Monday, February 23, 2015

In retrospect....

This is my final week of class for this course, Information Security Management, and while it has been a long ride, it has been most informative and worthy of my time.

Looking back at my blog for the past few (cough12cough) weeks, the posts have been a variety of IT/InfoSec yummy-ness. I wrote a few times about Sony and their malware/hacking drama; we touched on policies/procedures, ISO certification, disasters, and a rant about security breaches that actually affected me directly.

I tended to choose these topics because they were close to my heart, got my blood boiling, or I found them interesting. Many times a week I would check Cnet.com for much of my news; I also checked Forbes and, of course, Yahoo. But Cnet.com tended to have the goods more often than not.

When I was first asked to write a blog for this course I felt intimidated and a little stuck. What would I write about, what if I couldn't think of anything, how do I do this, what if I sound like an idiot...all of these thoughts went through my mind.

I also found that once I stopped worrying about these things I could just be myself and blog. A few tips for the next batch of students who have to do this for course credit:

  • Blogging isn't as serious as a paper/essay. You can be fun and feisty as you write about your topic.
  • Do your research and form your educated opinion. Blogs are opinion based and it's ok to disagree or agree, just give us a reason why.
  • Use reputable sources. Don't use another person's blog unless you have a reason to (I haven't found a reason to).
  • Don't use Wikipedia for research. Technically you shouldn't use this for any college research, so just don't.
  • Have fun. Enjoy your writing and topic; this way it doesn't feel like an assignment.
Lastly, if you're still terrified of the blog world or don't understand how to start...just look it up online, there are many articles on how to start a blog.

As I progressed through this blog, I discovered the value in the assignment. Much of the reason is keeping up with what's happening out there in the InfoSec world, following trends, seeing what's new, etc. This can only help you in your professional life. IT and InfoSec, well, anything technology related, are ever changing, and in order to be at the top of our game we need to stay in the know. This blog helps me do this. And hopefully, you too!

Stay safe out there, thank you for reading!

Tuesday, February 17, 2015

Go Microsoft, kick some butt!

I am proud of Microsoft!

Looks like they are targeting Asia as a global hub of cybercrime and malware. Bout time, yea?

Ok, let's be honest, we (the folks in IT in the US) have seen the cyber attacks coming from Asia. I have seen it as well. Working at a university inside a NOC, I have seen the attempts to hack into systems containing that "yummy" data: students' social security numbers and birth dates. Yup, it happens so frequently it looks like the Matrix running in the background, with nothing unusual in the least.

And while I am not sure this approach will actually work, I am at least glad that Microsoft is attempting to do something about it. Or at least trying...

Microsoft believes that the Interpol unit in Singapore will have better access to the surrounding areas with this center, looking at not only Asia but the Oceanic countries as well. This way they are watching the money and where it's coming from.

Another huge concern is malware and rightfully so.

"Of a more pressing concern is China, which already has a Cybercrime Satellite Center located in Beijing. Bosco says the infection rate in China is high due to counterfeit software. There's a huge amount of infections within China, and the result of that from our investigative work was that it comes from an unsecured supply chain," said Bosco. "What happens is you're getting a lot of people infected because of simply buying a computer with pre-installed malware. Sometimes, it's not even that, it comes with all of the features, such as automatic updates and firewalls disabled."

"The minute you put it on the Internet, even if you're not infected, within hours you will be infected and it just cascades and you'll see a huge amount of infections in China because of that."

The entire article can be found here:
http://www.cnet.com/news/asia-could-be-the-next-hotbed-of-cybercrime-says-microsoft/

Will this make a difference? Well, something has to be done, so why not try it. Until we get to the point of either stopping the way we do business OR never using the Internet (sorry if you're laughing so hard your coffee is dribbling out your nose), let's throw everything against the wall until something sticks. I mean, doctors do it when trying to diagnose a disease they can't figure out (I know from personal experience...another blog, another time). So why not this? It will be interesting to see what happens now.

Stay safe out there!

Monday, February 9, 2015

A way of life...the constant fear of a data breach

Is it really a way of life, have we become numb to this?

By this I mean data breaches. They are more and more frequent and seem just like something we have to "live with".

Recently, Anthem Blue Cross and Blue Shield became the most recent hack, affecting nearly 80 million people. And I could be one of them. I have their insurance through my employer; it's good insurance...a bit pricey, but good. But now I need to worry about this.

They are supposed to mail their customers a letter if they were affected. And while that is the policy, it's crappy in practice. Do you realize that by the time I get the letter (if I get one; I hope I don't), someone has already opened up credit cards in my name or taken out loans? Seriously, this is getting ridiculous.

"Anthem Blue Cross was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information (such as claims, test results or diagnostic codes) were targeted or compromised (http://www.forbes.com/sites/gregorymcneal/2015/02/04/massive-data-breach-at-health-insurer-anthem-reveals-social-security-numbers-and-more/)."

