New Certifications from NBISE Will Set High Bar for IT Security Pros

[1]A new non-profit group is developing certifications for information technology security professionals that will set a high bar for IT security practitioners in areas like penetration testing, code auditing and control systems operation.

The National Board of Information Security Examiners (NBISE) [2] is a new, not-for-profit corporation headed by former NERC (North American Electric Reliability Corporation) CSO Mike Assante and overseen by a board of luminaries in the world of information security and critical infrastructure.  The group will be designing certification exams to test the knowledge, practical skill and professionalism of IT security practitioners, with an eye to weeding out the information technology world’s equivalent of quacks and hucksters.

The new tests are designed to supplant a hodge podge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups. NBISE claims that too many of those tests test knowledge, rather than hands-on skills required of practitioners.

“This is about a higher level of testing,” said NBISE Director and SANS Institute Director of Research Alan Paller. “Its about having confidence that the person you hired doesn’t just know the answer, but can do the job.”

NBISE Chief Operating Officer Kelly Ziegler likens the exams to those required by the National Board of Medical Examiners for aspiring physicians.

Paller said that the group is working with top practitioners in a variety of disciplines to design exams that test practical knowledge, not just book knowledge. Scenario testing – akin to the now famous “Capture the Flag” tournaments at DEFCON and other hacking conferences -- will be an important component of the NBISE exams, he said.

“If you look at (penetration) testing, you can have multiple choice questions about the correct approach when pen testing, but that’s very different than having an actual set of systems and having to find a flag, rather than just answer questions about how to find it,” Paller said.

NBISE plans to release its first exam in the next 30 days. That test will be an adaptation of the UK’s Council of Registered Ethical Security Testers (CREST) [3] exam for penetration testing. The group is working with the UK government’s CESG – the British equivalent of the U.S.’s National Security Agency – to adapt that exam for use in North America, according to Ziegler.

In other areas, such as the operation of control systems and secure coding, computer forensics and incident response and handling, NBISE is forming national boards of experts to get to work developing exams. The group is also being advised by the National Board of Medical Examiners on ways to devise certification exams that test practical knowledge.

Paller said the new emphasis on certification is a response to an aching skills gap in the IT security space [4]. That gap has been underscored by a series of studies and reports that have pointed to the need to develop IT security expertise within the public and private sectors. Most recently, in June, the Center for Strategic and International Studies issued a report warning of a “human capital crisis” in cyber security.

Paller said that the profusion of different certifications has allowed legions of poorly trained IT professionals to falsely claim expertise in cyber security. Often, their lack of training only becomes evident once they’ve been hired.  

NBISE will also provide more focused instruction than initiatives like the U.S. Departments of Defense’s Directive 8570 (DOD 8570), which provides training and certification guidance for government employees who work in Information Assurance, but give employees a menu of different certifications to choose from in fulfilling the directive, say NBISE organizers.

The NBISE exams, once instituted, will serve as a threshold exam for work in areas like government and financial services, separating those with technical knowledge of a subject from those with both knowledge and hands on experience to perform a job. Paller said that the exams, once adopted, could take business away from certification organizations like The SANS Institute, but that those organizations might merely shift to fulfill a role similar to that of medical schools today: teaching students a body of material and hands on skills necessary to pass the NBISE certification exam.

Links:
[1] http://threatpost.com/en_us/blogs/new-certification-group-aims-set-high-bar-it-security-pros-080510
[2] http://www.nbise.org/
[3] http://www.crest-approved.org/
[4] http://threatpost.com/en_us/blogs/new-cybersecurity-czar-faces-tough-road-060209
[5] http://www.twitter.com/home?status=New Certifications Will Set High Bar for IT Security Pros http://threatpost.com/en_us/c4B

DOWNLOAD ISSUE 27 HERE (September 2010)

Issue 27 has just been released. Download it from:
http://www.insecuremag.com

The covered topics include:

