courses
* CISSP study questions
* Registering for the certification exam
* Test tips
* Questions on any topic of information and business security
Auditors and security professionals usually prefer preventive controls over detective controls because they actually block unwanted events and prefer detective controls to deterrent controls because detective controls record events while deterrent controls do not. However, there are often circumstances where cost, resource, or technical limitations force an organization to accept a detective control when it would prefer a preventive one. For example, there is no practical way to build a control that would prevent criminals from entering a bank, but a detective control (security cameras) would record anything they did.
Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide
Logical access controls are used to control whether and how subjects (usually persons) are able to access objects (usually data). Logical access controls work in a number of different ways, primarily:
- Subject access. Here, a logical access control uses some means to determine the identity of the subject that is requesting access. Once the subject’s identity is known, the access control performs a function to determine if the subject should be allowed access the object. If the access is permitted, the subject is allowed to proceed; if the access is denied, the subject is not allowed to proceed. An example of this type of access control is an application that first authenticates a user by requiring a user ID and password before permitting the user to access the application.
- Service access. Here, a logical access control is used to control the types of messages that are allowed to pass through a control point. The logical access control is designed to permit or deny messages of specific types (and possibly it will also permit or deny based upon origin and destination) to pass. An example of this type of access control is a firewall or screening router that makes pass/block decisions based upon the type of traffic, origin, and destination.
An analogy of these two types of access is a symphony hall with a parking garage. The parking garage (the “service access”) permits cars, trucks, and motorcycles to enter, but denies oversized vehicles from entering. Upstairs at the symphony box office (the “subject access”), persons are admitted if they possess a photo identification that matches a list of prepaid attendees.
Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide
Whitepaper by Ernie Hayden, a noted security expert, on studying for the CISSP exam.
Download here (PDF)
Biometrics for Dummies available immediately to fill the knowledge void
Biometrics for Dummies
India has decided to issue biometric ID cards to each of its 1.2 billion citizens. Delhi recently established the Unique Identification Authority that will assign unique ID numbers to each citizen.
This will create a demand for knowledge about how biometrics works. Biometrics For Dummies, published in 2007, meets that need. “This is a huge deal in the world of biometrics,” writes Mike Simon, co-author of Biometrics For Dummies.
“Like many populations, people may not embrace biometrics right away,” cites Peter Gregory, co-author. “Most people do not know how biometrics works, and whether biometrics can be used to pry into someone’s personal details.”
Biometrics for Dummies is available in many forms and from several sources, including:
Online bookstores serving India:
You may view the Table of Contents here (PDF)
I’ve been a PC user for 25 years and switched to Mac last year. It is SO much easier to use, HIGHLY reliable, no hangs or reboots, no DLL hell. The Mac just runs and runs and runs, absolutely reliable, no performance problems.
I ran Vista last year and it is AWFUL: terrible performance, compatibility problems, booting took a long time, and it lost all of my data twice. After six months I switched that laptop back to Windows XP. XP is the last MS OS I am buying. We are either going 100% mac, or going to run Mac and Linux systems. Microsoft has been so completely disappointing with continued security problems (despite “the memo” in 2002, things have continued to get worse) that I have completely given up on them.
I have used PCs since 1985, and it’s really disappointing to see the direction that MS has taken. Windows is no longer a usable OS, but a symbol of the bloat and middle age that has occurred in the MS company itself.
I am sold on my Mac and wonder why I waited to long to switch.
If you switch to Mac, you will be amazed at how easy it is to use. You’ll be productive on day one, without all of the attendant problems present with Windows.
The purpose of internal and external audits is to identify potential opportunities for making improvements in control objectives and control activities. The handoff point between the completion of the audit and the auditee’s assumption of control is in the portion of the audit report that contains findings and recommendations. These recommendations are the imperatives that the auditor recommends the auditee perform to improve the control environment.
Implementation of audit recommendations is the responsibility of the auditee. However, there is some sense of shared responsibility with the auditor, as the auditor seeks to understand the auditee’s business, so that the auditor can develop recommendations that can reasonably be undertaken and completed. In a productive auditor-auditee relationship, the auditor will develop recommendations using the fullest possible understanding of the auditee’s business environment, capabilities, and limitations, in essence saying, “here are my recommendations to you for reducing risk and improving controls.” And the auditee, having worked with the auditor to understand his methodology and conclusions, and who has been understood by the auditor, will accept the recommendations and take full responsibility for them, in essence saying, “I accept your recommendations and will implement them.” This is the spirit and intent of the auditor-auditee partnership.
- from CISA Certified Information Systems Auditor All-In-One Study Guide – the last words written into the draft manuscript, completed a few hours after the last of the Fourth of July fireworks have burst in the night sky
Residual risk is like the dirt on the floor that cannot be picked up by the broom and dustpan. Rather than pursue residual risk down to the last iota, it is swept aside and will probably not be noticed.
