Sunday, September 29, 2013

Network Security Policies: Essential to all Levels of Business

Everywhere you go in today's society you hear the word security. Security means many things to people as they go about their daily activities. To one person it may mean having law enforcement in the area or living in a safe neighborhood, but that's not the type of security we are examining this week. We are examining cyber security and the policies that help to regulate and implement these security needs.

But who is in need of these security policies? In short, everyone, but here we are going to discuss how businesses need this essential policy and program to defend themselves from hackers or breaches in data storage. There is no excuse that alleviates the need for a security policy. By saying "my business is too small" or "I don't really have a lot of information stored," you leave yourself vulnerable to attacks and essentially put your whole company and livelihood in jeopardy.

At their core, these security policies allow users within the company to understand their roles and responsibilities and the expectations placed on them while on the company network, and they give management a way to act on violations and to make changes within the network.

So, what do you need to know? When developing a security policy, you need to ask yourself some questions to address the needs of your business. For example, some of these questions may be:

1. What existing policy does our company have that also applies to what we want to do?

2. What do we want out of our policy? Based on this, you will be able to identify criteria to determine the best service required and the best way to implement it.

3. Do we have a good data classification policy and procedure, and what type of data will we allow access to: sensitive corporate data, protected data such as PII, SSNs or HIPAA-related data, or day-to-day operational data?

4. What have others in our industry done and what can we borrow? Calling up a peer who already has experience with the good, the bad and the unexpected can really help you craft your policy.

These are not necessarily the questions that you may need but they give you an idea of where to start, if you haven't already. The security policy should be a comprehensive document that enables users in your business to understand the expectations for data information management and the expectations of management in the event of a violation.

If you would like to read more, go to the following:

http://www.infosecisland.com/blogview/23404-Whats-a-Security-Policy-and-why-do-I-Need-one-Im-only-a-Small-Business.html

http://www.securityweek.com/ten-questions-every-business-should-ask-developing-cloud-security-policy

 

Sunday, September 22, 2013

Disaster recovery and Contingencies: Are you Ready?

Most of the time, when people hear the terms disaster recovery and contingency planning, they think of some external event such as a natural disaster, war or an event that causes physical endangerment. What many tend to overlook is the digital disaster and the contingencies needed to prevent these attacks from occurring.

Almost all major corporations and companies have some sort of technological disaster recovery plan in order to maintain functionality in the event of some form of an attack or natural occurrence. Even though they have these plans, many companies are lacking a solid grasp on what assets they have and where their weakest security areas are, either due to uncertainty on how to begin the process or having too few resources to allocate to it (Hinkley, 2013).

Whatever the cause for your slipshod hold on your areas of weakness, you must create a risk profile over time in order to take your data protection to the next level.

  • Identify each of your assets and classify them, so you can then pinpoint exactly what risks exist and what assets they affect.

  • Determine what version of your software each of the assets runs on, where that is on your network, and how it’s deployed.

  • Assign a value to each of those assets. Figure out how much risk is truly constituted within each one based on the business impact if the assets’ security was compromised (Hinkley, 2013).

In order for effective business operations to function, these companies have to devote more time to contingencies, disaster recovery, and maintaining business continuity in the wake of these events.

This works great for businesses, but what about the everyday person who keeps his or her data on a personal network at home? Do you have a personal disaster recovery plan in the event of a natural disaster? Does it allow you to recover all of the information stored on your computers?

These are all reasonable questions that with a little contingency planning can be answered and leave you and your family ready and prepared in the event of a disaster.

So what type of data should you store for retrieval later?

As you think through your data, consider storing these items:

[1] Birth, death, and marriage certificates

[2] Diplomas and transcripts

[3] Medical data – details of medications, illnesses, injuries – and contact info for all doctors (note, also include medical details for your pets)

[4] Financial data — details of bank accounts, credit cards, stocks, insurance (house, car, life), and recent tax returns (don’t forget contact info for all financial institutions)

[5] Contacts — a list containing addresses and phone numbers of friends and family

[6] Family photos (weddings, births, graduations, etc.)

[7] Portfolio – if you’re a writer, designer, artist, or musician, you may wish to add your work to a storage device (if not already there)

[8] Passwords – a list of websites that you frequent and user names/passwords

[9] Technology – be sure to keep computer-related software and serial numbers with the rest of your disaster recovery data (whether on thumb drives or on CD’s) – this way, you won’t have to go through the hassle of purchasing new software and starting from scratch in the event of destruction or loss

[10] Insurance recovery – take photos or videos of all large items so that in the event the items are destroyed, you have proof of ownership (for example, cars, TV, computer, other appliances)
(Pratt, 2012)



Having these items stored where they can be retrieved digitally later can help prevent a lot of hardship in the event of a disaster. This is only the tip of the planning spear for a potential disaster but if you would like to read more, check out the following links:

Pratt, A. (2012). Do you have a Personal Disaster Recovery Plan. Retrieved from http://www.infosecisland.com/blogview/22637-Do-you-have-a-PERSONAL-disaster-recovery-plan.html.

Hinkley, C. (2013). Three Security Must-Haves for 2013. Retrieved from http://www.securityweek.com/three-security-must-haves-2013.


