Sunday, February 26, 2012

Week 11

So much information in so little time. I decided to post a bit of the discussion we had in CYBR 610: Risk Management. It really got me thinking. I will be paraphrasing here, but several of my peers brought up some good points as to why risk management and Internet security aren't really taken seriously yet.


  • Human beings are animals and won't respond until danger is imminent.
  • People buy security software and think that is enough to secure their devices.
  • People assume there will be someone out there to "fix" their problems when something does go wrong.
  • People don't like change.
  • People like convenience and just want everything to work easily.
I started thinking about it. I remember my interview with the Human Resources guy: he noticed that I was getting my Master's in Cybersecurity and assumed the base was going to want me. It made me realize he didn't understand what cybersecurity was. I'm not saying he's stupid; I just think he is part of the majority that thinks cybersecurity is a military or DoD thing. It's a big word that actually applies everywhere from the home office to the FBI.

So, the question became: should we teach risk management and information security at the junior high and high school level? I started thinking about that and realized that risk management is already being taught in other subjects, such as PE and science. In PE, kids stretch and warm up before vigorous exercise, managing the risk of injury from training muscles that have not been warmed up. Science requires safety instruction on how to handle scalpels for dissections or how to handle acid and water.

It would make sense to put something that simple into the computer classes, I'm sure. After all, risk management, or security, should just be something that happens, not a separate job. It should be a habit, much like warming up before exercising or learning the importance of making sure the scalpel is properly cleaned and taking care of the specimens to be dissected. Computer classes could begin in junior high with the basics: the importance of strong passwords, Internet safety, and backing up your data. Start small and easy. In high school, students could assess the assets in their computer labs or even their homes and develop risk mitigation plans, showing them real-world applications of risk management.

Cybersecurity is not only a national security issue. It's something that can be applied at home and should start in the home. The question is, how do we make people aware that security is more than just software? Again, people typically don't respond until they are the victims of ID theft or bank fraud. Nobody tells the public that the security software they buy is useful but not 100% effective. Much as there are car mechanics who are not trustworthy, there are computer techs who are just as dishonest. If you don't know your devices, how do you know you are getting quality repair work? And finally, what can be done to get people to change their habits?

I would like to ask you a few questions to get you started:

  • How many passwords do you have?
  • If you only have one or two, are they used on all your accounts, from banks to e-mail?
  • If your job requires your account at work to have a long and complicated password, did you write it down and put it someplace that you think is hidden but could still be found?
  • Is your WiFi at home broadcasting its SSID? (Hiding it is a minor speed bump at best: your own devices reveal the network name when they probe for it, so the passphrase in the next question is what actually matters.)
  • Is your WiFi encrypted and password protected (WPA2 with a strong passphrase), so that only those who know the password can get onto your network?
  • Is your security software updated?
  • Are your OS patches up to date?
All these are things you can fix at home to reduce your risk of attack and secure your home office. All those things are cybersecurity.
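The first three questions on that list (how many passwords, whether they are reused, whether they are weak) can be checked mechanically. The following script is an added example, not code from the original post: it audits a constructed list of account/password pairs for reuse and length, and checks each one against a constructed stand-in for a breach corpus using the same five-character SHA-1 prefix lookup that public "pwned password" services use, so that only a hash prefix would ever need to leave your machine. The account names, passwords and the "breached" set are all made up for the illustration.

```python
"""Offline audit of the password habits the checklist asks about.

Added example for this blog post; the accounts and the breach set below
are constructed for illustration and are not real data.
"""
import hashlib
from collections import defaultdict

# Constructed sample: account name -> password currently in use.
ACCOUNTS = {
    "bank": "Summer2012!",
    "email": "Summer2012!",                 # reused from the bank login
    "work-vpn": "correct horse battery staple",
    "forum": "password1",
}

# Constructed stand-in for a breach corpus. Real services publish these as
# uppercase SHA-1 hex digests and let you query by the first five characters.
BREACHED_SHA1 = {
    hashlib.sha1(b"password1").hexdigest().upper(),
    hashlib.sha1(b"123456").hexdigest().upper(),
}

MIN_LENGTH = 12  # assumed minimum for this audit


def sha1_upper(password):
    """Uppercase hex SHA-1 of the password, the form breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Simulate a k-anonymity range query: given a 5-character SHA-1
    prefix, return the suffixes of every breached hash that shares it.
    Only the prefix is sent; the full match is made on the client side."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """True if the password's full hash appears in the breach set."""
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5])


def audit_passwords(accounts, min_length=MIN_LENGTH):
    """Return {account: [finding, ...]} for every account with a problem.

    Findings: the password is reused on other accounts, is shorter than
    min_length, or appears in the breach corpus.
    """
    by_password = defaultdict(list)
    for name, pw in accounts.items():
        by_password[pw].append(name)

    findings = {}
    for name, pw in accounts.items():
        issues = []
        peers = sorted(a for a in by_password[pw] if a != name)
        if peers:
            issues.append("reused on: " + ", ".join(peers))
        if len(pw) < min_length:
            issues.append(f"shorter than {min_length} characters")
        if is_breached(pw):
            issues.append("appears in breach corpus")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in sorted(audit_passwords(ACCOUNTS).items()):
        print(f"{account}: " + "; ".join(issues))
```

Run against the sample, the bank and e-mail logins are flagged for sharing a password that is also too short, the forum login is flagged as short and present in the breach set, and the long, unique VPN passphrase passes. Swap in your own exported list to get the same report for your real accounts.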

Sunday, February 19, 2012

Week 10

I don't really have much to offer in regards to links this go around except this week's reflections of the events of the past couple of weeks.

This week's assignment for CIS 608 concerned the different forms of biometric security. In doing this assignment, I realized that in the last two weeks I have been exposed to many forms of identity verification, ranging from security questions on my bank's website to taking the CBEST test. We were asked which form of biometric would be most acceptable to the average person, so to speak.

Believe it or not, we are asked to prove who we are all the time, and not all of it is biometric. If you don't have your ID on you when you go to the bank, the bank has several standard questions for you, such as the last four digits of your Social Security number or your mother's maiden name. Strictly speaking, these are knowledge-based authentication (something you know), not biometrics (something you are), and they are only as secret as the facts behind them. Unfortunately, if you are divorced, your ex-spouse knows the answers to all those questions, which means you need to change them to something that only you would know.

Another is signature recognition when you sign that snazzy terminal at the bank. I don't feel this is accurate, because I can't sign that stupid thing properly anyway and my signature never matches my driver's license. Not to mention, forgery was a problem with checks; why would this be any different?

In recent weeks, I got hired on at the local school district. One of the requirements was for me to be fingerprinted by Live Scan. That wasn't too painful, although the machine can be picky about your fingerprints, and if your finger slides you have to do the whole thing over again. But it was handy, and I was glad to find out that my Information Warfare research and the resulting paper did not put me on the FBI's or the Department of Justice's terrorist list!

Finally, I was asked to take the CBEST because the school district wanted to know if I would be a substitute teacher. Sure. I visited Pearson VUE to take the CBEST. When I got there, they took my picture and then had my right palm scanned, left palm scanned, right palm scanned again, and left palm scanned again. What was wild was that I could not carry my phone in with me to the testing area (OK, smart phones, I can see that), and they kicked my husband out of the building!!!! My phone and water bottle were placed in a locker in the lobby. When I went into the testing station, they checked my driver's license and then scanned my palms again. If I wanted to take a break (the test is almost 5 hours long), I had to show my driver's license and scan my palm again to exit the testing area. I was not allowed to use my phone or anything electronic. When I went back into the testing area, I had to show ID again and scan my palms again. Oh! And I was being video and audio recorded, which really sucked, because tests make me nervous and my stomach was making a whole lot of noise (hence my need for the water bottle, which I was denied)!!!!

Anyway, when I finished the test, I was escorted out of the testing area, showed ID, scanned my palm, got a copy of the unofficial test scores, went to the front desk, scanned my palms again, and was released.

Who would have thought that taking a test was SOOOO serious and required so much security!!!!!

It really made me ponder: if security is this tight for a test, what would it be like working for the government! HOLY COW!!!

Monday, February 6, 2012

Week 9

This week, I got to post a blog for CYBR 610: Risk Management, taught by Ronald Woerner, aka "Coach." Some of the articles I found I thought would be appropriate here as well. The EC-Council is recommending that CISOs change how they do risk assessments by "wargaming," and the Financial Times states that organizations are still blind to the importance of information security. I have included a link to the EC-Council's white paper on wargaming below. Enjoy.

In one of Coach's blogs, he mentioned that 2011 was the "Year of the Breach" and that, as risk management professionals, we should do what we can to make 2012 the "Year of Security" (Jan 4, 2012). However, according to the Financial Times, that may be easier said than done (Risk Managers' Uphill Task).

"The importance of risk management will increase in 2012, said more than 90 per cent of risk managers in a survey, but the biggest challenge they have is demonstrating the value of risk management."

This means that if you are in risk management or information security, you are simply an adviser. In "IT Risk: Turning Business Threats Into Competitive Advantage," the authors state that risk management is not just one department's job but should be integrated into the culture of the organization so that it is merely part of the job. The Financial Times seems to agree:

"The risk managers agreed the single most important development for risk management would be a change in organizational cultures that led to a better defined risk appetite."

Another article stressed how important it is for CISOs to impress on their organizations that security is no minor concern (EC-Council Encourages CISOs To Adopt A New Risk Management Process To Prevent Information Security Breaches).

"The damage created by the highly publicized security breaches in 2011 has many Chief Information Security Officers (CISOs) seeking alternative ways to create strategies to manage risk. A new risk management process called Business Wargaming will help the CISO forecast future scenarios and build better proactive and reactive strategies."

The claim is that business wargaming lets a CISO not only address the most common breaches but also anticipate future attack scenarios and plan proactive and reactive responses to them. The argument is that with new technology such as smart phones, iPads, and cloud services, the conventional way of doing risk management is no longer as effective.

Want to know more about wargaming? Click here: Wargaming For Chief Information Security Officers.

While it may take some convincing for upper management outside the realm of IT to accept that information security is as important as customer satisfaction and sales, the one thing I have run into isn't that kind of apathy but rather ignorance of information security altogether.

When I was working at Sears, the owner didn't even know that information security existed, and he became the victim of refund fraud. During a recent job interview, I was almost not hired because the interviewer thought that cybersecurity was for organizations like the military and the DoD and that the base would snatch me up. He did not know that cybersecurity is for everyone, from the PC at home to government top secret classified information.

Perhaps information security's worst enemy is ignorance, not apathy. One thing is for sure: either one is a recipe for disaster for any organization. It's our job to hit these organizations with the 2 x 4 of truth before the 2 x 4 of reality hits. We do this by closing the language barrier and breaking down the segregation of positions. Upper management needs to be tightly connected to IT, and IT tightly connected to upper management, so that security becomes part of the organizational culture. Once they are connected, both can focus on the same objective for the organization; instead of competing for resources, they become cohesive, aiming at the same objective in their own ways.

References:

Grene, Sophia. (2012, February 4). Risk Managers' Uphill Task. Financial Times. Retrieved from http://www.ft.com/cms/s/0/8926d1b0-4e5b-11e1-aa0b-00144feabdc0.html

PRWeb. (2012, February 6). EC-Council Encourages CISOs To Adopt A New Risk Management Process To Prevent Information Security Breaches. Retrieved from http://www.prweb.com/releases/prweb2012/2/prweb9169249.htm

Westerman, George, and Hunter, Richard. (2007). IT Risk: Turning Business Threats Into Competitive Advantage. Boston, Massachusetts: Harvard Business School Press.

Thursday, February 2, 2012

Week 8

Another crazy week. I have finally figured out that when you have a family, ALWAYS expect emergencies, particularly when you are busiest! Which means I will soon be duct-taping my youngest son up to prevent any more "Superman" accidents.

It's funny how people associate information security with hacking, viruses, hard drive crashes, and other such crazy disasters. Not many associate it with politics. As the uses of the Internet expand, it was only a matter of time before politics got involved. After taking the Information Warfare class, I seriously began to ponder whether physical war would become obsolete. Will World War III be conducted by buttons and joysticks in a virtual battleground? Where I live, they are conducting many experiments on unmanned aircraft and the like.

On top of it all, there are laws being passed left and right. One set protects privacy; another states that privacy only creates a national security risk. It's enough to drive a person insane!

In Letter To Congress, Google Defends Privacy Changes

In case you don't know, sites like Google.com, Facebook, Myspace, and other social networks and search engines are watching you. They track what you say in your updates, what your likes and dislikes are, and what you search for on a regular basis. They are collecting data on your surfing habits. This allows the sites to put up ads that you might be interested in. It also creates privacy issues, as sometimes that information is sold to third parties, which could inundate you with lots of spam.

Google is changing its privacy policies, which has people in an uproar. Google claims that the privacy of its users will still be protected and that the data collected after the new policies are implemented will be the same as before, but others aren't so sure. Remember, Google is still being sued in the United States for sniffing packets from unencrypted WiFi networks in private homes. The legal status of Internet privacy has yet to be determined.

Let's face it, the minute you log in, you might as well be naked to the world. Because in Cyberspace, privacy is nonexistent.

I found my next story kind of amusing. For me it was a no-brainer. Information is currency: the more information you get, the more money you can make. It was about time the creators of malware started their own business! Zeus Trojan for sale! Come and get it!

For 'Malware as a Service' Merchants, Business Is Booming

Bet you were wondering where those Script Kiddies were getting their hacking software from, huh?

They are malware merchants; in the business of helping others steal from legitimate businesses and innocent consumers. And they have evolved to the point where they operate much like the legitimate software industry. It is possible to buy malware from what amounts to an app store, or to contract for Malware as a Service (MaaS).

Well, shoot, if they are being that open about it, why aren't they getting caught? Apparently, most of the people selling these services are using an "Onion Router." Not knowing what the heck that is, I decided to hit the link in the article, and it took me here:

Researchers Show How Attackers Can Crack Onion Router

With that in mind, the only way to get caught is if you honk them off and they tell on you... or, as the typical adage goes, "No honor among thieves."

Pretty interesting stuff.