InfoSecurity PROFESSIONAL
SEPTEMBER/OCTOBER 2018
A Publication for the (ISC)2‰ Membership
RAISING YOUR PROFESSIONAL DEVELOPMENT GAME
isc2.org facebook.com/isc2fb twitter.com/ISC2 linkedin.com/company/isc2 community.isc2.org
BUILDING AWARENESS Using existing standards and regs for a security program
CLOUD MIGRATIONS Deciding vs. deploying solutions to complete a digital transformation
CHRIS YOUNG Chief Executive Officer, McAfee
WALTER ISAACSON Best-Selling Author; Acclaimed Historian and Journalist
SIR TIM BERNERS-LEE Inventor of the World Wide Web
2018 Cybersecurity Summit McAfee’s 11th Annual Security Summit
LEARN from McAfee CEO Chris Young and other thought leaders on how a strong cybersecurity posture is an essential component of any innovation.
HEAR from the man who literally wrote the book on innovation, Walter Isaacson, and Sir Tim Berners-Lee, who invented the World Wide Web.
DISCOVER the latest trends and best practices across some 90 technical breakout sessions.
NETWORK with your peers from across industries and learn directly from other McAfee users.
EXPERIENCE our closing event featuring the Grammy Award-winning rock band Weezer!
MPOWER 18 features targeted, highly technical sessions guaranteed to provide valuable, tangible knowledge to help you maximize your security solutions and tackle today’s greatest security challenges, while the breakouts offer insights and best practices to help you optimize your security and compliance initiatives. The Sponsor Expo will feature an extensive lineup of McAfee partners, including some of the industry’s most successful businesses. Don’t miss out on this unique opportunity to meet with key players in the cybersecurity arena—all in one location.
To learn more about MPOWER 18, please visit www.mcafeempower.com
Dynamic keynotes from McAfee and innovative industry leaders
CPE credits awarded with a full MPOWER summit pass
Sponsor expo showcasing McAfee partner security solutions
Opportunities to see the McAfee Labs research team in action
Targeted breakout sessions and technical deep dives
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2018 McAfee, LLC
SAVE $100 As an (ISC)² member, you can save $100 off your registration by using promo code MPWR18!
OCTOBER 16–18 MGM GRAND, LAS VEGAS
InfoSecurity Professional • 3 • September/October 2018
InfoSecurity Professional is produced by Twirling Tiger‰ Media, 7 Jeffrey Road, Franklin, MA 02038. Contact by email: asaita@isc2.org. The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2® on the issues discussed as of the date of publication. No part of this document print or digital may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual products and companies mentioned herein may be the trademarks of their respective owners. For subscription information, please visit www.isc2.org. To obtain permission to reprint materials, please email infosecproeditor@isc2.org. To request advertising information, please email tgaron@isc2.org. ©2018 (ISC)2 Incorporated. All rights reserved.
features INCIDENT RESPONSE
18 One Year Later — What have we really learned from the Equifax breach? BY JOYCE FLORY
GRC
26 Building a Platform — Knowing what’s mandated—and what’s not—can help update or re-create a solid security awareness program. BY STEFAN BEISSEL, CISSP
CLOUD SECURITY
30 Our Journey to the Cloud — (ISC)2’s COO explains why the organization decided now was the time to press forth. BY WESLEY SIMPSON
Cover image: JOHN KUCZALA Illustration above: L.J. DAVIDS
departments 4 EDITOR’S NOTE
Mind the Gap BY ANNE SAITA
6 EXECUTIVE LETTER
Taking Your Professional Development to the Next Level
BY MIRTHA COLLIN
8 FIELD NOTES Newest cybersecurity advocate; five CPEs per book read; cast your vote in the annual (ISC)2 board of directors election; highlights from 2018 Cost of Data Breach Study; Recommended Reading and more
14 #NEXTCHAPTER (ISC)2 Singapore Chapter
16 ADVOCATE’S CORNER
On African Safaris and Attribution
BY JOHN McCUMBER
34 CENTER POINTS
The Missing Piece (and How You Can Help Supply It) BY PAT CRAVEN
36 COMMUNITY
Is the New CISSP Format Better? Members weigh in on this as well as on listing certs in email signatures.
