Editor-in-Chief: Tran Cheung
Editor Notes for Issue #5
As an official Communications Chair for the NJ Chapter, I would like to thank Ken Fishkin and Board members for the opportunity to help build awareness and support for the (ISC)² NJ Chapter community. Additional thanks to the contributing authors for another great monthly issue!
This month's contributors:
Disney Paul
Stan Mierzwa
Ken's Korner
Message From The President
In the six months that I've been President of our (ISC)² Chapter, I am humbled by how much we have accomplished in such a short period of time. This feat of course could not have been accomplished without the tremendous amount of work from our Board members, member volunteers and even non-member volunteers!
I want to take this time to thank everyone who has taken time away from their family to build and grow our community, through our monthly meetings, workshops, study groups, mentorship programs, conferences and our newsletter!
I also want to acknowledge that Tran Cheung, our Editor-in-Chief, has now accepted the position of Communications Chair on our Board! Congrats!
Chapter News
EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding Schrems II and Its Impact on the EU-U.S. Privacy Shield
On July 16, 2020, in a decision referred to as Schrems II, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield (Privacy Shield). Privacy Shield is a framework developed by the European Union (EU) and the United States to facilitate cross-border transfers of personal data for commercial purposes. Privacy Shield requires companies and organizations that participate in the program to abide by various data protection requirements and, in return, assures the participants that the transfer is compliant with EU law. The CJEU, however, found Privacy Shield inadequate in part because it does not restrain U.S. intelligence authorities’ data collection activities. According to the CJEU, U.S. law allows intelligence agencies to collect and use the personal data transferred under the Privacy Shield framework in a manner that is inconsistent with rights guaranteed under EU law. The CJEU focused on Section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333, and Presidential Policy Directive 28, which govern how the U.S. government may conduct surveillance of non-U.S. persons located outside of the United States.
Continue reading: click here.
Phishing Attacks that Defeat 2FA Every Time
Protected with 2FA? Think Again.
Two-factor authentication (2FA) is certainly a best practice for corporate security, but cybercriminals are also quite good at defeating it, often without a user’s knowledge. However, 2FA is not a panacea and, just like cyber awareness training, it is just one part of a total protection program. Assessing the risk of bypassing 2FA is an important part of any risk assessment, so we thought it would be helpful to review some of the threats we repeatedly encounter that defeat 2FA or multi-factor authentication (MFA).
Continue reading: click here.
Oil giant Shell discloses data breach linked to Accellion FTA vulnerability
Shell has disclosed a data breach involving stakeholders that exposed personal information records.
The oil and gas company said an unknown threat actor managed to gain access to "various files" during the time of intrusion which included personal data and information "from Shell companies and some of their stakeholders."
Shell has not disclosed how many individuals are involved in the security incident beyond saying that impacted parties have been contacted, alongside law enforcement agencies and regulators.
The firm added that it does not appear core IT systems have been compromised, as the route of access was isolated from the rest of Shell's central infrastructure.
However, the data breach has been connected to Accellion's File Transfer Appliance (FTA), enterprise software used to transfer large files -- and a solution linked to a string of security incidents in December 2020 and January 2021.
Continue reading: click here.
Upcoming Events
Public Speaking Workshop
Click here to register.
- Conducted by Steven Santamorena, Arthur Hedge, and Ken Fishkin
CISSP Study Group
- Conducted by Priyanka De Abrew and Member volunteers
At each of our weekly study groups, we will be reviewing a different CISSP domain.
Members only study location: https://zoom.us/j/97546610767?pwd=M1RIRThZODhRaFAxZCtrU1oyQlpEdz09
April 2021 Meeting Agenda
NJ Chapter April 2021 Meeting will be held on Thursday 4/29/2021.
We will have the honor of having Marene Allison, the CISO of Johnson and Johnson, who will discuss her amazing career along with the challenges she faces in her current role. She will be followed by Jason Starr and his team from Cyzen, to educate us about the art and science of planning and performing a penetration test.
Click here to register.
NJ Social Engineering Conference (SECON) 2021
NJ SECON 2021 conference is now a joint effort with the NJ Chapter of ISACA.
Date: Thursday, May 13, 2021
Time: 5-9pm
Location: A very unique and humorous virtual experience
Before you attend, we HIGHLY ENCOURAGE you to watch John Manley's SECON Tutorial to familiarize yourself with the conference's platform!
Conference is free for members and $10 for non-members.
Confirmed Speakers:
Jared Maples – Director of NJ Office of Homeland Security and Preparedness
Sajed “Saj” Naseem – CISO of NJ Courts and Adjunct Professor St. Johns University and Rachael Rakoski – Managing Partner at XPAN Law Partners
James McQuiggan – Security Awareness Advocate at KnowBe4, College Professor, (ISC)² Chapter President (Central Florida)
Stan Mierzwa - Managing Assistant Director, Lecturer, Center for Cyber Security at Kean University, Department of Criminal Justice
Bonus - NYU representatives will be discussing their affordable Cybersecurity Masters program.
