<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>credentials</title>
<link>http://www.bizcovering.com/tags/credentials</link>
<description>New posts about credentials</description>
<item>
<title>Business Security Concepts</title>
<link>http://www.bizcovering.com/Management/Business-Security-Concepts.252873</link>
<description>
<![CDATA[<p>Security issues and concerns regarding one's current security status or lack thereof have been with us since day one. Let's have a quick look at them.</p>
<h3>Upside/Downside</h3>
<p>The Internet is a set of open, standards-based technologies that the IAB and IETF document, thereby ensuring that software developers have a set of basic reference specifications that can form the foundation upon which they build their applications.</p>
<p>Unfortunately, the down side to this is that those wishing to perpetrate malicious activities also have access to these very same standards and specifications. It is this access to the technical specifications of how the Internet and Internet technologies are implemented that allows an attacker to subvert systems, networks and the Internet for their own ends.</p>
<p>Today we find that this tends to mean cybercrime such as identity theft, fraud, theft, malicious intent (creating damage to the detriment of others), various forms of Denial-of-Service (DoS) attacks, phishing, malware in general and the one we all hate with a passion: spam.</p>
<h3>Civilizations, Societies, and Protocols</h3>
<p>In order for a civilization to develop and prosper, social beings and the societies they belong to create various protocols (rules concerning acceptable/"normal" roles, behaviors, customs, etiquette, etc.) which allow them to communicate with other members of that society. Language is but one of these protocols.</p>
<p>In these regards humans, bees, ants, etc. all have much in common. The important difference is that humans have a capacity for conceptualization and virtualization of thought and self.</p>
<h3>Knowledge and Information Technologies</h3>
<p>Over time it has proven most beneficial for one generation to pass on to succeeding generations the knowledge that it inherited, developed and further progressed. The label we humans have given to these processes is Information Technology (IT), and its most obvious manifestation today is the Internet.</p>
<p>The benefits and freedoms delivered by these Information Technologies are susceptible to damage, degradation, subversion and destruction from a host of very diverse threats. Thus, securing information technologies against these threats becomes a desirable necessity and is achieved by way of a wide variety of technologies, processes, and training.</p>
<p>Before we can design and implement security procedures it is important that we first define the ultimate goals which we hope that our initiatives will achieve once implemented. Here are some of the more important security related concepts.</p>
<h3>Security and Privacy</h3>
<p>Because of the significant degree of entanglement of privacy and security it is practically impossible to deal with the one without involving the other. In order to deal with security and privacy related issues we must first clarify what we mean by security and being in a secure state.</p>
<p>In short, security is the state of being safe, protected, and free from worry about possible loss, through the assurance that something of value will not be taken away, degraded, or threatened in any manner by attack from without or subversion from within.</p>
<p>Security measures and initiatives, on the other hand, are those precautions taken to defend, maintain or improve the safety and sanctity of one or more entities (somebody or something) from attack, danger, or crime, be they potential, perceived or real.</p>
<h3>Security Goals</h3>
<p>Security goals are the predefined targeted levels of protection, precautions, and/or defensive strategies deemed to be adequate and/or appropriate for specific "real world" scenarios. Thus security goals can and do vary considerably from one entity to the next.</p>
<p>However, from the "big picture" perspective, we find that security goals developed by different organizations all have in common that they provide an acceptable predefined level of security assurance in conjunction with varying degrees of acceptable exposure, usually weighted by economic factors such as cost effectiveness.</p>
<h3>Security Auditing and Accounting</h3>
<p>Security auditing is the process of recording, usually to a log file, information regarding network and resource access and access requests, including which computer(s) and/or user(s) are issuing said access requests. Typically audited criteria include system/network resources, security events, unauthorized access, logon attempts and outcomes, as well as communications-related events.</p>