4 AD INDEX
contents VOLUME 11 • ISSUE 5
Why start from scratch when you can lift from popular regulations and standards to build a security awareness program? PAGE 26
(ISC)2 MANAGEMENT TEAM
EXECUTIVE PUBLISHER Timothy Garon 571-303-1320 | tgaron@isc2.org
SENIOR MANAGER, CORPORATE COMMUNICATIONS Jarred LeFebvre 727-316-8129 | jlefebvre@isc2.org
MANAGER, CORPORATE PUBLIC RELATIONS Brian Alberti 617-510-1540 | balberti@isc2.org
COMMUNICATIONS SPECIALIST Kaity Eagle 727-683-0146 | keagle@isc2.org
MANAGER, MEDIA SERVICES Michelle Schweitz 727-201-5770 | mschweitz@isc2.org
EVENT PLANNER Tammy Muhtadi 727-493-4481 | tmuhtadi@isc2.org
SALES TEAM
EVENTS SALES MANAGER Jennifer Hunt 781-685-4667 | jhunt@isc2.org
REGIONAL SALES MANAGER Lisa O’Connell 781-460-2105 | loconnell@isc2.org
EDITORIAL ADVISORY BOARD
Kaity Eagle, (ISC)2
Jarred LeFebvre, (ISC)2
Yves Le Roux, EMEA
Cesar Olivera, Brazil and Canada
TWIRLING TIGER MEDIA EDITORIAL TEAM
EDITOR-IN-CHIEF Anne Saita | asaita@isc2.org
ART DIRECTOR & PRODUCTION Maureen Joyce | mjoyce@isc2.org
MANAGING EDITOR Deborah Johnson
EDITOR Paul South
PROOFREADER Ken Krause
Twirling Tiger‰ Media (www.twirlingtigermedia.com) is certified as a Women’s Business Enterprise (WBE) by the Women’s Business Enterprise National Council (WBENC). This partnership reflects (ISC)2’s commitment to supplier diversity.
advertiser index For information about advertising in this publication, please contact Tim Garon at tgaron@isc2.org.
McAfee, page 2
(ISC)2 Secure Summit EMEA, page 5
Qualys, page 7
Wallix, page 13
CSA, page 17
(ISC)2 Community, page 23
eSentire, page 25
Symantec, page 29
TechTarget, page 35
2018 Cloud Security Report, page 37
SecurityMetrics, page 38
AWS, page 39
(ISC)2 Security Congress, page 40
Twirling Tiger Media, page 41
editor’s note BY ANNE SAITA
Mind the Gap
AS SOMEONE WHO’S DEVOTED a considerable portion of her career to covering information security, I’ve been on a mission to promote—in word and deed—the non-tech skills now needed for career advancement (even survival). Becoming competent, let alone fluent, in so-called “soft skills” is hard work. Employers still value coding over communications skills. And too many of us are more comfortable mining event logs than mingling at actual events.
Promoting interpersonal communications to cyber professionals has never been an easy sell. But there are signs the working world is now providing an assist. A few months ago, Jeff Weiner, the CEO of LinkedIn, told a morning news program that interpersonal skills—communications, reasoning, team coordination, etc.—are now the number one quality sought by employers.
“It’s interesting because a lot of people are fixated on technology, and rightfully so. It’s an increasingly important part of how companies do business,” Weiner said. “But what we found when we did our skills gap analytical work is [with] interpersonal skills, the gap there is roughly three times higher than software engineering in the United States.”
That observation reminded me of a conversation I overheard decades ago when I was a junior attending an “engineering school.” A student newspaper editor was arguing on the phone with her computer science professor about an overdue assignment. I don’t recall the exact words she used, but in essence she told the teacher her future career didn’t rest on whether or not she passed Fortran. It did matter if she aced the communications classes competing for her time.
Everyone within earshot was a little in awe of the editor’s moxie and dedication to her craft. Perhaps what we should have respected back then was the importance she placed on a skill the rest of us tended to downplay. Especially given none of us ever had to program in Fortran after we graduated. •
Anne Saita, editor-in-chief, lives and works on the U.S. West Coast. She can be reached at asaita@isc2.org.
© Rob Andrew Photography
SUMMITS / EMEA #ISC2Summits ENRICH. ENABLE. EXCEL.
