Category: World of Security News

CISSP is an Entry Level Certification.

 

No it is not. The ISC2’s CISSP Exam was a very intense exam even for someone with 15+ years in IT Industry with having applied IT Security in day to day job duties (yeah that is me 😉).

The last time I heard entry level means someone is at the lowest level in an employment hierarchy, just means that they are starting out, that could be 1 to 3 years of industry experience. If someone says or writes about CISSP being an entry level certification, please refer them to me. I will get the CISSP community to weigh in and will reach out to them and do our due diligence. Or simply direct them to ISC2’s requirements section. (Required Experience)

So why was this post necessary?
It is because of CIO.com’s recently published article which claims CISSP is an entry level Certification. Below is a tweet of that article.

Why I am writing this post?
Because CISSP is not an entry level certification and it takes 5+ years of experience in two (out of eight) of the security domains to get this credential next to one’s name. The exam is also not as easy or simple. It takes more than just knowing the IT Security concepts to answer the 150 questions in three hours.

Without real understanding of IT Security concepts and without having sufficient experience applying these various security concepts in the real world scenarios, will leave you playing Eeny, meeny, miny, moe and will give you just under 2% success rate according to these math geeks. (Link)

Why the Click Bait?
If you saw a post or a NEWS article claiming CISSP is an entry level certification, then it is definitely a click bait, just look at the views on this post 😊 (I am guessing it must be in its hundreds by now, it was only posted on 10/4/2020). Just demonstrating… or am I?

👇 Finger Pointing Down Emoji Meaning with Pictures: from A to Z




 

What does ISC2 have to say about all this?
Here is ISC2 Tweet responding to an individual, confirming they are also aware of this incorrect classification of CISSP Certification in the specific CIO’s article:

Still not convinced?
Then I suggest you to join this Discord group called Certification Station. No, this is not an advertisement and they are not selling anything, but it is a group of professionals in IT Security who like to hangout and learn together. Check them out here: https://certificationstation.org/

Certification Station
DK, CISSP

If you would like to subscribe to this blog. Simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.

Don’t pay that Ransom yet. Call OFAC first.

Who is OFAC? What is the deal here? You will learn all of that in a minute. But first, let us focus on this word Ransom, what is it?

Paying a ransom is not something new. It has been used in the early 1800s to pay for release of a prisoner. In today’s day and age, this word is very widely used in the Cybersecurity space with billions of dollars in Bitcoin being paid as a ransom for release of information that was encrypted or stolen by the bad actors (the bad guys/gals) every year.

While it is very natural for an organization or individual to make payments in the hopes of getting their sensitive data back, often times promises are not kept and there are other issues such as repeat of the same attack.

Here are few examples of ransoms that was paid 2019 to the bad guys where the organization paying the ransom was able to get its data back.

2019

  • Park DuValle Community Health Center, Kentucky, USA
    Amount paid: $70,000
  • La Porte County, Indiana, USA
    Amount paid: $130,000
  • Jackson County, Georgia, USA
    Amount paid: $400,000
  • Lake City, Florida, USA
    Amount paid: $500,000

    There are many more…

Most of these organizations used Cyber Insurance and were able to use some part of its payout as payment to the cyber criminal. Also, most of these organizations contacted FBI or other US Agencies and worked directly or indirectly to negotiate and process the payments.

The big question to be answered comes when you are at the crossroads of whether to pay the ransom or simply accept that the data is lost and then plan to spend millions of dollars in recovering from such an incident. While the answer to this question is not straight forward like any other decision in the Cybersecurity space. It is often answered in a haste or without considering all risks. Take the example of City of Atlanta,

The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city’s systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin.

Newman, L. (2018, April 24). Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare. Retrieved October 03, 2020, from https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/

Then there are other considerations such as organization’s reputation, continuing business operations and putting proper counter measures in place to prevent this from happening in the future. There is however one more thing that you have to consider in the form of this simple question.

Are you violating any rules and regulations of the U.S Department of Treasury’s by making a payment to the bad guys?

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently put out an advisory – Ransomware Advisory (Link) bringing up several important things to consider for organizations affected by ransomware or companies* who are assisting organizations hit by ransomware.

* These companies include Law firms, Cybersecurity insurance companies, or Financial institutions facilitating the ransomware payments.

Let us look at a few highlights of this Advisory:

OFAC states that these ransom payments could facilitate the bad actors and the states they may represent to support their illegal activities.

Ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

U.S. Department of the Treasury. (2020, September 28). Retrieved October 03, 2020, from https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001

OFAC has designated these malicious actors, aka our bad guys, under its cyber-related and other sanctions programs. OFAC uses these sanctions to effectively enforce foreign policies and national security goals.

So what does it really mean? If you or an organization were to pay the ransom in any way or form to an cyber-criminal, aka bad guy, and this individual or entity happens to be in one of the sanctioned countries , then you will be violating OFAC’s regulations. Simply put these payments with the sanctions nexus (associated or connected with the sanctions) threatens the U.S. National Security Interests.

So what should an organization that actively dealing with a ransomware attack do?

The OFAC’s Ransomware Advisory encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately. At the end of the document, it lists all the departments that you may need to contact, such as:

  • U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).
  • Financial Crimes Enforcement Network (FinCEN)
  • Cybersecurity and Infrastructure Security Agency (us-cert.cisa.gov)
  • Homeland Security Investigations Field Office (ice.gov)
  • Federal Bureau of Investigation Cyber Task Force (fbi.gov)
  • U.S. Secret Service Cyber Fraud Task Force (secretservice.gov)

In recent years, ransomware attacks have become more focused, sophisticated, costly, and numerous, adding to the various risks that an organization should consider when planning their Business Continuity and Disaster Recovery programs. While this article focused on United States and affects US Persons and Non-US Persons. It will be worthwhile to research regulations and laws in your regions of business operations.

Looking for the OFAC’s Ransomware Advisory, check out this page: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001




DK