Search This Blog

Tuesday, November 12, 2013

Reflections..

It's time to reflect on what I have been blogging about over the past 11 weeks. I never had to write a blog before so this was new and interesting for me. I hope people that have read my blogs - found them informative, educational and maybe even a little fun to read. I know I found the experience enjoyable and hope to keep my blog postings active after this course!
In answer to the question - what have I been writing about? I found that I wrote about a myriad of topics from security breaches to certifications. However, while all of them were different – they all had something in common – the information highway can be a scary place and you need to have controls in place to ensure a smoother ride!

Week1 -  Passing the Buck - Who's responsible for the security breach? -  My first blog discussed a major security breach at a market that involved over 2 million credit and debit cards being compromised. I discussed how long it took the company to notify their customers and how that breach also involved several other entities.

Week2 - One Billion Served! – I thought my initial post was a little boring so I actually started to let my creative side take over and included graphics and charts to help spruce up my post! This post described the number of smartphone and tablet owners and how we need to improve security measures for these types of devices.

Week3 -  Shhhhh....Don't tell anyone! – I concentrated this week's blog on the recent NSA scandal. I find it frightening how the government is entwined in all we do online. In six months Facebook had received over 12,000 requests for customer information from various government agencies – really makes me think twice before I post something.

Week4 - BACKUP - It's Gonna Blow! – This week's blog was focused on the importance of a business having both Disaster Recovery and Business Continuity plans in order to mitigate the risk of a disaster. I also found a funny cartoon that I posted:
Week5 -  Press the Key for Security... – This blog discussed the importance of developing a security plan and the steps necessary to accomplish this. I also found this quote which summed up the discussion for me "Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target." — Paul Herbka

Week6 -  Security Starts With You! – This was an interesting blog for me. I wanted to show how important you are to the role of security. In addition, I wanted to emphasize the importance of security training and awareness and how it fits into the company culture. I also found a hilarious YouTube video of a product called the Password Minder that Ellen DeGeneres featured on her show. It was a ridiculous product that was nothing more than a notebook to hold all of your passwords in. It is very funny!

Week7 -  ISO 27K What? – I created this blog dealing with the ISO 27K process because I wanted to find out more about the process. I really hadn't realized all that goes into this certification for companies and it gave me a better appreciation for those organizations that do invest the time, money, and personnel to implement these standards.

Week8 -  IT can be a RISKY Business! – The focus of this week's blog was on the importance of Risk Management in information technology. Defining risks and developing a risk management plan should be a part of any IT initiative and I hope this blog reflected that. Of course I did have a little help from Albert Einstein in trying to get my point across - "Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted" - Albert Einstein.

Week9 -  Is it Worth the Risk? – This blog put an emphasis on the cost benefit analysis side of risk management. I did find some great tutorials that discussed the idea of CBA located at this link: Cost Benefit Analysis

Week10 -  Things That Go BUMP in the Night....  – Since I love all things scary and it was Halloween week – I decided to create a blog dedicated to the "scary" side of computing such as: Viruses, spoofing, Denial of service attacks, malware, social engineering, and zombie attacks! I discussed the Sphere of Protection and how it might help to protect your company against these types and other types of threats. 

Week11 -  Certifications - Are They the Necessary Evil? - This week's blog addressed the question of certifications – are they necessary? While there doesn't appear to be a simple answer – I did realize this after my research – education can never hurt your chances of succeeding. So if you have the ability and time – adding certs to your resume will not hurt.

I definitely feel that these types of blogs are useful to information security professionals and really any information technology professional – it gives you a chance to research and see what is happening out there now. Textbooks are fine – but technology is constantly updating and it's difficult to grasp some of that in a textbook alone. The internet can be a great tool for learning.



Lessons learned: Make sure you verify your information. Also – use graphics, videos, and charts to keep your posts interesting. I found it easier for me to convey my thoughts in this fashion. Last – have some fun with it!


Saturday, November 9, 2013

Certifications - Are They the Necessary Evil?

CERTS - They're Not Just For Keeping Your Breath Fresh!

The IT security certification roadmap can be quite bumpy and confusing – do you really need all of those to land a job? The simple answer would be no. Nevertheless, if you want to advance your IT security career obtaining some relevant certifications is a great way to start.

Certifications coupled with real-world experience can push your resume higher on the list for some employers. Keeping yourself knowledgeable in your field can never hurt your career and certifications can help you do that.
There are so many Certs and programs - how do you know which one is right for you? Unfortunately this question doesn't have an easy answer.

Some of the more popular certifications are:

  • CompTIA Security+
  • GIAC Security Essentials (GSEC)
  • CEH - Certified Ethical Hacker
  • CISSP - Certified Information Systems Security Professional
  • CISM - Certified Information Security Manager
The SANS Security Training Career Roadmap is a good place to see which certifications map to which roles.

There are both pros and cons to gaining certifications. I have listed some of them below:

Pros

  • Enhances your job prospects
  • Increases your knowledge
  • Shows commitment to your field
  • Might allow for increase in salary
  • Some certs only require a test – while others require experience and classes

Cons

  • Can be expensive to obtain
  • Limited shelf life – need to continuously update cert
  • Not a substitute for real world experience
  • Difficult to choose a certification path
  • Does not guarantee you a job


IT Certifications can be a positive addition to your work experience and give you the tools to succeed in your chosen field. Just remember that they are not the "winning ticket" and a certification alone won't get you the job.


Saturday, November 2, 2013

Things That Go BUMP in the Night....

Now That's Scary…..

Viruses, spoofing, Denial of service attacks, malware, social engineering, and zombie attacks…. this list of threats against your network appears to come straight from a horror movie! What can be done to protect your company's systems and data from these and other monsters?




Protection Mechanisms


There are several ways to protect your company against threats such as Paranormal Email Activity and The Return of the Living Hackers. Utilizing the Sphere of protection is a good way to see how technical controls will help you defend against such threats.


The left side of the sphere shows the controls that defend against outside threats, and the right side shows those that defend against inside attacks. Because people can reach every layer of the sphere, the right side has to take a different approach: people must themselves become a safeguard. They have to be trained, put in place and kept current just like any other control, or they become a threat to the data and systems themselves.

There are thousands of stories involving technology nightmares. For instance, a nonprofit in Maine called People Plus accidentally posted a portion of its membership database on its website. This data included contributions, addresses, numbers, and contact information. This private information sat exposed on their website for two weeks before they detected the breach. 

Network World also has a good page that lists several "True Life IT Horror Stories".


So don't let your organization become the next "Nightmare on Data Street" – make sure you are placing protection mechanisms in place to safeguard it! 

BOO;)



Thursday, October 24, 2013

Is it Worth the Risk?


Managing Risks

Risk management is crucial to the success of every company. An organization that takes no risks will not thrive in a competitive market, but a company that ignores the management of the risks it does take can succumb to failure. Information technology systems play a large role in most organizations, so a company has to manage its IT risks properly if it wants to continue to do well. Once you have assessed your risks and identified ways to control them, examine the trade-off between cost and benefit for every control option. One way to do this is a Cost Benefit Analysis (CBA).


Cost Benefit Analysis

A CBA compares the business impact with the cost to implement a control. For example, the loss of data on a file server may represent the loss of $1 million worth of company information. Implementing a backup plan to ensure the availability of the data may cost $10,000. In other words, you would spend $10,000 to save $1 million. This makes sense. A CBA starts by gathering data to identify the costs of the controls and the benefits gained if they are implemented:


  • Cost of the control – purchase cost plus the operational costs over the lifetime of the control.
  • Projected benefits – potential benefits gained from implementing the control. You identify these by examining the cost of the loss and how much that loss will be reduced if the control is implemented. A control doesn't always eliminate the loss; it may only reduce the risk.

The following equation can be used to determine the CBA, where ALE is the Annualized Loss Expectancy (Single Loss Expectancy x Annualized Rate of Occurrence):

CBA = ALE (before the control) - ALE (after the control) - annual cost of the safeguard
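The formula is easiest to see worked through on a few candidate controls at once. The script below is an added example, not code from the original post: it computes ALE before and after each control, applies the CBA formula and labels each control implement / do not implement, rejecting outright any control that costs more per year than the asset is worth. The asset value, exposure factors, rates of occurrence and control costs are constructed for illustration and loosely follow the $1 million file server / $10,000 backup case above.

```python
"""Cost-benefit analysis (CBA) of security controls.

Added worked example; not code from the original post. It applies
CBA = ALE(before) - ALE(after) - annual cost of the safeguard,
with ALE = asset value x exposure factor x annualized rate of occurrence.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # purchase price amortised per year plus yearly operating cost
    ef_after: float      # exposure factor (fraction of the asset lost per incident) with the control in place
    aro_after: float     # annualized rate of occurrence with the control in place


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO, where SLE = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor * aro


def cba(asset_value: float, ef_before: float, aro_before: float, control: Control) -> float:
    """Net annual benefit of the control; negative means it costs more than it saves."""
    ale_before = ale(asset_value, ef_before, aro_before)
    ale_after = ale(asset_value, control.ef_after, control.aro_after)
    return ale_before - ale_after - control.annual_cost


def recommend(asset_value: float, ef_before: float, aro_before: float,
              controls: List[Control]) -> List[Tuple[str, float, str]]:
    """Rank controls by CBA (best first) and attach a verdict to each.

    A control whose annual cost exceeds the asset's value is rejected outright
    (never spend more protecting an asset than the asset is worth). Otherwise a
    positive CBA means implement; a non-positive one means accept, transfer or
    avoid the risk instead.
    """
    rows = []
    for c in controls:
        net = cba(asset_value, ef_before, aro_before, c)
        if c.annual_cost > asset_value:
            verdict = "reject: costs more than the asset is worth"
        elif net > 0:
            verdict = "implement"
        else:
            verdict = "do not implement: accept, transfer or avoid the risk"
        rows.append((c.name, net, verdict))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed scenario: $1M of data on a file server, total loss (EF = 1.0)
# expected about once a decade (ARO = 0.1) if nothing is done -> ALE = $100,000/yr.
ASSET_VALUE = 1_000_000.0
EF_BEFORE, ARO_BEFORE = 1.0, 0.1

CANDIDATE_CONTROLS = [
    # nightly backups: an incident now costs about one day of work (EF 0.05)
    Control("nightly backups + off-site copy", annual_cost=10_000.0, ef_after=0.05, aro_after=0.1),
    # synchronous replication to a second site: near-zero loss, but very expensive
    Control("synchronous replication", annual_cost=150_000.0, ef_after=0.0, aro_after=0.1),
    # a dedicated hardened data centre: costs more per year than the data is worth
    Control("dedicated bunker data centre", annual_cost=1_200_000.0, ef_after=0.0, aro_after=0.1),
    # doing nothing: no cost, no reduction
    Control("accept the risk", annual_cost=0.0, ef_after=1.0, aro_after=0.1),
]


def run_example() -> List[Tuple[str, float, str]]:
    return recommend(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATE_CONTROLS)


if __name__ == "__main__":
    for name, net, verdict in run_example():
        print(f"{name:32s} CBA = ${net:>12,.0f}  -> {verdict}")
```

Nightly backups come out at a net benefit of $85,000 a year and are the only control worth implementing here; synchronous replication eliminates the loss but costs more than the loss it prevents, and the bunker fails the "never spend more than the asset is worth" rule before the arithmetic even matters.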




 

Is it Worth it?

If the costs outweigh the benefits, the control may not be worth implementing. Instead, the risk could be accepted, transferred or avoided. The cost benefit process will help to:


  • Determine the cost of protecting an asset
  • Define the economic loss if the asset remained unprotected
  • Prioritize actions and spending on security


A company should not spend more to protect an asset than the asset is worth!

Here are some useful links to help in deciphering the various costing methods:
Simple Risk Analysis
FFIEC
The Society of Information Risk Analysts

Wednesday, October 16, 2013

IT can be a RISKY Business!


Risk Management

Risk management is an important activity for a business. Identifying risks, assessing the impact of the risk, and making the right financial decision about how to deal with the results of a risk – are crucial areas that need to be addressed. In addition, programs that continually measure and assess the effectiveness of your company's current safeguards – are vital to the risk management process. Managing risk is continuous – it's not a one-time project!





What is a Risk?

Risk is commonly expressed with the following formula:

Risk = Threats x Vulnerabilities x Impact

Threat: any potential danger to information or an information system.
Vulnerability: a weakness in an information system that a threat could exploit.
Impact: the harm done if the threat succeeds, driven by the value of the asset you are trying to protect.

Because the factors multiply, a vulnerability that no threat can reach, or a threat with nothing to exploit, contributes no risk; that is why a risk assessment has to look at all three together rather than counting vulnerabilities alone.

Develop a Risk Management Assessment Plan

Developing an effective Risk Management Plan is an important part of any project, but unfortunately it is often viewed as something that can be dealt with later. Without a plan, even small emergencies can get out of hand.


"Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted"  
~Albert Einstein~


Friday, October 11, 2013

ISO 27K What?

What is ISO 27000....

 
 
With the growth of the internet and the explosive emergence of mobile technology, managing information security has become even more vital and should encompass all aspects of an organization's operations. As a consumer, we would like to be certain our information is being protected by an organization. For instance, if you use a website - you want to be assured that the information you provide is safe from internal or external threats.
One way to accomplish this is by utilizing the ISO 27000 series of security standards. The ISO 27000 series originated from the British Standard BS 7799. It is comprised of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Certification against ISO/IEC 27001, the standard in the series that specifies the requirements for an information security management system (ISMS), is voluntary; an organization that obtains it shows that it meets a defined level of information security management.
The series is designed to cover more than just privacy, confidentiality and technical security issues - it also covers all business processes and business assets. Currently the ISO 27000 series contains six publicly available parts, each dealing with a different area of information security management, and several more are being developed.
 

Plan - Do - Check - Act


 


The ISO 27000 series utilizes the Plan-Do-Check-Act model in its procedures: Plan (establish the ISMS, its scope, policies and risk treatment), Do (implement and operate the controls), Check (monitor, measure and audit them) and Act (correct and improve). Just like a circle has no end, the PDCA cycle should be repeated again and again for continuous improvement.
 
If you would like to find out more about the ISO 27000 series please follow these links:

ISO 27000 Security
ISO Standards
 

Wednesday, October 2, 2013

Security Starts With You!

 

How many of us have written little password reminders on sticky notes? Working in an office environment, I have seen quite a few screens covered in these notes. This type of issue should be dealt with in a simple security training course offered by all organizations. With all of the advances in technology, it is now even more important to address the need for strict security controls and raise awareness of security protection.

Security Training is a Wise Investment

The current economic climate is forcing companies to choose which programs to discontinue. Security training might look like an area where a company can save a few dollars, but it should not be where an organization withdraws its support. Employee and contractor behavior is a leading cause of costly data breaches, and changing that behavior is also one of the best ways to prevent loss.

Security Awareness Isn't Just a Good Idea, It's the Law

Raising security awareness is more than good company practice. There are also laws that require companies to provide training in this area.
Some laws requiring security and privacy awareness or training programs apply to:
  • The federal government (Federal Information Security Management Act, FISMA)
  • The health care industry (Health Insurance Portability and Accountability Act)
  • Financial institutions (Gramm-Leach-Bliley Act)
  • Publicly-traded companies (Sarbanes-Oxley Act)

Inexpensive Tools to Get You Started

Here are some inexpensive ways you can raise security awareness in your organization:
  • Posters
  • Free On-line training courses
  • Company meetings
  • Government pamphlets
  • YouTube Videos offer another free source
Remember - security is only as strong as your weakest link. Help prevent these types of issues by being proactive in raising your company's security awareness.

This is a great YouTube video I found showing an actual product that is being sold called the Password Minder. It was featured on the Ellen show:



Some links for more information:
InfoSec Institute
Sophos - Security Do's and Don'ts
Security Breach Examples


   

Friday, September 27, 2013

Press the Key for Security...

Wouldn't it be great if it were that simple to control security on your system! However, we all know that taming the security monster is a precise and detailed process. IT departments have their hands full trying to develop a security policy as they strive to reduce the risk profile of a business and fend off both internal and external threats.

What's the Plan?

So how do they do it? Where can they start?
There are numerous websites out there, chock full of information on how to develop a plan, and many of them include templates to help you begin. A well thought out plan for distribution, monitoring and evaluation turns a good security plan into a great one.
 
Here are some basic steps for developing your security plan:
  • Plan - Select a well-rounded planning committee and develop a realistic timeline for developing the plan.
  • Mission Statement - Create an information technology mission statement and align it with the goals of your organization.
  • Analyze - Analyze your current data, security policies and infrastructure. Determine your current threats, attacks and legal obligations.
  • Risks - Evaluate risks and threats to your organization.
  • Design - Create your security blueprint, evaluate technology to support it, draft the key policies and perform a feasibility analysis. Agree on a final design and present it to management for approval.
  • Implement - Test and implement the approved security solutions. Address any personnel issues, conduct training and educate users.
  • Maintain - Focus your organizational efforts on maintenance through monitoring, planning, reviewing, constantly updating and responding to changing threats.
  • Enforce - Without enforcement, the policies are useless.
  • Educate - Keep all users educated and communicate all phases of your plan.

Policy is the cornerstone of an effective security program. It serves as a road map that every person in the organization can use. In today's connected world it is imperative that organizations and individuals incorporate security management into their IT practices.

"Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target." — Paul Herbka


Here are some links to a few sites I found useful in my research for developing security plans:
IBM
Rutgers Information Technology
SANS

Wednesday, September 18, 2013

BACKUP - It's Gonna Blow!

You always back up your important documents right? You diligently save everything to your corporate network, feeling secure in the backups being performed. But do you know if those backups are ever being restored to test them? Do you save really important files to an external drive like a flash drive and are the company backups being kept off-site? From hurricanes to simple power outages - disasters, unpredictable by nature, can strike anywhere at any time with little or no warning. Is your company prepared?

Disaster Recovery and Business Continuity - these are two phrases that are often uttered after a system crashes or becomes incapacitated. Disaster Recovery Planning is the factor that makes the critical difference between the organizations that can successfully manage crises with minimal cost and effort and maximum speed, and those that are left picking up the pieces. A Business Continuity Plan will help a business stay in business during a crisis. 



In order to stay competitive, today's business needs to have a strategy in place to avert and minimize harm from disasters. In using technology to increase business - a company is also placing much of their core practices at the mercy of that same technology.

Here are some simple steps a company can take to create a business continuity plan:
  • Establish a business case for Risk Mitigation
  • Follow a process:
    • To Minimize the business impact
    • To address Human Safety
    • To mitigate corporate liability
    • To meet regulatory requirements
    • To protect the organization's public image
  • Build and train the team(s)
  • Create a business impact analysis - you might create a chart where you assign each business function a rating.
  • Evaluate external resources
  • Build a crisis communication plan

A good Disaster Recovery Plan will also be needed to mitigate the effects of a disaster. There are all types of documents available to help you design a plan but here are a few points to consider:
  • Develop goals
  • Identify key personnel
  • Identify key points of failure
  • Prepare a plan and procedures to support the plan
  • Communicate the plan
  • TEST and refine the plan
  • Make sure you test the plan periodically
Don't end up with sticky notes all over - create a plan!
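The question at the top of this post, whether anyone ever restores the backups to test them, and the "TEST the plan" point in the list above both come down to one routine check: restore the archive somewhere harmless and compare what comes back against what went in. The script below is an added example, not code from the original post or from any product. It backs a directory up to a gzip tar archive, records a SHA-256 manifest at backup time, restores the archive into a throwaway directory and reports every missing, changed or unexpected file. The sample files it creates are constructed for the demonstration; the stale-backup option shows what the check catches when the data has drifted since the last backup run.

```python
"""Restore test for a file backup.

Added example, not code from the original post. Backs a directory up to a
gzip-compressed tar archive, records a SHA-256 manifest at backup time,
restores the archive into a fresh scratch directory and checks every file
against the manifest. Problems are returned rather than printed so a
scheduled job can alert on them. Sample data is constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write source to archive and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest(source)


def restore_test(archive: Path, expected: Dict[str, str]) -> List[str]:
    """Restore into a throwaway directory; return a list of problems (empty means pass)."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Python 3.12+ (and backports) offers the "data" extraction filter, which
            # refuses members with absolute or "../" paths; use it where available.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = manifest(Path(scratch))
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file restored: {rel}")
    return problems


def run_restore_drill(simulate_stale_backup: bool = False) -> List[str]:
    """Create constructed sample data, back it up, then run the restore test.

    With simulate_stale_backup=True one source file is changed after the backup
    and the manifest re-taken, which is what an untested backup looks like when
    the data has drifted since the last run: the restore test must catch it.
    """
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "data"
        (source / "reports").mkdir(parents=True)
        (source / "reports" / "q3.csv").write_text("region,sales\nnorth,1200\nsouth,980\n")
        (source / "notes.txt").write_text("constructed sample file for the restore drill\n")
        archive = Path(work) / "backup.tar.gz"
        expected = make_backup(source, archive)
        if simulate_stale_backup:
            (source / "reports" / "q3.csv").write_text("region,sales\nnorth,1300\nsouth,980\n")
            expected = manifest(source)
        return restore_test(archive, expected)


if __name__ == "__main__":
    print("fresh backup:", run_restore_drill() or "restore OK")
    print("stale backup:", run_restore_drill(simulate_stale_backup=True))
```

Run this against a real archive by calling restore_test with the manifest saved alongside the backup; the point is that the manifest is taken when the backup is made, not at restore time, so the check cannot be fooled by an archive that silently stopped including a directory months ago.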

Here are some sites with useful information on disaster recovery and business continuity planning:

Business Continuity Disaster Recovery Plan Steps, Examples or Scenarios

CSO - Business Continuity and Disaster Recovery

Tuesday, September 10, 2013

Shhhhh....Don't tell anyone!

Big Brother is definitely watching every move you make even if they are trying to keep it a secret. It's been recently reported that the National Security Agency (NSA) has been able to thwart internet security by using supercomputers, technical sleight of hand, court orders and behind-the-scenes persuasion. Some of the encryption they have cracked is used to protect banking, global commerce and even medical records. While they might have our "best interests" at heart – has the government gone too far in the quest to keep us secure?

In an effort to alleviate consumer concerns about privacy, Google, Microsoft, Yahoo and Facebook have each filed suit to ask the government for permission to reveal information about the number and types of national security requests for user data that the companies receive. In doing so, the companies are hoping to bring some transparency to this secretive government process. They want to ensure their users that their data has some form of protection against unwarranted searches.

http://www.nytimes.com/interactive/2013/06/17/technology/company-data-requests.html
What protections are in place to ensure the safety of the information being "reviewed" by the NSA? According to an article in the New York Times, the 2013 NSA budget requests "partnerships with major telecommunications carriers to shape the global network to benefit other collection accesses" – this will make it even easier for them to eavesdrop. One main problem seen in the technical community is that once you open a backdoor (in the interest of security), you are also opening that back door to unethical hackers who could use it for malicious activity. And if someone was able to get at the NSA's own supposedly confidential information, then suffice it to say that any information held and reviewed by the NSA is vulnerable as well.

Remember the next time you are browsing that web site - someone might be watching!

Here are some links with more information on this topic:

NSA Foils Internet Encryption
NSA Defeats Many Encryption Efforts
National Security Agency


Thursday, September 5, 2013

One Billion Served!



 


One billion-that's not how many have been served at McDonalds - instead it represents the number of smartphone and tablet owners. That number will undoubtedly keep growing and along with it will be the opportunity for security threats from outside sources. What steps are being done to help the consumer protect themselves from these types of threats and what can we do to help make our mobile devices more secure?

OS vendors do seem to be taking notice and have been beefing up their systems with better security measures. Android, BlackBerry, Apple, and Windows have all recently released new OS versions containing stricter security controls.

Some of the enhancements include:

  • Windows 8 - increased password security
  • Android - heightened built-in security defaults
  • BlackBerry - data encryption
  • Apple - built-in cloud-based password manager

While it's important for vendors to start taking responsibility for developing more secure systems, consumers also need to be accountable for protecting their own information.

Some ways you can avoid a security intrusion are:

  • Use a strong, unique password or passcode (length matters more than a sprinkling of numbers, capitals and special characters), and change it whenever you suspect it has been exposed.
  • Disable Bluetooth when not in use.
  • Disable automatic Wi-Fi connections.
  • Only install trusted apps.
  • Keep your OS updated.

By arming yourself with the knowledge of how to implement protection measures and taking the few simple steps above, you can ease some of the security threat concerns you might encounter. Doing nothing is not an option, because with a billion mobile devices there are plenty of opportunities for hackers to wreak havoc on your system.

Visit these sites for more information on this topic:

http://mobappsectriathlon.blogspot.com/2013/03/what-canshould-mobile-os-vendors-do-to.html

http://www.techfruit.com/2013/07/31/how-secure-are-the-various-mobile-operating-systems/

http://searchconsumerization.techtarget.com/tip/Comparing-mobile-operating-systems-manageability-and-security

 

 

Tuesday, August 27, 2013

Passing the Buck - Who's responsible for the security breach?

We all know someone who has been the victim of a cyber-security breach. Small amounts of money being transferred from bank accounts and strange charges showing up on credit card statements are a couple of results we see from this type of activity. Normally we just call the bank or credit card issuer and the charges are removed and new account numbers are assigned - but what happened and who do we blame?

When you use your credit card for a retail purchase you should expect a certain level of security from that retailer. A recent security breach on the point of sale network at Schnucks Market Inc. resulted in over 2 million credit and debit cards being compromised. Not only was their information stolen - but it took the company two weeks to formally notify customers that their data might have been stolen.

Timeline for Schnucks' Breach:
  • March 15th, 2013 - Schnucks is notified by its credit card processor of customer complaints about fraudulent charges.
  • March 28th, 2013 - Malware is found on their network.
  • March 30th, 2013 - Schnucks communicates to customers that an issue has been found and contained.
  • April 15th, 2013 - Schnucks releases a statement saying that 2.4 million card numbers were compromised.

A recent article on BankInfoSecurity.com has now linked this breach to several other retail security breaches. While we won't be able to stop all of these kinds of threats - one thing is certain, we need to hold retailers and banks accountable for maintaining and protecting our information. Communication is going to be instrumental in making the consumer more aware of what to look for.

References:

http://www.bankinfosecurity.com/recent-retail-breaches-connected-a-6022/p-2

http://www.bizjournals.com/stlouis/news/2013/04/10/schnucks-sued-over-security-breach.html