When working with any technology, there is always information that needs to be safeguarded or accessed only by individuals who need to know it to perform their job function. This process of limiting information access is known as separation of duties in the workplace. Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information.
This separation also allows organizations to limit the potential for an insider threat occurring. It does this by limiting what information can be removed or accessed from various sources. For example, for access to confidential information, the organization may only allow those with a clearance of confidential and limit what devices are allowed in the room. They may also require two-person control, in which one is required to have another authorized person in the room to access certain information. All of these are steps to protect and safeguard information in the IT realm.
Safeguarding information is essential for the organization to remain secure and fully functional. Without these procedures, anyone could go in, access, and take information that may potentially damage the overall organization.
To learn more, read the following:
FBI Guidance for Combating the Insider Threat. Retrieved from http://www.infosecisland.com/blogview/21321-FBI-Guidance-of-Combating-the-Insider-Threat.html
Separation of Duties for System Administrators. Retrieved from http://www.infosecisland.com/blogview/18905-Separation-of-Duties-for-System-Administrators.html
Modern CISO Network: Board Book
Sunday, November 10, 2013
Sunday, November 3, 2013
Cryptography: A Way to Secure Information
It seems in today's world that everyone is looking for ways to maintain and keep what privacy they may have. There are daily news stories of how people are upset that their information is shared or collected from the Internet, emails, or social media sites. It's not that they have something to hide, necessarily, but that they have a sense of inherent right to give their information to whom they choose.
Cryptography is a way to help encode or encrypt information sent over the Internet. So what is it? In simple terms, it is a way to scramble up a message or data, send it somewhere, and have it decoded back to the original message using a key or cipher. There is software available that can do this process, and cryptographic messages can be very simple or very complex.
This process may be used to protect some information, but it can also cause potential unknown or unseen risks to the systems that use it. The message is secured by the key or cipher, but it is not guaranteed that someone who has a program to decode ciphers can't intercept this information or upload other information.
Either way it is a process of securing information to maintain some of the precious security we all want and the privacy when transmitting data. Although, I highly doubt that most average users on the Internet are taking time to encrypt their messages and providing a key or cipher to the other parties to decipher.
To learn more, read the following:
Defending against Crypto Backdoors. Retrieved from https://www.schneier.com/blog/archives/2013/10/defending_again_1.html
CISSP Reloaded Domain 4: Cryptography. Retrieved from http://www.infosecisland.com/blogview/20786-CISSP-Reloaded-Domain-4-Cryptography.html
Sunday, October 27, 2013
Risk Appetite: Finding a balance that doesn't hurt the organization
Risk is a natural part of life. Everything we do has some sort of risk involved, although the level of risk determines whether it is a good idea to continue with the original plan or to change to meet a more acceptable level of risk. This is what we call risk appetite, the urge to take on certain levels of risk.
So why would an organization need to have a risk appetite? Well, the short answer is that it determines the path the organization is going to take. The level of risk determines how stable the organization is viewed to be and how likely it is to succeed in its overall goals.
Most business professionals tend to keep risk levels as low as possible to reduce the amount of possible outcomes based off the unknown. Risk mitigation and risk avoidance are used to keep these levels within reason. Once the risk is identified the organization then allows management to decide what is to be done with this risk. Is the risk acceptable as is? If not, what level of risk is the organization willing to accept? These are a few of the questions management looks at to determine what their appetite is.
Overall, the risk appetite of an organization must really be determined by the management to ensure it is in line with the goals of the organization. Too much risk can hurt the organization, and too little does not allow the organization to grow and flourish.
To learn more, read the following:
Time for a Change in our Attitude Around Risk. Retrieved from http://www.infosecisland.com/blogview/19981-Time-for-a-Change-in-our-Attitude-Around-Risk.html
What is Risk Appetite? Retrieved from http://jitenderarora.co.uk/what-is-risk-appetite/?utm_source=rss&utm_medium=rss&utm_campaign=what-is-risk-appetite
Sunday, October 20, 2013
Vulnerability assessments: A need for all organizations
After a business reaches a certain size and becomes large enough to have a sustainable IT department, it has to consider: what are the weaknesses in the organization's technology? It also has to determine: how do we counteract or mitigate these vulnerabilities? And of course, how do we rank these concerns, based on certain criteria, to protect the organization?
