Presumpscott

Be Well, Do Good Work, Have Fun and Keep in Touch (BW, DGW, HF, & KIT)

CPE Alerts


Wow – did some math today on my CPEs.  I have been tracking but not updating my CPE efforts for the CISA and the CISSP.  Nothing I did prior to June 2011 counted for the CISSP.  I have 84 at a minimum for ISACA/CISA.  I have 16.5 for ISC2/CISSP.  I may be able to book another twenty for both by the end of the year. I have several projects underway that need to be completed and posted before the end of this year.  Still want to try to keep to at least 60 a year on average but won’t be able to hit that number for ISC2 unless I can complete some in-flight classes by year end.

 

Written by bloggy

December 11th, 2011 at 5:28 pm

Posted in tech

Panel Discussion @ Maine InfoSec Pro Meeting – Career Development and Advancement


The panelists are set. The agenda is ready. The final formal announcement should go out on the LinkedIn Group later this week.

Michael Swartz – General Manager of Tilson Technology Group
Mark Aiello – CEO and founder of The Revolution Group
Mia Dow – Senior IT Recruiter at Randstad Technologies
Brad Dormanen – Director of IT at GWI

Topic is Career Development and Advancement

Our panelists are experienced professionals with a broad range of experience in hiring and finding people for IT roles.

Location is InfoSecurus in Portland, Maine, at the new Stroudwater offices on Congress Street.
Time is Wednesday December 14th 6pm to 8pm. InfoSecurus has provided the space. Tilson Technologies is covering the cost of pizza and soda. The Revolution Group is offering a door prize.

It will be a fun evening of Networking and discussion. RSVP through the LinkedIn group. We want to be sure to order enough pizza.

Written by bloggy

December 6th, 2011 at 5:29 am

Posted in tech

December 14th Discussion Panel Set


Panel members for the December 14th Maine Information Security Professionals event are set. We have a great set of people for the panel. We will have pizza and soda and a door prize. I am keeping the door prize as a surprise but it is a great contribution.

We are hoping that people who plan to attend RSVP on the LinkedIn Group. We will be doing a posting of the full agenda and panel members next week.

Written by bloggy

November 24th, 2011 at 1:17 pm

Posted in tech

December 14th 2011 – Mark your Calendars


I am organizing the next Maine Information Security Professionals Event in Portland Maine.  I have set up a Panel Discussion on Career Development and Advancement.  I have four committed professionals already signed up to be on the Panel.  Event will be held at the InfoSecurus offices in Portland Maine from 6pm to 8pm Wednesday December 14. Pizza, soda, and a door prize included. No cost whatsoever!

It will be a great opportunity to ask questions and get decent answers from knowledgeable people.

To attend, join our group on LinkedIn, “Maine Information Security Professionals”, and get in the know.  Other interesting and worthwhile events are on the horizon for January and February.

 

Written by admin

November 20th, 2011 at 7:45 pm

Posted in tech

Info Sec Maine Rises Again!


Please join the former TechMaine Information Security User Group as we redesign and regroup ourselves in the wake of the departure of TechMaine.

There are plenty of individuals who would agree that this group provided great value to local professionals in the past. Now is our chance to regroup and determine just how we want to position ourselves for the future.

This will be an organizational meeting with a flexible agenda designed to provide direction for where the group is headed and any possible affiliations (i.e. ISC2 chapter?) that may be beneficial in taking us there.

Please join us on 11/9 from 6pm-8pm at the offices of InfoSecurus, located at:

Stroudwater Crossing
1685 Congress St., 2nd Floor
Portland, ME 04102

In the meantime, please feel free to reach out to me directly if you have any additional thoughts or questions. We hope to see you there on the 9th.

Rich Spies
Tilson Technology Management
rspies@tilsontech.com

Written by bloggy

November 3rd, 2011 at 1:00 am

Posted in tech

Good IT Security needs a Hammer and the Nails


The article below is from SANS, again. The word needs to get out. An organization with a professional IT Security staff must be sure to equip those teams with both the Hammer and the Nails to get the job done. In the article below it is pointed out that a report on threats was published before the threats materialized. What was NOT included in the threat report was the information and direction necessary to invalidate the threat.

The Nails are the threats. The Hammer is the answer for how to deal with the threat. A professional IT Security organization must use both. Announcing the threat is out there and not providing the executives with the solutions AT THE SAME TIME and in the same report is a disservice to both the executives and organization.

Canadian Intelligence Agency Warned Government About Targeted Cyber Attacks

(October 31, 2011)

A year ago, the Canadian Security Intelligence Service (CSIS) issued a top secret intelligence report that included warnings of ongoing cyber attacks against the Canadian government. The report was issued in November, 2010; two months later, cyber attacks crippled Canadian government networks. It is not clear who received copies of the report when it was initially published.

http://www.theglobeandmail.com/news/national/ottawa-warned-about-hackers-weeks-before-crippling-cyber-attack-csis-report/article2219129/?from=sec434

http://spectrum.ieee.org/riskfactor/telecom/security/canadian-security-services-warnings-about-last-years-cyberattacks-apparently-ignored

[Editor's note (Paller): This type of journalistic Monday morning quarterbacking is worse than useless because it places blame on the wrong players. The CSIS report did a great job of identifying the problem, but it did not identify the 3 or 4 key mitigations that needed to be implemented immediately. So the recipients of the report got fair warning from people who understood the threat but without the threat-informed guidance that the users need. The Australian DSD faced exactly the same type of attacks and delivered to their agencies the four key mitigations that had to be implemented immediately. They are listed at http://www.cso.com.au/article/405364/dsd_wins_us_cybersecurity_innovation_award/#closeme

(Pescatore): This is one of the reasons why Intelligence and Defense should always be kept separate. Intelligence is very good at warning about many, many things but is never very good at stopping particular individual threats.]