Join us at the (ISC)² Secure Summit EMEA 15 - 16 April | World Forum, The Hague
Our annual flagship event Secure Summit EMEA will bring together hundreds of security professionals from across Europe, Africa and the Middle East.
It will be two days of insightful discussions, workshops, panels and best practice sharing to stimulate feedback, challenge thinking, create debate and enable networking.
Learn more at:
securesummits.isc2.org
SAVE THE DATE
executive letter BY MIRTHA COLLIN
Taking Your Professional Development to the Next Level
THE LATEST FROM (ISC)2’S LEADERSHIP
AS WE APPROACH the last quarter of the year, you may have already reached many of your professional goals. But there’s still time for self-improvement while earning all of your CPEs. We’re excited to be hosting the 2018 (ISC)2 North America Security Congress in New Orleans and have a multitude of robust learning opportunities throughout the week.
Our commitment to your professional development doesn’t stop with Security Congress. Training and education are the cornerstone of what we do at (ISC)2 and we’ve recently updated several of our certification education products and launched several new CPE courses—all designed to be even more engaging for our members.
In keeping with our theme of “Enrich. Enable. Excel.” much of what we’ll be focusing on in the upcoming year is creating more customized professional development for our members. While certification is a huge accomplishment, it’s quite another to continue upon your individual path of learning to support career growth. In 2019, (ISC)2 will become a go-to resource not only for certifications, but also for continuing development and self-improvement. The information security landscape is constantly changing; we all need to keep pace. (ISC)2 wants to be there throughout your career, helping you remain relevant and on top of current industry trends.
After hearing feedback on your learning needs, we are committed to providing more self-paced learning opportunities, helping you to learn in your own time and in your own environment. These courses are more engaging and leverage state-of-the-art instructional design techniques. They include clearly articulated learning objectives, audio content, graphics, videos, readings, assessments and immersive interactive experiences designed to enhance the overall learning experience. The best part: these are free to members! Among the new curriculum offerings are:
• GDPR for Security Professionals
• DevSecOps – Integrating Security into DevOps
• Building a Strong Security Culture
Besides self-paced additions to our training suite, we’re introducing some in-person workshops in conjunction with (ISC)2 Security Congress, (ISC)2 Secure Events and other third-party hosted programs. The newest additions to our portfolio include a workshop specifically for executives wanting to learn more about the organizational value of a strong security team and an OWASP Top 10 workshop designed specifically for security professionals.
And finally, many members have said they’d like to see security awareness training that they can pass along to others in their organizations. They know that the number one threat faced by organizations today often comes from non-malicious and unaware employees. To answer that need, I am pleased to announce that (ISC)2 has developed an interactive training course targeted at the layperson that can be shared widely within your organizations.
This easy-to-understand training lasts approximately two hours and is based on real-world scenarios users face in their daily lives. It includes important topics such as phishing, drive-by downloads, ransomware and other cybersecurity threats commonly found in the workplace.
As you can see, we’re excited about the enhancements we’ve made to our professional development portfolio, both in terms of content and ease of access. We look forward to hearing your feedback on these new offerings and to continuing to develop our programs to give you the best learning opportunities to excel as a security professional who helps ensure a safe and secure cyber world. For more information I invite you to visit learn.isc2.org. •
Mirtha Collin is the Senior Education and Training Manager at (ISC)2. She can be reached at mcollin@isc2.org.
field notes A ROUNDUP OF WHAT’S HAPPENING IN (ISC)2 COMMUNITIES
EDITED BY DEBORAH JOHNSON
Meet (ISC)2’s Newest Cybersecurity Advocate
(ISC)2 RECENTLY NAMED Tony Vizza, CISSP, CRISC, CISM, as cybersecurity advocate for the Asia-Pacific (APAC) region to work with corporations, governments, academic institutions and others to collaborate to create the strongest cybersecurity policies. In addition, he recruits and develops cybersecurity professionals.
Vizza has more than 25 years of experience in information technology and information security. He has a B.S. in computing science from the University of Technology Sydney, a Global Executive MBA from the University of Sydney and is currently studying for a Juris Doctor degree at the University of New South Wales. He has provided expert services to several government agencies as well as professional organizations. He is an expert speaker on information security and a regular contributor to several publications in the region.
