Thursday, May 28, 2015

Looking back into my blog posts…

During the initial weeks, I decided to write about the data breaches and security concerns faced by major retailers and health care service providers. I could find a lot of information on the internet related to data breaches, as there are still many victims impacted by the intentional or unintentional release of secured information to an untrusted environment. I felt it is important for homeowners to ensure their home network is secured well enough and to know some techniques to keep a home network secure; hence, I wrote a post on securing a home network which I think can be informative for readers. I also tried my best to describe in detail what causes online information security issues and what security measures can be taken to protect your online information.

I tried not to limit myself to certain items and wanted to cover many areas of information security in my blog, spanning a variety of topics. Hence, starting in the fifth week of the course, I decided to write on the topic from the reading list for that week. While going through the assigned chapter from the text and researching similar topics online, I learned about some serious subjects within information security, such as the importance of incident response plans, things to consider while developing an information security policy, promoting security awareness and so on. While writing the blog posts on these topics, I always felt that as a writer I had a big responsibility to present true facts and current, correct information to the readers.

I used the textbook for this course (CIS 608) as the main source for my blog posts. I used techtarget.com as a frequent online source and really appreciate the definitions of technical terms posted by Margaret Rouse on that website. Besides these, I also used a variety of sources each week and have listed those sources in the reference section of each post. I think blogs like these can be very useful to an information security professional, as the internet is full of information, and in my opinion my classmates and I have contributed to the online world by adding some valuable information via these blogs. We need to make sure that we are adding correct information to the blog, and if we have used others’ words, make sure we give them credit with a correct citation or a link to the website we used as the source of information.

Monday, May 18, 2015

Information Security Certifications and Positions

Have you ever thought about applying for an information security position? Well, I have thought about it, and as I currently work in a different industry, a little research on information security positions will help me learn more about the positions available. Many organizations rely on professional certifications, so it is always a good step to look at the related job descriptions and try to determine which certification programs will help in the job market. The International Information Systems Security Certification Consortium (ISC)2 offers security certifications such as Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP) and Certified Secure Software Lifecycle Professional (CSSLP), which can be a plus point on a resume. Depending on the information security position you are interested in, there are several certifications designed specifically for that position; for example, the Information Systems Audit and Control Association (ISACA) sponsors four certifications: Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), Certified in the Governance of IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC). The SANS Institute, formerly known as the System Administration, Networking, and Security Institute, developed a series of technical security certifications known as the Global Information Assurance Certification (GIAC).

The chief information security officer (CISO) is often considered the top InfoSec officer in the organization, and the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications are common qualifications for the position. The CISO must be knowledgeable in all areas of InfoSec, including technology, planning, and policy. The figure below (Whitman, M., & Mattord, H., 2014) shows possible information security positions and reporting relationships within a business organization:



For someone who is new to the information security industry and does not have much professional experience, I would recommend starting with the role of security technician, which is an entry-level position. It requires some level of experience with a particular hardware and software package and familiarity with a particular technology. The job tasks involve configuring firewalls and IDPSs, implementing security software, diagnosing and troubleshooting problems, and coordinating with systems and network administrators to ensure security technical controls are properly implemented.

References:

IU edu (n.d.). Roles and Responsibilities for Technicians. Retrieved May 18, 2015 from https://protect.iu.edu/cybersecurity/policies/ISPP-25/25.1/technician

Whitman, M., & Mattord, H. (2014). Management of information security (4th ed.). Cengage Learning


Sunday, May 17, 2015

Importance of Encryption

You might have heard the term ‘encryption’ on various occasions while reading articles on information security. Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. It converts an original message into a form that cannot be used by unauthorized individuals, which makes things tougher for anyone without the tools and knowledge to convert an encrypted message back to its original format; hence, they won’t be able to interpret it. Many people may think encryption and encoding are the same, but encoding is typically performed for the convenience of storage or transmission, not for keeping secrets.
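To make the encoding-versus-encryption distinction concrete, here is an added example (not code from the original post or its sources). Base64 is reversible by anyone who recognises the format, while the keyed cipher only yields the message to whoever holds the key; the cipher is an assumed teaching construction (HMAC-SHA256 used as a keystream in counter mode) with no integrity protection, chosen only because it needs nothing outside the standard library.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample message we would like to keep confidential.
SECRET_MESSAGE = b"account PIN 4471"


def encode_base64(data: bytes) -> bytes:
    """Encoding: a public, reversible transformation. No key is involved."""
    return base64.b64encode(data)


def decode_base64(data: bytes) -> bytes:
    """Anyone who recognises the format can reverse it; there is nothing to guess."""
    return base64.b64decode(data)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from the key with HMAC-SHA256 in counter mode.

    Assumed teaching construction: it shows where the secret lives (the key),
    but it has no integrity check, so it is not a production cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. A fresh random nonce keeps keystreams from repeating."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ciphertext


def decrypt(key: bytes, blob: bytes) -> bytes:
    """XOR with the same keystream; only the right key reproduces the plaintext."""
    nonce, ciphertext = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def demo() -> dict:
    """Compare what an outsider recovers from encoded versus encrypted data."""
    key = secrets.token_bytes(32)
    wrong_key = secrets.token_bytes(32)  # what an attacker without the key is left guessing
    encoded = encode_base64(SECRET_MESSAGE)
    blob = encrypt(key, SECRET_MESSAGE)
    return {
        "encoding_reversible_without_key": decode_base64(encoded) == SECRET_MESSAGE,
        "decrypt_with_right_key": decrypt(key, blob) == SECRET_MESSAGE,
        "decrypt_with_wrong_key": decrypt(wrong_key, blob) == SECRET_MESSAGE,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```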

The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks. Devices like modems, set-top boxes, smartcards and SIM cards all use encryption or rely on protocols like SSH, S/MIME, and SSL/TLS to encrypt sensitive data. It is used to protect data in transit from all sorts of devices across all sorts of networks. Just think about it: when you use an ATM, shop online with a smartphone, make a phone call, or press the remote button to lock your car, encryption is being used.

When information is encrypted, there is a low probability that anyone other than the receiving party, who has the key to the code or access to another confidential process, would be able to decrypt (translate) the text and convert it into plain, comprehensible text. Businesses use encryption to protect corporate secrets, governments use it to secure classified information, and many individuals use it to protect personal information and guard against things like identity theft. Encryption is your last defense against malicious security crackers violating your privacy. When all other means of protecting the data on your computer prove fruitless, encryption is the last barrier against your most sensitive data being accessible to people who simply should not have it.

References:

Rouse, M (n.d.). Encryption. Retrieved May 16th 2015 from http://searchsecurity.techtarget.com/definition/encryption

Perrin, C (2008). The importance of being encrypted. Retrieved May 17th 2015 from  http://www.techrepublic.com/blog/it-security/the-importance-of-being-encrypted/

Whitman, M. & Mattord, H. (2014). Management of Information Security. Cengage Learning  

Sunday, May 10, 2015

Risk Control Strategies

When there is a chance of rain in the afternoon, it is always a smart move to take an umbrella with you when you are planning to spend time out. Risk control is a method by which business firms and organizations evaluate potential losses and take action to reduce or eliminate such threats. It is a technique that takes the findings from risk assessments and implements changes to reduce risk in those areas. Once risks have been identified and contingency plans developed, risk control strategies can be developed and implemented. In order to control a risk, we can take action to minimize its effect, change aspects of the event so that the risk disappears, or transfer some of the risk to other parties such as insurance agencies. Below are the five strategies to control risks within an organization:

Defense
The defense strategy helps to prevent the exploitation of a vulnerability by applying safeguards that eliminate or reduce the remaining uncontrolled risk. This strategy is also referred to as avoidance. There are three methods of defense: application of policy, which allows all management levels to mandate that certain procedures always be followed; application of training and education, to create a safer and more controlled organizational environment; and implementation of technology, to reduce risk effectively.

Transferable
The transferable risk control strategy attempts to shift the risk to other assets. Another organization, such as an insurance agency, might be better placed to deal with the risk. Transfer of such risks can be done by rethinking how services are offered, revising development models, outsourcing to another organization or implementing service contracts.

Mitigation
The mitigation risk control strategy helps to reduce the impact caused by the exploitation of a vulnerability by means of planning and preparation. This strategy includes the disaster recovery plan, the incident response plan and the business continuity plan.

Acceptance
The acceptance risk control strategy is the decision to do nothing to protect an information asset from a risk and instead to accept the outcome of its exploitation. An acceptance strategy is valid only if the organization has determined the level of risk, assessed the probability of attack, estimated the potential damage and determined the cost of controlling the risk to the particular function, asset, data, etc.

Termination
The termination risk control strategy controls risk by removing its source. If the organization chooses not to protect an asset but does not wish to remain at risk, the asset is removed or terminated. Usually termination of an asset occurs when the cost of protecting it outweighs its value.

References:

Gillette, W. (n.d.). Risk control strategies. Retrieved May 9th 2015 from http://www.cs.uwlax.edu/~riley/CS419/RiskControl.ppt

Thorpe, S (n.d.). Risk Control Strategies. Retrieved May 9th 2015 from

Whitman, M. & Mattord, H. (2014). Management of Information Security. Cengage Learning


Saturday, May 2, 2015

Identifying Threats in a business organization

A threat is an agent that may want to, or definitely can, cause harm to the target organization. Threats are the potential for vulnerabilities to turn into attacks on computer systems, networks, and more. They can put individuals’ computer systems and business computers at risk, so vulnerabilities have to be fixed so that attackers cannot infiltrate the system and cause damage. It becomes an important task for an organization to identify the threats that have the potential to cause serious damage and can lead to attacks on computer systems.

Threats can come in the form of spyware, malware, adware, software attacks, human errors, internal and external data thefts and so on. The organization needs to watch for attackers by sifting through log data to identify actual attack patterns, which can give a good idea of the types of attacks. Information security awareness training for employees is always a good step to start with. Once employees have a good idea of what can be considered a threat, they will think twice before opening emails from an unidentified source or plugging an external device into a work PC. Organizations which give their employees unrestricted access to various social networking sites need to understand the risks that are out there and make sure the proper controls are in place.

It is clear that we cannot get a security suite that will give us 100% protection, but we need to minimize the risk waiting at our doorway. In order to do that we need to use a scoring mechanism that will help us make the right decision.

Forces of nature in the form of earthquakes, floods, fire and lightning can be considered threats as well. Hardware can fail, and this can result in loss of data and revenue. Viruses, worms, spyware, malware and adware can always harm a PC and help intruders steal valuable information; hence, running antivirus software and security scans on a regular basis is always recommended. Organizations should also prepare for inside threats, which can come from internal staff as well. Access controls and proper transaction logging can play a key role here, by configuring the system to decide who can have access to the data and by keeping track of which transaction occurred at what time and by whom.

References:

Kartz, Or (2012). Identify the Most Probable Threats to an Organization. Retrieved from https://devcentral.f5.com/articles/identify-the-most-probable-threats-to-an-organization

Techopedia (n.d.). Threat. Retrieved from http://www.techopedia.com/definition/25263/threat

Saturday, April 25, 2015

Importance of Access Control

Have you ever wondered why your colleague has different views of the same internal office website, with extra menus and tabs which you don’t have access to? Wouldn’t it be nicer to have access to all the available menus, tabs and buttons on the website? Well, it would be nicer to have that access, but remember that with bigger power comes bigger responsibility. In the field of information security, access control is the selective restriction of access to resources, and login credentials are one mechanism of access control. Information security is the primary reason for having an access control system, although it can also be used for monitoring users’ access to the system. Access control is maintained by means of a collection of policies, programs to carry out those policies and technologies that enforce the policies. It enables organizations to restrict access to information and assets.

Authentication is used to identify a user and the host that they are using. Whereas the first goal of user authentication is to verify that the user, either a person or a system attempting to interact with the system, is allowed to do so, there is also a second goal of authentication, which is to gather information regarding the way the user is accessing your system. For example, some companies that are strict about network security do not allow VPN connections if the staff member is using the internet from an unsecured network such as free Wi-Fi in a coffee shop. Authorization is the act of determining the level of access that an authenticated user has to behavior and data. For example, an HR manager has more access to view and update employee information than the rest of the HR staff.

Access control based on user roles is designed to prevent unauthorized access to data. In many business organizations, there are different user accounts scattered across various applications, which may have a few different levels offering different privileges, but they are unlikely to reflect the complex combinations of privileges present in the hierarchy of employee roles. Without properly managed account privileges, the network can be open on both sides, resulting in attacks from external hackers and internal data breaches. There are different types of access control, such as mandatory access control (MAC), in which the system (and not the users) specifies which subjects can access specific data objects; hence it is better suited to places such as military institutions. Discretionary access control (DAC) is another type, in which a user has complete control over all the programs and files it owns and executes, and also determines the permissions other users have on those files and programs. As it allows admins to control access for users based on their job requirements, DAC can be beneficial in businesses and corporations.
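The three models named above behave differently when the same question is asked: who decides, and what does a decision look like? The following is an added example (not code from the original post or its sources) that implements a minimal decision function for each. It assumes a specific MAC model, an ordered set of sensitivity levels with "no read up / no write down" rules, and the role names and permission strings are constructed for illustration.

```python
from dataclasses import dataclass, field

# --- Discretionary access control (DAC): the owner decides -------------------


@dataclass
class DacObject:
    owner: str
    # Permissions the owner has granted to other users, e.g. {"bob": {"read"}}.
    acl: dict = field(default_factory=dict)


def dac_grant(obj: DacObject, granter: str, grantee: str, perm: str) -> bool:
    """Only the owner may change the ACL; returns whether the grant was applied."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    """The owner has full control; anyone else needs an explicit ACL entry."""
    return user == obj.owner or perm in obj.acl.get(user, set())


# --- Mandatory access control (MAC): the system decides ----------------------
# Assumed model: ordered sensitivity levels, as in military classification.
# Reading needs clearance >= object level ("no read up"); writing needs
# clearance <= object level ("no write down"), so secrets cannot leak downward.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allowed(subject_clearance: str, object_level: str, op: str) -> bool:
    s, o = LEVELS[subject_clearance], LEVELS[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation: {op}")


# --- Role-based access control (RBAC): permissions attach to roles -----------
# Constructed roles mirroring the HR example: managers can also update records.

ROLE_PERMS = {
    "hr_staff": {"employee:view"},
    "hr_manager": {"employee:view", "employee:update"},
}


def rbac_allowed(user_roles: set, perm: str) -> bool:
    """A user holds a permission if any of their roles grants it."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


def demo() -> dict:
    """Walk each model through one decision; returns the outcomes for inspection."""
    report = DacObject(owner="alice")
    dac_grant(report, "alice", "bob", "read")  # alice shares read access with bob
    return {
        "dac_bob_read": dac_allowed(report, "bob", "read"),
        "dac_bob_write": dac_allowed(report, "bob", "write"),
        "mac_secret_reads_confidential": mac_allowed("secret", "confidential", "read"),
        "mac_secret_writes_confidential": mac_allowed("secret", "confidential", "write"),
        "rbac_staff_update": rbac_allowed({"hr_staff"}, "employee:update"),
        "rbac_manager_update": rbac_allowed({"hr_manager"}, "employee:update"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```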

References:

Ambler, S. (n.d.). Implementing Security Access Control (SAC). Retrieved April 24th 2015 from http://www.agiledata.org/essays/accessControl.html

Bradbury, D. (2007). How to implement role-based access control. Retrieved April 24th 2015 from http://www.computerweekly.com/news/2240083532/How-to-implement-role-based-access-control

Thursday, April 23, 2015

Network Security in a business organization

A couple of weeks ago I added a post on how you can secure a home network; this one is about securing the network within a business organization. The term ‘network security’ covers the applications and software designed to protect your organization’s network. Effective network security targets a variety of threats and stops them from entering or spreading on the organization’s network.

The most common threats to any computer network are viruses, worms, spyware and adware, hacker attacks, data interception and identity theft. Multiple layers of security need to be implemented so that if one fails, the others still stand. Hardware and software need to be constantly updated and managed to protect you from emerging threats. Components such as anti-virus and anti-spyware software, a firewall to block unauthorized access to the network, and virtual private networks (VPNs) to provide secure remote access (for businesses) help accomplish the goals of network security. Keeping the network secure helps a business organization meet mandatory regulatory compliance and protect customers' data, reducing the risk of legal action from data theft.

In my opinion, the IT security policy is the principal document for network security, and it should outline the rules for ensuring the security of organizational assets. The policy should clearly state that employees are to install only approved applications and software on their office PCs or laptops. All network traffic flows should be analyzed, with the aim of preserving the confidentiality, integrity, and availability of all systems and information on the network.

The concept of defense in depth is regarded as a best practice in network security; it prescribes that the network be secured in layers. These layers apply an assortment of security controls to sift out threats trying to enter the network:

· Access control
· Identification
· Authentication
· Malware detection
· Encryption
· File type filtering
· URL filtering
· Content filtering

While monitoring network traffic and user access to the network is an important task for the network admin, auditing network use encourages continuous improvement by requiring organizations to reflect on the implementation of their policy on a consistent basis. The cost of implementing better network security can turn out to be money well spent compared to the expense of recovering from a data breach.

Reference:

Palo Alto Networks (n.d.). What is network security? Retrieved April 21st 2015 from https://www.paloaltonetworks.com/resources/learning-center/what-is-network-security.html

Thursday, April 16, 2015

Promoting Information Security Awareness

I have seen many flyers and posters at school and in the workplace about what is right and what is wrong. Whenever I go to get coffee in the office’s break room, there is a poster which reminds me to lock my PC when I am away from my desk. I believe awareness like this can be very informative. Those who have been victims of identity theft in the past will surely agree with me on the need to promote information security awareness. Not only for the students of any university or the staff of any business organization, it is important for every computer user to be aware of information security.

“The scope of any security awareness campaign is to persuade computer users to listen and act on measures to avoid, deter, detect, and defend against information security threats and/or data security breaches.”

Information security awareness aims to prevent incidents related to cyber-attacks, identity theft, online threats and the loss or disclosure of data through unlawful hacking. The challenge is how to deliver this information to the general public to make sure they are aware of these threats and able to protect their information. One of the best ways to promote information security awareness is through user training and education, or through policies and procedures. Awareness training can give users tips on how to use antivirus software to protect their data, why it can be risky to give personal information online to a malicious or untrusted site or person, and why you need to think twice before opening any email or attachment from an unknown source. Users need to have a good understanding of what is considered cybercrime and should be encouraged to report computer crimes to HR in companies, to student affairs in universities, or to local law enforcement in the private or public sector.

TV and radio are also good media for promoting security awareness among users. The power of the media is a tremendous asset when it comes to getting our message out to the public. Posters and flyers can be another great way to deliver a message on information security awareness. Flyers with a short, informative message on security awareness can be distributed in public places, universities and business organizations. Posters, such as ones warning users to take caution while sharing sensitive data online, can be placed in office break rooms and university cafeterias, where they can catch users’ attention and turn out to be an effective medium for promoting awareness. Requirements to take mandatory online security training every quarter, quizzes on security awareness, and messages via mass emails can also be good promotional steps in larger organizations.

The internet continues to grow each year, and with it the cyber threats multiply every year. It becomes important for computer users to protect themselves and understand at least the basic steps that can help secure their sensitive information. Information security awareness can be promoted by various means, but in order to make it a successful campaign, users need to follow the steps it recommends properly and stand united against cybercrime.

References:

McDonough, M (2010). Ideas to Promote Information Security Awareness. Retrieved April 14th 2015 from http://www.brighthub.com/computing/enterprise-security/articles/75233.aspx

Ray, R. (n.d.). Promote Security Awareness In Your Company. Retrieved April 15th 2015 from http://www.allbusiness.com/promote-security-awareness-in-your-company-11694831-1.html  

Friday, April 10, 2015

Things to consider while developing Information Security Policy

Have you ever looked into the information security policy of the company you work for? It is a security policy document that states in writing how a company plans to protect its physical and information technology assets. Most organizations usually make these documents available for their employees to review on the company's internal websites or notice boards. The purpose is to have employees read, understand and follow them. I was wondering how hard it can be to write these policies, so I decided to do some research on the things you need to consider while developing an information security policy in the first place.

The policy maker should know that the objectives of the policy are to reduce risk, comply with laws and regulations, assure operational continuity, and preserve information integrity and confidentiality. The policy maker should realize that the success of an information resources protection program depends on the policy generated and on the attitude of management toward securing information on automated systems. The policy can provide vital support to security professionals as they strive to reduce the risk profile of a business and fend off both internal and external threats. If an employee is terminated for some wrongdoing (for example, stealing and sharing sensitive data with outsiders) and the organization cannot verify that the policy was properly implemented, then the employee could sue the organization for wrongful termination. By having everything stated clearly in the policy about what the right thing to do is, the organization can have employees follow the rules for acceptable behavior.


Knowing your audience is one of the important steps in developing an information security policy. The policy maker should understand the purpose the policy is meant to serve and align the policy with any subsequent information governance training to be delivered. The policy needs to be aligned with the business objectives of the organization and should be delivered to the audience in the best format. By thinking from the user’s point of view, the policy maker can cull policies down to fewer pages containing the absolute minimum information needed and the key message to retain.

As a user, I would like to see policy information in fewer pages; it should be brief and to the point about the user’s responsibilities towards the information they collect, use and access. It is also my responsibility to read, understand and follow the policy with all respect towards the organization I work for.

References:

Computer Weekly (n.d.). How to create a good information security policy. Retrieved April 9th, 2015 from http://www.computerweekly.com/feature/How-to-create-a-good-information-security-policy

Whitman, M., & Mattord, H. (2014). Management of information security (4th ed.). Cengage Learning

Thursday, April 2, 2015

Importance of Incident Response Plans

Have you ever imagined what would happen if something unexpected happened at your workplace, such as a virus attack on the entire computer network, and suddenly you did not have the resources available to perform your daily tasks? Well, I was thinking about this today, and it would be very hard for me if my laptop crashed and I lost access to all the emails and documents on it.

Incident response (IR) plans are essential in disaster recovery and business continuity, as they give added protection to sensitive company data. However, many companies lack a step-by-step process for responding to data security breaches. Many business organizations may think that an IR plan doesn't serve any significant purpose and hence focus mainly on recovering from disasters and keeping critical business systems and processes running during a disaster.

The complexity and targeted nature of attacks has continued to increase, the number of compromised records is rising, and organized crime is surfacing more often. Hence, having a solid data breach response plan in place can make the threat of a security breach less intimidating. An incident response plan, if utilized correctly, will outline who, what, when, where and how to respond to data security breaches. Imagine how useful and time-saving it can be to troubleshoot an incident like one that occurred in the past when we have all the documents available, along with the names and contacts of each individual who was involved in finding a fix.

I do not know if the company I work for has listed incident response procedures in its information security policy; probably this is because I did not pay much attention when reading the paragraphs in tiny fonts of the big stack of paperwork they gave me to read and sign when I was hired. Well, I should definitely review that section of the policy to find out if there are plans and procedures related to incident response, with management buy-in, to effectively protect the organization against incidents and cyber security attacks.


By having a successful incident response plan in place, an organization can proactively mitigate incidents before they occur and can react quickly and effectively when incidents do occur. Without an adequate incident response plan, an organization facing cyber security attacks has no methods to mitigate, contain, eradicate, and remediate incidents, and can suffer massive losses of time and money, of valuable data and, more importantly, of customers’ trust.

References:

Beaver, K (n.d.). The importance of incident response plans in disaster recovery. Retrieved April 1, 2015 from http://searchdisasterrecovery.techtarget.com/tip/The-importance-of-incident-response-plans-in-disaster-recovery  

Enterprise Risk Management (2012). Building a Successful Incident Response Plan. Retrieved April 2, 2015 from http://www.emrisk.com/knowledge-center/newsletters/building-successful-incident-response-plan

Thursday, March 26, 2015

Securing Home Network

While filing your taxes using your personal computer at home, did you feel the information on your PC was all safe and secure? I usually get a little nervous connecting my PC to any free Wi-Fi available in a coffee shop or free wireless zone. I feel much better and safer using the internet on my own home network, but when I read articles on identity theft and data breaches, I doubt whether my home network is secure enough to protect my electronic information. We know that securing a home network can ensure that users can use the internet safely, but the question is: are we following the steps properly? I have seen a lot of promotional efforts by internet service providers like Cox and CenturyLink on applying an extra level of security to the home network and the importance of encrypting electronic information. However, many average users still do not realize that just using encryption might not be enough. While setting up wireless or wired home networks, many average users rush through the steps to get their Internet connectivity working as quickly as possible, and by doing so they may be skipping certain important security steps that may open a window for hackers to get into their home network. Such a security breach can result in unauthorized access to personal data on the home computers. Depending on the nature of the incident, a security breach can be anything from low-risk to highly critical.

Within an organization, security breaches are typically monitored, identified and mitigated by a software or hardware firewall, but a home network may lack some of those features due to the cost of security software or due to homeowners not having good knowledge of network security. Besides stealing personal data, hackers often want to gain access to others’ computers so they can use them to launch attacks on other computer systems and hide their true location as they launch cyber-attacks. These hackers are always discovering new security holes to exploit in computer software; hence, it becomes the sole responsibility of the computer owner to install the patches that cover any security hole. Having a good understanding of the security configuration of the modem and router, setting up a firewall, and installing patches and anti-virus software can turn out to be very effective in protecting a home computer network. Physical security of the networking devices is equally important and something many homeowners need to maintain.

The Federal Communications Commission (FCC) recommends that users use Wi-Fi Protected Access II (WPA2), which is the most effective encryption standard available today. Home network owners can use the recommended solutions, which are also advised by the FCC and NSA, to protect their network from intruders, hackers and identity thieves. Homeowners should not share their Wi-Fi password with their guests at all; instead they can set up a guest Wi-Fi account, which many new routers include as a feature these days. Having an unsecured home network can be considered similar to leaving your car door open for someone to enter and steal it. Intruders may park their car within Wi-Fi range of the house and try to hack into the home network, so homeowners need to pay special attention to any suspicious vehicle parked near the home within the Wi-Fi access zone.

I really enjoyed using the new app named "Nextdoor", which can be considered a social networking site for neighbors. I have received many helpful tips and suggestions from my neighbors related to securing the neighborhood, and many have been reporting suspicious activities in their area and notifying neighbors to take precautions. In my opinion, with rapidly changing technologies, home owners should migrate to modern operating systems and platforms and update their existing applications, as the latest versions always have improved security features. I strongly agree that security-conscious technology users within a home network can surely keep intruders away.

References:

FCC (n.d.). Protecting Your Wireless Network. Retrieved March 23, 2015, from http://www.fcc.gov/guides/protecting-your-wireless-network

Geier, E. (2014). 8 ways to improve wired network security. Network World. Retrieved March 23, 2015, from http://www.networkworld.com/article/2175048/wireless/8-ways-to-improve-wired-network-security.html

Krebs, B. (2011). New Tools Bypass Wireless Router Security. Krebs on Security. Retrieved March 26, 2015, from https://krebsonsecurity.com/2011/12/new-tools-bypass-wireless-router-security/

Thursday, March 19, 2015

Health Care Service Data Breach

While driving to work this morning I heard on FM radio about yet another data breach; this time the victims were customers of Premera Blue Cross, a major health insurance provider. As I had health insurance through Blue Cross Blue Shield until last year, the news made me quite curious and a little worried, so I went online to find out what really happened.
An intrusion into Premera Blue Cross's network may have exposed the financial and medical records of 11 million customers. The company said its investigation revealed that the initial attack occurred on May 5, 2014, and that it discovered the attack only on January 29, 2015, a gap of almost nine months between intrusion and detection. In its statement the company said the incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and its affiliate brands Vivacity and Connexion Insurance Solutions.

The company will notify affected customers by letter and has announced that it will offer two years of free credit monitoring through Experian, one of the big three credit bureaus. It further said that it is working with the security firm Mandiant and the FBI on the investigation.
The days of massive data breaches at major retailers and health care providers are far from over. In my opinion they are targeted because their systems hold millions of users' records. If I were one of those 11 million customers who got a letter indicating my information had been stolen and offering two years of free credit monitoring, I do not think I would feel any better about that offer. When customers provided their information to the health care provider, trust was the main factor, and the company has lost that now. I think it was their responsibility to ensure the information was not exposed to intruders, and I still do not understand how something this big was identified only after more than 8 months. The company says on its website that "The security of our members' personal information is a top priority", but at this time it seems to have lost its members' trust already.

Reference:

Krebs, B. (2015). Premera Blue Cross Breach Exposes Financial, Medical Records. Krebs on Security. Retrieved from https://krebsonsecurity.com/2015/03/premera-blue-cross-breach-exposes-financial-medical-records/

Tuesday, March 17, 2015

Data breach at major retailer

Sometimes I wonder how many credit cards I have. I think I have about 10 different credit and debit cards, and if I include the rewards and gift cards, my purse becomes a tiny fat briefcase. I don't feel safe having all those cards in my purse when I leave the house, so I usually carry only the cards I plan to use during that week or month. There was a time when I had only a couple of credit cards from well-recognized credit card companies, but now I have about six or seven credit cards just from the retailers and stores I visit regularly, i.e., Younkers, Sears, Walmart and so on. When I heard about the data breach at Target back in 2013, I first asked myself whether I owned a credit card from this store. I was relieved that I did not own a Target card, but when I read that guest accounts had been impacted as well and information had been stolen, I was full of worry.
Approximately 40 million credit and debit card accounts of Target customers may have been impacted between Nov. 27 and Dec. 15, 2013. The company announced that customers who shopped at Target in that window should keep a close eye on the credit or debit card accounts they used there for any suspicious or unusual activity. The attackers had gained access to guest credit and debit card data, and certain other guest personal information was also taken: names, mailing addresses, email addresses and phone numbers. The company said that this personal information of up to 70 million individuals might be affected, and that it was committed to making this right and was investing in the internal processes and systems needed to reduce the likelihood that this ever happens again.
I live close to a Target store and had been there during that time frame for shopping and groceries. I did check my credit and debit card transactions during that period and did not see any suspicious transactions, but I was really paying attention only to whether any major transaction had happened. What if the hackers had charged $1 to my credit card account, labeled as a service or membership fee? I would probably have ignored it as it was only $1, but now that I have read more into this: what if they had stolen $1 from each of those 70 million individuals impacted?

We should all know that the online information we provide in today's world is never going to be 100% secure; all we can do is make our best effort to secure it. Once I figured out that I had visited the Target store during that time frame and used my credit card, I called my credit card company and reported it. They issued me a new card and suggested that I pay more attention to my credit transactions and statements. Based on my experience with Target's data breach, I agree with the suggestions below from the retailer on avoiding social engineering scams:

Reference:

Target (n.d.). Data Breach FAQ. Retrieved March 17, 2015, from https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ

Wednesday, March 11, 2015

Little about myself and the blog

Hello everyone,

My name is Sabina Shrestha and I am currently enrolled at Bellevue University in the Master's in Management Information Systems degree program. I am currently midway toward achieving this goal, and throughout this journey I have learned a lot about information systems and technology. I did my undergraduate degree in aviation and am currently working in the aviation field, so learning about information systems and technology has been a completely new and wonderful experience for me so far, and I have been enjoying it a lot. The posts in this blog will be based on my research and findings on managing information security, and I will surely add references to any information I find useful from various sources.

Thank you!

-Sabina