Thanks to the support of our new sponsors, this conference is being offered as a free event to our members. We encourage you to visit their booths.
Click here to register for this event!
June 2021 Meeting Agenda
NJ Chapter June 2021 Meeting will be held on Thursday 6/24/2021.
Presenters:
Kathleen McGee – Partner at Lowenstein Sandler – White Collar Criminal Defense Practice
Peter Thermos – Founder, President of Palindrome Technologies
July 2021 Meeting Agenda
NJ Chapter July 2021 Meeting will be held on Thursday 7/29/2021.
Presenters:
Mike Wilkes – Chief Information Security Officer / Adjunct Professor - Security Scorecard
Fernando Leitao – Director at Mastercard Data & Services – Risk management quantification
August 2021 Meeting Agenda
NJ Chapter August 2021 Meeting will be held on Thursday 8/26/2021.
Presenters:
This will be a member speaking event. If you are interested in presenting at this meeting, please reach out to Ken at president@isc2chapternj.org.
New York Metro Joint Cyber Security Coalition (NYMJCSC) - 2021 Conference & Workshop
The 2021 NY Metro Joint Cyber Security Conference will take place virtually on October 14th, followed by a workshop on the 15th. NYMJCSC is now in its eighth year, featuring a keynote and sessions aimed at various aspects of information security and technology.
NYMJCSC will include several online workshops on October 15th featuring in-depth extended hands-on classroom-style educational courses to expand your knowledge and foster security discussions.
If you're interested in presenting at the conference, please reach out to Ken Fishkin at president@isc2chapternj.org.
Volunteer Opportunities
Volunteer Positions and opportunities
- Newsletter contributor – submission date is April 19th. We need 2-3 volunteers.
- August meeting - Speaking opportunities at member meetings / Round Table discussions
- Bring your own ideas to us
If you're interested in any of these volunteer opportunities, please reach out to Ken Fishkin at president@isc2chapternj.org.
Member Contributions
Application Security 101: Part Three of a Three Part Series by Disney Paul
Congrats, Disney Paul, on completing your three-part series on Application Security! Your articles are very timely and need to be discussed in more depth within the AppSec community. We all enjoyed gaining more insight into this very complex field in cybersecurity.
Continue reading: click here.
Taking a Practical Timely Opportunity to Evaluate the Security of Your Cloud Video Surveillance Solution by Stan Mierzwa
These days, it is not unusual to walk too far before you see the endpoint of a video surveillance system.
Consider the cameras you have seen on homes, at traffic stop lights (look up), in stores, at the gym, in your workplace (when you are back in the office), transportation centers, warehouse facilities, and the list can go on and on. Video surveillance is a necessity in many environments where having the ability to review video footage following incidents, or the ability to get live feeds in the name of security, is warranted. In many cases, video surveillance will be coupled with having the ability to obtain alerts, based on motion or other sensors, to bring up video instantaneously. There are many use cases for video surveillance that make security sense. Through the Internet of Things (IoT) movement, the growth of IP-based video surveillance systems is considered one of the fastest increasing elements in this evolution. In a report from Allied Market Research, the video surveillance industry’s annual growth is expected to reach $144.8 billion by 2027, an increase of 14.6% (CAGR) between 2020 and 2027 (Allied Market Research, 2020).
Continue reading: click here.
Upcoming Presenters
Marene Allison
Marene is the Vice President of Information Security & Risk Management and Chief Information Security Officer for Johnson & Johnson.
She has responsibility for protecting Johnson & Johnson information technology systems and business data worldwide. This includes ensuring that the company’s information security posture supports business growth objectives, protects public trust in the Johnson & Johnson brand, and meets legal/regulatory requirements.
Marene is a member of the company’s Compliance committee and presents to the Johnson & Johnson Board of Directors on cybersecurity risk. With more than 260 companies in 60 countries worldwide, Johnson & Johnson is a global leader in consumer health, pharmaceutical products, and medical devices.
Jason Starr
Jason Starr is Business Development Manager at CyZen, which is the cybersecurity practice of Friedman LLP. Jason draws on a decade of experience in the professional services industry to bring his clients cutting-edge cybersecurity expertise that helps them improve their security posture and reduce risk. He works with clients across a broad range of industries including law, finance and government, among others.
Jason is a Certified Information Systems Security Professional (CISSP) and Certified in Risk and Information Systems Control (CRISC). Jason holds a Bachelor of Science in Marketing from Fairfield University and is currently pursuing his Master of Engineering in Cybersecurity Policy and Compliance from George Washington University.
Recordings and Slides From Prior Meeting
Video and content of our monthly meetings
March 25, 2021 meeting recordings:
Grace Chi and Dan Sherry - Pulsedive Threat Intelligence
* Pulsedive presentation slide deck
Please visit https://www.isc2chapternj.org/ to access previous meeting recordings.