Equifax data breach FAQ: What happened, who was affected, what was the impact?

In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.

As we’ll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.

How did the Equifax breach happen?

Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data.

Most of the discussion in this section and the subsequent one comes from two documents: A detailed report from the U.S. General Accounting Office, and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation. A top-level picture of how the Equifax data breach happened looks like this:

  • The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax’s internal processes, wasn’t.
  • The attackers were able to move from the web portal to other servers because the systems weren’t adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.
  • The attackers pulled data out of the network in encrypted form undetected for months because Equifax had crucially failed to renew an encryption certificate on one of their internal security tools.
  • Equifax did not publicize the breach until more than a month after they discovered it had happened; stock sales by top executives around this time gave rise to accusations of insider trading.

To understand how exactly all these crises intersected, let’s take a look at how the events unfolded.

When did the Equifax breach happen?

The crisis began in March of 2017. In that month, a vulnerability, dubbed CVE-2017-5638, was discovered in Apache Struts, an open source development framework for creating enterprise Java applications that Equifax, along with thousands of other websites, uses. If attackers sent HTTP requests with malicious code tucked into the Content-Type header, Struts could be tricked into executing that code, potentially opening up the system Struts was running on to further intrusion. On March 7, the Apache Software Foundation released a patch for the vulnerability; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn’t. On March 15, Equifax’s IT department ran a series of scans that were supposed to identify unpatched systems; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seem not to have worked, and none of the vulnerable systems were flagged or patched.

While it isn’t clear why the patching process broke down at this point, it’s worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: Unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit agency had hired the security consulting firm Mandiant to assess their systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into acrimony within a few weeks.

Forensic analysis after the fact revealed that the initial Equifax data breach date was March 10, 2017: that was when the web portal was first breached via the Struts vulnerability. However, the attackers don’t seem to have done much of anything immediately. It wasn’t until May 13, 2017 — in what Equifax referred to in the GAO report as a “separate incident” — that attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest. (We’ll revisit this time gap later, as it’s important to the question of who the attackers were.)

From May through July of 2017, the attackers were able to gain access to multiple Equifax databases containing information on hundreds of millions of people; as noted, a number of poor data governance practices made their romp through Equifax’s systems possible. But how were they able to remove all that data without being noticed? We’ve now arrived at another egregious Equifax screwup. Like many cyberthieves, Equifax’s attackers encrypted the data they were moving in order to make it harder for admins to spot; like many large enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to re-encrypt that traffic, these tools need a public-key certificate, which is purchased from third parties and must be annually renewed. Equifax had failed to renew one of their certificates nearly 10 months previously — which meant that encrypted traffic wasn’t being inspected.

The expired certificate wasn’t discovered and renewed until July 29, 2019, at which point Equifax administrators almost immediately began noticing all that previously obfuscated suspicious activity; this was when Equifax first knew about the breach.
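A routine that would have surfaced the lapse described above: an expiry audit over an inventory of certificates, with the decrypt-and-inspect device treated as the most urgent case, because an expired certificate there means encrypted traffic silently passes uninspected. This is an added example, not Equifax’s tooling; the inventory, device names and check date are constructed.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory (not Equifax's real environment). notAfter uses the
# "Mon DD HH:MM:SS YYYY GMT" form that Python's ssl module reports for peer
# certificates, so ssl.cert_time_to_seconds() can parse it directly.
INSPECTION_CERTS = [
    {"device": "dlp-proxy-01", "role": "decrypt-inspect", "notAfter": "Oct 15 09:00:00 2016 GMT"},
    {"device": "vpn-gw",       "role": "server",          "notAfter": "Apr 30 23:59:59 2017 GMT"},
    {"device": "web-portal",   "role": "server",          "notAfter": "Jun  1 00:00:00 2017 GMT"},
    {"device": "idp-sso",      "role": "server",          "notAfter": "Mar  1 00:00:00 2018 GMT"},
]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "WARN": 2}


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until the certificate's notAfter (negative once expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def audit_certs(inventory, now: datetime, warn_days: int = 30):
    """Return (severity, device, note) findings, most urgent first.

    An expired certificate on a decrypt-inspect device is CRITICAL: the tool
    cannot re-encrypt, so it stops inspecting, and encrypted exfiltration goes
    unseen, which is the failure mode described in the breach timeline.
    """
    findings = []
    for cert in inventory:
        days = days_until_expiry(cert["notAfter"], now)
        if days < 0:
            if cert["role"] == "decrypt-inspect":
                sev, note = "CRITICAL", f"expired {-days} days ago; encrypted traffic is passing uninspected"
            else:
                sev, note = "HIGH", f"expired {-days} days ago"
        elif days <= warn_days:
            sev, note = "WARN", f"expires in {days} days; schedule renewal"
        else:
            continue
        findings.append((sev, cert["device"], note))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def audit_at(year: int, month: int, day: int):
    """Run the audit against the constructed inventory as of a given UTC date."""
    return audit_certs(INSPECTION_CERTS, datetime(year, month, day, tzinfo=timezone.utc))


if __name__ == "__main__":
    # Constructed check date: the day the timeline says exfiltration began in earnest.
    for finding in audit_at(2017, 5, 13):
        print(*finding)
```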

It took another full month of internal investigation before Equifax publicized the breach, on September 8, 2017. Many top Equifax executives sold company stock in early August, raising suspicions that they had gotten ahead of the inevitable decline in stock price that would ensue when all the information came out. They were cleared, though one lower-level exec was charged with insider trading.

What data was compromised and how many people were affected?

Equifax specifically traffics in personal data, and so the information that was compromised and spirited away by the attackers was quite in-depth and covered a huge number of people. It potentially affected 143 million people — more than 40 percent of the population of the United States — whose names, addresses, dates of birth, Social Security numbers, and driver’s license numbers were exposed. A small subset of the records — on the order of about 200,000 — also included credit card numbers; this group probably consisted of people who had paid Equifax directly in order to see their own credit report.

This last factor is somewhat ironic, as the people concerned enough about their credit score to pay Equifax to look at it also had the most personal data stolen, which could lead to fraud that would then damage their credit score. But a funny thing happened as the nation braced itself for the wave of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has everything to do with the identity of the attackers. 

Who was responsible for the Equifax data breach?

As soon as the Equifax breach was announced, infosec experts began keeping tabs on dark web sites, waiting for huge dumps of data that might be connected to it. They waited, and waited, but the data never appeared. This gave rise to what’s become a widely accepted theory: that Equifax was breached by Chinese state-sponsored hackers whose purpose was espionage, not theft.

The Bloomberg Businessweek analysis follows these lines and points to a number of additional clues beyond the fact that the stolen data never seems to have leaked. For instance, recall that the initial breach on March 10 was followed by more than two months of inactivity before attackers began abruptly moving onto high-value targets within Equifax’s network. Investigators believe that the first incursion was achieved by relatively inexperienced hackers who were using a readily available hacking kit that had been updated to take advantage of the Struts vulnerability, which was only a few days old at that point and easy to exploit. They may have found the unpatched Equifax server using a scanning tool and not realized how potentially valuable the company they had breached was. Eventually, unable to get much further beyond their initial success, they sold their foothold to more skilled attackers, who used a variety of techniques associated with Chinese state-backed hackers to get access to the confidential data.

And why would the Chinese government be interested in Equifax’s data records? Investigators tie the attack into two other big breaches that similarly didn’t result in a dump of personally identifying data on the dark web: the 2015 hack of the U.S. Office of Personnel Management, and the 2018 hack of Marriott’s Starwood hotel brands. All are assumed to be part of an operation to build a huge “data lake” on millions of Americans, with the intention of using big data techniques to learn about U.S. government officials and intelligence operatives. In particular, evidence of American officials or spies who are in financial trouble could help Chinese intelligence identify potential targets of bribery or blackmail attempts.

In February of 2020, the United States Department of Justice formally charged four members of the Chinese military with the attack. This was an extremely rare move — the U.S. rarely files criminal charges against foreign intelligence officers in order to avoid retaliation against American operatives — that underscored how seriously the U.S. government took the attack.

How did Equifax handle the breach?

At any rate, once the breach was publicized, Equifax’s immediate response did not win many plaudits. Among their stumbles was setting up a separate dedicated domain, equifaxsecurity2017.com, to host the site with information and resources for those potentially affected. These sorts of lookalike domains are often used by phishing scams, so asking customers to trust this one was a monumental failure in infosec procedure. Worse, on multiple occasions official Equifax social media accounts erroneously directed people to securityequifax2017.com instead; fortunately, the person who had snapped up that URL used it for good, directing the 200,000 (!) visitors it received to the correct site.

Meanwhile, the real equifaxsecurity2017.com breach site was judged insecure by numerous observers, and may have just been telling everyone that they were affected by the breach whether they really were or not. Language on the site (later retracted by Equifax) implied that just by checking to see if you were affected meant that you were giving up your right to sue over it. And in the end, if you were affected, you were directed to enroll in an Equifax ID protection service — for free, but how much do you trust the company at this point?

What happened to Equifax after the data breach?

What, ultimately, was the Equifax breach’s impact? Well, the upper ranks of Equifax’s C-suite rapidly turned over. Legislation sponsored by Elizabeth Warren and others that would’ve imposed fines on credit-reporting agencies that get hacked went nowhere in the Senate.

That doesn’t mean the Equifax breach cost the company nothing, though. Two years after the breach, the company said it had spent $1.4 billion on cleanup costs, including “incremental costs to transform our technology infrastructure and improve application, network, [and] data security.” In June 2019, Moody’s downgraded the company’s financial rating in part because of the massive amounts it would need to spend on infosec in the years to come. In July 2019 the company reached a record-breaking settlement with the FTC, which wrapped up an ongoing class action lawsuit and will require Equifax to spend at least $1.38 billion to resolve consumer claims.

Was I affected by the Equifax breach?

This was a lot of anguish just to find out if you were one of the unlucky 40 percent of Americans whose data was stolen in the hack. Things have settled down in the subsequent years, and now there’s a new site where you can check to see if you’re affected, with yet another somewhat confusing name: eligibility.equifaxbreachsettlement.com/en/Eligibility.

That settlement eligibility website actually isn’t hosted by Equifax at all; instead, it’s from the FTC.

How does the Equifax settlement work?

The Equifax settlement dangles the prospect that you might get a check for your troubles, but there are some catches. The settlement mandates that Equifax compensate anyone affected by the breach with credit monitoring services; Equifax wants you to sign up for their own service, of course, and while they will also give you a $125 check to go buy those services from somewhere else, you have to show that you do have alternate coverage to get the money (though you could sign up for a free service).

More cash is available if you’ve actually lost money from identity theft or spent significant amounts of time dealing with the fallout, but here, too, documentation is required. And that $125 is just a maximum; it almost certainly will go down if too many people request checks.

What are the lessons learned from the Equifax breach?

If we wanted to make a case study of the Equifax breach, what lessons would we pull from it? These seem to be the big ones:

  • Get the basics right. No network is invulnerable. But Equifax was breached because it failed to patch a basic vulnerability, despite having procedures in place to make sure such patches were applied promptly. And huge amounts of data were exfiltrated unnoticed because someone neglected to renew a security certificate. Equifax had spent millions on security gear, but it was poorly implemented and managed.
  • Silos are defensible. Once the attackers were inside the perimeter, they were able to move from machine to machine and database to database. If they had been restricted to a single machine, the damage would’ve been much less.
  • Data governance is key — especially if data is your business. Equifax’s databases could’ve been stingier in giving up their contents. For instance, users should only be given access to database content on a “need to know basis”; giving general access to any “trusted” users means that an attacker can seize control of those user accounts and run wild. And systems need to keep an eye out for weird behavior; the attackers executed up to 9,000 database queries very rapidly, which should’ve been a red flag.
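The last lesson, as an added example (not Equifax’s monitoring): a sliding-window detector over constructed database audit lines that raises one alert when a principal’s query rate, or the rows it has pulled within a minute, first crosses a threshold. The log format, account names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed audit-log line shape (constructed for this example):
#   2017-05-14T02:00:05Z user=app_trusted db=consumer_credit rows=500 query=SELECT_star
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) rows=(?P<rows>\d+)")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "db": m["db"], "rows": int(m["rows"])}


def detect_query_bursts(lines, window=timedelta(seconds=60), max_queries=50, max_rows=10_000):
    """Per-principal sliding window; alert once when a threshold is first crossed.

    Alerting on the crossing (not on every query above it) keeps a 9,000-query
    romp from producing 9,000 alerts while still firing within seconds.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, rows) inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        old_count, old_rows = len(q), sum(r for _, r in q)
        q.append((ev["ts"], ev["rows"]))
        new_count, new_rows = old_count + 1, old_rows + ev["rows"]
        if old_count <= max_queries < new_count:
            alerts.append({"kind": "query_rate", "user": ev["user"], "db": ev["db"],
                           "ts": ev["ts"].isoformat(), "value": new_count})
        if old_rows <= max_rows < new_rows:
            alerts.append({"kind": "rows_returned", "user": ev["user"], "db": ev["db"],
                           "ts": ev["ts"].isoformat(), "value": new_rows})
    return alerts


def build_sample_log():
    """Constructed audit lines: a normal reporting job plus a burst from a 'trusted' app account."""
    base = datetime(2017, 5, 14, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):                      # one count query every ten minutes
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=svc_report db=consumer_credit rows=1 query=SELECT_count")
    for i in range(60):                     # 60 full-table reads in 20 seconds
        t = base + timedelta(seconds=i // 3)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=app_trusted db=consumer_credit rows=500 query=SELECT_star")
    return sorted(lines)


if __name__ == "__main__":
    for alert in detect_query_bursts(build_sample_log()):
        print(alert)
```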

What is phishing? Examples, types, and techniques

Phishing definition

Phishing is a type of cyberattack that uses disguised email as a weapon. These attacks use social engineering techniques to trick the email recipient into believing that the message is something they want or need—a request from their bank, for instance, or a note from someone in their company—and to click a link or download an attachment.

“Phish” is pronounced just like it’s spelled, which is to say like the word “fish”—the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite.

Phishing emails can be targeted in several different ways, with some not being targeted at all, some being “soft targeted” at someone playing a particular role in an organization, and some being targeted at specific, high-value people.

Phishing history

One of the oldest types of cyberattacks, phishing dates back to the 1990s, and it’s still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated.

The term arose among hackers aiming to trick AOL users into giving up their login information. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.

Some phishing scams have succeeded well enough to make waves:

What a phishing email can do

There are a couple of different ways to break attacks down into categories. One is by the purpose of the phishing attempt—what it is intended to do. Generally, a phishing campaign tries to get the victim to do one of two things:

Hand over sensitive information. These messages aim to trick the user into revealing important data—often a username and password that the attacker can use to breach a system or account. The classic version of this scam involves sending out an email tailored to look like a message from a major bank; by spamming out the message to millions of people, the attackers ensure that at least some of the recipients will be customers of that bank. The victim clicks on a link in the message and is taken to a malicious site designed to resemble the bank’s webpage, and then hopefully enters their username and password. The attacker can now access the victim’s account.

Download malware. Like a lot of spam, these types of phishing emails aim to get the victim to infect their own computer with malware. Often the messages are “soft targeted”—they might be sent to an HR staffer with an attachment that purports to be a job seeker’s resume, for instance. These attachments are often .zip files, or Microsoft Office documents with malicious embedded code. One of the most common forms of malicious code is ransomware—in 2017 it was estimated that 93% of phishing emails contained ransomware attachments.

Types of phishing

Another way to categorize these attacks is by who they target and how the messages are sent. If there’s a common denominator among phishing attacks, it’s the disguise. The attackers spoof their email address so it looks like it’s coming from someone else, set up fake websites that look like ones the victim trusts, and use foreign character sets to disguise URLs.

That said, there are a variety of techniques that fall under the umbrella of phishing. Each of these types of phishing is a variation on a theme, with the attacker masquerading as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with.

Email phishing: With general, mass-market phishing attacks, emails are sent to millions of potential victims to try to trick them into logging in to fake versions of very popular websites.

Ironscales has tallied the most popular brands that hackers use in their phishing attempts. Of the 50,000-plus fake login pages the company monitored, these were the top brands attackers used:

  • PayPal: 22%
  • Microsoft: 19%
  • Facebook: 15%
  • eBay: 6%
  • Amazon: 3%

Spear phishing: When attackers craft a message to target a specific individual. For instance, the spear phisher might target someone in the finance department and pretend to be the victim’s manager requesting a large bank transfer on short notice.

Whaling: Whale phishing, or whaling, is a form of spear phishing aimed at the very big fish—CEOs or other high-value targets like company board members.

Gathering enough information to trick a really high-value target might take time, but it can have a surprisingly high payoff. In 2008, cybercriminals targeted corporate CEOs with emails that claimed to have FBI subpoenas attached. In fact, they downloaded keyloggers onto the executives’ computers—and the scammers’ success rate was 10%, snagging almost 2,000 victims.

Business email compromise (BEC): A type of targeted phishing attack in which attackers purport to be a company’s CEO or other top executive, typically to get other individuals in that organization to transfer money.

Vishing and smishing: Phishing via phone call and text message, respectively.

Other types of phishing include clone phishing, snowshoeing, social media phishing, and more—and the list grows as attackers are constantly evolving their tactics and techniques.

How phishing works

All the tools needed to launch phishing campaigns (known as phishing kits), as well as mailing lists, are readily available on the dark web, making it easy for cybercriminals, even those with minimal technical skills, to pull off phishing attacks.

A phishing kit bundles phishing website resources and tools that need only be installed on a server. Once installed, all the attacker needs to do is send out emails to potential victims.

Some phishing kits allow attackers to spoof trusted brands, increasing the chances of someone clicking on a fraudulent link. Akamai’s research provided in its Phishing–Baiting the Hook report found 62 kit variants for Microsoft, 14 for PayPal, seven for DHL, and 11 for Dropbox.  

The Duo Labs report, Phish in a Barrel, includes an analysis of phishing kit reuse. Of the 3,200 phishing kits that Duo discovered, 900 (27%) were found on more than one host. That number might actually be higher, however. “Why don’t we see a higher percentage of kit reuse? Perhaps because we were measuring based on the SHA1 hash of the kit contents. A single change to just one file in the kit would appear as two separate kits even when they are otherwise identical,” said Jordan Wright, a senior R&D engineer at Duo and the report’s author.
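Wright’s point about hash-based counting, worked as an added example (not Duo’s code): compare kits by the set of per-file hashes and a Jaccard similarity instead of one SHA-1 over the whole archive, so a kit with a single edited file still clusters with its parent. The kits below are constructed stand-ins with placeholder content.

```python
import hashlib

KIT_FILES = ("index.html", "login.php", "verify.php", "post.php", "blocker.php",
             "style.css", "logo.png", ".htaccess")


def make_kit(brand: str, drop_email: str) -> dict:
    """Constructed stand-in for a phishing kit: path -> file bytes (placeholder content)."""
    files = {f"{brand}/{name}": f"{name}:{brand}:v1".encode() for name in KIT_FILES}
    # The 'drop' address is the part that typically differs between copies of one kit.
    files[f"{brand}/config.php"] = f"<?php $to = '{drop_email}';".encode()
    return files


def kit_hash(kit: dict) -> str:
    """One SHA-1 over the whole kit: the measure that splits near-identical kits apart."""
    h = hashlib.sha1()
    for path in sorted(kit):
        h.update(path.encode() + b"\0" + kit[path] + b"\0")
    return h.hexdigest()


def file_hashes(kit: dict) -> dict:
    """Per-file SHA-1s: the unit of comparison that survives a one-file edit."""
    return {path: hashlib.sha1(data).hexdigest() for path, data in kit.items()}


def similarity(hashes_a: dict, hashes_b: dict) -> float:
    """Jaccard similarity over (path, digest) pairs."""
    a, b = set(hashes_a.items()), set(hashes_b.items())
    return len(a & b) / len(a | b) if a | b else 1.0


def cluster_kits(kits: dict, threshold: float = 0.75):
    """Greedy single-linkage clustering: a kit joins the first cluster with a close-enough member."""
    hashed = {name: file_hashes(kit) for name, kit in kits.items()}
    clusters = []
    for name, fh in hashed.items():
        for cluster in clusters:
            if any(similarity(fh, hashed[m]) >= threshold for m in cluster):
                cluster.append(name)
                break
        else:
            clusters.append([name])
    return clusters


# Constructed corpus: two copies of one kit differing only in config.php, plus an unrelated kit.
SAMPLE_KITS = {
    "kit_a":  make_kit("paypal", "drop-a@example.invalid"),
    "kit_a2": make_kit("paypal", "drop-b@example.invalid"),
    "kit_b":  make_kit("bankco", "drop-c@example.invalid"),
}

if __name__ == "__main__":
    print("distinct whole-kit hashes:", len({kit_hash(k) for k in SAMPLE_KITS.values()}))
    print("clusters by file overlap:", cluster_kits(SAMPLE_KITS))
```

Whole-kit hashing counts three distinct kits here; per-file comparison puts the two PayPal copies in one cluster.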

[Infographic: Anatomy of a Phishing Kit (Duo Security)]

Phishing examples

Criminals rely on deception and creating a sense of urgency to achieve success with their phishing campaigns. As the following examples show, these social engineers know how to capitalize on a crisis.

Phishing example: Corona update
The following screen capture is a phishing campaign discovered by Mimecast that attempts to steal login credentials of the victim’s Microsoft OneDrive account. The attacker knew that with more people working from home, sharing of documents via OneDrive would be common.

[Image: screenshot of the work-from-home phishing campaign identified by Mimecast (Mimecast)]

Phishing example: Covid cure
This phishing campaign, identified by Proofpoint, asks victims to load an app on their device to “run simulations of the cure” for COVID-19. The app, of course, is malware.

[Image: malicious spoofed Folding@home email with link to malware (Proofpoint)]

Phishing example: A matter of public health
This email appears to be from Canada’s Public Health Agency and asks recipients to click on a link to read an important letter. The link goes to a malicious document.

[Image: fake Public Health Agency of Canada lure (Proofpoint)]

How to prevent phishing

The best way to learn to spot phishing emails is to study examples captured in the wild! Lehigh University’s technology services department maintains a gallery of recent phishing emails received by students and staff.

There also are a number of steps you can take and mindsets you should get into that will keep you from becoming a phishing statistic, including:

  • Always check the spelling of the URLs in email links before you click or enter sensitive information
  • Watch out for URL redirects, where you’re subtly sent to a different website with identical design
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
  • Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
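The URL-spelling advice above, together with the equifaxsecurity2017.com / securityequifax2017.com confusion described earlier and the use of foreign character sets to disguise URLs, as an added example (not from the article): a checker that decodes punycode, flags non-Latin characters in the domain, measures edit distance to an allow-list of brands, and flags a brand name embedded in some other domain. The allow-list and the sample URLs are constructed; the registrable domain is taken to be the last two labels, which assumes a single-label TLD.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed allow-list: domains the organization genuinely deals with (constructed).
TRUSTED_DOMAINS = ["equifax.com", "paypal.com", "microsoft.com"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a domain label (digits and '-' ignored)."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])  # LATIN, CYRILLIC, GREEK, ...
    return found


def assess_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons a link looks like a lookalike; an empty list means nothing was flagged."""
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if "xn--" in host:                        # show punycode labels as their real characters
        host = host.encode("ascii").decode("idna")
    if parts.scheme != "https":
        reasons.append("not served over https")
    labels = host.split(".")
    if len(labels) < 2:
        return reasons + ["malformed host"]
    sld, domain = labels[-2], ".".join(labels[-2:])   # assumes a single-label TLD
    scripts = scripts_in(sld)
    if not scripts <= {"LATIN"}:
        reasons.append("non-Latin characters in domain (" + ", ".join(sorted(scripts)) + ")")
    if domain in trusted:
        return reasons                        # the genuine domain, or a subdomain of it
    for t in trusted:
        brand = t.split(".")[0]
        d = levenshtein(sld, brand)
        if d == 0:
            reasons.append(f"trusted brand '{brand}' on a different TLD ({domain})")
        elif d <= 2:
            reasons.append(f"{d} edit(s) away from trusted domain {t}")
        elif brand in sld:
            reasons.append(f"brand name '{brand}' embedded in unrelated domain {domain}")
    return reasons


# Constructed samples; the last one is built from a Cyrillic 'а' (U+0430) in place of Latin 'a'.
SAMPLE_URLS = {
    "genuine": "https://www.equifax.com/personal/",
    "reordered": "https://securityequifax2017.com",
    "typo": "https://paypa1.com/login",
    "homoglyph": "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/signin",
}

if __name__ == "__main__":
    for label, url in SAMPLE_URLS.items():
        print(label, url, "->", assess_url(url) or "ok")
```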

If you work in your company’s IT security department, you can implement proactive measures to protect the organization, including:

  • “Sandboxing” inbound email, checking the safety of each link a user clicks
  • Inspecting and analyzing web traffic
  • Conducting phishing tests to find weak spots and using the results to educate employees
  • Encouraging employees to send you suspected phishing emails—and then following up with a word of thanks

What is SIEM? Security information and event management explained

Security information and event management (SIEM) tools collect and aggregate log and event data to help identify and track breaches. They are powerful systems that give enterprise security professionals both insight into what’s happening in their IT environment right now and a track record of relevant events that have happened in the past.

SIEM software (pronounced ‘sim’; the ‘e’ is silent) collects and aggregates log and event data generated throughout the organization’s technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. A SIEM tool’s goal is to correlate signals in all that data together to provide security teams with the information they need to identify and track breaches and other problems.

The term “SIEM” was actually coined by Gartner analysts in 2005, and they continue to rate the various vendors using their Magic Quadrant methodology. You can see the 2021 installment of the Magic Quadrant for SIEM here. Companies in the “Leaders” quadrant include Splunk, IBM, Exabeam, Securonix, and LogRhythm.

SIM vs. SIEM

Before we dive into the details of how SIEM software works, we need to understand two related acronyms: SIM and SEM.

SIM, which stands for security information management, is a tool that provides analysis and reporting for historic security events—with historic here meaning not that these events are part of some epic, important historical event, but merely that they happened in the past. SIM systems grew out of the log management discipline, and work to automate the collection of log data from various security tools and systems and surface that information to security managers.

SEM, which stands for security event management, is similar to SIM, although instead of focusing on historic log data, it attempts to work in real time, or as close to it as possible, to identify specific events relevant to security professionals. For instance, if a user somewhere on your network manages to elevate their privileges to admin status in a way that is out of the ordinary, a SEM system should let you know about it.

A SIEM system is simply a tool that combines the functionality of SIM and SEM software. It’s quite rare at this point to find software that offers only SIM or SEM functionality, and SIEM has been the order of the day for a decade or more.

At first blush, it may seem odd that SEM ended up combined with SIM rather than replacing it. The appeal of getting alerts on real-time security events is obvious, and if you can do that, what’s the point of pulling information out of some dusty old log? In fact, much of a security pro’s job involves working backwards from real-time alerts to try to figure out what’s happening on your network. Once you get that warning about the user who managed to make themselves an admin, you’ll need to look at the history of that user’s logins and behavior to try to get to the bottom of what’s happening, and you need SIM tools that can quickly find that information for you in your logs.

SIEM software, therefore, has two main objectives:

  • provide reports on security-related incidents and events, such as successful and failed logins, malware activity, and other possible malicious activities; and
  • send alerts if analysis shows that an activity runs against predetermined rulesets and thus indicates a potential security issue.
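The SIM/SEM interplay described above, as an added example (not any vendor’s product): a real-time rule on unexpected admin-group membership changes, plus the history lookup a SIM side provides, so the alert arrives with the user’s recent logins and is escalated when the change comes from an address that is not part of that user’s established login pattern. The log format, hosts, accounts and addresses are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log lines in an assumed "timestamp key=value ..." format from two sources.
SAMPLE_LOG = [
    "2021-03-01T09:12:01Z src=auth host=fs01 user=jdoe event=login ip=10.0.5.22 result=success",
    "2021-03-02T08:58:44Z src=auth host=fs01 user=jdoe event=login ip=10.0.5.22 result=success",
    "2021-03-03T09:03:10Z src=auth host=vpn01 user=jdoe event=login ip=10.0.5.22 result=success",
    "2021-03-04T23:39:52Z src=auth host=vpn01 user=jdoe event=login ip=203.0.113.9 result=failure",
    "2021-03-04T23:40:07Z src=auth host=vpn01 user=jdoe event=login ip=203.0.113.9 result=success",
    "2021-03-04T23:41:09Z src=dc host=dc01 user=jdoe event=group_add group=Domain_Admins by=jdoe ip=203.0.113.9",
    "2021-03-05T10:15:00Z src=dc host=dc01 user=asmith event=group_add group=Domain_Admins by=svc_changectl ip=10.0.9.4",
]


def parse_event(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    ev = dict(KV_RE.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


class MiniSiem:
    """SIM side: searchable event history. SEM side: a rule evaluated as each event arrives."""

    def __init__(self, admin_groups=("Domain_Admins",), change_accounts=("svc_changectl",)):
        self.events = []
        self.admin_groups = set(admin_groups)
        self.change_accounts = set(change_accounts)   # sanctioned change-control identities (assumed)

    # SIM: answer "what has this user been doing?" from stored history.
    def login_history(self, user: str, before: datetime, days: int = 30) -> list:
        since = before - timedelta(days=days)
        return [e for e in self.events
                if e.get("event") == "login" and e.get("user") == user and since <= e["ts"] < before]

    # SEM: real-time rule on privilege elevation, enriched with SIM context.
    def rule_privilege_elevation(self, ev: dict):
        if ev.get("event") != "group_add" or ev.get("group") not in self.admin_groups:
            return None
        if ev.get("by") in self.change_accounts:
            return None                                   # the approved path; no alert
        history = self.login_history(ev["user"], before=ev["ts"])
        same_ip = [e for e in history if e.get("ip") == ev.get("ip")]
        failures = sum(1 for e in same_ip if e.get("result") == "failure")
        severity, notes = "medium", []
        if ev.get("by") == ev.get("user"):
            severity = "high"
            notes.append("account added itself to an admin group")
        if not same_ip or ev["ts"] - same_ip[0]["ts"] < timedelta(days=1):
            severity = "high"
            notes.append("source address is not part of the user's established login pattern")
        if failures:
            notes.append(f"{failures} failed login(s) from this address beforehand")
        return {"rule": "unexpected-admin-group-add", "severity": severity, "user": ev["user"],
                "by": ev.get("by"), "ip": ev.get("ip"), "ts": ev["ts"].isoformat(),
                "notes": notes, "recent_logins": history}

    def ingest(self, line: str):
        ev = parse_event(line)
        alert = self.rule_privilege_elevation(ev)        # evaluated against history so far
        self.events.append(ev)
        return alert


def run_sample(lines=SAMPLE_LOG) -> list:
    siem = MiniSiem()
    return [a for a in (siem.ingest(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"], alert["user"], alert["notes"], len(alert["recent_logins"]), "prior logins")
```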

How does SIEM work?

Logs and other data need to be exported from all your security systems into the SIEM platform. This can be achieved by SIEM agents—programs running on your various systems that analyze and export the data into the SIEM; alternatively, most security systems have built-in capabilities to export log data to a central server, and your SIEM platform can import it from there.

Which option you take will depend on your network topology and bandwidth capabilities, as well as the types of systems you need to get logs from. The amount of data transmitted and the processing power necessary at the end points can degrade the performance of your systems or network if you don’t implement things carefully; SIEM agents at the edge can relieve some of that burden by parsing out some data before even sending it over the network. At any rate, you’ll want to ensure that your entire infrastructure is instrumented for SIEM, both on-prem and in the cloud.

Obviously the amount of data generated by this SIEM instrumentation is huge, more than your staff could possibly parse through. The primary value delivered by SIEM suites is that they apply data analysis to make sure that only useful information gets delivered to your security operations center. These platforms use correlation engines to attempt to connect disparate log entries or other signals that don’t seem worrisome on their own but taken together can spell trouble. These engines, combined with the specific artificial intelligence and machine learning techniques used to sniff out attacks, are what various SIEM vendors use to differentiate their offerings from one another.

SIEM tools also draw information from threat intelligence feeds—basically, updated feeds of data about new forms of malware and the latest advanced persistent threats. Some of these feeds are maintained by the SIEM vendors, but others are open source or internally maintained by security teams at large organizations, and some SIEM platforms allow you to use your favorites. Other customization options include the ability to tightly integrate your SIEM platform with specific security tools.

SIEM was initially embraced in part for its ability to aid regulatory compliance; that’s still an important role for these tools, and many platforms have built-in capabilities that are focused on ensuring and documenting your compliance with various laws and standards. And finally, some SIEM platforms also incorporate SOAR capabilities, which can partially or fully automate responses to the threats they detect.

Top SIEM tools and vendors

How should you evaluate SIEM tools? CSO’s Tim Ferrill has a great buyer’s guide to the key features and considerations that should inform your choice of a system, including whether it’s cloud or on-prem, analytics capabilities, log ingestion, automated remediation, and role-based access, among others.

Ferrill’s list also looks at some of the top SIEM vendors, which make for a good guide through the landscape of this market segment:

  • Exabeam
  • IBM
  • LogRhythm
  • Microsoft
  • Rapid7
  • RSA
  • Securonix
  • Splunk
  • FireEye

All these different vendors have their own strengths and weaknesses. For instance, Microsoft’s Azure Sentinel offering is only available on Microsoft’s cloud, but easily integrates with Microsoft 365 and Windows Defender. RSA’s platform is built with massive data volume in mind, while Securonix has an open architecture that makes it possible to add a wide variety of third-party analytics plug-ins.

We should take a moment to spotlight Splunk, since it was one of the first software vendors to discover gold in log file analysis. Splunk Enterprise Security draws on the company’s mature data analytics and visualization capabilities to deliver a SIEM solution integrated with threat intelligence and available in the cloud or on prem. IDC maintains that Splunk has the largest SIEM market share.

At this point, you should have a good sense of what SIEM should do for your company. But these platforms aren’t cheap, and that means you need to do all you can to prepare before you roll one out. For instance, SIEM software requires high-quality data for maximum yield. And SIEM technologies are resource intensive and require experienced staff to implement, maintain and fine-tune them—staff that not all organizations have fully invested in yet.

6 security analyst certifications to advance your career

The security analyst is the backbone of a company’s day-to-day IT security. Whether they’re monitoring network infrastructure for breaches and intrusions as part of a security operations center, performing internal security audits, or analyzing past breaches to find the root causes of network vulnerability, they work to keep the company’s infrastructure locked down tight.

If you’re looking to get into this line of work, you may be wondering if a professional certification can help you stand out from the crowd—and if you’re looking to hire a security analyst, you may be wondering what certs are a good signal of a great candidate.

“As an experienced hiring manager, certificates are important to me, for they show a candidate’s potential for retaining knowledge,” says Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct. Lucia Milică, Global Resident CISO at Proofpoint, agrees: “Security leaders rely heavily on certifications for entry level security roles as a high-level barometer of one’s level of knowledge in a particular area of expertise,” she says.

Of course, certs aren’t everything. Far from it. “The totality of a person’s experience and eagerness to learn are equally critical,” says Milică. Everette agrees: “What certificates don’t clearly reflect is the candidate’s ability to apply that knowledge to real-world applications. Having knowledge is one part, being able to apply the knowledge properly and effectively is a critical skill that certificates can’t always measure.”

Still, both Everette and Milică cited several certifications that they felt reflected well on candidates, as did other IT pros we spoke with. We’ve highlighted here the six that our experts brought up most often. They can be broken down into two broad groups: three that might be useful at the beginning of a security analyst’s career, and then three more that could help an analyst as they gain experience and climb the ladder or start specializing in a particular corner of infosec.

Top security analyst certifications

  1. Security+
  2. CySA+
  3. Certified Ethical Hacker (CEH)
  4. Certified in Risk and Information Systems Control (CRISC)
  5. Certified Information Systems Auditor (CISA)
  6. Certified Information Systems Security Professional (CISSP)

Security+
CompTIA’s Security+ certification is, in CompTIA’s opinion, “the first security certification a candidate should earn.” It aims to establish a baseline of security skills, including the ability to understand specific attacks and to conduct operations and incident response. Candidates will also come away with some understanding of security architecture, design, and governance.

“For entry level candidates, I don’t expect to see a laundry list of certifications, but if an individual has a CompTIA certification like Security+, that’s a benefit,” says Tim Bandos, CISO at Digital Guardian. “It demonstrates the candidate’s drive to want to learn the fundamentals of the industry.”

There are no prerequisites for CompTIA Security+. However, CompTIA recommends that a candidate have at least two years of IT administration experience with a security focus before seeking certification. In addition, candidates may want to aim for the CompTIA Network+ certification before moving on to Security+, as networking basics are an important element of security knowledge.

Offered by: CompTIA
Prerequisites: None
Test format: 90 questions, including a combination of multiple-choice questions, drag and drop activities, and performance-based items, which test your ability to solve problems in a simulated environment
Cost: $370 for an exam voucher only; CompTIA sells bundles at higher prices that include study material
Official website: https://www.comptia.org/certifications/security

CySA+
If you want to be a security analyst, CompTIA’s CySA+ wants very much to be your certification: the name itself is short for CyberSecurity Analyst, after all. If you’re following CompTIA’s track, CySA+ is the next logical step after Security+, and starts to go beyond the basics of infosec to get into the nitty gritty of the analyst’s craft. As Keatron Evans, Principal Security Researcher at the Infosec Institute puts it, a CySA+ cert “helps security professionals know how to be an analyst.”

The CySA+ exam features interactive performance-based questions meant to simulate real-world situations. Candidates should know how to leverage intelligence and threat detection techniques, identify vulnerabilities, and suggest preventative measures and strategies to respond to successful breaches. CompTIA recommends a minimum of three to four years of hands-on security or related experience before taking the exam.

Offered by: CompTIA
Prerequisites: None
Test format: 85 multiple choice and performance-based questions
Cost: $370 for an exam voucher only; CompTIA sells bundles at higher prices that include study material
Official website: https://www.comptia.org/certifications/cybersecurity-analyst

Certified Ethical Hacker (CEH)
The Certified Ethical Hacker certification is another early-career cert, but it has a very different flavor from the two CompTIA certifications we’ve discussed. Rather than focusing on the “defensive” side of things, the CEH exam covers offense—reconnaissance techniques, network and perimeter hacking, web application hacking, and more.

As the name of the certification implies, it’s aimed at “ethical hackers”—a fancy name for folks otherwise called penetration testers or offensive security experts, who launch simulated attacks on clients or employers to probe defenses for weaknesses. This is a fun line of work to get into, but the EC-Council, the organization that offers the cert, includes analysts in its target audience. The Infosec Institute’s Evans says that a CEH certification “helps security analysts know the enemy,” and the knowledge of how to breach a network can certainly help you better understand how to defend it.

Offered by: EC-Council
Prerequisites: You must either have two years of infosec work experience or attend an official EC-Council training
Test format: 125 multiple choice questions
Cost: $100 application fee, plus $1,199 to take the exam
Official website: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

Certified in Risk and Information Systems Control (CRISC)
With CRISC, we enter a more specific realm of cybersecurity specialization. Proofpoint’s Milică cites it as a certification that signals a candidate’s serious interest in a more specific specialty—risk analysis and management, in this case. Candidates need to know how to balance the likelihood of a risk happening against the potential damage that would ensue if it does. Overall, the goal is to help understand an organization’s tolerance for risk, categorize it, and quantify it.

As ISACA, the organization that offers the cert, puts it, you’ll be aiming for a career where you “build a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks.” This is an area of security analysis that offers a promotion path to the top of the org chart—but it’s not for beginners, and you’ll need some work experience in this specific field before you can be certified.

Offered by: ISACA
Prerequisites: Three years of cumulative work experience performing the tasks of a CRISC professional across at least two of the four CRISC subject domains
Test format: 150 multiple choice questions
Cost: $50 application fee, $575 (ISACA members)/$760 (non-members) exam fee
Official website: https://www.isaca.org/credentialing/crisc

Certified Information Systems Auditor (CISA)
If you’re in the middle of your career path and are leaning towards the auditing side of the infosec world, CISA may be a promising certification for you. Security auditors use their analytic skills to assess internal auditing processes, IT governance, business resilience, and compliance. It’s another career path that points upwards. “For candidates with five or more years of experience, I place value in seeing certifications like CISA,” says Digital Guardian’s Bandos. And in fact, five years of relevant industry experience is a hard requirement for getting this certification.

Offered by: ISACA
Prerequisites: A minimum of five years of professional information systems auditing, control, or security work experience
Test format: 150 multiple choice questions
Cost: $50 application fee, $575 (ISACA members)/$760 (non-members) exam fee
Official website: https://www.isaca.org/credentialing/cisa

Certified Information Systems Security Professional (CISSP)
If CRISC and CISA represent specialty certifications for the mid-career analyst, CISSP is a generalist cert, a logical progression from Security+ for someone who’s been around for a while. And as you might imagine, it’s in demand. “The certification I get questions about the most is the CISSP,” says Bandos. “I do believe this certification is a hot one, given its reputation in the cybersecurity industry.”

Advanced-level analysts interested in getting CISSP certified will need to know all the ins and outs of security and risk management, asset security, operations, security assessment and testing, and more.

Offered by: (ISC)2
Prerequisites: Five years of full-time work experience in two of the eight CISSP domains
Test format: An adaptive exam of 100 to 150 questions, including multiple choice and drag-and-drop
Cost: $749
Official website: https://www.isc2.org/Certifications/CISSP

Beyond cert smarts

Feeling overwhelmed, like you suddenly have a lot of homework to do? Maybe you’re determined to get started earning these certifications and climbing the ladder. But remember what our experts said up front: certs only demonstrate one aspect of a potential candidate’s readiness for a job. And some candidates may not need them at all.

“Some of the best, highest performing security practitioners we’ve hired have no professional certifications,” says Matt Georgy, CTO at Redacted. “What is much more important is an aptitude for critical thinking, ability to multitask and prioritize, ability to learn and apply new skills, and a passionate, self-driven work ethic that includes continual curiosity and constant learning. With this, we can mold them into a force that no certification can match.”

CRISC certification: Your ticket to the C-suite?

What is CRISC?

Certified in Risk and Information Systems Control (CRISC) is a certification that focuses on enterprise IT risk management. It’s offered by ISACA, a nonprofit professional association focused on IT governance with a number of certifications in its stable, including CISM.

Enterprise risk management (ERM) is the process of assessing risks to identify both threats to a company’s financial well-being and opportunities in the market. A risk management program aims to balance the likelihood of a risk happening against the potential damage that would ensue if it does. Overall, the goal is to help understand an organization’s tolerance for risk, categorize it, and quantify it. (For more background, read CSO’s explainer on ERM or our article on risk management mistakes CISOs still make.)

This is, obviously, a high-level set of skills, and it’s increasingly one that CISOs and IT security managers are expected to have in their toolkit. CRISC can be a good way to display your competence in this field—and can be a lucrative boost to your career. Like many certifications, though, it’s not necessarily cheap or easy to get. We’ll look at some of the details of how you can get CRISC certified in a moment, but first, let’s see how CRISC stacks up against some of the other certs on the market.

CRISC vs. CISM, CISSP, and CISA

Where does CRISC stand in the world of upper-level IT security certifications? The most important thing that distinguishes it from other certs is that it’s specialized and focused specifically on the area of enterprise IT risk management. So, while ISACA’s CISM might, like CRISC, be a credential that a CISO or someone aiming to become a CISO might pursue, CISM covers a much wider range of material, generally encompassing the development and management of an infosec program at the enterprise level. (ISC)2’s CISSP is another high-level but general-purpose cert, combining in-depth technical knowledge of a broad range of security domains with an understanding of managerial responsibilities.

Finally, there’s CISA, which is yet another ISACA cert. CISA is like CRISC in that it’s focused, but its area of focus is different from CRISC’s: CISA stands for Certified Information Systems Auditor, and is primarily pursued by those in the specialized realm of auditing. Unlike the other three certs, it’s less likely that someone would have pursued a CISA certification as part of a career aiming for the C-suite. The Netwrix blog has a great chart comparing all four of these certifications if you want to get a sense of the differences and similarities at a glance.

CRISC domains

Now let’s take a closer look at the content that you’ll be expected to master in order to become CRISC certified. ISACA breaks down this material into what it calls domains; in earlier versions of the cert, these were sometimes referred to as job practice areas. These domains are regularly refreshed, and indeed a major overhaul just took place in August of 2021, so much of the following material is relatively new as of this writing.

There are four top-level domains—governance, IT risk assessment, risk response and reporting, and IT and security—each with a number of subdomains:

Governance

  • Organizational governance
    • Organizational strategy, goals, and objectives
    • Organizational structure, roles, and responsibilities
    • Organizational culture
    • Policies and standards
    • Business processes
    • Organizational assets
  • Risk governance
    • Enterprise risk management and risk management framework
    • Three lines of defense
    • Risk profile
    • Risk appetite and risk tolerance
    • Legal, regulatory, and contractual requirements
    • Professional ethics of risk management

IT risk assessment

  • IT risk identification
    • Risk events (e.g., contributing conditions, loss result)
    • Threat modelling and threat landscape
    • Vulnerability and control deficiency analysis (e.g., root cause analysis)
    • Risk scenario development
  • IT risk analysis and evaluation
    • Risk assessment concepts, standards, and frameworks
    • Risk register
    • Risk analysis methodologies
    • Business impact analysis
    • Inherent and residual risk

Risk response and reporting

  • Risk response
    • Risk treatment/risk response options
    • Risk and control ownership
    • Third-party risk management
    • Issue, finding, and exception management
    • Management of emerging risk
  • Control design and implementation
    • Control types, standards, and frameworks
    • Control design, selection, and analysis
    • Control implementation
    • Control testing and effectiveness evaluation
  • Risk monitoring and reporting
    • Risk treatment plans
    • Data collection, aggregation, analysis, and validation
    • Risk and control monitoring techniques
    • Risk and control reporting techniques (heatmap, scorecards, dashboards)
    • Key performance indicators
    • Key risk indicators (KRIs)
    • Key control indicators (KCIs)

IT and security

  • Information technology principles
    • Enterprise Architecture
    • IT operations management (e.g., change management, IT assets, problems, incidents)
    • Project management
    • Disaster recovery management (DRM)
    • Data lifecycle management
    • System development life cycle (SDLC)
    • Emerging technologies
  • Information security principles
    • Information security concepts, frameworks, and standards
    • Information security awareness training
    • Business continuity management
    • Data privacy and data protection principles

These domains don’t just define the structure of the test; they’re also important when it comes to the cert’s experience requirements, as we’ll see in the next section.

CRISC certification requirements and fees

There are three steps you need to take in order to attain CRISC certification:

We’ll dive into the exam in more detail in the next section, but let’s pause here for a moment to discuss those work requirements. As noted, CRISC is intended as a relatively high-level cert, and so its holders have to show that they have real-world experience, not just book smarts. To that end, in order to be certified, you need to have:

  • At least three years of work experience performing the tasks covered by at least two of the four domains we discussed in the previous section; and
  • At least one of those domains needs to be one of the first two listed (governance or IT risk assessment)

To ensure that you’re at least relatively current on industry trends, you have to have accrued this experience over the 10 years before you apply for the credential. But if you don’t have this experience yet and are itching to take the exam, that’s OK too: you can apply up to five years after you pass the test. (In fact, you can’t actually formally apply for the credential until you pass the exam.)

Once your CRISC application has been accepted, you need to adhere to ISACA’s Continuing Professional Education (CPE) program to maintain it. That means taking at least 120 hours of CPE training over each three-year reporting period after you’ve attained the credential. For more information on how you can meet this requirement, download the CRISC CPE Policy from ISACA.

CRISC exam

Still, as is true for most certifications, the exam is the heart of the CRISC certification experience. The exam lasts four hours and consists of 150 multiple-choice questions. The exam is available in English, Spanish, and Simplified Chinese, and you can take it either at a PSI Exam Site or as an online proctored exam from your home; in the latter scenario, a proctor will be watching you through your webcam, so be warned if you find that a little off-putting.

For more details, check out ISACA’s exam candidate guide and scheduling guide, as well as information on special accommodations.

CRISC exam fee and application fee

ISACA has a pretty thorough breakdown of the costs associated with getting CRISC certified, but the basics are as follows:

  • First up is the exam fee, which is $575 for ISACA members and $760 for non-members. (ISACA membership dues are $135, so if you’re planning on taking one of the certification exams this year, you will come out ahead from the get-go.) You have a year to take the exam after registering to do so, but you will not be refunded if you don’t take it in time.
  • Once you’ve passed the exam, you must formally apply to be CRISC certified, and the fee for this application is $50.
  • Subsequently, you must pay an annual maintenance fee to remain in good standing with your certification. This fee is $45 for members and $85 for nonmembers.

CRISC training

ISACA offers an online CRISC review course that costs $795 for members and $895 for non-members.

There are also, as is the case with almost all certs, numerous third-party training courses out there to help you on your journey. Digital Defynd has a good and recently updated roundup, and the prices range from Udemy’s $19.99 online course to the Infosec Institute’s $4,000 boot camp.

But as we noted, it’s important to keep in mind that the test was recently extensively revamped. While you can assume ISACA’s in-house training material is adapted for the latest version of the test, you will want to double-check to make sure this is true of any third-party material you reference.

CRISC study materials and exam questions

That same caveat also applies to third-party study materials. The 7th Edition of ISACA’s CRISC Review Manual, which costs $105 for ISACA members and $135 for non-members, is up to date. Other books that we might normally recommend for studying for a cert exam, like the All-In-One Guide, are as of this writing behind the times. You’ll want to check the publish date of anything you’re considering to make sure it’s after the August 2021 revamp.

Most of the training courses you can take include sample questions that will prepare you for the exam. If you just want to take a quick look to get a sense of what to expect, you can check out ISACA’s practice quiz. If you’re willing to spend some money, you can pay $299 (as an ISACA member) or $399 (as a non-member) for access to ISACA’s CRISC Review Questions, Answers, and Explanations Database.

CRISC jobs and salary

Most people pursue credentials because they believe that it will help them either gain or demonstrate skills that burnish their resume and advance their career. And because this process isn’t cheap, the obvious question that arises is whether the benefits are worth the cost.

For CRISC, the answer certainly seems to be yes at first glance. The Netwrix blog lists a very high-powered list of potential jobs associated with the credential:

  • CIO
  • CISO
  • Security Director
  • Security Manager
  • System Engineer
  • Security Analyst
  • Security Manager
  • Security Auditor
  • Network Architect
  • Enterprise Leadership
  • Control Professional
  • Risk Professional
  • Business Analyst
  • Compliance Pro
  • Control and Assurance Pro

The Global Knowledge database of top-paying IT certifications for 2021 tells a similar story. According to their figures, the average salary of a CRISC holder is $151,995, 57% of those holders are in management, and their most common job titles are CISO, CSO, and ISO.

But anyone telling you that a particular certification guarantees a certain salary is trying to sell you something (probably a certification). Global Knowledge also notes that the average CRISC certification holder is 48 years old and also holds four other certifications—in other words, they’re well advanced in their career, as you would expect from a certification with an experience requirement like the one CRISC has. There is definitely a question of causation vs. correlation here: is CRISC your ticket to a high-paying job, or is CRISC a credential pursued by people who already have the skills and experience that lead to a lucrative career?

The answer is probably somewhere in between. CRISC won’t magically boost your paycheck, but it is definitely a feather in your cap that can make your manager—or hiring managers at other companies—take notice.