Does that make me feel better? Um, no! I am kind of irate. Being a geek (as I so choose to identify), I find the lack of protection and the "oh, it's just something we need to live with" attitude frustrating, to say the least. We shouldn't have to live with this. There has got to be a better way.

I realize that since we are doing pretty much everything through the Internet...it has an enhanced risk. But maybe doing business this way is OK, or maybe it isn't. While I don't have the answers and I can't really think of much else, maybe not using social security numbers for things like insurance (maybe a different number to identify with) might help this craze of stealing information and identities. OR, even crazier, it's too bad we have a monetary-based society (I know, way off topic), but it would eliminate the greed factor of crimes....just saying.

If you were compromised or even if you weren't, there are a few things everyone can do to be a little bit safer in the vortex of the Internet. Check out these steps for security: http://www.forbes.com/sites/gregorymcneal/2015/02/05/6-ways-to-protect-yourself-after-the-anthem-data-breach/

I am off to call the 3 credit reporting agencies...just as a precaution.

Try to stay safe out there....try....

Tuesday, February 3, 2015

If it ain't broke, don't fix it....Really? I am not buying that.

There is a theory that if something isn't broken we don't need to fix it.

Well I am here to tell you that is a poor way to live, especially in IT.

Last week I discussed risk management. With that also comes re-evaluation of systems and their associated risks. So while the idea of "it ain't broke, don't fix it" might work for other aspects of your life...if you're in IT, it doesn't.

While the world is an ever changing place, we all know technology is as well. What iPhone are we on now? 16 or something. (Ok, I know it's 6...I think) The point is that rapid change also means threats are changing rapidly as well. With that comes a responsibility to maintain a current risk management strategy that follows current threats with current technology.

Let's face it...if we have a server or any hardware from ages ago, with the associated cost of that equipment from that time period and the threats from back then as well...it really doesn't do an organization any good today, because it's no longer valid. Much like a shower: just because you took one yesterday doesn't mean you never need one again. (I had a classmate use this analogy and I did tell him I would steal it, so there)

Just as technology changes, so too must the organization re-analyze its strategies. Risk management would be a big one to keep current. And it's not the only one; they are all important to maintain and re-analyze from time to time. One thing I learned is to establish these as "living" documents; they are ever changing and evolving to keep up with the times.

Some interesting pieces related to my topic:
http://www.pwc.com/gx/en/governance-risk-compliance-consulting-services/resilience/publications/business-resilience-sustainability-enterprise-risk-management.jhtml
http://www.accuvant.com/resources/risk-and-the-ciso-role
http://www.resolvergrc.com/blog/what-makes-for-an-effective-risk-manager-in-todays-ever-changing-world/

While the topic is broad and I could go on for a long time....ultimately this type of thinking makes any organization stronger. Being able to recognize and adapt to changes that happen...that should get them to a level of greatness and hopefully protect themselves better from the ever changing world of technology.

Monday, January 26, 2015

Risk & Reward

I think we have all heard the phrase, "no risk, no reward". I think it applies not only to life in a general sense...asking out that special someone or taking on new challenges...but to the IT world as well. Specifically in the infosec arena.

While risk might generally imply death and destruction (ok, maybe not that bad), it isn't always doom and gloom. A lot can be learned from things like risk identification inside an organization.

We (I am assuming here) have all heard of something called risk management. Essentially, managing the risks to the company or organization. This is a critical component in managing IT in all its glory and splendor.

But why is it a good thing, what does it have to offer? One thing that comes to mind is knowledge. Learning the company (the self) and learning your enemy (the hackers, or the threats that come from the outside). Much like General Sun Tzu's words: "know the enemy and know yourself".

Going through a risk identification process is the self-examination that identifies the organization's assets and classifies them by importance: giving a value to everything, every moving part....and then allowing threat identification to come to fruition.

Oh my! I know, admitting it is the first step, right? It's probably hard for an organization to actually admit its threats or weaknesses, but it's necessary in order to protect its assets: detecting the vulnerabilities and planning from there, the possible consequences, the percentage of each risk mitigated, etc.

And again we go back to knowing the enemy and knowing the self, and how much more useful things like a risk analysis would be in order to protect the self from the enemy. Hence, without taking that risk of knowing the self (faults and all), the reward of protecting the self from the enemy can't happen. And bad things could possibly happen on a much broader scale than if the organization had put in the time to actually analyze its assets and weaknesses (knowing the self).

Because there really is a lot of information on risk management, risk identification, etc., here are a few links to have a look at for more information.

Risk Management: https://www.theirm.org/about/risk-management/
Risk Identification: http://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-identification

Stay safe out there (and if you feel like it, try something new...remember risk & reward, unless it's illegal...don't do that)

Monday, January 19, 2015

ISO 27000

While ISO 27000 may sound like a new piece of technology or electronic device...it's not. It's actually pretty neat, and I shall explain why.

