Thursday, May 28, 2015

Looking back into my blog posts…

During the initial weeks, I decided to write about the data breaches and security concerns faced by major retailers and health care service providers. I could find a lot of information on the internet related to data breaches, as there are still many victims impacted by the intentional or unintentional release of secured information to an untrusted environment. I felt it is important for home owners to ensure their home network is secure enough and to know some techniques to keep it secure; hence, I wrote a post on securing the home network, which I think can be informative for readers. I also tried my best to describe in detail what causes online information security issues and what security measures can be taken to protect your online information.

I tried not to limit myself to certain items and wanted to hit many areas of information security, covering a variety of topics in my blog. Hence, starting in the fifth week of the course, I decided to write on the topic from the reading list for that week. While going through the assigned chapter from the text and researching the same topic online, I learned about some serious topics within information security, such as the importance of incident response plans, things to consider while developing an information security policy, promoting security awareness and so on. While writing the blog posts on these topics, I always felt that as a writer I had a big responsibility to present true facts and current, correct information to the readers.

I used the textbook for this course (CIS 608) as the main source for my blog posts. I found techtarget.com to be my most frequent online source and really appreciate the definitions of technical terms posted by Margaret Rouse on that website. Besides these, I also used a variety of sources each week and have mentioned those sources in the reference section of each post. I think these types of blogs can be very useful to an information security professional, as the internet is full of information, and in my opinion my classmates and I have contributed to the online world by adding some valuable information via these blogs. We need to make sure that we are adding correct information to the blog and, if we have used others' words, make sure we give them credit by using correct citations or links to the websites we used as the source of information.

Monday, May 18, 2015

Information Security Certifications and Positions

Have you ever thought about applying for an information security position? Well, I have thought about it, and as I am currently in a different industry, a little research on information security positions will help me learn more about the available positions. Many organizations rely on professional certifications, so it is always a good step to look at related job descriptions and try to determine which certification programs will help in the job market. The International Information Systems Security Certification Consortium, (ISC)2, offers certifications such as Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP) and Certified Secure Software Lifecycle Professional (CSSLP), which can be a plus point on a resume. Depending on the position you are interested in, there are several certifications designed specifically for it. For example, the Information Systems Audit and Control Association (ISACA) sponsors four certifications: Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC). The SANS Institute (formerly known as the System Administration, Networking, and Security Institute) developed a series of technical security certifications known as the Global Information Assurance Certification (GIAC).

The chief information security officer (CISO) is often considered the top InfoSec officer in the organization, and the CISSP and CISM certifications are common qualifications for the position. The CISO must be knowledgeable in all areas of InfoSec, including technology, planning and policy. The figure below (Whitman & Mattord, 2014) shows possible information security positions and reporting relationships within a business organization:



For someone who is new to the information security industry and does not have much professional experience, I would recommend starting with the role of security technician, which is an entry-level position. It requires some experience with a particular hardware or software package and familiarity with a particular technology. The job tasks involve configuring firewalls and IDPSs, implementing security software, diagnosing and troubleshooting problems, and coordinating with systems and network administrators to ensure that technical security controls are properly implemented.

References:

Indiana University (n.d.). Roles and Responsibilities for Technicians. Retrieved May 18, 2015 from https://protect.iu.edu/cybersecurity/policies/ISPP-25/25.1/technician

Whitman, M., & Mattord, H. (2014). Management of information security (4th ed.). Cengage Learning


Sunday, May 17, 2015

Importance of Encryption

You might have heard the term 'encryption' on various occasions while reading articles on information security. Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. It transforms the original message (the plaintext) into a form that cannot be used by unauthorized individuals, which makes things much harder for anyone without the key and the tools needed to convert the encrypted message back to its original form and interpret it. Many people think encryption and encoding are the same, but encoding is typically performed for the convenience of storage or transmission, not for keeping secrets: anyone can reverse an encoding such as Base64 without knowing any secret, whereas reversing encryption requires the key.

The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks. Devices like modems, set-top boxes, smartcards and SIM cards all use encryption or rely on protocols like SSH, S/MIME and SSL/TLS to encrypt sensitive data. It protects data in transit sent from all sorts of devices across all sorts of networks. Just think: when you use an ATM, shop online from a smartphone, make a phone call or press the remote button to lock your car, encryption is being used.

When information is encrypted, there is a low probability that anyone other than the receiving party, who holds the key or has access to another confidential process, would be able to decrypt the text and convert it back into plain, comprehensible text. Businesses use encryption to protect corporate secrets, governments use it to secure classified information, and many individuals use it to protect personal information against things like identity theft. Encryption is your last defense against malicious security crackers violating your privacy: when all other means of protecting the data on your computer prove fruitless, encryption is the last barrier against your most sensitive data being accessible to people who simply should not have it. That barrier only holds as long as the key itself stays secret, which is why protecting and managing keys matters as much as choosing a strong algorithm.

References:

Rouse, M. (n.d.). Encryption. Retrieved May 16, 2015 from http://searchsecurity.techtarget.com/definition/encryption

Perrin, C. (2008). The importance of being encrypted. Retrieved May 17, 2015 from http://www.techrepublic.com/blog/it-security/the-importance-of-being-encrypted/

Whitman, M. & Mattord, H. (2014). Management of Information Security. Cengage Learning  

Sunday, May 10, 2015

Risk Control Strategies

When there is a chance of rain in the afternoon, it is a smart move to take an umbrella with you when you plan to spend time outside. Risk control is the method by which business firms and organizations evaluate potential losses and take action to reduce or eliminate those threats. It takes the findings of a risk assessment and implements changes that reduce the risk in the areas identified. Once risks have been identified and contingency plans developed, risk control strategies can be selected and implemented. To control a risk, an organization can act to minimize its effect, change aspects of the event so that the risk disappears, or transfer some of the risk to other parties such as insurance companies. Below are the five strategies for controlling risk within an organization (Whitman & Mattord, 2014):

Defense
The defense strategy attempts to prevent the exploitation of a vulnerability by applying safeguards that eliminate or reduce the remaining uncontrolled risk. This strategy was formerly referred to as avoidance. There are three methods of defense: application of policy, which allows all levels of management to mandate that certain procedures always be followed; application of training and education, to create a safer and more controlled organizational environment; and implementation of technology, which applies technical controls to reduce the risk.

Transference
The transference strategy attempts to shift the risk to other assets, other processes or other organizations, for example an insurance company that takes on the financial consequences. Transfer can be accomplished by rethinking how services are offered, revising deployment models, outsourcing to another organization, purchasing insurance or implementing service contracts with providers. Transferring a risk does not transfer accountability: if outsourced data is breached, the organization that collected it still answers to its customers and regulators.

Mitigation
The mitigation strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. It relies on three types of plans: the incident response plan, the disaster recovery plan and the business continuity plan.

Acceptance
The acceptance strategy is the decision to do nothing to protect an information asset from risk and to accept the outcome of its exploitation. Acceptance is a valid strategy only if the organization has determined the level of risk, assessed the probability of attack, estimated the potential damage, determined the cost of controlling the risk to the particular function, asset or data, and concluded that the cost of protection is not justified. It should be a documented management decision, not the default that results from ignoring a risk.

Termination
The termination strategy directs the organization to avoid business activities that introduce uncontrollable risks. If the organization chooses not to protect an asset but does not wish to remain at risk, the asset (or the activity that depends on it) is removed from the environment. Usually termination occurs when the cost of protecting the asset outweighs its value.

References:
Gillette, W. (n.d.). Risk control strategies. Retrieved May 9, 2015 from http://www.cs.uwlax.edu/~riley/CS419/RiskControl.ppt
   
Thorpe, S. (n.d.). Risk Control Strategies. Retrieved May 9, 2015 from

Whitman, M. & Mattord, H. (2014). Management of Information Security. Cengage Learning  


Saturday, May 2, 2015

Identifying Threats in a business organization

A threat is an agent that may want to, or definitely can, cause harm to the target organization. Threats are the potential for vulnerabilities to turn into attacks on computer systems, networks and more. They put individuals' computers and business systems at risk, so vulnerabilities have to be fixed before attackers can infiltrate the system and cause damage. It is therefore an important task for an organization to identify which threats have the potential to cause serious damage and lead to attacks on its computer systems.

Threats come in the form of spyware, malware, adware, software attacks, human error, internal and external data theft and so on. The organization should watch for attackers by sifting through its log data to identify actual attack patterns, which gives a good idea of the types of attacks it is really facing rather than the ones it merely imagines. Information security awareness training for employees is always a good place to start. Once employees have a good idea of what counts as a threat, they will think twice before opening email from an unidentified source or plugging an external device into their work PC. Organizations that give employees unrestricted access to social networking sites need to understand the risks that are out there and make sure the proper controls are in place.

It is clear that no security suite will give us 100% protection, but we need to minimize the risk waiting at our doorway. To do that we need a scoring mechanism, rating each threat by its likelihood and its impact, that helps us make the right decision about where to spend our effort.

Forces of nature in the form of earthquake, flood, fire and lightning can be considered threats as well. Hardware can fail, resulting in loss of data and revenue. Viruses, worms, spyware, malware and adware can always harm a PC and help intruders steal valuable information, so running antivirus software and security scans on a regular basis is always recommended. An organization should also prepare for insider threats, which come from its own staff. Access controls and proper transaction logging play a key role here: configuring the system to define who may access which data, and keeping a record of which transaction occurred, at what time and by whom.
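To make the log-sifting point concrete, here is an added Python example (not from the original post or the cited articles) that runs three simple detections over constructed, syslog-style authentication and transaction log lines: repeated failed logins from one source inside a short window, a successful login from a source that had just been failing repeatedly, and out-of-hours access to a sensitive table. The log format, hostnames, usernames, table names and IP addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data) in a syslog-like format:
#   <timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>
SAMPLE_AUTH_LOG = """\
2015-05-02T02:14:01 gw01 sshd: Failed password for root from 203.0.113.7
2015-05-02T02:14:03 gw01 sshd: Failed password for root from 203.0.113.7
2015-05-02T02:14:05 gw01 sshd: Failed password for admin from 203.0.113.7
2015-05-02T02:14:08 gw01 sshd: Failed password for admin from 203.0.113.7
2015-05-02T02:14:10 gw01 sshd: Failed password for backup from 203.0.113.7
2015-05-02T02:14:12 gw01 sshd: Failed password for backup from 203.0.113.7
2015-05-02T02:15:40 gw01 sshd: Accepted password for backup from 203.0.113.7
2015-05-02T09:01:22 gw01 sshd: Failed password for alice from 198.51.100.4
2015-05-02T09:01:40 gw01 sshd: Accepted password for alice from 198.51.100.4
"""

# Constructed application transaction log: who did what, to which table, when.
SAMPLE_TXN_LOG = """\
2015-05-02T02:16:05 app01 payroll: user=backup action=EXPORT table=salaries rows=1200
2015-05-02T10:30:11 app01 payroll: user=hr_mgr action=UPDATE table=employees rows=1
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)
TXN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_auth_log(text):
    """Parse recognised lines into dicts; unrecognised lines are skipped here
    (in production they should be counted, since silent parse failures hide attacks)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` failed logins inside a sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def find_success_after_failures(events, min_failures=3):
    """An accepted login right after a run of failures from the same IP is the
    pattern of a guessed password; a single typo followed by success is not."""
    streak = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            streak[e["ip"]] += 1
            continue
        if streak[e["ip"]] >= min_failures:
            hits.append((e["ip"], e["user"], streak[e["ip"]]))
        streak[e["ip"]] = 0
    return hits


def find_after_hours_sensitive_access(text, sensitive_tables=("salaries",), business_hours=(8, 18)):
    """Transactions against sensitive tables outside business hours, with who/what/when."""
    hits = []
    for line in text.splitlines():
        m = TXN_RE.match(line)
        if not m:
            continue
        hour = datetime.fromisoformat(m["ts"]).hour
        if m["table"] in sensitive_tables and not business_hours[0] <= hour < business_hours[1]:
            hits.append((m["user"], m["action"], m["table"], int(m["rows"])))
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute force:", find_brute_force(evs))
    print("success after failures:", find_success_after_failures(evs))
    print("after-hours sensitive access:", find_after_hours_sensitive_access(SAMPLE_TXN_LOG))
```

Run together, the three detections tell one story: the same source that was guessing passwords gets into the `backup` account and, minutes later, exports the salary table at two in the morning. Each rule on its own is noisy; correlating them by source and account is what turns log data into an attack pattern.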

References:

Katz, O. (2012). Identify the Most Probable Threats to an Organization. Retrieved from https://devcentral.f5.com/articles/identify-the-most-probable-threats-to-an-organization

Techopedia (n.d.). Threat. Retrieved from http://www.techopedia.com/definition/25263/threat

Saturday, April 25, 2015

Importance of Access Control

Have you ever wondered why your colleague sees a different view of the same internal office website, with extra menus and tabs that you cannot access? Wouldn't it be nicer to have access to all the available menus, tabs and buttons? Well, it would be nicer, but remember that greater power comes with greater responsibility. In information security, access control is the selective restriction of access to resources, and login credentials are one of the mechanisms by which it is enforced. Information security is the primary reason for having an access control system, although it can also be used to monitor users' access to the system. Access control is maintained by means of a collection of policies, programs that carry out those policies and technologies that enforce them. It enables organizations to restrict access to information and assets.

Authentication is used to identify a user and the host they are using. Whereas the first goal of user authentication is to verify that the user, whether a person or a system, attempting to interact with the system is who they claim to be and is allowed to do so, a second goal is to gather information about the way the user is accessing your system. For example, some companies that are strict about network security do not allow a VPN connection if the staff member is connecting from an unsecured network such as free Wi-Fi in a coffee shop. Authorization is the act of determining the level of access that an authenticated user has to behavior and data. For example, an HR manager has more access to view and update employee information than the rest of the HR staff.

Access control based on user roles (role-based access control, RBAC) is designed to prevent unauthorized access to data. In many business organizations, user accounts are scattered across various applications; each application may offer a few privilege levels, but they are unlikely to reflect the complex combinations of privileges present in the hierarchy of employee roles. Without properly managed account privileges, the network is open on both sides, to attacks from external hackers and to internal data breaches. There are different types of access control. In mandatory access control (MAC), the system, not the user, specifies which subjects can access which data objects, based on labels it assigns, so MAC is better suited to places such as a military institution. In discretionary access control (DAC), a user has complete control over the files and programs they own and determines the permissions other users have on them. Since it lets owners and administrators grant access to users according to their job requirements, DAC is the common choice in businesses and corporations. The practical caveat with DAC is that an owner can over-share, so least privilege has to be enforced by policy and periodic review, not by the mechanism alone.
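As an added example, not taken from the cited sources, the Python below models the three decisions the post describes: an RBAC check with a deny-by-default role table (the HR manager versus HR staff case), a MAC check where the system's sensitivity label, not the role, has the last word on reads, and a DAC object whose owner alone may extend its ACL. The role table, users, labels and resources are assumptions made up for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission table (an assumption for this example).
ROLE_PERMISSIONS = {
    "hr_staff":   {"employee:read"},
    "hr_manager": {"employee:read", "employee:update", "salary:read"},
}

# MAC sensitivity ordering; labels are assigned by the system, never by the owner.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    clearance: str


@dataclass
class Resource:
    name: str
    label: str   # MAC label
    owner: str   # DAC owner
    acl: dict = field(default_factory=dict)  # DAC: user name -> set of permissions


def rbac_allowed(user, permission):
    """RBAC: deny by default; an unknown role grants nothing."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def mac_read_allowed(user, resource):
    """MAC 'no read up': a subject may not read an object labelled above its clearance."""
    return SENSITIVITY[user.clearance] >= SENSITIVITY[resource.label]


def dac_grant(resource, grantor, grantee, permission):
    """DAC: only the owner can decide who else may use the object."""
    if grantor.name != resource.owner:
        raise PermissionError(f"{grantor.name} does not own {resource.name}")
    resource.acl.setdefault(grantee.name, set()).add(permission)


def dac_allowed(resource, user, permission):
    return user.name == resource.owner or permission in resource.acl.get(user.name, set())


def can_access(user, resource, permission):
    """Combined decision: the role must grant the action AND, for reads, the label must permit it.
    Either mechanism alone can deny; neither can override the other."""
    if permission.endswith(":read") and not mac_read_allowed(user, resource):
        return False
    return rbac_allowed(user, permission)


def demo():
    manager = User("maria", frozenset({"hr_manager"}), "confidential")
    staff = User("sam", frozenset({"hr_staff"}), "internal")
    employees = Resource("employees", "internal", owner="hr_system")
    salaries = Resource("salaries", "confidential", owner="hr_system")
    results = {
        "manager_updates_employee": can_access(manager, employees, "employee:update"),
        "staff_updates_employee": can_access(staff, employees, "employee:update"),
        "staff_reads_employee": can_access(staff, employees, "employee:read"),
        "manager_reads_salary": can_access(manager, salaries, "salary:read"),
    }
    # A role grant cannot bypass a MAC label: Sam gets the manager role but keeps his clearance.
    promoted_sam = User("sam", frozenset({"hr_manager"}), "internal")
    results["low_clearance_manager_reads_salary"] = can_access(promoted_sam, salaries, "salary:read")
    # DAC: Maria owns a report and shares it; Sam, not being the owner, cannot share it onward.
    report = Resource("q2-report", "internal", owner="maria")
    dac_grant(report, manager, staff, "read")
    results["shared_report_readable"] = dac_allowed(report, staff, "read")
    try:
        dac_grant(report, staff, promoted_sam, "read")
        results["non_owner_grant_blocked"] = False
    except PermissionError:
        results["non_owner_grant_blocked"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `low_clearance_manager_reads_salary` case is the one to notice: with MAC in the loop, adding a role to an account is not enough to expose labelled data, which is exactly the property a military or regulated environment wants and a pure DAC or RBAC setup does not give.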

References:

Ambler, S. (n.d.). Implementing Security Access Control (SAC). Retrieved April 24, 2015 from http://www.agiledata.org/essays/accessControl.html

Bradbury, D. (2007). How to implement role-based access control. Retrieved April 24, 2015 from http://www.computerweekly.com/news/2240083532/How-to-implement-role-based-access-control

Thursday, April 23, 2015

Network Security in a business organization

A couple of weeks ago I added a post on how to secure a home network; this one is about securing the network within a business organization. The term 'network security' covers the applications and software designed to protect your organization's network. Effective network security targets a variety of threats and stops them from entering or spreading on the organization's network.

The most common threats to any computer network are viruses, worms, spyware and adware, hacker attacks, data interception and identity theft. Multiple layers of security need to be implemented so that if one fails, the others still stand. Hardware and software need to be constantly updated and managed to protect you from emerging threats. Components such as anti-virus and anti-spyware software, a firewall to block unauthorized access to the network, and virtual private networks (VPNs) to provide secure remote access help accomplish the goals of network security. Keeping the network secure helps a business meet mandatory regulatory compliance and protect its customers' data, reducing the risk of legal action arising from data theft.

In my opinion, the IT security policy is the principal document for network security, and it should outline the rules for ensuring the security of organizational assets. The policy should clearly state that employees may install only approved applications and software on their office PCs or laptops. All network traffic flows should be analyzed, with the aim of preserving the confidentiality, integrity and availability of all systems and information on the network.

The concept of defense in depth is regarded as a best practice in network security: the network is secured in layers, and each layer applies an assortment of security controls to sift out threats trying to enter the network:

·Access control
·Identification
·Authentication
·Malware detection
·Encryption
·File type filtering
·URL filtering
·Content filtering

While monitoring network traffic and user access to the network is an important task for the network admin, auditing network use encourages continuous improvement by requiring the organization to reflect on the implementation of its policy on a consistent basis. The cost of implementing better network security can turn out to be money well spent compared with the expense of recovering from a data breach.
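Two of the layers in that list, file type filtering and URL filtering, are easy to implement in a way that lets the layer fail silently, so here is an added Python example (not from the Palo Alto Networks page or the original post) showing a file-type filter that inspects the content's leading bytes instead of trusting the extension, a URL filter that parses the hostname instead of matching strings, and a combined check in which either layer can deny on its own. The blocklisted domains, file names and byte strings are constructed for the demo.

```python
from urllib.parse import urlsplit

# --- Layer: file type filtering ---------------------------------------------
# Leading "magic" bytes of common formats. Trusting the extension alone is the
# classic failure: a renamed executable sails through as a "document".
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",          # Windows PE executables and DLLs
    b"PK\x03\x04": "zip",  # also docx/xlsx/jar containers
    b"\x7fELF": "elf",
}
# Extension -> content kind the policy expects; anything not listed is denied.
EXPECTED_KIND = {"pdf": "pdf", "zip": "zip", "docx": "zip"}


def detect_type(data):
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def file_allowed(filename, data):
    """Allow only when the extension is permitted AND the bytes really are that format."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_KIND.get(ext)
    return expected is not None and detect_type(data) == expected


# --- Layer: URL filtering ---------------------------------------------------
BLOCKED_DOMAINS = {"evil.example", "phish.example"}  # constructed blocklist


def url_blocked_naive(url):
    """String-prefix matching: misses subdomains and userinfo tricks, over-blocks look-alikes."""
    prefixes = tuple(f"{scheme}://{d}" for scheme in ("http", "https") for d in BLOCKED_DOMAINS)
    return url.lower().startswith(prefixes)


def url_blocked(url):
    """Parse the URL, normalise the host, and match the domain or any subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


# --- Defense in depth: independent layers, any of which can deny -------------
def download_allowed(url, filename, data):
    return not url_blocked(url) and file_allowed(filename, data)


def demo():
    pe_header = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"  # constructed stub
    pdf_header = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
    zip_header = b"PK\x03\x04" + b"\x00" * 26
    return {
        "renamed_exe_as_pdf": file_allowed("invoice.pdf", pe_header),
        "real_pdf": file_allowed("invoice.pdf", pdf_header),
        "exe_named_exe": file_allowed("setup.exe", pe_header),
        "docx_is_zip": file_allowed("memo.docx", zip_header),
        "naive_misses_subdomain": url_blocked_naive("https://cdn.evil.example/update.pdf"),
        "proper_blocks_subdomain": url_blocked("https://cdn.evil.example/update.pdf"),
        "naive_misses_userinfo": url_blocked_naive("http://user@evil.example/"),
        "proper_blocks_userinfo": url_blocked("http://user@evil.example/"),
        "naive_overblocks_different_domain": url_blocked_naive("https://evil.example.com/"),
        "proper_allows_different_domain": url_blocked("https://evil.example.com/"),
        # URL layer sees a clean host; the file layer still catches the executable payload.
        "clean_host_but_exe_payload": download_allowed(
            "https://files.partner.example/invoice.pdf", "invoice.pdf", pe_header),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last case is the defense-in-depth argument in miniature: the URL filter has nothing to say about a host that is not on the blocklist, and the file-type layer still refuses the PE file regardless of what it was named. Each layer is judged on its own evidence, which is what makes one failing layer survivable.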

Reference:

Palo Alto Networks (n.d.). What is network security? Retrieved April 21, 2015 from https://www.paloaltonetworks.com/resources/learning-center/what-is-network-security.html