CTRL + ALT + SEC

Author: ByteMe

  • How I Earned my Certified in Cybersecurity Certificate for Free

    In my company, someone posted about (ISC)2 giving away certifications. (ISC)2 is the same company that provides the CISSP and other certifications that are well-recognized by companies throughout the world. This One Million Certified in Cybersecurity initiative started at the end of August 2022 with a press release on their website.

    I was intrigued and signed up. It is free, there is nothing to lose but time. Even if you fail, you still learn something. The certificate they are helping people receive is called Certified in Cybersecurity (CC). It is a beginner certification and you need no experience to start. Step by step instructions are here, but I want to share my own experience.

    The free training is split into 5 sections/domains/chapters. I took one a week. After taking the training I signed up for the test which was two weeks out. I took that time to study, going through the terms and making sure I understood the ideas behind the terms.

    You have to take this test at a Pearson VUE center. This was my first time taking a test at Pearson and I found this video very helpful.

    I can’t say anything about the test, other than with the studying I did and the (ISC)2 training I was well prepared. You have to sign an NDA before taking the test.

    I really enjoyed this program as it helped validate my feelings that I understand cybersecurity fundamentals. I highly recommend it. There is one small catch… After you pass the exam you need to pay your first $50 annual maintenance fee in order to obtain your certification. For me, this was a very small ask for getting free training and a free exam. The exam is usually $199. It is a great deal.

  • Access Controls

    Discretionary Access Control (DAC) – A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be.

    Mandatory Access Control (MAC) – Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

    Role-based access control (RBAC) – An access control system that sets up user permissions based on roles.

  • Risk Treatment

    Risk Treatment is making decisions about the best actions to take regarding the identified and prioritized risk. There are four types outlined below:

    • Risk avoidance is the decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose risk avoidance when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.
    • Risk acceptance is taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.
    • Risk mitigation is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact. Mitigation can involve remediation measures, or controls, such as security controls, establishing policies, procedures, and standards to minimize adverse risk. Risk cannot always be mitigated, but mitigations such as safety measures should always be in place. 
    • Risk transference is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.

    I’m posting this because it is a concept that I have in the past been confused on. For example, mitigation and transference can be confused in the following way. If someone buys software as a decision are they transferring the risk to the manufacture of the software? No, this is an example if mitigation, because no other outside party has taken responsibility.

    I also think that risk avoidance should just be called risk elimination. To me avoidance sounds a lot like taking no action, which is actually risk acceptance. Very strange way to think about it!

  • My Broadway Debut at Age 75: George Takei at TEDxBroadway

  • ChatGPT Learning Possibilities

    …and ways people can take advantage of this new artificial intelligence.

    I’ve been hearing a lot about ChatGPT and I wanted to explore more of what it can do. I wanted to see how easy it was to use myself. I created a user account and typed in my prompt:

    write an information article about software bill of materials in easy to understand terms

    I published what I got as a post on this website. This strikes me as interesting initially in two ways. First, I can type in questions and have this AI produce short and easy to understand articles for me to learn more about whatever topic I want, probably cybersecurity for the moment.

    Secondly, I could also have it write lots of content for this blog or any other along with google adwords or anything else. All I’m doing is posting content, and I don’t even have to write it anymore. ChatGPT comes up with the content about a subject I want it to write about and people visit the site to read the content. I mean it’s not horrible content after all. Nothing really wrong with it.

    This could flood the internet with many useless sites that are written by the same AI. Yes, I’m well aware that the internet is already flooded with lots of useless content, but not all of it is generating revenue for the owners. Just an idea. This is pretty neat, but getting a little scary quickly too!

  • Software Bill of Materials (SBOM)

    A software bill of materials (SBOM) is a comprehensive list of all the individual components that make up a piece of software. This list includes both the source code and any external libraries or other dependencies that are necessary for the software to function properly.

    Having an SBOM is important for several reasons. First, it allows developers and other stakeholders to easily see exactly what is included in a piece of software, making it easier to identify any potential security vulnerabilities or other issues. It also makes it easier to track down and fix bugs, as well as to keep the software up to date with the latest versions of its components.

    Additionally, an SBOM can help organizations comply with various regulations and industry standards that require them to disclose the components that make up their software. This is especially important in industries such as healthcare and finance, where the use of certain components may be restricted or prohibited due to security concerns.

    Creating an SBOM can be a time-consuming process, as it requires developers to carefully review and document all of the individual components that make up their software. However, there are tools and frameworks available to help automate this process, making it easier to create and maintain an SBOM.

    Overall, a software bill of materials is a valuable tool for any organization that develops or uses software. It allows developers to easily see and manage the components that make up their software, and helps organizations comply with regulations and industry standards.

    *This article was written using ChatGPT.

  • Books about cybercrime

    A guardian article was recently published covering the top 10 cybercrime books. What they didn’t do is rank them with any third-party data. Below I’m putting those 10 books plus another with their goodreads rankings (0-5 being the best), to help me, and maybe you, choose the right book to start reading first.

    BookRating
    The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick3.76
    People Like Her by Ellery Lloyd3.37
    The Blue Nowhere by Jeffery Deaver
    I read this years ago and it is still one of my favorite books!    		4.10
    Impostor Syndrome by Kathy Wang3.29
    Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter
    This is nonfiction and has over 6,000 reviews on goodreads. It looks like a great place to start.    		4.16
    Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth by Theresa Payton3.91
    Little Brother by Cory Doctorow3.93
    Digital Fortress by Dan Brown3.68
    DarkMarket: How Hackers Became the New Mafia by Misha Glenny3.78
    Zoo City by Lauren Beukes3.63
    Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore by Joe Payne, Jadee Hanson, Mark Wojtasiak3.88

  • Cybersecurity Articles | Week of October 24, 2022

  • Great Recent Articles

  • Verizon Data Breach Reports

    Full disclosure I work for Verizon. Regardless of that fact, these are information packed reports that I found fascinating.

    • All reports – list of cool stuff to browse through.
    • Data Breach Investigations Report (DBIR) – THE report that analyzes the threat landscape. It tells the story of what is happening with data breaches across industries.
    • Insider Threat Report – This report very much like the DBIR, but focuses specifically on insider threats. An amazing resource to get better acquainted with that the issues are and what is happening in this world.