Sunday, April 26, 2026
AI cybersecurity guidance for small businesses

Know where your business is exposed, what matters most, and what to fix first.

CyberExperts gives small businesses AI-generated cyber checkups, practical recommendations, and recurring cyber hygiene monitoring — without enterprise consulting complexity.

AI Cyber Checkup: Identify likely weak points and get a prioritized action plan.
Recurring Monitoring: Stay current with updated cyber hygiene guidance over time.
Built for SMBs: Practical recommendations for real-world small business setups.

Most small businesses know cybersecurity matters. Very few know what to fix first.

CyberExperts turns cybersecurity confusion into a practical action plan. Instead of vague fear, generic checklists, or expensive consulting, you get AI-generated guidance focused on likely risks, weak spots, and the most important next steps.

How it works

1. Tell us about your business: Share your team size, tools, email setup, device practices, and current security habits.
2. CyberExperts analyzes your setup: Our AI reviews likely weak points, common risks, and practical cyber hygiene gaps.
3. Get a prioritized action plan: Receive clear next steps in plain English — focused on what matters most.
4. Stay current with ongoing monitoring: Add recurring cyber hygiene monitoring if you want updated guidance over time.

Start with a checkup. Continue with monitoring.

AI Small Business Cyber Checkup

A one-time AI-generated assessment that identifies likely weaknesses, highlights the biggest issues, and gives you a practical action plan.

  • Likely weak points and avoidable risks
  • Top-priority recommendations
  • Plain-English next steps

AI Cyber Hygiene Monitor

A recurring cyber hygiene subscription that updates your recommendations, flags likely weak spots, and helps you stay current over time.

  • Recurring reassessment
  • Updated recommendations
  • Refreshed priorities over time

What CyberExperts does — and does not do

Done by AI: CyberExperts is built as an AI-delivered cybersecurity guidance product.
For small businesses: Designed for operators who want practical guidance without enterprise complexity.
Not a magic guarantee: It helps identify likely risks and prioritize what to fix first.
Recurring option available: Continue with ongoing Cyber Hygiene Monitor updates over time.

See your biggest cybersecurity gaps in plain English.

Start with an AI Cyber Checkup and get a practical view of what to fix first.

How to pass the CCNA Exam

If you stumbled upon this article, then you are most likely familiar with what the CCNA exam is. It is a vendor-specific exam that covers the basics of networking.

CCNA stands for Cisco Certified Network Associate. There are now multiple flavors of CCNA exams, including CCNA Security, CCNA Cloud, CCNA Data Center, and many others.

Before all of the new flavors of CCNA were introduced, there was the original: CCNA Routing and Switching. It was an extremely comprehensive test that covered both basic and advanced topics.

At some point the folks at Cisco decided to give the option of breaking up the CCNA exam into two parts:

  • CCENT – Cisco Certified Entry Network Technician
  • CCNA – Cisco Certified Network Associate

You have the choice of taking the combined test and obtaining the full CCNA certification in one sitting or taking the two tests separately. The entire test can be quite daunting, so breaking up the test is an excellent option if you are concerned.

There are several ways to gain the knowledge needed to pass the tests. Dozens of boot camps are available that will teach you what you need to know. I am not a big fan of these boot camps because most of them are quite costly. If you are OK with the cost, or better yet if your company is willing to pay for the boot camp, then you will undoubtedly be more prepared after completion. Many boot camps also include the cost of the test, and they often offer some type of pass guarantee. This means that you can either retake the test at no cost or take the class a second time without having to pay.

Self-study is undoubtedly an option for this test. There are many books and online video courses that will prepare you well for this exam. I recommend the free video course at Cybrary.it.

One of the benefits of boot camps is that the instructors often have an excellent idea of the types of questions on the tests. The instructors get feedback from their students regularly and use this feedback to adapt their class to ensure that they are teaching the specific knowledge that will likely be on the test.

But, there are also some excellent online resources that allow you to get the pulse of the recent CCNA exams. These sites are a combination of ethical teaching sites and somewhat black hat test dump sites.

If you are doing self-study and you want to get a good feel for the questions on the test, then there is just one website to use. This site is famous in the Cisco world and will ensure that you are prepared for the CCNA exam by providing sample questions that are very close to what you will find on the actual test. The site is 9Tut.net.

I have no idea why the site has such a strange name, but I can vouch for it. The questions and answers that 9Tut.net provide are so close to what you will find on the actual exam that you will be amazed. Some folks claim that they have passed the CCNA exam by merely studying the test questions and answers on the 9Tut.net website. I believe that this is probably true.

If you study hard and know the material, then 9Tut.net will top off your knowledge and ensure that you are prepared for the questions you will encounter on the exam.


AWS Cloud Architect Tops the Latest Salary Survey

Amazon Web Services (AWS) is the most significant player in the cloud, holding an astonishing 45% of the industry market share. Given this, there is a huge demand for AWS cloud experts.

The latest Salary Survey from CertMag.com proves that AWS professionals can make substantial salaries. The AWS Certified Solutions Architect certification is the most lucrative certification today. The average salary for holders of this certification is $146,960.

People in the IT industry are rushing to prepare for the AWS Solutions Architect test. I know a few people in my circle that are studying for this test right now and expect to sit for it in the next weeks.

Should you pursue this certification? The answer is yes if you want to increase your earnings power.

If you are interested in becoming one of these top earners, then the path is relatively straightforward.

First, study for the AWS Cloud Practitioner Exam. This exam is suitable for the absolute beginner. You can find excellent training videos on acloudguru.com that will make this test a breeze to pass.

Next, you should prepare for the AWS Certified Cloud Developer exam. This is a more difficult exam that will require that you know the ins and outs of the AWS cloud platform. Linux Academy also has excellent classes available for this certification.

You should now be ready to start preparing for the AWS Certified Cloud Architect exam. This test will get into details beyond those required on the lower level exams.

I have friends that have devoted 30 days of study and were able to pass the Architect test. So, it is very doable, and it is well worth the effort.

The folks that hold the AWS Certified Cloud Architect certification complain that they have to shut their phones off because the recruiters won’t stop calling. It sounds like a good problem to have.

Here’s the list: [image: Salary Survey 75, 2018]

IAM vs IAT Certifications

There is often some confusion about the difference between IAM and IAT certifications. Many times these terms are confused and interchanged.

Both IAM and IAT were established by the Dept. of Defense in 2004. These are qualification standards meant to ensure that the Dept. of Defense IT systems are staffed with technical and management personnel who meet a certain standard of technical expertise.

IAT stands for Information Assurance Technical. The IAT certification levels are achieved by passing specific exams and having certain work experiences that meet particular requirements. These requirements are focused on technical knowledge and are geared toward technical staff.

IAM stands for Information Assurance Management. The IAM certification levels are achieved by passing specific exams and having certain work experiences that meet particular requirements. These requirements are focused on management and are geared toward leadership staff.

Both IAT and IAM standards have three levels: 1, 2, and 3. Level 1 certifications are considered entry-level, level 2 intermediate, and level 3 expert level.

Government jobs and many commercial industry jobs require applicants to meet one of the certification levels as a minimum requirement for being considered for the position.

Below is the government-published chart that shows the IT certifications that fall into each of the IAT and IAM levels.

DoD 8570.01-M. DoD Approved Baseline Certifications

IAT Level I
  • CompTIA A+
  • CompTIA Network+
  • SSCP

IAT Level II
  • GSEC
  • CompTIA Security+
  • SCNP
  • SSCP

IAT Level III
  • CISA
  • GSE
  • SCNA
  • CISSP (or Associate)
  • GCIH

IAM Level I
  • CAP
  • GISF
  • GSLC
  • CompTIA Security+

IAM Level II
  • CAP
  • GSLC
  • CISM
  • CISSP (or Associate)

IAM Level III
  • GSLC
  • CISM
  • CISSP (or Associate)

If you are working in or planning to work in the IT or cybersecurity field, then obtaining the appropriate certification levels is critical and can be quite lucrative.

Obtaining IAM1 or IAT1 level certifications is often the first step to gain an entry-level position in the IT field.

Obtaining IAM3 or IAT3 level certifications demonstrates expert-level knowledge and experience and is the objective of many experienced technical and management IT professionals.

AI and Facial Recognition will improve society

There has been a lot of speculation on how the combination of artificial intelligence and facial recognition will affect the future.  This speculation focuses on how this technology will be intrusive of our privacy rights.

It sounds scary

It sounds a bit scary when you first think about it.  Anytime you are at an event, a mall, or even within a city, the cameras are watching.  When you combine these cameras with facial recognition, the whole context changes.  Government and even businesses will know who you are and where you are.

Think about walking into a store.  The computers will be able to identify you if you have been there before.  If you previously bought something, then the computers will know your name. They know what you purchased. They know whatever other information they may have been able to get from you when you made the purchase.  Scary.

Think about going to a concert.  When you scan your ticket, the computers will be able to identify you and track you when you are at the venue.  The machines will be able to track your movements, your actions, and what you buy.  No doubt, this information will be used to create an environment in which you will be apt to spend more money.  Scary.

It sounds scary because it is scary.  We accept that our mobile phones track us.  But with these devices, we have the option to hit the power switch.  We can turn them off, and we are free.  But tracking with facial recognition cannot be turned off, and we have no control over the use of the information.

The Power of Good in Facial Recognition is real

Think about walking into a store.  You will have incredible security and safety.  You can let your children look at the toys without having to stand within arm’s reach because you are wary of their safety.  You know that anyone with a criminal record will already have the attention of security.  The computers already know that those children belong to you.  The machines will notify security if someone who does not belong approaches your kids while they are playing.  But it would not even come to this because everyone will know that they can’t get away with crime in the building.  The signs at the door already warn of this.  Facial recognition and AI will prevent crime.  It will eradicate crime because there is virtually no chance to get away with any crime.

Think about going to a concert.  There will be no threat of terrorism.  Facial recognition will let security know anytime that a suspected terrorist comes near the stadium.  What if one of your children goes missing at the venue?  Instead of frantically looking for your child, you can report to the nearest security desk and have them locate your child and reunite you.  But, you will not even need to do this.  The AI can be programmed to recognize that your child is lost and distressed.  Your child would likely be returned to you before you even know she was missing.

Think about the overall effect on crime.

To reiterate – AI combined with facial recognition – will eradicate many types of crime.  Today, it is difficult to even think about getting away with shoplifting in Walmart.  There are cameras everywhere.  Only a fool would try to shoplift when they know that the chances of getting caught are nearly 100%.

If this premise holds, then AI and facial recognition will get better and better. Society will soon understand that it is virtually impossible to get away with stealing a car, kidnapping, theft, or almost every crime.

People will no longer have to lock their doors.  People will not have to worry about getting held up on the street.  There will be no more drunk driving because the person who had too much to drink will get intercepted before they get on the highway.

Sounds pretty good, right?

The Marriott Hack – This is What will Happen Next.

Personal information from about 500,000,000 people who made reservations at a Starwood hotel was stolen by hackers. 

These hotels include Sheraton, Aloft, W Hotels, and Westin Hotels.  Marriott acquired the Starwood Group back in 2016, but the compromise started way back in 2014 before the acquisition took place.

Hackers had full access for four years

This means that the hackers had plenty of time to learn, gather data, and exploit that data.  The hackers had access to everything in the system and used the Starwood system as their playground for four years.

A data loss prevention (DLP) system was in place to make sure that sensitive data does not leave the network.  But there is an easy way to get around DLP systems.  A DLP system has to be able to read a communication to identify it as sensitive and act to stop it.  Hackers encrypt the data so that the DLP system is unable to read it.  Then they export away – taking the encrypted data at will.

Of course, exporting vast volumes of encrypted data will itself raise a red flag.  But the hackers had plenty of time.  Over 4 years the data could easily have been encrypted and dripped out in smaller batches.
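The two weaknesses described above (content inspection cannot classify encrypted payloads, and small batches spread over a long period stay under a per-transfer size alarm) suggest what a defender can monitor instead of content. The following is an added example, not code from the original post and not tied to any product Starwood or Marriott actually ran: it scores each outbound payload sample by byte entropy to decide whether it is "opaque" to content inspection, flags any single opaque transfer above a size limit, and keeps a rolling 24-hour per-host budget of opaque bytes so that dripped-out exfiltration still surfaces. The hosts, sizes, thresholds and flow records are constructed for the example.

```python
import hashlib
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables for this example (assumed values, not from any vendor product).
ENTROPY_THRESHOLD = 7.2                   # bits per byte; encrypted/compressed data sits near 8.0
SINGLE_TRANSFER_LIMIT = 50 * 1024 * 1024  # one opaque transfer larger than this is an alert
WINDOW = timedelta(hours=24)              # rolling window for the per-host opaque-byte budget
WINDOW_BUDGET = 100 * 1024 * 1024         # total opaque bytes a host may send per window


def shannon_entropy(sample: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not sample:
        return 0.0
    counts = [0] * 256
    for b in sample:
        counts[b] += 1
    n = len(sample)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_opaque(sample: bytes) -> bool:
    """True when the payload looks encrypted or compressed, i.e. a content-scanning DLP cannot classify it."""
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


class OpaqueEgressDetector:
    """Rolling per-host accounting of opaque outbound bytes. Feed records in timestamp order."""

    def __init__(self):
        self._recent = defaultdict(deque)   # host -> deque of (timestamp, nbytes) inside the window
        self._total = defaultdict(int)      # host -> sum of nbytes currently inside the window

    def observe(self, ts: datetime, host: str, nbytes: int, sample: bytes) -> list:
        """Return a list of (host, kind, value) alerts raised by this single flow record."""
        alerts = []
        if not is_opaque(sample):
            return alerts                   # readable payload: leave it to content inspection
        if nbytes > SINGLE_TRANSFER_LIMIT:
            alerts.append((host, "single", nbytes))
        recent, total = self._recent[host], self._total[host] + nbytes
        recent.append((ts, nbytes))
        while recent and ts - recent[0][0] > WINDOW:   # expire records older than the window
            total -= recent.popleft()[1]
        self._total[host] = total
        if total > WINDOW_BUDGET:
            alerts.append((host, "window", total))
        return alerts


def scan(records) -> list:
    """Run every (ts, host, nbytes, sample) record through a fresh detector, oldest first."""
    detector = OpaqueEgressDetector()
    alerts = []
    for ts, host, nbytes, sample in sorted(records, key=lambda r: r[0]):
        alerts.extend(detector.observe(ts, host, nbytes, sample))
    return alerts


def _opaque_blob(n: int, seed: bytes = b"constructed-example") -> bytes:
    """Deterministic high-entropy bytes standing in for a sample of an encrypted payload."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample data: a 4 KiB payload sample travels with each flow record.
PLAINTEXT = b"guest,room,checkin,checkout,card_last4\n" * 64
OPAQUE = _opaque_blob(4096)
T0 = datetime(2018, 11, 30, 0, 0)
SAMPLE_RECORDS = (
    # ws-17 drips twelve 10 MiB opaque transfers across 22 hours, each under the single-transfer limit
    [(T0 + timedelta(hours=2 * i), "ws-17", 10 * 1024 * 1024, OPAQUE) for i in range(12)]
    # backup-01 pushes one 200 MiB plaintext export: readable, so content DLP can judge it
    + [(T0 + timedelta(hours=1), "backup-01", 200 * 1024 * 1024, PLAINTEXT)]
    # ws-42 sends a single 300 MiB opaque archive in one go
    + [(T0 + timedelta(hours=3), "ws-42", 300 * 1024 * 1024, OPAQUE)]
)

if __name__ == "__main__":
    for host, kind, value in scan(SAMPLE_RECORDS):
        print(f"{host}: {kind} alert, {value / (1024 * 1024):.0f} MiB of opaque egress")
```

Running the block prints no alert for backup-01, a single-transfer and a window alert for ws-42, and two window alerts for ws-17 once its drip passes 100 MiB. High entropy is a hunting signal rather than proof: legitimate compressed archives and TLS sessions score the same way, so in practice the budget should be tuned per host role and correlated with the destination and the sending process before anyone treats it as exfiltration.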

So, what will happen next?

The investigation will continue.  Likely, the full extent of the breach will not be known for some weeks.  The breach will continue to make headlines for weeks as more is learned and disclosed to the press.

People will be fired.

Marriott will need to make an example of walking one or more of their technology folks out the door.  The breach should have been detected before the Marriott acquisition.  Someone did not do their homework, and that person or people will be ousted to appease the shareholders.


Marriott will pay a fine

Just like in the case of Yahoo, Marriott will be liable for some fines.  With GDPR the penalty could be as much as 4% of profits.  With the threat of a fine looming, the stock price will be depressed for a bit.  But this one-time event will not affect the stock price in the long term.

There will be a class-action lawsuit

Many law firms will be lining up to profit from Marriott’s woes.  The suits will drag on for years, and in the end, the lawyers will make a boatload of money, and the people affected will get a coupon for a discounted hotel stay.

Marriott will not pay to replace passports

Leadership at Marriott stated that they would do all that they can to support their customers.  But this will not include replacing passports of their customers. 

Under pressure from lawmakers, Marriott quickly agreed to pay for passport replacements for the data breach victims.  But this will never happen.  The cost of replacing a passport is currently $110.  The number of passport numbers that were compromised is in the hundreds of millions.

This makes it impossible for Marriott to replace all of the passports that were compromised.  Footing the bill would put the hotel chain into bankruptcy.

The damage will not be known

The actual harm from the data breach is already done.  People’s identities have likely already been stolen.  Credit cards have been fraudulently used for purchases.  The perpetrators have probably already made millions by quietly selling the data over the past four years.

At this point, it will likely be impossible to attribute a quantitative cost of the breach.

People will still use Marriott

With the breaches of Yahoo, Equifax, Home Depot, and hundreds of other companies, people have begun to become numb to the effects of large-scale data compromises.

Credit card companies already protect the consumer, so credit card fraud has become just a minor inconvenience for people.

Identity theft is a bit more of a mess to clean up, but even this is no longer a life-impacting event in most cases.

Marriott and the Starwood family of hotels will continue to be profitable.  Soon this data breach will be a story from the past.  This breach will have almost no effect on the stock price over time.

Marriott will be forced to step up their cybersecurity efforts.  Sometimes companies have to learn the hard way.

Data Limitation Laws?

It is usually not a good idea for lawmakers to get involved in cybersecurity beyond a certain point.  The reason for this is that lawmakers do not have an understanding of the technology that they are legislating.

Case in point:  Australia is quickly enacting legislation that will require companies like Apple and Facebook to provide a way for law enforcement to read encrypted data. 

This sounds nice on the surface because law enforcement can go after the bad guys easier.  But this law will be a boon for hackers because the encryption will be less secure.  There will be a back door or another method available to decrypt the messages and data.  If it is there, hackers will find it… it is just a matter of time.

But this may be a good idea…

There is no reason that businesses should keep certain customer information after a specified duration of time.  But they do.

When data breaches happen, we find out on the news what personal details that the hackers got.  Often it includes credit card information, addresses, and even items like passport numbers.

Businesses build up massive databases of this personal information over years and years.  We don’t believe that there is a valid reason for companies to keep expired credit card information for years and years.

Recent news shows that hackers have stolen data that is over five years old.  If there was a limitation that prevented companies from keeping data beyond a specific duration, then customers would be protected to an extent.

Companies should face fines

It will be easy to determine when companies violate the data limitation law.  When there is a breach, and it is found out that a company kept the data beyond the required time limit, then that company should face additional fines due to the violation.

Audits could also be conducted to make sure that the data is deleted after the time limit is up. 

Is it a good idea?

We believe that companies should self-regulate.  But unless there is a compelling reason, companies will likely not give up their valuable data – even if it is outdated.  Therefore, it is time for the government to act.

How to Transition to a Cyber Security Career at Any Age

Are you thinking about doing a mid-career transition to a cybersecurity position?

It is a great field to join.  There are currently millions of unfilled cybersecurity jobs in the US and countless more around the world.  There are not enough qualified applicants to fill these jobs.

Because qualified applicants are limited, the salaries for cybersecurity jobs are on the rise.  It is common for cybersecurity positions to pay more than six figures to folks who have some strategic IT certifications and just a few years of experience.

In your 30s, 40s, or 50s?

It is never too late to get into cybersecurity.  I know plenty of folks in the industry that got started in their 40s and 50s.  With age comes valuable experience.  Combine your current expertise with some cybersecurity training, and you will have a great head-start over many of the younger folks who are trying to break into the cybersecurity industry.

Perhaps you have years of experience in management, sales, teaching, or another profession where you deal with people.  Such people skills can make you very attractive to a technology company.  Many people who get into the field are introverts.  A whole team of introverts requires leadership and someone with the interpersonal skills needed to deal with the clients and manage the people.  With a little bit of cybersecurity education and a few certifications, you will be able to talk the talk, understand the mission, and become a leader or manager in this growing field.

Here is what you need to do:

You first need to prove that you know the basics.  If you have been working with computers your whole career, then you probably have a good head start on your transition.  If you have little experience with computers, then you have a bit more work to do.

Step 1: Get Certified

The first thing that employers look for is certifications.  Certifications prove to the industry that you know your stuff.

CompTIA certifications should be your first step.  Each certification will likely take up to a couple of months of preparation to pass.

For the absolute beginner, you should first choose the CompTIA A+ certification.  If you already have a good background in computers, then you could skip to the Security+ certification.  Here are the CompTIA certification paths:

The certifications get harder as you move along the path.

Passing the Security+ exam will begin to open doors in the industry.  The Department of Defense categorizes the certifications.   The three levels are IAT1, IAT2, and IAT3.  The Security+ certification puts you in the IAT2 category.  Here is a visual of the certification levels:

You can see the value of each of these certifications by searching the job search engine, Indeed.com for IAT1, IAT2, and IAT3.  You will find that the higher IAT levels qualify you for positions at higher average pay.  As an example, here is a summary of jobs that are available in Northern Virginia for people who hold the Security+ (IAT2) certification:

But your ultimate goal should be to earn an IAT Level 3 certification.  It will be a pretty significant commitment to studying and passing the CASP exam.  The CASP exam does not require any experience to sit for it, but it is designed for well-experienced professionals.  If you can do it, then you are setting yourself up to be qualified for a six-figure income.  As an example, here is a summary of positions that are available in Northern Virginia for people who hold the CASP (IAT3) certification:

The CASP certification clearly demands a higher salary range.

Step 2: Get some experience

The next step is to get some experience on your resume.  This might not be as hard as it seems.  Many businesses are looking for computer help.  Since you are already working, you may be able to pick up some additional job duties at your existing company.  You could volunteer to help out with configuring laptops, troubleshooting issues, and a wide array of other tasks that can build your credibility in the industry.

One way to gain the needed experience is to start your own cyber consulting business.  You can set this up as a sole proprietorship or a limited liability company.

You will need a website and some business cards.  You can have a lot of fun and learn a lot if you set up your site using WordPress.  There are plenty of tutorials online about how to get a WordPress site up and running.

You can then start approaching small businesses and offering your assistance as a part-time gig.  The experience you gain can be strategically incorporated into your resume.

Step 3:  Find your first position

After you have your certifications and have a bit of experience, then it is easy to get an entry-level job in cybersecurity.  You may have to start at the bottom, but you can quickly leverage your skill to move up the ladder.

You may find it a bit harder to step into the industry in a mid-level position, but it is certainly not impossible.  You can leverage your professional experience to get into a leadership position.  You can then continue to learn and grow without having to be the one that does the highly technical work.

Step 4:  Keep learning and growing

The fun thing about cybersecurity is that it continues to evolve and change.  This requires continuous learning.  After you are full-time in the field, you should continue to gain certifications.  Your goal should be to get to IAT level 3 (CASP or CISSP).

37 thoughts on “How to Transition to a Cyber Security Career at Any Age”

  1. Mark
    Thank you Donald. I have an option of attending Thomas Edison State on line to pursue a BS in Cybersecurity engineering. I’m wondering if that is the correct path. Or do I pursue these certifications instead? Thank you
    • Donald
      Mark, If you have the opportunity to go get a degree in cybersecurity engineering, I would recommend that, for sure. It is both a big financial investment and time investment. But, I would also recommend that you pursue certifications. A degree along with certifications will be very valuable. For most cybersecurity job descriptions, you will see that certifications are required and a degree is preferred. Having both will ensure that you are a top candidate.
  2. Oladapo Gafar
    Hi Donald, I will be turning 37 this year and I am considering going into cybersecurity. Do you think my age has already put me at a disadvantage, and if not, what certificate should I start with?
    • Donald
      Your age really has no bearing on this – You can get into the cybersecurity field at any age, for sure. I was over 40 when I started the certification path. If you are pretty tech-savvy, you could start with the CompTIA Security+ exam. This is an entry-level cert, but it still has great value in the job market. Plus, this stuff is really fun to learn. The SEC+ exam is what I started with. Good Luck!
  3. Jennifer
    I am considering a cybersecurity bootcamp but I am worried it might be too expensive. I have no experience outside of personal use. What resources would you recommend that I use to self study that would get me ready for Security+ exams as well as a career in risk management? Thanks.
    • Donald
      Jennifer, I am not a fan of boot camps. I think that there are many ways to successfully get ready for the SEC+ exam that are more effective and much cheaper. One of the best books that you can get is the “Security+ for Dummies” book. You could easily prepare by reading this book alone. But, if you like the idea of a teacher, you can choose online classes from Udemy.com or from Cybrary.it. These very low-cost or free video trainings are, in my opinion, just as good as any boot camp. Good luck!
  4. Peter liggett
    I worked on I.B.M. computers for nine plus years. This was in operations and some technical support. I also studied 3 programming languages. My main exposure to computers is the lower half of the FORTUNE 500. How difficult would it be to get into cybersecurity?
    I have also studied networking technologies
    • Donald
      Peter, It sounds like you have a great foundation to make the transition into cybersecurity! Of course, it will take a bit of work. The best thing to do is to start obtaining some certifications. Since you already know networking, I would suggest grabbing some study materials and working toward the CompTIA Security+ certification.
  5. Doliven Mae Sumanpan
    Hi Donald I’ve been thinking about getting cybersecurity training. I am currently an RN but like to transition to cybersecurity which I think is also a great career. I’m 30 y.o. What do you think of this training focus below? I’m planning to start in May 2021.
    Training Focus:
    ISC2 – Certified Authorization Professional (CAP)
    FISMA / RMF / NIST SPECIAL PUBLICATIONS/ SSP/ SAR/ POAM
    Prepare
    Categorize
    Select
    Implement
    Assess
    Authorize
    Monitor
    Training Benefits:
    Job focused hands-on training
    Job Interview Preparation
    Certification Preparation
    Resume Build
    On the job support
    Access to training videos
    Provision of training materials, documents, templates, reports
    • Donald
      Doliven, This sounds like a great plan. CAP is an IAM Level 2 Certification that would prepare you well for a position such as ISSO (Information Systems Security Officer). ISSOs focus on the RMF steps to accredit systems. There is an incredible demand for ISSOs, and this demand will most certainly continue to grow.
  6. Simone
    Hello Donald, My current background is in finance and accounting. I have been in this career path for the last 5 years but I do not enjoy it. I have been wanting to switch over to something else but I somehow keep getting sucked back into accounting/finance by recruiters because it is where the majority of my experience lies. I am thinking about switching to cyber security but I am not sure if I will like it or not as I do not have any hands-on experience or knowledge on what the job entails. Do you have any recommendations on what I should do or how I should go about this? Also, do you have any suggestions on the most cost effective approach to getting the needed exposure/training without going back to school for a degree in cyber security?
    • Donald
      Hi Simone, If you have an accounting background you are well-poised to get into cybersecurity. Specifically, you have the skills necessary to get into cybersecurity auditing. This is more of an administrative role, and does not require hands-on experience. A cybersecurity auditor is a very important role that focuses on either internal or external audits. As an internal auditor, you would prepare your customers to pass required cybersecurity audits (such as FISMA audits). This person would look at past findings (known as NFRs) and work with the ISSOs and other stakeholders to remediate any findings. Also, this person would be proactive to identify and resolve other issues that might be a negative finding in an audit. An external cybersecurity auditor is hired to conduct these audits on companies and agencies. You would likely need to obtain a certification such as CISA in order to break into this role. The good news is that there is an unbelievable demand for cybersecurity auditors. If you obtain the CISA certification, you should have your choice of positions. Additional schooling is not a requirement, but it would look good if you can add some cyber training to your resume. One great technique to beef up your resume is to add a TRAINING section and list 5 or 6 cybersecurity trainings that you have recently completed.
  7. Ray
    I’m about to be 26, have a useless general studies degree, and have been working under the state of MN (SSA disability) for 3 years now. I don’t enjoy my job and am considering switching fields to cybersecurity. I’m wondering if at this stage in my life whether I should pursue a second undergraduate degree in cybersecurity or perhaps obtain a Computer Forensics post-baccalaureate UCERT through an online university. Kind of lost and trying to figure out what my best options are for further education in this field.
    • Donald
      Ray, Perhaps you should get your feet wet in cybersecurity before you jump in headfirst by getting into a degree program. I would suggest that you start by studying for some entry-level certifications (I suggest the CompTIA Security+ certification). Then, if you find that you have a passion for cybersecurity, invest in taking online classes to get a degree. There are a ton of great online degree programs both at the graduate and undergraduate levels. Good luck!
      • Pietro Malino
        Hi Donald! My name is Pete. I am 57 years old and work in pharmaceutical manufacturing. I am not passionate about the work that I do. And at my age the physical work it requires to complete assignments is beginning to become very taxing on my body. I am not computer savvy at all. But I love to learn and I would like to work in a field where I can do something I enjoy, live well and retire young enough to enjoy retirement. Can a person like myself transition into cyber security with no computer skills and knowledge?
        • Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3
          Hi Pietro, Yes, of course, you can do this. But, it will take a lot of studying. I would recommend starting the certification path. Start with CompTIA A+, and work your way up from there. With hard work, you could get yourself certed up enough within about a year. You should be able to break into the industry. Good luck!
  8. Abigail
    Hello,
    I have a doctorate in clinical psychology and am a licensed psychologist currently working as a therapist. I’m interested in possibly transitioning into cybersecurity but don’t know if my skills are a good fit or transferable. Does this seem like a reasonable thing to pursue? Thank you!
    • Donald
      Hi Abigail, Your psychology skills would be very valuable in the world of cybersecurity. We need to study how hackers and victims behave and act in different situations and scenarios. If you get a chance, pick up the book or audiobook called “The Art of Deception”. I think that you will love the book and you will also clearly see how your current skills would be of use in this exciting field.
      • Jay
        I agree. I just read “Ghost in the Wires” by Fred Mitnick, and it is an amazing insight into the psychological thoughts of a hacker.
        • Donald
          Yes, Kevin Mitnick. I highly recommend his books.
  9. Angel
    Hi Donald, I’m a 45 year old Mortgage Loan Officer looking to transition into a new role. I’ve been thinking about the demand for Cybersecurity and thought it might be a good opportunity. Where would you recommend I start and do you think my age would be a disadvantage. Thanks!
    • Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3
      Your age will not be a disadvantage. I was in my 40s when I started the transition to cybersecurity. Sure, you will likely be surrounded by a lot of younger folks in the industry. But, this can be an advantage. With age comes wisdom. With experience comes better problem-solving skills and more mature reaction ability. I started out by getting some certifications. I believe that this is the best way to break into the field. After you get a Security+ or higher, you will find that employers will be willing to talk to you about positions. The demand for employees in this industry is insatiable and it will only get tighter.
  10. Wendy
    Hi There! I am a 41 year old Graphic Designer with 20+ years. The graphic design industry is dying and being outsourced for little to no pay. I am thinking of switching over to Cyber Security. It sounds like an interesting career and is in high demand. I do not have any programming skills or coding background unfortunately. From some of the info I found online, it seems like you need to have a heavy understanding of coding and programming to get into this field. Is that true? Would jumping into a bootcamp or certificate program be worth it? Cheers
    Wendy from San Diego!
    • Donald
      I am not a big fan of boot camps, but they certainly can help people pass certification exams. Coding and programming is only needed for some positions. Many positions, however, do not need coding.
  11. Dominus
    Hi Donald, Thanks for the beautiful writeup. I presently work in Data Analysis with the majority of my experience in Engineering (Oil and Gas). I am very much interested in transitioning into cyber security but not sure how to get on. Do you think the certifications you mentioned will help and will my experience assist in any way? Thanks
    • Donald
      Hi Dominus, If you are an engineer, you have a great step up on most people. Engineers solve problems and so do cybersecurity experts. Yes, I recommend hitting the books and picking up a few certifications. This is definitely the first step. Doing this will also solidify your decision to get into cyber. “Security+ for Dummies” is a great book that will teach you a ton of good information and will also prepare you for the SEC+ exam.
  12. Christian
    Hi Donald, Thank you for writing this article as I was very curious about prospectively moving into the cybersecurity field and have thought about it for years. Like someone before had mentioned, I too have a degree in general studies and a minor in chemical engineering and currently work as a New Product Development Engineer. I was wondering if you could help lay out a plan for how I need to get where I want to get. I don’t have any IT experience but am savvy enough and technologically inclined that I feel I can start with the SEC+ certification. My goal is to be an ethical hacker and get my CEH, so what pathway do you think I should pursue after achieving the SEC+ cert? I’m taking a SOC Analyst career path course through Cybrary right now while concurrently studying for the SEC+ exam I hope to take in a couple weeks, but would love to hear your input. Thanks
    • Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3
      Hi Christian,
      After you get the Sec+, you should be able to jump right to the CEH exam. Several years ago, the CEH exam was not as valuable as it is now. The test questions were readily available on the internet, so the test lost credibility. Since then, however, the CEH has been completely revamped and is much more challenging than it used to be. The price of the exam also was raised significantly. But, for someone with your education and background, I would say go straight from Sec+ to CEH. With your engineering background, you should be quite marketable in the cybersecurity industry. You should also do some penetration testing using some of the online platforms, like hackthebox. Good luck!
  13. David Jackson
    Donald, thank you for the great advice on how to get started with a cybersecurity career. I am retiring from the Navy after a 30 year career in operations and would like to transition into cybersecurity. Past military experience includes overseeing cyber defense and electronic warfare operations, managing digital data links, supervising computer system and electronic repair. In addition, I have a Bachelors in Computer Information Science and a CompTIA A+ certification. Currently studying for my Network+ and Security+ certs. What else should I do to help make me a good cybersecurity candidate? Thank you for your assistance.
    • Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3
      Wow – your skills and experience will certainly make you in high demand after you leave the Navy. Knock out those Network+ and SEC+ certifications and you will be well sought after in the civilian workforce. Well done! Let me know where you land.
  14. Anish
    Donald, brilliant article. Thank you so much. I am an Automotive engineer with a masters degree and slightly over ten years of experience in this field. I, however, wish to explore the field of cyber security and am looking at formal education (MSc Advanced Security & Digital Forensics from Edinburgh Napier University). The program is accredited by the NCSC of the UK so I am inclined to assume it’s sought after. Your suggestions about certifications have given me more relevant ideas to think about. I would consider certifications along with the MSc program (which I do intend to do on a part time schedule in order to not jeopardise my present career and learn the networking and computer science modules that I will need).
    My primary target is Security Audit and Compliance. Would you be kind enough to suggest if it’s a good plan or not? I am 32 and looking at at least 2+ years into formal education towards my target.
    • Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3
      Anish, It sounds like a great plan. Cybersecurity auditors and compliance folks are in tremendous demand. One of the best certifications in this domain is the ISACA CISA certification. If I were you, I would use your studies to also prepare for the CISA. A degree, along with a certification, will allow you to break into cyber at a high level and a nice salary. I encourage you to go for it!
  15. Jay
    Hello Donald,
    Thank you for your guidance. I am making a career change as well into the cybersecurity field, as someone who is in his mid-40’s. From looking at the other comments and other’s experiences that are similar to mine, I think I’m going to go for the SEC+ certification. I don’t have any other certifications but I know a lot about computers. How long does it take to study for this exam in general (weeks/months)? And do you have any tips on what’s the best way to study for this exam or if there are any good prep courses/materials that you recommend?
    Thank you so much and have a Happy New Year!
    Jay
    • Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3
      I think that 30 days of studying for a couple of hours per day should be sufficient. Practice tests are key to passing the tests. So, I recommend 15 days to review the material and 15 days of taking practice tests. Security+ for Dummies is an excellent resource. I also like the teachers at ITProTV. Let me know how it works out for you!
  16. JJ St Marie
    Donald, thanks so much for the article. I have been obsessed with tech since I was little but found myself in the sales/psychology career path. I’m 33, and a bit nervous about a complete industry change. Any advice? I’ll look into the certifications.
    • Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3
      You can get inexpensive bootcamp-type training at Udemy.com. I would recommend that you watch the videos and prep up for the SEC+ exam. That will be enough to get you started in the industry. You are still young! The transition to cyber should be an easy one for you.

Passwords Suck and Will Go Away – Here’s How

Why Passwords Suck

Usernames and Passwords are not secure by nature.  Usernames and Passwords are controls that rely on “Something you know.”  Knowledge is easily transferable, and therefore, passwords are not secure.

No amount of security training will eliminate or overcome human nature.  It is human nature to make passwords we can easily remember.  Passwords that are easy for us to remember are also easy for people to guess.  Passwords are also used over and over again on multiple accounts – bank accounts, email accounts, work accounts, etc.

Worse yet, passwords are often openly shared among trusted individuals like family members.  That shared Netflix account email and password can, in some cases, also access many other accounts that the user has.

Therefore, Two Factor Authentication became necessary

By combining Passwords with Bio-metrics (Something you are) or a Smart Card (Something you have), the authentication is much more secure.

Requiring a one-time password from an RSA token or smartphone soft token along with a password is now the norm for signing into corporate systems.  You have to know the password and also have to possess the device to sign in securely.

Bio-metrics, like the use of a fingerprint reader or retina scan, is less common but also very effective when combined with the need for a password.

The need for two-factor authentication reiterates that passwords suck.

There must be something better.  There is.

SQRL (Squirrel) will destroy the need for Logins and Passwords

SQRL stands for “Secure Quick Reliable Login”.  SQRL is the brainchild of one of the superstars in cybersecurity, Steve Gibson.  Steve Gibson runs the Security Now podcast. He is also the author of many cybersecurity books. Steve is one of my favorite people in the cybersecurity space.

Steve and his team have been developing SQRL since the inception of the idea in 2013.  This protocol/method is still under development, but it appears that it is near ready for prime time.  You can demo SQRL at Gibson Research.

The cool thing about SQRL is that it is entirely free and open, and it will always be that way.  Steve Gibson created SQRL to fill a need and not to make money.  Thousands of hours of development and research were “donated” for the good of the cyber world – a very noble thing indeed!

Here is the login page for the SQRL demo:

To make this work, you will have a SQRL app on your phone.  This app would contain a private key.

The QR code (like in the above image) contains the URL and the domain of the site that you are trying to connect to.  By scanning the QR code, you are creating a public/private key pair by using a hashing function (HMAC) with your master key and the domain name of the site.

Your phone app would then transmit your public key to the site as your identity.  The encrypted QR code is transmitted to authenticate you.

Your public key takes the place of your username.  The encrypted QR code takes the place of your password.

Your public key is a constant – it does not change.  So, the website you are accessing will always know that it is you.

Because the QR code is encrypted with your private key, the website can verify that you possess the matching private key without knowing the private key itself.

The SQRL process is both simple and brilliant.
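The exchange described above, modelled in Go as an added example (this is not the SQRL reference code from Gibson Research): the per-site key is the HMAC-SHA256 of the domain under the phone's master key and is used as an Ed25519 seed, the resulting public key is sent as the username, and a signature over the challenge carried in the QR code proves possession of the private key. HMAC-SHA256 and Ed25519 are the primitives SQRL actually specifies; the Server type, ClientAnswer, the single-use nonce and the "domain|nonce" message layout are simplifications assumed here, and the real protocol's response format, identity lock and rekeying are omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SiteKeyPair derives the per-site key pair the post describes: the site's
// private key is HMAC-SHA256(masterKey, domain), used as an Ed25519 seed, and
// the matching public key is the user's constant identity at that domain.
// The master key never leaves the phone and the server never sees it.
func SiteKeyPair(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes: exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Server models the website (assumed structure, not part of SQRL itself): it
// hands out single-use challenges, the nonce that would be embedded in the
// login URL / QR code, and stores nothing but public keys.
type Server struct {
	domain     string
	challenges map[string]bool   // outstanding nonces, hex-encoded
	accounts   map[string]string // hex(public key) -> account name
}

func NewServer(domain string) *Server {
	return &Server{domain: domain, challenges: map[string]bool{}, accounts: map[string]string{}}
}

// NewChallenge creates a fresh random nonce and remembers it until it is used.
func (s *Server) NewChallenge() string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	h := hex.EncodeToString(nonce)
	s.challenges[h] = true
	return h
}

// challengeMessage binds the signature to both the site and the nonce, so a
// response produced for one domain cannot be presented at another.
func challengeMessage(domain, challenge string) []byte {
	return []byte(domain + "|" + challenge)
}

// LoginResponse is what the phone app sends back: the public key that serves
// as the username and a signature over the scanned challenge that serves as
// the proof of possession, the part the post calls "the password".
type LoginResponse struct {
	Identity  ed25519.PublicKey
	Signature []byte
}

// ClientAnswer is the phone app's side of the exchange.
func ClientAnswer(masterKey []byte, domain, challenge string) LoginResponse {
	pub, priv := SiteKeyPair(masterKey, domain)
	return LoginResponse{Identity: pub, Signature: ed25519.Sign(priv, challengeMessage(domain, challenge))}
}

// Verify is the website's side: it checks the signature with the public key
// alone, consumes the challenge so a captured response cannot be replayed, and
// creates the account on first sight (no e-mail address, no password).
func (s *Server) Verify(challenge string, r LoginResponse) (string, error) {
	if !s.challenges[challenge] {
		return "", errors.New("unknown or already-used challenge")
	}
	delete(s.challenges, challenge)
	if len(r.Identity) != ed25519.PublicKeySize ||
		!ed25519.Verify(r.Identity, challengeMessage(s.domain, challenge), r.Signature) {
		return "", errors.New("signature does not verify under the presented identity")
	}
	id := hex.EncodeToString(r.Identity)
	name, known := s.accounts[id]
	if !known {
		name = "user-" + id[:8] // frictionless first login creates the account
		s.accounts[id] = name
	}
	return name, nil
}

func main() {
	// Constructed demo value; a real app generates this randomly once and keeps it.
	master := []byte("constructed-master-key-for-demo!")
	srv := NewServer("blog.example")
	ch := srv.NewChallenge() // this is what the QR code would carry
	name, err := srv.Verify(ch, ClientAnswer(master, "blog.example", ch))
	fmt.Println("first login :", name, err)

	// Same master key and domain: the same identity, so the site knows it is you.
	ch2 := srv.NewChallenge()
	name2, err := srv.Verify(ch2, ClientAnswer(master, "blog.example", ch2))
	fmt.Println("second login:", name2, err, "same account:", name == name2)
}
```

A breach of this server exposes only the keys in `accounts`, which are public keys; without the master key an attacker cannot produce a signature that verifies, and a captured response is rejected because its challenge has already been consumed.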

Steve Gibson’s process drawing shows the steps:

The Amazing Advantages

SQRL is Ridiculously Easy to Use

One of the best things about this system is that it allows you to authenticate at a website very quickly with little effort.  The user will not have to create a website account by typing in their email address and creating a password.

After you set up SQRL, when you want to create an account at a blog or any website, it is as simple as clicking on the SQRL emblem.  One step is all that you need.  It is effortless. People call this “frictionless”.

SQRL is Simple

While SQRL is ingenious, it is also very simple.  This simplicity means that there is not a lot that can go wrong.  Because it is so simple, it is unlikely that there will need to be bug fixes.

SQRL is Very Secure

You should never see SQRL being the cause of any data losses due to hacking or social engineering.  The very nature of SQRL makes it secure.  A breach would mean that a hacker would have obtained the public keys of the users.

But nobody really should care if their public key is exposed.

Your public key is,  as the name implies, public. The hacker would not be able to impersonate the users because the users’ private key remains private.

SQRL is better than using Facebook or Google to create a login.

Using Facebook and Google to create logins for websites is very easy but has a much higher security risk.  Using this method makes you rely on a third party website for authentication.  When the third party website gets compromised, then every login that you have is compromised.  This snowball effect is not an ideal situation when it comes to security.

How Will SQRL Unfold?

Right now there are relatively few people who know about SQRL, how it works, and the advantages of it.  Only security geeks (like myself), and fans of Steve Gibson (also like myself) have a good knowledge of how SQRL works and the power of it.

I expect that Steve and the team will finish developing SQRL soon. I look forward to the official launch.  The rollout will be very slow as only security nerds will initially jump on it.  But, when its power becomes fully known, SQRL will begin gaining traction and press.

The folks at TechCrunch will do a story for sure.

Soon, SQRL will take over the web as the security standard for websites.  You will be hard-pressed to find a WordPress site that is not using SQRL.  If your site is not using SQRL, then you will be at a disadvantage.

I see SQRL as the future.  Let’s see if it unfolds the way I see it.


Keeping Your Privacy Online, Dos and Don’ts

Safe browser extensions are the first line of privacy defense

If you’re old enough to remember the days when the internet was just getting fired up, you’ll remember that privacy was not really something we worried too much about. This was, of course, before the days of social media and before cybercriminals turned their wicked genius towards data theft and other nefarious purposes. Today we use the internet for virtually everything and we can do it all from a device that fits in our palm. On your home PC or the computer at your office, you may be a bit more aware of privacy and take measures to monitor how much information you’re giving out, but frequently on our smartphones, we forget that it’s the same internet we’re connecting to. We download apps without thinking, and even on our home laptops we frequently allow browser extensions because they seem like they might be useful… without really doing due diligence to find out if they are doors to malicious software such as Trojan viruses that sneak in undetected and begin stealing data. Becoming more aware of privacy issues is something we need to “up our game” in – as well as teaching our children how to always be aware of privacy as they begin their lives online. Here are some ‘do’s and don’ts’ to help you stay safe and maintain privacy online.

Privacy

Do you use a safe browser? A safe browser is an add-on extension that works in real-time to scour the net ahead of you as you browse and warn you of sites that have been flagged by the community of users or algorithms used by the website safety browser checker. It helps you to determine whether you should trust a website. And knowing if you can trust a website isn’t as simple as it sounds. Many people are still falling for the fake Facebook login pages, which you would be alerted to if you were using a safe browsing app both on your phone and on any device. So, number one: Do use a safe browser.  

Don’t give out too much personal information on social media. What is “too much information?” Well, basically anything that you can avoid sharing you should avoid sharing. Photos tagged with locations, your middle name, your phone number… you’ll be surprised at how much is available about you simply based on things you’ve put up on social media. Let’s say someone is looking to sell a car and they post, “call me at 555-5555.” That telephone number can be used to trace your address. And with just your name and telephone number, who knows what nasty things bad guys could get up to. 

Do browse the internet with a safe browser but also do so in incognito or private mode whenever possible especially when shopping and doing credit card transactions. If you have the ability, you can take it a step further and consider using a Virtual Private Network or VPN. Do also use quality antivirus software and don’t be afraid to spend a little money on a subscription as it could save you a lot down the road.

Finally, don’t use bad passwords. There’s no nice way to say this but many people use passwords that are… well, dumb. These unsafe passwords are relatively simple for hackers to guess, especially those who are using AI programs to crack codes. Strong passwords can be difficult to remember – and there are programs that can create and compile passwords for you, although these can be problematic as they can be hacked themselves – in general try to think of some sort of phrase that you will remember and turn it into a password with symbols, capital letters, and numbers. For example, your passphrase for a website that you buy books from could be something like, “Shakespeare was born in April 1564.” This would be turned into sKpWzBn=4/1564. If you forget the date, you can always go look up when Shakespeare was born and the passphrase/password will probably come back to you. These password phrases are the best way of having a unique, strong password for each individual website you log into.

The days of being able to get away with slip-ups online are over and like packs of hungry predators, hackers sit around all day with nothing else to do but search for weaknesses and if you’re one of them… you will be eaten. Don’t let that happen. Start by downloading a safe browser extension and use that whenever you’re online. Next, assess your other vulnerabilities and start taking steps to correct them.

Are Dark Web Scans Effective?

The Dark Web is Anonymous

The dark web is a scary place.  It is a network of websites teeming with illegal activity.  It is a secret place where visitors protect their identity by using techniques to keep identifying information (like their IP address) hidden.

There are several methods that people use to keep themselves anonymous when accessing the dark web.  You need to use the TOR browser to access the dark web.

What can be Found on the Dark Web?

As far as illegal stuff – you name it, and it can be found on the dark web.  Related to identity theft, you can find tax forms, credit card numbers, login credentials for bank accounts, stolen debit card numbers, and more.

You can also hire hackers to use their botnets to conduct denial of service attacks on the victims of your choice.

You can buy drugs and weapons.  You can order guns and other devices that can be used for crimes.  You can even purchase counterfeit money in bulk.

Why it is best to stay away

If you want to enter into the seedy world of the dark web out of curiosity, I recommend that you resist the temptation.  You will find nothing but trouble.

If you think that the TOR browser will keep you anonymous, then you are making an assumption that you may not want to make.  Law enforcement, the government, and others have a great interest in the Dark Web and are looking out for the bad guys.

So don’t have too much confidence that you are invisible and anonymous.

There are VPN apps and other ways that people use to further enhance their privacy when accessing the dark web.  But remember that the good guys are out there and doing everything they can to clamp down on illegal activity.  So, as I said, it is best to stay away.

The Dark Web Scan

Many different companies are starting to market their dark web scan services.  These services allow you to scan the dark web for your private information – you can scan for things like your email address, social security numbers, and other personal information.

Some of these services, like Experian, allow you to scan for basic information at no cost.  But they encourage you to sign up for a paid scanning service that will dig deeper and be of more value than a cursory scan.

There is debate as to whether this type of scan is useful.

These scans access the dark web and analyze information from message boards, documents, etc.  If your private information is found then you want to take action by freezing your credit, reporting your credit cards as stolen, and taking other measures to mitigate the damage.

But there is a high likelihood that these dark web scans do not detect effectively.  If your data is for sale, it is highly unlikely that the information can be found by scanning the dark web.  Your data would not be released and made available on the dark web; it would be sold to a private buyer.  The value of your private information would be diminished if it was posted on the dark web for anyone (including the scanner) to see.

By nature, the dark web is not searchable.  The companies that sell dark web scan services do not outline their scanning methods.  But logically, it is questionable that these services are effective.


PMP vs CISSP

How does the PMP exam compare to the CISSP exam?

When someone asked me that question, I thought it was rather odd.  How can you compare the PMP to the CISSP?  These are two completely different tests on two completely different subjects.  The PMP exam covers project management while the CISSP exam covers cybersecurity.

But then I thought about it.

The question is valid.  I expect that many people may be considering both the PMP and the CISSP.  Both of these certifications are considered the top certification in their respective fields.  So, this question deserves some thought.

The value of the PMP vs. the CISSP.

The current number of people who hold the PMI PMP certification worldwide is 791,448.  On the other hand, the number of people who hold the (ISC)² CISSP certification worldwide is 122,289.

So, there are far more PMPs in the world than there are CISSPs.  In other words, holding a CISSP certification is much rarer than a PMP.

The first PMP exam was in 1984.  The first CISSP exam was in 1994.  So, the PMP has a 10-year head start.  But this does not matter if you are comparing sheer numbers.  Based on the numbers, it is harder to find CISSPs.

When I am deciding what certification to pursue, I want to know how valuable the certification is in the job market.  The quickest way for me to test this is to search for the certification on Indeed.com.  The results of the search will show the number of positions that either require or desire the applicant to have that certification.

When I search for PMP in the Washington DC metro area, I find 2525 results.  Here is a breakdown of the estimated salaries for these results:

If I do the same search for CISSP in the same area, I find that there are 2707 results.  Here is a breakdown of the estimated salaries for these results:

So, there are slightly fewer jobs available that require the CISSP certification.  But the CISSP positions have a bit of a higher starting salary than the PMP.

So, I believe that the CISSP exam has more value than the PMP certification.  But, the difference is not drastic, and both certifications are desirable for employers.

The Exams

The PMP exam is 4 hours.  The CISSP exam does not have a set duration.  Unlike the PMP exam, the CISSP exam is adaptive.  This means that if you get a question correct, then the next question is a bit harder and so on.  The CISSP exam ends when you meet the criteria of passing it or if the computer algorithm determines that you will not pass.

Therefore, there is no set time for the CISSP exam.  Some people finish it rather quickly (I did).  I was only presented with about 110 questions.  Other people keep getting question after question and need to complete up to 150 questions.  The questions are mind-bending and can take many minutes to answer each one.  So an additional 40 questions can equate to a couple more hours of exam taking.

The PMP consists of 200 multiple-choice questions.  These questions tend to have more than one “right answer.”  This makes it tricky because you have to choose the answer that is “more correct.”

For this reason, when I got to a question that required a formula I was relieved.  As long as I could remember how to do the math, I could be sure that my answer was correct.  The non-formula questions were much more challenging.  I had to debate which solution was better and why.  On many of the questions, I had to make a “best guess.”  It is hard to maintain confidence when you are forced to make choices that you are not sure of.

The CISSP also consists of multiple-choice questions.  Just like on the PMP exam, many questions do not have a clear, correct answer.  And just like the PMP exam, I found myself choosing between 2 answers that I thought were both correct.

With the CISSP, the golden rule is that the least expensive answer is the best one.  For example, if you are asked for the best way to mitigate risk, you should choose the answer that does the job at the least cost.

Which test is harder?

Both the PMP exam and the CISSP exam are challenging.  Pass rates are not published for either exam, but it is said that less than 50% of people pass the CISSP exam on the first try.  The numbers are said to be similar for the PMP exam.

But for me, the CISSP exam was significantly more difficult than the PMP exam.

I took almost the full four hours on the PMP exam.  I spent a lot of time reviewing my answers, and there were only about six questions that I was completely unsure of.  The PMP exam allows you to go back, review, and change answers.  When you are complete with your review, you can click a button to end the test and see if you passed.  By the time I clicked the complete button, I was pretty confident that I passed.

I said a prayer, and I clicked.

I believe that the testing software gives an intentional delay to keep you in suspense.  After what seems like forever, the test results are shown.

Boom – I passed.

On the other hand, the CISSP exam is administered entirely differently.  I mentioned before that the test is adaptive.  If you get an answer right, the next question is more complicated.  You get to a point in the testing where the questions become so obscure that no one can know all of the answers.

And you can’t go back and review or change answers on the CISSP exam.  When you answer the question, it moves to the next one, and there is no looking back.  Also, the test can end anytime.  You don’t know when it will end or if the questions will keep coming.

I was on question 107, and I had a feeling that if I got the next one right, I would pass.  For some reason, I also thought that if I missed the question, I would be going down in flames.

I answered question 107, and the test did not end.

Question 108 was on a topic that was completely unfamiliar to me.  I analyzed the question and the answers and somehow became very confident that I was correct. The test continued until 110.

Then the test ended.  There was no notification that I had passed or failed.

I left the computer and walked out.  Biometrics were scanned again to ensure that I did not somehow change places with a smarter version of me.

I discouragingly walked out to the front desk, where the woman at the desk was looking at a computer.  She printed a sheet of paper and folded it in half.  She handed the paper to me, and I slowly opened it.

I was unable to decipher what the paper said because my mind had not yet recovered from the exam.  “Congratulations,” the woman said with a smile.

Boom again.  I passed.

When people ask me which test was harder, I say that the CISSP was much harder than the PMP.

Don’t Underestimate the CompTIA Security+ Exam

The CompTIA Security+ exam isn’t that easy!

I was recently at a family reunion, and I was talking to my cousin, who does IT work for the military.  He was getting prepared to leave the military within a few years to transition into civilian work.

I asked him if he had any IT certifications.

“No, but I am thinking about trying to get some of the really easy ones like Security+”.

I had taken and passed the CompTIA Security+ exam just a couple of years before this conversation.  I thought to myself, “Really easy? I think not!!!”.  But I did not say anything to my cousin.

The Security+ is an entry-level cybersecurity certification that has significant value when you are looking for a job.  Security+ is an IAT Level 2 certification.  What does this mean?

The Department of Defense has approved the Security+ certification as “Level 2”.  Many jobs that relate to government contracts require the certification as a baseline requirement.  In other words, you cannot be considered for the position unless you hold this certification.

Here is a quick way to see if a certification has value:

The easiest way to determine if a certification holds significance in the marketplace is to do a job search that requires that certification.

In the case of Security+ I would go to Indeed.com and search “IAT2”.  These results will show all of the jobs that require or prefer an IAT Level 2 certification like Security+.

If you do this search where I live – in the Washington DC metro area – you will find dozens and dozens of positions appear in the search results.  Nearly all of the jobs have a salary range of more than $100,000.

So yes, the Security+ certification is quite valuable.

You have to know your stuff.

I studied for the Security+ exam way longer than I studied for more advanced exams like CASP and CISSP.

It was one of my New Year’s resolutions to pass the exam.  The next thing you know, it was November, and I had not yet taken the test.  I had studied off and on for 8 or 9 months.  I was not about to let the calendar turn to another year without at least giving it a try.

One of the reasons that it took me so long to prepare for this exam is that I skipped over the IT Fundamentals, the A+, and the Network+ exams.

If I could do it again, I would start with these beginner exams to build up my confidence and create a runway to the Security+.  I would recommend the path outlined by CompTIA.

But of course, I decided to take a shortcut and skip directly to the Security+.  It was not a shortcut – it took me many months to prepare for the test.  I could have been picking up certifications along the way instead!

The Exam

I took the exam at Pearson VUE.  All of the simulations were at the beginning of the test.  There were seven simulations on my test, dealing with tasks such as setting up firewall rules and configuring RAID.  The book “Security+ Exam for Dummies” really helped me prepare for this part of the exam.  Some of the examples in this book were very close to what was on the actual test.

I believe that I got six of the seven simulations correct.  I bombed one of them completely.  This put me in a tight spot because I had heard that the simulations are more heavily weighted than the multiple-choice section.

So I carefully worked through the multiple-choice questions and did the best I could to narrow down the answers and choose the correct choice.  Unlike the CASP and the CISSP, the questions on the Security+ exam are black and white.  There is a single right answer to all of the questions.  You will not find questions that try to trip you up by showing two solutions that are correct and making you choose the best one.

I nervously clicked the “complete test” button and waited for the response.  I was happy to find that I passed the exam.  This was my first step in my certification path.


Why Hardware Encryption is Not Secure

A Little History…

In the past, it was assumed that hardware encryption was far more secure than software encryption.  Many people, including security experts, still believe this to be true.  And in the past, it was true.

But recent history has shown that hardware encryption is highly vulnerable.  The most widely publicized of the recently discovered hardware vulnerabilities are Spectre and Meltdown; both exploit flaws in the processor itself.

Our good friend Steve Gibson has also outlined severe security vulnerabilities in hardware-encrypted solid-state drives (SSDs).  Every SSD the researchers examined was found to have a vulnerability so critical that there is almost no barrier to accessing the encrypted data on the drive.  Steve outlined the details on his Security Now podcast.

Backdoors and Poor Encryption Standards

Hardware companies are notorious for including backdoors.  The expectation, or at least the concern, is that companies and even governments include backdoors at the chip level.  This is entirely feasible and also likely.

It has also been reported that poor engineering practices lead to hardware encryption vulnerabilities.  For example, encryption keys may not be stored securely, or may not be unique to each machine.

The Solution?

The solution is quite simple.  Encrypt your data using reputable software encryption.  You will certainly keep your data more secure than with hardware encryption alone.  The software should be widely accepted; don’t use an encryption solution that is lesser-known or obscure.  Strong encryption requires methodical perfection in its processes, because encryption is only as secure as its weakest link.

I use VeraCrypt or AxCrypt.  Both are free, widely accepted, and secure!
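A practical first check before switching tools is to find out whether your existing disk encryption is silently delegated to the drive's own hardware.  The following PowerShell is an added example for this page, not code from the original post or from any product mentioned in it.  It assumes a Windows machine where `manage-bde -status` is available and that its output lists each volume with an "Encryption Method:" line, which reads "Hardware Encryption" when BitLocker has handed the work to a self-encrypting drive; the sample output embedded below is constructed, not captured from a real system, so confirm the wording against your own build.

```powershell
# Added example (not from the original post): list volumes whose encryption
# is delegated to the drive's own controller instead of done in software.
# Assumptions: Windows with manage-bde.exe, run from an elevated prompt, and
# an "Encryption Method:" line per volume in the manage-bde -status output.

function Get-HardwareEncryptedVolumes {
    param(
        # Lines of manage-bde -status output; defaults to running the tool.
        [string[]]$StatusLines = (& manage-bde.exe -status 2>&1)
    )
    $currentVolume = $null
    foreach ($line in $StatusLines) {
        # Each volume block starts with a header such as "Volume C: [OS]".
        if ($line -match '^\s*Volume\s+([A-Z]:)') {
            $currentVolume = $Matches[1]
            continue
        }
        # Report the method for the volume we are currently inside.
        if ($line -match '^\s*Encryption Method:\s*(.+)$') {
            $method = $Matches[1].Trim()
            [pscustomobject]@{
                Volume             = $currentVolume
                EncryptionMethod   = $method
                HardwareEncryption = [bool]($method -match 'Hardware')
            }
        }
    }
}

# Constructed sample output (hypothetical, not captured from a real machine).
$sample = @(
    'Volume C: [OS]',
    '[OS Volume]',
    '    Encryption Method:    XTS-AES 128',
    'Volume D: [Data]',
    '[Data Volume]',
    '    Encryption Method:    Hardware Encryption'
)

# Flag only the volumes whose encryption lives in the drive hardware.
Get-HardwareEncryptedVolumes -StatusLines $sample |
    Where-Object HardwareEncryption |
    ForEach-Object {
        "$($_.Volume): $($_.EncryptionMethod) - consider software encryption instead"
    }
```

Run it without the `-StatusLines` argument to inspect the live machine; any volume flagged here is one whose security rests entirely on the drive vendor's firmware, which is exactly the situation the SSD research described above warns about.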