“Tony will be a key addition to our growing team in Asia-Pacific and an excellent advocate for the security profession in the region,” said (ISC)2 CEO David Shearer, CISSP. “His varied experience in the regulatory, legal, computer science and information security fields gives him a well-rounded perspective on the challenges that our members face and will help further our mission to inspire a safe and secure cyber world.”
“Information security is all about people, and (ISC)2 is investing in and providing the tools to make us all that much smarter and better when facing the challenges before us,” said Vizza. “The skills shortage in this industry is something I’m passionate about fixing, and I’m proud to be joining an organization like this at a time when I feel it’s needed most.”
Based in Sydney, Australia, Vizza will report to Clayton Jones, the (ISC)2 Regional Managing Director for APAC. •
Award for (ISC)2
(ISC)2 webinars recently earned an industry award for work promoting the cybersecurity industry.
(ISC)2’s Think Tank webinar channel was named the 2018 Highest Growth Channel in IT by BrightTALK, an online platform that offers webinar and video products to IT professionals.
One of the organization’s free webinar channels, (ISC)2’s Think Tank features 60-minute roundtable discussions on cybersecurity challenges with key security experts. The webinar series already has more than 60,000 views this year in North America alone.
“Delivering valuable educational experiences to our membership is the central goal for our team,” said Wesley Simpson, COO of (ISC)2. “BrightTALK’s recognition of the growth of our channel affirms that our members, as well as other IT and ICT professionals, are engaging in the discussions we are hosting.”
(ISC)2 has five additional free webinar channels:
• Security Briefings – Hour-long webinars providing a deep dive into topics in multi-part series
• From the Trenches – Experts providing accounts of hands-on experience in cybersecurity
• EMEA Webinars – Thought leadership on topics facing Europe, the Middle East and Africa
• APAC Webinars – Thought leadership on topics facing the Asia-Pacific region
• Security Congress – Top-rated sessions from (ISC)2’s annual flagship conference
To sign up for any (ISC)2 webinars, please visit https://www.isc2.org/News-and-Events/Webinars/. •
Earn CPEs for Reading This Issue
Please note that (ISC)2 submits CPEs for (ISC)2’s InfoSecurity Professional magazine on your behalf within five business days. This will automatically assign you two Group A CPEs.
Note: To access this members-only platform and quiz, you’ll need a Blue Sky account. If you don’t have an account, go to the Blue Sky homepage via the link and click on “Create User Profile” in the upper right-hand corner.
https://live.blueskybroadcast.com/bsb/client/CL_DEFAULT.asp?Client=411114&PCAT=7777&CAT=10787
READ. QUIZ. EARN. 2 CPEs
field notes
Earn CPEs by Reading—As Long as You Know What to Read BY BEN ROTHKE, CISSP
FOR MANY PEOPLE, it’s not passing the CISSP exam that is so difficult, it’s maintaining enough continuing professional education (CPE) credits to ensure the continuation of their certification. CPE requirements vary depending on one’s (ISC)2 certifications. Details about the CPE requirements can be found at https://www.isc2.org/Member-Resources/CPE-Overview. One of the ways in which to earn CPEs is by writing book reviews.
(ISC)2 recently updated the CPE program and members now get up to five CPEs per book read with a summary review attached with their CPE submission. For that, it doesn’t need to be a published review. But if you’d like to write a more extensive review and get additional CPEs, read on.
If knowledge is power, then one of the more effective ways to gain that power is by reading. When it comes to information security and risk management, it is a daunting task to try to keep up with the vast and ever-growing amount of written material. So, what is a security professional to do? How do you know which books are the most significant?
Presenting the Cybersecurity Canon project (https://cybercanon.paloaltonetworks.com/), of which I’m a member. Started in 2014 by Rick Howard, CSO of Palo Alto Networks, the members of the canon identify lists of must-read books for cybersecurity professionals or those looking to get a better understanding of the security industry.
The canon-worthy books include those that focus on the core aspects of information security, are forward thinking, original and insightful. They also should stand the test of time, meaning that they should be relevant for several years. You won’t see specific technology such as those on operating systems or specific types of hardware or software.
Some examples of books in the canon include CISO Desk Reference Guide: A Practical Guide for CISOs, The Hardware Hacker: Adventures in Making and Breaking Hardware, and my perennial favorite, Measuring and Managing Information Risk: A FAIR Approach.
