Presented by Peter Fortunato

BNN’s Risk and Business Advisory Team


BNN’s Risk and Business Advisory Team

◦ Peter Fortunato; CISM, CISA, CISSP


https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

CompTIA
◦ Security+

ISACA
◦ CISA – Certified Information Security Auditor
◦ CISM – Certified Information Security Manager
◦ CRISC – Certified in Risk and Information Systems Control


(ISC)2
◦ SSCP – Systems Security Certified Practitioner
◦ CISSP – Certified Information Systems Security Professional


A system administrator is configuring accounts on a newly established server. Which of the following characteristics BEST differentiates service accounts from other types of accounts?

A. They can often be restricted in privilege.
B. They are meant for non-person entities.
C. They require special permissions to OS files and folders.
D. They remain disabled in operations.
E. They do not allow passwords to be set.


Which of the following if used would BEST reduce the number of successful phishing attacks?

A. Two-factor authentication
B. Application layer firewall
C. Mantraps
D. User training


Protection of Information Assets

Information Systems Operations, Maintenance and Service Management

Information Systems Acquisition, Development and Implementation

Governance and Management of IT

The Process of Auditing Information Systems


Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?

A. Response
B. Correction
C. Detection
D. Monitoring


When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:

A. incorporates state of the art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.
D. specifies project management practices.


Information Security Governance

Information Risk Management

Information Security Program Development and Management

Information Security Incident Management


All risk management activities are PRIMARILY designed to reduce impacts to:

A. a level defined by the security manager.
B. an acceptable level based on organizational risk tolerance.
C. a minimum level consistent with regulatory requirements.
D. the minimum level possible.


A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name.

Which would be the BEST approach to prevent successful brute forcing of the account?

A. Prevent the system from being accessed remotely
B. Create a strong random password
C. Ask for a vendor patch
D. Track usage of the account by audit trails


Which of the following is MOST beneficial to the improvement of an enterprise’s risk management process?

A. Key risk indicators (KRIs)
B. External benchmarking
C. The latest risk assessment
D. A maturity model


Which of the following factors should be analyzed to help management select an appropriate risk response?

A. The impact on the control environment
B. The likelihood of a given threat
C. The costs and benefits of the controls
D. The severity of the vulnerabilities


Certification        Years of Exp.   Exam Cost       Practice Questions   Books          Total
Security+            3               $330            $89                  $50            $420
SSCP                 1               $330            $89                  $45            $464
CISSP                5               $650            $99                  $70            $819
CISA, CISM, CRISC    5               $575 - $760*    $185 - $225*         $105 - $135*   $865 - $1,120

*ISACA Non-member price.


https://www.csoonline.com/article/3116884/security/top-cyber-security-certifications-who-theyre-for-what-they-cost-and-which-you-need.html


Job Requirement

Desire for a Self-propelled Career

Personal Challenge / Satisfaction

Monetary Gain


Knowledge of Subject Matter

Experience

Ethics


In my opinion, and by the standards of many employers, this is not true. The exams might not be as respected as other certification leaders, but they are comprehensive and you must study hard to pass.

CompTIA Security+ certification covers network security, cryptography, identity management, compliance, operation security, threats, and host security, among other topics.


https://www.globalknowledge.com/us-en/content/articles/top-paying-certifications


According to the 2018 Report:

“IT WILL PROBABLY BE YOU ONE DAY”

“Most cybercriminals are motivated by cold, hard cash. If there’s some way they can make money out of you, they will.”

*Verizon 2018 Data Breach Investigations Report, 11th Edition


For further information or questions feel free to reach out to:

Peter Fortunato, RBA Manager
◦ [email protected]
◦ (207) 791-7561


https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf

https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

http://www.nomoreransom.org/

https://urlhaus.abuse.ch/host/bluesky-oz.ru

https://cloudblogs.microsoft.com/microsoftsecure/2014/12/30/before-you-enable-those-macros/

https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd

https://www.washingtonpost.com/local/public-safety/hack-of-baltimores-911-dispatch-system-was-ransomware-attack-city-officials-say/2018/03/28/e273ef36-32a3-11e8-8abc-22a366b72f2d_story.html?noredirect=on&utm_term=.bd822425af42

https://www.engadget.com/2018/04/23/atlanta-spends-over-2-million-ransomware-recovery/

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf