Certified Information Systems Security Professional (CISSP) is an independent information security certification for IT professionals administered by the International Information System Security Certification Consortium, (ISC)². CISSP is recognized globally as one of the leading certifications in the field of IT security.

Since 2015, the CISSP curriculum has been organized around eight domains. These are:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

However, it is important to note that government, military, and non-profit sectors have more extensive information security needs than private companies. As well as dealing with network security and information privacy, these organizations need to actively protect against cybercrime and cyber terrorism.

Difference Between Cybercrime and Cyber Terrorism

People are commonly confused about the difference between cybercrime and cyber terrorism. Each phrase can be best understood by breaking it down into its two separate parts.

The word “cyber,” on its own, refers to cyberspace. This, broadly speaking, usually means the Internet; however, it can also be extended to any other modern communications network, including mobile phones. Therefore, crime or terrorism that is undertaken using chat rooms, email, social media, online banking, internet forums, SMS, or MMS messages is said to be either cybercrime or cyber terrorism.

To understand the distinction between cybercrime and cyber terrorism we need to understand the definitions of the words “crime” and “terrorism.”

Crime is a very broad term that refers to any sort of illegal activity. Therefore, cybercrime is any sort of illegal activity that is conducted via cyberspace including money laundering, child pornography, identity theft, or creating spyware. All cyber terrorism is a form of cybercrime; however, most cybercrimes are not cyber terrorism.

Cyber terrorism is distinguished from other cybercrime chiefly by its motive. Whereas cybercrime is usually motivated by personal gain for the attacker, cyber terrorism, like any other form of terrorism, is usually motivated by an intent to cause destruction or violence and create fear. Cyber terrorists hope that, by inciting fear and causing mass violence and destruction, they will be able to manipulate governments, organizations, or societies into changing their policies or adopting the ideology of the attacker. Cyber terrorism is often politically or religiously motivated.

What Is Offensive Cyber Security?

A widely accepted definition of offensive cyber security is as follows:

“Offensive security is a proactive and adversarial approach to protecting computer systems, networks, and individuals from attacks. Conventional security—sometimes referred to as “defensive security”—focuses on reactive measures, such as patching software and finding and fixing system vulnerabilities. In contrast, offensive security measures are focused on seeking out the perpetrators and in some cases attempting to disable or at least disrupt their operations.” (Source: Techtarget.com)

In other words, offensive cyber security is about utilizing IT security knowledge and processes to put systems in place to deter and foil cyberattacks before they happen.

Three Offensive Cyberattack Technologies

According to Josh Cartin’s journal article in Global Security Studies, there are three types of offensive cyberattack technologies: cyber exploitation, cyber disruption and cyber deception.

A cyber exploitation is essentially an invasion (or intrusion) of an organization’s information system in order to access, destroy, or scrutinize classified or sensitive information. This information could include top secret defense knowledge, such as classified weapons systems, or system-related information such as passwords, financial or personal details, or source code. Cyber exploitations commonly emanate from China.

Cyber disruption, on the other hand, is any form of cyberattack that threatens the smooth service or functioning of IT systems; for example, denial of service and distributed denial of service attacks. Less than a week ago a major cyber disruption attack brought outages to companies including Twitter and Netflix. The attack was executed by flooding the affected websites with more traffic than they could handle, causing access difficulties, delays, and faults in service. This is the same method seen in the April 2007 attacks on Estonian institutions and the August 2008 attacks on Georgian government agencies and websites. The threat of cyber disruption is a very disturbing one, as the US Armed Forces depend on IT infrastructure, as do America’s banking and financial services, emergency services, and energy grid.

The third category of offensive cyberattack technologies is known as cyber deception. This is when IT systems are hacked so data can be distorted, causing the system to deliver incorrect information to people who rely on the information to make important decisions. Many processes within military, government, and non-profit organizations are automated so, if this form of offensive cyberattack can corrupt or deceive the information system, the integrity and reliability of an entire organization can fall into disarray.

Ways to Protect Against Offensive Cyberattack Technologies

Paul Asadoorian and John Strand, instructors at the SANS Institute, explained at a conference in 2012 two ways to protect against offensive cyberattack technologies. These methods are known as annoyance and attribution.

The premise of annoyance is to use tools to create false ports, services, and directories within your IT system. If a hacker manages to breach your false systems, they will end up endlessly looping around these false systems without being able to disturb or access the data or functionality of your actual system.

Attribution, that is, accurately identifying an attacker, can be done by embedding a web bug in any sensitive documents. If the document is accessed from an external system, the web bug will send back a report to you with information about who accessed your document. Although this doesn’t prevent a cyberattack, it is very useful for detecting breaches in security early on and for providing helpful information to authorities for prosecution.
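As an added illustration of the attribution idea (this is example code, not from the article or from Asadoorian and Strand’s talk): each sensitive document gets a unique beacon URL; when the document is opened, the embedded reference fetches that URL, and the beacon server’s access log reveals which document was opened, from where, and whether the source address is outside the organization. The beacon URL scheme, the log format (Apache-style combined log), and the internal address ranges are assumptions.

```python
import ipaddress
import re
import secrets
from typing import Dict, List, Optional

# Assumed internal ranges; replace with the organization's own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def new_canary(document_name: str, beacon_host: str, registry: Dict[str, str]) -> str:
    """Mint a unique token for one document, remember which document owns it,
    and return the beacon URL to embed (e.g. as a remote image reference)."""
    token = secrets.token_hex(8)
    registry[token] = document_name
    return f"https://{beacon_host}/b/{token}.gif"

# Assumed combined-log line as written by the beacon web server.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /b/([0-9a-f]+)\.gif[^"]*" \d+ \d+ "[^"]*" "([^"]*)"')

def parse_hit(line: str, registry: Dict[str, str]) -> Optional[dict]:
    """Map one log line back to a document; None for unrelated or unknown-token requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, when, token, agent = m.groups()
    doc = registry.get(token)
    if doc is None:
        return None  # unknown token: scanning noise against the beacon host
    ip = ipaddress.ip_address(src)
    return {"document": doc, "source": src, "time": when, "agent": agent,
            "external": not any(ip in net for net in INTERNAL_NETS)}

def external_opens(lines: List[str], registry: Dict[str, str]) -> List[dict]:
    """Keep only beacon hits that came from outside the organization's networks."""
    hits = (parse_hit(line, registry) for line in lines)
    return [h for h in hits if h and h["external"]]

# Constructed sample data: one registered token and a few constructed log lines.
SAMPLE_REGISTRY = {"deadbeef01234567": "contract-draft.docx"}
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Oct/2016:09:00:01 +0000] "GET /b/deadbeef01234567.gif HTTP/1.1" 200 43 "-" "Word/16.0"',
    '203.0.113.7 - - [10/Oct/2016:12:00:01 +0000] "GET /b/deadbeef01234567.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2016:12:00:05 +0000] "GET /b/0000000000000000.gif HTTP/1.1" 404 0 "-" "curl/7.50"',
    '198.51.100.9 - - [10/Oct/2016:12:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.50"',
]

if __name__ == "__main__":
    for hit in external_opens(SAMPLE_LOG, SAMPLE_REGISTRY):
        print(f"ALERT: {hit['document']} opened from {hit['source']} at {hit['time']} ({hit['agent']})")
```

The internal open from 10.1.2.3 is recorded but not alerted on; only the open from 203.0.113.7 is flagged as an external access of the registered document.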

Aside from these strategies, many government, military, and non-profit organizations conduct penetration testing or ethical hacking to test the security of their systems and information.

Why Government, Non-Profit, and Military Organizations Should Hire a CISSP-Certified IT Professional

CISSP is the premier information security certification in the world. Not only is it a qualification that is recognized globally, but it was also the first credential developed specifically for information security. Candidates who pass this certification have broad experience and knowledge related to all aspects of software and hardware architecture, design, management, and controls. This is especially important for government, non-profit, and military organizations, which may face more security risks and threats than the average business environment.

Although there are many other information security training programs developed by small companies on the market, many are not worth more than the paper they are printed on. Some of these qualifications can be gained simply by attending a two-day training course and provide lifetime certification. This is completely farcical, given that new security threats and new forms of technology are developed each month, requiring new security protocols to be developed and enforced. CISSP-certified individuals, on the other hand, must engage in continuing professional development every year to maintain their CISSP status. This ensures that they are up to date with the latest innovations, security threats, trends, and information security research.

Government, non-profit, and military organizations should hire candidates who, at a minimum, have a four-year degree in computer science or computer engineering from a well-regarded college, CISSP certification, and several years of postgraduate work experience in information security. CISSP certification is important for government and military employers to consider due to the 8520 regulation/directive, which requires government organizations to have certified IT professionals.

Special Skills and Training CISSPs Will Need to Work in These Fields

Although all candidates who desire to work in the government, military, or non-profit sectors should be CISSP-certified, additional special skills and training will also be invaluable. According to a 2012 report by the Department of Homeland Security, there is a huge skills shortage in the United States in cyber security for mission-critical jobs. “Mission-critical jobs,” according to the report, require specialist skills in penetration testing, incident response, and threat analysis, and the Department of Homeland Security has made it a high priority to find more candidates with demonstrated skills and expertise in penetration testing in particular.

The report states that:

“Knowing how to penetrate an architecture allows for better security monitoring, event analysis, security engineering, and architecture…and knowing how to find and exploit application vulnerabilities allows for better code reviews, forensics analysis, threat analysis, and incident response.”

It goes on to explain that, because real human lives are often at stake in the military/government arena, the skill level of information security professionals working in this field must be equivalent to the skill level of a pilot, physician or nuclear plant operator. Thus, information security professionals who can demonstrate skills in penetration testing, ethical hacking, incident response, and threat analysis will be highly regarded. Risk management, cryptography, data analysis, mobile security, and cloud-based security skills (such as SAML) will also be advantageous due to the increase in bring your own device (BYOD) policies and cloud-based software-as-a-service applications. Individuals who wish to work in government and military organizations will also need to be able to prove their trustworthiness, as they may be required to undergo background checks and security clearances.


Some government organizations now even hire information security professionals on a CV-blind basis and make their decisions relying on mandatory work sample tests instead. Work sample tests may include short “capture-the-flag” experiments, e.g., giving candidates access to a test network and asking them to break the computers in this network within a short timeframe. This is because government organizations, which may be under threat from hackers, need their security professionals to be able to think like hackers themselves so they can anticipate an attacker’s next steps before they happen.

How to Find a Job as a CISSP Working for Government, Military, or Non-Profit Organizations

CISSP jobs are listed on all the usual online job sites, including Indeed.com, Careerbuilder.com, and CISSPjobboard.com. This page provided by the U.S. Department of State is a good resource of places to look to find non-profit organizations that may need CISSPs.

The top five biggest government/military employers of CISSP-qualified information security professionals are:

The National Science Foundation and Department of Homeland Security also offer Scholarships for Service (financial assistance with undergraduate, masters or doctoral studies for information security professionals seeking employment in government once they graduate).

Be Safe

Ryan Fahey

View more articles from Ryan
