My first SANS/GIAC certification

I have several infosec certifications, but most are from ISC(2) and ISACA.

This past week I learned that I passed the test I took for a new GIAC certification: the GSTRT, which is for the GIAC Strategic Planning, Policy, and Leadership.  It's tied to SANS's new MGT514: IT Security Strategic Planning, Policy, and Leadership, which I took last year.  At the time there was no cert, so I got to beta test the new exam.

Not having done any of the GIAC certs, this was a new experience for me.  GIAC allows you to bring your books with you, so I knew it was vital to prep for the cert.  I read and re-read my books and also created my own index of the books.  This was vital because one volume was devoted to leadership concepts, and it had a lot, many I wasn't familiar with when I took the course.  In many cases, they almost introduced a new concept every 2-3 pages!

I don't know my score yet, but am curious to learn how well I did.

"Hacker Summer Camp" 2017

This past July I went out to Las Vegas for the first time to attend some of the events referred to as "hacker summer camp": Black Hat, BSides, and Defcon.

Now, I did not attend Black Hat as the event was pretty expensive.  I did want to drop by the exhibit hall, but couldn't get in.  I did attend the ISSA and ISC(2) receptions tied to the event.  I was a little disappointed that ISACA made a big deal about being at Black Hat but didn't do a reception of some kind.

I mainly came to attend BSides and Defcon and stayed at the Tuscany Suites where BSides was being held, which I recommend.  This guaranteed you a ticket for BSides.  I also got the meal ticket deal (breakfast & lunch) at BSides, which made me a sponsor and got me earlier check-in at the sponsor table.  I also pre-ordered a t-shirt (recommended).

There were a lot of interesting sessions I attended.  I'll need to do another posting on some of the sessions I went through and give more info on them.

Once BSides was over I attended Defcon.  This event was a bit overwhelming.  There was a big line for the trading post (cash only!), and I mainly wanted to get a t-shirt.  I was a little disappointed that the badge this year was a rubber badge, not an electronic one.  But many others had their own badge and I got a few.

Defcon is almost a collection of conferences.  There are main Defcon sessions, which are in HUGE rooms, four at a time.  Then there are a half dozen or so "villages" which have activities and their own sessions.  Skytalks was a good one, but there are villages for privacy & crypto, car hacking, IoT, and many others.  There was also a vendor area (but not open the first day).  There were many interesting vendors.  One I had met at BSides is HackerBoxes.

As I noted, a lot of groups, including some of the villages, had their own electronic badges.  I really wanted a few, but they were cash only.  I didn't consider that and didn't bring a lot of cash with me.  And using ATMs was expensive.  So next time I will bring a lot more cash. 

I did some fun things, like solder a small badge at the Hardware Hacking Village (it wasn't the big electronic badge they had; I missed out on that).  Had some interesting conversations with several people.  Met a few interesting people and groups.

Not sure if I'll go back next year or when I'll go back.  I would probably want to submit some talk proposals to BSides (I had thought of doing some this year, but wasn't certain if any I do would get accepted, but after seeing the sessions I should have submitted some).  I would again get a room at the Tuscany and had debated getting one just in case I decided to go.  Just don't know at this point.

I'll post some pics soon.

NIST releases DRAFT SP800-53R5

Recently NIST finally released the DRAFT of SP800-53R5.  800-53 is entitled Security and Privacy Controls for Federal Information Systems and Organizations and is the set of controls used in FISMA, the mandated set of infosec controls used in federal systems (though many others use it as well, oftentimes state and local governments, as well as government contractors).

This has been in the works for awhile now, and many expected this draft to come out several months ago.  The due date for comments is September 17, 2017.  They want to put out the final draft (second draft) in October, with the final version by the end of the year.

They note several changes.  They have incorporated privacy controls into this.  They have separated out the control selection process from the controls.  The Risk Management Framework is that control selection process.  By doing this, it more easily allows others to use the controls as is.  With the NIST CSF referencing the controls in SP800-53, it makes it easier for those using the CSF to use these controls.  It is actually called out that SP800-53 can be used with the RMF, CSF, and Systems Engineering Processes.

One big change was striking "federal" from the title within the document, again as part of making the controls more accessible to non-federal users.

Sad news- Intel drops Edison, Galileo, Joule, Curie

I had previously posted about some of Intel's efforts to get involved in the IoT and Maker communities with their own products such as the Edison, Galileo, Curie and more.

At the recent DefCon conference I was chatting with the guy behind HackerBoxes and was sad to learn that Intel has recently dropped some of their efforts.  I took a look and found info that they are dropping production of the Edison, Galileo, Curie, and Joule products by the end of 2017 or mid 2018.

This is a bit disappointing.  I thought some of these had a lot of potential, and I think that if they haven't been as successful as they could have been that maybe Intel didn't do all they could to make these products successful.  I know Sparkfun had put out several items in support of the Edison.  I had hoped to see more published information on these items and there was a planned work on the Edison and Galileo that never came out.

As far as I can tell they are still supporting the Euclid product, but that's just not the same.

Does this end Intel's foray into this realm?  Hopefully not.

News on NIST CSF v1.1

I've previously posted on the NIST Cybersecurity Framework (NIST CSF) and the recent work to update it to v1.1.  I had attended the recent workshop held at NIST headquarters following the release of the Draft v1.1 and comments.  And I've been awaiting their report on the Workshop and a better idea as to what the next steps are.

Well, just before "Hacker Summer Camp" they released their summary and I missed it.  You can read it HERE.

Better Business Bureau's work on Cybersecurity (CYBER$3CUR1TY)

While I was at the NIST CSF Workshop, something I learned about is the work being done by the Better Business Bureau on Cybersecurity, especially for small businesses.  This is under the tagline of CYBER$3CUR1TY.

Though, to be accurate, this is coming from the Council of Better Business Bureaus, which is the umbrella organization for BBBs in North America.

All of what they have may be found HERE.