Thursday, October 18, 2012

Cyber-Security

It has been a while since my last blog, but I felt that today would be the day that I needed to add to it.  Earlier today, for a split second, I witnessed on Yahoo, the word "Cybersecurity" as a top searched word.  I'll be honest, I had never seen the word as a top searched word on Yahoo, ever!  This actually gave me chills.  What prompted people to start searching for that word in particular?  Why has it never come up before, or at least that I have seen?

About a month ago, GoDaddy was hacked.  This took down many sites, including some of the servers that my school has hosted through GoDaddy.  For about 4 hours, I was without access to my school site.  Believe me when I say that I was panicking, though not from the actual outage, but from not being able to gain access to my school.  Now we are hearing of banks getting hacked.  If you type "Site Hacked" in the Yahoo search bar (make sure you add the quotation marks) and click to filter by time of past month, you will get 150 results.  Look through them.  It is amazing how many sites have been hacked and how they were hacked.  Many of these resulted in data being released to the public.

I recently read somewhere that the field of Cybersecurity will be looking for employees in the future but will not have enough to fill the jobs available.  Come on people!  Understand that this field will be needed.  The hacking that is going on and what is being released to the public just has to stop or at least be slowed.  The country and even the world cannot have this happening on a daily basis.  If none of you have had a chance to watch Cybergeddon by Yahoo & Norton, you need to find it and watch it.  Here is the link: http://cybergeddon.yahoo.com/#home  One might think it is all fiction; well, the story might be, but what is going on could in fact happen in the future.  If you like the CSI shows, you should like this because it is produced by none other than Anthony Zuiker, who produced the original CSI's.  If I have some facts incorrect there, please feel free to correct me.

What this all boils down to is managing the security on your computer properly.  As I have mentioned in my previous posts: use strict passwords, a firewall, and anti-virus software, keep your computer up to date with all needed updates, and keep all the information you use on the computer confidential.  Follow these rules and you will help keep these types of attacks from happening.

Wednesday, August 8, 2012

The End!

Well, this is the final week of my class in which this blog is a requirement.  I had to discuss on the discussion board what I had spoken about over the past several blogs.  I have to admit, I don't think I did too badly on the blogs.  It helped that I had a good blogging background before I started, though.  I have taken a lot away from doing this blog.  I know it will help get me out to the Information Security world and will do me good in the future when applying for jobs.  I can just point them to this blog, which hopefully can help me score some brownie points with them.  Any future employers reading this right now, please take into consideration my previous blogs and how well I did discussing each topic and not what I just posted about brownie points :)

I feel that everyone should blog.  Blog about anything that interests you.  Blog about your personal life to your family.  In fact, I recommend that topic to any newcomers to blogging.  Just tell your family what is going on in your life.  It makes it much easier to ease into other topics of blogging.  Be open when blogging.  Don't worry about your readers.  Blogging allows you to get your opinion out there.  I'm not saying to go out there and go off on a person to the point where you are wishing them to not be here.  That is wrong.  Go out there and just give your opinion.

When it comes to Information Security, I am not as advanced in the subject as many might think that I am, but I am getting there.  The class that I am taking has opened my mind to many aspects of the topic that I was unaware of, but has also touched on topics that I have come to love in the past several years.  I feel that everyone should be knowledgeable in Information Security if they have their own computer.  You need to have the base knowledge so that you can help secure your computer and data from the outside world.  I suggest that if you are not planning on entering the IT world, you go out and find a book on IT security and read it from front to back.  Get the know-how to secure your computer or you will regret it.  Thanks to all of you who have read my blog.  Look for future posts, though I am unsure when I will post next.

Tuesday, July 31, 2012

Certifications!

I'll be the first one to tell you that I don't like the idea of getting certified on anything in the IT world.  Don't get me wrong, I understand why one needs to be, but I don't like what you have to go through to get certified.  You have to take a test and pay money for that test.  Many will argue that the benefits of having the certificate outweigh the costs.  This, I feel, stems from the companies that people work for possibly helping pay for the tests.  Heck, if my company offered to help pay for my testing, I would be certified out the ying-yang.  Thing is, there are also a lot of employers that do not participate in this type of help.

What chaps my hide is the fact that there are many jobs now that state you must have a certificate to be hired.  Even the entry level positions such as help desk support or desktop support are requiring some sort of certification such as CompTIA A+ (basic computer skills covering hardware and operating systems).  My argument is that many people with multiple years of computer usage already have the majority of the knowledge to pass the A+ exam.  I feel that employers are taking advantage of people when asking them to have the A+ before getting even looked at and interviewed.  This test is basic.  If you have an Associate's or Bachelor's degree in IT, chances are that you have enough knowledge to pass the A+.  The thing is the cost associated with it.  At the current time, it costs $178 to take the test.  Other than their fundamental tests, this is by far the cheapest test that they offer (CompTIA, 2012).  I don't know about you, but that is too much just to have someone state that I am certified to play around on a computer.

Now, their other tests such as their Security+ and Network+ are a little more detailed and require one to have knowledge in that specific area.  I can understand if you are applying for a job in that field (Networking or Security) that you need to have such qualifications.  I cannot tell you how many times I have been turned down by a job because I do not have the A+ certification.  I live paycheck to paycheck and have a problem with forking out that much money to get a certification.

Now, with that off my chest, I want to take the time out to actually state that in today's economy, you need to get certified if you plan on getting into a specific area of IT.  I completely agree with this notion.  Here are a few suggestions for you if you are planning on the Network or Security specific IT areas of work:

Security - CompTIA Security+ or the Certified Information Systems Security Professional (CISSP) or both
Networking - CompTIA Network+ or the Cisco Certified Network Associate (CCNA) or both

You can do searches for the above tests to find them and to read more about them.  I have no problem with getting certified in these areas, but when it comes to that general A+ certification, I am a bit peeved that it is a requirement for many entry level jobs.  Good luck in your certification search.  I know I will be getting my CISSP once I am done with school and possibly the others up there as well.

Reference

CompTIA. (2012). Exam Prices. Retrieved July 31, 2012 from http://certification.comptia.org/Training/testingcenters/examprices.aspx

Tuesday, July 24, 2012

Why Firewall?

Many people I have spoken to in the past about security on their computers have asked me the same question: if I have anti-virus software on my computer, why should I even bother getting a firewall?  It isn't that tough of a question to answer.  Yes, you should use anti-virus software, but what good is it without a firewall?  Without a firewall, your computer is just sitting out there on the Internet saying, "here I am, come and get me."  You need that firewall!

Let's tackle a quick question here.  What is a firewall?  A firewall is what it sounds like.  It is a wall, but it isn't made of fire.  It is a device, either hardware or software, that sits on a computer or network and prevents or blocks information from entering or leaving it (Whitman & Mattord, 2010).  There are many types of firewalls out there on the market, but it would take too much time to discuss them all here, so I am just going to stick with the basics.

[Image: firewall diagram] (Smart PC Support, 2012)

Take a look at the above picture.  This gives a general idea of what a firewall does.  The Earth is pictured here as the Internet.  There is a wall (firewall) and then your computer behind it.  A firewall has rules, or in this case bricks, that define how it is to react to certain information.  If the information trying to get in has been deemed inappropriate or unwanted by your computer, it will deflect it and keep it out (red arrows).  If the information coming in is wanted, it will get through (green arrow).

OK, now that you understand what a firewall does, can you see why you need it?  An anti-virus tool can only sit behind that firewall.  It waits to see if anything does get through that is not allowed and then it takes care of it.  Without a firewall, all information will get in.  There is no wall.  There is no deflection.  It doesn't take me long to describe this to my friends and family that ask why they really need a firewall.  Without it, your computer will let everything in.  Do you want that?  I don't think so!
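To make the "bricks" idea concrete, here is an added example (my own illustration, not code from this blog or from any product it mentions) of how a basic packet filter decides what gets through. Each rule is one brick; the first brick that matches a packet decides, and anything no brick matches is deflected by default. The rule set, the addresses and the sample traffic are all constructed for the demonstration; the "without a firewall" case just switches the default to allow, which is the "there is no wall" situation described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# A packet arriving from the Internet, reduced to the fields a basic
# packet filter looks at (constructed sample data, not a real capture).
@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on this computer

# One "brick" in the wall: an action plus optional match fields.
# A field left as None matches anything.
@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # CIDR network, e.g. "192.168.1.0/24"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """Return the verdict for pkt: the first matching rule wins, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule set for a home PC: the home LAN may reach file sharing
# and remote desktop, anyone may reach a personal web server on 443,
# everything else is deflected. Order matters: first match wins.
HOME_RULES = [
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=445),
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=3389),
    Rule("allow", proto="tcp", dport=443),
    Rule("deny"),   # explicit catch-all, same as the default
]

# Constructed sample traffic: a LAN neighbour using file sharing, an
# Internet host probing remote desktop, an Internet host visiting the web server.
SAMPLE_TRAFFIC = [
    Packet("192.168.1.20", "tcp", 445),
    Packet("203.0.113.9", "tcp", 3389),
    Packet("198.51.100.4", "tcp", 443),
]

def with_firewall(traffic=SAMPLE_TRAFFIC):
    return [evaluate(HOME_RULES, p) for p in traffic]

def without_firewall(traffic=SAMPLE_TRAFFIC):
    # No wall at all: nothing is deflected, every packet reaches the computer.
    return [evaluate([], p, default="allow") for p in traffic]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, with_firewall()):
        print(f"{pkt.src:>14} {pkt.proto}/{pkt.dport}: {verdict}")
    print("without a firewall:", without_firewall())
```

The point to notice is the default: a real firewall deflects anything it has no rule for, so a remote desktop probe from the Internet is dropped even though the same service is reachable from the LAN, whereas with no firewall every packet in the sample reaches the computer and it is left to the anti-virus tool to deal with whatever arrives.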

I'm not going to go into detail about what kind of firewall you should get because chances are, if you have anti-virus software, you might just have that firewall.  Most firewalls nowadays come bundled with anti-virus software.  Check the case that you got your anti-virus software in and see.  If it does not, then I do advise you to buy one, preferably from the same manufacturer as your anti-virus software.  Just go to their site and find a way to get it because you need it.

If you want more information on firewalls and to get an idea of what product to pick up, you can go to the link I provide here: http://personal-firewall-software-review.toptenreviews.com/.  This is packed with more information and an interactive graph that will allow you to choose what ratings you want to see.  Just click on the Firewall Performance link.  Check it out and get that firewall!

References

Smart PC Support. (2012). Firewall image, borrowed from http://www.smartpcsupport.net/firewall.html

Whitman, M., & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Wednesday, July 18, 2012

Risk Control!

Last week, my blog spoke on identifying and assessing the risks that you have on your computer.  Hopefully, you have gone through and done just that.  Now is the time to control those risks.  You can do this by one of four strategies: avoidance, transference, mitigation, or acceptance.  These four are in order, from a proactive (taking care of a problem before it happens) stance, from strongest security to weakest:

Avoidance is the strategy that uses safeguards to help eliminate or reduce your uncontrolled risks.

Transference is the strategy that allows you to shift risks to other areas.

Mitigation is the strategy that helps reduce impact if an attacker successfully exploits a vulnerability.

Acceptance is the strategy, well, it isn't even a strategy in my opinion, because it is understanding the consequences of deciding not to control your vulnerabilities (Whitman & Mattord, 2010).

My honest opinion is to use the strategy of avoidance.  Within this strategy, you apply some sort of policy.  This helps control and manage procedures that everyone must follow.  You also allow and apply education and training to all those involved with the security of your computer.  Within this strategy, you counter your threats by using defense mechanisms such as your security controls and safeguards (Whitman & Mattord, 2010).

Transference and mitigation both come with risks.  Transference allows you to take your problems and push them somewhere else.  The main concern is outsourcing.  Are you going to trust your risks in the hands of someone else?  I sure won't.  I plan to manage them myself.  Mitigation just allows you to plan for issues through the use of specific plans such as an incident response or disaster recovery plan (Whitman & Mattord, 2010).  I don't know about you, but I want to make sure those risks are taken care of now and not find out that a control did not work.  Don't get me wrong, I am all for creating these plans, but you need to be proactive and reactive not just reactive.

If you decide to go with acceptance as your strategy, be forewarned that you will be susceptible to attacks.  This is, in my opinion, a choice to do nothing in protection of your assets.  If you choose to go this route, say hello to hackers such as Anonymous taking control of your system.  You will be very easy to hack.  I will be honest, I will not be sorry for anyone taking this route and then losing all their important data.  Control your risks by implementing a secure strategy.

Reference

Whitman, M., & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Tuesday, July 10, 2012

Identifying Risks!

I have hacked your system and I have all your information.  I'm looking at your SSN, address, credit card numbers, and all other personal data.  I'm laughing at that picture of you at what looks like a company party. Your system was just too easy to hack.  Why did you allow me into your system?  Did you not assess your data and realize that you had very personal and confidential data on your system?  Of course, the preceding sentences are not true.  I am just trying to get your attention.  Did I?  Good!  Let's proceed.

I bet the majority of you reading this blog have some very important information and data stored on your computers.  In fact, there is probably some very confidential data there as well.  You don't want that data stolen do you?  What you need to do is a Risk Identification.  This is where you go through all your data stored on your computer and prioritize them based on their importance to you.  Thing is, it is very tedious due to all the data on your computer, but it is absolutely necessary to help you identify any weaknesses with that data and the threats that are present that threaten that data (Whitman & Mattord, 2010).

First, look at all the data that is located on your computer.  Don't start prioritizing the list, just jot down the data.  You should have information jotted down such as your files, pictures, and personal information, among many other things.  Now, look at the list and start classifying that data as either confidential (pretty much for your eyes only), sensitive (could harm you if the wrong person gets hold of it, but not quite confidential), or public (everyone can view this data).  You should now have two columns: your data along with its classification.  The last column you should make is the impact that data has on you.  It can be critical (will harm you if in the wrong hands), high (potential to harm you still very high in the wrong hands), medium (not too harmful, but watch who you give it to), or low (shouldn't hurt you if put in anyone's hands).  Examples follow:

Picture at company party - Sensitive - Medium
SSN - Confidential - Critical

I'm hoping that if you have your SSN on your computer you are treating it as a confidential and critical piece of information because if you are not, you are in for a rude awakening if you are hacked.
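The three-column list described above can be kept as a small inventory and sorted so the most urgent items come first. The following is an added example (my own, not from this blog or from Whitman & Mattord) that encodes the classification and impact columns, ranks the rows, and flags rows where the two columns disagree, such as confidential data rated low impact, which is exactly the rude awakening the paragraph above warns about. The inventory rows and the priority score are constructed for the demonstration.

```python
from dataclasses import dataclass
from enum import IntEnum

# Classification column: who may see the data, least to most restricted.
class Classification(IntEnum):
    PUBLIC = 1
    SENSITIVE = 2
    CONFIDENTIAL = 3

# Impact column: how much harm the data does in the wrong hands.
class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

@dataclass(frozen=True)
class DataItem:
    name: str
    classification: Classification
    impact: Impact

    def priority(self) -> int:
        # Ranking score (an assumption of this example): the more restricted
        # and the more harmful the data, the sooner it needs protecting.
        return int(self.classification) * int(self.impact)

def prioritize(items):
    """Return the inventory ordered from most to least urgent to protect."""
    return sorted(items, key=lambda i: (-i.priority(), i.name))

def review_flags(items):
    """Flag rows whose two columns disagree, e.g. an SSN rated low impact."""
    flags = []
    for i in items:
        if i.classification == Classification.CONFIDENTIAL and i.impact < Impact.HIGH:
            flags.append(f"{i.name}: confidential data rated {i.impact.name} impact, re-check")
        if i.classification == Classification.PUBLIC and i.impact >= Impact.HIGH:
            flags.append(f"{i.name}: public data rated {i.impact.name} impact, re-check")
    return flags

# Constructed inventory for a home PC: the two rows from the post plus a few more.
INVENTORY = [
    DataItem("Picture at company party", Classification.SENSITIVE, Impact.MEDIUM),
    DataItem("SSN", Classification.CONFIDENTIAL, Impact.CRITICAL),
    DataItem("Tax return PDF", Classification.CONFIDENTIAL, Impact.LOW),  # deliberately inconsistent
    DataItem("Resume posted online", Classification.PUBLIC, Impact.LOW),
    DataItem("Online banking password list", Classification.CONFIDENTIAL, Impact.CRITICAL),
]

def report(items=INVENTORY) -> str:
    """Render the sorted three-column list as plain text."""
    lines = [f"{'Data':<30} {'Classification':<14} {'Impact':<9} Priority"]
    for i in prioritize(items):
        lines.append(f"{i.name:<30} {i.classification.name:<14} {i.impact.name:<9} {i.priority()}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report())
    for flag in review_flags(INVENTORY):
        print("FLAG:", flag)
```

Running it prints the inventory with the SSN and the banking password list at the top and the public resume at the bottom, and flags the tax return row because a confidential document rated low impact is almost certainly a mistake in the assessment rather than a fact about the data.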

Now that you have an understanding of what you need to do, take the steps to help secure it.  Go out and buy security software that includes a firewall and an anti-virus tool.  Most of these tools will also come with an intrusion detection service; use it!  If you are using a standard Microsoft Office tool to save the data, use the encryption option within the Save As dialog to help encrypt your data.  Of course, there are other means of securing your data, and this is just a little tip.  This blog was meant to give you the basics of assessing risks.  Remember, a hacker can get into your system and gain all this information.  Assess the data and the risks and help secure them.


References:

Whitman, M. & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.
 

Tuesday, July 3, 2012

Sound Policy?

You've probably heard someone state that they have a sound policy or that they must create a sound policy.  In the past, before I had learned what it meant, I wondered what the statement actually meant.  While reading a section from a book, I even read that the first principle of NIST SP 800-14 (Generally Accepted Principles and Practices for Securing Information Technology Systems) was to establish a sound security policy as the foundation for design (Whitman & Mattord, 2010).  Well, what does it mean?

Let's start with the basics.  What does the word sound mean?  Merriam-Webster Dictionary defines the adjective (as it is used here) as: free from injury, flaw, defect, error, fallacy or decay.  It also can mean solid, legally valid, logically valid, or even deep and undisturbed (Merriam-Webster, 2012).  Most already knew that, but now let's put that with the word policy, which is a set of guidelines for employees to follow (Whitman & Mattord, 2010).


Let's put these words together and come up with a meaning for a sound policy.  A sound policy is a set of guidelines for employees to follow that is free of flaw, defect and error.  What do you think of that?  Pretty sweet explanation of a sound policy, huh!  Well, how does one get a policy which is free of flaw, defect and error?  The answer?  Using a good security management model.  A security management model provides common accepted information security principles that help a company develop a security blueprint (model) for their business.  It also helps describe what principles a security team should help integrate into a security process (Whitman & Mattord, 2010).


The National Institute for Standards and Technology and International Organization for Standardization are the two major resources for providing these types of models.  The ISO's site can be located at http://praxiom.com/.  NIST models can be found at http://csrc.nist.gov.  I suggest that if you are planning on creating a security policy that you go to one of these sites and go through their models.  Find one of the models that best suits your needs and follow it to the T.  If you do, you will find that your end result will be a sound policy!


References:

Merriam-Webster. (2012). Definition of sound. Retrieved July 3, 2012 from http://www.merriam-webster.com/dictionary/sound

Whitman, M. & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Tuesday, June 26, 2012

Security Awareness

I recently read some subject matter on some commandments of information security awareness. After looking over them, they make perfect sense to me. The one that jumped out at me was the first one: information security is a people, rather than a technical, issue (Whitman & Mattord, 2010). Why this one stood out more than the others is because it is truer than you think. Just the other day, I was speaking to someone at work and they were talking about getting their wife a birthday gift. I asked what he got her, and he told me "one of those tablet thingies from Barnes and Noble, not for sure what they are called, but that is what she wanted." I asked if it was a Nook, to which he answered yes.

I proceeded to ask him how he was getting it. He said that he had his mom and dad buy it off the Internet. I asked him why he didn't do it and he was like, "I have no clue what I am doing on the computer, but my parents know what they are doing so I asked them to get it. I just know how to check my bank statement and pay my bills." At this point, I thought I would take the opportunity to delve deeper into finding out his computer usage. I asked him if he had a computer. He said he did but only used it for what he mentioned earlier. I then asked him what kind of security he had on his computer, to which he replied, "I don't know. I think it came with something that I could have activated when I bought it, but I didn't." I proceeded to make him aware of what all could happen while he was online checking his bank account and paying his bills. He actually thought that the computer was already secure and that he did not have to do anything on his end to keep his information secure. He vowed that when he left work he would go and get the security software that I had suggested and get someone to help him set it up.

This is where he slipped up. He actually thought that the technology was already working and in place. He did not realize that it fell on him to do the actual securing of his computer. There are many like him that need to realize that they are the ones responsible for their security and not the technology that is on their computer. Yes, the technology does do its job, but only as long as the person with the technology puts it in place. My honest opinion is that a document needs to be placed in every computer box that is sold that elaborates on how to secure a computer, and the consequences of not properly securing a computer. Everyone needs to understand the first commandment of information security awareness in that it is a people and not a technical issue.

Reference:

Whitman, M., & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Monday, June 18, 2012

Policies, Hacking, and the Punishments!

In a recent discussion post that I submitted for class, I had to create an issue-specific security policy (ISSP). This strictly relates to an overall security policy for a specific area of a business; in my case it was for a home network.  Within my policy, in the limitations of liability section, I stated that any violators of the policy would not be supported by me or the home if any laws were broken.  This encompassed any user that would be using the computer or network in my home.

A student commented back to my post asking me whether, even if my daughter had brought in her husband, and he were to break the law while on my network and it was traced back to him, I wouldn't even defend him.  Well, it didn't take me long to answer.  I might be called cold-hearted for this one, but I would not defend him.  I have a feeling someone might comment asking about others in the immediate family and if I would defend them.  The short answer there is that I wouldn't have to.  My household completely understands what they can and cannot do while on the Internet.  I made it a point to teach them early and I keep pounding into their heads the outcome if they were to get caught doing something illegal.

The punishments are too big to be caught doing illegal things such as copyright infringement or hacking.  Though I am not 100% certain that these are legit, I came across some of the punishments on an online site. I can say that from what I have read about and seen on the news, the sentencing is pretty close to what they are getting.  For copyright infringement, it depends because the violations are vast, but it is 5 years in prison for the first offense and 10 for the second.  For hacking or unlawfully accessing systems, it also varies but 5 years is the minimum.  Breaching national security equals more than 10 years.  Financial information hacking equals 5 years.  Hacking and installing malicious code equals 10 years.  Threatening to harm a computer equals up to 10 years.  Some of these offenses even come with getting your privileges to use computers in the future taken away (Federal Crime Lawyer, 2010).

Again, I am unaware how accurate these are now, but those punishments should be enough to steer anyone away from doing any illegal acts while on a computer.  Thing is, it doesn't.  There are still people out there that do it on a daily basis.  I wouldn't want my network associated with such a crime.  I would not want to be considered an accomplice to the crime either.  This is why I stated it the way I stated it in the limitations of liability section of my policy.  I advise those of you who do not have a policy to create one right away to protect yourself from things such as this in the future.

Reference:

Federal Crime Lawyer. (2010). Overview of federal computer crimes. Retrieved June 18, 2012 from  http://www.federalcriminallawyer.us/2010/11/04/overview-of-federal-computer-crimes/

Monday, June 11, 2012

Managing A Simple Security Feature

Last week I spoke on all the hacking that has been going on.  Since that blog, another two big sites were hacked and millions of accounts and their passwords were put in danger.  LinkedIn and eHarmony were both hacked and users' passwords were posted on forums for the world to see (Rodriguez, 2012).  Honestly, the LinkedIn hack was much worse than many people think.  What many don't understand is that LinkedIn, like many other social sites, uses your email to connect with you.  They also allow you to connect your other sites to your account, such as your Twitter.  With the LinkedIn hack, the hackers could eventually make their way to your other accounts that you have linked to it.  If you use the same email and password for those sites, well, you probably are going to have those accounts hacked as well.

Why does this keep happening?  Everywhere you turn, you hear of some sort of new hacking going on.  My question is, can it be stopped?  If their sites are properly managed and properly secured, it could help, but what about our individual security?  Most of us have some sort of social profile such as Facebook, Google+, LinkedIn, or even MySpace.  We then link those sites to other social sites.  Are you one of the many that use the same passwords for all your sites?  If so, you are in some serious trouble for future hacking.

When it comes to dealing with your own personal security maintenance, one of the best things you could manage is your passwords.  As Michael Whitman and Herbert Mattord state in their book, Management of Information Security, technological obsolescence, which is when something technical becomes unreliable or untrustworthy, happens more than you know.  One of the many problems is with password cracks.  This is when a hacker will try to figure your password out.  They will use any means necessary to attack your password data (Whitman & Mattord, 2010).  This points to the fact that passwords are a viable security necessity.


My suggestion to you is to manage your passwords!  They must be strong or they will allow a hacker easy access.  A great site that I have always used is Microsoft's Check Your Password site.  This site allows you to anonymously enter a password into their system, and as you type it, a box telling you how strong your password is will move from 'weak' to 'best' (Microsoft, 2012) (link provided in the reference section below).  Of course, you want to see a reading of 'strong' or 'best' for your password.  You can get these readings by having variety in your password, such as upper and lower case letters and numbers.  Play around on the site until you get a 'strong' password at the least.

Another suggestion is to change your passwords often.  I have read that some places ask you to change them once a week.  That is just too many changes for me.  Yes, that might make you more secure, but just as you are memorizing your new password, it would be time for a new one.  I change mine once a month, unless I hear of some sort of hacking that has happened to a site I am involved with.  I then immediately change my password.  I would suggest you do the same.  Remember, manage your passwords, keep them strong, and change them often, and your own personal security on web sites will be just that much more secure.
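Two of the points in this post, that a meter can rate a password from weak to best by the variety of characters in it, and that reusing one password across linked accounts lets a breach at one site spill over into the others, can be checked with a few lines of code. The following is an added example of my own; it is not the Microsoft checker the post links to, and the weak/medium/strong/best thresholds are my own assumptions based only on length and character classes. The account list is constructed, and reuse is detected by comparing SHA-256 digests so the same check could be run over stored digests rather than plaintext passwords.

```python
import hashlib
import re
from collections import defaultdict

# Character classes the meter counts (an assumption of this example).
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")

def rate_password(pw: str) -> str:
    """Rate a password 'weak', 'medium', 'strong' or 'best' from its length
    and how many character classes it mixes (thresholds are this example's own)."""
    classes = sum(1 for pattern in CLASSES if re.search(pattern, pw))
    if len(pw) < 8 or classes < 2:
        return "weak"
    if len(pw) >= 14 and classes == 4:
        return "best"
    if len(pw) >= 10 and classes >= 3:
        return "strong"
    return "medium"

def reused_passwords(accounts: dict) -> dict:
    """Map each reused password's SHA-256 digest to the sorted list of sites using it."""
    by_digest = defaultdict(list)
    for site, pw in accounts.items():
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(site)
    return {d: sorted(sites) for d, sites in by_digest.items() if len(sites) > 1}

# Constructed sample: one person's logins, with one password shared across
# three sites, which is the situation the LinkedIn breach discussion describes.
SAMPLE_ACCOUNTS = {
    "linkedin": "summer2012",
    "twitter": "summer2012",
    "email": "summer2012",
    "bank": "Tr0ub4dor&3",
}

def audit(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Rate every account's password and note where it is shared with other sites."""
    findings = {site: rate_password(pw) for site, pw in accounts.items()}
    for sites in reused_passwords(accounts).values():
        for site in sites:
            others = ", ".join(s for s in sites if s != site)
            findings[site] += f" (reused on {others})"
    return findings

if __name__ == "__main__":
    for site, finding in audit().items():
        print(f"{site:>9}: {finding}")
```

The audit rates the shared password only medium and lists, for each account, the other sites that would fall with it; that second column is the one to act on first after a breach announcement, since changing the password at the breached site alone does nothing for the accounts that still share it.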

References:

Microsoft (2012). Check your password - Is it strong? Retrieved June 11, 2012 from https://www.microsoft.com/security/pc-security/password-checker.aspx

Rodriguez, S. (2012). Like LinkedIn, eHarmony is hacked; 1.5 million passwords stolen. Retrieved June 11, 2012 from http://www.latimes.com/business/technology/la-fi-tn-eharmony-hacked-linkedin-20120606,0,4578300.story

Whitman, M., & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.


Tuesday, June 5, 2012

What is up with all the hacking!

Recently, in the April issue of Linux Pro Magazine, they spoke on the hacking group Anonymous.  This is a group of activists that have been hacking and attacking sites across the Internet.  In fact, the magazine mentions that they were probably the first virtual social activism group.  They gain their numbers by posting on different chat sites and luring their future fellow activists into the group.  They then go about hacking and even just spreading gossip over the Internet (Goasguen, Hoyt, & Cooke, 2012).  I remember reading about one of their rumors back a few years ago.  If anyone is a Harry Potter fan, you will remember that before the 6th book was released, *spoiler alert for those that have yet to read and watch the movie*.....pausing so those of you can leave......OK!  It was announced on several chat sites that Dumbledore was killed.  Anonymous took responsibility for that announcement.  How did they find that out?  Well, they did!  Someone was able to hack into the computer system that Rowling had stored her book on and found that out.

Now, I wake up this morning, go to my email, and I see that I have received my daily Dark Reading material.  The top headline for today's email: U of Nebraska Breach Highlights Education In Crosshairs.  Come on!  Another big site hacked!  According to the article, no one knows who did it just yet, but what they were after is known.  Their database containing over 650,000 students, professors, and staff was hacked into.  Why is this happening?  They actually mention why in the article.  There is no emphasis put on their security.  Most universities focus just on their IT department (Chickowski, 2012).  Well, there is your problem.  I bet if you go to all the sites that have been hacked in the past, you will find that common problem.  More emphasis is put into making sure that the IT department is just functional.  No emphasis is found in their security department.

What each company needs to have is a dedicated IT security professional, and preferably a Cyber Security professional.  A Cyber Security professional is trained in helping keep a site safe while it has access to the Internet, hence the word "Cyber".  They need a person that is trained to look at every detail, every aspect, and every little piece of information before a site is put up and made operational.  Yes, there are still people out there like Anonymous that will still try to get in, but your site is going to be that much stronger and safer if you have that security professional.  Without that security professional, your site is a sitting duck!

References:

Chickowski, E. (2012). U of Nebraska Breach Highlights Education In Crosshairs. Retrieved June 5, 2012 from http://www.darkreading.com/database-security/167901020/security/news/240001240/u-of-nebraska-breach-highlights-education-in-crosshairs.html?cid=nl_DR_db-sec_2012-06-05_html&elq=a6187b4dd8544000ba508e549f16af0e

Goasguen, S., Hoyt, J., & Cooke, R. (2012). Hacked One. Linux Pro Magazine. April 2012.