Friday, November 14, 2014

Blog Analysis and Summary - The Final Chapter

The past 12 weeks have been a wonderful learning experience. I felt like I knew a bit about security, but I certainly did not know the management aspect of it. This blog was my way to bring the business lingo down to Earth on a level most of us could understand and relate to.

Much of the information I found was scattered across the Internet. I found articles on CNET, The Washington Post, ABC News, and Business Week. I really wanted to gather as much information on the topics as possible and not utilize the same resources over and over again. There was a lot of good information I garnered from LifeHacker. The information has been out there, I just never knew what to look for. Having this blog and the topics week-to-week helped keep me focused.

I started my blog by looking at personal security. In the corporate world, securing data is a major part of doing business today. It is no different in our personal lives. We need to make sure we are taking the appropriate precautions to ensure we protect ourselves, just as we would do as managers within a corporation.

Next, I looked at liability and security. It is good to know that we have some form of protection if our data is compromised. On the personal level, this could be with credit monitoring services and such. On the corporate level, liability can be deflected to other agencies, if services are contracted and the other agency is liable via the contract.

Over the next few weeks, I took a look at life and how it related to security awareness, risk management, and the costs associated with protecting valuable assets. Just as a corporation must have security policies in place and evaluate risk, we need to do that in our own lives too. We need to consider the costs associated with decisions. Perhaps a child downloads a program which installs a virus and wreaks havoc on your home computer. This same type of behavior can happen in the business world too!

Lastly, I looked into securing wireless networks. In the business world, leaving networks unsecured is the easiest way to lose valuable information. The same holds true in your own home. Understanding the need to secure networks is critical for protecting data from being compromised. We all have some degree of information that, if stolen by someone on the outside, could be detrimental to our own personal lives. Businesses are no different.

As you can see, I used this term to relate the business ideas to those of my personal life. It will be some time before I am able to utilize the information security principles we learned, so relating them to something I am doing now helped clarify most of the topics. I am hopeful that, by bringing these concepts down to Earth, I will remember the valuable information in this class. Hopefully it will help someone else who is new to the concepts of information security! It sure helped me!

Sunday, November 9, 2014

The Chief Information Security Officer, Big Shoes to Fill!

This week, we have been looking at personnel and security. One of our assignments was to write a job description for the Chief Information Security Officer (CISO). We have been following a newly appointed CISO throughout the class, so I thought it would be easy. It was a bit more difficult than I thought. Additionally, there is a LOT the CISO is responsible for, based on the job descriptions I looked at for guidance.

I looked mainly at CareerBuilder in my quest for more information and found 31 jobs advertised for CISO. Looking at the job descriptions, it should be no surprise that the CISO is responsible for the information security and risk management programs. Another resonating topic noticed while looking at the job descriptions was communication and supervision. This should not be a surprise, since we are looking at a top-level officer in the organization. I did find something surprising, however.

I was surprised to see the experience and education requirements for a CISO in most of the listings. The listing for LRS.com did not list education as a requirement, but did ask for a minimum of seven years of experience. Another listing, a CISO job for Teledyne Technologies, indicated a minimum of five years' experience. I based my assignment on those factors, but then I began to think about it. Is that really enough experience?

After more consideration, I would change my requirements on the job description to require at least 10 years in the IT field and, preferably, a majority of those in management. If you think about the role of the CISO, it is an important asset in the organization. The CISO is the person ultimately responsible for everything related to the IT systems, their security, and the security and privacy of data. When a breach occurs, it is likely going to be the CISO answering the questions and trying to figure out just what happened. Is this where you want inexperience?

Don't get me wrong. There are a lot of individuals who excel on the job and move up the ranks very, very quickly. Perhaps these organizations are looking for those top performing, quick moving individuals. My concern, especially if I was hiring a top-level manager, is that less than 10 years just might not be enough to learn the skills necessary to head the IT operations. Am I wrong? Perhaps. Would I be elated to receive the job with just five years' experience? You bet!

Referenced Sites

http://www.careerbuilder.com/jobs/keyword/ciso

Sunday, November 2, 2014

Security and Your Wireless Network

This week, we learned about protection mechanisms. These include firewalls and wireless networking protection. After reviewing this, it made me wonder about the status of wireless networks and how many users are actually educated enough to protect themselves. What I found is that I am guilty of not protecting myself more!

I found an article by Eric Geier on PCWorld and it really opened my eyes. I am one of those who will connect to public WiFi hotspots like Starbucks, McDonald's, or even the airport. I've never really paid much attention to whether or not my connection was secure. In the article, he states you should check to make sure any web pages you log into start with https. Otherwise, he shows clear examples of how anyone could snoop out your login information. Scary, huh?
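To make the "anyone could snoop out your login information" point concrete, here is an added example (my own code, not from the PCWorld article or this blog) that plays the eavesdropper. It parses the application payload of a single captured packet, the way a sniffer on an open hotspot would hand it over after the Ethernet/IP/TCP headers are stripped, and pulls out the host, session cookie and form fields of a plaintext http login. The host, cookie and credentials in the samples are constructed, and the TLS sample is a synthetic record header rather than a real handshake; it is there to show that an https login gives the same parser nothing to read.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed samples (made-up host, cookie and credentials, not from a real
# capture): the application payload of one TCP segment, as a sniffer on an
# open hotspot would hand it over after stripping the Ethernet/IP/TCP headers.
HTTP_LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: webmail.example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"username=alice%40example.com&password=hunter2"
)
# The same credentials sent in a GET query string (some older login forms do this).
HTTP_LOGIN_GET = (
    b"GET /login?user=alice&pass=hunter2 HTTP/1.1\r\n"
    b"Host: webmail.example.com\r\n"
    b"\r\n"
)
# Synthetic TLS record header (content type 0x16 = handshake, version 3.1) plus
# opaque bytes: this is all an eavesdropper sees of an https login.
TLS_SAMPLE = b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x01"

# Field names that usually carry something worth stealing.
CREDENTIAL_HINTS = ("pass", "pwd", "user", "login", "email")


def is_tls_record(payload: bytes) -> bool:
    """TLS records start with a content type 20..23 followed by major version 3."""
    return len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3


def extract_login(payload: bytes):
    """Return what a passive eavesdropper can read from one plaintext HTTP
    request, or None when the payload is not readable HTTP (for example TLS)."""
    if is_tls_record(payload):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # binary data: nothing readable here
    request = lines[0].split(" ")
    if len(request) != 3 or not request[2].startswith("HTTP/"):
        return None
    method, target, _ = request
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Form fields travel either in the query string or in a urlencoded body.
    parts = urlsplit(target)
    form = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form.update({k: v[0] for k, v in
                     parse_qs(body.decode("ascii", "replace"), keep_blank_values=True).items()})
    credentials = {k: v for k, v in form.items()
                   if any(hint in k.lower() for hint in CREDENTIAL_HINTS)}
    return {
        "method": method,
        "host": headers.get("host"),
        "path": parts.path,
        "cookie": headers.get("cookie"),  # a stolen session cookie logs the attacker in too
        "credentials": credentials,
    }


if __name__ == "__main__":
    for name, sample in (("POST", HTTP_LOGIN_POST), ("GET", HTTP_LOGIN_GET), ("TLS", TLS_SAMPLE)):
        print(name, extract_login(sample))
```

Run it and the two http samples give up the username, password and session cookie in the clear, while the TLS sample yields None. Note that the https check only covers the page you log into: the cookie on every later plain-http request is just as readable as the password was.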

Even scarier is that the same thing can happen on your own home network. Yes, that's right! This all boils down to setting up wireless network security, and the choice matters: WPA2 with a strong passphrase is the one to use, because WEP's encryption has been broken for years and a WEP key can be recovered in minutes with freely available tools. I happen to use WPA2, because I have heard it is better than WEP. I am not a professional on that, but I have found that WPA2 appears to work better with my wireless hardware. It seems more universal to me than WEP. Regardless of the protection method used, if you leave your home wireless network unsecured, there is nothing stopping a criminal or hacker from connecting to your network and monitoring your use. With the proper software, they could get your email login information and even your online banking information. Even scarier, right?

I have never used open WiFi networks in an illegal way, nor would I ever urge anyone to. However, I have connected to other open networks and utilized Internet connections. My grandma does not have Internet access and, at the time, I did not have a cell phone that could share the connection to a computer. I fired up my laptop and noticed that there were a few networks available, one of which was unsecured. Sure enough, I was able to surf the web and look up some information on things to do in the area, all without the owner knowing I was doing it. Depending on your Internet connection, that could be precious bandwidth being stolen from you. This is just another example of what people could use your open connection for, and a tame one at that!

The bottom line is that, with more and more people moving to wireless networks, there is a growing need for education on how to protect yourself from attacks. If you are using a public hotspot, know that any information you send over the network could potentially be snooped out by an "onlooker," so only log in to sites whose address starts with https, or route everything through a VPN. Also, make sure your home wireless network is secured with WPA2 and a strong passphrase; WEP no longer counts as protection. Educating and protecting yourself could save a lot of grief in the future!

Referenced Site

http://www.pcworld.com/article/2043095/heres-what-an-eavesdropper-sees-when-you-use-an-unsecured-wi-fi-hotspot.html

Sunday, October 26, 2014

Bringing Home SLE, ARO, ALE, and CBA

This week was fairly interesting to me. We read about controlling risk in the risk management process. Just as with last week, this is fairly new to me, so I try to relate the topics to layman's terms here at home to simplify it. This week, I wanted to do the same thing, so I am going to look at single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE), and cost-benefit analysis (CBA). In my case, I am going to look at my home desktop computer...my lifeblood, really!

To get the SLE, you have to look at the value of the asset and the exposure it has to an exploited vulnerability. My desktop computer is valued at around $2,000 total. However, the value that I could lose would be closer to $500, which is the cost of my hard disks and memory. The vulnerability I want to look at is malicious software. For the purpose of this exercise, the malicious software will be considered a virus which would cause a total destruction and loss of all data on my computer. Therefore, it would be a 100% loss. So, my SLE would be $500 x 100% or $500. We will use this calculation a little later. First, we need to look at the ARO.

The ARO is the number of times an exploited vulnerability is expected to occur in a year. My wife and kids utilize my desktop and they are not very diligent, at times, about using the internet. As such, I could expect about four viruses per week, on average, to affect my computer. Of those four viruses, we will assume that two of them could cause catastrophic damage to my hard drive. Therefore, my ARO would be 2 x 52, or 104. There are 52 weeks in a year and I can expect two nasty viruses each of those weeks. That's significantly high, but you can see how it is calculated for this example. So, where does the ARO come into play?

The SLE and ARO combine to give me the ALE. ALE is found by taking the SLE and multiplying it by the ARO. In other words, my single loss value times the rate of occurrence. In this case, it is $500 x 104 or $52,000. What does that mean? Without any controls in place to reduce my catastrophic loss, it would cost me over $50,000 a year to keep my desktop computer functioning. Who on Earth would pay that kind of money to keep a computer functioning? I know I don't have that much money to replace my hard drive and memory every time. That is why I invest in anti-virus software, which is my control. This will factor into my CBA.

A CBA is an analysis of how much you benefit from implementing a specific control to reduce your risk. To figure it, you need to figure out how much your ALE is after implementing the control. In my case, we will assume that my ALE after the control is $0. My anti-virus software is that effective, because I keep it updated regularly. I have Norton 360, which I paid $175 for three years of protection. Therefore, my annual cost of safeguard (ACS) is about $58. The CBA is the pre-control ALE minus the post-control ALE minus the ACS, or CBA = ALE(prior) - ALE(post) - ACS. Plugging in the numbers, we have $52,000 - $0 - $58, which equals $51,942. What does all of this mean?

Again, speaking in layman's terms, the $58 per year investment in Norton 360 saved me $51,942 annually. Over the course of three years, that $175 investment saved me $155,826. When you look at it that way, that $175 price tag seems pretty cheap, doesn't it? We sometimes look at the high cost of something to protect our valuable assets as too expensive. However, when you step back and look at the long-term, you can definitely see the benefit of paying such a small cost up front. In this case, considering the worst case scenario of a nasty virus outbreak, I have saved thousands of dollars for an investment of less than $200. Amazing when you look at it that way, right?
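The chain of formulas above is easy to get wrong once the numbers change, so here is an added example (my own code, not part of the original post) that carries the post's desktop-computer numbers through SLE, ARO, ALE, ACS and CBA. It goes one step beyond the post: the control's effectiveness is a parameter rather than an assumed 100%, so you can see what the CBA looks like if the anti-virus only stops 95% of the nasty viruses, and a break-even helper shows how rare a loss has to be before the $58-a-year control stops paying for itself. The $500 exposure, two damaging viruses per week and $175 for three years are the post's figures; the 95% effectiveness is an assumption for illustration.

```python
WEEKS_PER_YEAR = 52


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the value lost per event)."""
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(damaging_events_per_week):
    """ARO = expected number of damaging events per year."""
    return damaging_events_per_week * WEEKS_PER_YEAR


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year."""
    return sle * aro


def annual_cost_of_safeguard(total_price, years):
    """ACS spreads a multi-year purchase over the years it covers."""
    return total_price / years


def cost_benefit(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs


def evaluate_control(asset_value, exposure_factor, events_per_week,
                     control_price, control_years, control_effectiveness):
    """Run the whole chain. control_effectiveness is the fraction of damaging
    events the control stops: 1.0 is the post's assumption that nothing gets through."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    aro = annualized_rate_of_occurrence(events_per_week)
    ale_prior = annualized_loss_expectancy(sle, aro)
    # The control does not change what one loss costs; it changes how often it happens.
    ale_post = annualized_loss_expectancy(sle, aro * (1 - control_effectiveness))
    acs = annual_cost_of_safeguard(control_price, control_years)
    return {"SLE": sle, "ARO": aro, "ALE_prior": ale_prior, "ALE_post": ale_post,
            "ACS": acs, "CBA": cost_benefit(ale_prior, ale_post, acs)}


def blog_example(control_effectiveness=1.0):
    """The post's numbers: $500 at risk, total loss per event, two nasty viruses
    a week, $175 of anti-virus for three years."""
    return evaluate_control(500, 1.0, 2, 175, 3, control_effectiveness)


def break_even_aro(sle, acs):
    """Smallest ARO at which a fully effective control still covers its own cost."""
    return acs / sle


if __name__ == "__main__":
    for eff in (1.0, 0.95):
        print(f"effectiveness {eff:.0%}:", blog_example(eff))
    print("break-even ARO:", round(break_even_aro(500, annual_cost_of_safeguard(175, 3)), 3))
```

With the post's assumptions this reproduces SLE $500, ARO 104, ALE $52,000 and a CBA of about $51,942. At 95% effectiveness the post-control ALE is $2,600 and the CBA drops to about $49,342, still overwhelmingly positive. The break-even ARO works out to roughly 0.12, meaning the $58 a year is worth it as long as you expect a total loss more often than about once every eight and a half years.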

Sunday, October 19, 2014

Bringing Risk Management Home

This week, we have been discussing risk management and working to identify assets and their associated vulnerabilities. This got me thinking about my life here at home and how these concepts could be realized at home. Therefore, I wanted to take a look at my assets and how I would rank their value.

First of all, I have a DSL modem hooked up to a wireless router as my connection to the Internet. My desktop computer is hardwired into the router for optimal speed and, to be honest, the location just worked better for that. I also have my home printer connected into the router and set up on the WiFi so the rest of my network can see it.

Next, my network branches off into two wireless access points. One access point allows my children's computer to connect to the network. That particular computer also doubles as my Web server, music server, file server, and sends the data from my weather sensor out to the rest of the world. The other access point is connected to our Wii, Blu-ray player, and DirecTV system to allow each of these to connect to the Internet.

Lastly, on the network, I have my cell phone, tablet, and my wife's Nook. These all connect to the Internet over the WiFi from the router. The network also allows me to move files anywhere and access just about any device I own quickly and easily. I can even set up my DVR to record from my phone, even when I am not on the network. So, how do I value these items and any risks?

Personally, my highest valued asset would be my Internet connection. Without it, there is very little that I can do. My ability to work on homework, balance my checkbook, pay my bills, or anything else requiring a data connection comes to a halt. Now, I certainly could use my cell phone as a backup, but my Internet hardware is the most important asset on my network. Next, I would have to rank the computer with my Web server, music server, and file storage as second. If this computer crashed, I would lose just about everything. However, I do have the information backed up onto drives. Therefore, those drives would rank third. I would rank my desktop computer fourth, because I do a lot of work on it, but it is all backed up on the aforementioned hard drives. Lastly, I would rank my access points as fifth. They are not extremely important, as I have other ways to navigate around an outage with them. As you can see, it gets interesting when you start looking at risk management from the home perspective.

Have you ever sat down and thought about your information assets at home? How would you function without them? What is the most important? Do you have a plan in place in case you lose an asset or it is compromised through your Internet connection? We look at these things from a business standpoint, but our personal data is just as critical to us as those balance sheets are to the business. Just something to keep in mind while you are surfing the Web or balancing your checkbook!


Sunday, October 12, 2014

Life as a Security Management Model

I am going to switch gears a little bit this week, taking a side-step from the personal privacy aspect of my posts, and leaning more toward what we are covering in class this week. One topic that interested me was that of Security Management Models. As I was reading through the textbook about these models, I related back to work and personal life. Interestingly, it helped me grasp the concept a little better. So, I wanted to discuss a couple of them and how "layman's terms" turned the light bulb on upstairs.

Our book outlined a couple of access control models: Bell-LaPadula and Biba. They are mirror images of each other. Bell-LaPadula is a confidentiality model: a subject may not read data classified above its own level, and may not write data down to a lower level where it could leak. Biba is an integrity model: a subject may not read data of lower integrity than itself, and may not write to data of higher integrity. In both, the point is that higher and lower levels are kept apart and information only flows in the sanctioned direction. It sounds foreign, right? That is where I put a touch of life into it. If you have children, you can relate to you being the higher level. If not, then your parents are the higher level.

As parents, we dictate to our children on a daily basis. We tell them to do things like clean their rooms, do their homework, and complete their chores. Our higher level of authority allows that. However, our children, typically speaking, do not tell us what to do. It's that old expression, "I'm the parent, that's why." Thus, in our everyday lives, we become living examples of these models. When that integrity is compromised, such as your child telling you no, we take action to correct that compromise.

Businesses have a due-diligence obligation to do the same thing. If data is exposed to a lower level that is not authorized to access it, measures are taken to correct the behavior and attempt to ensure it does not reoccur. In my line of work, the military, we have the same type of scenarios. If you recall the behaviors of Private Bradley Manning and Edward Snowden and the reaction of the military and Federal government in their wake, you can see this model in play and where it failed.

The model was upheld in that they were granted access to the data at their own level, but it failed when that data was subsequently passed to outside parties. Thus, the lower level, the civilian world, was given access to data it should not have been granted access to. Actions were taken to remedy the behavior, ensuring it would not happen again, and Private Manning was punished by the military for breaking his agreement to keep the data confidential. In the case of Edward Snowden, it is still ongoing and we do not know what the outcome will be. We also use these principles in our private life.

Think about your data on Facebook. You have the option of keeping your data private. In this case, you are the higher level of authority and allow certain access to a lower level, your friends. If you have no privacy settings set up, all of your data is available for viewing by anyone using Facebook. Your "wall" is a great example of this integrity. Your settings can dictate that you and your friends have read and write access to your wall, thus keeping outsiders from posting to it. On the other hand, a lack of privacy settings makes your wall fair game to anyone wishing to write messages on it. Your privacy settings maintain the integrity of your data. Should that integrity be violated, you have a valid complaint against Facebook for not maintaining it.

As you can see, it is interesting how our normal daily lives revolve around something as simple as these integrity models. Again, I was looking for a way to relate the learning to how we function in life. It made it easy to remember and clarified certain aspects of it for me. Essentially, we are living life in terms of security management models in this technologically advanced world we live in. Interesting, huh?
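Here is an added example (my own code, not from the textbook or this blog) that encodes the two models' rules and runs the post's own scenarios through them. The two levels stand for the household analogy (child below parent) or, equally, a public audience below a cleared one; the level names and the two scenario functions are mine, chosen to match the post.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered levels. In the post's household analogy LOW is the child and
    HIGH the parent; for the military case read them as public and cleared."""
    LOW = 1
    HIGH = 2


def blp_permits(action, subject, obj):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if action == "read":
        return subject >= obj   # simple security property
    if action == "write":
        return subject <= obj   # *-property
    raise ValueError(action)


def biba_permits(action, subject, obj):
    """Biba (integrity): no read down, no write up."""
    if action == "read":
        return subject <= obj   # simple integrity property
    if action == "write":
        return subject >= obj   # *-integrity property
    raise ValueError(action)


def decide(model, action, subject, obj):
    """Dispatch to one model; returns True when the access is permitted."""
    check = {"blp": blp_permits, "biba": biba_permits}[model]
    return check(action, subject, obj)


def leak_scenario():
    """The post's Manning/Snowden point under Bell-LaPadula: a cleared subject
    may read HIGH data, but copying it into a LOW (public) object is a
    write-down the model forbids. Returns (read_allowed, write_down_allowed)."""
    return (decide("blp", "read", Level.HIGH, Level.HIGH),
            decide("blp", "write", Level.HIGH, Level.LOW))


def wall_scenario():
    """The post's Facebook wall under Biba: the owner (HIGH integrity) may
    write to the wall, a stranger (LOW) may not, since that would be a write-up.
    Returns (owner_write_allowed, stranger_write_allowed)."""
    wall = Level.HIGH
    return (decide("biba", "write", Level.HIGH, wall),
            decide("biba", "write", Level.LOW, wall))


if __name__ == "__main__":
    print("BLP leak scenario (read, write down):", leak_scenario())
    print("Biba wall scenario (owner, stranger):", wall_scenario())
    print("child giving parent orders (Biba write up):",
          decide("biba", "write", Level.LOW, Level.HIGH))
```

Reading the output against the post: Bell-LaPadula allowed the cleared read but would have blocked the write down to the public, which is exactly where the post says the model failed in practice, while Biba is the one that says a child (or a stranger on your wall) does not get to write upward.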

Referenced Sites

Gellman, B. (2013, December 23). Edward Snowden, after months of NSA revelations, says his mission's accomplished. Retrieved October 12, 2014, from http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html

Maniscalchi, J. (2010, May 17). Information Security Models for Confidentiality and Integrity. Retrieved October 12, 2014, from http://www.digitalthreat.net/2010/05/information-security-models-for-confidentiality-and-integrity/

Tate, J. (2013, August 21). Bradley Manning sentenced to 35 years in WikiLeaks case. Retrieved October 12, 2014, from http://www.washingtonpost.com/world/national-security/judge-to-sentence-bradley-manning-today/2013/08/20/85bee184-09d0-11e3-b87c-476db8ac34cd_story.html

Sunday, October 5, 2014

Security Awareness and You

I've been blogging about security and privacy over the past few weeks. This week, we took a look at security awareness training and I thought about how this could factor into your personal life. So, I just wanted to pass along some tips to the personal user on how to better secure your information. I wanted to discuss phishing, passwords, and malicious software.

Phishing is the act of crafting an email to look as though it came from a legitimate user or business. These emails can be disguised to fool you into thinking they came from a friend or a business you regularly deal with. How many of you have received an email from a friend with a strange subject, such as "Hey, check this out!," that contains a link for you to click? What about an email from PayPal asking you to verify your log in information? Chances are, neither of these emails came from your friend or from PayPal. Rather, it is a phishing email designed to gain some type of information from you. In the case of the PayPal email, once you enter your username and password on the look-alike page, a thief now has your information and can access your account. Be wary of strange emails! Hover over a link to see where it really goes before you click, and when a bank or PayPal supposedly needs something from you, type the site's address yourself instead of following the link. But, you have all of your sites password protected, right?

Passwords are the weakest link in the chain for gaining unauthorized access to sites. Many people choose common terms that are found in a dictionary. They also use things such as pet names, birth dates, anniversaries, or another easily remembered combination. This is bad! Cracking programs can throw thousands of guesses per minute at a login page, and if a site's password database is stolen, an attacker can test billions of guesses per second offline against the hashed passwords, where no lockout helps at all. Yes, many sites have a lockout feature, but do not bet your money on that protecting you. The person running the script may likely just keep trying. Choose a strong password that contains a combination of lowercase and uppercase letters, numbers, and special characters, and make it long: every extra character multiplies the attacker's work far more than swapping a letter for a symbol does. Make the password as hard to crack as you possibly can without using anything that resembles a common phrase. The longer and less predictable your password, the less likely it is to be cracked.

Lastly, I wanted to take a minute to discuss malicious software. This is software that, with or without your approval, can run on your system and accomplish a multitude of dangerous tasks. Malicious software can scan your computer for vital documents and photos, and can even record your keystrokes on the keyboard. The last one is very dangerous, because it can track the sites you visit, harvest your usernames, and grab your passwords...all without your knowledge. It is critical that you run some type of anti-virus software to pick up on these types of programs. Some will install just by visiting a web site, so keep your operating system, browser, and browser plugins patched as well; those drive-by installs rely on software that is out of date. Once you have clicked a link, the rest is history. Virus scanning software can help defend you against these types of attacks. If it looks odd and feels strange, do NOT click on it!

In conclusion, for personal safety, it is important that you understand what you are doing. Do not respond to strange emails, ensure you have strong passwords, never use the same password on multiple sites, and always make sure that any computer connected to the Internet is protected with anti-virus or malware protection software. Just taking these small precautions can spare your time and your checkbook from harmful activity!

Sunday, September 28, 2014

Policies: Security and Privacy

This week, we have been studying policies. One of our assignments was to create a home computer use policy governing the use of our networks at home. This led me to the thought of researching security and privacy and how they relate in policies. So, how does security and privacy factor into policies?

I found Google's policy information concerning its Business Apps offering. It actually breaks the frequently asked questions (FAQ) into two parts: privacy and security. First of all, let's look at privacy. Many people are concerned with posting or sharing information on the Internet, because they feel that the provider would then own the data. Google makes it clear this is not the case with them. They also make it clear that they respect the organization's privacy by not accessing its data unless granted access by the domain administrator. Additionally, in light of recent developments with security and law enforcement, it appears as though Google will typically entertain requests to remove content. However, I do not see anything mentioning whether it provides government access to your data. So, you can rest assured that Google may have your back if the NSA comes knocking!

Security also plays a factor at Google. They have received satisfactory SSAE 16 and ISAE 3402 Type II audits. What does this mean for you? Essentially, an independent auditor has examined the controls Google describes for data security, privacy, and the security of its data centers and reported that they were in place and operating over the audit period. That is a statement about controls rather than a guarantee against every breach, but it should give users of its Business Apps reasonable peace of mind that data they entrust to Google is looked after. Google also reassures its users that they are protected against hackers and miscellaneous threats by a security team that tests its controls and enhances the security of data. Lastly, Google uses encryption through HTTPS to ensure data transmitted to and from its servers is secure and free from prying eyes. To me, it sounds like Google is a safe, secure, and private area to conduct business.

It's nice to know that privacy and security policies are in place, but what can you do if you feel yours have been violated? That is a fair question and one I wanted to look up. In the event you feel that a business has violated the security and/or privacy policies put in place to protect you, you should contact the Federal Trade Commission (FTC). According to its website, the FTC had brought 32 legal actions against companies for violating their policies regarding security and privacy. In such cases, companies are in violation of Section 5 of the FTC Act. What does that mean? Essentially, it protects you against deceptive practices. A company can provide a policy, gaining your trust, and then violate it by not abiding by its own policies. Therefore, they can be punished and you will have protection. That is good information to know, should you ever encounter this type of practice. Thankfully, I have never had that issue with any companies.

As you can see, companies have policies in place to protect both themselves and you, their clients. Without these policies in place, there could be tremendous harm to either you or the company. Private information made available to others could hurt you or your company, leading to lawsuits against your provider. You certainly do not want your information freely available and the companies who host your data, like Google, do not want to lose valuable monetary resources because of negligence. Most of us, myself included, tend to just breeze through the policies. Next time, take a few minutes to read through those privacy and security policies to see how you are protected. You might find a plethora of useful information at your fingertips!

Referenced Sites

Enforcing Privacy Promises. (n.d.). Retrieved September 28, 2014, from http://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises

Your security and privacy. (n.d.). Retrieved September 27, 2014, from https://support.google.com/a/answer/60762?hl=en

Sunday, September 21, 2014

Liability and Security

I have been researching and talking about private data, security, and the compromise of our private data. With that, I began to wonder about liability. Who is liable in the event that my data is compromised? The answer, in reality, is that it depends on what data was compromised and how it was compromised. So, let's look at a couple of different aspects: self-disclosure and data breaches.

Self-disclosure is just as it sounds. You have willingly provided your data to someone, whether or not it is the person you thought you were providing it to. It is simply the act of providing information, such as a password, on behalf of yourself. You might think that you are fully liable in this case, but you do have some recourse. As the msnbc.com article indicates, if you report it within two business days, Federal law states you are only liable for $50. After that, you become liable for up to $500 out to 60 days. If, after 60 days, you have not reported the potential fraud to the bank, the liability is unlimited. It's good to know you have some rights if you are duped out of information in a phishing scam. So, what happens in the event of a data breach, such as with Target and Home Depot?

Both Target and Home Depot finally revealed their data breaches. In the case of Target, they set up a site online to provide valuable information to consumers. Home Depot did not set up a specific site, but they did publish a frequently asked questions (FAQ) document to answer questions consumers may have. At any rate, the retailers both provided consumer protection due to the fact that consumer payment cards were compromised. Both retailers offered consumers one free year of fraud protection, which seems to ease the tension, but does it really?

In my opinion, providing free fraud protection is a good move to try to ease my mind; however, does it really help? If I used my debit card at Target or Home Depot, what is to prevent anyone from using my information to drain my account of funds? This is where I feel that liability switches over from the retailer to the consumer. The retailers are providing you protection because of their mistake, out of good faith. In return, it is important for us consumers to take action and contact our banks as soon as we are notified of the breach. This does not mean that your account will definitely be affected; but, keeping a proactive mindset will keep you ahead of the game. In the end, you can be mad at the retailers for losing your information all you want. However, the best thing to do is accept their offer and take the proper actions to protect yourself. At some point, the liability falls on you.

Referenced Sites

Data breach FAQ. (n.d.). Retrieved September 22, 2014, from https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ

FAQs. (2014, January 1). Retrieved September 22, 2014, from https://corporate.homedepot.com/MediaCenter/Documents/FAQs.pdf

Sullivan, B. (2005, August 12). Know Your Rights on Bank Account Fraud. Retrieved September 21, 2014, from http://www.nbcnews.com/id/8915217/ns/technology_and_science-security/t/know-your-rights-bank-account-fraud

Sunday, September 14, 2014

Security and Your Bank Account

Last week, I touched on account security and phishing. The need to protect our information is critical to keep those with malicious intent from accessing our data. We need to play a vital role in protecting our information; however, we do entrust other critical data to others in the form of payment information. Data we once felt was safe is alarmingly becoming more and more susceptible.

How many of you shop with a credit or debit card?  I am guilty of it. I seldom carry cash because, if I do, it gets spent.  I am less likely to spend if I have to use my debit card.  Additionally, when I go to the grocery store, out to dine, or shop at local retailers, I use plastic. It is fast, safe, and convenient, right?  In light of the recent revelation that Home Depot has had their payment information hacked and the same type of criminal activity affecting Target last year, it makes you wonder.

The Target ordeal involved around 40 million customers who had shopped at the retailer from November 27, 2013 to December 15, 2013. The hackers, more or less thieves at this point, were able to obtain the names, card numbers, expiration dates, and card verification value (CVV) from transactions that occurred during that period. This is alarming because, if you think about it, that really is a majority of the information you need to make a transaction online. The only piece of information missing is your billing address. If you are thinking, "Well, good! They don't have everything!", it would only take a quick stop at whitepages.com to remedy that.  

The Target breach was huge, with members of our government calling for intensive investigations and placing blame on the retailer for not having proper security measures in place; but, it did! Target had installed malware detection software on its systems to catch exactly this kind of incident.  The attackers staged the stolen data on servers inside the U.S. before moving it out of the country to hide their trail, and, when the Target security team was alerted to the suspicious activity, it failed to react. A review of the security logs even showed alerts of malicious activity in late November and early December. So, there certainly is blame on the retailer for not protecting the data we entrusted to it. As Target has begun to cool down a bit in the news, another retailer, Home Depot, is at ground zero.

The Home Depot attack, which came to light in the last couple of weeks, actually began back in April. From the reports I have seen, it is a different style of attack from the one that hit Target. Rather than the thieves relaying data through a "middle man," the Home Depot malware captured the transactions right at the register. The malware was designed to disguise itself as anti-virus software, so that it would be overlooked as a threat. The fact I find intriguing is that Home Depot's IT team could have dismissed the software, which identifies itself as McAfee, as legitimate even though they did not use McAfee products. So, while the software may have looked legitimate, where were the warning flags that software they did not use had been installed? A binary that claims to be a security product the organization has never deployed is, on its own, something worth investigating. It leaves one to wonder why it was not dealt with immediately. Consumers who dealt with the Target ordeal may want to take heed of the Home Depot attack, as it is a bit more in-depth.

While the thieves in the Target attack were only able to gather names, card numbers, expiration dates, and CVV data from those transactions, the Home Depot thieves were able to garner more information.  In fact, they were able to obtain the card holder's full name, along with the city, state, and zip code of the store where the card was used. Why is that important? They now have nearly enough information to reset the personal identification number (PIN) on your debit card. All that is needed, the way most banks work now, is your social security number (SSN); and, they really only need the last four digits. Why, you might ask? Banks allow customers to reset their PINs through automated phone systems which typically require only the last four digits of the SSN to verify identity. As you can see, this is a very serious threat to those who shopped at Home Depot, including myself!

As of right now, there is no information regarding the number of people affected by the Home Depot attack. I can honestly say that I have not panicked yet; but, I am on the verge of requesting new debit cards from my bank as a precautionary measure. It will be interesting to follow this story over the next few months to see how many people were affected and how Home Depot deals with the breach. One thing I do know: my data is not as secure as I once thought it was. It also raises the questions, how safe is my data? Can I really trust the retailers I shop at? As our reliance on information and data continues to grow, securing that data is going to remain at the forefront, both professionally and personally.

References

D'Innocenzio, A. (2014, September 11). 4 Reasons Shoppers Will Shrug off Home Depot Hack. Retrieved September 13, 2014, from http://abcnews.go.com/Business/wireStory/reasons-home-depots-breach-matter-25432058

Krebs, B. (2014, September 8). In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud. Retrieved September 14, 2014, from http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-at-home-depot-banks-see-spike-in-pin-debit-card-fraud/

Lawrence, D., & Riley, M. (2014, September 11). Home Depot Malware Hints at Different Hackers Than Target's. Retrieved September 13, 2014, from http://www.businessweek.com/articles/2014-09-11/home-depot-hack-malware-points-to-different-hackers-than-targets

Pagliery, J. (2014, September 8). Home Depot confirms hack, maybe since April. Retrieved September 13, 2014, from http://money.cnn.com/2014/09/08/technology/security/home-depot-breach/

Ravenscraft, E. (2014, September 8). Home Depot Hacked By Same Group That Hacked Target [Updated]. Retrieved September 14, 2014, from http://lifehacker.com/home-depot-reportedly-hacked-by-same-group-that-hacked-1631973172

Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Retrieved September 14, 2014, from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Wallace, G., Pepitone, J., O'Toole, J., Isadore, C., Pagliery, J., & Johns, J. (2013, December 19). Target: 40 million credit cards compromised. Retrieved September 13, 2014, from http://money.cnn.com/2013/12/18/news/companies/target-credit-card/

Wallace, G. (2013, December 23). Target credit card hack: What you need to know. Retrieved September 14, 2014, from http://money.cnn.com/2013/12/22/news/companies/target-credit-card-hack/

Sunday, September 7, 2014

How Secure Do You Really Feel?

We spend a lot of time online, whether it is taking classes, reading the news, watching television, visiting social websites, or posting pictures.  There are a lot of ways to pass the time on the inter-webs.  We also store lots of information.  I, myself, have four terabytes of storage on my home server.  I am not using it all, but I have plenty for when I need it.  I store financial documents, homework, pictures, and music, just to hit the basics.  However, a lot of people have moved to cloud-based storage.  One such service, iCloud, was recently hacked.  

With the iCloud hack, some very personal photos of celebrities were leaked onto the internet.  Information that was supposed to be safe and secure was compromised.  How, you might ask?  Reading Smith's article, it appears that security vulnerabilities outside of Apple's control were to blame; at least, that is what Apple wants you to believe.  In fact, reading through the articles by Reed and Leyden, I am led to believe it was a phishing scam that opened the door.  This brought a question to my mind: how safe and secure do you really feel?

Phishing scams abound.  Phishing is the process by which a third party tries to gain access to your account by posing as the company you actually have an account with.  As Leyden puts it, the iCloud case involves an SMS scam in which users are sent a text message indicating there was an unauthorized attempt to gain access to their account.  They must provide their ID and password or risk being locked out completely.  Once you do that, it is too late; and, before you know it, your iCloud account is in the hands of mischievous bandits.  You have just opened the door for the enemy.

Many would like to blame the companies for our blunder.  After all, the email was from "them," wasn't it?  However, most companies I have ever dealt with specifically state in their terms and/or frequently asked questions that they will never ask you for your user ID or password.  If you ever receive a message saying you should provide them, look very, very carefully to ensure it is legitimate.  It is not the company's fault that you let your guard down, momentarily, and allowed the enemy through the gates.  So, how can you combat these false requests for information?

There are several things you can do to help protect yourself and your information online.  For sites that require a password, as Schneier states, you can use a password manager.  I use Google Chrome as my browser of choice and I love the fact that it has a built-in password manager.  It even auto-fills the usernames and passwords for me when I return to sites.  Schneier discusses how his password manager's auto-fill keeps him from inadvertently entering his password on a phony site, and Google Chrome's manager works the same way: it will only auto-fill saved credentials when the site's domain matches the one they were saved for.  Visiting PayPal.com will load my username and password; however, if I were to visit MyPayPal.com, it would not, and a blank login form on a site that should already be filled in is itself a warning sign.  Check the address in your browser's address bar when you visit a site.  If the URL does not match the one tied to the company, LEAVE!  Many phishing links arrive via email.  An easy way to determine whether a link is legitimate is to hover over it: the text of the link may say PayPal, but the link itself may take you to mypaypal.com, not the legitimate site.  Be wary of look-alike hosts as well; the part that matters is the real domain name in the address, not a familiar name that merely appears somewhere in it.
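The hover check described above can be written down as code. The example below is added here and is not code from the original post or from any browser or mail client; the sample e-mail HTML and the host names mypaypal.com, paypal.com.evil.example and evil.example are constructed for illustration. It does what a careful reader does by hand: parse each link's real destination, compare it with the host the visible text claims, and check that it actually belongs to the expected domain or one of its subdomains, so that look-alikes such as mypaypal.com, paypal.com.evil.example and paypal.com@evil.example are all rejected.

```javascript
// Added example (not from the original post): checking whether a link points at the
// site it claims to. The sample message and domain names below are constructed.

function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Parse an absolute http(s) URL and return its hostname, or null if it is not one.
// For "https://paypal.com@evil.example/" the parsed hostname is evil.example:
// the "paypal.com" before the @ is a username, not the site.
function hostOf(href) {
  try {
    const url = new URL(href);
    if (url.protocol !== "https:" && url.protocol !== "http:") return null;
    return normalizeHost(url.hostname);
  } catch (e) {
    return null;
  }
}

// True only when `href` goes to `legitimateDomain` itself or one of its subdomains.
// The comparison is on the parsed hostname, so mypaypal.com and
// paypal.com.evil.example both fail even though "paypal.com" appears in them.
function pointsAtDomain(href, legitimateDomain) {
  const host = hostOf(href);
  if (host === null) return false;
  const legit = normalizeHost(legitimateDomain);
  return host === legit || host.endsWith("." + legit);
}

// Pull (href, visible text) pairs out of simple HTML anchors; this is the pair a
// mail client shows you when you hover over a link.
function extractLinks(html) {
  const re = /<a\s[^>]*?href=["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return links;
}

// If the visible text itself looks like a URL or a bare domain, return the host it
// names; plain words such as "Log in" name no host and return null.
function hostNamedByText(text) {
  const t = text.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t);
  if (!hasScheme && !/^[^\s/]+\.[^\s/]+/.test(t)) return null;
  return hostOf(hasScheme ? t : "https://" + t);
}

// Audit every link in an HTML message against the domain the message claims to be
// from. Returns one finding per suspicious link; an empty array means nothing was flagged.
function auditLinks(html, legitimateDomain) {
  const findings = [];
  for (const link of extractLinks(html)) {
    const reasons = [];
    const shown = hostNamedByText(link.text);
    const actual = hostOf(link.href);
    if (shown !== null && shown !== actual) {
      reasons.push(`text shows ${shown} but the link goes to ${actual}`);
    }
    if (!pointsAtDomain(link.href, legitimateDomain)) {
      reasons.push(`${actual} is not ${legitimateDomain} or a subdomain of it`);
    }
    if (reasons.length > 0) findings.push({ href: link.href, text: link.text, reasons });
  }
  return findings;
}

// Constructed sample message in the style of the "unauthorized sign-in" lure above.
// Only the first link is genuine; the other three are the usual tricks.
const SAMPLE_MAIL = `
<p>We detected an unauthorized sign-in attempt. Confirm your account within 24 hours:</p>
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>
<a href="http://mypaypal.com/login">Log in to PayPal</a>
<a href="https://paypal.com.evil.example/">https://www.paypal.com/</a>
<a href="https://paypal.com@evil.example/verify">paypal.com</a>
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLinks(SAMPLE_MAIL, "paypal.com")) {
    console.log(`${f.href}\n  ${f.reasons.join("\n  ")}`);
  }
}
```

Run with `node` and the three bad links are reported with the reason each one fails; the genuine www.paypal.com link produces no finding. The design point is that every decision is made on the hostname the URL parser extracts, never on whether a familiar brand name happens to appear somewhere in the string, which is exactly the mistake a phishing link is built to exploit.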

In the end, companies can only do so much to protect you and your information.  You should feel secure in the online environment and trust that companies will hold up their end of the bargain.  However, they are relying on you just as much to keep your information safe and secure.  The next time you get a strange email or text message, do a little investigation of your own.  It might just be the next attempt at phishing information from consumers.

References

Leyden, John. "Something Smells PHISHY: It's the Celeb Nudie iCloud PERV Trap..." The Register. The Register, 04 Sept. 2014. Web. 07 Sept. 2014. <http://www.theregister.co.uk/2014/09/04/icloud_privacy_flap_phishing_warning/>.

Reed, Brad. "Apple Provides Key New Details on the Massive iCloud Hack of Nude Celebrity Pics." BGR. BGR Media, 02 Sept. 2014. Web. 07 Sept. 2014. <https://bgr.com/2014/09/02/apple-icloud-nude-celebrity-pictures-hack/>.

Schneier, Bruce. "Schneier on Security." Schneier on Security. Bruce Schneier, 05 Sept. 2014. Web. 07 Sept. 2014. <https://www.schneier.com/blog/archives/2014/09/security_of_pas.html>.

Smith, Chris. "Tim Cook Vows to Improve iCloud Security, Prevent Future 'Nudegates'." Yahoo! News. Yahoo!, 05 Sept. 2014. Web. 07 Sept. 2014. <http://news.yahoo.com/tim-cook-vows-improve-icloud-security-prevent-future-153310951.html>.

Sunday, August 31, 2014

Welcome to My Blog!

About This Blog

If you have found this blog, you are either a) a fellow student, b) my professor, or c) you searched for Cybersecurity and found it.  This blog is a requirement for my CIS 608 class through Bellevue University to aid in my learning about information security management; and, I look forward to learning a lot!

A Little About Me

I am working on completing my Master of Business Administration through Bellevue University.  I have five classes remaining, counting this one.  I received my Bachelor of Science through BU in 2009 and jumped right into my Master's program.  It has been a long road, going on five years now; but, I am putting forth the effort to finish up by next summer!

I am from Kansas and currently live in New Mexico.  I have served in the United States Air Force for the past 15 years and see the light at the end of the road for retirement.  Some days I am excited, others I am ready for the next five years to be over.  I am still very honored to serve my country and cherish each day I am able to!

I enjoy the great outdoors and am very active in the Cub Scouting community.  I have been a Tiger Cub, Wolf, and Bear Cub leader, as well as filling the Cubmaster and Assistant Cubmaster roles.  This year I am filling in as Assistant Cubmaster, helping a new Cubmaster get his feet wet; so, we'll be learning as we go, I am sure!

I am married with two kids, a cat, and a dog.  We try to keep ourselves busy with any free time we have and we all enjoy camping, fishing, and bike riding.  Being from Kansas, I am a life-long Royals and Chiefs fan; so, I root for Kansas City no matter what.  We have had a lot of disappointing seasons, but I still root for them!

That's me in a nutshell and a little about this blog.  Check back each week for posts about Cybersecurity! :)