topic Re: Community Site Security? in Member Support

Community Site Security?

AppDefects — Fri, 19 Jul 2019 17:32:57 GMT

@david-shearer @amandavanceISC2 this Community site needs some love and attention to when it comes to security. In particular, it is missing several "security headers". The site gets a failing grade of "D" [report here]. In comparison the isc2.org site gets a grade of A [report here].

Re: Community Site Security?

SamanthaO_isc2 — Fri, 19 Jul 2019 16:17:08 GMT

Hello @AppDefects ,

Thank you for bringing this to our attention. We will have our security team review this information.

Re: Community Site Security?

Chuxing — Fri, 19 Jul 2019 16:28:00 GMT

Need to take as a grain of salt of these types of scans, they typically don't mean a whole lot.

Go scan dhs.gov, whitehouse.gov, etc.

Bottom line, I don't think we need to spend time and money on meeting these scans. Of course the overall security measures need to be in place, but no necessarily spending effort chasing some academic security standards.

JMHO,

Re: Community Site Security?

Shannon — Fri, 19 Jul 2019 16:33:46 GMT

If that site provides a reliable assessment this is certainly an embarrassment for (ISC)2.

Assuming the community site is still being 'developed' --- like I said in another post, it's like they employed the waterfall model, but re-ordered the phases --- perhaps we'll see this attended to shortly.

(I seem to be feeling over-optimistic today --- could have been something I ate... )

Re: Community Site Security?

AppDefects — Fri, 19 Jul 2019 17:46:12 GMT

@Chuxing wrote:
these types of scans, they typically don't mean a whole lot.

Unfortunately, we hear (la, la, la, la, la, not listening to you) a lot until something happens. Then it is on record that management knew about it and maybe they didn't do anything about it because someone told them not to. I wouldn't want to be in that position. I take AppSec very seriously. That is why I showed the comparison between sites and the differences in grades. Why should social media sites be a <blank>. The organization has a responsibility to protect your data and mine.

Re: Community Site Security?

Chuxing — Fri, 19 Jul 2019 23:56:19 GMT

There’s security risk, and there’s risk management. For any realistic risk management, one has to evaluate the probability and the impact, then decide what is the most optimum risk treatment. One of the risk treatments is acceptance.

It is my humble opinion that in this case, acceptance should be the treatment.

If ISC2 has unlimited resources, sure, go ahead to make the residual risk next to zero.

FWIW,

Re: Community Site Security?

david-shearer — Sat, 20 Jul 2019 00:43:39 GMT

Message received.

Regards,

David Shearer
CEO

(ISC)2, Inc.
311 Park Place Blvd., Suite 400
Clearwater, FL 33759

www.isc2.org | www.iamcybersafe.org | dshearer@isc2.org

Re: Community Site Security?

denbesten — Sun, 21 Jul 2019 04:24:32 GMT

Lithium communities at other companies (Checkpoint, Cisco, Spotify, Sprint, Dell) get similar grades. It seems like the "AppSec" vulnerability and its response belong to Lithium, not (ISC)².

(ISC)²'s risk is most likely reputational damage from a supplier breach. Their mitigation is to minimize non-public information shared with suppliers and to include a "supplier breach" scenario in their Incident Response playbook so that they are prepared to quickly respond.

My guess/hope is that (ISC)² is only sharing first/last name, email and a list of certificates held (to be turned into badges). If true, @Chuxing is on the right track regarding the severity and appropriate response.

I do suggest that if one believes there to exploit potential, the community is not the best place to start the conversation. Instead, one ought to follow responsible disclosure practices. That is, privately report the issue and a reasonable deadline to the company before you go public.

Re: Community Site Security?

rslade — Mon, 22 Jul 2019 17:25:39 GMT

> denbesten (Community Champion) posted a new reply in Member Support on

> I do suggest that if one believes there to exploit potential, the
> community is not the best place to start the conversation.

You could, of course, sign on to the CISSPforum, and, privately and safely, discuss
it there ...

https://community.isc2.org/t5/Welcome/Privacy/m-p/10722

https://community.isc2.org/t5/Welcome/CISSPforum-replacement/m-p/11006

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
True patriotism hates injustice in its own land more than
anywhere else. - Clarence Darrow
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Community Site Security?

cdc — Wed, 14 Aug 2019 04:23:44 GMT

When was the last ISC2 security risk assessment performed and what were the results?

Re: Community Site Security?

Shannon — Wed, 14 Aug 2019 05:14:20 GMT

@cdc wrote:
When was the last ISC2 security risk assessment performed and what were the results?

I have a feeling they concluded that performing a risk assessment was too much of a risk...

Re: Community Site Security?

cdc — Wed, 14 Aug 2019 16:38:12 GMT

Would you share a list of what you consider "academic" and therefore not worth time to implement?

Re: Community Site Security?

cdc — Wed, 14 Aug 2019 16:42:11 GMT

@AppDefects, great catch! The lack of content security policy is the main reason for the C grade. Troy Hunt, Microsoft Regional Director and MVP, has several articles on his website about its purpose and how to configure.