New (Anti-)Privacy Book.

I’m really proud of this one…I actually got to publish some of the ideas that have been clawing at my brain for several years. It runs counter to a lot of the industry orthodoxy, and I’m sure it will stir up some…disagreement.

Interested to hear the opinions of other practitioners. It’s available to order on Amazon now, for shipment next week. Please let me know what you think of it!

https://www.amazon.com/Exposed-Revealing-Eliminating-Increases-Liberates/dp/1119741637/ref=tmm_pap_swatch_0?_encoding=UTF8&qid=1605740405&sr=8-3

37. Referen-duh

Should the police need a search warrant to look at the data on your phone? If your car creates tracking data about your driving behavior, habits, and location, should you have access to it?

The voters in the US states of Michigan and Massachusetts certainly think so.

This week, we do a roundup of some recent changes to the legal landscape associated with INFOSEC, made by referenda.

The Michigan change to the state constitution: https://ballotpedia.org/Michigan_Proposal_2,_Search_Warrant_for_Electronic_Data_Amendment_(2020)

The Massachusetts law: https://ballotpedia.org/Massachusetts_Question_1,_%22Right_to_Repair_Law%22_Vehicle_Data_Access_Requirement_Initiative_(2020)

35. Craig Unger with Hyperproof

Our very first product review! Founder and CEO of Hyperproof Craig Unger joins us to talk about audits and how to streamline them with his company’s compliance operations platform. Not sponsored, just a fascinating chat about the ever-exciting world of audits. You can learn more about Hyperproof at their website: https://hyperproof.io/

You may notice some sound quality issues in the episode. Remember when we talked about how having a lot of security can sometimes have drawbacks? Like if you need to open your door quickly but there are five deadbolts on it? Or...if you need to stream audio but have serious endpoint security? That sort of happened here. We still think it was a great episode, and hope you agree because we would love to have Craig back soon.


34. Which INFOSEC Certification Pathway is Right For You - LIVE presentation

We had a great time doing the live show; thanks so much to everyone who joined in (we were thrilled to see more than our Three Listeners!), and more thanks to our hosts, New Horizons (and Queen Circe), for inviting us to take part in the event.

If you’re interested in seeing the slides associated with the audio track, please use this link to YouTube: https://www.youtube.com/watch?v=RU5moEg5noU&feature=youtu.be

33. Everyone Gets a Glock

To continue preparing for disaster to strike, we take a look at firearms from the perspective of personal security. Or personal INsecurity? (As in a lack of security, not ego--but maybe that too.) Everyone’s situation is different, but we do have some information that might help you make that decision a bit more safely and responsibly.


31. The Bestest Security in the World

Did you know we have the bestest security system in the world? Yes we do! Join us as we review the costs and outstanding benefits of having a dog for security.

Additional resources mentioned:

War Dog: A Soldier’s Best Friend (2017) Documentary directed by Deborah Scranton, Produced by Channing Tatum. You will cry.

Togo (2019) Live action Disney movie based on true heroes. Starring Willem Dafoe. You will also cry.

Molly Burke YouTube vlog channel following the life of a “millennial girl who just so happens to be blind,” often featuring her guide dog. You can view her playlist “All About Guide Dogs” here!

29. Aaron Swartz, IP, and JSTOR

This week we do a deep and rambling dive into Aaron Swartz, his attitude toward IP, and JSTOR.

If you or someone you know is experiencing depression or suicidal thoughts, please reach out for help. NAMI (National Alliance on Mental Illness) can provide crisis support or help you find local resources to support your recovery. You don’t have to be in distress to call.

1-800-950-NAMI (6264) or info@nami.org

Live Webcast Open To Everyone!

This is extremely exciting: Robin and I will be hosting a free webinar for New Horizons during their Awareness Month seminar. We'll be doing a live episode of "The Sensuous Sounds Of INFOSEC" that you can participate in! So, if you ever wanted to be on the show, now's your chance.

Did I mention it's free?

We're going to discuss different INFOSEC certifications, and which pathways might be best for different practitioners. Come check it out, ask questions, and hassle us.

