Aug 30

Certified in the Governance of Enterprise IT® (CGEIT®)


Congratulations to Christopher K. Schulz, Off Peak Training’s Security Programs Director, on earning ISACA’s newest certification, Certified in the Governance of Enterprise Information Technology (CGEIT). The certification recognizes a wide range of IT professionals for their knowledge and application of IT governance principles and practices. It was designed specifically for professionals who have management, advisory or assurance responsibilities as defined by the CGEIT Job Practice, which consists of IT governance-related task and knowledge statements.

The CGEIT exam consists of 120 questions covering six domains, weighted approximately as follows:
• Domain 1—IT Governance Framework (25%)
• Domain 2—Strategic Alignment (15%)
• Domain 3—Value Delivery (15%)
• Domain 4—Risk Management (20%)
• Domain 5—Resource Management (13%)
• Domain 6—Performance Measurement (12%)

To earn the CGEIT designation, candidates must:
• Have at least five years of experience supporting the governance of an enterprise’s information technology. This experience can be achieved entirely through IT governance experience, or through a combination of IT governance experience and management experience.
• Pass the CGEIT exam, which is offered twice a year in June and December
• Adhere to the ISACA Code of Professional Ethics
• Agree to comply with the CGEIT Continuing Education Policy

http://www.offpeaktraining.com/courses/security/

Off Peak Training is developing a training course for the CGEIT and expects to have a bootcamp course available in early 2010. If you are interested in learning more about Off Peak Training courses, please contact us: http://www.offpeaktraining.com/contact-us/
Off Peak Training is a Reston, VA based company offering public and private classes to help prepare business professionals for the PMP®, CAPM®, PMI-SP®, CISSP®, CISA® and more. www.offpeaktraining.com


Apr 30

Federal CISOs Say Economic Crisis Will Increase Security Vulnerabilities and Improve Personnel Retention


(ISC)²® Report: Federal CISOs Say Economic Crisis Will Increase Security Vulnerabilities and Improve Personnel Retention
— In First Comprehensive Survey, Federal CISOs Give Opinions on Growing Threats in a Recession, CNCI, TIC, Building a Top Workforce and Their Role in a New Administration


Apr 29

CISA voted Best Professional Cert in 2009 by SC Magazine


ISACA’s Certified Information Systems Auditor (CISA) was recently voted the Best Professional Certification Program by the 2009 SC Magazine Awards. The Certified Information Security Manager (CISM) credential was also nominated within the same category.

According to SC Magazine:

“The technical skills and practices that CISA promotes and evaluates are the building blocks of success in the field. Possessing the CISA designation demonstrates proficiency and is the basis for measurement in the profession. With a growing demand for pros possessing IS audit, control and security skills, CISA has become a preferred certification program by individuals and organizations around the world. CISA certification signifies commitment to serving an organization and the IS audit, control and security industry with distinction.”

The article can be found at:
http://www.scmagazineus.com/Best-professional-certification/article/130888


Mar 9

A Brief Look at BackTrack 3



With the increasing focus on cyber security and foreign-based attacks, I have been looking into the world of ethical hacking. 

(“Ethical hacking” is an attack on a system by or on behalf of the system owners.  It’s done to test for vulnerabilities.)


I reviewed several tools used to penetrate systems and analyze networks. Most are free and straightforward to use, like the Nessus vulnerability scanner or the Wireshark packet analyzer. These tools are well built and easy to learn; understanding what the captured data means, however, may require some knowledge of IP traffic analysis.


One of the more interesting and powerful tools I reviewed was BackTrack 3, an open-source Linux distribution marketed as the complete penetration-testers’ toolkit.  BackTrack has been around for years, but its latest release is more functional and easier to use than previous versions.  BackTrack is small enough to fit on a CD or USB drive, yet powerful enough to help even novices penetrate systems.


BackTrack is meant to run as a live CD or USB drive: the user boots into a modified Linux operating system preloaded with a quick-and-dirty penetration toolkit of more than 300 tools.  The tools are reached through a KDE graphical desktop that resembles a standard Windows desktop.


I have some experience with software development, so I understand the concepts these tools are built on, and the level of knowledge and manual effort required to develop exploits for vulnerabilities such as cross-site scripting and SQL injection.  An attacker would need an in-depth understanding of a specific system vulnerability, an attack method that exploits it, and the ability to develop the exploit.  BackTrack removes some of these obstacles and includes tools that automate many of the more labor-intensive attacks.


One of the key features of BackTrack 3 is the inclusion of the Metasploit Framework.  Metasploit lets users pick a ready-made exploit module and pair it with a payload of their choosing, requiring only minimal knowledge of the target system (its operating system and open ports), which can be gleaned from OS fingerprinting by one of the port-scanning tools in BackTrack, such as Nmap.
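To make concrete what the "port scanning plus fingerprinting" step above actually does, here is an added example in Python; it is not code from BackTrack, Nmap or Metasploit. It performs a TCP connect() scan, grabs each open service's banner, and maps the banner to a coarse platform guess. Everything it talks to is constructed: a throwaway listener on loopback that answers with a made-up OpenSSH banner, and an illustrative banner-to-platform table. Nmap's real OS detection also examines TCP/IP stack quirks rather than banners alone, so treat this as the simplest form of the idea.

```python
import socket
import threading

# Constructed stand-in for a real network service: a loopback listener that
# greets every client with a fixed banner, the way an SSH or HTTP daemon would.
def start_banner_server(banner: bytes, host: str = "127.0.0.1"):
    """Listen on an ephemeral loopback port and send `banner` to each client.
    Returns (port, listening_socket); close the socket to stop the server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0 lets the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed, stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def tcp_connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect() scan: a port counts as open when the three-way handshake
    completes. Also grabs whatever the service sends first (its banner).
    Returns {port: banner_bytes}; closed or filtered ports are omitted."""
    found = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused (closed) or timed out (filtered)
            s.close()
            continue
        try:
            banner = s.recv(256)
        except OSError:          # accepted the connection but sent nothing in time
            banner = b""
        finally:
            s.close()
        found[port] = banner
    return found


# Banner substring -> platform hint. Illustrative mapping (an assumption for
# this example), not a table taken from BackTrack or Nmap.
BANNER_HINTS = [
    (b"OpenSSH", "Unix-like host running OpenSSH"),
    (b"Microsoft-IIS", "Windows host running IIS"),
    (b"Apache", "Unix-like host running Apache httpd"),
]


def classify(banner: bytes) -> str:
    """Map a grabbed banner to a coarse platform guess."""
    for marker, label in BANNER_HINTS:
        if marker in banner:
            return label
    return "unknown"


def recon(host: str, ports, timeout: float = 0.5) -> dict:
    """Scan, then attach a platform guess to every open port:
    {port: (banner_bytes, guess)}."""
    return {p: (b, classify(b))
            for p, b in tcp_connect_scan(host, ports, timeout).items()}


if __name__ == "__main__":
    # Constructed target: fake SSH service on loopback.
    port, srv = start_banner_server(b"SSH-2.0-OpenSSH_5.1\r\n")
    try:
        # Scan the fake service plus a few neighbouring, almost surely closed, ports.
        for p, (banner, guess) in recon("127.0.0.1", range(port - 2, port + 3)).items():
            print(f"{p}/tcp open  banner={banner!r}  guess={guess}")
    finally:
        srv.close()
```

Run directly, it prints only the constructed service's port with its banner and guess; the neighbouring ports are reported closed because connect() is refused. Point it at a real host only on systems you are authorized to test.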


This toolkit lets penetration testers assemble working exploits quickly and easily, without much coding knowledge.  Google is a powerful resource to combine with it: with openly available tools and step-by-step instructions on the internet, anyone can become adept at exploiting vulnerabilities.


Whenever a new ethical hacking tool is released, it reminds us that information security must evolve continually – to meet continually evolving threats.  Those of us who are security professionals must evolve as well, continually building on our foundational knowledge.  Getting a certification like the CISSP ensures that we’re starting from a solid foundation, ready to meet whatever challenges are next.


Let us hear from you – what security challenges is your company facing, and how are you developing as a security professional to meet those challenges?


Chris