When organizations hire employees they tend to like certifications for certain types of positions. Right? I mean, my old A+ from CompTIA is still golden (and it never expires, unlike these new ones...hehe).

An ISO certification is one for the organization that says, "Hey, we have IT standards set in place and we are on top of this." Much like an employee's certification in something valuable, this is something for the organization to have, making it extremely valuable.

Why? Well because you asked so nicely, I shall continue. 

In our modern world technology is advancing...rapidly. And security and competence are always a question of, "are they secure, do they know what they are doing?" While many times we can assume they are or they might be, one sure-fire way to tell is to look for organizational certifications, such as ISO 27000.

While it doesn't guarantee that a company/organization is perfect or that they won't have a security mishap, etc., it does show that the organization has met the standard for information technology and management information systems. With this, the organization can be a trusted source of IT services and confirm confidence in the reliability of its internal operations.

Granted, this doesn't guarantee that security will never be an issue, but it's at least something to consider when going into business with an organization that has ISO 27000. It's like having an alarm system: it doesn't guarantee your safety or that someone won't try to break in. BUT it's one heck of a deterrent AND an established process in place. It makes you FEEL better...that's important.

If you would like to know more about ISO 27000, please have a look at: http://www.27000.org

It does look like a lot to go through and may be a bit dry, but I believe on an organizational level it's a diamond to have in your pocket...especially if you're in the IT business. I may even have to make a recommendation at my place...hmm.

Stay safe out there!
Monday, January 12, 2015

The Curious Mind

While I am naturally curious, I tend to think most IT professionals are.

What does this do, how does that work, is there a better way...etc. And while Youtube.com has been the answer to many of those questions and searches, there might be a new contender on the block.

Curious.com might have the answer to all those questions and more. According to Cnet, "The Menlo Park, Calif.-based e-learning site offers more than 10,000 curated short-form, interactive videos taught by 1,000 teachers on a variety of esoteric topics, ranging from macrame to triathlon training to calculus to the martial arts (Karr, Cnet.com, 2015)." 

And while even I am wondering, why not use Youtube.com...the idea of Curious.com is to bring together the formality of training, much like Lynda.com with its extensive courses, and the randomness of Youtube.com in a new way.

Cnet also goes on to explain that Curious.com will offer courses ranging from technology, to food, to fitness, to language, and business. 

This is good news for us technology junkies. Anyone wanna learn how to code Android applications? Well, it's a free preview and then it'll cost ya $79.99 for the course. Not bad. While it's still a new organization, I am sure more courses will arrive for free or for purchase. I am hoping for some security-based courses at some point, maybe more in the business realm.

And while Youtube.com may always be a viable option for learning new things, Curious.com seems a bit less "grab your camera and film something." There seems to be a better structure and more of a sense of realness to its training/learning structure. They vet each video and give their "instructors" a guideline for course development.

In the meantime, good old-fashioned books might be your best bet for information security subject matter....but one day I think we might find much of this in an online training course. Heck, I take online classes! Is it really that much different? Not anymore; Curious.com also allows for questions/feedback, much like an online course...not like Youtube.com. Wow. I might have to go find a free course now! (Starving student and all...ok, not really, but free is free)

Sources: 
www.youtube.com
www.curious.com
http://www.cnet.com/news/curious-much-this-e-learning-site-may-have-the-answer/

Monday, January 5, 2015

Security policies, standards, and guidelines...Oh My!

Well Happy 2015!

Maybe we should talk about security policies, standards, and guidelines.

While this is a broad topic, I do find the need for it urgent. Especially considering our environment, which seems to be overrun with security breaches, among other things...again, poor Sony, how many times were they hacked in 2014?

Either way, any organization should have a security policy in place for day-to-day workplace instructions on how to properly behave regarding information systems and assets. When a security policy is in place, that policy should drive the standards for the organization, and in turn the standards should help develop the procedural guidelines an organization needs.

Ironically, these ideas in practice go back up the model, with practices and guidelines that need to meet the standards that carry the weight of the policy. Kind of an up, down, and up approach. They are all critical and valuable to the organization.

Without these in place, besides the obvious visual of IT professionals running around looking like chickens with their heads cut off (no chickens harmed in the making of this blog), we see the value in these three (3) musketeers (policy, standards, and guidelines).

Things to consider:

  • Policy cannot conflict with the law. Enron, anyone?
  • Policy/standards/guidelines should tell the organization how technology-based systems, information, and data are used and stored.
  • Policies like these could address liability issues (if necessary).
  • The who, what, when, and where are defined in these policies and standards.
While even the company I work for (a small software company) has these in place, not every organization lays its foundation for these three (3) musketeers. And since they definitely help keep the organization in line and on top of its game, perhaps, it being the new year...a new resolution is in order for those companies out there: create your security policies, standards, and guidelines. If there is one in place, make sure updates and new revisions are made if they haven't been done in a while, to keep up with our hectic online environment.

Stay safe out there!