I posted about a list of hacker movies back in October. Today I looked up the book on Amazon, and it's $10 for the Kindle edition. I did a little more digging and found the entire list published on Cybercrime Magazine for free. It includes links and a PDF download. A great, fun resource for finding a good movie to watch this weekend. Enjoy!
Category: cybersecurity
How To Get Started in Information Security
How I Earned my Certified in Cybersecurity Certificate for Free
In my company, someone posted about (ISC)2 giving away certifications. (ISC)2 is the same company that provides the CISSP and other certifications that are well-recognized by companies throughout the world. This One Million Certified in Cybersecurity initiative started at the end of August 2022 with a press release on their website.
I was intrigued and signed up. It is free, so there is nothing to lose but time. Even if you fail, you still learn something. The certificate they are helping people receive is called Certified in Cybersecurity (CC). It is a beginner certification and you need no experience to start. Step-by-step instructions are here, but I want to share my own experience.
The free training is split into 5 sections/domains/chapters. I took one a week. After taking the training I signed up for the test which was two weeks out. I took that time to study, going through the terms and making sure I understood the ideas behind the terms.
You have to take this test at a Pearson VUE center. This was my first time taking a test at Pearson and I found this video very helpful.
I can’t say anything about the test, other than with the studying I did and the (ISC)2 training I was well prepared. You have to sign an NDA before taking the test.
I really enjoyed this program as it helped validate my feelings that I understand cybersecurity fundamentals. I highly recommend it. There is one small catch… After you pass the exam you need to pay your first $50 annual maintenance fee in order to obtain your certification. For me, this was a very small ask for getting free training and a free exam. The exam is usually $199. It is a great deal.
Access Controls
Discretionary Access Control (DAC) – A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be.
Mandatory Access Control (MAC) – Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.
Role-based access control (RBAC) – An access control system that sets up user permissions based on roles.
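To make the three definitions concrete, here is a small added Python sketch (not part of the (ISC)2 training or the original post; the users, labels, roles and objects are made-up sample data). It shows who decides access in each model: the owner (DAC), the system's labels (MAC), or the role assignments (RBAC).

```python
"""Toy implementations of DAC, MAC and RBAC checks.

Added illustration only. Every subject, object, label and role below is a
constructed example, not data from any real system.
"""
from dataclasses import dataclass, field


# --- DAC: the object's owner hands out rights at their discretion ---
@dataclass
class DacObject:
    owner: str
    # subject -> set of rights ("read", "write", "control")
    acl: dict = field(default_factory=dict)

    def grant(self, by: str, to: str, rights: set) -> bool:
        """Only the owner, or someone the owner gave 'control' to, may edit the ACL."""
        if by != self.owner and "control" not in self.acl.get(by, set()):
            return False
        self.acl.setdefault(to, set()).update(rights)
        return True

    def allows(self, subject: str, right: str) -> bool:
        return subject == self.owner or right in self.acl.get(subject, set())


# --- MAC: the system enforces labels; neither owner nor user can override ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows(subject_clearance: str, object_label: str, right: str) -> bool:
    """Confidentiality rule: read only at or below your clearance,
    and never write to a label lower than your own (that would leak data)."""
    subj, obj = LEVELS[subject_clearance], LEVELS[object_label]
    if right == "read":
        return subj >= obj
    if right == "write":
        return subj <= obj
    return False


# --- RBAC: permissions attach to roles, users are assigned roles ---
ROLE_PERMS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}}


def rbac_allows(user: str, right: str) -> bool:
    """A user may do anything any one of their roles permits."""
    return any(right in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))


def demo() -> dict:
    """Run one scenario per model and return the decisions for inspection."""
    report = DacObject(owner="alice")
    report.grant("alice", "bob", {"read"})          # owner decides: allowed
    bob_regrants = report.grant("bob", "carol", {"read"})  # bob lacks 'control'
    return {
        "dac_bob_read": report.allows("bob", "read"),
        "dac_bob_write": report.allows("bob", "write"),
        "dac_bob_regrant": bob_regrants,
        "mac_internal_reads_secret": mac_allows("internal", "secret", "read"),
        "mac_secret_writes_internal": mac_allows("secret", "internal", "write"),
        "rbac_alice_write": rbac_allows("alice", "write"),
        "rbac_bob_write": rbac_allows("bob", "write"),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'allowed' if decision else 'denied'}")
```

The point to notice: in the DAC case Bob cannot pass his read right on because Alice never gave him control; in the MAC case Alice's ownership would not matter at all, because the labels are enforced by the system; and in the RBAC case changing what Bob can do means changing his roles, not touching the object.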
Risk Treatment
Risk Treatment is making decisions about the best actions to take regarding the identified and prioritized risk. There are four types outlined below:
- Risk avoidance is the decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose risk avoidance when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.
- Risk acceptance is taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.
- Risk mitigation is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact. Mitigation can involve remediation measures, or controls, such as security controls, establishing policies, procedures, and standards to minimize adverse risk. Risk cannot always be mitigated, but mitigations such as safety measures should always be in place.
- Risk transference is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.
I’m posting this because it is a concept that I have in the past been confused about. For example, mitigation and transference can be confused in the following way. If someone decides to buy software, are they transferring the risk to the manufacturer of the software? No, this is an example of mitigation, because no other outside party has taken responsibility.
I also think that risk avoidance should just be called risk elimination. To me avoidance sounds a lot like taking no action, which is actually risk acceptance. Very strange way to think about it!
Books about cybercrime
A Guardian article was recently published covering the top 10 cybercrime books. What they didn’t do is rank them with any third-party data. Below I’m putting those 10 books plus another with their Goodreads ratings (on a 0-5 scale, 5 being best), to help me, and maybe you, choose the right book to start reading first.
| Book | Rating | Note |
|---|---|---|
| The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick | 3.76 | |
| People Like Her by Ellery Lloyd | 3.37 | |
| The Blue Nowhere by Jeffery Deaver | 4.10 | I read this years ago and it is still one of my favorite books! |
| Impostor Syndrome by Kathy Wang | 3.29 | |
| Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter | 4.16 | This is nonfiction and has over 6,000 reviews on Goodreads. It looks like a great place to start. |
| Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth by Theresa Payton | 3.91 | |
| Little Brother by Cory Doctorow | 3.93 | |
| Digital Fortress by Dan Brown | 3.68 | |
| DarkMarket: How Hackers Became the New Mafia by Misha Glenny | 3.78 | |
| Zoo City by Lauren Beukes | 3.63 | |
| Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore by Joe Payne, Jadee Hanson, Mark Wojtasiak | 3.88 | |
Cybersecurity Articles | Week of October 24, 2022
- TechCrunch, Inside TheTruthSpy, the Stalkerware network spying on thousands by Zach Whittaker (Oct 26) | A database containing about 360,000 unique Android devices was exposed.
- TechCrunch, Hive Ransomware gang leaks data stolen during Tata Power cyberattack by Carly Page, Jagmeet Singh (Oct 25) | Tata Power, which serves more than 12 million customers through its distributors, confirmed on October 14 that it had been hit by a cyberattack.
- Bleeping Computer, Medibank now says hackers accessed all its customers’ personal data by Tom Toulas (Oct 26) | All customers’ personal data and significant amounts of health claims data were downloaded.
- Bleeping Computer, Dutch police arrest hacker who breached healthcare software vendor by Tom Toulas (Oct 25) | A 19-year-old hacker is being held by police while they investigate him. 19!
- CSO Online, Iran’s nuclear energy agency confirms email server hacked by Apurva Venkat (Oct 24) | Iranian hacking group Black Reward has claimed responsibility for a breach at the email server of the country’s Bushehr nuclear power plant, in support of nationwide protests over the death of a young woman in police custody.
- Wall Street Journal, ‘Deepfakes’ of Celebrities Have Begun Appearing in Ads, With or Without Their Permission by Patrick Coffee (Oct 25) | Digital simulations of Elon Musk, Tom Cruise, Leo DiCaprio and others have shown up in ads, as the image-melding technology grows more popular and presents the marketing industry with new legal and ethical questions.
- Dark Reading, Stress Is Driving Cybersecurity Professionals to Rethink Roles by Staff (Oct 24) | Burnout has led one-third of cybersecurity staffers to consider changing jobs over the next two years, potentially further deepening the talent shortage, research shows.
Great Recent Articles
- Nature: Why scientists are turning to Rust by Jeffrey M. Perkel (Dec 11, 2020)
  - Why this is interesting: Rust is seen as more secure than other, older programming languages.
- The Trade Secrets Network: Struggles with Insider Risk Program Stakeholders by Stacey Champagne (Sep 9)
- Bleeping Computer: Web browser app mode can be abused to make desktop phishing pages by Bill Toulas (Oct 3)
- CSO Online: Lessons of the Sarah Palin e-mail hack by Roger A. Grimes (Sep 19, 2008)
  - Dated, but an excellent example of just how easy it is to hack a poorly secured email password.
Verizon Data Breach Reports
Full disclosure: I work for Verizon. Regardless of that fact, these are information-packed reports that I found fascinating.
- All reports – list of cool stuff to browse through.
- Data Breach Investigations Report (DBIR) – THE report that analyzes the threat landscape. It tells the story of what is happening with data breaches across industries.
- Insider Threat Report – This report is very much like the DBIR, but focuses specifically on insider threats. An amazing resource to get better acquainted with what the issues are and what is happening in this world.
Star Trek & Cybersecurity
These two things together. Take my money!
Hacker’s Movie Guide: The Complete List of Hacker and Cybersecurity Movies by Steven C. Morgan, Connor S. Morgan