As published in the November/December edition of InfoSecurity Professional Magazine. It could be a blended attack as slick as a multichannel marketing campaign. Or a spontaneous crime of opportunity by a single disgruntled employee. It could even be an innocent configuration error. When a threat exists, there will be indicators. The perennial challenge is to hunt for signs in the right places and to isolate the signal from the noise. How best to find—and remove, where possible—such threats remains up for debate. Lance Cottrell, chief scientist at Ntrepid, approaches threat hunting less as a specific set of techniques than as a set of high-level goals. “From the 50,000-foot view, we’re trying to understand the threat landscape,” he says. “Writ large,
Feb 24, If you hold the CISSP certification, you may have asked yourself “What’s next for me?” as far as your certification journey is concerned. For many professionals, the next step is one of the CISSP concentrations: architecture, engineering or management. This year, the CISSP-ISSAP (Information Systems Security Architecture Professional) exam will be updated. The exam length (125 items in three hours) remains unchanged, as does the number of domains (six). However, the domains have been reordered and reweighted based on last year’s Job Task Analysis (JTA), a process by which professionals who hold the CISSP-ISSAP review the content of the exam and make recommendations to best align the exam’s domains with the current work performed by those in relevant
Feb 21, As published in the November/December 2019 edition of InfoSecurity Professional Magazine. By Naresh Kurada, CISSP. Threat modeling is gaining even more attention with today’s dynamic threat environment. The sophistication of threat actors and development of advanced tactics, techniques and procedures (TTPs) has put a brighter spotlight on the process of finding vulnerabilities by incorporating the attacker’s point of view. There are several threat modeling approaches and techniques to consider. Often, these can be classified as asset-centric, system-centric, people-centric or risk-centric. For instance, Microsoft’s STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) is system-centric, while PASTA (Process for Attack Simulation and Threat Analysis) is risk-centric. Regardless of the model, the primary objectives remain the same—identify threats and
Feb 20, By Clayton Jones, Managing Director, Asia-Pacific for (ISC)². The past few weeks have been challenging. Governments, individuals and organizations are working hard to contain the spread of Covid-19. Many of us across the Asia-Pacific region are still haunted by the SARS epidemic that wreaked havoc back in 2003. At the time, I had a very young family and was new to (ISC)², which in the region was still in its infancy. I feared for the health of my family and was also very conscious of the potential impact an economic downturn in the region could have on my recently created position. 17 years later, my children are young adults and (ISC)² has grown our membership in the region to over
Feb 19, (ISC)²’s Certified Information Systems Security Professional (CISSP) is currently the sixth highest paying IT certification, according to newly published research. CISSP-certified cybersecurity professionals earn salaries averaging more than $140,000. The CISSP is one of just six IT certifications commanding salaries above $140,000, which places them on the 15 Top-Paying IT Certifications for 2020 compiled by training company Global Knowledge. The list contains salaries ranging from an average of $117,000 for Citrix Certified Professional – Virtualization to nearly $176,000 for Google Certified Professional Cloud Architect. The list’s top four certifications are either in cloud computing or cybersecurity, confirming that demand in these two areas continues to soar. In cybersecurity, (ISC)² research has revealed an acute shortage of cybersecurity skills, currently estimated at 4
Feb 18,