(ISC)² Code Of Ethics

Posted: January 26, 2014 in Analysis

This is an interesting thought that came to my mind while I was looking at the Official (ISC)² Guide to the CISSP CBK, third edition. It is about the code of ethics we have to adhere to as CISSPs. There is a Code of Ethics Preamble and four Code of Ethics Canons.

Code of Ethics Preamble [1]:

  • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons [1]:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

I wanted to understand the canons in more depth, and I found a nice article on eHow.com by Jennifer Gigantino that explains each of them in detail.

First Canon

The first canon of the (ISC)2 Code of Ethics is to “protect society, the commonwealth, and the infrastructure” (the eHow article quotes an older wording; the current text of the canon, quoted above, reads “protect society, the common good, necessary public trust and confidence, and the infrastructure”). In short, CISSPs must promote public trust in information and systems, as well as the understanding of proper information security measures. They must also discourage unsafe information security practices and strengthen the integrity of the public infrastructure.

Second Canon

The second canon is to “act honorably, honestly, justly, responsibly, and legally.” CISSPs must tell the truth, as well as honor all commitments and agreements. Their advice must be given prudently and without unnecessary alarm. They must be objective and fair with those they deal with and in the advice they give, and when the laws of different jurisdictions conflict, they should give preference to the laws of the jurisdiction in which the service is rendered.

Third Canon

The third canon is to “provide diligent and competent service to principals.” This means that CISSPs must avoid conflicts of interest while respecting the trust placed in them as well as the value of systems and information. CISSPs are also obligated to render services only when they are fully competent and qualified to do so.

Fourth Canon

The fourth canon is to “advance and protect the profession.” A CISSP must respect the reputations of other professionals and sponsor those best qualified for advancement. Conversely, a CISSP should avoid professional association with those who degrade the profession. Above all, a CISSP should keep their own skills and knowledge sharp and current while giving generously of their time and knowledge to others.

I hope this explains what a CISSP can and cannot do from the ethical perspective.


[1] https://www.isc2.org/ethics/default.aspx



Cyber criminals are taking advantage of the widespread popularity of the mobile messaging app WhatsApp. A malware expert at Kaspersky Lab revealed a large-scale spam campaign that advertises a fake PC version of WhatsApp in order to spread a banking trojan.

According to the report, unsuspecting users received an email written in Portuguese. It relies on a social-engineering lure: the message tells the recipient that they already have 11 pending friend invitations.

If users click the “Baixar Agora” (Download Now) link in the spam email, they are redirected to a Hightail.com URL to download the trojan. Hightail is a cloud storage service; the malicious component hosted there is a downloader that then fetches the banking malware from a server in Brazil.

The file stored on the Hightail server looks like a 64-bit installer bundled with a 2.5 megabyte MP3 file. According to VirusTotal, only 3 of 49 anti-malware engines detected it.

“This Downloader has some anti-debugging features like UnhandledExceptionFilter() and RaiseException(), and once running, it downloads a new Trojan that is the banker itself. This time the malware comes from a server in Brazil and has a low VT detection, 3 of 49. The recently downloaded banker has the icon of an mp3 file. Most users would click on it, especially after seeing it is about 2.5MB in its weight.”

During execution, the malicious code communicates with its command and control servers to report infection statistics and provides a system console through local port 1157. The malware sends the stolen information back in Oracle DB format. It is also able to download further payloads onto the infected system.

There are some interesting considerations:

• The technique used by the attackers could prove very effective in the regions where the application is most used, i.e. Latin America and Europe. WhatsApp has more than 430 million users, 30 million of them added in just the last month.

• Researchers identified the “classic style of Brazilian-created malware”; the campaign targets the Brazilian population, which is much inclined to use WhatsApp. The language used and the fact that the trojan is downloaded from a Brazilian server support this hypothesis.

This isn’t the first spam campaign to abuse the WhatsApp brand: last November cyber criminals leveraged the service to push malware via email by tricking users into thinking they had a new voicemail message.

Source : THN
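As an added example (this is not code from the original article or from Kaspersky's report), here are two cheap triage checks that catch the lure described above: a link whose visible text is a download call-to-action but whose target is a file-sharing host rather than the impersonated brand, and a file whose bytes are a Windows PE image regardless of the media icon or file name it carries. The sample mail body, the file-sharing host list and the byte strings are constructed for the example, and the download keywords are an assumption about what such lures say.

```python
"""Added example: two triage checks for a fake-installer lure.
Sample mail HTML, host list and file bytes are constructed, not real samples."""
import struct
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a brand would never use to hand out its own installer (constructed list)
FILE_SHARING_HOSTS = {"hightail.com", "www.hightail.com"}
# Download call-to-action words in the languages this campaign and its relatives use
DOWNLOAD_WORDS = ("baixar", "download", "descargar")

# Constructed mail body mimicking the lure: one brand link, one "Baixar Agora" link
SAMPLE_MAIL_HTML = """
<p>Voc&ecirc; tem 11 convites pendentes.</p>
<p><a href="http://www.whatsapp.com/">WhatsApp</a></p>
<p><a href="https://www.hightail.com/download/abc123">Baixar Agora</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_download_links(html, claimed_brand):
    """Return (text, host, reason) for download links that do not lead to the brand."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not any(word in text.lower() for word in DOWNLOAD_WORDS):
            continue
        if host in FILE_SHARING_HOSTS:
            findings.append((text, host, "file-sharing host"))
        elif claimed_brand.lower() not in host:
            findings.append((text, host, "host does not match brand"))
    return findings


def is_pe_executable(data):
    """True if the bytes are a Windows PE image, whatever the name or icon says.

    A PE starts with the DOS 'MZ' stub; the 32-bit value at offset 0x3C points to
    the 'PE\\0\\0' signature of the NT headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed byte strings: a minimal PE header and an MP3 (ID3v2) header
FAKE_PE = bytearray(0x48)
FAKE_PE[:2] = b"MZ"
struct.pack_into("<I", FAKE_PE, 0x3C, 0x40)
FAKE_PE[0x40:0x44] = b"PE\0\0"
FAKE_PE = bytes(FAKE_PE)
FAKE_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 64

if __name__ == "__main__":
    print(suspicious_download_links(SAMPLE_MAIL_HTML, "whatsapp"))
    for name, blob in (("whatsapp_setup.mp3", FAKE_MP3), ("whatsapp_setup.exe", FAKE_PE)):
        print(name, "is a PE image:", is_pe_executable(blob))
```

The file check deliberately ignores the extension and the icon: the icon the article mentions lives inside the PE's resource section and is exactly what the attacker controls, so only the magic bytes are worth trusting.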

Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system*. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.

This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.

For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.

Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.

Microsoft recommends best practices to protect your PC such as:

  • Using modern software that has advanced security technologies and is supported with regular security updates,
  • Regularly applying security updates for all software installed,
  • Running up-to-date anti-virus software.

Our goal is to provide great antimalware solutions for our consumer and business customers. We will continue to work with our customers and partners in doing so, and help our customers complete their migrations as Windows XP end of life approaches.

Source: Technet.com

Internet Explorer 11 offers improvements to Enhanced Protected Mode, password manager, and other security features. Internet Explorer 11 also turns on Transport Layer Security (TLS) 1.2 by default.

Privacy settings

By adjusting Internet Explorer’s privacy settings, you can affect how websites monitor your online activity. For example, you can decide which cookies are stored, how and when sites can use your location info, and block unwanted pop-ups.

Tracking Protection

Tracking Protection helps prevent information about your browsing from being sent to third-party content providers on sites you visit. Think of a Tracking Protection List as a “do not call” list: Internet Explorer blocks any third-party content from sites on the list, and limits the info those third-party sites can collect about you.

Private Browsing

Browsers store some info—like your search history—to help improve your experience on the web. When you use InPrivate Browsing, info like passwords, search history, and page history is deleted once you close the tab.

Enhanced Protected Mode

Enhanced Protected Mode makes it harder for malware to run in Internet Explorer by running tab content with reduced privileges (an AppContainer sandbox). It is always on in the immersive (Windows 8-style) Internet Explorer; in Internet Explorer for the desktop it is off by default and can be turned on under Internet Options > Advanced > Security. Note that some older add-ons and ActiveX controls are not compatible with it and will be disabled while it is on.

Security zones

By changing the security settings, you can customize how Internet Explorer helps protect your PC from potentially harmful or malicious web content. Internet Explorer automatically assigns every website to a security zone: Internet, Local intranet, Trusted sites, or Restricted sites. Each zone has a different default security level that determines what kind of content might be blocked for that site. Depending on the security level of a site, some content might be blocked until you choose to allow it, ActiveX controls might not run automatically, or you might see warning prompts on certain sites. You can customize the settings for each zone to decide how much protection you do or don’t want.

At the end of 2012, we thought we were about to witness the end of the world. In 2013, the end of Futurama was gravely approaching. 2014 will bring us the end of support for Microsoft’s Windows XP. This ‘catastrophe’, as Windows representatives put it, is scheduled for April 8. However, you can bet that users around the world will continue to use their preferred OS after this date. It is not only a matter of usability, but also of users’ habits. It has been 12 years since its introduction to the public, and many PC users have got used to the system’s startup sound, the standard screen saver, and the enormous ‘Start’ button.

Check out the graph below: it depicts the changes in different OS use throughout 2013, as seen by NetMarketShare:



This is even more important in light of the fact that regular updates are key to effective protection against malware. Microsoft claims that the XP user base gets infected up to 3 times more often than Vista or Windows 7 users and 10 times more often than Windows 8 users. This is because of XP’s outdated protection mechanisms and, possibly, a lack of updates. Attackers often target well-known vulnerabilities that were never patched on the computer.

So update yourself to Windows 7 or 8. Keep XP contained in an isolated environment, because I still believe that for testing certain security things, the best OS is XP.

Source : kaspersky.com, NetMarketShare.com, Microsoft.com


New research conducted by SplashData revealed that “password” isn’t the dumbest password choice around anymore, as it has been replaced by “123456,” for the past year. However, “password” fell only one position compared with 2012, basically switching places with “123456.” The list of weak passwords includes various other obvious combinations such as “qwerty,” “iloveyou,” “1234,” “111111” and “000000.” Passwords such as “adobe123” or “photoshop” also made the top 20, revealing that many Internet users may choose passwords that are similar to the services they’re logging into.

“Seeing passwords like ‘adobe123’ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing,” SplashData CEO Morgan Slain said. “Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies.”

The ranking of bad login choices among Internet users was compiled from lists of hacked accounts containing millions of stolen passwords posted online last year. The top 25 worst passwords of 2013 follow below.
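As an added example (not SplashData's code), a password check that rejects the patterns this list exposes: entries from the worst-passwords list, short all-digit strings, single repeated characters, keyboard walks such as "qwerty", and the "adobe123" / "photoshop" case, a password built from the name of the service it protects, even when disguised with digit-for-letter substitutions. The worst list below is only the subset quoted in the article, and the substitution table is an assumption about common leetspeak.

```python
"""Added example: reject passwords that follow the patterns in the SplashData list.
WORST_2013 is the subset quoted in the article; a deployment would load the full list."""

WORST_2013 = {"123456", "password", "qwerty", "iloveyou", "1234", "111111",
              "000000", "adobe123", "photoshop"}
# Keyboard rows used to spot "walks" such as qwerty or 123456
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Assumed leetspeak substitutions, so "Ph0t0sh0p" still reads as "photoshop"
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def _letters(text):
    """Lowercase, undo leetspeak, keep letters only."""
    return "".join(c for c in text.lower().translate(LEET) if c.isalpha())


def weak_password_reasons(password, service_names=()):
    """Return the list of reasons a password is weak; empty means it passed.

    service_names: names of the site/product the password protects
    (e.g. ["adobe", "photoshop"]), so a password derived from them is rejected."""
    pw = password.lower()
    reasons = []
    if pw in WORST_2013:
        reasons.append("on the worst-passwords list")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw.isdigit():
        reasons.append("digits only")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    if len(pw) >= 4 and any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS):
        reasons.append("keyboard walk")
    stripped = _letters(pw)
    for name in service_names:
        if name.lower() and name.lower() in stripped:
            reasons.append("contains the service name")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "qwerty", "adobe123", "Ph0t0sh0p!", "correct horse battery staple"):
        print(f"{candidate!r}: {weak_password_reasons(candidate, ['adobe', 'photoshop']) or 'ok'}")
```

The service-name check works on the letters left after undoing substitutions, which is why it catches "Ph0t0sh0p!" as well as "adobe123"; a check on the raw string would miss the first.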



Watering hole is a computer attack strategy identified in 2012 by the security firm RSA. The attacker wants to compromise a particular group (organization, industry, or region). The attack consists of three phases:

  • Guess (or observe) which websites the group often uses.
  • Infect one or more of these websites with malware.
  • Eventually, some member of the targeted group will get infected.

Because it relies on websites the group already trusts, this strategy works even against groups that are resistant to spear phishing and other forms of phishing.

Ref : http://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/
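As an added example (not from the RSA report or the original post), here is how the second phase looks from a web proxy and how to hunt for it: a trusted site's pages suddenly start pulling in content from a host that is not among the third parties the site normally embeds, and the same new host is then seen serving a follow-on payload. The proxy records, the baseline and both host names are constructed placeholders, not sites from the VOHO case.

```python
"""Added example: hunting a watering hole in proxy logs.
Records, baseline, trusted site and attacker host are all constructed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy records: "timestamp client_ip url referer" ("-" = no referer)
SAMPLE_LOG = """\
2014-01-20T09:01:02 10.0.0.11 http://www.example-industry.org/news.html -
2014-01-20T09:01:03 10.0.0.11 http://cdn.example-industry.org/style.css http://www.example-industry.org/news.html
2014-01-20T09:01:03 10.0.0.11 http://analytics.example.net/a.js http://www.example-industry.org/news.html
2014-01-20T09:01:04 10.0.0.11 http://static.badhost.example/jquery.js http://www.example-industry.org/news.html
2014-01-20T09:05:10 10.0.0.23 http://www.example-industry.org/news.html -
2014-01-20T09:05:11 10.0.0.23 http://static.badhost.example/jquery.js http://www.example-industry.org/news.html
2014-01-20T09:05:12 10.0.0.23 http://static.badhost.example/x.jar http://static.badhost.example/jquery.js
2014-01-20T09:10:00 10.0.0.42 http://www.search.example/q?x=1 -
"""

# Third parties each trusted site is known to embed, learned from a clean period (constructed)
BASELINE = {
    "www.example-industry.org": {"cdn.example-industry.org", "analytics.example.net"},
}


def parse_log(text):
    """Yield (timestamp, client, url, host, referer_host) for each well-formed record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, url, ref = parts
        host = urlparse(url).hostname
        ref_host = urlparse(ref).hostname if ref != "-" else None
        yield ts, client, url, host, ref_host


def hunt(text, baseline):
    """Map (trusted_site, unexpected_host) -> set of clients that loaded it.

    A host that pages on a trusted site start pulling in, and that is not in the
    site's baseline, is what an injected script or iframe looks like at the proxy."""
    hits = defaultdict(set)
    for _, client, _, host, ref_host in parse_log(text):
        if ref_host in baseline and host != ref_host and host not in baseline[ref_host]:
            hits[(ref_host, host)].add(client)
    return dict(hits)


def follow_chain(text, host):
    """URLs fetched with the suspicious host as referer: the next stage it served."""
    return sorted({url for _, _, url, _, ref_host in parse_log(text) if ref_host == host})


if __name__ == "__main__":
    for (site, host), clients in hunt(SAMPLE_LOG, BASELINE).items():
        print(f"{site} now loads {host} for {len(clients)} client(s): {sorted(clients)}")
        for url in follow_chain(SAMPLE_LOG, host):
            print("  next stage:", url)
```

The baseline is the important part: without a record of which third parties each trusted site normally embeds, every CDN and analytics host looks like an injection. In practice the baseline is learned from a clean period and the hunt is re-run as new log batches arrive.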