- From CISA Certified Information Systems Auditor All-In-One Study Guide
New links added 4/26/09
I have been studying and writing about avian influenza pandemics for several years now. And what do you know… it’s a completely different novel influenza that is making the “h2h” (human-to-human) leap: swine flu influenza A (H1N1) is readily passing from person to person. Avian influenza is still a concern, but there have been few h2h cases of avian influenza to date. But this new swine flu in the U.S. and Mexico is readily and rapidly spreading from person to person.
This development is the greatest threat of a global pandemic since the SARS outbreak in China in 2002-2003. Some health experts say that in this case, the outbreak is too far along to stop. Even closing the U.S.-Mexico border may do little to slow down this swine flu epidemic.
If an epidemic or pandemic should occur, the following conditions are likely to take place in localized areas in many parts of the world:
- Widespread school closures
- Closures of public gathering places such as theaters, sports stadiums, concerts, shopping areas, churches
- Regional quarantines that may result in people not being able to report for work
- Closure of public transportation systems (trains, airports, subways, buses)
These could cause spot shortages of food and other necessities in some areas.
Businesses that are able to continue running may have rates of absenteeism that exceed 50% and may last for weeks at a time. Because of the complex web of businesses that rely on others for supplies and services, a general slowdown of production is expected.
Businesses that are permitted to remain operating may be required to enact several measures to slow down the spread of disease, including: gloves, masks, sanitation stations, refraining from touching others (no more hand shaking), checks for fever.
How to prepare: families need to stock up on non-perishable food, water, medicine, cash, and other essentials, and be prepared to live “off the grid” (and I mean more than just living without electricity) for days or weeks at a time.
Recent articles (all links open in new windows):
Ready.gov Pandemic Planning for Business
Wikipedia article on the current U.S. – Mexico swine flu outbreak
Someone I know recently sent me a Washington Post article about some proposed U.S. federal regulations on cybersecurity. The article was an attempt at fear-mongering over privacy concerns. As a cybersecurity professional and author on twenty books on cybersecurity and the technology of data communications, I’m qualified to comment on this article.
Federal regulation on cybersecurity is LONG overdue. Today, almost all of the 50 states have enacted cybersecurity laws, each different, most designed to protect the privacy of citizen data, and none of these state laws go nearly far enough to deal with the blatant irresponsibility on the part of many private corporations on protecting citizens’ data. The scourge of security breaches (such as the recent Heartland heist of ONE HUNDRED MILLION credit card numbers) are, in part, still occurring because private corporations are not doing enough to protect OUR DATA.
My most recent book on cybersecurity, which is to be published in May, opens in this way:
The Internet is critical infrastructure for the world’s commerce. Cybercrime is escalating; once the domain of hackers and script kiddies, cyber-gangs and organized criminal organizations have discovered the business opportunities for extortion, embezzlement, and fraud that now surpasses income from illegal drug trafficking. Criminals are going for the gold, the information held in information systems that are often easily accessed anonymously from the Internet.
The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.
There are not enough good security professionals to go around. As a profession, information security in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security professionals, and their jobs consisted primarily of making sure the doors were locked and that keys were issued only to personnel who had an established need for access. Today, whole sectors of commerce are doing virtually all of their business online, and other critical infrastructures such as public utilities are controlled online via the Internet. It’s hard to find something that’s not online these days. The rate of growth in the information security profession is falling way behind the rate of growth of critical information and infrastructures going online. This is making it all the more critical for today’s and tomorrow’s information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization’s assets.
What I have not mentioned in the book’s opening pages is that cybersecurity laws are inadequate. The security incidents of the recent past (and short-term future, I fear) are so severe that they may pose a far greater threat on our economy than the worldwide recession.
Case in point: considerable intelligence suggests that the likely culprit for the great Northeast Blackout of 2003 was not electric power system malfunctions, but computer hackers who are sponsored by the People’s Republic of China. I have read some of the intelligence reports myself and they are highly credible. You can read a lengthy article in the National Journal about the outage here. A few years ago, I attended a confidential briefing by the U.S. Office of Naval Intelligence on state-sponsored Chinese hackers. The briefing described many cyberterrorism activities in details that I cannot describe here. I believe that the capabilities by those groups are probably far greater today than they were at the time of the briefing. The fact that these groups’ efforts have been so successful is because U.S. private companies are not required to adequately security their networks; they are not even required to disclose whether security incidents have occurred (except as required by a patchwork of U.S. state laws).
I do not know whether the specific legislation discussed in the Washington Post article is an attempt to federalize the laws present in many U.S. states, or whether this legislation has a different purpose.
Security standards that are enforceable by the rule of law are badly needed. No, they will not solve all of our cybersecurity problems overnight, but if crafted correctly they can be an important first step. Today we have good standards, but no private company is required to follow them. The result is lax security that leads to the epidemic of cybersecurity incidents, many of which you never hear about.
Often the terms threat, attack, and vulnerability are interchanged and misused. Each is defined here.
Definition of threat: the expressed potential for the occurrence of a harmful event such as an attack.
Definition of attack: an action taken against a target with the intention of doing harm.
Definition of vulnerability: a weakness that makes targets susceptible to an attack.
Excerpt from CISSP Guide to Security Essentials, chapter 10