I state all of these questions, but why would an organization care? It is essential for the organization to identify the vulnerabilities, determine what its greatest risk is, and then implement a process to eliminate or mitigate this risk. Threat vulnerability assessments allow the organization to do just that. An organization or business does not have unlimited resources, so this helps to prioritize what portion of the budget is going to be spent on the IT department to increase or keep a certain level of security. Also, it is important that your vulnerability assessments are conducted correctly, as an error could result in the very problems that you are trying to avoid.
To ensure that vulnerability assessments are effective for the organization, set a proper schedule for your vulnerability assessment, conduct testing on your network before implementing any changes, and ensure you have a disaster recovery plan. There are more ways to ensure that your vulnerability assessment is effective, but this will help you get started on how to focus your efforts.
Keep in mind that while vulnerability assessments are beneficial, if done incorrectly they can consume a lot of resources and time with little to no results that are of any benefit to the organization. The best method I can suggest is to define the requirement, identify the risks, and develop a plan that is not only cost effective but effective at securing the organization's IT network.
To learn more, read the following:
Three Tips for Effective Vulnerability Assessments. Retrieved from http://www.infosecisland.com/blogview/22744-Three-Tips-for-Effective-Vulnerability-Assessments.html
Penetration Tests Are Not Vulnerability Assessments. Retrieved from http://blog.tevora.com/info/penetration-tests-are-not-vulnerability-assessments/
The Perils Of Automation In Vulnerability Assessment. Retrieved from http://www.infosecisland.com/blogview/21723-The-Perils-Of-Automation-In-Vulnerability-Assessment.html
Sunday, October 13, 2013
Risk Management Practice
All organizations need some sort of risk management process to identify the risks and hazards in the workplace. In the cyber realm, the risk management process helps to identify the vulnerabilities and shortcomings so that IT personnel can develop measures that help protect the organization.
So what does this mean for the everyday organization or business? It means that this process is a necessary one, and without a risk management process or an emphasis on it, your business is at risk for an attack or intrusion on the data within the organization.
So the bottom line is that a risk management process should be identified early on in the strategic goals to allow for the implementation of this process without accepting risk in other areas. The process should be simple in nature to allow for easy implementation. Remember, risk management is a balancing act between the risk and the overall opportunity. You have to be able to determine whether we can accept that risk and whether that gives us the opportunity and ability to exploit that situation.
In order for a security-based risk management strategy to be successful, it is clear that we need to better align our security efforts with the goals of the business. That partnership with our business counterparts is crucial to the success and advancement of our careers.
If you would like to learn more, read the following:
http://www.infosecisland.com/blogview/22624-Fifteen-Tips-to-Improve-Your-Infosec-Risk-Management-Practice.html
https://securosis.com/research/threat-intelligence-for-ecosystem-risk-management
http://www.infosecisland.com/blogview/18897-Risk-Management--More-Than-Just-Risk-Assessment.html
Sunday, October 6, 2013
Security Education, Training, and Awareness: Is it Useful?
As with every profession in life, there is some sort of training requirement to keep you at the so-called "tip of the spear" in your field. Information security is no different. There are annual training requirements, seminars, and courses designed to keep INFOSEC personnel up to date on current and emerging threats. This seems pretty simple: your field requires some sort of training to stay current. But the reality is that some in the field believe that this training is a waste of time, that training is not effective at helping employees prevent mishaps in information security, or that it takes away from the IT professional's job responsibilities. Well, personally I think that all of these reasons are invalid and a lot of training needs to be done by everyone who uses technology in the workplace.
Think about it. How can you expect to enforce information security policies and principles without some sort of training or familiarization for your organization? Remember, we work the systems, we operate the computers, and we have the breaches in data. People must be taught to secure information within their organization; it is not a natural response that we are born with. Also, training must be relevant to the organization you're in. You do not need to be trained on everything; that is what IT is for. You need to be educated on your part within the organization.
So, what does this mean? That humans are the weakest link in information security and privacy. Computers and technology will not divulge any information they are not made to or given a command to. The technology does not leave itself where unauthorized people can access or view it; we do. So, when it is said that an organization does not need security awareness training, then that organization must like potentially dangerous situations or potential lawsuits from loss of private information. It is not good business to ignore an essential task such as protecting information from unauthorized disclosure.
