Friday, November 14, 2014

Blog Analysis and Summary - The Final Chapter

The past 12 weeks have been a wonderful learning experience. I felt like I knew a bit about security, but I certainly did not know the management aspect of it. This blog was my way to bring the business lingo down to Earth on a level most of us could understand and relate to.

Much of the information I found was scattered across the Internet. I found articles on CNET, The Washington Post, ABC News, and Business Week. I really wanted to gather as much information on the topics as possible and not utilize the same resources over and over again. There was a lot of good information I garnered from LifeHacker. The information has been out there, I just never knew what to look for. Having this blog and the topics week-to-week helped keep me focused.

I started my blog by looking at personal security. In the corporate world, securing data is a major part of doing business today. It is no different in our personal lives. We need to make sure we are taking the appropriate precautions to ensure we protect ourselves, just as we would do as managers within a corporation.

Next, I looked at liability and security. It is good to know that we have some form of protection if our data is compromised. On the personal level, this could be with credit monitoring services and such. On the corporate level, liability can be deflected to other agencies, if services are contracted and the other agency is liable via the contract.

Over the next few weeks, I took a look at life and how it related to security awareness, risk management, and the costs associated with protecting valuable assets. Just as a corporation must have security policies in place and evaluate risk, we need to do that in our own lives too. We need to consider the costs associated with decisions. Perhaps a child downloads a program which installs a virus and wreaks havoc on your home computer. This same type of behavior can happen in the business world too!

Lastly, I looked into securing wireless networks. In the business world, leaving networks unsecured is the easiest way to lose valuable information. The same holds true in your own home. Understanding the need to secure networks is critical for protecting data from being compromised. We all have some degree of information that, if stolen by someone on the outside, could be detrimental to our own personal lives. Businesses are no different.

As you can see, I used this term to relate the business ideas to those of my personal life. It will be some time before I am able to utilize the information security principles we learned, so relating them to something I am doing now helped clarify most of the topics. I am hopeful that, by bringing these concepts down to Earth, I will remember the valuable information in this class. Hopefully it will help someone else who is new to the concepts of information security! It sure helped me!

Sunday, November 9, 2014

The Chief Information Security Officer, Big Shoes to Fill!

This week, we have been looking at personnel and security. One of our assignments was to write a job description for the Chief Information Security Officer (CISO). We have been following a newly appointed CISO throughout the class, so I thought it would be easy. It was a bit more difficult than I thought. Additionally, there is a LOT the CISO is responsible for, based on the job descriptions I looked at for guidance.

I looked mainly at CareerBuilder in my quest for more information and found 31 jobs advertised for CISO. Looking at the job descriptions, it should be no surprise that the CISO is responsible for the information security and risk management programs. Another resonating topic noticed while looking at the job descriptions was communication and supervision. This should not be a surprise, since we are looking at a top-level officer in the organization. I did find something surprising, however.

I was surprised to see the experience and education requirements for a CISO in most of the listings. The listing for LRS.com did not list education as a requirement, but did ask for a minimum of seven years of experience. Another listing, a CISO job for Teledyne Technologies, indicated a minimum of five years' experience. I based my assignment on those factors, but then I began to think about it. Is that really enough experience?

After more consideration, I would change my requirements on the job description to require at least 10 years in the IT field and, preferably, a majority of those in management. If you think about the role of the CISO, it is an important asset in the organization. The CISO is the person ultimately responsible for everything related to the IT systems, their security, and the security and privacy of data. When a breach occurs, it is likely going to be the CISO answering the questions and trying to figure out just what happened. Is this where you want inexperience?

Don't get me wrong. There are a lot of individuals who excel on the job and move up the ranks very, very quickly. Perhaps these organizations are looking for those top-performing, quick-moving individuals. My concern, especially if I were hiring a top-level manager, is that less than 10 years just might not be enough to learn the skills necessary to head the IT operations. Am I wrong? Perhaps. Would I be elated to receive the job with just five years' experience? You bet!

Referenced Sites

http://www.careerbuilder.com/jobs/keyword/ciso

Sunday, November 2, 2014

Security and Your Wireless Network

This week, we learned about protection mechanisms. These include firewalls and wireless networking protection. After reviewing this, it made me wonder about the status of wireless networks and how many users are actually educated enough to protect themselves. What I found is that I am guilty of not protecting myself more!

I found an article by Eric Geier on PCWorld and it really opened my eyes. I am one of those who will connect to public WiFi hotspots like Starbucks, McDonald's, or even the airport. I've never really paid much attention to whether or not my connection was secure. In the article, he states you should check to make sure any web pages you log into start with https. Otherwise, he shows clear examples of how anyone could snoop out your login information. Scary, huh?

Even scarier is that the same thing can happen on your own home network. Yes, that's right! This all boils down to setting up wireless network security by using either WEP or WPA. I happen to use WPA2, because I have heard it is better than WEP. I am not a professional on that, but I have found that WPA2 appears to work better with my wireless hardware. It seems more universal to me than WEP. Regardless of the protection method used, if you leave your home wireless network unsecured, there is nothing stopping a criminal or hacker from connecting to your network and monitoring your use. With the proper software, they could get your email login information and even your online banking information. Even scarier, right?

I have never used open WiFi networks in an illegal way, nor would I ever urge anyone to. However, I have connected to other open networks and utilized Internet connections. My grandma does not have Internet access and, at the time, I did not have a cell phone that could share the connection to a computer. I fired up my laptop and noticed that there were a few networks available, one of which was unsecured. Sure enough, I was able to surf the web and look up some information on things to do in the area, all without the owner knowing I was doing it. Depending on your Internet connection, that could be precious bandwidth being stolen from you. This is just another example of what people could use your open connection for, and a tame one at that!

The bottom line is that, with more and more people moving to wireless networks, there is a growing need for education on how to protect yourself from attacks. If you are using a public hotspot, know that any information you send over the network could potentially be snooped out by an "onlooker." Also, make sure your home wireless network is secured with a strong pass phrase utilizing either WEP or WPA protection. Educating and protecting yourself could save a lot of grief in the future!

Referenced Site

http://www.pcworld.com/article/2043095/heres-what-an-eavesdropper-sees-when-you-use-an-unsecured-wi-fi-hotspot.html

Sunday, October 26, 2014

Bringing Home SLE, ARO, ALE, and CBA

This week was fairly interesting to me. We read about controlling risk in the risk management process. Just as with last week, this is fairly new to me, so I try to relate the topics to layman's terms here at home to simplify it. This week, I wanted to do the same thing, so I am going to look at single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE), and cost-benefit analysis (CBA). In my case, I am going to look at my home desktop computer...my lifeblood, really!

To get the SLE, you have to look at the value of the asset and the exposure it has to an exploited vulnerability. My desktop computer is valued at around $2,000 total. However, the value that I could lose would be closer to $500, which is the cost of my hard disks and memory. The vulnerability I want to look at is malicious software. For the purpose of this exercise, the malicious software will be considered a virus which would cause a total destruction and loss of all data on my computer. Therefore, it would be a 100% loss. So, my SLE would be $500 x 100% or $500. We will use this calculation a little later. First, we need to look at the ARO.

The ARO is the number of times an exploited vulnerability is expected to occur in a year. My wife and kids utilize my desktop and they are not very diligent, at times, about using the internet. As such, I could expect about four viruses per week, on average, to affect my computer. Of those four viruses, we will assume that two of them could cause catastrophic damage to my hard drive. Therefore, my ARO would be 2 x 52, or 104. There are 52 weeks in a year and I can expect two nasty viruses each of those weeks. That's significantly high, but you can see how it is calculated for this example. So, where does the ARO come into play?

The SLE and ARO combine to give me the ALE. ALE is found by taking the SLE and multiplying it by the ARO. In other words, my single loss value times the rate of occurrence. In this case, it is $500 x 104 or $52,000. What does that mean? Without any controls in place to reduce my catastrophic loss, it would cost me over $50,000 to keep my desktop computer functioning. Who on Earth would pay that kind of money to keep a computer functioning? I know I don't have that much money to replace my hard drive and memory every time. That is why I invest in anti-virus software, or my control. This will factor into my CBA.

A CBA is an analysis of how much you benefit from implementing a specific control to reduce your risk. To figure it, you need to figure out how much your ALE is after implementing the control. In my case, we will assume that my ALE after the control is $0. My anti-virus software is that effective, because I keep it updated regularly. I have Norton 360, which I paid $175 for three years of protection. Therefore, my annual cost of safeguard (ACS) is about $58. The CBA is the pre-control ALE minus the post-control ALE minus the ACS. Plugging in the numbers, we have $52,000 - $0 - $58, which equals $51,942. What does all of this mean?

Again, speaking in layman's terms, the $58 per year investment in Norton 360 saved me $51,942 annually. Over the course of three years, that $175 investment saved me $155,826. When you look at it that way, that $175 price tag seems pretty cheap, doesn't it? We sometimes look at the high cost of something to protect our valuable assets as too expensive. However, when you step back and look at the long-term, you can definitely see the benefit of paying such a small cost up front. In this case, considering the worst case scenario of a nasty virus outbreak, I have saved thousands of dollars for an investment of less than $200. Amazing when you look at it that way, right?
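The arithmetic in the last few paragraphs is easy to get wrong once more than one control is on the table, so here it is as a small Python module. This is an added example, not code from the original post or from the textbook it follows: the functions reproduce the post's SLE, ARO, ALE, ACS and CBA steps with the post's own numbers, and `rank_controls()` extends the idea to comparing several candidate controls at once. The two extra controls (a backup-only scheme and an oversized appliance) and their costs are constructed for illustration.

```python
# Risk arithmetic from the post: SLE -> ARO -> ALE -> ACS -> CBA.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (the fraction of value lost in one incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(incidents_per_period: float, periods_per_year: float) -> float:
    """ARO = expected incidents per year, e.g. 2 per week x 52 weeks."""
    return incidents_per_period * periods_per_year


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def annual_cost_of_safeguard(total_cost: float, years: float) -> float:
    """ACS spreads a multi-year purchase over its lifetime."""
    return total_cost / years


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs


def home_desktop() -> dict:
    """The post's numbers: $500 of replaceable parts, total loss, two bad infections a week."""
    sle = single_loss_expectancy(500, 1.0)
    aro = annualized_rate_of_occurrence(2, 52)
    ale_prior = annualized_loss_expectancy(sle, aro)
    acs = annual_cost_of_safeguard(175, 3)        # $175 for a three-year anti-virus subscription
    cba = cost_benefit(ale_prior, 0.0, acs)       # post-control ALE assumed to be $0, as in the post
    return {"sle": sle, "aro": aro, "ale_prior": ale_prior, "acs": acs,
            "cba": cba, "three_year_saving": 3 * cba}


def rank_controls(ale_prior: float, controls: list) -> list:
    """Return (name, cba) pairs, best first. A negative CBA means the control costs more than it saves."""
    ranked = []
    for c in controls:
        acs = annual_cost_of_safeguard(c["cost"], c["years"])
        ranked.append((c["name"], cost_benefit(ale_prior, c["ale_post"], acs)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# First entry is the post's control; the other two are constructed for comparison.
CANDIDATE_CONTROLS = [
    {"name": "anti-virus subscription", "cost": 175, "years": 3, "ale_post": 0.0},
    {"name": "weekly image backups only", "cost": 120, "years": 1, "ale_post": 5200.0},  # assumes 90% of loss avoided
    {"name": "managed security appliance", "cost": 60000, "years": 1, "ale_post": 0.0},  # assumes total protection
]

if __name__ == "__main__":
    numbers = home_desktop()
    for key, value in numbers.items():
        print(f"{key:>18}: {value:,.2f}")
    for name, cba in rank_controls(numbers["ale_prior"], CANDIDATE_CONTROLS):
        print(f"{name:>28}: CBA = {cba:,.2f}")
```

Two things the output makes visible that the prose does not: the three-year figure comes to $155,825 rather than $155,826 because the ACS is not rounded to $58 before multiplying, and the appliance row shows what a negative CBA looks like, which is the signal that a control is not worth buying for this asset even though it would stop every incident.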

Sunday, October 19, 2014

Bringing Risk Management Home

This week, we have been discussing risk management and working to identify assets and their associated vulnerabilities. This got me thinking about my life here at home and how these concepts could be realized at home. Therefore, I wanted to take a look at my assets and how I would rank their value.

First of all, I have a DSL modem hooked up to a wireless router as my connection to the Internet. My desktop computer is hardwired into the router for optimal speed and, to be honest, the location just worked better for that. I also have my home printer connected into the router and set up on the WiFi so the rest of my network can see it.

Next, my network branches off into two wireless access points. One access point allows my children's computer to connect to the network. That particular computer also doubles as my Web server, music server, file server, and sends the data from my weather sensor out to the rest of the world. The other access point is connected to our Wii, Blu-ray player, and DirecTV system to allow each of these to connect to the Internet.

Lastly, on the network, I have my cell phone, tablet, and my wife's Nook. These all connect to the Internet over the WiFi from the router. The network also allows me to move files anywhere and access just about any device I own quickly and easily. I can even set up my DVR to record from my phone, even when I am not on the network. So, how do I value these items and any risks?

Personally, my highest valued risk would be my Internet connection. Without it, there is very little that I can do. My ability to work on homework, balance my checkbook, pay my bills, or anything else requiring a data connection comes to a halt. Now, I certainly could use my cell phone as a backup, but my Internet hardware is the most important asset on my network. Next, I would have to rank the computer with my Web server, music server, and file storage as second. If this computer crashed, I would lose just about everything. However, I do have the information backed up onto drives. Therefore, those drives would rank third. I would rank my desktop computer fourth, because I do a lot of work on it, but it is all backed up on the aforementioned hard drives. Lastly, I would rank my access points as fifth. They are not extremely important, as I have other ways to navigate around an outage with them. As you can see, it gets interesting when you start looking at risk management from the home perspective.

Have you ever sat down and thought about your information assets at home? How would you function without them? What is the most important? Do you have a plan in place in case you lose an asset or it is compromised through your Internet connection? We look at these things from a business standpoint, but our personal data is just as critical to us as those balance sheets are to the business. Just something to keep in mind while you are surfing the Web or balancing your checkbook!


Sunday, October 12, 2014

Life as a Security Management Model

I am going to switch gears a little bit this week, taking a side-step from the personal privacy aspect of my posts, and leaning more toward what we are covering in class this week. One topic that interested me was that of Security Management Models. As I was reading through the textbook about these models, I related back to work and personal life. Interestingly, it helped me grasp the concept a little better. So, I wanted to discuss a couple of them and how "layman's terms" turned the light bulb on upstairs.

Our book outlined a couple of integrity models: Bell-LaPadula and Biba. These integrity models essentially state the same principles. The basics of these models attempt to maintain the integrity of data. As such, higher and lower levels of classification and integrity are maintained. It sounds foreign, right? That is where I put a touch of life into it. If you have children, you can relate to being the higher level. If not, then your parents are the higher level.

As parents, we dictate to our children on a daily basis. We tell them to do things like clean their rooms, do their homework, and complete their chores. Our higher level of authority allows that. However, our children, typically speaking, do not tell us what to do. It's that old expression, "I'm the parent, that's why." Thus, in our every day lives, we become living examples of these integrity models. When that integrity is compromised, such as your child telling you no, we take action to correct that compromise.

Businesses have due diligence to do the same thing. If the integrity of their data is compromised to a lower level that is not authorized to access certain data, measures are taken to correct the behavior and attempt to ensure it does not reoccur. In my line of work, the military, we have the same type of scenarios. If you recall the behaviors of Private Bradley Manning and Edward Snowden and the reaction of the military and Federal government in their wake, you can see this model in play and where it failed.

The integrity was upheld by allowing them access to the data, but it failed when that data was subsequently leaked to outside agencies. Thus, the lower level, the civilian world, was given access to data we should not have been granted access to. Actions were taken to remedy the behavior, ensuring it would not happen again, and Private Manning was punished by the military for breaking his agreement to keep the data confidential. In the case of Edward Snowden, it is still ongoing and we do not know what the outcome will be. We also use these principles in our private life.

Think about your data on Facebook. You have the option of keeping your data private. In this case, you are the higher level of authority and allow certain access to a lower level, your friends. If you have no privacy settings set up, all of your data is available for viewing by anyone using Facebook. Your "wall" is a great example of this integrity. Your settings can dictate that you and your friends have read and write access to your wall, thus keeping outsiders from posting to it. On the other hand, a lack of privacy settings makes your wall fair game to anyone wishing to write messages on it. Your privacy settings maintain the integrity of your data. Should that integrity be violated, you have a valid complaint against Facebook for not maintaining it.
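To make the "higher level / lower level" rules concrete, here is a short Python model of the access decisions the two posts above describe. It is an added example, not code from the original post or the textbook. One point of reference that the post's own Maniscalchi citation also makes: in the standard formulation Bell-LaPadula is the confidentiality model (no read up, no write down) and Biba is the integrity model (no read down, no write up). The parent/child example, where instructions flow downward and the child cannot issue rules upward, is exactly Biba's "no write up" rule; the Facebook wall is a simpler owner-controlled list. The level numbers, the `Wall` class and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed levels for the household example; a higher number is a higher level.
LEVELS = {"child": 1, "parent": 2}


def blp_allows(op: str, subject: int, obj: int) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj        # simple security property
    if op == "write":
        return subject <= obj        # *-property
    raise ValueError(f"unknown operation: {op}")


def biba_allows(op: str, subject: int, obj: int) -> bool:
    """Biba (integrity): no read down, no write up."""
    if op == "read":
        return subject <= obj        # simple integrity property
    if op == "write":
        return subject >= obj        # integrity *-property
    raise ValueError(f"unknown operation: {op}")


def household_decisions() -> dict:
    """The post's parent/child example evaluated under Biba."""
    parent, child = LEVELS["parent"], LEVELS["child"]
    return {
        # a parent writing to the child's chore list: writing down is allowed
        "parent_instructs_child": biba_allows("write", parent, child),
        # a child writing rules for the parent: writing up is denied
        "child_instructs_parent": biba_allows("write", child, parent),
    }


@dataclass
class Wall:
    """Owner-controlled wall. Each setting is 'friends' or 'public' (constructed model)."""
    owner: str
    friends: set = field(default_factory=set)
    read_access: str = "friends"
    write_access: str = "friends"
    posts: list = field(default_factory=list)

    def _allowed(self, setting: str, user: str) -> bool:
        return setting == "public" or user == self.owner or user in self.friends

    def can_read(self, user: str) -> bool:
        return self._allowed(self.read_access, user)

    def post(self, user: str, message: str) -> bool:
        """Record the post only if the write setting admits this user; return whether it was accepted."""
        if not self._allowed(self.write_access, user):
            return False
        self.posts.append((user, message))
        return True


if __name__ == "__main__":
    print(household_decisions())
    wall = Wall(owner="me", friends={"alice"})
    print("stranger posts:", wall.post("stranger", "buy my product"))   # False
    print("friend posts:", wall.post("alice", "happy birthday"))         # True
    open_wall = Wall(owner="me", write_access="public")
    print("stranger posts to open wall:", open_wall.post("stranger", "spam"))  # True
```

Running the block shows the contrast the post draws: under Biba the parent's instruction is accepted and the child's is refused, and a wall left on its public default accepts posts from anyone, which is the "no privacy settings" case. Swap `biba_allows` for `blp_allows` on the same levels and the write decisions invert, which is the quickest way to see that the two models protect different things.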

As you can see, it is interesting how our normal daily lives revolve around something as simple as these integrity models. Again, I was looking for a way to relate the learning to how we function in life. It made it easy to remember and clarified certain aspects of it for me. Essentially, we are living life in terms of security management models in this technologically advanced world we live in. Interesting, huh?

Referenced Sites

Gellman, B. (2013, December 23). Edward Snowden, after months of NSA revelations, says his mission's accomplished. Retrieved October 12, 2014, from http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html

Maniscalchi, J. (2010, May 17). Information Security Models for Confidentiality and Integrity. Retrieved October 12, 2014, from http://www.digitalthreat.net/2010/05/information-security-models-for-confidentiality-and-integrity/

Tate, J. (2013, August 21). Bradley Manning sentenced to 35 years in WikiLeaks case. Retrieved October 12, 2014, from http://www.washingtonpost.com/world/national-security/judge-to-sentence-bradley-manning-today/2013/08/20/85bee184-09d0-11e3-b87c-476db8ac34cd_story.html

Sunday, October 5, 2014

Security Awareness and You

I've been blogging about security and privacy over the past few weeks. This week, we took a look at security awareness training and I thought about how this could factor into your personal life. So, I just wanted to pass along some tips to the personal user on how to better secure your information. I wanted to discuss phishing, passwords, and malicious software.

Phishing is the act of presenting an email to look as though it came from a legitimate user or business. These emails can be disguised to fool you into thinking they came from a friend or a business you regularly deal with. How many of you have received an email from a friend with a strange subject, such as "Hey, check this out!," that contains a link for you to click? What about an email from PayPal asking you to verify your log-in information? Chances are, neither of these emails came from either your friend or PayPal. Rather, it is a phishing email designed to gain some type of information from you. In the case of the PayPal email, once you enter your username and password, a thief now has your information and can access your account. Be wary of strange emails! But you have all of your sites password protected, right?

Passwords are the weakest link in the chain for gaining unauthorized access to sites. Many people choose common terms that are found in a dictionary. They also use things such as pet names, birth dates, anniversaries, or another easily remembered combination. This is bad! Cracking programs can run thousands of times per minute and throw a wide variety of passwords at your account to attempt a log in. Yes, many sites have a lockout feature, but do not bet your money on that protecting you. The person running the script may likely just keep trying. Choose a strong password that contains a combination of lowercase and uppercase letters, numbers, and special characters. Make the password as hard to crack as you possibly can without using anything that resembles a common phrase. The more complex your password, the less likely it is to be cracked.
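The password advice above can be turned into a checker that reports why a password is weak rather than just counting character classes. The following Python is an added example (not from the original post): it measures the keyspace a brute-force tool would have to search, estimates how long that takes at the "thousands of guesses per minute" rate the post mentions, and separately checks whether the password is a dictionary word dressed up with digits, which is the pattern crackers try first. The word list, the 5,000-guesses-per-minute rate and the 12-character minimum are constructed assumptions for the example.

```python
import math
import string

# Constructed stand-in for the word list a cracking tool would try first.
COMMON_WORDS = {"password", "welcome", "letmein", "fluffy", "summer", "qwerty", "iloveyou"}

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}


def character_classes(password: str) -> set:
    """Which of the four classes (lower, upper, digit, special) the password draws from."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def keyspace_bits(password: str) -> float:
    """log2 of the number of strings a brute-force search must cover: length x log2(alphabet)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def dictionary_core(password: str) -> str:
    """Letters only, lower-cased: 'Fluffy1990!' -> 'fluffy'. Digits and symbols do not hide the word."""
    return "".join(ch for ch in password if ch.isalpha()).lower()


def years_to_exhaust(bits: float, guesses_per_minute: float = 5000) -> float:
    """Years to try every string in the keyspace at a fixed online guessing rate (assumed rate)."""
    return 2 ** bits / (guesses_per_minute * 60 * 24 * 365)


def assess(password: str, guesses_per_minute: float = 5000) -> dict:
    """Return the keyspace estimate plus a list of concrete reasons the password is weak."""
    reasons = []
    classes = character_classes(password)
    bits = keyspace_bits(password)
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if len(classes) < 3:
        reasons.append("uses fewer than three character classes")
    core = dictionary_core(password)
    if core in COMMON_WORDS:
        reasons.append(f"built on the dictionary word '{core}'")
    if password.isdigit() and 6 <= len(password) <= 8:
        reasons.append("looks like a date or a phone number")
    return {
        "bits": bits,
        "classes": classes,
        "years_to_exhaust": years_to_exhaust(bits, guesses_per_minute),
        "weak": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ["fluffy1990", "Tq7#vL9!pR2x", "19760412"]:
        report = assess(candidate)
        print(f"{candidate!r}: {report['bits']:.1f} bits, "
              f"{report['years_to_exhaust']:.3g} years by brute force, weak={report['weak']}")
        for reason in report["reasons"]:
            print("   -", reason)
```

The interesting line in the output is `fluffy1990`: its keyspace is over 50 bits, which at 5,000 guesses a minute would take on the order of a million years to exhaust, yet it is still weak because the cracker does not search the keyspace at all; it tries "fluffy" with a few digit suffixes. That is why the dictionary check, not the class count, is the finding that matters.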

Lastly, I wanted to take a minute to discuss malicious software. This is software that, with or without your approval, can run on your system and accomplish a multitude of dangerous tasks. Malicious software can scan your computer for vital documents, photos, and can even record your keystrokes on the keyboard. The last one is very dangerous, because it can track the sites you visit, harvest your usernames, and grab your password...all without your knowledge. It is very critical that you run some type of virus software to pick up on these types of programs. Some will install just by visiting a web site. Once you have clicked a link, the rest is history. Virus scanning software can help defend you against these types of attacks. If it looks odd and feels strange, do NOT click on it!

In conclusion, for personal safety, it is important that you understand what you are doing. Do not respond to strange emails, ensure you have strong passwords, never use the same password on multiple sites, and always make sure that any computer connected to the Internet is protected with anti-virus or malware protection software. Just taking these small precautions can spare your time and your checkbook from harmful activities!