<h3>Security-in-Depth</h3>
<p>Security-in-depth is a strategic security concept based around hierarchies, multiple layers of defenses and the removal of single-point-of-failure instances. The basic philosophy here is to use multiple layers of defenses with each using multiple different types of defenses at every stage and station of a security infrastructure.</p>
<p>The result of this is that any time a user requires access to assets or resources with prescribed access and privilege levels above that of the user's current logon account status, said user will be required to supply additional authentication credentials in order to proceed.</p>
<p>For instance, security/defense-in-depth would use variable combinations of password authentication in conjunction with and supplemental to smart cards, keypads, biometrics, digital signatures/certificates, etc.</p>
<h3>Additional Networking and Security Infrastructure</h3>
<p>Additional factors worthy of consideration when designing and building a security infrastructure include: physical accessibility, system/network availability, firewalls, Demilitarized Zones (DMZs), surveillance systems (video cameras), traffic control mechanisms, check-points, email security initiatives, multi-factor authentication, intrusion detection systems and intrusion prevention systems.</p>
<h3>Security Policies</h3>
<p>A security policy is a document containing a set of organization/enterprise-level rules governing acceptable usage of enterprise assets and resources as well as user behaviors. Response measures (what to do when things go wrong) are usually included in security policy documentation as well.</p>
<p>Other criteria commonly found in security policies include: information technology resources, acceptable security practices, acceptable operational procedures, best practices guidelines, recommended procedures and practices, a glossary of terms and terminology used, etc.</p>
<p>There are quite a number of different types of policies that all organizations, enterprises, business and institutions must develop and implement. Most of these policies will be created primarily in response to legislation.</p>
<p>Generally speaking, this group of essential and mandatory policies includes: authentication policies, password policies, privacy policies, environmental policies, auditing and accounting policies, physical security policy, emergency events and response policies, general resources and assets usage policies.</p>
<h3>Under Attack</h3>
<p>An attack is considered to be the direct or indirect, real or perceived consequences and effects of action(s) perpetrated by one or more entities with the intent to intrude, compromise, degrade, control, or adversely affect, either directly or indirectly, the assets, prerogatives, freedoms and rights of one or more other entities, generally with deliberate malicious intent, manner or purpose.</p>
<p>A threat is any entity possessed with the deliberate intent to cause hazard, harm, degradation or unsolicited action to the disadvantage, peril or jeopardy of another entity or asset. An exploit is usually some vulnerability that can be taken advantage of by a threat in an unsolicited, unfair or selfish manner, to the advantage or intent of said threat, and/or disadvantage or detriment of that being exploited (target/victim).</p>
<p>Security analysts have identified a special category of vulnerability, known as a zero-day vulnerability, which is generally considered by security professionals to be of the highest order of risk because there are no known patches or countermeasures available at the time the vulnerability, exploit or flaw is first publicly disclosed.</p>
<h3>Napoleonic Tactics - Divide and Conquer</h3>
<p>In order to be able to manage the vast array and types of attacks with an eye to producing the most appropriate response with the shortest possible delay/lag between identification/notification and the development and roll-out of countermeasures it is helpful to break up the attacks into classes delineated by the relative location of the source of the attack as well as the relative location of the target as follows:</p>
<h4>Outside</h4>
<p>Resources and assets external to an organization come under attack, the effects and consequences of which are felt by the organization and other parties. This type of attack can result in damage arising directly from malicious intent by the attacker and targeting you specifically.</p>
<p>Damage from outside sources can also be collateral in nature. This type of damage arises directly or indirectly out of malicious intent and/or actions by the attacker directed at another party but adversely affecting you in the process.</p>