- Review: BlockMaster SafeStick secure USB flash drive
- The devil is in the details: Securing the enterprise against the cloud
- Cybercrime may be on the rise, but authentication evolves to defeat it
- Learning from bruteforcers
- PCI DSS v1.3: Vital to the emerging demand for virtualization and cloud security
- Security testing - the key to software quality
- A brief history of security and the mobile enterprise
- Payment card security: Risk and control assessments
- Security as a process: Does your security team fuzz?
- Book review: Designing Network Security, 2nd Edition
- Intelligent security: Countering sophisticated fraud
____________________________________________________

(IN)SECURE Magazine is supporting the following industry events:

SOURCE Barcelona 2010
Barcelona, Spain, 21-22 September 2010.
Use discount code SOURCEHN10 to get 15% off your ticket price.
http://www.sourceconference.com

Brucon 2010
Brussels, Belgium. 24-25 September 2010.
http://www.brucon.org

InfoSecurity Russia 2010
Moscow, Russia. 17-19 November 2010.
http://www.infosecurityrussia.ru

RSA Conference Europe 2010
London, United Kingdom. 12-14 October 2010.
http://bit.ly/rsa2010eu

__________________________________________________

Visit the (IN)SECURE Magazine web site at:
http://www.insecuremag.com

Subscribe to our RSS feed at:
http://feeds2.feedburner.com/insecuremagazine

Daily security news RSS feed:
http://feeds2.feedburner.com/HelpNetSecurity

Help Net Security on Twitter:
http://twitter.com/helpnetsecurity

Contact:

- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com
- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing( at )insecuremag.com

Zurich lost an unencrypted backup tape which contained the data while it was being transferred to a South African data storage centre in 2008. The records included customer identities, bank account, credit card and other financial information.

The company did not become aware of the loss until a year later. The fine is, to date, the largest company fine for a single data loss although HSBC were fined £3 million in 2009 for a number of separate losses of customer data.

Because the company agreed to settle early on in the investigation by the FSA, the fine was reduced by 30%.

Without that cooperation the fine would have been £3.25 million. Margaret Cole, the FSA's director of enforcement and financial crime said the company had "let it's customers down badly" noting that the company failed to effectively oversee its outsourcing and lacked full control of the data being processed in South Africa.

"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made" added Cole. The FSA say that, according to Zurich UK, there is no evidence that the lost data has been misused.

This shows clearly that IT security is NOT only a technical issue.  If management fail to exercise due care and due diligence and play the role they are supposed to, they will be find guilty and will pay the price dearly.  In this case it is the law that caught them but the next time it might be a large scale compromise.   You have to implement proper security and that include audit, enforcement, and constant review.  See the article below:

Bank fined $9.7m over poor IT governance

Liam Tung | Aug 5, 2010 9:22 AM

http://www.nature.com/news/2010/100829/full/news.2010.436.html

Hackers blind quantum cryptographers

Lasers crack commercial encryption systems, leaving no trace.

Zeeya Merali

A way to intercept photons of light to create a security leak has been discovered.

Quantum hackers have performed the first 'invisible' attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission — they have fully cracked their encryption keys, yet left no trace of the hack.

Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells.

Vadim Makarov at the Norwegian University of Science and Technology in Trondheim and his colleagues have now cracked it. "Our hack gave 100% knowledge of the key, with zero disturbance to the system," he says.

In standard quantum cryptographic techniques, the sender — called 'Alice' for convenience — generates a secret key by encoding classical bit values of 0 and 1 using two different quantum states of photons, or particles of light. The receiver, 'Bob', reads off these bit values using a detector that measures the quantum state of incoming photons. In theory, an eavesdropper, 'Eve', will disturb the properties of these photons before they reach Bob, so that if Alice and Bob compare parts of their key, they will notice a mismatch.

In Makarov and colleagues' hack, Eve gets round this constraint by 'blinding' Bob's detector — shining a continuous, 1-milliwatt laser at it. While Bob's detector is thus disabled, Eve can then intercept Alice's signal. The research is published online in Nature Phototonics today1.

Breaking the rules

The cunning part is that while blinded, Bob's detector cannot function as a 'quantum detector' that distinguishes between different quantum states of incoming light. However, it does still work as a 'classical detector' — recording a bit value of 1 if it is hit by an additional bright light pulse, regardless of the quantum properties of that pulse.