 

Sunday, September 15, 2013

Insider attacks: A recurring organizational risk

Most cyber crimes are preventable and most have the ability to severely damage or cripple an organization through leaks of sensitive information or data. While these attacks will always occur, there are certain attacks that seem to concern me more than the typical hacker who is out either to cause harm or for financial gain. These are the insider attacks that are occurring daily. Insider attacks occur when someone institutes a process from within an organization that is used to steal information or data from the organization. These attacks concern me more due to the fact that the individual in the organization is the driving factor for the motivation for attack. Whether it is ideology, profit, anger, and so on, these individuals all have different reasons, and these reasons can be the deciding factor at any given time to damage those within an organization.

For example, an article from Security Week reported yesterday, "Vodafone Germany said on Thursday that an attacker with insider knowledge had stolen the personal data of two million of its customers from a server located in Germany" (Lennon, 2013). This phone company had access to millions of people's personal data, and someone who knew the organization's inner structure stole this data; the motive is unknown or at least unreported. This attack was reported publicly yesterday but actually happened on September 5, 2013, and the organization conducted its own internal investigation. Right now no one knows the extent of the information stolen or how much potential damage can be done, such as identity theft, credit card details, or phishing scams. This seems to me to be a pretty viable threat. While it may not be physically threatening, these insider cyber crimes have the potential to cause hardship to a lot of individuals.

Nick Cavalancia, vice-president of marketing at SpectorSoft, told SecurityWeek, "Anyone who looks closely at the record of damages caused by breaches will discover that insiders are not only a leading concern but also a leading problem" (Rashid, 2013). Insider threats pose a real risk that is just as dangerous to an organization as an external attack. There are organizations which pay to prevent external attacks and hacking of their systems but fail to focus on the insider threat because it is not rated as high in the reports put out annually. On average, reports from groups such as the Verizon Risk Team put insider attacks at only 14% of all the attacks that occur. This number may seem small, but the threat is very prevalent in all organizations today, big or small.

While this threat continues to be a viable adversary in organizations, Wade Baker, principal author of Verizon's DBIR, said it best regarding the vigilance needed to safeguard your information: "Understand your adversary—know their motives and methods, and prepare your defenses accordingly and always keep your guard up".

If you would like to know more, read the following links:

 FBI. 2013. The Insider Threat: An introduction to detecting and deterring an insider spy. Retrieved from http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat

Lennon, M. 2013. Insider Steals Data of 2 Million Vodafone Germany Customers. Retrieved from http://www.infosecisland.com/blogview/23380-Insider-Steals-Data-of-2-Million-Vodafone-Germany-Customers.html

Rashid, F. 2013. Verizon 2013 DBIR: Financial Cybercime and Cyberespionage Dominate Threat Landscape. Retrieved from http://www.securityweek.com/verizon-2013-dbir-financial-cybercime-and-cyberespionage-dominate-threat-landscape

Reichenburg, N. 2013. Network Security - Inside Out or Outside In? Retrieved from http://www.securityweek.com/network-security-inside-out-or-outside

Saturday, September 7, 2013

Facebook: A compromise of security or a way to keep in touch?

Information security is paramount when dealing with social media sites that gather and store private, personal information on all of their users. While most will never have any issues with their identity or compromising of their family's information, it is best to know what you are agreeing to when you sign up for these sites. For this reason, this week we discuss the social media connection site Facebook and the potential risk to information security.

Facebook, a social media website, continues to grow in popularity and has millions of users worldwide who update their status and post messages daily to others throughout the world. While this is not necessarily a risk to the users themselves, it does pose the question: what information is stored or being kept on the users for retrieval at a later time? After researching this question, I found that Facebook has an updated privacy policy which helps us understand some of the items collected from usage of this site. For starters, it records your IP address, your mobile number, and gains the right to all personally identifiable information placed on the site to be used for any commercial ad purpose Facebook may need or want to give it out to.

I also found it interesting to see in a post that Facebook engages in a practice known as cross-site tracking. This is when Facebook tracks the user's habits, what the reader is clicking on and reading, even if the user is not using the "like" or "social plug in" button. This enables the company to better target advertising towards certain individuals.

Finally, the most serious implications of using these social media sites come from the risks of "phishing" scams that contain viruses that can either steal information or compromise your system. There are countless stories of identity theft, email scams, and social media links that are really malware intended to harm the person who clicks on them. These threats increase daily and have the potential to destroy someone's life.

Everything I discuss here is only a small portion of the risks associated with open source social media sites, and as technology continues to grow the risks increase substantially. As more and more people subscribe to these sites, more attacks on the sites will occur. While you do not have to refrain from using these sites, it is best to understand the risks and mitigate them as much as possible by limiting what you post that is personal and harmful to your identity and by not accepting or clicking on links or sites whose origin you do not know.

If you would like to learn more about these potential risks, you can read the following links:

Facebook. 2013. Section-by-Section Summary of Updates. Retrieved from https://www.facebook.com/notes/facebook-site-governance/section-by-section-summary-of-updates/10153200989785301.

Jaycox, M. & Rainey, R. 2012. Facebook's Conspicuous Absence From Do Not Track Discussions. Retrieved from http://www.infosecisland.com/blogview/20729-Facebooks-Conspicuous-Absence-from-Do-Not-Track-Discussions.html.

Mills, E. 2008. Facebook BOTNET Risk Revealed. Retrieved from http://news.cnet.com/8301-1009_3-10034327-83.html.

Siciliano, R. 2010. Social Media and Identity Theft Risk PT 1. Retrieved from http://www.infosecisland.com/blogview/3417-Social-Media-and-Identity-Theft-Risks-PT-I.html.