<h4>Outside-In</h4>
<p>A more classical form of attack whereby an external attacker desires to intrude into the targeted system/network by penetrating said system or network defenses in order to execute ill intent or to perpetrate malicious and vindictive activities.</p>
<p>Data theft, particularly of Personally Identifiable Information (PII) and financial information in general, tends to be the main motive here. Other vindictive actions such as data corruption do occur as the result of outside-in attacks.</p>
<p>A more recent twist on this theme sees the villains gaining access to inside resources including databases and accounts information. Once in, they will encrypt your data, thereby denying you rightful access to it. For a sum of money the perpetrators will give you the encryption key. In short, this form of outside-in attack is nothing other than extortion.</p>
<h4>Inside</h4>
<p>The attacker is internal to the target system or network. A very common example of this is when authentic users of a system/network attempt inappropriate access of resources, services, or data to which they are not explicitly entitled.</p>
<p>Examples of insider attacks include the inappropriate unauthorized downloading of materials of a non-work related nature or use of an organization's resources in the pursuit of personal activities. Using the company printer to print family photos or using network resources to play online games or downloading movies and MP3s are all examples of this class of insider attack.</p>
<p>There is another more serious type of insider attack where an authentic user attempts to gain access to resources which they are not and may never be entitled to access. Company financial records, upper management documents and employee history records are examples of this type of insider attack.</p>
<h4>Inside-Out</h4>
<p>The attacker is inside the target and either instigates a remote malware download and then does its damage or the attacker wishes to propagate from its current host system to other external systems. The unauthorized export of company data to the attacker's external offsite storage devices is a classic example of the inside-out attack. Most consider this to be industrial espionage.</p>
<h4>Proxy</h4>
<p>The attacker focuses on surreptitiously enslaving usually very large numbers of unprotected, innocent third-party machines and then, when ready, will launch an attack from all enslaved machines simultaneously. The intended result is to overwhelm the target by sheer volume. Malicious "botnets" are an example of this attack source category that has gained much notoriety of late.</p>
<h4>Diffuse Perimeter</h4>
<p>A relatively new category related to the morphing of the "security perimeter" as a result of the recent massive expansion of ad hoc wireless public access networks.</p>
<p>Secure resources are now traveling out into an ever more insecure environment where they will encounter wireless networks in places where once there were no freely publicly accessible networks. Now there are many. Airports and transit centers along with the hospitality industry are primary locations from which nefarious activities are launched upon the unsuspecting.</p>
<h4>Mobile</h4>
<p>Many attacks today are implemented by mobile (in transit) devices such as laptops and notebooks. This makes it very hard to identify the attacker. Another much publicized form of mobile attack is the practice of "war driving".</p>
<p>Generally, war driving entails an attacker cruising around in a vehicle with a wireless-enabled laptop or notebook placed on the seat next to them. When a wireless network is detected, the attacker will use packet-sniffing software, among other tools, to determine whether or not the victim network is transmitting in plain language (not encrypted).</p>
<h4>Cloud</h4>
<p>Considering the current rate of uptake, by business and individuals alike, of cloud computing technologies such as Software-as-a-Service (S-a-a-S), it comes as no surprise to learn that the security world now recognizes that attackers and attack mechanisms that exploit various aspects of cloud computing technologies constitute a new attack source.</p>]]></description>
<pubDate>Sun, 14 Sep 2008 06:07:22 PST</pubDate></item>
<item>
<title>Reasons Why People Fail to Make a Good Impression At a Job Interview</title>
<link>http://www.bizcovering.com/Employment/Reasons-Why-People-Fail-to-Make-a-Good-Impression-At-a-Job-Interview.26875</link>
<description>
<![CDATA[<p>Why do some people fail to impress employers at job interviews? How can they turn bad habits around? This article will explore these questions.</p>