If there is a book you think is a candidate for the canon, you are invited to nominate it for entry and write a review. The review ensures the sincerity of the nomination and demonstrates to the canon committee that the person submitting the book is serious about it and feels strongly enough about it to take the time to write a review. The review does not have to be a monograph; a few hundred words will certainly suffice. There are plenty of good books out there to be read, so submit as many nominations as your time permits.
For more information or if you want to contact the canon, check out the Canon FAQ (https://cybercanon.paloaltonetworks.com/cybersecurity-canon-faq/). Looking forward to your review.
And after your review has been published, don’t forget to submit your CPEs at the (ISC)2 site (https://cpe.isc2.org/). •
It’s Time to Vote
Don’t miss your opportunity to cast your vote in the annual (ISC)2 board of directors election. Voting takes place over the course of two weeks, from September 5 through September 19, 2018. All members in good standing as of May 8, 2018 may vote in the election.
The 13-member board of directors provides strategy, governance and oversight for the organization, grants certifications to qualifying candidates and enforces adherence to the (ISC)2 Code of Ethics.
Here is this year’s slate of candidates:
• Gabriel Alexander Bergel, CISSP – Chile
• Dr. Kevin Charest, CISSP – U.S.
• Aloysius Chai Luen Cheang, CISSP – Singapore
• Cindy Cullen, CISSP – U.S.
• Paul Innella, CISSP-ISSMP – U.S.
• Siu Cheong Leung, CISSP, CCSP – Hong Kong
• Dr. Brian David Anthony Mussington, CISSP – U.S.
• Lori O’Neil, CISSP – U.S.
For more information about (ISC)2 board elections, please visit https://www.isc2.org/About/Board-of-Directors/Board-Elections. •
field notes
The Cost of a Data Breach – 2018
Highlights from 2018 Cost of Data Breach Study: Global Overview, an IBM-Ponemon Institute study of nearly 500 companies worldwide. https://www.ibm.com/security/data-breach
ROOT CAUSES
• Malicious or criminal attack: 48%
• Human error: 27%
• System glitch: 25%
AVERAGE COST OF A DATA BREACH
• $3.86 million, up 6.4% from the 2017 report
INDUSTRY SECTOR – highest per capita cost of a data breach (per compromised record)
• Health: $408
• Financial: $206
• Services: $181
AVERAGE COST OF A DATA BREACH BY REGION
Highest (millions):
• U.S.: $7.91
• Middle East: $5.31
• Canada: $4.74
Lowest (millions):
• Brazil: $1.24
• India: $1.77
• Australia: $1.99
DATA BREACHES CAUSED BY MALICIOUS OR CRIMINAL ATTACK
Highest incidence:
• Middle East: 61%
• France: 55%
• U.S.: 52%
• Germany: 51%
Lowest incidence:
• Turkey: 38%
• South Korea: 40%
• India: 42%
• Italy: 42%
InfoSecurity Professional Recognized for Editorial and Design Excellence
InfoSecurity Professional took two awards in the 2018 TABBIES, presented by the Trade Association Business Publications International.
The magazine’s design team, including art director Maureen Joyce and photographer Matt Greenslade, received an honorable mention for Design/Opening Page or Spread for their work on “View from the C-Suite” in the 2017 July/August issue of InfoSecurity Professional.
The magazine feature titled “Change Management: Transforming Resistance into Acceptance,” landed at No. 18 among the Top 25 feature articles—among the most popular, and therefore competitive, categories in the contest. The article was written by Paul South and appeared in the 2017 March/April issue. •
“Cyber risk is not yet fully understood by people who should be in the know. Many principals at small and medium healthcare organizations simply do not fully understand the impact of a significant cybersecurity incident until they experience it.” —Lee Kim, CISSP, from the June issue of Insights, a companion e-newsletter for the (ISC)2 membership
field notes
Saluting the Finalists for the 2018 ISLA Americas Awards
(ISC)2 CONGRATULATES the finalists for the 2018 Information Security Leadership Awards (ISLA) for North and Latin America.
Held annually by (ISC)² in cooperation with the North and Latin American Advisory Councils, the ISLA Americas Program recognizes information security and management professionals throughout the private and public sectors in North, Central and South America, with the exception of the U.S. federal government (recognized through the ISLA Government Program), for their outstanding leadership and achievements in workforce improvement.