Written by bloggy

November 1st, 2011 at 2:38 pm

Posted in tech

Is the Cloud the right place for Criminal Records?


Apparently the FBI does not think so but the LAPD does. Why is it that easy and cheap always wants to trump appropriate and prudent?

In the case reported below I think the full story is likely more complex and could be investigated by following the links. On the other hand, it is easy to imagine why this was a bad idea from the beginning. First, there is nothing more damaging to the course of Law and Order and the hoped-for result of Justice than too much transparency too soon. What would a potential suspect or defendant or their lawyers do with the wrong or unsubstantiated information that could leak from the cloud? What kinds of advantages would criminals have if the records of the investigations they are subject to are published? What would innocent people do for redress if aborted or misguided investigations are leaked from the cloud?

I think the cloud is a wonderful concept and opportunity. The caveat is you just cannot consider that anything placed into the cloud will be or stay private. Clouds leak, it is called rain. Clouds dissipate and are blown into unknown fragments. Clouds migrate from one end of a country to another and across the oceans. The metaphor of cloud computing is a good one if you remember the qualities of the real thing can apply to the virtual one as well.

The article below is courtesy of SANS’s NewsBites, by the way.

–Data Security Rules May Prevent LAPD From Migrating to Cloud Services
(October 26, 2011)
The Los Angeles Police Department’s (LAPD) plan to migrate to Google
Apps has been put on hold indefinitely because of FBI security rules.
According to FBI Criminal Justice Information Services security
policies, state and local law enforcement agencies have to maintain
“management control” over criminal justice data security. All Los
Angeles City employees are using Google Apps except for law enforcement.

http://www.nextgov.com/nextgov/ng_20111026_6213.php?oref=topstory

[Editor’s note (Liston): Sometimes, maintaining the confidentiality,
integrity, and availability of sensitive/critical information is going
to be in direct conflict with doing things easier and cheaper. What I
find newsworthy in this piece isn’t that the FBI rules block this
migration, but that someone at the LAPD actually thought it was a good
idea to begin with.
(Honan): This case highlights one of the compliance concerns relating
to cloud computing and how important it is to clearly understand all
your legal and regulatory obligations when engaging with a cloud
provider. This challenge is exasperated by the ease people can sign up
for cloud services simply by using a credit card. It would be prudent
to engage with your accounts department to monitor company credit card
statements for subscriptions to cloud services so you can ensure all
such services are compliant.]

Written by bloggy

November 1st, 2011 at 2:20 pm

Posted in tech

Just in case you thought TSA would complain


Good to Know – The TSA won’t arrest you for packing land mines in your luggage.

Salt Lake Tribune – (Utah) TSA agents discover land mine packed inside bag. Transportation Security Administration (TSA) baggage checkers discovered four land mines tucked inside of a passenger’s checked bag at Salt Lake City International Airport in Salt Lake City, the week of October 10. Airport officials said someone doing military training decided to take them as a souvenir. A TSA spokeswoman said the devices set off the airport’s explosive detector and officials had to clear the area and delayed four flights for about 19 minutes. Crews determined the land mines were benign and removed them from the bag. No one was arrested. However, the spokeswoman said TSA officials wanted to remind passengers that land mines are among the prohibited items not allowed on airplanes. Source: http://www.sltrib.com/sltrib/news/52761036-78/airport-bag-minesofficials.html.csp

Written by bloggy

October 25th, 2011 at 2:29 pm

Posted in tech

SSA is leaking data – oh my


Social Security Administration Leaking Data

What is there to say? If you read through the story at this link there are three things that stand out. First, a Federal Agency that has access to the personal data of pretty much everyone in this country is leaking data. Second, they have not disclosed this systematic breach. Third and last, the database in question is one where those that have been declared dead and are actually not so could be victimized twice over by these breaches.

Written by bloggy

October 21st, 2011 at 3:32 pm

Posted in tech

TechMaine is being Dissolved


I received the email below this afternoon. TechMaine and its support of User Groups had been a staple of the IT life in Southern Maine. There has been a lot of change at the organization in the past two years. They gave up their fixed location in Westbrook. That was a very convenient place for me with lots of free parking but it was not in downtown Portland which does hold some attraction for folks. The longtime director, Joe, left last year and was honored at the Gala Event this past spring. The operations fellow, Todd, who kept the User Groups coordinated and was a great resource, departed.

I have no clue as to what drove TechMaine to dissolve but I know they will be missed. The InfoSec group will survive.

After 19 years as an industry and professional association, TechMaine is announcing that it will be dissolving. This decision comes after careful consideration of the association’s financial position and sustainability model by its board of directors.

For further information, please contact:

Steve Hand, President of the Board of TechMaine
207-xxx-5318
steve knowtechnology.xxx
Thank you.

John Spritz
(207) xxx-0872
jspritz maine.rr.xxxx.com

Written by bloggy

October 18th, 2011 at 1:52 pm

Posted in tech