 <h3>Punctuality</h3>

 <p>If a job interview is scheduled for 9:30am, employers will expect candidates to arrive at least 15 minutes prior to the job interview. Candidates should find out in advance where the exact location is and endeavor to do a practice drive to the location, not just at 8:00pm when traffic will be calmer, but around the time of the interview. The reason for this is so that delays caused by rush hour can be counted into the travel time. Candidates who arrive late for a job interview already have a strike against them. It is very unprofessional to be late. The employer will doubt your interest in the company and the job if you are not punctual. If there is a genuinely good reason why you cannot arrive on time, such as a traffic accident, then call ahead of time and ask whether the job interview can be re-scheduled for a more opportune time. The employer's time will not be wasted, and they will also appreciate this common courtesy.</p>


 <h3>Bad appearance</h3>


 <p>Unkempt hair, an unshaven face and clothes that have not been ironed will send out all the wrong messages to the employer. They will base a lot of their impression of a person's character and capability on their outward appearance. If they meet with an unprofessional, disheveled appearance, they will want to quickly move ahead to the next candidate. The same applies for people who have a lot of body piercings and tattoos. Whatever a person's tastes in this regard, they need to be kept to themselves and covered up during a job interview, not be put out on display. </p>


 <h3>Complaining attitude</h3>


 <p>A job interview is not the time to start complaining to the employer about previous colleagues or the manager. It is highly unprofessional, as well as inappropriate. It is simply not the time or the place to air past grievances. They are best left at home. </p>

 <h3>Failing to ask for the job</h3>


 <p>A very basic thing that many people fail to do at job interviews is to close properly. One thing employers want to see is a willingness to actually obtain the job. If a candidate sails through the job interview but then fails to actually ask for the job or at least hint that they want it, what has the candidate really achieved? It is puzzling why people forget to do this. It should be their objective to find out more. They can do this by coming out and saying they are keen to have the job and to ask when it would be a good time to call and find out if the job is theirs. Employers will be expecting to hear this. It will close the interview in the correct manner and allow the candidate to check back in and see if they were successful.</p>


 <h3>Answering their mobile phone</h3>


 <p>It is not unheard of for job candidates to go into a job interview and to allow themselves to be distracted by their phone. They should have their mobile phone switched off so that they can focus exclusively on the job interview. People who have their phone on and actually answer it if it rings are showing great disrespect to the employer. Their focus should not wander at such an important time. </p>


 <h3>Lying</h3>


 <p>Employers hate to be in a room with a job applicant who is lying to them to their face. They are easy to spot and can often be caught out. If they are lying at their job interview, the employer may wonder what else they have lied about and just decide that they are not worth the risk to the company. </p>


 <p>Job candidates are not all so obvious in their annoying habits at their job interviews, but they must do all they can to avoid doing anything that will make employers look unfavorably upon their job application. Many of the above suggestions are basic, and following them can help to make all the difference in whether the job applicant is successful or not.</p>]]></description>
<pubDate>Sat, 19 May 2007 12:53:33 PST</pubDate></item>
<item>
<title>How to Build Credentials as an Online Self-Employed Person</title>
<link>http://www.bizcovering.com/E-Commerce/How-to-Build-Credentials-as-an-Online-SelfEmployed-Person.27002</link>
<description>
<![CDATA[<p>	Many self-employed people have a problem building credentials since they are self-employed.  They do not have a "boss" that can write them a nice letter of recommendation.  They are the "boss."  </p>

<p>	If they have customers and/or clients such as consultants, then these customers and/or clients can write testimonials for them and/or letters of reference.</p>

<p>	However, many self-employed people, such as those who work in affiliate marketing online, face the question of how to build credentials as business professionals and/or as creative professionals.</p>

<p>	An important manner of doing so is writing articles.  The article market online is a market that helps to build credentials and many article markets help writers and business professionals to achieve "expert status."</p>

<p>	Let's say you're an affiliate of a jewelry store.  Suppose a client wants to know your credentials, whether you're trying to get the customer to buy from your jewelry store, your jewelry affiliate website, etc.</p>

<p>	You can write articles about jewelry, the history of jewelry, how to appraise jewelry, and/or articles on shopping for jewelry.  These can include links to your store, etc.</p>

<p>	Maintain a portfolio of these articles, and when customers might want your credentials, then this portfolio can help to build credentials that you are an "expert" on jewelry, and not just an affiliate salesperson.</p>

<p>	You can also start a jewelry newsletter and/or emagazine in which your expertise and the expertise of others who know jewelry can be included in these articles.  If your newsletter is successful, then you might consider becoming the editor of the print version of the magazine.  You are the founder and the editor.  You can show your clients your magazine.</p>

<p>	You can also become an expert consultant with companies, sending your brochures to them.  If any of these companies agree to hire you as a consultant, then this list of companies goes into your resume.</p>

<p>	You can write books and ebooklets on jewelry to help build your resume.  You can collaborate on these books with other experts in jewelry.  You can write books on different types of jewelry, like vintage jewelry and art jewelry.</p>

<p>	You can take workshops and classes in jewelry making and in jewelry history and/or in certain types of jewelry such as African jewelry and/or Native American jewelry.  These workshops and classes can also be included in your resume.</p>

<p>	These are some of the ways in which the online self-employed can build a resume and credentials.</p>]]></description>
<pubDate>Thu, 12 Oct 2006 03:30:14 PST</pubDate></item>
</channel>
</rss>
