CISSP Tips and Topics
Recent Cybersecurity News Highlights:
- Save the date: Industrial Control Systems (ICS) Cybersecurity Conference. October 23-26, 2023: Atlanta. For information, visit: https://www.icscybersecurityconference.com/
- Montalbano, E. (2023, September 7). "Weaponized Windows Installers Target Graphic Designers in Crypto Heist: Attackers use legitimate Windows installer to hide malicious scripts that install a backdoor and miners that leverage victims' graphics processing power." Dark Reading. https://www.darkreading.com/attacks-breaches/weaponized-windows-installers-target-graphic-designers-in-crypto-heist
- Chickowski, E. (2023, Aug 30). "How CISOs can shift from application security to product security: Product security teams are becoming more popular for the in-depth security approach they take when compared to appsec teams. But there is more to it, which includes creating a security-conscious culture." CSO Online. https://www.csoonline.com/article/650586/how-cisos-can-broaden-the-focus-from-application-security-to-product-security.html
- Wilson, M. (2023, August 8). "Protection is No Longer Straightforward – Why More Cybersecurity Solutions Must Incorporate Context: Context helps complete the picture and results in actionable intelligence that security teams can use to make informed decisions more quickly." SecurityWeek. https://www.securityweek.com/protection-is-no-longer-straightforward-why-more-cybersecurity-solutions-must-incorporate-context/
- Schwartz, J. (2023, August 10). "What's in New York's 'First-Ever' Cyber Strategy? Governor Kathy Hochul has made cybersecurity a key priority, with New York's first chief cyber officer, Colin Ahern, leading the effort." Dark Reading. https://www.darkreading.com/edge-articles/whats-in-new-york-first-ever-cyber-strategy
- CSO Staff. (2023, August 4). "Cybersecurity startups to watch for in 2023: These startups are jumping in where most established security vendors have yet to go." CSO Online. https://www.csoonline.com/article/574053/cybersecurity-startups-to-watch-for-2023.html The roundup covers new vendors building products for both established and emerging cybersecurity needs.
- Burgess, C. (2023, August 3). "When your teammate is a machine: 8 questions CISOs should be asking about AI: The inevitability of AI is forcing many cybersecurity leaders to decide if it's friend or foe. Treating it as a teammate may be the ultimate solution, but there are a number of pointed questions CISOs should be asking." CSO Online. https://www.csoonline.com/article/648380/when-your-teammate-is-a-machine-how-cisos-are-learning-to-embrace-ai.html
- Schuman, E. (2023, July 26). "Companies Must Have Corporate Cybersecurity Experts, SEC Says: Enterprises must now describe their management's expertise in cybersecurity. But what exactly does that entail?" Dark Reading. https://www.darkreading.com/edge-articles/companies-must-have-corporate-cybersecurity-experts-sec-says
- Brumfield, C. (2023, July 18). "House-passed US 2024 defense bill contains $13.5 billion for cyberspace activities." CSO. https://www.csoonline.com/article/646597/house-passed-us-2024-defense-bill-contains-13-5-billion-for-cyberspace-activities.html From the FY 2024 Defense Budget Overview: "The FY 2024 cyberspace activities budget resources the development of new capabilities and technologies to support the advancement of the Department’s cybersecurity and cyberspace operations programs (FY 2024, $0.5 billion). These activities will accelerate multiple innovative lines of effort across the Department to support the 2023 DoD Cyber Strategy and facilitate Information Advantage throughout the spectrum of competition, crisis, and conflict." Ref: Overview – FY 2024 Defense Budget https://comptroller.defense.gov/Portals/45/Documents/defbudget/FY2024/FY2024_Budget_Request_Overview_Book.pdf
- Venkat, A. (2023, June 27). "New Android banking Trojan targets US, UK, and Germany: The threat actors are distributing their malware via the Play Store, and already had over 30,000 installations as of March." CSO Online. https://www.csoonline.com/article/643467/new-android-banking-trojan-targets-us-uk-and-germany.html
- (ISC)2 Management. (2023, June 22). "ISC2 ON THE HILL: ISC2 INVITED TO TESTIFY FOR THE HOUSE HOMELAND SECURITY SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION" (ISC)2 Blog. https://blog.isc2.org/isc2_blog/2023/06/isc2-on-the-hill-isc2-invited-to-testify-for-the-house-homeland-security-subcommittee-on-cybersecuri.html From the news release: "On June 22, 2023, (ISC)² was invited to testify at the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection. Discussing “Growing the National Cybersecurity Talent Pipeline,” Tara Wisniewski, (ISC)² Executive Vice President Advocacy, Global Markets and Member Engagement joined Anjelica Dortch, Senior Director, U.S. Government Affairs, SAP America, Inc., Will Markow, Vice President of Applied Research, Lightcast and Col. Chris Starling, Executive Director, NPower, were invited to speak on the current state of the cybersecurity workforce and opportunities for working together to create a strong and secure national and global cyber ecosystem built on partnership, communication, responsible action, and technological development."
