2016: Held Ransom

Written and originally posted by Transcender

It was predicted late last year that 2016 would be the year for ransomware. Thus far, the prediction is proving right; only four months into 2016, the Locky ransomware has managed to spread itself over 114 countries (displaying its demands in a dazzling array of 24 languages). The Hollywood Presbyterian Medical Center paid $17,000 in bitcoins after having its computer systems seized in February 2016, while hospitals in Kentucky and Maryland report similar attacks.

In case you’ve been in that doomsday bunker a bit too long, ransomware is malicious mobster software that blocks access to your own data, usually by encryption that targets a local computer. Data stays locked away until you pay a tidy sum of money to the hacker (or, more commonly, to the hacking organization). The malware usually contains a ticking bomb that will format the entire hard drive if you don’t pay by a deadline (or post the data for everyone to see, just as extra motivation). The data kidnappers may call themselves hackers or vigilantes, or even pretend to be a federal agency, but their demand is always the same: pay us for your data — or else!

Worse, with automated viruses like CryptoLocker, CryptoWall and TeslaCrypt, hackers don’t have to go through the extra effort of targeting big fish like CEOs of Fortune 500 companies. Any end user could be bilked for hundreds of dollars. And, through the economies of scale, hackers rake in millions per campaign. While current-year damages won’t be tallied for a while, the FBI estimates the CryptoWall variant pulled in over $18 million from 2014 to 2015 alone.

End users are not the only targets; nor are Windows users. Major sites like the New York Times, BBC, AOL and NFL had their advertising networks compromised by malvertising, where a malicious ad hijacked users’ browsers and redirected them to install a crypto-virus via the Angler exploit kit (another argument for using adblockers?). And the once near-invincible Mac OS has been revealed as the target of the KeRanger malware – the first ransomware Mac users have ever had to contend with.

Posting to the security community in late March, Jonathan Klijnsma noticed that a WordPress plugin used by the iClass site was exposing visitors to the Angler exploit kit. It was possible for a TeslaCrypt payload to be installed if the following conditions were met:

  • The user’s browser was Internet Explorer (or the user-agent was set to IE).
  • The user was redirected from a search engine, like Google or Bing.
  • The user’s IP address or location was not blocked (probably by a blacklist that protects the hackers from getting served themselves!).

This vulnerability was not only difficult to detect, but also uncommon – most users do not use IE, and EC-Council students would access iClass directly without going through a search engine. I’m proud to say that EC-Council didn’t rest on their laurels. They fixed the problem within days of being notified of the security breach.
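Because the payload was gated on the visitor’s profile, a routine crawl of the site would have looked clean. One way a site owner can check for this kind of conditional injection, added here as an example and not code from the original post or from EC-Council, is to request the same page under several User-Agent and Referer combinations and diff the scripts that come back. The `fetch` callable, the URLs and the simulated server are assumptions; the IP-blacklist condition cannot be exercised with request headers and is not simulated.

```python
"""Site-integrity check for gated (conditional) script injection.

Added example, not code from the original post. Exploit-kit gates serve
malicious content only to visitors who match a profile (here: an IE user
agent arriving from a search engine), so the page looks clean to a normal
crawler. Fetching under several profiles and diffing the <script> elements
surfaces content that only some visitors receive.

`fetch(url, headers) -> str` is an assumption: in production it would do an
HTTP GET with those headers; a constructed in-memory stand-in is used below.
"""
import itertools
import re
from typing import Callable, Dict, List

# Visitor profiles to test: a normal browser vs. the gate conditions above.
USER_AGENTS = {
    "chrome": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/49.0 Safari/537.36",
    "ie11": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
}
REFERERS = {
    "direct": "",
    "google": "https://www.google.com/",
}

SCRIPT_RE = re.compile(r"<script[^>]*>.*?</script>", re.I | re.S)


def scripts_in(html: str) -> set:
    """Return the set of <script> elements in a page, whitespace-normalized."""
    return {" ".join(s.split()) for s in SCRIPT_RE.findall(html)}


def find_conditional_scripts(url: str, fetch: Callable[[str, Dict[str, str]], str]) -> Dict[str, List[str]]:
    """Fetch `url` under every UA x Referer combination and report scripts
    that are NOT present in every response: {script: [profiles that got it]}."""
    seen: Dict[str, List[str]] = {}
    for (ua_name, ua), (ref_name, ref) in itertools.product(USER_AGENTS.items(), REFERERS.items()):
        headers = {"User-Agent": ua}
        if ref:
            headers["Referer"] = ref
        for script in scripts_in(fetch(url, headers)):
            seen.setdefault(script, []).append(f"{ua_name}+{ref_name}")
    total = len(USER_AGENTS) * len(REFERERS)
    return {s: profiles for s, profiles in seen.items() if len(profiles) < total}


# --- Constructed stand-in for the site under test (placeholder hosts, not real) ---
CLEAN_PAGE = "<html><head><script src='/wp-content/plugins/example/app.js'></script></head><body>Hi</body></html>"
INJECTED = "<script src='//gate.example.invalid/ad.js'></script>"  # constructed placeholder


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    """Simulate a plugin that injects a script only for IE visitors arriving
    from a search engine, i.e. the gate described in the article."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    gated = "Trident" in ua and ("google." in ref or "bing." in ref)
    return CLEAN_PAGE.replace("</head>", INJECTED + "</head>") if gated else CLEAN_PAGE


if __name__ == "__main__":
    for script, profiles in find_conditional_scripts("https://www.example.invalid/", fake_fetch).items():
        print(f"conditional script {script!r} served only to: {profiles}")
```

Scripts present in every response are ignored; anything that shows up for only a subset of profiles is worth a closer look, and comparing against a known-good copy of the plugin narrows it further.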

A Testing Horror Movie

Written by David Foster, CEO of Caveon

There is a funny television commercial where a group of friends is running from an unseen danger, seeking a place to hide. They make several panicked suggestions to each other including hiding in an attic and a basement. They finally decide to hide behind a wall of chainsaws. The point was that in a horror movie you make poor decisions.

For a high-stakes testing program, the number and variety of test security threats would rival any horror movie, and the potential and actual damage can keep you up at night. In the light of day, it makes sense to be aware of those threats—and what to do about them—in order to make better decisions than the group in the commercial.

For years now I’ve talked about using a threat-based approach to security, eventually producing a list of 12 test security threat categories, divided equally between cheating and theft. In its simplest form, here is the list:

Cheating Threats

  • Using Pre-Knowledge of Test Questions
  • Using a Proxy Test Taker
  • Getting Help During the Test
  • Using Cheating Aids
  • Tampering with Scores after the Test
  • Copying from Another Person During the Test

Theft Threats

  • Capturing Downloaded Test Files on a Server or Stealing Test Booklets
  • Photographing Test Content During the Exam
  • Copying the Test Content Electronically
  • Memorizing the Test
  • Recording the Content Orally on a Recorder
  • Receiving the Test Content from a Testing Program Insider

For each of these there are dozens, or maybe even hundreds, of different ways the threat can be carried out.

By reviewing this list, a program can evaluate which threats pose the greatest danger or risk. The program can then put in place a carefully-crafted solution to prevent a possible breach or deter an attacker. It can set up a defense in order to better detect the beginnings of a breach or to mitigate any potential damage.

There are several reasons why avoidable test security breaches occur. Some testing programs will be surprised by a breach, and then be focused for months and years on future solutions for that specific breach, ignoring other dangers. A program may rely on a single security solution, such as requiring proctoring for their exam, not realizing that there are many threats to the security of a program that a proctor cannot detect or do anything about. Programs may not be aware how technology is being used today to cheat or to steal a program’s tests. Or a program is simply not funded adequately to protect the tests and usefulness of the test scores. These programs are living in a real horror movie with no control over the ending.

The good news is that great decisions can be made; risks of cheating and test piracy can be eliminated or mitigated. Good solutions are available. There is no reason to be in a horror movie to begin with or to stay there any longer than is necessary.

The CompTIA A+ 900 Series: What’s New

By: Robin Abernathy, Content Developer for Kaplan IT

It’s that time again! CompTIA has released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15. The 220-801 and 220-802 exams are still available, but will retire June 30, 2016 in the United States. This deadline should give you enough time to finish studying for the 800 series if you have already taken one test, because you cannot mix and match exam versions. If you pass the 220-801 or 220-802 exam, you must pass the other 800-series exam to obtain your A+. If you pass the 220-901 or 220-902 exam, you must take the other 900-series exam to obtain the A+.

Once again, with a new release, we see another small shift in the structure and topic coverage of the two exams. Years ago (and I am going to date myself here), the two exams were referred to as a Hardware exam and a Software exam. While I think the topic coverage is moving in this direction again, CompTIA is NOT referring to them in these terms, and all documentation from CompTIA will refer to them as 220-901 and 220-902. Broadly, though, I think of the tests as “hardware and networking” and “software and security.”

For the 220-901 exam, you will be expected to understand installing, configuring, and troubleshooting desktop, laptop, mobile device, and printer hardware, as well as basic networking topics. The breakdown of the exam’s topics is as follows:

  • Hardware – 34%
  • Networking – 21%
  • Mobile Devices – 17%
  • Hardware & Network Troubleshooting – 28%

For the 220-902 exam, you will be expected to understand installing, configuring, and troubleshooting Windows Vista, Windows 7, Windows 8, Windows 8.1, Mac OS, Linux, and mobile device operating systems. (Notice that Windows 10 is NOT included in this list.) It includes virtualization, cloud, and server technologies. It also covers security, including security devices and configuring and troubleshooting security components. Finally, it covers those soft skills and operational procedures required by the IT technician. The breakdown of the exam’s topics is as follows:

  • Windows Operating System – 29%
  • Other Operating Systems & Technologies – 12%
  • Security – 22%
  • Software Troubleshooting – 24%
  • Operational Procedures – 13%

When the 800-series A+ was released back in 2012, many test candidates decided to knock out both exams on the same day because there was so much overlap between the topics being covered. For those exams, this was probably a good strategy. But with the 900-series exams, the structure has changed enough that I would suggest that you prepare to take them separately, NOT on the same day. As you can see from the topic listings above, there is hardly any overlap between the two exams.

CompTIA has launched a new CompTIA Instructor Network (CIN), which I encourage all CompTIA instructors to join. It’s as easy as going here to sign up. It is a great way to network with other instructors. Recently, they started a Deep Dive series of webinars on the new A+ exams! To access the A+ Deep Dive series, go here.

Watch for my upcoming posts!

CISSP 2015: What’s New

As many of you are probably aware, (ISC)2 updated the Certified Information Systems Security Professional (CISSP) exam in April 2015. You may be worried that the update meant all the existing CISSP products out there immediately became obsolete. Fortunately, that is just not true.

So what did change? Well, there are several points that you need to understand about this new version. (ISC)2 posted a wonderful FAQ regarding the new version: https://www.isc2.org/cissp-sscp-domains-faq/default.aspx.

Here’s what I found from my own investigation of the new CISSP exam.

No topics were REMOVED from the exam.

From the FAQ link above: “Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains.” There was also this answer to a question: “Content was not removed from the exam and/or training material, but rather refreshed and reorganized to include the most current information and best practices relevant to the global information security industry.”

New topics WERE added to the exam.

From the FAQ link above: “The CISSP exam is being updated to stay relevant amidst the changes occurring in the information security field. Refreshed technical content has been added to the Official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today.”

New item types WERE added to the exam.

The exam includes both multiple choice and “advanced innovative” questions. The new innovative questions are hot spot and drag-and-drop questions. For more information on these question types, see https://www.isc2.org/innovative-cissp-questions/default.aspx.

The exam contains the same number of questions as before.

This exam still has 250 questions. You still have 6 hours to complete the exam.

The exam was condensed from 10 domains to 8 domains.

But let me repeat, content was not removed. It was simply restructured.

The new domains are:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

The experience prerequisites have not changed.

Again, as per the FAQ: “For the CISSP, a candidate is required to have a minimum of 5 years of cumulative paid full-time work experience in 2 out of the 8 domains (experience in 2 out of the total number of domains) of the CISSP CBK.”

If you don’t meet the experience requirements, you can still take the exam.

Basically, if you take and pass the exam without having the experience requirements, you don’t get the CISSP certification, but you do become an Associate of (ISC)2. That means they give you six years to meet the experience and CISSP endorsement requirements. See https://www.isc2.org/how-to-become-an-associate.aspx for more information on this loophole.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin Abernathy

NASCAR and Microsoft: A match made in Victory Lane

Author: George Monsalvatge, Team Lead – Microsoft IT Pro at Kaplan IT

Tags: azure, NASCAR, Shake and Bake, windows 10

I grew up in “stock car” country and loved to see auto racing, so I was pretty pleased when Microsoft announced it has teamed up with Hendrick Motorsports. NASCAR and Hendrick Motorsports will use the Windows 10 platform and Microsoft Azure to deliver technology solutions to make the cars faster and the fan experience better.

Microsoft will sponsor Dale Earnhardt Jr.’s Number 88 car.

For those of you not familiar with NASCAR, NASCAR is auto racing using cars that resemble standard stock cars, but these go 200 miles per hour around a track. Unlike Formula One or other open-wheel racing, stock car racing is full contact. These drivers bump and bang their cars into each other for 500 miles. Dale Earnhardt Jr. is the most popular driver in the sport, and Hendrick Motorsports is the most successful team; it includes four-time champion Jeff Gordon and six-time champion Jimmie Johnson.

Microsoft has made inroads into other sports recently. If you are a fan of American football, then you may have noticed that every NFL team uses Microsoft Surface tablets. NASCAR has a large fan base in the United States. One of the reasons for its large popularity is the interaction of the fans. When they’re at the track, fans can get pit passes to tour the garages and see the cars and teams up close. Even if a fan is not at the track on race day, the fan can get a 3D virtual picture of the live race, hear live race radio, and stream live audio of the driver talking with his crew during the race. Technology plays a big part in the fan experience in NASCAR as well, with the NASCAR teams trying to shave a hundredth of a second off a lap or pit stop.

In 2014 NASCAR used a Windows touch-enabled mobile line-of-business application for the race car inspection process across all three NASCAR series (Camping World Truck, Xfinity and Sprint Cup), which reduced inspection times by nearly half. NASCAR will use Windows 10 as its platform to run all apps for different types of devices and race operations. NASCAR teams will use this information to make quicker and more informed decisions in race situations. Hendrick Motorsports will use Azure to capture and analyze terabytes of data for race simulations. Making critical decisions at critical times is how great race teams win. How many laps can I keep the car out on the track before I need to get gas in the pits? How many laps can I get on these new tires now that the sun has come up and heated the track up by 10 degrees? If we give the car a track bar adjustment late in the race, will this give us a competitive edge? Knowledge is not only power, it is the difference between winning and losing.

Earnhardt said, “I’m a big technology user and really enjoy Microsoft products.” Dale Jr. may be excited about playing around with Windows 10.

As you’ve probably already heard, everybody that owns Windows 7, Windows 8, or Windows 8.1 can get a free upgrade for Windows 10 on July 29th, 2015. I know I’m supposed to be writing a more computer-oriented post here, but personally, I just can’t wait to see what improvements this will bring to my favorite sport. I hope to see you at the track.

Shake and Bake!

Employers Rely on TechCertRegistry for Verified Transcripts

The ITCC TechCertRegistry application allows IT candidates to create a secure account to aggregate their IT certifications into one, convenient record. The candidate is able to create a unique ID to use universally with credential sponsors/certification vendors and testing providers. After the account and ID are established, candidates can publish an official verified transcript of their IT certifications to employers or other parties and save time, money and frustration. https://techcertregistry.org


Attend Caveon’s Exam Integrity Investigations Webinar


Exam Integrity Investigations: An Introduction to the Essentials

It’s time for an investigation…now what?

Attend this free webinar on Wednesday, January 21, Noon ET

In today’s high-speed, electronically connected society, exam integrity incidents occur more frequently and present greater risks to test sponsors and their examinations. When incidents occur that threaten the integrity of your exam, you must have a comprehensive investigation plan in place that your team members understand and are prepared to execute swiftly and thoroughly.

Thorough investigations of exam integrity violations are needed in response to a wide range of possible exam integrity incidents, from individual cheating, to collusion, to item harvesting. It’s important to have personnel trained and ready to respond with effective strategies to (1) detect and mitigate exam integrity vulnerabilities and (2) conduct internal exam integrity investigations when incidents occur.

Join our hosts, Marc Weinstein and Ben Mannes of Caveon Investigation Services as they discuss why a sound investigation plan is necessary, what to consider when an investigation is conducted, and why having the right resources is so important.

This webinar is free, and will only last about an hour.

Welcome ITCC’s Brand New Vice-Chair, Kristin Wall Gibson!


Kristin Wall Gibson manages the IBM Cloud & Smart Infrastructure Certification Program and has been developing IBM certification exams since 2005. She has helped C&SI transition their exam development processes to exclusively utilize virtual SMEs using various collaborative technologies and tools.

ITCC Seeks Nominees for Innovation Award by January 26, 2015


The Information Technology Certification Council (ITCC), a collective of IT industry leaders focused on promoting and growing professional IT certifications, is now accepting nominations for its first annual Innovation Award. The award will celebrate a true innovator in the industry responsible for creating a testing product, service or initiative that positively impacted a customer, test candidate experience, or company. Nominations will be open through January 26, 2015, and the award presentation will take place at an ITCC event gathering in conjunction with the ATP Innovations in Testing Conference in Palm Springs, California in March.

In order to qualify for a nomination, there are several criteria to meet. Participating companies and individuals must be a part of the IT certification industry and can include ITCC members. Implementation of an innovative test, process or service must have occurred within the past two years. The product, service or initiative must demonstrate a benefit to users and address a market need within the IT certification and testing industry. An example could be adding value to an IT certification or improving convenience or market access to a certification program. There is no fee associated with submission.

Participants must write a brief abstract of 500 words or less responding to any of the following questions, and a follow-up interview will take place if selected:

  • How did the product/service meet an unmet need or improve upon an existing process?
  • How is the product/service a unique offering?
  • What new value was created for the end user?
  • How will it go beyond marginal improvement and create a wide impact across the industry?
  • How has the product/service created a “me-too” response from competitors?
  • What quantifiable evidence or market data is available to support the success of the initiative?

The written response and contact information should be emailed to innovation@itcertcouncil.org.

The judging panel will be comprised of select members from the ITCC Board of Directors.

The winner receives a featured story in the ITCC quarterly e-newsletter, TechCertNews, and a recognition ad in industry press outlets; a presentation opportunity at an ITCC Member Meeting webinar; and a video capturing the ‘story’ around the winning product or service streamed through the ITCC website and social media outlets. For more information, contact info@itcertcouncil.org.