That means that every time Eve intercepts a bit value of 1 from Alice, she can send a bright pulse to Bob, so that he also receives the correct signal, and is entirely unaware that his detector has been sabotaged. There is no mismatch between Eve and Bob's readings because Eve sends Bob a classical signal, not a quantum one. As quantum cryptographic rules no longer apply, no alarm bells are triggered, says Makarov.

"We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing," says Makarov.

Makarov and his team have demonstrated that the hack works on two commercially available systems: one sold by ID Quantique (IDQ), based in Geneva, Switzerland, and one by MagiQ Technologies, based in Boston, Massachusetts. "Once I had the systems in the lab, it took only about two months to develop a working hack," says Makarov.

This is the latest in a line of quantum hacks. Earlier this year, a group led by Hoi-Kwong Lo at the University of Toronto in Ontario, Canada, also showed that an IDQ commercial system could be fully hacked. However, in that case, the eavesdropper did introduce some noticeable errors in the quantum key2.

Grégoire Ribordy, chief executive of IDQ, says that the hack of Makarov and his group is "far more practical to implement and goes further than anything that has gone before".

Both IDQ and MagiQ welcome the hack for exposing potential vulnerabilities in their systems. Makorov informed both companies of the details of the hack before publishing, so that patches could made, avoiding any possible security risk.

"We provide open systems for researchers to play with and we are glad they are doing it," says Anton Zavriyev, director of research and development at MagiQ.

Ribordy and Zavriyev stress that the open versions of their systems that are sold to university researchers are not the same as those sold for security purposes, which contain extra layers of protection. For instance, the fully commercial versions of IDQ's system also use classical cryptographic techniques as a safety net, says Ribordy.

Makarov agrees that the hack should not make people lose confidence in quantum cryptography. "Our work will ultimately make these systems stronger," he says. "If you want state-of-the-art security, quantum cryptography is still the best place to go." 

• References
  1. Lydersen, L. et al. Nature Photonics advance online publication doi:10.1038/NPHOTON.2010.214 (2010).
  2. Xu, F., Qi, B. & Lo, H.-K. Preprint at http://arxiv.org/abs/1005.2376v1 (2010).

Microsoft's Security Development Lifecycle under Creative Commons License

Microsoft is to change the license for its process for developing secure software. In future, the company's Security Development Lifecycle (SDL) will be available under a Creative Commons license (Attribution-NonCommercial-ShareAlike 3.0 Unported). This should make it easier for others to use and distribute the principles behind SDL and for programmers to integrate SDL components into their own development processes. This has not previously been possible, as documentation and other SDL materials were under an exclusive Microsoft license which precluded such use.

The company hopes that the change will lead to more developers utilising the Microsoft process for developing software more securely across the entire product lifecycle. SDL can trace its origins back to a 2002 Bill Gates memo on "trustworthy computing". The resulting programme was intended to make security an integral part of the company's software development process and make its products more persistently secure. All Microsoft software since Windows Vista has been developed in accordance with SDL.

David Ladd, Principal Security Program Manager at Microsoft, has announced that the first two documents to be placed under the new license will be a white paper entitled "Simplified Implementation of the Microsoft SDL" and "Microsoft Security Development Lifecycle (SDL) – Version 5.0", a guide to how the company uses SDL in its product development. These can be expected within the next few weeks. According to Ladd, the company will also be going through other content on the SDL portal and relicensing it as appropriate. SDL tools are not affected by the licensing change, but will continue to use Microsoft licenses.

http://promo.pearsonitcertification.com/pages/start/plp-webcast-home/index.html?Campaign_Id=262&Activity_Id=212

Kevin Wallace, expert trainer and best-selling author of the CCNP TSHOOT 642-832 Official Certification Guide and Network Troubleshooting Video Mentor, takes you on a tour of a troubleshooting scenario that is typical of what you might see on the CCNP TSHOOT exam. Kevin walks you through an HSRP trouble ticket. You will review the theory of HSRP followed by a live troubleshooting demonstration and concluding with a Q&A session.