- Arghire, I. (2023, June 14). "CISA Instructs Federal Agencies to Secure Internet-Exposed Devices: CISA’s Binding Operational Directive 23-02 requires federal agencies to secure the network management interfaces of certain classes of devices." SecurityWeek. https://www.securityweek.com/cisa-instructs-federal-agencies-to-secure-internet-exposed-devices/
- Conversant Group; The International Legal Technology Association (ILTA). (2023, June 6). "ILTA and Conversant Group Release First Cybersecurity Benchmarking Survey of the Legal Industry: Joint Research Highlights Disconnect Between Legal IT and Recommended Cybersecurity Practices." https://www.prnewswire.com/news-releases/ilta-and-conversant-group-release-first-cybersecurity-benchmarking-survey-of-the-legal-industry-301843339.html From the PR: CHATTANOOGA, Tenn. and CHICAGO, June 6, 2023 /PRNewswire/ -- Law firms store some of the most sensitive information available regarding material business transactions, intellectual property, Personally Identifiable Information (PII) and other personal data. Because of the importance of their role in protecting data, the International Legal Technology Association (ILTA) and Conversant Group, an innovative provider of "Secure First" infrastructure and cybersecurity services, today announced the release of a joint cybersecurity research report titled "Security at Issue: State of Cybersecurity in Law Firms."
- IANS Research. (2023, June 6). "With SEC Rule Changes on the Horizon, New Research Reveals Only 14% of CISOs Have Traits Desired for Cyber Expert Board Positions." CISION PR Newswire. https://www.prnewswire.com/news-releases/with-sec-rule-changes-on-the-horizon-new-research-reveals-only-14-of-cisos-have-traits-desired-for-cyber-expert-board-positions-301843184.html
From the PR: "BOSTON, June 6, 2023 /PRNewswire/ -- Today, IANS Research, Artico Search and The CAP Group released its CISO as Board Directors - CISO Board Readiness Analysis, a collaborative research study that evaluates the qualifications of Chief Information Security Officers (CISOs) across the Russell 1000 Index (R1000 [top 1000 US public companies by market capitalization]) against five key traits of credible candidates for cyber expert board positions. The study found that 14% of R1000 CISOs stand out as potential board director candidates."
- Dunn, John E. (2023, May 26). Analysis: Ransomware In 2023 – Same Old Vulnerabilities, Bigger Ransoms, And Plenty of Pain. (ISC)2 blog. https://blog.isc2.org/isc2_blog/2023/05/analysis-ransomware-in-2023-same-old-vulnerabilities-bigger-ransoms-and-plenty-of-pain.html. Question posed in the article: "The 2023 Sophos State of Ransomware report found that while the number of ransomware attacks stabilized, larger victims are paying more than ever. Are they simply getting used to paying up?"
- Sharma, S. (2023, May 31). "Phishing remained the top identity abuser in 2022: IDSA report. The survey revealed phishing as the most common identity-related incident in 2022, with “emails” as the most popular type." CSO Online. https://www.csoonline.com/article/3697755/phishing-remained-the-top-identity-abuser-in-2022-idsa-report.html According to the article, the root cause comes down to "employees unknowingly clicking on a #phishing email."
