Sunday, May 28, 2017

Insider Threat - Week 11


You can install all the firewalls you want and use the most advanced, up-to-date antivirus software there is, but one thing remains constant: the insider threat is very real, and it is sometimes the most difficult threat to your information systems to detect. Ask Bradley Manning or Edward Snowden how real the insider threat is. There are ways to reduce the insider threat. One is for an organization to routinely review what type of access each employee has to which systems, then determine if that access is necessary for the position they fill. If the answer is no, remove the access. The organization should also keep a meticulous log of what access each employee has and by what means. Other employees should be aware of their surroundings: if an employee suddenly doesn’t like what the organization is doing, they could become an insider threat to that organization’s information systems.

Another step an organization can take is to routinely check the activity logs of the systems employees access. If an employee is becoming disgruntled, it wouldn’t take much for them to install some type of software that would still give them access to the organization’s information systems after they are terminated. The activity logs could show this.

While there is no way an organization can completely eliminate the insider threat, there are steps it can take to minimize the risk of an insider attack.
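The two checks described above (reviewing each employee's access against what their position needs, and looking in activity logs for access that outlives employment) as an added example, not code from the original post. The roster, role-to-entitlement mapping, access inventory and log lines are all constructed samples; the system and entitlement names are made up.

```python
"""Added example: a periodic access review plus a log check for logins after
termination. Every data set below is constructed for illustration."""
from datetime import date

# Constructed: what each job role legitimately needs (least privilege baseline).
ROLE_ENTITLEMENTS = {
    "accountant": {"erp:finance-read", "erp:finance-write"},
    "helpdesk": {"ad:password-reset", "ticketing:agent"},
    "developer": {"git:push", "ci:trigger"},
}

# Constructed HR roster: employee -> (role, termination date or None if active)
ROSTER = {
    "alice": ("accountant", None),
    "bob": ("helpdesk", None),
    "carol": ("developer", date(2017, 4, 30)),   # left the company
}

# Constructed access inventory: employee -> entitlements currently granted
ACCESS = {
    "alice": {"erp:finance-read", "erp:finance-write", "ad:password-reset"},
    "bob": {"ad:password-reset", "ticketing:agent"},
    "carol": {"git:push", "ci:trigger"},
    "dave": {"git:push"},   # no HR record at all
}

# Constructed authentication log: "YYYY-MM-DD HH:MM user event source_ip"
AUTH_LOG = """\
2017-05-01 08:02 alice login-ok 10.0.0.12
2017-05-02 23:41 carol login-ok 203.0.113.7
2017-05-03 09:15 bob login-ok 10.0.0.20
"""


def review_access(roster, access, role_entitlements, today):
    """Compare granted access with what the role needs. Returns a list of
    (user, finding, entitlements) tuples, one per problem account."""
    findings = []
    for user, granted in sorted(access.items()):
        if user not in roster:
            # Access exists but HR has never heard of this user.
            findings.append((user, "orphan-account", sorted(granted)))
            continue
        role, left = roster[user]
        if left is not None and left < today:
            # Employee has left but the account still carries access.
            findings.append((user, "terminated-still-active", sorted(granted)))
            continue
        excess = granted - role_entitlements.get(role, set())
        if excess:
            # Active employee holding access the position does not need.
            findings.append((user, "excess-access", sorted(excess)))
    return findings


def logins_after_termination(roster, log_text):
    """Scan the auth log for successful logins dated after the user's
    termination date. Returns (user, day, source_ip) tuples."""
    hits = []
    for line in log_text.splitlines():
        day, _clock, user, event, src = line.split()
        when = date.fromisoformat(day)
        rec = roster.get(user)
        if rec and rec[1] is not None and when > rec[1] and event == "login-ok":
            hits.append((user, day, src))
    return hits


if __name__ == "__main__":
    for finding in review_access(ROSTER, ACCESS, ROLE_ENTITLEMENTS, date(2017, 5, 28)):
        print("access review:", finding)
    for hit in logins_after_termination(ROSTER, AUTH_LOG):
        print("login after termination:", hit)
```

Both functions are deliberately read-only: they produce findings for a human reviewer rather than revoking anything, since the post's point is that a person decides whether each access is still necessary.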

Sunday, May 21, 2017

Intrusion Detection - Week 10


Information systems intrusion detection: who uses it? Pretty much anyone using a firewall or antivirus software. Intrusion detection works in a few different ways. One is network-based intrusion detection, where sensors are placed at different points within a network to monitor traffic between devices on the network. Another is host-based intrusion detection, which runs on individual devices within a network. Signature-based intrusion detection is another type; it looks for specific signatures traveling over the network, such as those of viruses, trojan horses, or worms. Another type is anomaly-based intrusion detection, which watches what normally crosses the network and establishes a baseline of that traffic. Once the baseline is established, it watches for anomalies, that is, traffic out of the ordinary compared to the baseline.
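To make the signature-based and anomaly-based approaches concrete, here is an added example (not code from the original post) of a toy host-based sensor that applies both to a constructed log of per-minute traffic from two hosts. The log lines, the one signature pattern (a substring of the harmless EICAR antivirus test string) and the threshold are all made up for illustration.

```python
"""Added example: signature matching and a mean/standard-deviation baseline
over a constructed traffic log. Data and thresholds are constructed."""
import re
import statistics
from collections import defaultdict

# Constructed sample log: "minute host bytes_out request"
SAMPLE_LOG = """\
1 10.0.0.5 1200 GET /index.html
2 10.0.0.5 1350 GET /about.html
3 10.0.0.5 1100 GET /contact.html
4 10.0.0.5 1250 GET /index.html
5 10.0.0.5 1300 GET /news.html
6 10.0.0.5 48000 POST /upload
7 10.0.0.5 1200 GET /index.html
7 10.0.0.9 500 GET /
8 10.0.0.5 1300 GET /files/EICAR-STANDARD-ANTIVIRUS-TEST-FILE.txt
"""

# Signature-based rules: fixed patterns, the way AV/IDS signature sets work.
# Constructed: matches a fragment of the standard EICAR antivirus test string.
SIGNATURES = {
    "eicar-test-file": re.compile(r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
}


def parse_log(text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        minute, host, nbytes, request = line.split(" ", 3)
        events.append({"minute": int(minute), "host": host,
                       "bytes": int(nbytes), "request": request})
    return events


def signature_alerts(events):
    """Signature-based detection: flag any event whose request matches a rule."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["request"]):
                alerts.append((ev["minute"], ev["host"], name))
    return alerts


def anomaly_alerts(events, baseline_minutes, k=3.0):
    """Anomaly-based detection: learn a per-host baseline (mean and population
    standard deviation of bytes_out) from the first `baseline_minutes` minutes,
    then flag later events more than k standard deviations above the mean.
    A host with no baseline cannot be judged, so it is reported separately."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["minute"] <= baseline_minutes:
            per_host[ev["host"]].append(ev["bytes"])

    alerts = []
    for ev in events:
        if ev["minute"] <= baseline_minutes:
            continue                      # baseline window is not scored
        sample = per_host.get(ev["host"])
        if not sample or len(sample) < 2:
            alerts.append((ev["minute"], ev["host"], "no-baseline"))
            continue
        mean = statistics.mean(sample)
        sd = statistics.pstdev(sample) or 1.0   # avoid a zero-width band
        if ev["bytes"] > mean + k * sd:
            alerts.append((ev["minute"], ev["host"], "bytes-anomaly"))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature:", signature_alerts(evs))
    print("anomaly:", anomaly_alerts(evs, baseline_minutes=5))
```

The two detectors fail in opposite ways, which is why the post's list of types matters: the signature rule cannot see the 48 kB upload in minute 6 because nothing in the request matches a known pattern, while the baseline detector cannot say anything about the EICAR download in minute 8 because its size is perfectly ordinary.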

Intrusion detection systems can keep a log on the system and alert system administrators when an intrusion has been detected. They can also be set to generate a pop-up window alerting that an intrusion was detected.

Intrusion detection is just another tool to keep information safe within a network and when it is being transmitted.

Sunday, May 14, 2017

Controlling Risk - Week 9


Last week we talked about risk management. Controlling risk is the goal, whether that means identifying a risk and determining if it is preventable, determining how to prevent it, or determining that what it would take to prevent the risk would cost more than paying for the risk. There are several methods to determine whether a risk is worth taking or not.

One of these methods is cost-benefit analysis. It looks at the annualized rate of occurrence (how many times this risk is expected to happen in a year) and the annualized loss expectancy (how much the organization expects to lose over a year due to this risk). There are also controls that can be put into place, such as new safeguards, new software, new hardware, etc. The analysis compares the cost to the organization pre-control with the cost to the organization post-control. Many times the control reduces the annualized loss expectancy enough to make the cost of the control worth it. Other times, the annualized loss expectancy is not reduced that much post-control, which makes the cost of the control too high: using the control would actually cost the company more than absorbing the cost of the risk.
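The pre-control versus post-control comparison worked through in code, as an added example that is not part of the original post. It assumes the standard textbook definitions, which the post does not spell out: annualized loss expectancy is single loss expectancy times annualized rate of occurrence, and the net benefit of a control is the reduction in ALE minus the control's annual cost. The loss figures and the three candidate controls are constructed.

```python
"""Added example: cost-benefit analysis for one risk and several candidate
controls. Assumes ALE = SLE x ARO and net benefit = ALE_pre - ALE_post - cost.
All dollar figures and rates below are constructed."""


def ale(sle, aro):
    """Annualized loss expectancy: loss per event times events per year."""
    return sle * aro


def cost_benefit(sle, aro_pre, aro_post, annual_control_cost):
    """Return (ALE before control, ALE after control, net benefit).
    A positive net benefit means the control pays for itself; zero or
    negative means absorbing the risk is cheaper than the control."""
    before = ale(sle, aro_pre)
    after = ale(sle, aro_post)
    return before, after, before - after - annual_control_cost


def rank_controls(sle, aro_pre, controls):
    """controls: {name: (aro_post, annual_cost)}.
    Returns [(name, net_benefit, verdict)] with the best net benefit first,
    which is the 'rack and stack' ordering for deciding what to fund."""
    ranked = []
    for name, (aro_post, cost) in controls.items():
        _, _, net = cost_benefit(sle, aro_pre, aro_post, cost)
        ranked.append((name, net, "adopt" if net > 0 else "absorb the risk"))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed scenario: a $50,000 loss per incident, expected twice a year.
SLE = 50_000
ARO_PRE = 2.0

# Constructed candidate controls: name -> (ARO after the control, annual cost)
CANDIDATE_CONTROLS = {
    "email filtering": (0.5, 40_000),          # cuts incidents to one every 2 years
    "awareness training": (1.5, 10_000),       # modest reduction, cheap
    "endpoint rebuild service": (1.75, 15_000),  # small reduction, not cheap enough
}

if __name__ == "__main__":
    print("single control:", cost_benefit(SLE, ARO_PRE, 0.5, 40_000))
    for row in rank_controls(SLE, ARO_PRE, CANDIDATE_CONTROLS):
        print(row)
```

The third control is the case the post warns about: it does reduce the annual loss, but by less than it costs, so the net benefit is negative and the cheaper choice is to accept the risk.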

It is up to the organization to determine if it is worth using a control or not.

Sunday, May 7, 2017

Risk Management - Week 8


Risk management is something we do every day. When I get up in the morning do I stand still and let the dogs get around me or do I continue down the hall to let them out, knowing at some point they’re going to blow through me and potentially take my legs out from under me. Driving to work, do I have enough time to make a right on red or do I need to wait for this car to go past first?

Now apply this to information security. There is risk management involved there, too. With the way technology keeps improving, we need to keep on top of risk management. As technology improves for the good guys, it also improves for the hackers. Also, as technology improves, newer products coming out generally could have bugs in them that will need to be fixed. Staying on top of that is part of risk management. As the technology improves, when does the older equipment become obsolete? What vulnerabilities are there in the older software or hardware that can be taken advantage of?

Risk management is sometimes a balancing act between staying within a budget and updating to newer software or hardware to alleviate these vulnerabilities. It is weighing the vulnerabilities and then racking and stacking to determine which are the most important ones to take care of first.

Sunday, April 30, 2017

Critical Infrastructure Cybersecurity Framework - Week 7


Executive Order 13636, Improving Critical Infrastructure Cybersecurity, signed on February 12, 2013, and its follow-on NIST document, Framework for Improving Critical Infrastructure Cybersecurity, published on February 12, 2014, describe coming up with a plan to ensure the cybersecurity of the nation and its businesses. The framework is voluntary, but it sets out a set of guidelines in a common language to ensure the safety and cybersecurity of the economy, the public, and businesses alike.

By creating a living document, they intend to make it usable for both large and small organizations. The idea is a cybersecurity framework consisting of three parts: the core, profiles, and tiers. The core is the set of cybersecurity activities, outcomes, and references common across critical infrastructure sectors; it provides detailed guidance for organizations to create their profiles. Profiles help an organization align the framework with its business requirements, risk tolerances, and resources. Tiers help an organization understand its approach to managing cybersecurity risk.

The Executive Order requires that a methodology be included to protect individual privacy and civil liberties. The framework is designed to work for any business, small or large, and is not one-size-fits-all. Because many companies operate overseas, the goal is to get the international community involved in the framework as well.

Sunday, April 23, 2017

Information Security Awareness Training - Week 6


What do we really know about security awareness training? How many of us are required to do some sort of training annually for our jobs? How much do we really pay attention to that annual training? Depending on our role within the organization, there could be many different forms of information security awareness training.

The training an executive within the company does is most likely different from the training a new hire would do, and that training would most likely be different from the training an IT manager would do. How do we know what training should be taken by each employee within an organization? There are several organizations and websites that can help.

There are companies that specialize in creating information security awareness training for other organizations. Some of these companies will develop entire programs for an organization. Others will tailor the training for a specific organization and hold a webinar, or come and conduct in-house training for that organization. Others already have different training modules developed, and an organization can pick and choose the modules it needs for its employees' security awareness training.

Another option is developing the training in-house. There are several websites that offer checklists and suggestions for developing a training program. One of these is the National Institute of Standards and Technology. Their 800 series Special Publications can be a great help to an organization for many different things. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, basically walks you through creating a training program for your organization.

Regardless of which method, company, or training program you use, make sure you have one that is effective, and make sure your employees are up to speed on it. With the heavy reliance on technology in every business these days, you want to make sure your information is secure.


Sunday, April 16, 2017

Information Security Policies - Week 5


Organizations need to develop information security policies for their operations. There are three types of information security policy: enterprise information security policy (EISP), issue-specific security policy (ISSP), and system-specific security policy (SysSP). Each of these policies serves a different purpose within an organization.

EISP deals with the organization's overall information security policy. It defines InfoSec for the organization and details the responsibilities of each department, as well as of users, for InfoSec within the organization. It identifies the critical components of InfoSec for the organization, defines the staffing necessary to support InfoSec, lays out how the InfoSec program will function throughout the organization, and provides the document that all other InfoSec policies will reference.

ISSP deals with how technology-based resources will be used and how they will be afforded InfoSec. It defines how the resources will be used, who may use them, and what restrictions apply to their use. The policy covers physical security, who is authorized to use the resource, what is considered fair and responsible use of the resource, and what is considered misuse. It stipulates what the organization will do for systems management, such as monitoring, physical security, virus protection, encryption, etc. There will be a timeline for scheduled reviews of the policy and procedures for modifying it.

With SysSP, the policy addresses exactly who can use each system in the performance of their duties, what parts of each system a user can access, when the system is available for access, from where the system may be accessed, and to what extent users can access the system. Each system may be set up with specific rights to the information it contains that define what type of access each user has, whether that is read-only, write, execute, or delete access.
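The five dimensions a SysSP spells out (who, which part of the system, when, from where, and to what extent) map naturally onto an access-control rule set. Here is an added example, not code from the original post, of a small default-deny evaluator for such rules; the system name, users, path prefixes, hours and network ranges are all constructed for illustration.

```python
"""Added example: evaluating system-specific policy rules (who, which part,
when, from where, what extent) with a default-deny decision. The rules,
users, paths and networks are constructed."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed SysSP for one system. Each rule names a user, the part of the
# system (path prefix), the permitted actions, an allowed time window and the
# source networks the access may come from.
RULES = {
    "payroll-db": [
        {"user": "alice", "prefix": "/finance/",
         "actions": {"read", "write"},
         "hours": (time(7, 0), time(19, 0)),
         "from": ["10.0.0.0/8"]},
        {"user": "bob", "prefix": "/finance/reports/",
         "actions": {"read"},
         "hours": (time(0, 0), time(23, 59)),
         "from": ["10.0.0.0/8", "192.0.2.0/24"]},
    ]
}


def is_allowed(system, user, path, action, when, src_ip, rules=RULES):
    """Return True only if some rule for `system` grants this user, this
    path, this action, at this time, from this source address.
    Anything not explicitly granted is denied."""
    src = ip_address(src_ip)
    for rule in rules.get(system, []):
        if rule["user"] != user:                      # who
            continue
        if not path.startswith(rule["prefix"]):       # which part
            continue
        if action not in rule["actions"]:             # to what extent
            continue
        start, end = rule["hours"]                    # when
        if not (start <= when.time() <= end):
            continue
        if not any(src in ip_network(net) for net in rule["from"]):  # from where
            continue
        return True
    return False


if __name__ == "__main__":
    office_hours = datetime(2017, 4, 17, 9, 30)
    late_night = datetime(2017, 4, 17, 2, 0)
    print(is_allowed("payroll-db", "alice", "/finance/ledger.csv", "write",
                     office_hours, "10.1.2.3"))          # True
    print(is_allowed("payroll-db", "alice", "/finance/ledger.csv", "write",
                     late_night, "10.1.2.3"))            # False: outside hours
    print(is_allowed("payroll-db", "bob", "/finance/ledger.csv", "read",
                     office_hours, "10.1.2.3"))          # False: wrong part of system
```

Writing the policy this way makes review easy: each rule is a row a manager can read, and any request that does not match a row is denied rather than silently permitted.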


Sunday, April 9, 2017

Contingency Planning - Week 4

What do you do when the unthinkable happens? A tornado has just wiped out your business. Whether you are a small business, or a large corporation, contingency planning is a must. In NIST SP 800-34 the U.S. Department of Commerce provides guidelines for creating a contingency plan for information systems. If you are a large business, most, if not all, of the guidelines would apply. If you are a small business, there are certain guidelines you don't need to worry about, such as alternate sites.

When creating a contingency plan, a business should do a business impact analysis. This analysis provides valuable information for creating your contingency plan. It will tell you what your Recovery Time Objective is, the amount of time you are aiming for to be back up and running. What is your Maximum Tolerable Downtime? It will also tell you what your Recovery Point Objective is, the most critical functions you want back up after a disaster.

When creating a contingency plan, make sure you have looked at all the procedures and written them down. Assign specific duties and responsibilities in the event of a disaster. Identify who makes the call that your contingency plan goes into effect.

One of the key things to remember in contingency planning is to practice. Set up tests and exercises to ensure all personnel know their roles and responsibilities, and also to ensure equipment and systems are adequate for disaster recovery. Also revisit your contingency plan from time to time to ensure it is still sufficient to get your business back up and running after a disaster.

Sunday, April 2, 2017

Data Breach Incidents - Week 3


Looking through the past few years of Verizon’s Data Breach Investigations Reports, it makes me wonder how the same issues keep happening year after year. Yes, hackers and attackers get more sophisticated and creative as technology safeguards advance, but some of the same things keep happening each year. The 2016 report says 40% of the incidents could be prevented with what they consider “quick fixes.” If this is the case, why aren’t these quick fixes being utilized?

Phishing still seems to be the biggest culprit for data breaches. As long as phishing has been around, do people still not pay attention when they open emails and attachments? How much effort does it take to look at an email and make sure it’s from someone you would expect an email from? If it’s not, check it first. Don’t open any attachments.

Another one is using default or weak passwords, or doing something that allows someone to steal your password. Everyone knows what the default passwords are. When you first log into a system, change the password. Don’t change it to a weak password; make sure it is strong and not easily figured out. Then, once you have created a strong password, don’t write it down. That’s how they get stolen.
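One way to enforce the "change the default, and not to something weak" advice above at the point where a password is set, as an added example that is not from the original post. The default-credential and common-password lists here are short constructed samples; a real deployment would load much larger lists, and the length threshold is an assumption, not a figure from the post.

```python
"""Added example: a password acceptance check that rejects vendor defaults,
common weak choices, very short values and passwords built from the username.
The word lists and the minimum length are constructed/assumed."""

# Constructed: a few vendor-style defaults and common weak passwords.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", "root", "changeme"}
COMMON_WEAK = {"qwerty", "letmein", "welcome", "iloveyou", "football"}
MIN_LENGTH = 12   # assumed policy value


def check_password(candidate, username=""):
    """Return the list of reasons the candidate is rejected; an empty list
    means the password is accepted. Reasons accumulate so the user sees
    every problem at once rather than one per attempt."""
    reasons = []
    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if lowered in COMMON_WEAK:
        reasons.append("common weak password")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if len(set(lowered)) <= 2:
        reasons.append("almost no variety of characters")
    return reasons


def is_acceptable(candidate, username=""):
    """Convenience wrapper: True only when no rejection reason applies."""
    return not check_password(candidate, username)


if __name__ == "__main__":
    for pw, user in [("admin", ""), ("jsmith2017!!x", "jsmith"),
                     ("aaaaaaaaaaaa", ""), ("correct horse battery staple", "")]:
        print(repr(pw), "->", check_password(pw, user) or "accepted")
```

Checking the lowercased value against the lists means "Admin" and "PASSWORD" are caught too, and reporting all reasons together keeps the user from fixing one weakness only to be rejected for the next.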

One more on data breaches…card skimmers. They’ve been around for a while, and most of the time people pay closer attention when they use a card reader. If you’re in a hurry, still pay attention to your surroundings, especially on those “quick” stops to fill up a gas tank. There are now tamper-resistant and tamper-evident card readers. Take a closer look and see if there is any evidence to lead you to believe the reader has been tampered with. Take a look at the other gas pumps at the same place. Do they all look the same? Odds are that if someone is using a skimmer, they’re not going to put one on every pump. If something looks out of place, don’t use it and alert the person inside behind the register. If in doubt, go inside and pay.

Sunday, March 26, 2017

Information Security and Project Management


Project management will be an ongoing thing in business, with technology and other aspects. One of the main things that needs to be considered is information security. This week for class we were all asked to write a paper on failed IT project management. While it doesn’t happen that often, it does happen. There were several different scenarios where IT project failure had happened.

In one, the U.S. Air Force had spent $1 billion over seven years to develop a single system to merge 240 separate systems. This Expeditionary Combat Support System was eventually stopped. The prime contractor was terminated from the project, after having been given a stop-work order the year prior due to poor performance. Could this poor performance have led to a breach of information security? What information was contained in the 240 other systems they were trying to merge into this one? Could that information have been breached?

Another incident involved the Canadian government developing a new payroll system. When the payroll system was brought online it was a mess. People’s information was hacked, and employees didn’t receive a paycheck for months, many of them having to sell their homes in order to get by. Was this project pushed too quickly, with not much, if any, testing before it went fully online? Could the headaches have been prevented if thorough testing had been done ahead of time to make sure the system was ready to go? Were there higher-ups sticking to a certain deadline for the system to go active? Was there a lack of communication about the potential problems if the system went active at that time?

These are just a couple of examples of IT failure in project management. Information security is critical to systems that are online and running, but it is also critical in project management, to make sure these problems don’t occur while developing a new project.

Sunday, March 19, 2017

Secure vs. Unsecure Wi-Fi Networks


Information security should be one of the first things you think about when setting up or joining any kind of network. If you pay no attention to InfoSec, you run a great risk of information not being available to you when you need it, or of people who have no need for the information getting hold of it.

Many people don't think about whether Wi-Fi networks are open or secured when they join them while traveling or outside of their home or place of work. It seems these days people, mainly younger people, are more worried about being able to post their selfies or status updates on Facebook or Instagram, or any of the other social networking applications out there. They are in such a rush to post these that they don't even stop to think whether they're doing it on a secure network or an open one.

If you are on an open network, you are potentially allowing others access to your device. Once they have access to your device, there are many types of threats they could pose. They could collect data from your computer. They could insert malicious code in your device which could eventually render it useless. They could leave loopholes to gain later access to your device. Some of these threats have far-reaching consequences.

With many transactions taking place online these days, once someone has access to your device there are many things they could do. Many devices and operating systems ask if you want the device to save a password when you fill it in to go to a specific account’s website. If you are one who does save passwords on your device it won’t take long for someone to get into the password vault on your device. How many different accounts do you deal with online? What could happen if someone now has access to every one of those accounts? Many people also do online banking these days. What would happen if someone got into your bank accounts? There is potentially enough information on your device that someone could clean out your bank accounts, use your other accounts, or even steal your identity.

But there are steps you can take to lessen this risk. First, stay off open networks; use only secure networks. If you must get on an open network, at least make sure it is one you have to sign into, like a Wi-Fi network provided by your internet company across a city. Make sure you have anti-virus software installed on your device and make sure it is up to date. You can set your device to install updates automatically, or, if you are not comfortable with that, make sure you are manually checking for and installing updates weekly. When you are somewhere you think you need to log into a Wi-Fi network to do something, ask yourself what is saved or stored on your device, and what damage could be caused if someone got hold of that information.