A reader asks: I have a friend who heard that we can be “watched” while we watch online videos. Any truth to it that you know of?

Answer: Theoretically yes, but only if you have a webcam (if you literally mean “watching”). I’ve heard of it being done.

If you mean “knowing what you are watching” (some kind of tracking), that is certain. Youtube remembers what you have seen (it can be embarrassing), and other vid sites do too. Sites do this with tracking cookies and other means to remember what videos you view, what pages you see, and the sites you visit.

The CISA Certified Information Systems Auditor All-In-One Exam Guide, published by Osborne McGraw-Hill, is now available in bookstores and from online merchants.

Written by Peter H. Gregory, this book is largest and most complete study guide available for the CISA (Certified Information Systems Auditor) professional certification.  Prior to Osborne McGraw-Hill’s decision to publish this book, the other study guides that were available are shorter and contain less detail. This difference is key for IT professionals who are studying for the CISA certification, which places high demands on the exam taker to be able to recall many details and specifications about information technology, key business processes, and IT auditing.

Despite its title, CISA Certified Information Systems Audit All-In-One Exam Guide is structured and designed to also be a desk reference for early- and mid-career security auditors and security specialists who need a reliable, easily-consumed reference guide for key information technologies and IT auditing practices.  The book contains two chapters that go beyond the CISA study material and include lengthy discussions of professional IT auditing and security and governance frameworks.

“The availability of this study guide represents a big step forward for IT professionals who are studying for the CISA exam and those who have IT security and audit responsibilities,” states Peter H. Gregory. “The IT industry has waited a long time for an All-In-One guide for this popular certification,” he adds, citing the enormous popularity of the CISSP All-In-One Study Guide that is written by Shon Harris and considered the best CISSP guide available.

About Peter H. Gregory

Peter Gregory, CISA, CISSP, DRCE is the author of twenty books on security and technology and has been a technical editor for twenty additional books on security and technology. He has over 25 years of experience in virtually every role in Business IT departments, including work in government, banking, non-profit, telecommunications and on-demand financial software businesses.

Gregory is on the board of advisors and the lead instructor for the University of Washington certificate program in information security, and a lecturer at the NSA-certified University of Washington Certificate Program in Information Assurance & Cybersecurity. He is also on the Board of Directors for the Evergreen State Chapter of InfraGard, and the Executive Steering Board for the SecureWorld Expo Conference in Seattle. A founding member of the Pacific CISO Forum, Mr. Gregory is a graduate of the FBI Citizens’ Academy and active in the FBI Citizens’ Academy Alumni Association.

About ISACA^®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA^® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA^®), Certified Information Security Manager^® (CISM^®) and Certified in the Governance of Enterprise IT^® (CGEIT^®) designations.

ISACA developed and continually updates the COBIT^®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

CISA Certified Information Systems Auditor All-In-One Study Guide by Peter H. Gregory; McGraw-Hill; October 2009; Hardback; $79.99; 10: 0071487557; 13: 978-0071487559

“All-in-One is All You Need.”

A thought on personal integrity, from my business manager and wife, Rebekah Gregory:

“Simply recognizing a problem does not qualify us to fix it. We should strive for personal integrity rather than cashing in on what is broken. In this way we cultivate genuine trust and become dependable leaders.”

Clicking on www.peterhgregory.com used to take readers to an “About” page. Over the weekend, I’ve made a change on the site so that you’ll now see my latest posts. You can read more about me by clicking on the About link.

This aligns better with my mission, to serve my readers by helping them better understand information security and risk management. Now you’re one click closer to the information you need.

(Our household consists of two adults and two teen-age girls in Jr. High and High School. We have recently enacted some rules for preventing the spread of influenza.)

1) Everyone washes their hands in the downstairs bathroom immediately upon returning from anywhere (bus, train, running, school, grocery store, church, etc.)

2) No washing at the kitchen sink. This is where we prepare food.

3) Each bathroom should have sanitizing wipes and they should be used daily or every other day to wipe down, in this order:

- door knobs
- surfaces
- light switches
- faucet handles
- toilet handles

4) No sharing of drinking glasses, water bottles, etc. Also, no using of our personal eating utensils for serving ourselves additional helpings of food. Use of a serving spoon is required so no more dipping into the main dishes with our own fork, no using our own utensils in the jam, peanut butter, etc.

5) Each person shall have their own hand towel for the upstairs bathrooms. The downstairs bathroom will be stocked with paper towels instead of a community hand towel.