The winners will be announced in a luncheon ceremony at the 2018 (ISC)2 Security Congress in New Orleans on October 9, 2018.
Here are the 2018 finalists:
COMMUNITY AWARENESS
• Joseph Carson, CISSP – Chief Security Scientist, Thycotic. Project/Initiative: Cyber Security for Dummies
• Nemi George – Senior Director, Information Security & Service Operations, Pacific Dental Services. Project/Initiative: Okta Deployment
INFORMATION SECURITY PRACTITIONER
• Domingo Castillo, CISSP – AVP Regional Information Security Officer, Chubb. Project/Initiative: Information Security Technology Convergence
• Robb Van Eck, CISSP, CCSP – Senior Information Security Architect. Project/Initiative: ePHI Data Identification
SENIOR INFORMATION SECURITY PROFESSIONAL
• Dave Bailey, CISSP – Manager of Security Services, CynergisTek, Inc. Project/Initiative: Security Partner Network
• Rinki Sethi, CISSP – Vice President of Information Security, Palo Alto Networks. Project/Initiative: Security Education Growth Initiative
Additional Awards Being Presented at the Ceremony
In addition to recognizing the ISLA Americas winners, (ISC)2 is honoring other information security professionals for their contributions to (ISC)2’s efforts in creating a culture of information security:
(ISC)2 President’s Award – This award recognizes volunteers who have made a significant impact on and/or contribution to (ISC)2. Multiple recipients are chosen annually for each region at the sole discretion of (ISC)2’s CEO.
Fellow Award – The Fellow of (ISC)2 was established to honor and distinguish a select number of elite information security professionals who have made outstanding contributions, throughout their careers, to the information security profession.
Center for Cyber Safety and Education Awards – The Julie Peeler Franz “Do It for the Children” Volunteer Award honors a Center volunteer/ambassador for their work with the Garfield’s Cyber Safety Adventures program and/or the Safe and Secure Online program promoting cybersecurity efforts for children, parents, educators and seniors.
Center for Cyber Safety and Education’s Partnership Award is presented to a company or organization that has partnered with the Center to grow and expand its programs including education, research or scholarships. •
RECOMMENDED READING Suggested by Dr. Richard N. Knepp, CISSP
Future Crimes: Inside the Digital Underground and the Battle for Our Connected World By Marc Goodman
(Anchor, 2016)
IF YOU THOUGHT you knew about every cyber threat, think again. Toasters and fake USB chargers? They are just the beginning. Author Marc Goodman does an excellent job of identifying the many security threats, attacks, deceptions, hacks, ransomware extortions and other crimes that were and are being heaped upon the users of the “connected world.” And there are some threats you would not have thought about until he discusses them.
The author draws interesting parallels between the computer security industry and the medical profession based on the terminology security professionals use. Terms such as infection, quarantine, virus and users are discussed. He also proposes some interesting solutions based on the Centers for Disease Control (CDC) to help solve some of the security issues.
Goodman presents a serious eye-opening lesson about “friendly and free” service providers such as Facebook, Google, Instagram and Apple that harvest your personal information on a massive scale to sell it, and the impact of clicking on the OK button after skipping over the option to read the lengthy terms of service (TOS) agreement.
These and other companies that maintain large data repositories of customers’ personal information are at great risk for theft by what the author calls “Crime, Inc.,” encompassing cybercriminals including the Chinese, terrorist organizations, script kiddies, Russian mafia and a host of other thieves plying their expertise in theft on Tor networks.
As an example, he cites a case of theft of a manufacturer’s trademarked and copyrighted intellectual property and the Chinese customer’s subsequent cancellation of millions of dollars in work because they already had everything they needed (stolen, of course).
In addition to covering past and present threats, the author also speculates on what may be most valuable to the reader: future threats. These include the impact of quantum computing on encryption, blockchains, artificial intelligence, robotics, biometrics and much more, such as risks inherent in DNA technology. He describes a case where DNA evidence was fabricated from DNA information stolen from a medical database.
This is an unusually long book (608 pages in paperback; the author does warn the reader at the beginning). It is detailed and well composed. The three main sections and 18 chapters are logically organized and flow nicely from one chapter to the next. The threats are well documented. Marc Goodman does an excellent job of scaring the reader. •