Tag Archives: security+

Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October, 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this. Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.

Understanding success in an information security job

There is a basic truth of information security jobs that can be intensely frustrating to some people but represent an exciting challenge to others: your guidance on improving security and reducing risk will often be ignored.

Many security professionals have a difficult time with the feeling of being ineffective. You can spend considerable time on a project that includes recommendations on improving security, and many of those recommendations might be disregarded. A track record of such events can make most professionals feel like a failure.

A security professional needs to understand that they are a change agent. Because information security practices are often not intuitive to others, your job will often involve working with others so that they will embrace small or large changes and do their part in improving security in the organization. To be an effective change agent, you need the skills of negotiation and persuading others to understand and embrace your point of view and why it’s important to the organization.

You need to realize, however, that even if you are a skilled negotiator, you still won’t get your way sometimes. This should not be considered a failure, and here’s why: it’s our job to make sure that decision makers make informed decisions, considering a variety of factors including security issues. As long as decision makers make informed decisions (meaning, we have informed them of the risks associated with their choices), we have done our job, and we need to be comfortable knowing that sometimes decisions are made that we don’t agree with.

– Excerpt from Getting An Information Security Job For Dummies, to be published in 2015

Breathing new life into old hardware with Ubuntu

I’ve got a five year old Compaq laptop computer that ran Windows XP Pro for years (except for a time when I ran Vista in order to write an e-book on Vista security). With additional patches over the years, the system has been running more slowly, even after performing a lot of work to optimize performance.

I also have security concerns. This computer is used by other family members (including teens) who are less security-conscious than I am.

After saving some personal data, I’ve removed Windows and installed Ubuntu Linux. The install procedure is very simple. If you are wondering whether it will run on your hardware, you can boot it and run it from CD-ROM to see whether all of your hardware is supported. Critical were Ethernet, WiFi, and USB drives. All worked flawlessly – so last night I installed it over Windows XP (and am hoping that I won’t regret not doing a dual-boot first). Today I am installing updates. After that I will re-create all of the same user accounts and restore users’ bookmarks (browser favorites) and files.

Not counting work computers, this now makes the computers in our home running mostly Unix. My Macbook runs Leopard, and the Compaq runs Ubuntu. There is a Windows XP Pro running on a desktop computer, and we have a little Acer netbook that runs XP.

Sept Scientific American on security and privacy

The entire September 2008 issue of Scientific American magazine is devoted to security and privacy. I’m going to run out and pick up a hardcopy, and suggest that other security professionals do the same.

It’s also available online at http://www.sciam.com/sciammag/

CISA forum guides certification candidates

The CISA Forum is an online community whose purpose is to assist CISA candidates in their studies towards the Certified Information Systems Auditor certification. The forum, started in 2002 by Peter H Gregory, CISA, CISSP, is hosted by Yahoo Groups and has more than 3,000 members.

“The forum has helped many achieve their certification through lively discussions about the security audit profession and the CISA exam itself,” Gregory states. “I started this forum as a way to help new CISA candidates and to provide a platform for others to help these new candidates.” Gregory encourages newly-minted CISA holders to stay on the van and help others on their way.

The CISA Forum is open to all who possess the CISA certification or are interested in attaining it.

http://groups.yahoo.com/group/CISAforum/

The CISA certification is owned and managed by the Information Systems Audit and Control Association. ISACA does not endorse or sponsor the CISA Forum. Read more about the CISA certification here.

About ISACA. With more than 65,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 55,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by 7,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

CISA is a registered trademark of ISACA.

CISSP one of the hottest certs for 2008

Toni Bowers, senior editor for Tech Republic, cites CISSP as one of the ten hottest IT certifications of 2008. Ms. Bowers states, “With CISSPs earning $94,070 a year on average, it’s easy to see why Trapp puts this one on the list. (Note that the exam costs $500, lasts up to six hours, and includes 250 multiple choice questions.)”

Link to full article here.

Study for the CISSP certification with the best-selling CISSP study guide, CISSP for Dummies, here.

Security+ one of the hot certs for 2008

Toni Bowers, senior editor for Tech Republic, cites Security+ as one of the ten hottest IT certifications of 2008. Ms. Bowers states, “Growth in Security+, which covers topics like communication security, infrastructure security, cryptography, access control and authentication, shows no signs of slowing down. According to Michael Trapp, writing for knowhow-now.com, ‘Comptia’s Security+ Credential is must have in today’s world.’”

Link to article here:

http://blogs.techrepublic.com.com/career/?p=223

Study for the Security+ certification with the best-selling Security+ study guide, Security+ Certification for Dummies, here.