Blog

  • Strategies To Protect Yourself Against Identity Theft

    Identity theft is a serious crime that is growing each year. If you're a victim of identity theft you may spend months, even years, trying to repair a ruined credit history. A seriously damaged credit report can compromise your chances of getting a new job, a bank loan, insurance or even rental housing. It's even possible to be arrested for a crime you didn't commit if someone else has used your identity to break the law.

    Unfortunately, many of the methods that thieves use to steal identities are beyond your control to guard against. Although it's rare, even store clerks have been known to use their position to pass along information to identity thieves. There are some measures you can take, however, that will make it harder for a thief to steal your identity.

    Protect Your Credit Card Number When Making Purchases

    After you make a purchase and your credit or debit card has been swiped through a credit card terminal, check to make sure that the printed receipt hides all but the last 4 digits of your credit card account number (usually there will be Xs in place of the first 12 digits). Some terminals still print receipts that show all 16 digits of an account number, and may even include the expiration date as well. After your card is swiped, you're permitted by law to hide the first 12 digits of your account number on the copy of the receipt that the vendor keeps. Use any marking pen that will do the job.

    When you go to a restaurant, it's especially important to make sure that the first 12 digits of your credit card number are hidden on your receipt. You might be in the habit of signing it and then leaving the restaurant's copy on the table after your meal. An identity thief can easily steal the signed receipt before the waitperson comes back around to pick it up from the table. Don't take any chances.

    Do You Really Need To Give Your Social Security Number?

    Another important way that you can guard against identity theft is to avoid giving out your social security number unless it's absolutely required. Although you need to share your social security number when you apply for credit or for a bank account, sometimes a store or an organization will want to use it as an ID number, simply to identify you within their system. This is a common practice even though the law says that social security numbers aren't to be used as ID numbers. In these situations, use your judgment. There's usually an alternative if you ask.

    Destroy Documents That Contain Sensitive Personal Information

    Buy a paper shredder and use it to destroy documents you're throwing away which contain personal information such as credit card numbers, social security numbers, phone numbers and dates of birth. This is important to do both at home and at work. Identity thieves aren't above going through someone's trash to find valuable personal information that can help them obtain credit in your name.

    If The Worst Happens

    If you do become a victim of identity theft, take the following steps immediately:

    • Contact your credit card companies, close your accounts and ask to have new cards issued to you.
    • Place a fraud alert on your file with any one of the three major credit bureaus. The other two will be notified automatically.
    • File a police report. You may need it to show to creditors as proof of the crime.
    • File a complaint with the FTC, which maintains a database of identity theft cases used by law enforcement agencies for their investigations.
  • The ISSEP: Information System Security Engineering Professional (ISSEP) certification

     

    I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification. Since the CISSP info is still fresh in my mind and much of the ISSEP is things I do or have to deal with daily, it seems like a good idea.

    What is the ISSEP?
    The ISSEP was developed by the International Information System Security Certification Consortium (ISC)² in conjunction with the National Security Agency/IAD. Whereas the CISSP is an all-encompassing general look at security, the ISSEP is a concentration on the system security engineering process. System security engineering has to do with ensuring that selected solutions meet the mission or business security needs. It is defined as “the art and science of discovering users' security needs, and designing and making with economy and elegance information systems so that they can safely resist the forces they might be subjected to.”

    System security engineers' tasks:
      Discover Information Protection Needs
      Define System Security Requirements
      Design System Security Architectures
      Develop Detailed Security Design
      Implement System Security
      Assess Information Protection Effectiveness

    Instead of ten Domains the ISSEP has four:
      System Security Engineering
      Certification and Accreditation
      Technical Management
      U.S. Government Information Assurance Regulations 

    Most of the ISSEP's material comes from the Information Assurance Technical Framework (IATF).

    My co-worker recently took the test and he said it was more difficult than the CISSP. The CISSP is easily THE most difficult test I've ever done. Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult. The CISSP is so broad that you could not possibly get all the information from a single source.

    http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf
    www.nsa.gov
    www.isc2.org

     

  • Microsoft talks up Xbox 360 security

    THE VOLE has been touting the security features of the Xbox 360 of late, claiming that unlike previous consoles, and notably the first Xbox, the Xbox 360 will take a very long time to be able to modify for nefarious purposes.

  • Mozilla offers temporary fix for Firefox flaw

    Responding to the disclosure of a serious Web browser flaw, the Mozilla Foundation offered on Friday a temporary fix to protect Firefox and Mozilla users.

  • Katrina-themed malware attack hits the net.

    Hurricane Katrina is bringing out the worst in people on the net as well as on the streets of New Orleans. Spam emails purporting to offer links to news about Katrina are being used to tempt potential victims onto a site hosting Trojan malware.

  • Hackers Admit to Wave of Attacks

    With their ringleader on the run, two cybervandals own up to using an army of compromised PCs to take down sites for commercial gain.

  • ISP Architectural Views

    One of the most important parts of an Information Support Plan
    (previously known as a C4ISP) is the Architectural Views.
    The DoD Architectural Framework Document describes each view
    in painful, painful detail. Since the C4ISP has been
    changed into the ISP, the DoD Architectural Framework is a
    bit outdated. For example, it doesn't mention "ISP" and
    also includes some old views that have been phased out, such
    as OV-3 and SV-1. The following gives my view on some of
    the views.

    In my limited experience, creating views is a very iterative
    process, meaning you create a little, then you tweak and
    change them as you go.

    AV-1 Overview and Summary Information is a breeze if you
    have all the appropriate information readily available.