- Hill, M. (2023, May 25). "Inactive accounts pose significant account takeover security risks: Inactive accounts that haven’t been accessed for extended periods are more likely to be compromised due to password reuse and lack of multifactor authentication." CSO. https://www.csoonline.com/article/3696941/inactive-accounts-pose-significant-account-takeover-security-risks.html
- Brumfield, C. (2023, May 15). "Law enforcement crackdowns and new techniques are forcing cybercriminals to pivot: Researchers say that law enforcement crackdowns and new investigative tools are putting pressure on cybercriminals, but challenges for defenders remain." CSO Online. https://www.csoonline.com/article/3696748/law-enforcement-crackdowns-and-new-techniques-are-forcing-cybercriminals-to-pivot.html The article highlights how new investigative tools have made it easier to identify and track cybercrime, making it harder for criminals to operate undetected. But the article's contributors caution that the drop in annual ransomware revenue has pushed cybercriminals toward other schemes and techniques "with more certainty of success."
- About Digital Services Act (DSA) compliance in the EU: Trueman, Charlotte. (2023, April 25). "Amazon, Facebook, Twitter on EU list of companies facing DSA content rules: The EU Commission has announced the 19 online companies and search engines, including Bing and Google, that will have to comply with new transparency and accountability regulations by August." https://www.computerworld.com/article/3694571/amazon-facebook-twitter-on-eu-list-of-companies-facing-dsa-content-rules.html From the article: "The EU Commission has announced 19 large online platforms and search engines that will face new content moderation rules under the Digital Services Act."
- Dark Reading Staff. (2023, March 29). "Phishing Emails Up a Whopping 569% in 2022: Credential phishing emails are the clear favorite of threat actors, with a 478% spike last year, new research shows." Dark Reading. https://www.darkreading.com/attacks-breaches/phishing-emails-up-whopping-569-percent-2022
- Pratt, M.K. (2023, March 16). "When and how to report a breach to the SEC: Publicly traded companies will have to make decisions and prepare for the reporting of cybersecurity breaches to the Securities and Exchange Commission when new requirements are enacted." CSO Online. https://www.csoonline.com/article/3690732/when-and-how-to-report-a-breach-to-the-sec.html
- Venkat, A. (2023, March 10). "AT&T informs 9M customers about data breach: The company’s marketing vendor suffered a security failure in January and exposed CPNI data that included first names, wireless account numbers, wireless phone numbers, and email addresses." CSO Online. https://www.csoonline.com/article/3690609/att-informs-9m-customers-about-data-breach.html The exposed data was Customer Proprietary Network Information (CPNI), a category of customer data that US telecom carriers are required to protect; note that the breach occurred at a third-party vendor, not at AT&T itself. See also: Gatlan, S. (2023, March 9). "AT&T alerts 9 million customers of data breach after vendor hack." Bleeping Computer. https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/
- Nelson, N. (2023, March 8). "TSA Issues Urgent Directive to Make Aviation More Cyber Resilient: Will stricter cybersecurity requirements make flying safer? The TSA says yes, and sees it as a time-sensitive imperative." Dark Reading. https://www.darkreading.com/ics-ot/tsa-issues-urgent-directive-aviation-cyber-resilient
- From the TSA press release: "WASHINGTON, March 7, 2023 /PRNewswire/ -- Today, the Transportation Security Administration (TSA) issued a new cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced in October 2022 for passenger and freight railroad carriers. This is part of the Department of Homeland Security's efforts to increase the cybersecurity resilience of U.S. critical infrastructure and follows extensive collaboration with aviation partners." See: https://www.prnewswire.com/news-releases/tsa-issues-new-cybersecurity-requirements-for-airport-and-aircraft-operators-301765090.html
- Schwartz, J. (2023, February 28). "CISOs Share Their 3 Top Challenges for Cybersecurity Management: The biggest dilemmas in running a modern cybersecurity team are not all about software, said CISOs from HSBC, Citi, and Sepio." Dark Reading. https://www.darkreading.com/edge-articles/cisos-share-their-3-top-challenges-for-cybersecurity-management
- Newman, L.H. (2023, February 17). "The WIRED Guide to Data Breaches: Everything you need to know about the past, present, and future of data security—from Equifax to Yahoo—and the problem with Social Security numbers." Wired Magazine. https://www.wired.com/story/wired-guide-to-data-breaches/
- Thinking about sharpening your INFOSEC tech skills and certifications? Good move! From The Bureau of Labor Statistics Occupational Outlook. "Employment of information security analysts is projected to grow 35 percent from 2021 to 2031, much faster than the average for all occupations." https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
About Certified Information Systems Security Professional (CISSP) Certification:
- Call to Action: Review the current outline for the CISSP-ISSEP concentration exam and respond to the survey questions.