Join us for this Free Pearson IT Certification / Cisco Press Webcast to gain unique insight into what you can expect on the CCNP TSHOOT exam!  Register Now. Hope you can attend!

~Jamie

Jamie Adams, Senior Publicist

Representing technical brands of Pearson in networking technologies (IP Com, network security, storage), and all certifications including Cisco®, Microsoft and CompTIA.

Office: 317-428-3012

Twitter: @ciscopress, @pearsonitcert, and @jamieadams76

Facebook: facebook.com/ciscopress and other Pearson brands at informit.com/socialconnect.

LinkedIn: www.linkedin.com/in/msjamieadams.

To Security Professionals – Important Request:

In case you did not know, I am a Founding Member of the CompTIA Security+ Cornerstone Committee.  I am writing this blog to ask if you would complete an important survey because of your expertise in information security. CompTIA is developing a new advanced security certification exam to follow CompTIA Security+ (or equivalent experience) and we are seeking your input on the exam objectives. We hope you’ll appreciate how important your input is to the development of this certification, and ultimately to those who follow you in their security careers.  Personally, I am excited by the cutting-edge objective set of the intended certification:  It is up-to-date and pragmatic.  It includes (speak of the devil) objectives related to:

• Security and Social Media
• Virtualized Desktops (VDI)
• Insider Threat
• 802.1x
• Fuzzing
• And a plethora of deep, technical, scary stuff!

To begin this approximately ten-minute survey, please go here:  https://s-xut5m-345723.sgizmo.com
In appreciation for your time and participation, CompTIA is giving away a CompTIA T-shirt to every 10th person who completes the survey.

CompTIA values your privacy. Results are completely anonymous and the data will only be viewed in the aggregate. Please complete by September 8, 2010.
Thank you very much for your participation.

Please contact research_at_comptia.org if you experience any technical difficulties with the survey.

Go ahead:  support the community and get a free T-Shirt!

Barry Kaufman, CISSP, CEH, MCSE, ITILv3

By Mathew J. Schwartz,  InformationWeek
--> Aug. 23, 2010
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=226900089

Spanish authorities investigating the crash of Spanair flight 5022 in Madrid have found that malware may have contributed to the accident, which occurred two years ago, killing 154 people on board. Only 18 survived the crash and subsequent fire.

The Spanish agency charged with investigating the accident has listed the official cause as pilot error, because the pilots failed to extend the MD-80 airplane's takeoff flaps and slats, which would have helped the airplane to rise. Instead, the plane stalled just seconds after takeoff.

But the agency also found that a warning alarm meant to ensure that the pilots didn't leave the flaps and slats retracted failed to sound, and that the warning had failed to sound on two previous occasions.

According to Spanish daily El Pais, those failures, which were non-trivial, should each have been immediately logged in a maintenance system, which would have spotted the recurring fault and triggered an alarm at the airline's headquarters in Palma de Mallorca, keeping the plane grounded until the issue was fixed.

But authorities say that the maintenance system had been infected by a Trojan application, rendering the monitor useless. In addition, two engineers currently under investigation for manslaughter apparently failed to log the device faults, even though under company policies they were required to do so immediately. When they did attempt to enter the faults, the plane had already crashed, at which point they found that the monitoring system apparently wasn't working.

The judge, Juan David Perez, has demanded that the airline turn over copies of all entries in the maintenance system from the days before and after the crash.

"I am not a pilot, so I cannot speak with authority on how to fly a passenger airliner, but it seems clear to me that this accident was caused by the failure of a number of controls leading to a disastrous outcome," wrote Rick Wanner of the SANS Internet Storm Center, on his blog. "Clearly the SpanAir diagnostic system (a detective control) designed to detect anomalies in the airliners system failed, possibly due to a Trojan. Also it appears the pilots bypassed part of their pre-takeoff checklist, leaving the flaps and slats in a position not recommended for takeoff."

"This one all boils down to inadequate training and a lack of professional behavior," said a responder to Wanner's post, citing 25 years of jet avionics experience. "They had to have had ample indications that certain systems were not working, they didn't follow the checklists and they didn't abort when they failed to reach certain speeds at certain points during the takeoff roll."