Also, you don't have to pay for it.

We look forward to seeing you there!

https://register.gotowebinar.com/register/3599988395504979725

There are also some other sessions being offered by excellent presenters:

https://bangor.newhorizons.com/resources/free-webinars

28. Audits with Roger Ison-Haug - Small Business Security - Part 7

Roger Ison-Haug is the head of Berigo AS, a Norwegian audit and consulting firm. [https://www.berigo.as/?lang=en] We also consider him a good friend, and he is one of the three people who listen to the show.

International audit/standards organizations mentioned during the episode:

- ISO (the International Organization for Standardization, which is odd, considering how it’s abbreviated) [https://www.iso.org/home.html]: a global standards body that publishes standards for performing just about every kind of human activity possible. Standards discussed on the show include:

-- The 9000 series: The Total Quality standards (sometimes referred to as “Total Quality Management (TQM),” or “Quality Management Systems (QMS),” collectively)

-- The 27000 series: Standards for information security, often referred to as the “Information Security Management System (ISMS),” which is actually the name of one of the standards in that series, 27001

- ISACA (originally the Information Systems Audit and Control Association, but it has now legally changed its name to the abbreviation) [isaca.org]: originally an American standards body that addressed information systems audit and security for manufacturing systems, but it has since evolved into an international IT security and management standards body. Famous for:

-- Professional certifications, such as the CISA (certified information systems auditor) and CISM (certified information security manager) [full disclosure: Ben has the CISM certification]

-- Audit and governance standards, particularly the (unfortunately named) COBIT 19 standard (control objectives for information and related technologies)

Encouraging Words About CISSP

A former student wrote in yesterday to tell me:

“I passed the exam last Wednesday. A few observations on my experience:

1. Like others posting their results to LinkedIn recently, my exam cut off at the 100 question mark. My elapsed time at that point was somewhere between 90 and 100 minutes.

2. Candidly, the first thought that passed through my mind when the exam cut off was that I failed, because...

3. A lot (I would estimate 60-70%) of the questions required a good deal of domain knowledge synthesis to answer. By that, I mean the question wasn't just asking for a fact or straightforward application of domain knowledge. I got about 50 questions into the exam and considered walking away from the test, I thought I was doing that poorly. I really thought "OK, those first 25 or so were the 'evaluation' questions for future exams, now the real exam is starting" but the questions didn't change in style after that.

4. I really had to slow myself down to make sure I read the questions and answers correctly and thoroughly. This is probably what saved me from failing; of course, since the result is only pass/fail, there's no way to know if the answers I changed after re-reading the question and answer while thinking about every word were the correct choice.

5. Notwithstanding the "synthesis" comment above, most questions did have 2 fairly obvious wrong or distractor answers. It was deciding between the remaining two that created the most frustration.

6. I did use current editions of both the Shon Harris and Mike Chapple texts and practice exams for preparation. I guess that's why I was a bit surprised at the nature of the questions. Practice exam questions from both books were for the most part more oriented toward straightforward domain knowledge demonstration.”

Great advice— SLOW DOWN, everybody. And remember that you can’t fail until you’re done. Good luck to you all!

One of the best pieces of advice I have found in a long, long time:

Saw this on reddit recently:

“So, to your primary question, during those best 90 minutes of my exam - I passed at 100Q at 90 minutes - this was what I'd written on my dry-erase board and what I focused on:

  • YOU ARE A RISK ADVISOR/CEO – think like one.

  • Do NOT fix things (unless asked to do so, or unless those are the only answer options)

  • Think END GAME

  • Read EACH question 3x and then THINK before responding

This said, during my last two weeks, I did a high-level but comprehensive review of notes from ALL domains, and I particularly focused on making sure I knew and understood processes like RMF, SDLC, IR, BCP/DRP, etc. I took several 100-125 question practice exams during the last 10 days and used feedback from those exams to further hone the things I needed to focus on prior to my exam. Good luck and all the best as you make final preps for your exam!”

https://www.reddit.com/r/cissp/comments/i1eshf/exam_tips/fzx8qth/