Link to: (ISC)2 Management. (2023, July 12). "Calling All CISSP-ISSEPs! Help Shape Future CISSP-ISSEP Exams!" (ISC)2 Blog. https://blog.isc2.org/isc2_blog/2023/07/calling-all-cissp-isseps-help-shape-future-cissp-issep-exams.html
- (ISC)2 Management. (2023, March 30). "NEW CISSP EXAM REGISTRATION PROCESS FOR 2023: Looking to earn your (ISC)² CISSP certification? Make sure you follow these updated steps to register for your exam." (ISC)2 Blog. https://blog.isc2.org/isc2_blog/2023/03/new-cissp-exam-registration-process-for-2023.html
- (ISC)2 Blog. (2022, December 13). "CALLING ALL CISSPS! HELP SHAPE THE CISSP EXAM." From the blog post: "Coming up next month, the CISSP will be taking its next step in the certification lifecycle with a JTA Study Workshop tentatively scheduled for January 17-19, 2023." Read more: https://blog.isc2.org/isc2_blog/2022/12/calling-all-cissps-help-shape-the-cissp-exam.html
- "Changes to the CISSP Exam Length Coming Soon. Beginning June 1, 2022, additional pretest items and time will be added to the CISSP exam for the Computerized Adaptive Testing (CAT) format." (ISC)2 blog (March 10, 2022). Read further: https://blog.isc2.org/isc2_blog/2022/03/changes-to-the-cissp-exam-length-coming-soon.html
- (ISC)2 Management. (2022, March 17). "How is the CISSP-ISSMP Exam Changing?" (ISC)2 Blog.
- (ISC)2 Management. (2022, January 14). "A Cybersecurity Role Has Topped List of Best Jobs." (ISC)2 Blog.
- (ISC)2 Management. (2021, February 26). "Survey Says: CISSP and CCSP Among the Most In Demand IT Certifications of 2021." (ISC)2 Blog.
- (ISC)2. (2021, February 1). "(ISC)² Updates CISSP Cybersecurity Certification Exam Based on Expert-Led Domain Revision." (ISC)2 news release.
- (ISC)2 Management. (2021, January 21). "Survey: CISSP Is the Most Valuable Security Certification for 2021." (ISC)2 Blog.
- (ISC)2 Management. (2020, November). "Study: Certifications Boost Salaries Substantially." (ISC)2 Blog.
News Sites of Interest to the Certified Information Systems Security Professional (CISSP):
- (ISC)² blog: https://blog.isc2.org/
- Krebs on Security: https://krebsonsecurity.com/
- Schneier on Security: https://www.schneier.com/
- Dark Reading: https://www.darkreading.com/
- The Hacker News: https://thehackernews.com/
- Daniel Miessler Blog: https://danielmiessler.com/blog/
- CSO Online: https://www.csoonline.com/news/
- SecurityWeek: https://www.securityweek.com/
- Wired: https://wired.com
- Threatpost: https://threatpost.com
Thinking about taking the CISSP certification exam?
- What are the benefits of CISSP certification?
- What are the requirements for CISSP certification?
- What experience do you need to have before you take the CISSP certification exam?
- How should you prepare to take the CISSP certification exam?
CISSP - Certified Information Systems Security Professional - About the CISSP NOW! method:
- The CISSP NOW! method, documented in the CISSP NOW! ebook, references the official (ISC)² CISSP Study Guide, which may be purchased from Amazon: https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119787637
- If you do not have access to the official (ISC)² study material, you will not be able to follow the CISSP NOW! method.
- The CISSP NOW! method is built around continuous self-assessment and quantitative feedback.