Insider Threat - Week 11

You can install all the firewalls you want, use the most advanced and up-to-date antivirus software there is, but one thing remains constant. The insider threat is very real. And it is sometimes the most difficult threat to your information systems to detect. Ask Bradley Manning or Edward Snowden how real the insider threat is. There are ways to reduce the insider threat. One way is for an organization to routinely review what type of access to which systems each employee maintains. Then determine if that access is necessary for the position they are filling. If the answer is no, remove that access. The organization should also maintain a meticulous log of what accesses, and by what means, each employee has. Other employees should be aware of their surroundings. If an employee all of a sudden doesn’t like what the organization is doing, they could be a threat to that organization’s information systems as an insider.

Another step an organization can take is routinely check activity logs where employees access the various systems. If an employee is becoming disgruntled, it wouldn’t take much for them to install some type of software that could still give them access to the organization’s information systems if they are terminated. The activity logs could show this.

While there is no way an organization can completely eliminate an insider threat, there are steps they can take to minimize the threat of an insider attack.

Intrusion Detection - Week 10

Information systems intrusion detection. Who uses it? Pretty much anyone using a firewall or antivirus software. Intrusion detection works a few different ways. One way is a network-based intrusion detection. This type of intrusion detection system would be placed at different points within a network to monitor traffic between devices on the network. Another type is host-based intrusion detection. Host-based detection runs on individual devices within a network. Signature-based intrusion detection is another type. This type of intrusion detection looks for specific signatures traveling over the network, such as viruses, trojan horses, or worms. Another type of intrusion detection is anomaly-based intrusion detection. This detection method watches what normally goes across a network for traffic and establishes a baseline. Once the baseline is established it watches for anomalies, or traffic that is out of the ordinary being transmitted over the network, as it compares to that baseline.

Intrusion detection systems are able to keep a log on the system to alert system administrators when an intrusion has been detected. They can also be set to generate a pop-up window to alert that an intrusion was detected.

Intrusion detection is just another tool to keep information safe within a network and when it is being transmitted.

Controlling Risk - Week 9

Last week we talked about Risk Management.  Controlling Risk is the goal. Whether that is identifying the risk and then determining if that risk is preventable, determining how to prevent it, or determining what it would take to prevent that risk would cost more than paying for the risk. There are several methods to determine if the risk is worth taking or not.

One of these methods is cost benefit analysis. This looks at the annualized rate of occurrence, or how many times this risk is expected to happen in a year, the annualized loss expectancy, or how much an organization expects to lose over a year due to this risk. There are also controls that can be put into place, such as new safeguards, new software, new hardware, etc. This is all figured by the cost to the organization pre-control, and the cost to the organization post-control. Many times the cost of the control will reduce the annualized loss expectancy enough to make the cost of the control worth it. Other times, the annualized loss expectancy is not reduced that much post-control and actually makes the cost of the control too much. Using the control would actually cost the company more than absorbing the cost of the risk.

It is up to the organization to determine if it is worth using a control or not.

Risk Management - Week 8

Risk management is something we do every day. When I get up in the morning do I stand still and let the dogs get around me or do I continue down the hall to let them out, knowing at some point they’re going to blow through me and potentially take my legs out from under me. Driving to work, do I have enough time to make a right on red or do I need to wait for this car to go past first?

Now apply this to information security. There is risk management involved there, too. The way technology keeps improving we need to keep on top of risk management. As technology improves for the good guys, it also improves for the hackers. Also, as technology improves, newer parts coming out generally could have bugs in them that will need to be fixed. Staying on top of that is part of risk management. As the technology improves when does the older equipment become obsolete? What kind of vulnerabilities are there in the older software or hardware that can be taken advantage of?

Risk management is sometimes a balancing act between staying within a budget and updating to newer software or hardware to alleviate these vulnerabilities. It is weighing the vulnerabilities and then racking and stacking to determine which are the most important ones to take care of first.

Critical Infrastructure Cybersecurity Framework - Week 7

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, signed on February 12, 2013, and its follow on NIST document, Framework for Improving Critical Infrastructure Cybersecurity, published on February 12, 2014, discuss coming up with a plan to ensure the cybersecurity of the nation its businesses. It is voluntary, but sets out to put into place a set of guidelines across a common language to ensure the safety and cybersecurity of the economy, the public, and businesses alike.

By creating a living document, they intend to make it usable for both large and small organizations. The idea is to create a framework consisting of three parts for cybersecurity. The three parts of the framework are the core, profiles, and tiers. The core is cybersecurity activities, outcomes, and references common across critical infrastructure sectors. They provide detailed guidelines for organizations to create their profiles. The profiles help an organization align with its business requirements, risk tolerances and resources. Tiers are to help an organization understand their approach to managing cybersecurity risk.

The Executive Order requires a methodology be included to protect individual privacy and civil liberties. The framework is designed to work for any business small or large, and is not a one size fits all. Because many companies operate overseas, the goal is to get the international community involved in the framework as well.

Information Security Awareness Training - Week 6

What do we really know about security awareness training? How many of us are required to do some sort of training annually for our jobs? How much do we really pay attention to that annual training? Depending on our role within the organization, there could be many different forms of information security awareness training.

The training an executive within the company does is most likely different than the training a new hire would do. That training would most likely be different than the training an IT manager would do. How do we know what training should be taken by each employee within an organization? There are several organizations and websites that can help.

There are companies that specialize in creating information security awareness training for other organizations. Some of these companies will develop entire programs for an organization. Others will tailor the training for a specific organization and hold a webinar, or go conduct in-house training for that organization. Others already have different modules of training developed that an organization can pick and choose which modules they would need for security awareness training for their employees.

Another option is developing the training in-house. There are several websites that offer checklists and suggestions for developing a training program. One of these is the National Institute of Standards and Technology. Their 800 series Special Publications can be a great help to an organization for many different things. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, basically walks you through creating a training program for your organization.

Regardless of which method, company, training program you use, make sure you have one that is effective. Make sure your employees are up to speed on it. With the heavy reliance on technology in every business these days, you want to make sure your information is secure.

Information Security Policies - Week 5

Organizations need to develop information security policies for their operations. There are three types of information security policies, enterprise information security policy (EISP). issue-specific security policy (ISSP), and system-specific security policy (SysSP). Each of these policies serves a different purpose within an organization.

EISP deals with the organization's overall information security policies. It defines InfoSec for the organization and details the responsibilities of each department, as well as users, for InfoSec within the organization. It defines InfoSec as it relates to the organization and identifies critical components of InfoSec within the organization. This policy will also define staffing necessary to support InfoSec within the organization and will lay out how the InfoSec program will function throughout the organization and give a document that all other InfoSec policies will reference.

ISSP deals with how technology-based resources will be used and afforded InfoSec. It will define how the resources will be used, who may use them, and what restrictions there are with use of the resources. The policy defines physical security, who is authorized to use the resource, what is considered fair and responsible use of the resource, and what is considered misuse. It will stipulate what the organization can do to for systems management such as monitoring, physical security, virus protection, encryption, etc. There will be a timeline for scheduled reviews of the policy and procedures for modification.

With SysSP, the policy will address who exactly can use each system in the performance of their duties, what parts of each system a user can access, when the system is available for access, from where the systems may be accessed, as well as to what extent users can access the system. Each system may be set up with specific rights to information contained on that particular system that defines what type of access each user has, whether that is read only, write access, execute access, or delete access