To learn more, read the following:
http://blog.noticebored.com/2012/05/this-years-uk-information-security.html
http://www.infosecisland.com/blogview/22152-Not-Providing-Education-is-the-Dumbest-Idea-for-Infosec.html
https://securosis.com/blog/security-awareness-training-evolution-why-bother-training-users
Sunday, September 29, 2013
Network Security Policies: Essential to all Levels of Business
Everywhere you go in today's society you hear the word security. Security has many meanings to people as they go about their daily activities. Security to one person may be ensuring that there is law enforcement in the area or that they live in a safe neighborhood but that's not the type of security we are examining this week. We are examining cyber security and the policies that help to regulate and implement these security needs.
But who is in need of these security policies? In short, everyone, but for this we are going to discuss how businesses need this essential policy and program to defend themselves from hackers or breaches in data storage. There is no excuse that alleviates the need for a security policy. By saying "my business is too small" or "I don't really have a lot of information stored," you leave yourself vulnerable to attacks and essentially put your whole company and livelihood in jeopardy.
The basis of these security policies allows users within the company to understand their roles and responsibilities and the expectations while on the company network, and allows management a way to enforce violations to allow for change within the network.
So, what do you need to know? Well, when developing a security policy you need to ask yourself some questions to address the need of your business. For example, some of these questions may be:
1. What existing policy does our company have that also applies to what we want to do?
2. What do we want out of our policy? Based on this, you will be able to identify criteria to determine the best service required and the best way to implement.
3. Do we have a good data classification policy and procedure, and what type of data will we allow access to – sensitive corporate data, protected data such as PII, SSNs or HIPAA related, day-to-day operational data?
4. What have others in our industry done and what can we borrow? Calling up a peer who’s already experienced with the good, the bad and the unexpected can really help you craft your policy.
These are not necessarily the questions that you may need but they give you an idea of where to start, if you haven't already. The security policy should be a comprehensive document that enables users in your business to understand the expectations for data information management and the expectations of management in the event of a violation.
If you would like to read more, go to the following:
http://www.infosecisland.com/blogview/23404-Whats-a-Security-Policy-and-why-do-I-Need-one-Im-only-a-Small-Business.html
http://www.securityweek.com/ten-questions-every-business-should-ask-developing-cloud-security-policy
Sunday, September 22, 2013
Disaster recovery and Contingencies: Are you Ready?
Most of the time, when people think of the terms Disaster Recovery and Contingency planning, they think of some external event such as a natural disaster, war, or an event that causes physical endangerment. What others tend to overlook is the digital disaster and the contingencies needed to prevent these attacks from occurring.
Almost all major corporations and companies have some sort of technological disaster recovery plan in order to maintain functionality in the event of some form of an attack or natural occurrence. Even though they have these plans, many companies are lacking a solid grasp on what assets they have and where their weakest security areas are, either due to uncertainty on how to begin the process or having too few resources to allocate to it. (Hinkley, 2013)
Whatever the cause for your slipshod hold on your areas of weakness, you must create a risk profile over time in order to take your data protection to the next level.
- Identify each of your assets and classify them, so you can then pinpoint exactly what risks exist and what assets they affect.
- Determine what version of your software each of the assets run on, where that is on your network, and how it’s deployed.
- Assign a value to each of those assets. Figure out how much risk is truly constituted within each one based on the business impact if the assets’ security was compromised. (Hinkley, 2013)
In order for effective business operations to function, these companies have to devote more time to contingencies, disaster recovery, and maintaining business continuity in the wake of these events.
This works great for businesses, but what about the everyday person who has his or her data on a personal network at home? Do you have a personal disaster recovery plan in the event of a natural disaster? Does it allow you to recover all of your information stored on your computers?
These are all reasonable questions that with a little contingency planning can be answered and leave you and your family ready and prepared in the event of a disaster.
So what type of data should you store for retrieval later?
As you think through your data, consider storing these items:
[1] Birth, death, and marriage certificates
[2] Diplomas and transcripts
[3] Medical data – details of medications, illnesses, injuries – and contact info for all doctors (note, also include medical details for your pets)
[4] Financial data — details of bank accounts, credit cards, stocks, insurance (house, car, life), and recent tax returns (don’t forget contact info for all financial institutions)
[5] Contacts — a list containing addresses and phone numbers of friends and family
[6] Family photos (weddings, births, graduations, etc.)
