Home/ Dogs-to-Stars Enterprises/ Group items tagged security

Scott Edelman

Infosecurity (USA) - ISACA launches risk management certification - 0 views

  • Security organization ISACA has launched a new risk management qualification for information security professionals. The Certified in Risk and Information Systems Control (CRISC) certification targets professionals in the IT area who use information security controls to manage risk in technology environments.
  • ISACA, which focuses on audit, risk, and governance disciplines, will administer the first CRISC examination next year
  • This is the fourth certification launched by ISACA. It also offers the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and the Certified in the Governance of Enterprise IT (CGEIT), which is its most recent certification, launched in 2006. ISACA is also the publisher of the Risk IT standard for managing risk in IT, and the COBIT standard for IT governance.
dhtobey Tobey

Cybersecurity panel: Federal CISOs must focus on worker training - FierceGovernmentIT - 0 views

  • Only 12 percent of federal CISOs worry about poorly trained users. According to an April 2010 study by the Ponemon Institute, 40 percent of all data breaches in the United States are the result of negligence, however a comparable statistic for the federal space is unavailable.
  • The Computer Security Act of 1987 requires federal agencies to "provide for the mandatory periodic training in computer security awareness and accepted computer security practices of all persons who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency." At the NIST event, Hord Tipton, executive director of (ISC)², estimated that most federal employees only get an hour of training per year, under FISMA requirements.
  •  
    This points to a significant opportunity for deployment of the Critical Intelligence cybersecurity course, but also other eLearning systems that fulfill the requirements of the Computer Security Act.
dhtobey Tobey

Leadership Bios Jack Hagan - Deputy Director, Training and Exercises - Governor's Offic... - 0 views

  • State of California's primary advisor to the Director, Office of Homeland Security on Homeland Security Exercise and Training matters. Directs a multi-disciplinary/multi-agency staff of military and civilian subject matter experts in developing, coordinating, and producing exercises and training for California's fifty-eight counties, five Urban Area Security Initiative cities, and six hundred fifty thousand emergency responders to respond to terrorist attacks involving weapons of mass destruction (WMD) and catastrophic natural disasters. Produces the annual State wide exercise series Golden Guardian.
  •  
    This is the retired General that Rich Marshall said he wanted to introduce to me. Looks like a great contact for the workforce development pitch.
Steve King

Critical Infrastructure Cyber Security Blog, Wurldtech - 0 views

shared by Steve King on 04 Jul 10 - Cached
  • As of today, the Common Vulnerabilities and Exposures (CVE) database, hosted by Mitre Corporation (http://cve.mitre.org/) for the Department of Homeland Security (DHS), contains 34,542 entries. That may not seem like a large number, but any one of those entries can translate to multiple instances in the field. While the contents of this database are very important in the IT world to help security practitioners ply their trade, build rule sets, etc., there is a glaring lack of information on industrial control systems (ICS). A search of the CVE database using “SCADA” or “DCS” or “PLC” as a search ...
Steve King

AchillesINSIDE™ - 0 views

  • By leveraging the proprietary data in Delphi™, the world’s largest database of industrial system vulnerabilities, Wurldtech has created a solution specifically designed to help reduce the cost and complexity of mitigation activities for process control networks by integrating specific vulnerability intelligence into common security enforcement devices such as firewalls and intrusion detection systems. This allows common IT infrastructure to be tailored for industrial network environments and continuously updated with specific rule-sets and signatures, protecting control systems immediately, substantially reducing the frequency of patching activities and reducing overall costs. This update and support service is called AchillesINSIDE™.
Steve King

Verizon Business Security Blog » Blog Archive » Verizon Incident Metrics Fram... - 0 views

  • Today we’re making a version of that framework, the Verizon Incident Sharing Framework (VerIS), available for you to use. In the document that  you can download here, you’ll find the first release of the VerIS framework.  You can also find a shorter executive summary here.  Our goal for our customers, friends, and anyone responsible for incident response, is to be able to create data sets that can be used and compared because of their commonality.  Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.
dhtobey Tobey

Varying Your Practice Moves May Help Improve Skills - 0 views

  • Varying the types of skills you work on in practice sessions engages a different part of the brain than the one you use when focusing on a single task, researchers say. The finding explains why variable practice improves the brain's memory of most skills better than working on just one type of task, according to the research team from the University of Southern California and the University of California, Los Angeles. In their study, published online recently in Nature Neuroscience, the investigators divided 59 volunteers into different groups. Some were asked to practice a challenging arm movement, while others did the arm movement and related tasks in a variable practice structure. The participants in the variable practice group learned the arm movement better than those who practiced only the arm movement, the study authors found. Among those in the variable practice group, the process of consolidating memory of the skill engaged a part of the brain called the prefrontal cortex, which is associated with higher level planning. Among those who practiced only the arm movement, the engaged part of the brain was the primary motor cortex, which is associated with simple motor learning, the authors explained. "In the variable practice structure condition, you're basically solving the motor problem anew each time. If I'm just repeating the same thing over and over again as in the constant practice condition, I don't have to process it very deeply," study senior author Carolee Winstein, a professor of biokinesiology and physical therapy at the University of Southern California, said in a university news release.
  •  
    Study with many implications for skill-based training, such as the National Security Academy.
dhtobey Tobey

