--Originally published at That Class Blog

So you are a pro, you say…

You think you are good, you say…

But do you have a computer security certification?

No?, you say…

As many more data breaches are happening each year, with more size and quality of attack, cybersecurity skills are on very high demand. But not because there a lot of jobs available, means that the position is going to be given to anyone who tryes and aplyes (Mainly to make sure that the person know about the stuff, but also because there are so many areas of specialization in security). The company will ask you to have one or more certifications.

Let’s talk about some of them. In fact, just 8 of the more of 70 certifications that Wikipedia has mentioned (Only 10 of those have an individual entry).

ISSEP/CISSP

The Information Systems Security Engineering Professional certification was developed by the N.S.A. It cover security methodologies and practices into all information systems aswell as the proper and secure handling of data. This is the must-have certification if you want a career in IT security.
It’s issued by the (ISC)²

LPT

The EC-Council Licensed Penetration Tester certification demonstartes the person’s ability to audit network security and perform penetrations and develop proper corrective actions to the problems and weakness found in the test.
It’s issued by the EC-Council

GPEN

The GIAC Certified Penetration Tester certification it’s similar to the LPT (Above) but it demonstrate too the persons knowledge of legal issues regardiong penetration testing aswell as specific penetrations tests and practices.
It’s issued by the GIAC.

CSFA

The Cybersecurity Forensic Analyst certification provides the necessary knowledge to perform a deep analysis of computer systems and proper interpretation of investigation results in a short time frame.
It’s issued by the GIAC.

ECSP

The EC-Council Certified Secure Programmer issue assures that the programmer knows most f the security vulneravilities due to programming. The certification holder has developed the best practices and techniques against those vulnerabilities. This certifications it’s available for .NET and Java.
It’s issued by the EC-Council.

CSSLP

The Certified Secure Software Lifecycle Professional certification validates the holder’s ability to develop application and software security protocalsin the organization. It ensures that potential  breaches and vulnerabilities are reduced troughout the software development.
It’s issued by the (ISC)²

CEH

Certified Ethical Hacker. You can read more about this certification and ethical hacking in my previous post.
It’s issued by the EC-Council.

There are somo other certifications that I didn’t mention here.

 

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

--Originally published at That Class Blog

This is the first time I hear about ethical hacking. Really, it is.

I mean, I knew that there are people who do that. But I never thought that they were called like that.

So let’s start learning ethically!

Ethical Hacking describes the action of hacking by an entity to help identify potential threats. The hacker tries to go around the security and search for weak points where a malicious hacker could exploit and cause an information breach. This information is later provided to the companies or individuals to fix and minimize future hazards.

Ethical hackers and penetrations testers have some perks. They might not reach the levels of adrenaline and badassery as a regular -nonethical- hacker, but they really do earn a nice economic remuneration and the nice assurance that you won’t end up in prison.

And how can you become an ethical hacker?

First, you might consider career/major in IT. You might even study alongside the military (If your country has a program) and they could even pay you to study your career and offer you a job regarding security.

You need to get some basic certifications (CCNA) and some more specialized (Security+, CISSP or TICSA). When doing your certifications, you should also work in tech support and move up to administrative roles, until you achieve an information security position. At this point, you can apply for the Certified Ethical Hacker (CEH) title by the International Council of Electronic Commerce Consultant.

To hack, network engineering skill are -of course- necessary, but UNIX/Linux, C, LISP, Perl, JAVA, and SQL are necessary concepts that you need to master. Oh, and let’s not forget about the soft skill (As any other IT job) and street smarts (People skills and talent for manipulations).

And can you just start hacking after that?

Nope.

Usually, you need expressed, written, permission to probe the network, respect individual’s and company’s privacy, close everything after testing (Let’s not leave open doors for anybody else), and record and report any finding you might have encountered.

That’s all folks…

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

--Originally published at That Class Blog

No, I’m not going to talk about the Central Intelligence Agency (Responsibles to provide national security intelligence to the US). This particual triad -which some people call AIC to avoid the confusion with the regular CIA- stands for Confidentiality, Integrity and Availability.

In general, confidentiality is the property in charge to limit the information, integrity is the assurance of accurate and trustworthy information and availability  is the guarantee of authorized people to information. These concepts conform a model to help people think security-wise.

Confidentiality

The purpose of this is to ensure that every piece of information reaches the adequate people and that no sensitive information is breached.

And to make sure this is done, to enforce levels of authorization and authentication of information access is necessary. As well as creating categories and collections of information and stablish discretion functions.

Some methods used to ensure confidentiality are: Data encryption, two-factor authentication, biometric verification, security tokens. In extreme cases air gapping, or doing hard copies of the information is made.

Integrity

The purpose of this component is to protect data from unauthorized modifications or to make sure that an option to undone changes is always available. Also, integrity involves making sure that data is always consistent, accurate and trustworthy.

Some methods used to ensure integrity are: Typical system file permissions, user access control, version control. Data might include checksums. Backups and redundancy is important to restore breaches of integrity.

Availability

This is very straightforward. This property assures the availability of the data. All kinds of systems for protection must be up to provide the informationwhen requested. Power outages and hardware upgrade and failure must be taken into account when making the availability design. Attacks of the DoS and DDoS kind might compromise the service.

Some approaches to ensure availability are: Adequate bandwidth, redundancy, failover and high availability clusters. Disaster recovery is essential in case of loss of data. Backups are a must.

Now, I found an interesting article that talks about the challenges of the CIA paradigm.

It talks about 3 concepts that poses an extra challenge for the CIA

• Big data

The high volume of data can pose a big challenge to make sure the information is safeguarded, mainly because the high quantity of differetn sources of the data and the high costs of mantaining dupplicates and disaster recovery plans.

• IoT Privacy

One IoT device might not generate important information, but multiple devices can provide relevant data in case of a breach.

• IoT Security

This topic has been mentioned in class many times. There are so many IoT devices that aren’t patched, updated or without safe passwords, that these devices are an excellent source for thingbots and eventual botnets.

And that’s it for this post.

Each topic is getting more related to each other now.

Miguel A. Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