Saturday, September 30, 2017

Security Education & Training

 
On-line Training and Education for DOD Security Personnel
 
Government personnel providing security advice and assistance to their various agencies and enterprises are entrusted with tremendous responsibilities, but too often are provided with only minimal training to fulfill those responsibilities. The security functions of these personnel are frequently an additional duty, not their primary function within the organization. Too often, security managers, OPSEC officers, anti-terrorism officers, and the like, perform their duties as part-time functions, balancing security requirements against other demands of their employment. Even if the security function is a full-time duty, individuals are being assigned to these positions with little more than one or two weeks of training.
 
With limited budgets and the inability to travel regularly for training, how can security professionals enhance their skills and document their training? I have put together a list of On-line Training and Education for DOD Security Personnel. The list consists of the following sections: 
 
Pages 1 - 3 - General Security Awareness Training
Pages 4 - 10 - Security Practitioner Courses
Pages 11 - 13 - Paid Courses (Not Free)
Pages 14 - 17 - Military Learning Portals
Pages 18 - 22 - Other On-line Training and Education Resources
Pages 23 - 25 - Certification Programs
 
Anyone interested in security should take the listed General Security Awareness Training courses. These courses are available to the general public, and by completing all of the courses in this section you will develop a good awareness of security and make yourself safer in your day-to-day life.
 
If your job involves a security function, then you may want to complete the Security Practitioner Courses. These courses are intended to develop your security knowledge and analytical skills. The courses in this section are all free, but may require that you validate your status as a government employee. This section is followed by a list of Paid Courses that I believe will be of value to security practitioners. 
 
Because this course list is focused on DOD Security personnel, I have included the various Military Learning Portals. You will require your DOD CAC to access these portals, and your CAC will grant you access to all of the military learning portals, regardless of your branch of service.
 
Finally, I provide a list of Other On-line Training and Education Resources and Certification Programs that may be of interest to security professionals.
 
In each section, I highlight a few courses of interest, but there are often several other courses available on the sites listed. Your personal interests, along with your job requirements, will dictate which courses are most applicable to you.
 
You can download the complete training guide from my Google Drive here: https://goo.gl/v6SHV4
 
 
 




Friday, September 29, 2017

GnuPG / PGP - Pretty Good Privacy



In 1991, Phil Zimmermann published a data encryption program called Pretty Good Privacy or PGP. PGP quickly became one of the world’s most widely used cryptographic programs. However, some of the algorithms used in PGP were copyrighted and thus not suitable for free distribution. Because of the importance of PGP, an Open PGP Standard was published in 1997 that allowed developers to create PGP-compatible encryption without copyright restrictions. GnuPG is a free, PGP-compatible replacement for the PGP software suite that is currently owned by Symantec Corporation. GnuPG uses non-copyrighted algorithms, allowing it to be freely distributed. GnuPG development received major funding from the German Government, and in 2014 also raised over 36,000 Euro through a crowd-funding campaign.

GnuPG allows users to exchange strongly encrypted messages and files with anyone using an Open PGP Standard program, such as PGP or Mailvelope. With GnuPG you can create a PGP public / private key pair, as well as create a personal X.509 key pair (digital certificate). In addition to encrypting messages and files, you can digitally sign messages, ensuring that they are not later altered. The Gpg4win (GnuPG for Windows) Compendium is located at http://www.gpg4win.org/doc/en/gpg4win-compendium.html and provides detailed information on using the program.

You can download a copy of Gpg4Win at:  https://www.gpg4win.org  (Version 3 was released on September 20, 2017)

GnuPG is not difficult to use, but as with any new software, there may be a small learning curve while you get used to using the program. I believe that any associated learning curve is far outweighed by the advantages of having strong encryption available to safeguard your personal communications and files. As it says on the GnuPG web-site https://www.gnupg.org/ "Even if you have nothing to hide, using encryption helps protect the privacy of people you communicate with, and makes life difficult for bulk surveillance systems. If you do have something important to hide, you are in good company; GnuPG is one of the tools that Edward Snowden used to uncover his secrets about the NSA."

A similar program for conducting public key encryption in web-based e-mail programs is Mailvelope https://www.mailvelope.com/ which can be downloaded as either a Google Chrome Extension or a Firefox add-on. Install Mailvelope in your Chrome or Firefox browser. Once installed, open Mailvelope, choose options and generate a key pair. You can now exchange encrypted messages with other Mailvelope and Open PGP users. If you have a GnuPG key pair already, you can import it into Mailvelope.

Another useful tool for using Open PGP encryption is GPG4USB http://www.gpg4usb.org/.  GPG4USB combines a text editor and an Open PGP key manager into a small file.  You can generate key sets, import external keys (such as the keys you generated in GnuPG), and encrypt / decrypt messages in the text editor.
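
The workflow described above (create a key pair, export the public key block that other Open PGP tools import, sign and encrypt a message, and detect a later alteration), shown with the `gpg` command line that ships with GnuPG and Gpg4win. This is an added example, not part of the original post; it assumes GnuPG 2.1 or later and a POSIX shell, and the identity, message and throwaway keyring are constructed for the demo.

```bash
#!/bin/sh
# Added example. The keyring, identity and message are constructed for the
# demo and live in a temporary directory, not in your real ~/.gnupg.

# gpg, non-interactive, with an empty passphrase (acceptable for a demo only).
g() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

pgp_demo() (                                   # subshell: GNUPGHOME stays local
    work=$(mktemp -d) || exit 1
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
    GNUPGHOME="$work/keyring"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    uid="demo-user@example.invalid"            # constructed identity

    # 1. Create the public / private key pair.
    g --quick-generate-key "$uid" default default never 2>/dev/null || exit 1

    # 2. Export the public half as an ASCII-armored block: the form you
    #    publish, or import into Mailvelope or GPG4USB.
    g --armor --export "$uid" > "$work/public.asc"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/public.asc" && echo "export: ok"

    # 3. Sign the message with the private key and encrypt it to the recipient.
    printf 'Meet at 0900.\n' > "$work/msg.txt" # constructed message
    g --armor --sign --encrypt --recipient "$uid" \
      --output "$work/msg.asc" "$work/msg.txt" 2>/dev/null

    # 4. Decrypt; gpg checks the embedded signature in the same step.
    g --decrypt --output "$work/msg.out" "$work/msg.asc" 2>/dev/null &&
        cmp -s "$work/msg.txt" "$work/msg.out" && echo "decrypt: ok"

    # 5. A detached signature makes "not later altered" concrete: it verifies
    #    against the original file and fails once the file is changed.
    g --armor --detach-sign --output "$work/msg.sig" "$work/msg.txt" 2>/dev/null
    g --verify "$work/msg.sig" "$work/msg.txt" 2>/dev/null && echo "verify original: ok"
    printf 'Meet at 1000.\n' > "$work/msg.txt" # alter the signed file
    g --verify "$work/msg.sig" "$work/msg.txt" 2>/dev/null || echo "verify altered: BAD signature"
)

pgp_demo || echo "demo failed: is GnuPG 2.1 or later installed?"
```

For real keys, set a passphrase instead of the empty one used here.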

A copy of my GnuPG / PGP Public Key is below:

 
 


Individual OPSEC & Personal Security

 
Operations Security, or OPSEC, is the process by which we protect unclassified information that can be used against us. OPSEC challenges us to look at ourselves through the eyes of an adversary (individuals, groups, countries, organizations). Essentially, anyone who can harm people, resources, or mission is an adversary. OPSEC should be used to protect information, and thereby deny the adversary the ability to act.
 
I have published a short (53 page) paper "Individual OPSEC & Personal Security" with tips and resources that you can use to make yourself and your family a little bit safer. You can download a PDF copy of this paper from my Google Drive here: https://goo.gl/WtpUo4
 
Please share the information in this guide with others, your friends, family, and co-workers. Like immunizations, the more people around you who are immune to a disease, the less likely you are to catch that disease. Similarly, the more people around you who have defenses against a security threat, the less likely you are to become susceptible to that threat because of something someone else did, such as a data breach, or e-mail compromise. When more people in your life regularly practice individual OPSEC and implement personal security in their own lives, there is a cumulative effect increasing the overall security of everyone in the group.
 
 



Welcome To My Blog

Welcome to my new blog "Chesbro on Security". This blog is a personal effort to share privacy and security related information with those who have expressed a prior interest in receiving this type of information for research and educational purposes. 

Security consists of those measures taken to mitigate hostile actions directed against us. One of the most serious obstacles to personal security today is an attitude of complacency or fatalism. "It can't happen to me" and "if it's going to happen there is nothing I can do about it" is dangerous thinking. Recent political events throughout the world have changed - but certainly not diminished - the threats that we face. A criminal or terrorist attack against you or your family can happen at any place and at any time, as can a natural disaster, or civil unrest that disrupts the infrastructure that surrounds us. However, you can influence what happens to you and your family by assuming personal responsibility for your own safety and security.

Likewise, personal privacy is not something that we should take for granted. The government and major corporations (Big Brother and Big Business) would like us to believe that if we have nothing to hide, then we have nothing to fear. Privacy is complex, and while most people are doing nothing wrong, we all have things that we consider private and that should not be held up to government and corporate scrutiny. The rapid erosion of our personal privacy, the collection of our personal information and the loss of that information in a seemingly never-ending series of data breaches is threatening society in a fundamental way. 

It is near certain that the authors of America’s Declaration of Independence, the Constitution and its Bill of Rights could not have anticipated a world in which the average American paid a quarter of their annual income to the government in taxes, a government that secretly monitors our personal communications, collects and stores vast quantities of information about its citizens, and a government in which the concept of privacy is fast approaching extinction. The idea that individual citizens would require government approval in the form of licensing and permits in order to go about their daily lives; a license to travel upon the public highways, a permit to build upon their own private land, a permit to carry a firearm for one’s personal defense, a license to sell fresh farm products at a local market, a permit to distill spirits even for personal use, and so many other similar government intrusions into our personal lives would have been unconscionable to the men and women in 1776 who had just fought a war to gain their freedom and independence from government oppression. 

We live in a world of laws, rules, policies, and regulations. It is these laws, rules, policies, and regulations that help societies to function smoothly and to operate with some degree of regularity and efficiency. They reduce some of the friction between people living in close proximity and help to promote safety and order in our communities. But there is a problem. That problem is that there are so many laws, rules, policies, and regulations that it is almost impossible to exist without violating something on a daily basis. We have reached a point where everything has been criminalized. Not only is it almost impossible to live our lives without violating some law or regulation, but Big Brother and big business want to watch, track, and record everything we do. Ours is a surveillance society where we are monitored and tracked, licensed and taxed, from the day we are born until well after we die.

And because we live in a world of laws, rules, policies, and regulations, here are the various required...

Disclaimers & Legal Information
  • The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of any agency of the U.S. government, the author’s employer, or any organization, committee, group or other individual.
  • The author assumes no responsibility or liability for any errors or omissions in the content of this blog. The information contained in this blog is provided on an "as is" basis with no guarantees of completeness, accuracy, usefulness or timeliness.
  • Some of the links in this blog may be "affiliate links." This means if you click on the link and purchase the item, I will receive an affiliate commission. Regardless, I only recommend products or services I use personally and believe will add value to my readers.
  • This blog may contain copyrighted material the use of which has not always been specifically authorized by the copyright owner. It is being made available in an effort to advance the understanding of security, personal privacy, scientific, and social justice issues, etc. It is believed that this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this blog is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. If you wish to use copyrighted material from this blog for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.