[7] Portfolio – if you’re a writer, designer, artist, or musician, you may wish to add your work to a storage device (if not already there)
[8] Passwords – a list of websites that you frequent and user names/passwords
[9] Technology – be sure to keep computer-related software and serial numbers with the rest of your disaster recovery data (whether on thumb drives or on CD’s) – this way, you won’t have to go through the hassle of purchasing new software and starting from scratch in the event of destruction or loss
[10] Insurance recovery – take photos or videos of all large items so that in the event the items are destroyed, you have proof of ownership (for example, cars, TV, computer, other appliances)
(Pratt, 2012)
Having these items stored where they can be retrieved digitally later can help prevent a lot of hardship in the event of a disaster. This is only the tip of the planning spear for a potential disaster but if you would like to read more, check out the following links:
Pratt, A. (2012). Do you have a Personal Disaster Recovery Plan. Retrieved from http://www.infosecisland.com/blogview/22637-Do-you-have-a-PERSONAL-disaster-recovery-plan.html.
Hinkley, C. (2013). Three Security Must-Haves for 2013. Retrieved from http://www.securityweek.com/three-security-must-haves-2013.
Sunday, September 15, 2013
Insider attacks: A recurring organizational risk
Most cyber crimes are preventable and most have the ability to severely damage or cripple an organization, in regards to leaks of sensitive information or data. While these attacks will always occur, there are certain attacks that concern me more than the typical hacker who is out either to cause harm or for financial gain. These are the insider attacks that are occurring daily. Insider attacks occur when someone institutes a process from within an organization that is used to steal information or data from the organization. These attacks concern me more due to the fact that the individual in the organization is the driving factor for the motivation for attack. Whether it is ideology, profit, anger, and so on, these individuals all have different reasons, and these reasons can be the deciding factor at any given time to damage those within an organization.
For example, an article from Security Week reported yesterday, "Vodafone Germany said on Thursday that an attacker with insider knowledge had stolen the personal data of two million of its customers from a server located in Germany" (Lennon, 2013). This phone company had access to millions of people's personal data, and someone who knew the organization's inner structure stole this data; the motive is unknown or at least unreported. This attack was reported publicly yesterday but actually happened on September 5, 2013, and the organization conducted their own internal investigation. Right now no one knows the extent of the information stolen or how much potential damage can be done, such as identity theft, credit card details, or phishing scams. This seems to me to be a pretty viable threat. While it may not be physically threatening, these insider cyber crimes have the potential to cause hardship to a lot of individuals.
Nick Cavalancia, vice-president of marketing at SpectorSoft, told SecurityWeek, "Anyone who looks closely at the record of damages caused by breaches will discover that insiders are not only a leading concern but also a leading problem." (Rashid, 2013) Insider threats pose a real risk that is just as dangerous to an organization as an external attack. There are organizations which pay to prevent external attacks and hacking of their systems but fail to focus on the insider threat because it is not rated as high in the reports put out annually. On average the reports by places such as the Verizon Risk Team reported insider attacks only at 14% of all the attacks that occur. This number may seem small but it is very prevalent in all organizations today, big or small.
While this threat continues to be a viable adversary in organizations, Wade Baker, principal author of Verizon's DBIR, said it best for the vigilance needed to safeguard your information: "Understand your adversary—know their motives and methods, and prepare your defenses accordingly and always keep your guard up".
If you would like to know more, read the following links:
FBI. 2013. The Insider Threat: An introduction to detecting and deterring an insider spy. Retrieved from http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
Lennon, M. 2013. Insider Steals Data of 2 Million Vodafone Germany Customers. Retrieved from http://www.infosecisland.com/blogview/23380-Insider-Steals-Data-of-2-Million-Vodafone-Germany-Customers.html
Rashid, F. 2013. Verizon 2013 DBIR: Financial Cybercime and Cyberespionage Dominate Threat Landscape. Retrieved from http://www.securityweek.com/verizon-2013-dbir-financial-cybercime-and-cyberespionage-dominate-threat-landscape
Reichenburg, N. 2013. Network Security - Inside Out or Outside In? Retrieved from http://www.securityweek.com/network-security-inside-out-or-outside
Saturday, September 7, 2013
Facebook: A compromise of security or a way to keep in touch?