This would be a great time to multi-task and get the gunk out of your computer. During the Emmy awards, there are plenty of slow moments when you can get to more important things like scanning your PC for malware (viruses, worms, Trojans, spyware).

Get New (Free) Anti-Virus Software

If the license has run out on your Norton, Symantec, McAfee, or other brand of anti-virus, don’t renew it. Instead, download AVG anti-virus. It’s a great anti-virus program, and it’s free.  We use it on our Windows systems and recommend it to our friends. Several businesses we know of use the commercial versions of AVG as well. Get it here:

http://free.avg.com/

Scan Your Computer, Twice

After you install AVG (or if you are still using another brand, which is working well and up-to-date), you need to scan your entire hard drive for viruses. Each brand of anti-virus does this a little differently. Make sure you scan the entire hard drive; if your computer has more than one hard drive, scan them all.

There are also several good online virus scanning programs available. Scanning your PC with your local anti-virus scan and an online virus scanner is like getting a second opinion. There are several good online virus scanners, here:

• Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)
• Symantec: http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&close_parent=true
• Trend Micro: http://housecall.trendmicro.com/
• Kaspersky: http://www.kaspersky.com/virusscanner
• CA: http://cainternetsecurity.net/entscanner/

…all of the above companies are commercial organizations of the highest quality.

Most or all of the above online virus scanners require you use Internet Explorer. Most of my readers know that I strongly recommend Firefox with the NoScript and FlashBlock add-ons for the safest online browsing, but once in a while it’s necessary to run IE.

Set Up Weekly Scans

It’s a good idea to have your anti-virus program automatically scan your PC every week. This provides an added protection, by having your anti-virus program search for viruses that may have somehow gotten by your anti-virus program.

I recommend you have the scan run overnight – have it start well after you go to bed, but give it enough time to complete before morning. On some larger (and older) PC’s, a virus scan can take a few hours.

Seattle (WA USA) Sept 8, 2009. Noted security expert Peter H. Gregory, CISA,
CISSP, DRCE who started CISA and CISM certification study groups in 2002, has
launched a CISSP certification study group. Like the CISA and CISM groups, the
new CISSP study group is hosted by Yahoo Groups.

This group is for technology and security professionals who are interested in
learning more about the CISSP certification, as well as for instructors who
teach courses on information security. People who are already certified are also
invited to join as “mentors” who can help those who are just starting out.

People who are interested in joining the group may go to the following URL:

http://groups.yahoo.com/group/CISSP-study/join

People who are already members may go to the group at this URL:

http://groups.yahoo.com/group/CISSP-study

The CISSP Study group will have the following features:

* Message archive
* Moderated messages (no spam)
* Files upload
* Links pages
* Surveys

Only active members of the group may access these features.

Information that will be discussed in the forum include:

* CISSP qualifications
* CISSP study tips
* CISSP study books and courses
* CISSP study questions
* Registering for the certification exam
* Test tips
* Questions on any topic of information and business security

Auditors and security professionals usually prefer preventive controls over detective controls because they actually block unwanted events and prefer detective controls to deterrent controls because detective controls record events while deterrent controls do not. However, there are often circumstances where cost, resource, or technical limitations force an organization to accept a detective control when it would prefer a preventive one. For example, there is no practical way to build a control that would prevent criminals from entering a bank, but a detective control (security cameras) would record anything they did.

Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide

Logical access controls are used to control whether and how subjects (usually persons) are able to access objects (usually data). Logical access controls work in a number of different ways, primarily:

• Subject access. Here, a logical access control uses some means to determine the identity of the subject that is requesting access. Once the subject’s identity is known, the access control performs a function to determine if the subject should be allowed access the object. If the access is permitted, the subject is allowed to proceed; if the access is denied, the subject is not allowed to proceed. An example of this type of access control is an application that first authenticates a user by requiring a user ID and password before permitting the user to access the application.

• Service access. Here, a logical access control is used to control the types of messages that are allowed to pass through a control point. The logical access control is designed to permit or deny messages of specific types (and possibly it will also permit or deny based upon origin and destination) to pass. An example of this type of access control is a firewall or screening router that makes pass/block decisions based upon the type of traffic, origin, and destination.

An analogy of these two types of access is a symphony hall with a parking garage. The parking garage (the “service access”) permits cars, trucks, and motorcycles to enter, but denies oversized vehicles from entering. Upstairs at the symphony box office (the “subject access”), persons are admitted if they possess a photo identification that matches a list of prepaid attendees.

Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide

Whitepaper by Ernie Hayden, a noted security expert, on studying for the CISSP exam.

Download here (PDF)