Tuesday, November 12, 2013

Reflections...

It's time to reflect on what I have been blogging about over the past 11 weeks. I never had to write a blog before, so this was new and interesting for me. I hope people who have read my blogs found them informative, educational, and maybe even a little fun to read. I know I found the experience enjoyable and hope to keep my blog postings active after this course!

In answer to the question of what I have been writing about: I found that I wrote about a myriad of topics, from security breaches to certifications. However, while all of them were different, they all had something in common: the information highway can be a scary place, and you need to have controls in place to ensure a smoother ride!

Week 1 - Passing the Buck - Who's Responsible for the Security Breach? - My first blog discussed a major security breach at a market that involved over 2 million credit and debit cards being compromised. I discussed how long it took the company to notify their customers and how that breach also involved several other entities.

Week 2 - One Billion Served! - I thought my initial post was a little boring, so I actually started to let my creative side take over and included graphics and charts to help spruce up my post! This post described the number of smartphone and tablet owners and how we need to improve security measures for these types of devices.

Week 3 - Shhhhh....Don't Tell Anyone! - I concentrated this week's blog on the recent NSA scandal. I find it frightening how the government is entwined in all we do online. In six months Facebook had received over 12,000 requests for customer information from various government agencies; it really makes me think twice before I post something.

Week 4 - BACKUP - It's Gonna Blow! - This week's blog was focused on the importance of a business having both Disaster Recovery and Business Continuity plans in order to mitigate the risk of a disaster. I also found a funny cartoon that I posted:

(Image: cartoon not preserved in this copy of the post)

Week 5 - Press the Key for Security... - This blog discussed the importance of developing a security plan and the steps necessary to accomplish this. I also found this quote, which summed up the discussion for me: "Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target." — Paul Herbka

Week 6 - Security Starts With You! - This was an interesting blog for me. I wanted to show how important you are to the role of security. In addition, I wanted to emphasize the importance of security training and awareness and how it fits into the company culture. I also found a hilarious YouTube video of a product called the Password Minder that Ellen DeGeneres featured on her show. It was a ridiculous product that was nothing more than a notebook to hold all of your passwords in. It is very funny!

Week 7 - ISO 27K What? - I created this blog dealing with the ISO 27K process because I wanted to find out more about the process. I really hadn't realized all that goes into this certification for companies, and it gave me a better appreciation for those organizations that do invest the time, money, and personnel to implement these standards.

Week 8 - IT Can Be a RISKY Business! - The focus of this week's blog was on the importance of Risk Management in information technology. Defining risks and developing a risk management plan should be a part of any IT initiative, and I hope this blog reflected that. Of course I did have a little help from Albert Einstein in trying to get my point across: "Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted."

Week 9 - Is It Worth the Risk? - This blog put an emphasis on the cost-benefit analysis side of risk management. I did find some great tutorials that discussed the idea of CBA, located at this link: Cost Benefit Analysis

Week 10 - Things That Go BUMP in the Night.... - Since I love all things scary and it was Halloween week, I decided to create a blog dedicated to the "scary" side of computing, such as viruses, spoofing, denial-of-service attacks, malware, social engineering, and zombie attacks! I discussed the Sphere of Protection and how it might help to protect your company against these and other types of threats.

Week 11 - Certifications - Are They the Necessary Evil? - This week's blog addressed the question of certifications: are they necessary? While there doesn't appear to be a simple answer, I did realize this after my research: education can never hurt your chances of succeeding. So if you have the ability and time, adding certs to your resume will not hurt.

I definitely feel that these types of blogs are useful to information security professionals, and really to any information technology professional. They give you a chance to research and see what is happening out there now. Textbooks are fine, but technology is constantly updating, and it's difficult to grasp some of that in a textbook alone. The internet can be a great tool for learning.

Lessons learned: Make sure you verify your information. Also, use graphics, videos, and charts to keep your posts interesting; I found it easier to convey my thoughts in this fashion. Last, have some fun with it!
Saturday, November 9, 2013

Certifications - Are They the Necessary Evil?

CERTS - They're Not Just For Keeping Your Breath Fresh!

The IT security certification roadmap can be quite bumpy and confusing. Do you really need all of those certifications to land a job? The simple answer is no. Nevertheless, if you want to advance your IT security career, obtaining some relevant certifications is a great way to start.

Certifications coupled with real-world experience can push your resume higher on the list for some employers. Keeping yourself knowledgeable in your field can never hurt your career, and certifications can help you do that.

There are so many certs and programs; how do you know which one is right for you? Unfortunately, this question doesn't have an easy answer.

Some of the more popular certifications are:

  • CompTIA Security+
  • GIAC Security Essentials
  • CEH - Certified Ethical Hacker
  • CISSP - Certified Information Systems Security Professional
  • CISM - Certified Information Security Manager

(Image link: SANS Security Training Career Roadmap)

There are both pros and cons to gaining certifications. I have listed some of them below:

Pros

  • Enhances your job prospects
  • Increases your knowledge
  • Shows commitment to your field
  • Might allow for increase in salary
  • Some certs only require a test, while others require experience and classes

Cons

  • Can be expensive to obtain
  • Limited shelf life: you need to continuously renew the cert
  • Not a substitute for real world experience
  • Difficult to choose a certification path
  • Does not guarantee you a job

IT certifications can be a positive addition to your work experience and give you the tools to succeed in your chosen field. Just remember that they are not the "winning ticket", and a certification alone won't get you the job.

Here are some more links that discuss certification options:

Saturday, November 2, 2013

Things That Go BUMP in the Night....

Now That's Scary…..

Viruses, spoofing, denial-of-service attacks, malware, social engineering, and zombie attacks.... this list of threats against your network appears to come straight from a horror movie! What can be done to protect your company's systems and data from these and other monsters?

Protection Mechanisms

There are several ways to protect your company against threats such as Paranormal Email Activity and The Return of the Living Hackers. Utilizing the Sphere of Protection is a good way to see how technical controls will help you defend against such threats.


The left side of the Sphere shows the controls that defend against outside threats, and the right side shows those that defend against those pesky inside attacks. Since people can access all layers of the Sphere, the right side of the Sphere must take a different approach to security: people themselves have to become a safeguard of the system. Members of the organization must be effectively trained, and that training kept current and enforced, or they will also represent a threat to the data and the system.

There are thousands of stories involving technology nightmares. For instance, a nonprofit in Maine called People Plus accidentally posted a portion of its membership database on its website. This data included contributions, addresses, numbers, and contact information. This private information sat exposed on their website for two weeks before the breach was detected.

Network World also has a great page that lists several "True Life IT Horror Stories":

(Image link: Network World "True Life IT Horror Stories")

So don't let your organization become the next "Nightmare on Data Street": make sure you are putting protection mechanisms in place to safeguard it!

BOO;)

Here are some more links about Protection Mechanisms that you might find useful: