Infosecurityprofessional Novdec2016
Uploaded by Ahmed Gawdat

InfoSecurity PROFESSIONAL
A Publication for the (ISC)2 Membership
NOVEMBER/DECEMBER 2016

WEIGHING IN ON NEW EXAMS

WHAT LIES BENEATH
The Shadowy Side of IT

+ CREATING YOUR PERSONAL LEARNING NETWORK
WRITING A BOOK IS FAR FROM CHILD'S PLAY

also
AMERICAS ISLA WINNERS
LETTING GO OF LEGACY NIPS
5 MINUTES WITH TUSHAR GOKHALE

isc2.org facebook.com/isc2fb twitter.com/ISC2
GET EMPLOYERS' ATTENTION
CREDENTIALS THAT SET YOU APART

EARN UP TO THREE NSA DIGITAL BADGES on your way to a degree at a nationally recognized university. Badges are offered for these information assurance and security (IAS) programs:

PURSUE A DEGREE IN / EARN AN NSA DIGITAL BADGE IN:
Bachelor's in IT IAS: Information Assurance and Security
Master's in IAS Digital Forensics: Digital Forensics; Security Incident Analysis and Response
Master's in IAS Network Defense: Network Security Administration; Network Security Engineering; System Security Engineering

Capella University has been designated by the National Security Agency (NSA) and the Department of Homeland Security as a National Center of Academic Excellence in Information Assurance/Cyber Defense for academic years 2014-2021.

GET RECOGNIZED FOR WHAT YOU KNOW. START TODAY.
CAPELLA.EDU/ISC2 OR 1.866.933.5836

See graduation rates, median student debt, and other information at www.capellaresults.com/outcomes.asp.

ACCREDITATION: Capella University is accredited by the Higher Learning Commission.
HIGHER LEARNING COMMISSION: https://www.hlcommission.org, 800.621.7440
CAPELLA UNIVERSITY: Capella Tower, 225 South Sixth Street, Ninth Floor, Minneapolis MN 55402, 1.888.CAPELLA (227.3552)

Copyright 2016. Capella University. 16-8831


Contents VOLUME 9 ISSUE 6

DEPARTMENTS
4 EDITOR'S NOTE: What Kind of Information Security Professional Are You? BY ANNE SAITA
6 EXECUTIVE LETTER: (ISC)2 Examinations to Carry More Weight. BY DR. CASEY MARKS
8 FIELD NOTES: Americas ISLA winners announced; top-paying IT jobs in 2016; cheers for Santiago's SecureChile; and much more.
14 MEMBERS' CORNER: Why Your Legacy Network IDS/IPS Needs to Be Replaced NOW. BY RODRIGO CALVO
27 CENTER POINTS: Raising Awareness, Scholarships and Opportunities for Future Cybersecurity Professionals. BY PAT CRAVEN
28 5 MINUTES WITH Tushar Gokhale: The Mumbai, India, native came to the U.S. for a formal education in information security. And, boy, has he gotten it.
4 AD INDEX

FEATURES
TECHNOLOGY
15 What Lies Beneath: It's time to cast a stronger light on the shadowy side of IT. BY JAMES HAYES
PROFESSIONAL DEVELOPMENT
21 It's Not Just Who You Know... or maybe it is. Expand your professional potential by building a Personal Learning Network. BY KERRY ANDERSON
PROFESSIONAL DEVELOPMENT
24 Playing by the Book: How an (ISC)2 member creates children's books also meant for their elders. BY CHRIS GRECO

Image caption: There are numerous ways to learn without breaking your budget. PAGE 21

Cover image: JOHN KUCZALA. Image (above): ROBERT PIZZO.

InfoSecurity Professional is produced by Twirling Tiger Media, 7 Jeffrey Road, Franklin, MA 02038. Contact by email: [email protected]. The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2 on the issues discussed as of the date of publication. No part of this document, print or digital, may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual products and companies mentioned herein may be the trademarks of their respective owners. For subscription information, please visit www.isc2.org. To obtain permission to reprint materials, please email [email protected]. To request advertising information, please email [email protected]. 2016 (ISC)2 Incorporated. All rights reserved.

InfoSecurity Professional 3 November/December 2016
Editor's Note
WHAT KIND OF INFORMATION SECURITY PROFESSIONAL ARE YOU?

OF ALL THE EXCELLENT advice delivered during a Security Congress session on building and retaining security teams, the piece that stood out most to me came from Deidre Diamond, founder and CEO of Cyber Security Network. Her secret tool to hold on to good employees: kindness.
"It's the number one thing that everyone wants from an employer," Diamond says in an abbreviated transcript of the session published online.
If kindness is all it took to keep top talent, you'd think no one would leave. But, it turns out, compassion and consideration become more scarce as people rise in rank. UC Berkeley psychology professor Dacher Keltner discovered that as people gain power or privilege, they are less likely to demonstrate empathy, collaboration and openness toward others, not just in politics and professional sports, but in the workplace too.
How can you tell if you practice empathy, gratitude and generosity, three cornerstones of kindness? Consider your own behavior toward your colleagues and direct reports. "Studies show that people in position of corporate power are three times as likely as other employees to interrupt coworkers, raise their voices, and say insulting things at the office," Keltner writes in the October issue of Harvard Business Review.
And the result? "In a recent poll of 800 managers and employees in 17 industries, about half the respondents who reported being treated rudely at work said they deliberately decreased their effort or lowered the quality of their work in response," Keltner reports.
This gives credence to Diamond's recommendation and should serve as a warning to anyone in, or seeking, a senior-level position, today or 10 years from now. If you aren't already, learn how to listen earnestly to others. Deliver thoughtful thank yous. Acknowledge good work and those who did it. Give praise generously (and genuinely).
Do this for both your present you and your future you. After all, as the famous saying goes, "Be nice to those you meet on the way up, for they are the same people you'll meet on the way down."

ANNE SAITA

Anne Saita, editor-in-chief, lives and works in Southern California. She can be reached at [email protected].
Rob Andrew Photography

(ISC)2 MANAGEMENT TEAM
SENIOR MANAGER, MEMBERSHIP MARKETING AND MEDIA SERVICES: Jessica Hardy, 727-785-0189 x4063, [email protected]
EXECUTIVE PUBLISHER: Timothy Garon, 508-529-6103, [email protected]
SENIOR MANAGER, CORPORATE COMMUNICATIONS: Maria Forrest, 727-201-5759, [email protected]
MEDIA SERVICES COORDINATOR: Michelle Schweitz, 727-785-0189 x4055, [email protected]

SALES TEAM
EVENTS SALES MANAGER: Jennifer Hunt, 781-685-4667, [email protected]
REGIONAL SALES MANAGER: Lisa O'Connell, 781-460-2105, [email protected]

EDITORIAL ADVISORY BOARD
Carlos Canoto, South America
Tushar Gokhale, U.S.A.
Javvad Malik, EMEA
J.J. Thompson, U.S.A.
Elise Yacobellis, (ISC)2

TWIRLING TIGER MEDIA EDITORIAL TEAM
EDITOR-IN-CHIEF: Anne Saita, [email protected]
ART DIRECTOR & PRODUCTION: Maureen Joyce, [email protected]
MANAGING EDITOR: Deborah Johnson
PROOFREADER: Ken Krause

ADVERTISER INDEX
For information about advertising in this publication, please contact Tim Garon at [email protected].
Capella: 2
RSA: 5
(ISC)2: 7
Pearson: 9
(ISC)2: 12
Center for Cyber Safety & Education: 13
(ISC)2: 20
Twirling Tiger Media: 29

Twirling Tiger Media is certified as a women's business enterprise by the Women's Business Enterprise National Council (WBENC). This partnership reflects (ISC)2's commitment to supplier diversity. www.twirlingtigermedia.com
ATTEND RSA CONFERENCE 2017 FOR LESS!
Save $200 with your (ISC)2 member discount code.

From February 13-17, the (ISC)2 community will come together in San Francisco at RSA Conference 2017, the world's largest infosecurity event.

Join your peers and discover:
Over 555 sessions covering a range of topics to help you stay on top of threats and solutions.
(ISC)2 CCSP Two-Day Crash Course covering the six domains in the Certified Cloud Security Professional CBK.
(ISC)2 CISSP Two-Day Crash Course covering the eight domains in the Certified Information Systems Security Professional CBK.
More than 550 exhibitors in two Expo halls.
Four days of enlightening and inspiring keynotes, led by speakers such as Dr. Neil DeGrasse Tyson, Amit Yoran and many more!

Visit www.rsaconference.com/isc2 to register today!
Use code 1U7ISC2FD when you register to save $200 off a Full Conference Pass.
Follow us on: #RSAC


THE LATEST FROM (ISC)2'S LEADERSHIP
EXECUTIVE LETTER: DR. CASEY MARKS

(ISC)2 EXAMINATIONS TO CARRY MORE WEIGHT

THE TIME THAT a candidate spends preparing to take a rigorous examination can be described any number of ways: nerve-racking, mind-numbing, paranoia-inducing or painful. Rarely is it uneventful.
Certification examinations seek to illuminate the knowledge, skills and abilities an individual possesses under the shroud of absolute secrecy. Examination forms are secured. Test items may only be seen by vetted candidates and validated professionals. Exam administration occurs in locked-down facilities. Threat detection and risk mitigation countermeasures are deployed, continuously, post-exam administration.
Furthermore, we seek to assess test takers by asking questions to measure a latent psychological trait: in our case, the vast knowledge and practice of securing information.
While examinations and their development need to be secure, they don't need to be a mystery. To this end, (ISC)2 for the first time recently approved publishing examination domain weights. Now candidates will know not only the content areas to be assessed, but also what proportion of an exam will be dedicated to these sections.
Publishing the percentages of items dedicated to each exam domain is not only good testing practice, it is a giant leap forward in providing necessary clarity to ensure that our standards of validity and reliability continue to stand up to public scrutiny.
(ISC)2 cares a great deal about its certification programs. We have sought ANSI 17024 accreditation for nine of our 10 professional certifications. How difficult is it to earn this mark of excellence? Of the more than 3,000 certification programs in the United States alone, fewer than 200 reportedly are ANSI-accredited.
In obtaining this prestigious recognition, we must demonstrate that (ISC)2 adheres to the highest industry standards in examination development, administration and security. We subject our programs to continuous third-party audits to demonstrate that our exams are valid, that they actually measure what they intend to measure, and that they are reliable. Indeed, the examination development at (ISC)2 has always been world-class on these important psychometric principles. Now, we hope to improve on how we talk about these concepts.
Publishing domain weights at this time provides necessary guidance and focus for candidates in their educational preparation. Additionally, it provides a convenient remediation heuristic for candidates who do not pass an exam on their first attempt.
Rest assured, the exam is certainly not any easier than when you passed it. As what is testable in information security continues to grow, so will our focus on certifying professionals who are best able to help us inspire, and create, a safer and more secure cyber world.

Dr. Casey Marks, a 20-year psychometrician, is the director of examinations and customer experience at (ISC)2. He can be reached at cmarks@isc2.org.
Member Benefits
Are you getting the most out of your (ISC)2 membership? Whether you are looking for CPEs to maintain your certification, avenues to network with your peers, or resources to help you stay on the cutting edge of information security, your membership provides these benefits and more.

Free Digital Member Magazine
Digital Badges and Certificates
Free Online Events
Access to Exclusive Information Security Reports
Vulnerability Central and many more

VIEW BENEFITS: www.isc2.org/member-benefits.aspx

Member Discounts
(ISC)2 continues to strive to partner with industry leading organizations to deliver discounts to provide more value to your membership. These help you stay relevant in your career, introduce you to the top resources, and help you save money and time.

Discounts on Industry Conferences, such as BlackHat and RSA
1-Day SecureEvents (Coming to a city near you!)
Service and Subscription Discounts
50% Off on (ISC)2 Official Books, Study Guides, and Other Resources

VIEW DISCOUNTS: www.isc2.org/member-discounts.aspx
FIELD NOTES, EDITED BY DEBORAH JOHNSON
A ROUNDUP OF WHAT'S HAPPENING IN (ISC)2 COMMUNITIES

(ISC)2 SALUTES THE 2016 AMERICAS ISLA WINNERS

THE SIXTH ANNUAL Americas Information Security Leadership Awards (Americas ISLA) were presented at the 2016 (ISC)2 Security Congress in Orlando. Americas ISLA, part of (ISC)2's Global Awards Program, recognizes the achievements of outstanding cybersecurity professionals who have led a workforce improvement initiative, program or project in Central, North or South America.
Jim Davis, the creator of Garfield, provided the keynote address during a banquet ceremony. Garfield, the iconic cartoon cat featured in the Garfield & Friends series, is the spokescat for the Center for Cyber Safety and Education's Safe and Secure Online program.
"We are excited to honor the Americas ISLA recipients once again this year," says (ISC)2 CEO David Shearer. "These professionals are advancing our industry and truly making a difference in the cyber world."
The 2016 Americas ISLA winners are:

Senior Information Security Professional: Diego Andres Zuluaga Urrea, Information Security Officer, ISAGEN S.A. (Colombia). PROJECT: Colombian Energy Sector Cyber Security Improvement
Information Security Practitioner: Mack Bhatia, Senior Practice Director, Enterprise Integration (U.S.A.). PROJECT: Enterprise Integration SOC 2 and SOC 3 Compliance
Up-and-Coming Information Security Professional: Jennifer Chermoshnyuk, Paralegal, Davis Wright Tremaine LLP (U.S.A.). PROJECT: Continuing Legal Education Program
Community Awareness: Sandra Toner, Senior Technical Specialist, ICF International (U.S.A.). PROJECT: Online Cybersecurity Awareness Tools

For more information on the Americas ISLA program, please visit www.isc2.org/aisla.
Photograph: Thinkstock

IN REMEMBRANCE: (ISC)2 BANGALORE CHAPTER PRESIDENT SHEKHAR BOSE
Shekhar Bose, president of the (ISC)2 Bangalore Chapter in India, died unexpectedly on Sept. 3, 2016. An (ISC)2 member since June 2007, Bose was the founding president of the Bangalore Chapter. With his and the chapter officers' efforts, the Bangalore Chapter grew from 43 members in 2014, to 63 members in 2015. In an interview for the March Chapter Connections online newsletter, Bose spoke of wanting to increase the chapter activities by providing more member benefits to the local community. His energy and enthusiasm will be greatly missed.
He is survived by his wife and daughter.

CPEs
Please note that (ISC)2 submits CPEs for (ISC)2's InfoSecurity Professional magazine on your behalf within five business days. This will automatically assign you two Group A CPEs.
https://live.blueskybroadcast.com/bsb/client/CL_DEFAULT.asp?Client=411114&PCAT=7777&CAT=10476

Top 10 Wearable Technologies and Capabilities for 2017 and 2018
1. Biometric authentication
2. Mobile health monitoring
3. Energy boosting using harvesting
4. Virtual personal assistants (VPAs)
5. Smart coaching
6. Embedded security
7. Conformal electronics
8. Wearable processors
9. Virtual and augmented reality
10. Accurate motion recognition
Source: Gartner, August 2016 Report
100% Online Master of Science in Cyber Security

The front lines of digital defense are looking thin. Become an in-demand expert.
CNBC estimates a need for 30,000 top-level security experts worldwide. Those experts are consistently earning more than six figures annually, according to payscale.com. The numbers don't lie: there has never been a better time to specialize your skills. Elevate your technical abilities in booming areas like cloud security, wireless network security, and mobile device hacking. Housed within the John E. Simon School of Business, Maryville University's Online Master of Science in Cyber Security program helps you develop the business literacy to influence, and even enter, the C-suite.

Earn your advanced degree. START TODAY
Graduate in as few as 18 months.
Complete your coursework 100% online, on any device.
Use our Maryville Virtual Lab as a professional training ground.
Learn from a faculty dedicated to the profession.

ONLINESECURITY.MARYVILLE.EDU/STARTTODAY
FIELD NOTES

CHAPTER SPOTLIGHT: (ISC)2 CHILE CHAPTER
CYBERSECURITY: CRUCIAL IN EVERY LANGUAGE

SANTIAGO, CHILE HOSTED the first Spanish-language Secure event, (ISC)2 SecureChile, organized by (ISC)2 Chile Chapter in partnership with the (ISC)2 Latin America Office. "Information Security: A Task of All" was attended by 100 information security professionals, from management to C-level.
The keynote speaker, James Harris, a former senior management official from the U.S. Federal Bureau of Investigation's Cyber Division, briefed the audience on a project studying why users make bad choices when it comes to cybersecurity and how training and education can improve their decision-making.
Other presenters included representatives from major businesses, including Telefónica, Neosecure, Deloitte Chile, Assertiva and Grupo SURA as well as (ISC)2 Chile Chapter officers, who emphasized the importance of (ISC)2 certifications and the initiatives in Latin America to increase awareness of (ISC)2. The day wrapped up with a panel featuring three female CISOs representing their companies, CODELCO, NEXUS and SINACOFI, who discussed security management challenges in BYOD, big data and IoT.
"It was an honor and privilege to have been part of this first Secure event in Chile. The experience was enriching, both for the content of the presentations and for the great opportunity of networking with other professionals. This is an initiative that must be repeated every year," said Javier Toro Rodríguez, head of regulation and security compliance and risk and security management for RedBanc.
"Carrying out the first Secure event in the Spanish language in Latin America was a major achievement for the (ISC)2 Chile Chapter. Definitely, the success achieved will encourage the professional community to join the activities of our chapter, and also demonstrate the high quality of the professionals that are part of the (ISC)2 membership. There is no doubt that (ISC)2 SecureChile met the needs of non-commercial events at the international level," said Wilson España, president of (ISC)2 Chile Chapter.

Photo caption: (ISC)2 Chile Chapter at SecureChile meeting. From left to right: Gabriel Bergel (vice president), Eric Donders (secretary) and Wilson España (president).

(ISC)2 CHILE CHAPTER CONTACT INFORMATION
Chapter President: Wilson España
Email: [email protected]
Website: http://www.isc2chile.cl/

27 percent of corporate data traffic will bypass perimeter security by 2021, up from 10 percent today. Source: Gartner, August 2016 Report
210 percent increase in the adoption of bug bounty programs since 2013. Source: Bugcrowd's 2016 State of Bug Bounty Report, released in September
FIELD NOTES

PITTSBURGH HIGH SCHOOL STUDENTS TACKLE THE DARK SIDE OF CYBER

Photo caption: Pittsburgh-area high school students participate in a kinetic exercise assisting a U.S. Navy SEAL team in a hostage rescue operation.

REAL-WORLD SITUATIONS provided the material for high school students to test their cybersecurity know-how in a series of exercises, including a hostage rescue operation presented by experts at Carnegie Mellon University's Software Engineering Institute. Seventy-five Pittsburgh students, from freshmen to seniors, got a firsthand look at the dangers lurking in cyberspace, including identity theft, social engineering attacks, malware, and its cousin, ransomware. They learned how to protect computer systems using the latest Windows and Linux security tools and techniques and state-of-the-art network simulators.
(ISC)2 board member Dave Kennedy from the security firm TrustedSec spoke to the teens about his early days of hacking.
For the hostage rescue exercise, students, assisting a Navy SEAL team, hacked into the power grid and disabled the building lights where hostages were, and at the same time defended their drone infrastructure from attacks, all the while providing cyber support for the SEALs.
The competition event, co-hosted for the second year by SEI's CERT Division, featured US$1,500 in prizes provided by TrustedSec.
"This competition reflects the commitment of the SEI, (ISC)2 and TrustedSec to providing opportunities for STEM education and experiences to young people," said Chris May, technical director of the workforce development team in the SEI's CERT Division. "Events like these help address a gap in teen education and inspire the next generation of cybersecurity professionals."
Jonathan Frederick, cybersecurity exercise developer for the SEI's CERT Division and vice president of the Pittsburgh Chapter of (ISC)2, added, "Since its inception, our chapter's primary focus has been to provide outreach to the Pittsburgh region. IT security professionals from businesses throughout the area collectively realize the importance of educating our successors."
For more information on this event visit http://isc2chapterpittsburgh.com/, https://www.trustedsec.com/, http://www.cert.org/.

9 HIGHEST PAYING IT JOBS (2016)
Functional Area: Average Annual Salary (USD)
Cloud computing: $115,826
IT architecture: $113,499
IT security: $104,949
Business technology: $101,663
Java developers: $99,763
Project/program management: $98,607
Data warehousing/business intelligence: $93,522
Business application development: $92,037
Voice engineering: $91,489
Source: 2016 IT Skills and Salary Survey, Global Knowledge, http://images.globalknowledge.com/wwwimages/pdfs/2016_SalaryReport.pdf
FIELD NOTES

RECOMMENDED READING
Cloud Computing: Assessing the Risks
By Jared Carstensen, Bernard Golden and JP Morgenthal
Suggested by Larry Marks, CISSP

AS THE CLOUD becomes a partner in more and more enterprises, the need for in-depth information on the benefits and risks grows as well. This book, though a few years old, is a good investment, especially for those professionals working to bring cloud computing to their companies. The authors provide step-by-step guidance to the various components, governance and liabilities that may impact performance. The authors identify the top security risks related to the cloud, the impact of DevOps, and the risks of auditing application security.
The authors highlight the means of performing forensics in the cloud and reviewing the location of the data in regard to international requirements such as EU Privacy Directive 2002/58/EC. They make a point of indicating that the information security professional has to collaborate with the business or process owner to help these stakeholders better understand their risks related to cloud, and better grasp the concepts.
Real-life scenarios are presented, such as: When I am done, how do I de-provision and transition assets out of the cloud vendor to another location of another context? Also included is an overview of cloud deployment models and other cloud concepts so the reader has the proper foundation. I found this book to be a practical guide that can apply to a variety of cloud possibilities that any employer will consider. It is a good supplement to any understanding of the risks that professionals should concern themselves with when reviewing security for the cloud.

MEMBERS: Download Your Certificate DIGITALLY
Based on member feedback, you can now download a digital PDF certificate! Your digital certificate is available under My Profile.
Download my certificate
www.isc2cares.org

It's easy to see that teachers, librarians, and media specialists need more quality information and resources to address cyber safety in the classroom and at school!

We believe everyone has the right to access the internet without fear of compromising their safety or identity. However, in the Center's 2016 study of children grades 4-8 we found a few alarming results:

62% went to adult websites after a search
40% have connected with or chatted online with strangers
21% watch adult programming online
11% met a stranger in person after meeting online
49% are online at 11pm or later on school nights

You can choose to support any of the following:
Child: 1 Individual Packet
Classroom: 1 Educator's Kit
Grade: 3 Educator's Kits
School: 15 Educator's Kits
Girl Scout Troop: Patches for a Troop of 10 Scouts
(*Quantities are not limited)

Please click here to make a donation. Donate Today!
safeandsecureonline.org
Paws. All rights reserved
MEMBERS' CORNER: A SOUNDING BOARD FOR THOSE WITH SOMETHING TO SAY

Why Your Legacy Network IDS/IPS Needs to Be Replaced NOW
BY RODRIGO CALVO

Rodrigo Calvo, CISSP, is a senior security engineer at infoLock Technologies. He can be reached at rcalvo@infolocktech.com.

GHOSTNET, STUXNET AND DUQU are just a few examples of advanced persistent threats (APT) that demonstrate the complexity used by hackers to exfiltrate information from internal networks. We've all heard about these attacks, but are we prepared to prevent them?
Let's assume that our perimeter is full of firewalls and network intrusion prevention systems (NIPS) based on stand-alone legacy and not OSI Layer 7 technologies. Is that enough?
I asked a lot of colleagues about the best defense for APTs and confirmed with the Gartner MQ for IPS from 2015 this common perception: NIPS, with the technologies that we recognized five to 10 years ago, cannot provide comprehensive protection. It's necessary to have additional support that can handle analysis of advanced threats and interact with other security tools. That kind of protection has many names: UTMs, NGFWs, NGIPSs and ATPs.
Yet legacy tools exist because many of us work for organizations that lack the resources to fully replace them. In those instances, we must find better solutions that complement our current corporate security model. Figure 1 graphically demonstrates the idea of protecting the environment and minimizing the risk with a solution that can collect security data at multiple levels, prioritize and provide intelligence from email, endpoint and network events. Even better if the solution can integrate actions for a quick incident response.
A use case of such multilevel integration on a single solution could include:
Correlated information from multiple sources. But in contrast to a SIEM solution, the technologies being used could block malicious traffic, suspicious files, or send a command to the endpoint protection solution in order to isolate it and let the security team analyze the evidence for further actions.
Use of reputation services from the cloud to compare against network events.
Alerts of events from the host IDS/IPS in order to bypass SSL traffic (or any potential attacks across that channel).
Network events in which host IDS/IPS information will feed back to the solution's infrastructure to determine if there is some sort of advanced attack going on.

The time has long passed when the IT department just waited for the antivirus provider to get a virus definition (or "vaccine" like many people called it a few years ago) for a virus. Now it's necessary to have more information to understand at least:
Source of the attack
The logic of malicious code attacking the company (files, registry creation, network connections, etc.)
Actionable recommendations

No doubt APT protection solutions add crucial benefits for customers. So, as budget seasons are underway, it may be time to evaluate the market and find the best option for our companies.

FIGURE 1: Comparative between Legacy NIPS and Modern ATP approaches
Legacy NIPS: Classic malware detection; Behavioral monitoring or heuristics; Protocol anomalies detection; Signature database
Modern advanced threat protection approaches: Advanced persistent threats-based detection; Advanced evasion techniques detection; Cloud-based sandboxing and/or payload detonation services
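The multilevel integration Calvo describes (correlating network, host IDS/IPS, email and cloud-reputation events, then acting rather than only alerting as a SIEM would) is easier to reason about with a concrete correlation loop. The following is an added example and not Calvo's code or any vendor's product: the reputation table stands in for a cloud reputation service, the event sources, hostnames, weights, threshold and the action strings ("block dst ...", "isolate host via endpoint protection") are all constructed for illustration, and a real integration would hand those actions to a firewall or endpoint agent.

```python
"""Per-host correlation of network, host IDS/IPS, e-mail and reputation
events into a verdict that carries response actions (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for a cloud reputation feed (RFC 5737 test addresses).
REPUTATION = {
    "203.0.113.5": "malicious",
    "198.51.100.7": "suspicious",
}

# Constructed evidence weights per (source, kind); a real product tunes these.
WEIGHTS = {
    ("network", "connection_malicious"): 3,
    ("network", "connection_suspicious"): 1,
    ("hids", "file_quarantine"): 2,
    ("hids", "tls_session_alert"): 2,   # host-side view of traffic a NIPS cannot decrypt
    ("email", "sandbox_detonation"): 3,  # attachment flagged by cloud sandbox
}


@dataclass
class Event:
    source: str                      # "network", "hids" or "email"
    host: str                        # internal asset the event concerns
    kind: str                        # event type within that source
    detail: Dict[str, str] = field(default_factory=dict)


@dataclass
class Verdict:
    host: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def reputation_of(ip: str) -> str:
    """Look up a destination in the (constructed) reputation feed."""
    return REPUTATION.get(ip, "unknown")


def correlate(events: List[Event], isolate_threshold: int = 5) -> Dict[str, Verdict]:
    """Fold events from every source into one verdict per host.

    A malicious reputation hit yields an immediate block action; once the
    combined evidence from several sources reaches the threshold the host
    is marked for isolation by the endpoint protection solution."""
    verdicts: Dict[str, Verdict] = {}
    for ev in events:
        v = verdicts.setdefault(ev.host, Verdict(ev.host))
        kind = ev.kind
        if ev.source == "network" and ev.kind == "connection":
            rep = reputation_of(ev.detail.get("dst", ""))
            if rep == "unknown":
                continue                       # ordinary traffic: no evidence by itself
            kind = f"connection_{rep}"
            if rep == "malicious":
                v.actions.append(f"block dst {ev.detail['dst']}")
        weight = WEIGHTS.get((ev.source, kind), 0)
        if weight:
            v.score += weight
            v.reasons.append(f"{ev.source}:{kind}")
    for v in verdicts.values():
        if v.score >= isolate_threshold:
            v.actions.append("isolate host via endpoint protection")
    return verdicts


# Constructed sample events: ws-017 has evidence from two sources, ws-042 only
# a low-confidence network hit, ws-099 a single host alert.
SAMPLE_EVENTS = [
    Event("network", "ws-017", "connection", {"dst": "203.0.113.5", "port": "443"}),
    Event("hids", "ws-017", "file_quarantine", {"path": "C:/Users/u/Downloads/invoice.exe"}),
    Event("network", "ws-042", "connection", {"dst": "198.51.100.7", "port": "80"}),
    Event("network", "ws-042", "connection", {"dst": "192.0.2.10", "port": "443"}),
    Event("hids", "ws-099", "tls_session_alert", {"sni": "example.test"}),
]


def run_sample() -> Dict[str, Verdict]:
    """Correlate the constructed sample and return the per-host verdicts."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, verdict in sorted(run_sample().items()):
        print(host, verdict.score, verdict.reasons, verdict.actions)
```

Only ws-017 crosses the isolation threshold, because the network hit and the host quarantine corroborate each other; ws-042's single suspicious connection and ws-099's lone host alert stay below it and would reach an analyst as context rather than trigger an automated action. That is the difference Calvo draws between a SIEM that alerts and an integrated solution that can block or isolate on correlated evidence.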
TECHNOLOGY

WHAT LIES
BENEATH BY JAMES HAYES

Its time to cast a stronger


light on the shadowy side of IT.
The cloud has a dark lining.
Shadow IT, or stealth ITthose enterprise computing solutions cre-
ated and deployed by end users without approval of IT managementhas
made its way into the cloud, uncontrolled and unchecked. The 2015 Global
CIO Survey, conducted by New York-based Logicalis, has suggested that
shadow IT is now a fact of life for the majority of CIOs, with 90 percent of
IT chiefs polled admitting that they are now bypassed by line-of-business
colleagues at least occasionally.
So whats a cybersecurity professional to do about it?

PHOTO ILLUSTRATION BY JOHN KUCZALA


RE TURN TO
InfoSecurity Professional 15 November/December 2016 CONTENTS
We are seeing that shadow IT concerns are now growing, due
in part to the realization that the enterprise IT function cannot
evade having to take on some ownership of the problem.
NIGEL HAWTHORN, EMEA marketing director, Skyhigh Networks

TWO SIDES TO A SHADOW

As its proponents seek to re-label shadow IT less threateningly as "flexible IT" or "devolved IT," caught-in-the-middle CIOs are being advised to stop trying to quash the trend, and instead enfold it into their management plans. More fatalistic IT chiefs have thought hard about bringing shadow IT into the sphere of progressive enterprise IT strategies, but may retain an anti-shadow stance toward C-suite executives susceptible to sharing shadow's perceived business benefits.

Corporate information security specialists and their security teams are less likely to be beguiled by claims from pro-shadow lobbyists; rather, an expectation arises that, even though they have no innate influence over, or knowledge of, shadow IT adoption, they should bear responsibility for defusing security-related incidents where shadow is the known source. As shadow IT proliferates, so too will the system security-related issues that it is likely to cause.

"We are seeing that shadow IT concerns are now growing, due in part to the realization that the enterprise IT function cannot evade having to take on some ownership of the problem," says Nigel Hawthorn, EMEA marketing director at Skyhigh Networks, based in Campbell, Calif. "This is because other enterprise departments, such as risk and compliance, as well as external auditors, are increasingly demanding information on shadow IT usage."

THE LENGTHENING SHADOW

Shadow IT usage has continued to grow over the last 12 months.

A May 2016 study of 355 IT professionals by Cloudstanding (Microsoft's tool that matches up potential partners for cloud operations) reported that 70 percent of employees are using cloud-based technologies that are not officially provided or managed by their company. The media sector, with 83 percent of employees using unauthorized services, led the ranking, with manufacturing at the bottom of the list, still with 49 percent of their workforce using uncontrolled cloud technology.

"Most organizations grossly underestimate the number of shadow IT applications in use," says Gartner principal research analyst Brian Lowans. Many cloud services have good security, Lowans adds, but left unchecked, the adoption of SaaS (software as a service) or BPaaS (business process as a service) applications by business units and their employees inevitably heightens the risks of erroneous or malicious posting of sensitive data, and of resource wastage.

SAVING MONEY, OR RISKY BUSINESS?

"It is tempting to see shadow IT as a way of cutting costs," says Owen Wright, assurance director at London-based Context Information Security. "But in my experience, a short-term saving can be undone several times over if there is a security breach, or if a shadow system [that becomes business-critical] later needs significant refactoring to be integrated with the rest of a company's IT systems."

Addressing the shadow IT issues on a variety of fronts will also entail additional costs across the business, predicts Andy Buchanan, area VP at RES Software, based in Radnor, Pa. "Infosecurity professionals understand that IT environments are more vulnerable to attacks than ever, and are therefore focusing heavily on internal and external risk audits, which are extremely time-consuming and costly," he says.

With new government regulations (notably, the forthcoming EU General Data Protection Regulation) the cost and burden of compliance is going to rise, especially if the increase in shadow IT continues. Ultimately, organizations that fail to rein in IT shadows will face stringent fines and punishment.

Such turns of events may not, however, necessarily bring forth concessionary quid pro quos from unrepentant business unit managers who are signing off on shadow IT activity, points out Jonathan Sander, VP of product strategy at Los Angeles-based Lieberman Software. Although many CIOs are now keenly aware of security issues around shadow IT, he says, it does not mean that they can find it when it exists.

"CIOs are now actively engaging the business, the source of shadow IT, to find things out. They are discovering that they can only get answers when they ask the right questions, [so] they are now asking their business leaders [directly] about IT that is happening outside of normal channels."

These communication shortfalls do not, of course, necessarily mean that certain shadow services buyers are also procuring their own security solutions: 52 percent of 1,200 businesses surveyed in an April 2016 report on cloud security by Santa Clara, Calif.-based Intel Security still expect IT to secure their unauthorized department-sourced cloud services.

CONFLICT OF INTERESTS?

A further complication is the possibility that a cloud service provider is working at the same time both over the counter with a client's IT department and under the radar with separate business unit contacts.

"The scope for confusion is obvious," says Skyhigh Networks' Hawthorn. "Some cloud providers' business models include promoting a free service to users, after which they approach the users' IT departments to show them how many users they have, in an effort to justify it becoming a paid service."

Having two or more routes to market can muddle matters, potentially leaving the company to pay for more licenses than it requires, Hawthorn warns.

"Some of the more dangerous shadow IT scenarios we have seen have involved business leads creating their own internal application development teams, and launching apps in cloud-hosting environments with little or no involvement by the IT department," says Ben Desjardins, a Washington, D.C.-based security solutions director at Radware. "Some will even argue that SaaS providers may be better at securing data than their organization's own IT team."

Desjardins' point underscores the fact that enterprise shadow IT is not confined to business workgroups; indeed, according to a 2013 report from Frost & Sullivan's strategic forecasting practice, Stratecast, IT staffs use a higher number of non-approved SaaS applications than their colleagues. "It appears that, in acting as the guardian of corporate technology, the IT department considers itself exempt," writes report author Lynda Stadtmueller at Stratecast.

Shadow IT Security Management To-Do List

- Ascertain the degree of understanding of shadow IT risk at C-suite level, and ensure that senior executives have access to guidance that informs both sides of the pro/anti arguments.

- Ensure that any recommendations or proofs provided in favor of shadow IT are balanced against reliable and quantifiable information about verified security risks, and are set forth in the broad context of possible outcomes in the event of a problem.

- Review enterprise IT procurement policies to identify any causes of delay that could be eliminated, providing end users with a valid excuse for localized IT purchase decision-making.

- Ensure that standard IT procurement procedures are communicated throughout the enterprise, eliminating any possibility that shadow IT consumers can claim that they had not been made aware of official procedure toward new product acquisition.

- Develop enterprise IT procurement policies and guidelines that contain provision for end-user requests for non-standard technology to be speedily brought under full consideration by the information security function.

- Communicate information about potential security risks of unauthorized IT procurement, supported by examples and by commentary from directorate heads in the legal, financial and governance departments.

James Hayes

KNOW THE RISKS

It is important when seeking insight into degrees of shadow IT risk to distinguish between the liabilities of shadow IT per se, and those liabilities arising as a direct consequence of shadow IT deployments, says Context's Wright. The real challenges that shadow IT raises, such as lack of control
challenges that shadow IT raises, such as lack of control

over system configurations and failures in asset management, are common information security manager worries.

Michael Hack, SVP EMEA operations at Ipswitch, based in Lexington, Mass., has no doubt that shadow IT is a significant and persistent risk for information security management, but is one that is often underplayed because it is seen as a creeping problem [that] "does not impact on the business in the same dramatic, headline-grabbing way that a debilitating virus or major data breach does."

There's an element of reverse polarity at play here, Hack suspects, because market studies have indicated that internal threats arising from human error or misjudgment (and many would regard shadow IT activity as such) remain at the top of the list of cybersecurity headaches for organizations of all types and sizes, and indeed pose a more acute threat than external menaces such as viruses and intrusive attacks.

"Shadow IT apps are [usually] installed with the best of intentions, and a desire to improve business efficiency," Hack says. "This means they are not ranked as highly on the information security risk scale as Trojans, for instance, or other kinds of malware. But their risks are potentially as devastating, particularly when it comes to a company's ability to comply with constantly changing data privacy and protection laws or to thoroughly encrypt its data."

THE DANGERS LURKING IN THE SHADOW

The adverse impacts of a security incident arising from a shadow IT deployment can be generally assigned to three groups. The possibility that shadow IT could provide an entrée to external cybersecurity threats is, of course, a critical concern, but ways in which proliferating, unsanctioned technology might introduce additional security-related problems also need to be factored into any risk assessment.

1. Endangering the System

Best IT management practice is about ensuring that optimal performance value is derived from IT assets in order to maximize returns on investments (ROI). Any factors that put technological well-being at risk and hamper IT management should necessarily be regarded as threats to infrastructural stability and performance, some systems experts believe.

"Use of non-approved software can have a number of adverse effects on the network [it runs over]," says Ipswitch's Hack. "[Such software] can consume a large amount of bandwidth, for example, which in turn slows down the network, and can cause compliance and data sharing issues."

Shadow IT at its most unrestrained can result in unmanageable systems, warns Context's Wright. "For example, an organization might have fully aligned to the Microsoft stack, including .NET web applications, based on Internet Information Services and SQL Server hosted in the Azure cloud infrastructure," Wright explains. "If a [business] team were to deploy an application based on PHP, MySQL and Linux into an Amazon AWS environment, they would then need to manage an entirely different stack of technology, and all of the complexity involved."

"Should the respective business team move on, responsibility for this can fall back to the core IT department, resulting in systems where no one within the organization has the technical capability to manage them," Wright says, "and where existing data security standards, processes and policies cannot be applied, (because) they are tailored for a different platform. Thus, an upfront saving in time and money to deploy quickly can lead to significant ongoing expenses further down the line."

2. Challenging Security Regulations

Shadow IT can negatively impact regulatory compliance and legislative requirements that all businesses are now subject to. In Europe, the impending European Commission General Data Protection Regulation (GDPR) intends to strengthen and unify data protection for people within the European Union. It also addresses export of personal data outside the EU, so it will affect companies and other organizations around the world.

3. Creating Breach Opportunities

The possibilities of breaches of IT systems, resulting in infiltration of an enterprise computing resource, data theft,

denial or impairment of service, and the installation of malware (such as ransomware) are well known. A high proportion of cloud apps have been found to be not enterprise-ready, lacking the baseline security, audit and certification capabilities required for workplace use. Unsecured applications could be used for months without the employees who set them up being aware that their cost-effective self-sourced application has been compromised from day one; even the details of the credit card they used to make the purchase online have likely been filched.

"A data breach resulting from a shadow IT instance will result in financial liabilities affecting the organization's bottom line," warns Gartner's Brian Lowans. "Liabilities can be very large due to a mix of costs that include notification penalties, auditing processes, loss of customer revenue, brand damage, security remediation and investment, and cyber-insurance."

WHO IS RESPONSIBLE FOR THE SHADOW'S RISKS?

The question remains: Who takes the flak when shadow is at fault? "If a business team has ignored company processes in order to deploy systems in contravention of company policy, then it's likely they will bear the brunt of any immediate fallout," suggests Context's Wright, "but any resulting data breach is a problem for staff across an organization. Information security will likely end up having to find time to deal with the outcome in either case, distracting them from scheduled work that might be of greater importance."

"The risks of shadow IT are quantifiable: the risk of breach, of noncompliance, of IT failure, of lack of control," says Nathan Dornbrook, CTO at Glasgow, U.K.-based ECS. "The risks of not using shadow IT are also quantifiable (cost and time), [the difference being that] these risks can be managed. Ultimately, business risk is owned by the business, not by IT, so violators of these policies need to be handled by the business."

IT'S OUT THERE SOMEWHERE

How big of a problem is shadow IT? How widespread is its use? How can it best be managed? These questions and more pose a challenge to information security professionals seeking to introduce better security management over shadow IT. Up until now, IT managers could detect evidence of use of unauthorized cloud apps and services through usage pattern alerts, email monitoring and traffic logs. But it is getting harder for IT to detect the use of rogue SaaS, as shadow-minded users have become more covert, especially given the increase in mobile enterprise platforms that might have no direct touch on the main enterprise IT systems.

"Cloud services make it harder to discover unofficial systems associated with a company as they often do not reside within the company's own network space," says Wright, "making it harder to discover using common inventory management or network scanning processes and tools."

RES Software's Buchanan agrees. "Based on conversations we have with customers, it is becoming increasingly difficult for security professionals to discover and keep track of the shadow IT usage in an organization. This is largely due to the [closer coupling of] cloud and mobile, as individuals, and indeed department leads, can now easily go to a cloud service and leverage their tools and services."

Adds Ipswitch's Michael Hack: "Monitoring shadow IT deployment and use on corporate networks is [now] one of the main reasons that infosecurity professionals need a fully integrated and multifunctional network management tool."

Network monitoring tools that can help safeguard the network's performance, monitor the availability of applications and prevent misuse, continue to evolve, and even advance into the realms of bots, artificial intelligence and machine learning. But right now, network-monitoring solutions that make use of advanced visualization technology are already coming onto the market. The best of these solutions can intuitively map the user experience directly to the environment that the IT team originally created, allowing team members to easily understand irregularities, such as shadow IT deployments.

Corralling shadow IT into a more managed context calls for revised terms of engagement between the business and the IT team, suggests David Emm, principal security researcher at Kaspersky Lab, based in Woburn, Mass. One of these could include new reciprocal ground rules designed to get the message across that security policies have a critical purpose, and exist to protect all staff from threats of which they probably have limited comprehension.

"In today's business world we have always-on staff conducting business with an assortment of devices and solutions," Emm says, "so businesses must be able to apply a security wrapper around each employee, whatever device they use and wherever they work. To do this, the information security team must be able to see what is being done, manage staff and devices throughout the organization, and protect corporate data, wherever it's held."

JAMES HAYES is a freelance writer based in the United Kingdom. His first feature on car hacking appeared in the January/February 2016 issue.

PROFESSIONAL DEVELOPMENT

IT'S NOT JUST WHO YOU KNOW

OR MAYBE IT IS. EXPAND YOUR PROFESSIONAL POTENTIAL BY BUILDING A PERSONAL LEARNING NETWORK.
BY KERRY ANDERSON
CYBERSECURITY is a discipline that requires continuous professional development to stay ahead of the new risks in the threat landscape, as well as an expanded expertise. Many of the technologies that cybersecurity practitioners must manage securely continually evolve, much as futurist Ray Kurzweil predicted in his 2001 essay The Law of Accelerating Returns, when he wrote that the 21st century will experience a rate of technological change that is a thousand times greater than in the prior one.

Cybersecurity teams will need to respond to new challenges while managing existing risks, such as social engineering. It may no longer be sufficient to obtain expertise after the fact; practitioners need to be able to anticipate the security repercussions of technological and societal trends, and acquire the necessary proficiencies to manage them for their organizations. Otherwise, practitioners will find themselves

constantly attempting to control the proliferation of potentially insecure technology implementations, such as cloud storage or BYOD, without appropriate controls or policies in place.

Most of us already have a means of finding expert advice, whether through publications, social media or conferences. But how many of us have actually established bona fide plans to build and nurture a professional network that incorporates the most popular ways of connecting with peers?

WHO'S IN YOUR PERSONAL NETWORK?

Many cybersecurity practitioners face challenges to their professional development, most commonly the cost of materials and outside training and the time away from the office or home. A Professional Learning Network (PLN), also referred to as a Personal Learning Network, can provide development opportunities close to home and at minimal (if any) cost.

Practitioners design their PLN to achieve a goal: become better at what they do, or what they want to do. Social media tools, such as Facebook, Twitter and LinkedIn, let (ISC)2 members connect with other professionals who share a common interest or passion in cybersecurity, and exchange ideas and possible collaborations. Additionally, we have former classmates, current and past coworkers, and members of professional organizations that we can contact on a somewhat regular basis. And that's important: to nurture a network, you need to keep in touch, though frequency rates may vary.

This brings up an important point, and a distinction for those formally creating a PLN versus just becoming more social. We learn from exchanging new ideas, knowledge and different attitudes that stimulate learning and professional growth. It is not a one-way relationship. An enduring PLN requires that communication and assistance flow in both directions. If a practitioner fails to return support to others within their PLN, members of the PLN may become reluctant to engage in the relationship in the future.

LOADING THE PLN

Designing a PLN requires a customized approach. It is essential to diversify the composition of a PLN. Practitioners might seek out potential contacts across many specializations, including relationships with individuals in cybersecurity-related disciplines and other fields, such as education and human resources. Sometimes the best way to learn from others is to engage others whose industries are not in competition.

There are a variety of tactics to build a core PLN under the overarching strategy of better connecting with experts in your field. For some, this might mean expanding beyond their normal comfort zone and putting more of themselves out there, by commenting on blog posts or articles, and attending more networking events. It all begins with establishing your professional presence, both in the physical and virtual worlds.

Participate in local professional organizations. Attend local chapter meetings or events of professional associations several times annually at least. Monthly meetings are often free or low cost. Events frequently offer member discounts. Get there early to network with peers, and stay for optional post-event activities when possible.

Make it a point to carry an ample supply of business cards: one from your current employer, and one with a more personal touch that includes your personal mobile phone number and email address, as well as any relevant social media profile links. Building a PLN is a lifetime investment in your career, so consider what you want to do well beyond your current position and use the personal business cards if your employer has strict rules for email and internet use done on company time. The bonus to these inexpensive personal business cards: the contact information typically stays current even if you change jobs.

Develop your social media profile. First, make sure your chosen social media profile is easy to find via an internet search using just your name. Don't skimp on the description sections. Your social media profile can be the equivalent of the elevator speech, essentially a 30-second promotion about you. People form an instant impression based on what, and how much, information you provide. It is a good idea to invest in a professional photo and a fully developed profile by listing relevant experience, certifications, education and other accomplishments, such as publications where you've contributed. LinkedIn features a profile strength-rating system that can be used as a model when assessing your profiles on other social media sites.

Blog. If you are a proficient writer, consider creating a blog. Blog posts can be short pieces on a timely topic that interests you, and are an excellent way to both develop and display your expertise. Great blog posts can grab others' attention and be shared via Twitter, Facebook, LinkedIn, and other popular social network platforms.

Contribute articles to publications. If writing is your passion, consider submitting an article to a professional association's magazine, newsletter or peer journal. In addition to publishing your piece, these publications also typically allow you to include your blog or personal website. Every publication has its own writer guidelines, so be sure

to review those before you submit a work.

Speak at events. Many cybersecurity conferences and events put out a call for papers (presentations), including those hosted by (ISC)2. Again, there typically are guidelines to follow, so be sure to apply properly to speak on a topic based on that conference's criteria for presenters. Not ready for the national stage? No problem. Many chapters of cybersecurity associations look for speakers for monthly meetings and annual events. Speaking at events gives others an opportunity to get to know you and add to your PLN. In addition to speaking, some events task speakers to write a blog on their session's topic, and this offers an additional mechanism for building a PLN.

Join online discussion forums. Virtual discussion groups exist all over the internet. It's not tough to find them, but it may take some work to find one that you want to join and to which you will contribute. Be sure to read threads to make sure there's valid information being exchanged, and that trolling or other disparaging comments are discouraged. There are literally hundreds of these groups related to information assurance and compliance areas. Some are open forums, while others require a request for membership to join.

LEARN MORE

Personal Learning Networks are not new, but they are an emerging concept among technologists after years of development by formal educators. Here are some online resources to get you started on building a robust roster of e-learning opportunities:

(ISC)2 Secure Webcasts
These sessions are free to members and may include CPEs for attending. Visit www.isc2.org and click the Events tab.

Stephen Downes
The Canadian researcher has posted a number of presentations on SlideShare outlining the benefits and online resources for developing a PLN. One particularly relevant slide deck is at http://www.slideshare.net/Downes/we-learn-66731688.

How to Create a Robust and Meaningful Personal Learning Network
This 2013 blog post by Debbie Morrison spells out a lot of opportunities (some mentioned in this article), including MOOCs.

How Important is Twitter to Your Personal Learning Network?
eLearn magazine dives into the value of this social media platform. The 2012 article is dated but still a good primer for those who haven't added their own 140-character thoughts to the Twitterverse.

BUILDING A COMMUNITY

The creation of a PLN does not replace the traditional development options of formal classroom training or conferences, but rather offers opportunities to expand knowledge and perspectives in a one-on-one manner. It is the foundational step for initiation into communities of practice. A community of practice is a collection of individuals who share a specific profession or area of interest. Jean Lave, a cognitive anthropologist, and educational theorist Etienne Wenger introduced this concept in their 1991 book Situated Learning: Legitimate Personal Participation. Wenger expounded on the topic in his 1998 book Communities of Practice: Learning, Meaning, and Identity. Communities of practice are pivotal in a profession like cybersecurity, where it is impossible to develop expertise in all areas.

A cybersecurity professional who does not participate in either informal or formal communities of practice, such as local chapters of professional associations, is at a distinct disadvantage in such a broad field with many sub-specializations.

Cybersecurity professionals build their own communities of practice using many of the same tools used to build a PLN: developing a strong social media presence, writing and blogging, and participating in conferences. In addition to these, there are a number of virtual discussion groups on social media sites, primarily LinkedIn. As an adjunct professor, I, along with my co-instructor, encourage our students to participate in communities of practice by creating a class blog.

PUT YOURSELF OUT THERE

A significant component of adult learning is social. We learn from our interactions with others. By designing a PLN, we can proactively engage others with knowledge we need to advance in our careers, and in our lives. In turn, we can do the same for someone else by becoming part of his or her PLN.

Sound simple? It is, at least in theory. Throughout our careers, many of us unconsciously build professional learning networks and, as a result, become a member of one or more communities of practice. With PLNs, and those dedicated to sustaining them as they evolve, so too does the cybersecurity industry through stronger professional relationships and greater information sharing. So, as you plan for 2017, consider raising your personal profile, online and in real life, to help make our cyber world a little safer.

Massachusetts-based (ISC)2 member KERRY ANDERSON has earned the following education and career credentials: CISSP, ISSAP, ISSMP, CISM, CISA, CGEIT, CSSLP, CRISC, CFE, CCSK, MBA, MSIA.

PROFESSIONAL DEVELOPMENT

Playing by the BOOK

HOW AN (ISC)2 MEMBER CREATES CHILDREN'S BOOKS ALSO MEANT FOR THEIR ELDERS. BY CHRIS GRECO

CYBERSECURITY CAN SEEM relatively complex to children. I know from experience that our youngest members of society view technology from a convenience standpoint: being able to connect with others, or collect information at the touch of a button. This is a generation of texters, not talkers, who rarely use a smartphone to actually make a call. Instead, they are adept at using more modern methods to communicate using social networking tools.

But this convenience comes with risks, from privacy intrusions to identity theft, cyberbullying and even extortion. That is the reason children's books on cybersecurity are both wanted and warranted in this age of cyber first, consequences second.

As an author of a series of children's books on cybersecurity, I can attest that these publications are neither simple nor straightforward to produce, but they also are one of the

most satisfying and rewarding ventures that I have ever accomplished, besides helping my wife raise our two children, of course.

GETTING READY TO LAUNCH

When I first started writing and illustrating cybersecurity books for children, I wanted to ensure that the character would be someone who children would enjoy listening to, as well as learning from. Granpappy Turtle fulfills both needs.

He understands how to speak to the generations that followed him, by asking good, focused questions. The character is the right blend of inquisitive and knowledgeable to work for these types of books.

While the character was important, the content was key. I wanted to present a book that parents could read to their children, or that children could (eventually) read themselves to provoke thought. As a parent, I can tell you that my children might listen to what I say, but they listen to another adult with much more attention. The same is true with Granpappy Turtle and the characters that surround him.

As for the content of the books, I am still exploring the tone and volume of the written language that grabs children's attention. I try to share my books with friends and their children to get feedback on the content and then use that feedback to refine the message.

The books that I write are not for early elementary school age, but more for 8- to 10-year-old children. I have found that 9-year-old children thoroughly enjoy the books and do not feel challenged by the language. At a recent book festival, I had a 9-year-old pick up one of my books and read it so well that I was sure that my age range was appropriate.

In addition to the content of the book, the venue is also important. I tried narrating some of my Granpappy Turtle books on shared video websites like YouTube, but

[Illustration by Chris Greco. Caption: This is one illustration that, with a narrative, helps explain how a computer user downloads information from the web.]

first one, on passwords, was something that we all encounter. For most of us, it's a simple task to generate a password, which is why there are tons of easy passwords out there to break.

I wanted to ensure I got the point across that passwords are the keys to your padlock of information you want to keep secret. Keep in mind, we are dealing with an age in which schoolyard friendships are frequently cemented over sharing secrets.

In some cases, I have heard of children giving away their passwords to their best friends. Although I can understand how you want to trust people, the best friends in a child's life change, sometimes daily, and that can lead to someone who is not a friend getting the password. From there they can wreak havoc on the child's social networking site, posting comments or pictures that seem like they are coming from the child. In today's world, the lines between real life and online personas are blurring, so what is said online can easily spill into the real world and cause needless friction and fractures.

My book, therefore, had to address both the password structure and content in easily understood terms, and underscore why it is essential to keep passwords secret, all this with colorful pictures.

WHY CHILDREN'S BOOKS

Someone once asked me why I write children's books rather than books for adults. I had to smile since I actually write children's books for adults. I know that, as an adult, I used to read books to my children at bedtime, as well as reviewing them before I read them.

I often found the books were as educational for me as for them, and I hope my books may also spread education by the parents reviewing the book prior to reading it to their children. I also expanded my offering to e-books, which helps the parent (or any adult) download the book and then
the results have been mixed. I am still experimenting with use their mobile device to share it. I feel that this is the
all of these aspects of childrens book writing to see which epitome of informing people about cybersecurity: using
ones work and which ones dont, but the journey is well technology to teach it!
worth the work. I have learned a lot by creating Granpappy Turtle books.
The topics for the books were no easy task either. The In exploring the subject for my first book, I learned that

some of the password techniques I have used in the past to reduce my risk did not actually reduce my risk at all, and I am a computer security professional!

The research that I have done to make these books as factual as possible, while surrounding them with turtle characters, mixes the real and the imagined so that children can adopt the character as someone that gives them information to keep them safe.

I hope that through my make-believe characters and handy delivery formats, both reading and concepts of cybersecurity are a little more enjoyable, and prompt the actions we want children to take to become safer online.

I am continuing the storytelling with more Granpappy Turtle books, including a two-part series on cybersecurity (the first part is out now and the second part is coming). Becoming an author also has led me to present cybersecurity concepts at senior centers, where elder citizens, whom I have named Silver Hats, can also learn from Granpappy Turtle about how to not fall for online scams and fraud. This, along with the writing and illustrating of other non-cybersecurity-related Granpappy Turtle books, helps me to give back to the computer security community.

CHRIS GRECO, CISSP, is a senior consultant/trainer with Greco Techknowledgee (GRECTECH) (www.grectech.com).

A Marketing Tip When You're Self-Published

WRITING AND ILLUSTRATING children's books is hard work. Marketing finished works can be just as hard, maybe even harder. It takes time and a strategy to spread the word and gain readers, especially if you are self-published and do not have a publishing company to help with marketing.

I recently participated in the Baltimore Book Festival to sell my Granpappy Turtle children's books and found one way to attract potential customers was to have a game or contest.

During the festival many people had games of chance (usually a spinner) where every spin rewarded a prize. Since my main book is on passwords, I downloaded a cell phone app that would score a person's password. When someone came to my booth and showed interest, usually by smiling at my book cover, I would ask them if they felt their password was strong. Most would be pretty humble and say no, to which I would ask them to put a password (not the one that they use for any of their applications) into the password meter to check the strength.

If their password was not strong, I would then show them that adding just three characters would make the password that much stronger. Their reaction was one of surprise and delight. In one instance, a young lady put in four numbers, all the same. It was the lowest score of the day. She was shocked, saying that she thought placing four of the same number would be the hardest to guess.

With that lesson, people expressed a little more interest in the book. In a sense, they all won the prize that day.

Chris Greco

CENTER POINTS
FOCUSING ON EDUCATION AND RESEARCH INITIATIVES

Pat Craven is the director of the Center for Cyber Safety and Education and can be reached at [email protected].

Raising Awareness, Scholarships and Opportunities for Future Cybersecurity Professionals
BY PAT CRAVEN

I KNOW YOU THINK I am going to talk about Garfield this month, given our big launch at September's Security Congress in Orlando. Yes, we've worked hard over the past year to make the world's most recognizable feline our Safe and Secure Online spokescat. But that isn't all we've been working hard on this year. In addition to achieving record-shattering participation in this year's Global Information Security Workforce Study, we have revitalized our scholarship program, also to great success.

This year, with your support, we are providing some USD$150,000 in educational scholarships to help prepare the next generation of cybersecurity professionals. Last year 66 students applied for financial aid; this year we received 511 applications for our women's, graduate and undergraduate scholarships. Of those seeking aid, 61 percent of applicants were female and 56 percent were born outside the United States. Of the 42 scholarships awarded, 22 (52 percent) went to females and 20 (48 percent) to males.

Applications for next year's women's, graduate and undergraduate scholarships open in January 2017. Information on all scholarships may be found at www.isc2cares.org/scholarships.

CHAPTER CHALLENGE WINNERS

This year also saw the introduction of a new three-year partnership with Raytheon. The technology organization is now providing two USD$10,000 scholarships along with a paid summer internship for two aspiring female cybersecurity professionals. We are so excited Raytheon is providing a model program that we hope inspires other companies committed to diversity within information security.

But the achievements don't stop there. This year we challenged three (ISC)2 chapters to pilot a new effort to provide scholarships to high school students in their communities. The results are in! The following chapters met the (ISC)2 Chapter Scholarship Challenge by raising at least USD$1,500 in funds and expanding opportunities for high school students in their communities. Here are their fundraising totals as of October 1:

Austin Chapter USD$3,409
Tampa Bay Chapter USD$3,000
Richmond-Metro Chapter USD$1,500

Congratulations to these chapters for collectively raising nearly USD$8,000 toward information security scholarships.

FUTURE CHALLENGES?

Does your U.S.-based chapter want to provide local high school students with scholarships? A new fundraising period opens on November 1 and runs until July 31, 2017. That's nine months of fundraising, and we have all the tools you need to help. Chapters will have their own personalized donation pages, where the chapter's scholarship can be promoted on social media sites and funds can be collected online. (ISC)2 will also help you get the word out by emailing (ISC)2 members in your local community. It's easy, and a great way to help impact future cybersecurity professionals.

Join in the fun and make a difference! Email us at [email protected] for more information on how you, your chapter, or your company can play a part in preparing the next generation of information security professionals.

5 MINUTES WITH TUSHAR GOKHALE

Tushar Gokhale lives in Dallas, Texas, but grew up in Mumbai, India. The cybersecurity specialist has been part of (ISC)2 for more than two years and is the newest member of our Editorial Advisory Board.

EDITED BY ANNE SAITA

When did you know you wanted a career in information security?

After I completed my bachelor studies in electronics and telecommunication engineering, I started working as a network and communication engineer. I worked on several network design and technology projects, such as implementation of routers, firewalls, intrusion detection and prevention systems, etc. At that juncture, I decided to start learning more about information technology security and eventually pursued a career in information security.

After realizing that was your chosen path, how easy or difficult was it to gain entry?

I must say, it was a little difficult. Specifically in India, I remember information security was considered a branch of IT and a potential candidate for information security was expected to be best at information technology most times. An entry-level career as an information security professional was a little difficult, as in most industries and sectors, security concepts and security implementations were considered child projects of IT implementations.

What have been your biggest hurdles in your current career?

Transitioning my career from a network and communication engineer to an information security specialist was the biggest hurdle. It was more difficult than I thought it would be. Further, elevating my career path by focusing on being a technology security professional to business security professional was another challenge.

You're originally from India. What part of the nation are you from, and how has living in India, and still visiting, impacted your career?

I am from Mumbai (often termed the financial capital of India), which is located in western India's state of Maharashtra. There is always huge demand for great talent across all sectors and industries in Mumbai. I started my professional career in Mumbai and later moved to the United States to pursue a formal education in the field of information security. My information security professional contributions to the financial and insurance sector in Mumbai provided the groundwork for my current work in the United States and internationally. I believe the more diverse and international your experience is, the more rewarded you are.

What are you most proud of accomplishing with the group to date?

Every achievement and contribution I make to the information security community makes me feel satisfied. That includes doing my small part to help nurture others in the information security profession. I'm proud to have earned a master's degree in information security, continue to advance in my professional career, and volunteer as a peer reviewer for academic and professional security journals and magazines. I've also been an instructor for security courses, judged cybersecurity contests, and held other roles that I believe contribute to making our community and industry better.

What do you believe are some misconceptions about the cybersecurity workforce in India?

Not only India, but a majority of developing nations still consider cybersecurity as only a technology challenge. Also, another misconception is that only those with a technology background and a significant amount of technical experience can advance to a career in cybersecurity. This may not always be true. While cybersecurity could still be technical at its core, in a wider context it is a business challenge and overlaps with governance, risk, compliance and business in addition to technology.

An expanded version of this interview will appear in the December issue of Insights, a companion e-newsletter for the (ISC)2 membership.

Why blow your budget on piecemeal, ad hoc content generation?

Use our full-service creative agency dedicated to delivering your unique message

Unleashing strong ideas and creating effective content marketing that is on brand and on time is our specialty. Twirling Tiger Media, a creative agency with its roots in journalism, is a team of expert storytellers and designers who will connect your customers' business issues to your company's solutions through original and honest content, the type that will attract, acquire and engage your target audience.

Drive profitable audience action with our services, which will be on brand with your company's marketing goals: Articles, Blogs, Case Studies, Content Marketing, Custom Content, eBooks, Infographics, Inspirational Quotes, Leadership Guides, Magazines, Newsletters, Press Releases, Publications, Social and Digital Media, Sponsored Content, Success Stories, Web Content, White Papers and more!

For how our team of experts can serve you, please contact Bob Ostrow at [email protected].

Twirling Tiger Media, creators of content you can sink your teeth into. Twirling Tiger Media is certified as a women's business enterprise by the Women's Business Enterprise National Council (WBENC) and federally designated as a Women-Owned Small Business (WOSB). twirlingtigermedia.com