    Operational Views (OV)
    These are fun for me because I feel like I understand
    them. OV-1, High-level Operational Concept Graphic, is
    one that I've had the pleasure of not having to do.
    Merely starting it was a bit of a challenge. It is
    intended to look pretty. I've seen it done effectively
    with MS Word and PowerPoint.

    OV-2 is Operational Node Connectivity. As a network guy,
    this is my favorite. I use Visio for this one with
    simple shapes representing the nodes, or you can get
    fancy and use computer icons. OV-4, Organizational
    Relationship Chart, is another fun, easy diagram that can
    be created with Visio or Word using simple shapes.
    OV-5 is the Activity Model. Since it is so closely
    tied to SV-4, Functional Description, and SV-5,
    Operational Activity to System Function Traceability
    Matrix, it is very, very iterative and not one of my
    favorites. I complete these three one after another.
    Both SV-4 and OV-5 must be completed before you do SV-5,
    since all the info in SV-5 comes from those two.
    OV-6c, Operational Event-Trace Description, requires a
    very good understanding of what happens to the data
    upon entering the system. But once you have that
    nailed down, it is fairly straightforward. The logical
    data model, OV-7, can get a bit convoluted, I imagine.
    In it you are supposed to give a visual representation of
    the various domains.

    System Views (SV)
    The SVs can get a little gray, as some of the views can
    touch on things that involve your system but that you have
    perhaps only heard of. For example, if your system "A"
    connects with system "B", you may have to show that
    connection even though you don't know much of anything
    about system "B". I haven't seen SV-1 on the Teao Saic
    site, so I assume it has been phased out. But it deals
    with interfaces. SV-2, System Communication Description,
    is very much like the example of system "A" in relation
    to "B". SV-2 shows how your system communicates/connects
    with other systems. It's almost like a bird's-eye view of
    OV-2. SV-4, System Functionality Description, as I said
    in the OV section, is closely related to OV-5 and SV-5. So
    if one changes, they may all have to change.
    SV-5 is a large table that shows the direct relationship
    between Operational Activity and System Function. It is a
    pain in the ass for the reason stated above. SV-6 can be a
    very complex table. It is the System Data Exchange
    Matrix. You'll note that anything with the word "matrix"
    in it sucks. That is because one change on a separate
    view can affect change in other views, and that almost always
    includes the matrices.

    Technical View (TV)
    TV-1, Technical Standards merely lists all the capabilities
    of the system and references each of the technical standards
    used.

    That is my opinion of the ISP views. I hope you find them as relatively painless
    as I did, and if not, this site will help you out --->
    http://www.teao.saic.com/cbrtraining/archpro01.asp
  • Hidden Threat: Alternate Data Streams

    Cool little NTFS trick that most security pros and even hackers don't know about. The lost art of Alternate Data Streams.

  • Information Security vs. Information Technology

    In my experience Information Security as a career field is far superior
    to Information Technology (IT).  I've done both for a number of
    years.  IT seems to get worse every year and Information Security
    seems to get better.

    Overall, Information Security pays better, has less competition from
    competent professionals and usually doesn't have a lot of out-of-country
    competition. There are exceptions, such as highly
    specialized IT jobs and management positions. When I refer to
    “IT” I'm speaking of basic network engineers and
    System Administrators, not WAN engineering CCIEs, or IT guys running
    their own business contracts, or very specialized software coders that
    know assembly. I used to be very excited about IT until I went
    into the private sector for about a year.

    Why does Information Technology suck as a career field?
    Well, it doesn't necessarily SUCK, but there are several reasons why I
    will more than likely never go back to vanilla-flavored IT: too much work, slave wages, competition.

    Let's start with too much work. Many businesses that rely heavily
    on their servers, routers, databases and other information systems
    want their systems to be up 24/7, which requires on-call workers.
    I used to be excited about getting the pager and/or corporate cellphone
    until I got called a few times at the crack of ASS
    on a weekend. When a critical system goes down, the IT person's
    pager blows up. This sometimes means working long hours.
    When you are on call, your free time is completely dependent on the
    status of the Information System. FYI, the system hardly
    ever goes down when you're sitting at home thinking, “Damn, I'm bored!
    I wish I could fix the server.” It usually goes off when you're
    at your daughter's graduation or in the middle of your marriage about to say “I DO” or in mid-stroke when you're about to orgasm.

    Information Security specialists can also have a “digital leash.”
    But major viruses taking down an entire network is much rarer than a
    system crash or user error, especially if you have Windows
    behind a good robust firewall.

    Slave wages... OK, that's an overstatement, but unless you are
    specialized, as stated above, you will be hard pressed to make over 55k
    in a basic IT job. Now 55k is pretty good, but in security you
    can make as much as 100k (particularly in forensics).

    The low wages are directly related to the amazing amount of competition
    you will face as an IT guy. Where I live there are a handful of
    military installations which crank out bright young service members who are
    willing to take the minimum that most companies will pay. One of
    the biggest competitors may not even come from your country of
    origin. In the U.S., global outsourcing has become an
    epidemic. India is one of the biggest competitors for American IT
    jobs, including help desk and software engineering.

    Information Security typically hires within the host country's
    borders. Many even require a security clearance, which greatly
    limits not only international competition, but local competition as
    well.

    The bottom line in Information Technology and Information Security is
    specialization. The more skilled you are at one particular trade,
    the more certifications, licenses and degrees you have focusing on one
    specialized skill that is in demand, the better. They may just be
    pieces of paper, but consider them ammunition against the competition
    that wants YOUR job. The specialization doesn't have to be in
    Security; it could be in Database Analysis or Network Management or some
    programming language.