Don't Look Now, But You Need a Pro
  • Robert Weimer
  • Published 2010.10.11 19:37

On the way to the office one morning, one of your company's employees sees a USB thumb drive (a digital media storage device) lying on the ground near the front door of your company's office building. He picks it up and takes it to his office. He boots up his company computer and inserts the drive into a USB port so that he can see what is on it. He thinks, “Maybe that way I can figure out who it belongs to and return it to its rightful owner.”

As he starts to browse the files on the thumb drive, he notices a folder called “company financials”. He clicks on the folder and inside sees a file called “company salaries”. His curiosity gets the better of him and he clicks on the file.

At this point a Trojan horse application that is embedded in the document starts collecting all of the email addresses on the computer. Next, it sends a malicious program to all of the addresses that it finds. It harvests any passwords that are stored on the computer and sends them back to the bad guy who left the thumb drive on the ground outside the front door of your company building.

When the addressees that were found on the first victim's computer receive the malicious email that was sent by the Trojan from your employee's email address, they open it to see what he has to say. The message says “click on this link to see pictures of the company Christmas party.” They click on the link and the malicious application starts harvesting their passwords and sending a copy of the malicious email to everyone in their address book. The flood of activity brings your corporate network to a screeching halt. Your IP phones stop working and your call center is out of business, not to mention the fact that the bad guy has received more passwords than he knows what to do with. Eventually the infected machines are taken off of the network and communication is restored.

Later that day, an employee in HR sends a document containing confidential company information about a problematic situation that has arisen, due to some derogatory terms that were used by an executive of the company, to an attorney whom the company had retained for consultation. Because the email and the document are not encrypted by the corporate email system, the confidential data is sent in the clear. A disgruntled former employee is using hacker tools to monitor all of the data that leaves your network bound for the Internet. He harvests the confidential data and posts it on a popular web site. The media picks the story up and the cat is out of the bag. Now you have a publicity nightmare on your hands. Calls start coming in from the board of directors. They say that they are going to recommend an audit to assess the state of the company's information handling practices. The bad day gets worse.

About that time, a company analyst is updating the enterprise database. She is copying and pasting data from a spreadsheet into fields in the database. She gets a call from her sister, who is asking for their grandmother's recipe for Ukrainian borsch. The analyst digs around in her files and finds grandma's recipe. She copies and pastes it into an email and sends it to her sister. When she goes back to work on the database, she accidentally pastes the recipe into one of the fields. The recipe is very long and has some Cyrillic characters in it. Because error checking is not enabled, the database becomes corrupt, due to the volume of data and the Cyrillic characters that it doesn't know how to parse.

It doesn't take long before the analyst's supervisor figures out that the database is corrupt and calls the server manager with a request to restore the database from a backup. After some time has passed, the backup is located and restored to the server. Users try to access the data, to no avail. It turns out that the most recent backup is bad. The next available good backup is a month old. That means that all the data that was entered in the last month has to be reentered. You have to hire temps to come in and do the work; meanwhile, no one has access to the data. Will this day ever end?

If you had an Information Assurance (IA) or Information Security program, then user awareness training might have prevented the first guy from inserting the thumb drive into his computer. Awareness training and a good security architecture might have prevented the employee in HR from sending out unencrypted confidential data, or the former employee from intercepting it. A robust backup strategy and routine vulnerability assessments for the database could have saved the inconvenience of manually updating the restored database. Did you say that auditors are coming to check on information handling policy compliance?
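The database incident above is a missing input check: a field accepted a pasted value far longer than it was designed for and in a character set it could not handle. The following is an added example (not from the article) of the kind of per-field validation an IA program would require before a value reaches the database; the column names, length limits and the sample recipe text are constructed assumptions.

```python
import unicodedata

# Declared rules for each database column: a hard length cap and whether
# characters outside ASCII are permitted. These names and limits are
# assumptions for the example, not the article's database.
FIELD_RULES = {
    "customer_name": {"max_len": 80, "allow_non_ascii": False},
    "notes": {"max_len": 500, "allow_non_ascii": True},
}


class FieldValidationError(ValueError):
    """Raised when a value violates the declared rules for its column."""


def validate_field(column, value):
    """Return a normalized value safe to store, or raise FieldValidationError.

    Checks run before any write, so an oversized or wrongly encoded paste is
    rejected at the application layer instead of corrupting the table.
    """
    rules = FIELD_RULES[column]
    if not isinstance(value, str):
        raise FieldValidationError(f"{column}: expected text, got {type(value).__name__}")
    if "\x00" in value:
        raise FieldValidationError(f"{column}: NUL byte not allowed")
    # Normalize first so that the length check counts composed characters
    # the same way regardless of how the source spreadsheet encoded them.
    value = unicodedata.normalize("NFC", value)
    if len(value) > rules["max_len"]:
        raise FieldValidationError(
            f"{column}: {len(value)} characters exceeds limit of {rules['max_len']}")
    if not rules["allow_non_ascii"] and not value.isascii():
        bad = sorted({c for c in value if not c.isascii()})[:5]
        raise FieldValidationError(f"{column}: non-ASCII characters not allowed: {bad}")
    return value


def check_record(record):
    """Validate a whole row; return {column: error message} (empty when clean)."""
    errors = {}
    for column, value in record.items():
        try:
            validate_field(column, value)
        except FieldValidationError as exc:
            errors[column] = str(exc)
    return errors


# Constructed sample: a short Cyrillic recipe fragment pasted into the wrong field.
RECIPE = "Борщ: свёкла, капуста, картофель, морковь, лук, томат. " * 4
```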

Clearly you need an Information Assurance (IA) professional to establish your IA program and keep it up and running. But where do you find one, and then how do you know if he or she is any good?

If you run a job vacancy announcement, you are likely to receive the resumes of every hacker wannabe, reformed script-kiddie and junior James Bond within the commuting area. They will try to impress you with tales of their exploits in the underworld of computer hackery. Intermingled with the resumes of these ill-qualified aspiring cyber-warriors will be a handful of resumes from true IA professionals. But how can one tell them apart? That's where the (ISC)² comes in.

The International Information Systems Security Certification Consortium, Inc., or (ISC)², headquartered in the United States and with offices in London, Hong Kong and Tokyo, is the global, not-for-profit leader in educating and certifying information assurance professionals throughout their careers. It is recognized for Gold Standard certifications and world-class education programs.

In November of 1988, “The Consortium” was formed among several professional organizations to create a global information security certification process for professionals and address the need for a standardized curriculum for the burgeoning profession. A series of strategy and planning meetings were held at Idaho State University and in Salt Lake City, Utah in the US.

By 1992 the consortium had finalized creation of what is known as the Common Body of Knowledge, or the CBK, for Information Security Professionals. The CBK refers to the ten “domains” of information assurance, which are Access Control; Application Development Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security Governance and Risk Management; Legal, Regulations, Investigations and Compliance; Operations Security; Physical (Environmental) Security; Security Architecture and Design; and Telecommunications and Network Security.

The (ISC)² has a number of certification programs in which candidates are qualified at various stages in the development of their Information Assurance careers. At the end of the bad day described above, the cert holder that you are looking for is the Certified Information Systems Security Professional, or CISSP. The (ISC)² has established criteria for becoming a candidate for the certification, which include completion of at least five full years of experience in information security / assurance and sponsorship by someone who is already a CISSP.

Once accepted as a candidate, certification requires successful completion of a 250-question written test of the candidate's knowledge of the CBK, which must be completed within six hours. Most professionals prepare for approximately six months prior to taking the exam. The pass / fail rate is about 70 percent. Today, there are approximately 60,000 CISSPs worldwide.

Just because a person has the CISSP certification doesn't mean that they are an expert in all ten domains, or any of them for that matter. In fact, that is one of the knocks on the program. Critics say that the certification requires understanding these topics in the way a river might be described: a mile wide and a foot deep. In other words, in order to pass the exam a person has to have a broad knowledge of the concepts, but deep knowledge in any of them is not required. It is this writer's experience that the person you select to implement your IA program should be an expert in at least one of the domains, and the more the better.

Obviously, there are a great many factors that one must consider when hiring an employee. The CISSP certification isn't perfect, but all things being equal, pick the person who has those initials after their name, as opposed to the one who doesn't.

To learn more about the (ISC)² and the CISSP certification, please visit the (ISC)² web site at

Copyright (C) Korea IT Times, All rights reserved.