Wednesday, May 6, 2015

New, hot and (arguably, once you hold your CISSP or an equivalent) must-have certifications for Information Security Professionals



A big hello to my fellow Information Security Professionals. Many of us, having completed our CISSP, CISA/CISM or PMP, are wondering what comes next. Below is the answer:
ISC2 and ISACA, two giants of the information security world, have come up with two new certifications: CCSP (Certified Cloud Security Professional) and CSX (Cyber Security Nexus) at Practitioner, Specialist and Expert level.
The areas they cover, cloud computing and cyber security, are among the most talked about and most in demand in the current market.



1. CCSP - Certified Cloud Security Professional
CCSP is a global credential born from the expertise of the two industry-leading stewards of information systems and cloud computing security, ISC2 and CSA.
The CCSP exam tests a candidate's competence in the six CCSP domains of the ISC2 Common Body of Knowledge (CBK), which cover:
· Architectural Concepts & Design Requirements
· Cloud Data Security
· Cloud Platform & Infrastructure Security
· Cloud Application Security
· Operations
· Legal & Compliance


2. CSX (Cyber Security Nexus) – Practitioner, Specialist & Expert
Whereas other certifications available today test for knowledge in a question-and-answer format, CSX training and exams are conducted in a live, virtual “cyber lab” environment, providing validation of actual technical skill, ability and performance.

CSX Practitioner
A CSX Practitioner certification demonstrates your ability to serve as a first responder, following established procedures and defined processes and working mostly with known problems on a single system. You will show that you have firewall, patching and anti-virus experience and can implement common security controls, perform vulnerability scans and carry out some analysis.

CSX Specialist
The CSX Specialist series offers you the opportunity to pursue a certification in a specialty area, allowing you to demonstrate deep knowledge and ability in that domain. Choose from five independent certifications: Identify, Protect, Detect, Respond or Recover. These certifications build on the skills developed in CSX Practitioner and test advanced concepts in each of the domains.

CSX Expert
A CSX Expert certification establishes your standing as a master-level security professional capable of identifying, analyzing, responding to and mitigating the most complex cybersecurity incidents, usually in intricate enterprise environments with significant exposure to attack. CSX Experts are the authoritative source for all cybersecurity matters within an organization and approve cybersecurity controls.
For more details: http://www.isaca.org/cyber/Pages/csx-cybersecurity-nexus-certifications.aspx

If you ask my personal favourite, after my CISSP, PMP etc., it is CSX, as cyber security is the next big thing!

All the best, and please feel free to get in touch with me for any clarifications or guidance.

Deepesh Kumar
CISSP,PMP, ISO 27001 LA,CHFI

Image Courtesy : ISC2 and ISACA

Wednesday, April 15, 2015

Changes to PCI DSS v3.1 - What has changed in comparison to PCI DSS v3.0




PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) Version 3.1 and supporting guidance today. The revision includes minor updates and clarifications, and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.





PCI DSS version 3.1 is effective immediately. PCI DSS Version 3.0 will be retired on 30 June 2015.

What has changed?

Three requirements were reworded. In each case the v3.1 text is the v3.0 text with "SSL" (or "SSL/TLS") replaced by "TLS"; nothing else in the requirement changed.

Section 2.2.3*
PCI DSS v3.0: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
PCI DSS v3.1: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.

Section 2.3
PCI DSS v3.0: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
PCI DSS v3.1: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.

Section 4.1
PCI DSS v3.0: Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
· Only trusted keys and certificates are accepted.
· The protocol in use only supports secure versions or configurations.
· The encryption strength is appropriate for the encryption methodology in use.
PCI DSS v3.1: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
· Only trusted keys and certificates are accepted.
· The protocol in use only supports secure versions or configurations.
· The encryption strength is appropriate for the encryption methodology in use.


*- Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.

My view on TLS: TLS 1.0 is vulnerable to attacks on its CBC-mode cipher suites (BEAST), which is why it falls under "early TLS" above. The recommended version is TLS 1.2.
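The practical consequence of the note above is a configuration check: any web server or TLS termination point in scope must not offer SSLv3, TLS 1.0 or (by the same reasoning) TLS 1.1. The following Python script is an added example, not code from PCI SSC or from this post's author. It lints nginx `ssl_protocols` and Apache `SSLProtocol` directives against that rule and shows a v3.0-era setting beside a v3.1-compliant one. All configuration snippets are constructed for illustration; the expansion of Apache's `all` keyword and the inclusion of TLS 1.3 (which postdates the post) as a strong version are assumptions.

```python
"""Lint nginx and Apache TLS protocol settings against the PCI DSS v3.1 rule
that SSL and early TLS are not strong cryptography.

Added example, not from PCI SSC or the post's author; the config snippets
below are constructed for illustration.
"""
import re

# Versions PCI DSS v3.1 calls "SSL and early TLS". TLS 1.1 is included on the
# same reasoning (assumption: the reader wants a TLS 1.2 floor).
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Versions accepted as strong. TLS 1.3 postdates the post; it is listed so a
# newer build's setting is not flagged (assumption).
STRONG = {"TLSv1.2", "TLSv1.3"}
# Assumption: what Apache 2.4's "all" keyword expands to. SSLv2 is never
# part of "all", so "-SSLv2" is a harmless no-op.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def nginx_protocols(conf: str) -> set[str]:
    """Union of every `ssl_protocols` directive in an nginx config."""
    enabled = set()
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M):
        enabled.update(m.group(1).split())
    return enabled


def apache_protocols(conf: str) -> set[str]:
    """Expand every Apache `SSLProtocol` directive (`all -SSLv3 +TLSv1.2`
    form) into an explicit set and union the results across directives, so a
    weak setting in any vhost is reported."""
    enabled = set()
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+)$", conf, re.M):
        this = set()
        for tok in m.group(1).split():
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = APACHE_ALL if name.lower() == "all" else {name}
            if sign == "+":
                this |= names
            else:
                this -= names
        enabled |= this
    return enabled


def weak_enabled(enabled: set[str]) -> list[str]:
    """Sorted list of SSL / early-TLS versions that are still switched on."""
    return sorted(enabled & WEAK)


def pci_compliant(enabled: set[str]) -> bool:
    """True when no weak version is on and at least one strong version is."""
    return not (enabled & WEAK) and bool(enabled & STRONG)


# Constructed snippets: the v3.0-era setting beside the v3.1-compliant one.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_NGINX = WEAK_NGINX.replace("SSLv3 TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2")
WEAK_APACHE = "SSLProtocol all -SSLv2\n"
HARDENED_APACHE = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    cases = [
        ("nginx (weak)", nginx_protocols(WEAK_NGINX)),
        ("nginx (hardened)", nginx_protocols(HARDENED_NGINX)),
        ("apache (weak)", apache_protocols(WEAK_APACHE)),
        ("apache (hardened)", apache_protocols(HARDENED_APACHE)),
    ]
    for label, enabled in cases:
        print(f"{label:20} weak={weak_enabled(enabled)} "
              f"compliant={pci_compliant(enabled)}")
```

Run it against your own `nginx.conf` or `ssl.conf` by reading the file into the `*_protocols` function for that server; a non-empty `weak_enabled` list is exactly what an assessor will pick up after the June 30, 2016 deadline. The check reads configuration only; it does not confirm what the running server actually negotiates, so pair it with a live handshake test from outside the environment.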


 Courtesy :  PCI DSS

Thursday, February 19, 2015

Privacy vs security…isn’t it the same thing?



Not really, but they are cousins. Data privacy is focused on the use and governance of personal data: things like putting policies in place to ensure that consumers' personal information is collected, shared and used in appropriate ways. Security focuses more on protecting the confidentiality, integrity and availability of data. While security is necessary for protecting data, it is not sufficient for addressing privacy.





 Image source: ISACA
Courtesy : IAPP