Open Innovation | Innovation Management - 0 views

  •  
    We believe in the power of open innovation, bringing together creative minds to create breakthrough solutions that touch every human life. Founded in 2001, InnoCentive connects companies, academic institutions, public sector and non-profit organizations, all hungry for breakthrough innovation, with a global network of more than 200,000 of the world's brightest minds on the world's first Open Innovation Marketplace™. These creative thinkers -- engineers, scientists, inventors, and business people with expertise in life sciences, engineering, chemistry, math, computer science, and entrepreneurship -- join the InnoCentive Solver™ community to solve some of the world's toughest challenges. Seeker™ organizations post their challenges on the InnoCentive web site, and offer registered Solvers significant financial awards for the best solutions. Seeker™ and Solver™ identities are kept completely confidential and secure, and InnoCentive manages the entire IP process.
Steve King

Virtual Strategy Magazine - PC Hypervisors Virtually Change Everything - 0 views

  • With VDI, virtual desktop images are stored in a data center and provided to a client via the network. The virtual machines will include the entire desktop stack, from operating system to applications to user preferences, and management is provided centrally through the backend virtual desktop infrastructure.   The promise is that VDI will replace the need for myriad systems management and security tools that are currently deployed. No more demands for traditional desktop management tools for OS deployment, patch management, anti-virus, personal firewalls, encryption, software distribution and so on. In fact, many are suggesting that we can return to thin client computing models
  •  
    Not sure exactly how this applies to VW internal IT infrastructure and client-facing apps... but I'm sure it does! Especially if we could have client VWsuite VMs running in our data center so that we abstract all the different GME/OnP/LP/KE/CRM platforms into a single VM client interface that anyone can log into with no complexity.
Steve King

.:: iSec Consulting ::. - 0 views

shared by Steve King on 04 Jul 10 - Cached
  • Complex Event Processing (CEP) is a technology which has been used for many years in the Aerospace and Defence Industry for Situational Awareness and Data Fusion modules in Command, Control, Communications, Computing and Intelligence Systems (aka C4I). Currently CEP is being rediscovered as a foundation for a new class of extremely effective Business Intelligence, Security and System/Network/SCADA Monitoring solutions in industries like Financial Services, Telecommunications, Oil and Gas, Manufacturing, Logistics etc.
Steve King

nCircle Products - Suite360 Intelligence Hub - 0 views

  • nCircle Suite360 Intelligence Hub™ is the reporting and analytics platform for nCircle’s integrated auditing solutions. Suite360 aggregates the detailed information gathered by nCircle IP360, nCircle Configuration Compliance Manager (CCM) and PCI scan results, utilizing advanced analytics to provide a comprehensive, unified, and enterprise-wide view of security and compliance.
Steve King

UC Berkeley, Management of Technology (MOT) Program Course: Human and Organizational Fa... - 0 views

  • This course advances the concept that humans and their organizations are an integral part of the engineering paradigm and that it is up to engineering to learn how to better integrate considerations of people into engineering systems of all types. This course focuses this concept on the assessment and management of the risks associated with engineered systems during their life-cycle (concept development through decommissioning). Risks (likelihoods and consequences) are addressed in the contexts of the desired quality from an engineered system including serviceability (fitness for purpose), safety (freedom from undue exposure to harm), compatibility (on time, on budget, with happy customers including the environment), and durability (freedom from unexpected degradations in the other quality characteristics). Reliability is introduced to enable assessment of the wide variety of hazards, uncertainties, and variabilities that are present during the life-cycle of an engineered system. Proactive (get ahead of the challenges), Reactive (learn the lessons from successes and failures), and Interactive (realtime assessment and management of unknown knowables and unknown unknowables) strategies are advanced and illustrated to assist engineers in the assessment and management of risks.
Steve King

Technology Review: Technology's disasters share long trail of hubris - 0 views

  • Bea categorizes disasters into four groups. One such group is when an organization simply ignores warning signs through overconfidence and incompetence. He thinks the BP spill falls into that category. Bea pointed to congressional testimony that BP ignored problems with a dead battery, leaky cement job and loose hydraulic fittings.
Steve King

Summary - 1 views

  • CHAPTER 4 FRAMEWORK FOR SCADA UTILITY SURVIVABILITY MODELING * 4.1 Risk Modeling * 4.2 Internet Survey * 4.3 Survivability * 4.4 Taxonomy for Assessing Computer Security * 4.5 Definitions and Terms for a Taxonomy * 4.6 Understanding the Taxonomy * 4.7 Hierarchical Holographic Modeling (HHM) * 4.8 Recent Uses of the HHM in Identifying Risks * 4.9 Risk Modeling Using HHM * 4.10 Goal Development and Indices of Performance * 4.11 Event Tree and Fault Tree Analysis * 4.12 Distributions from Event Tree Analysis * 4.13 Partitioned Multiobjective Risk Method * 4.14 Multiobjective Tradeoff Analysis * 4.15 Evaluation *
Steve King