Information security is paramount when dealing with social media sites that gather and store private, personal information on all of their users. While most will never have any issues with their identity or compromising of their family's information, it is best to know what you are agreeing to when you sign up for these sites. For this reason, this week we discuss the social media connection site Facebook and the potential risk to information security.
Facebook, a social media website, continues to grow in popularity and has millions of users worldwide who update their status and post messages daily to others throughout the world. While this is not necessarily a risk to the users themselves, it does pose the question: what information is stored or being kept on the users for retrieval at a later time? After researching this question, I found that Facebook has an updated privacy policy which helps us understand some of the items collected from usage of this site. For starters, it records your IP address, your mobile number, and gains the right to all personally identifiable information placed on the site to be used for any commercial ad purpose Facebook may need or want to give it out to.
I also found it interesting to see in a post that Facebook engages in a practice known as cross-site tracking. This is when Facebook tracks the user's habits, what the reader is clicking on and reading, even if the user is not using the "like" or "social plug in" button. This enables the company to better target advertising towards certain individuals.
Finally, the most serious implications of using these social media sites come from the risks of "phishing" scams that contain viruses that can either steal information or compromise your system. There are countless stories of identity theft, email scams, and social media links that are really malware intended to harm the person who clicks on them. These threats increase daily and have the potential to destroy someone's life.
Everything I discuss here is only a small portion of the risks associated with open source social media sites, and as technology continues to grow the risks increase substantially. As more and more people subscribe to these sites, more attacks on the sites will occur. While you do not have to refrain from using these sites, it is best to understand the risks and mitigate them as much as possible by limiting what you post that is personal and harmful to your identity, and by not accepting or clicking on links or sites whose origin you do not know.
If you would like to learn more about these potential risks, you can read the following links:
Facebook. 2013. Section-by-Section Summary of Updates. Retrieved from https://www.facebook.com/notes/facebook-site-governance/section-by-section-summary-of-updates/10153200989785301.
Jaycox, M. & Rainey, R. 2012. Facebook's Conspicuous Absence From Do Not Track Discussions. Retrieved from http://www.infosecisland.com/blogview/20729-Facebooks-Conspicuous-Absence-from-Do-Not-Track-Discussions.html.
Mills, E. 2008. Facebook BOTNET Risk Revealed. Retrieved from http://news.cnet.com/8301-1009_3-10034327-83.html.
Siciliano, R. 2010. Social Media and Identity Theft Risk PT 1. Retrieved from http://www.infosecisland.com/blogview/3417-Social-Media-and-Identity-Theft-Risks-PT-I.html.
Tuesday, August 27, 2013
Wireless Security
Although protecting information in today's age has become relatively difficult and continues to prove to be a challenge for all of those in the information security field, it is a manageable task. Vulnerabilities seem to exist everywhere in the realm of technology, and without safeguards in place they will continue to be exploited by those who intend to do harm to others.
Let's look at something as simple as a wireless network in your home. Most of us today have several devices throughout our household which store massive amounts of personal and confidential information about our family and our accounts. All of these systems are linked together by our wireless router, which probably was set up by the person who installed it, with minimum security protocols in place. Depending on someone's time and interest in your personal life, this could pose a potential risk to the safeguarding of your personal information. If no precautions are taken, then you are more likely handing over your information instead of protecting it. While it may not be possible to completely protect everything, implementing security practices will limit the amount of information lost or stolen by others.
Protecting your wireless network can potentially protect everyone in the house from unnecessary risks, whereas without some level of security protocol you can potentially compromise every device on your network. For example, a house with a wireless network that has an alarm linked to a desktop computer on the network has the potential to compromise the physical security of the whole house.
As technology grows and matures, the threats will continue to increase and evolve to present a more complex problem to those who are not implementing best practices for information security, and with the way technology is advancing, a little protection may be just as good as no protection.
To read more about the potential risks in wireless networks, check out the following articles:
Wireless Home Technologies Create Security Risks
http://www.infosecisland.com/blogview/23355-Wireless-Home-Technologies-Create-Security-Risks.html
NSA Issues Guide for Keeping Home Networks Secure
http://www.infosecisland.com/blogview/13494-NSA-Issues-Guide-for-Keeping-Home-Networks-Secure.html
Researchers Spotlight Vulnerabilities in Popular Wireless Routers
http://www.securityweek.com/researchers-spotlight-vulnerabilities-popular-wireless-routers