GIAC Security Expert (GSE) - 1 views

shared by Steve King on 24 Aug 10 - Cached
  • The GSE exam is given in two parts. The first part is a multiple choice exam which may be taken at a proctored location just like any other GIAC exam. The current version of the GSE multiple choice exam has the passing score set at 75%, and the time limit is 3 hours. Passing this exam qualifies a person to sit for the GSE hands-on lab. The first day of the two day GSE lab consists of a rigorous battery of hands-on exercises drawn from all of the domains listed below. The second day consists of an Incident Response Scenario that requires the candidate to analyze data and report their results in a written incident report as well as an oral report.
dhtobey Tobey

Backboard - 1 views

  • Backboard makes it easy to securely collect feedback and approval on documents, presentations, graphics, and websites. Backboard works with all common file formats.
  •  
    Cloud-based reviewing system that seems to support all the important file types.
  •  
    How does this compare with VivoPaper? Could this be a substitute and a candidate for a partner agreement?
dhtobey Tobey

HSI Journal of Homeland Security - 2 views

  • Generic training that can aid in dealing with unanticipated complex terrorist activities is needed. Terrorist acts can create stressful situations involving volatility, uncertainty, complexity, ambiguity, and delayed feedback and information flow (“VUCAD”). Strategic management simulation technology, based on complexity theory, can be used to assess and train personnel who must deal with the threat of terrorism.
  • Yet we also need more generic training to handle the VUCAD of terrorism
  • A more applicable technology is known as “quasi-experimental simulation.”17 While the quasi-experimental approach is a compromise between the free and experimental simulation methods, it tends to combine the advantages of both and mostly eliminates the disadvantages of the other two. In a quasi-experimental simulation, preprogrammed information is restricted to only part of the information: incoming messages that assure that all participants experience the same flow of events. On the other hand, many additional computer-generated responses (typically one-half of the incoming information) to participant actions allow realism (and maintenance of high motivation levels). Yet, because of the constant flow of pre-programmed information that keeps significant events and timing constant for all participants, performance can be numerically scored against established criteria of excellence or can be compared between different participants (or participating teams). The observer (who was necessary in the free simulation) has become obsolete. Performance is computer scored, both in terms of how any participant processes information (for example, is strategy developed?) and in terms of the appropriateness of the actions taken to deal with scenario-generated events
  • The strategic management simulation allows for the assessment (and training) of contextual content knowledge, but—more significantly—it permits the analysis and training or teaching of thought and action processes.
  • Process analysis and training are based on complexity theory.21, 22, 23 While complexity theory recognizes the importance of thought and action content (that is, what people do and think), it places major emphasis on the more generic thought and action process (that is, how people think and act). The “how” of thought and action applies to multiple facets of experience—that is, potentially transfers from one thought and action content area to another. Measurement and training of the “how” of thought and action allow for the application of the complexity-based strategic management simulation technology to the VUCAD of terrorism.
dhtobey Tobey

Company plans to sell genetic testing kit at drugstores - 0 views

  • Beginning Friday
  • drugstores across the nation will be able to pick up something new: a test to scan their genes for a propensity for Alzheimer's disease, breast cancer, diabetes and other ailments.
  • The test also claims to offer a window into the chances of becoming obese, developing psoriasis and going blind. For those thinking of starting a family, it could alert them to their risk of having a baby with cystic fibrosis, Tay-Sachs and other genetic disorders. The test also promises users insights into how caffeine, cholesterol-lowering drugs and blood thinners might affect them.
  • the plan being announced Tuesday by Pathway Genomics of San Diego to sell its Insight test at about 6,000 of Walgreens' 7,500 stores represents the boldest move yet to bring the power of modern molecular medicine to the mass market.
  • The Food and Drug Administration questioned Monday whether the test will be sold legally because it does not have the agency's approval. Critics have said that results will be too vague to provide much useful guidance because so little is known about how to interpret genetic markers.
  • Others have said that the test is irresponsible and could give many buyers a dangerous false sense of security or, conversely, needlessly alarm them.
  •  
    Pioneer in genomics diagnostics may begin to pave the way for more sophisticated, FDA-approved products. Scott, How does this compare with products you have been looking at?
dhtobey Tobey

Computer-Based Testing Provider for Certification and Licensure Exams: Pearson VUE - 0 views

  • Pearson VUE provides a full suite of services from test development to data management, and delivers exams through the world’s most comprehensive and secure network of test centers in 165 countries. Pearson VUE is a business of Pearson (NYSE: PSO; LSE: PSON), the international education and information company, whose businesses include the Financial Times Group, Pearson Education and the Penguin Group.