Tuesday, June 26, 2012

Security Awareness

I recently read some subject matter on some commandments of information security awareness. After looking over them, they make perfect sense to me. The one that jumped out at me was the first one: information security is a people, rather than a technical, issue (Whitman & Mattord, 2010). Why this one stood out more than the others is because it is truer than you think. Just the other day, I was speaking to someone at work and he was talking about getting his wife a birthday gift. I asked what he got her, and he told me "one of those tablet thingies from Barnes and Noble, not for sure what they are called, but that is what she wanted." I asked if it was a Nook, to which he answered yes.

I proceeded to ask him how he was getting it. He said that he had his mom and dad buy it off the Internet. I asked him why he didn't do it himself and he was like, "I have no clue what I am doing on the computer, but my parents know what they are doing so I asked them to get it. I just know how to check my bank statement and pay my bills." At this point, I thought I would take advantage of the opportunity to delve deeper into his computer usage. I asked him if he had a computer. He said he did but only used it for what he mentioned earlier. I then asked him what kind of security he had on his computer, to which he replied, "I don't know. I think it came with something that I could have activated when I bought it, but I didn't." I proceeded to make him aware of all that could happen while he was online checking his bank account and paying his bills. He actually thought that the computer was already secure and that he did not have to do anything on his end to keep his information secure. He vowed that when he left work he would go and get the security software that I had suggested and get someone to help him set it up.

This is where he slipped up. He actually thought that the technology was already working and in place. He did not realize that it fell on him to do the actual securing of his computer. There are many like him who need to realize that they are the ones responsible for their security and not the technology that is on their computer. Yes, the technology does do its job, but only as long as the person with the technology puts it in place. My honest opinion is that a document needs to be placed in the box of every computer sold that elaborates on how to secure a computer, and the consequences of not properly securing a computer. Everyone needs to understand the first commandment of information security awareness: it is a people and not a technical issue.

Reference:

Whitman, M. & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Monday, June 18, 2012

Policies, Hacking, and the Punishments!

In a recent discussion post that I submitted for class, I had to create an issue-specific security policy (ISSP). This strictly relates to an overall security policy for a specific area of a business; in my case it was for a home network. Within my policy, in the limitations of liability section, I stated that any violators of the policy would not be supported by me or my household if any laws were broken. This encompassed any user that would be using the computer or network in my home.

A student commented back to my post asking whether, even if my daughter brought in her husband and he broke the law while on my network and it was traced back to him, I wouldn't defend him. Well, it didn't take me long to answer. I might be called cold-hearted for this one, but I would not defend him. I have a feeling someone might comment asking about others in the immediate family and if I would defend them. The short answer there is that I wouldn't have to. My household completely understands what they can and cannot do while on the Internet. I made it a point to teach them early and I keep pounding into their heads the outcome if they were to get caught doing something illegal.

The punishments are too big to risk being caught doing illegal things such as copyright infringement or hacking. Though I am not 100% certain that these are legitimate, I came across some of the punishments on an online site. I can say that from what I have read about and seen on the news, the sentencing is pretty close to what they are getting. For copyright infringement, it depends because the violations are vast, but it is 5 years in prison for the first offense and 10 for the second. For hacking or unlawfully accessing systems, it also varies but 5 years is the minimum. Breaching national security equals more than 10 years. Financial information hacking equals 5 years. Hacking and installing malicious code equals 10 years. Threatening to harm a computer equals up to 10 years. Some of these offenses even come with getting your privileges to use computers in the future taken away (Federal Crime Lawyer, 2010).

Again, I am unaware how accurate these are now, but those punishments should be enough to steer anyone away from doing any illegal acts while on a computer. Thing is, it doesn't. There are still people out there that do it on a daily basis. I wouldn't want my network associated with such a crime. I would not want to be considered an accomplice to the crime either. This is why I stated it the way I stated it in the limitations of liability section of my policy. I advise those of you who do not have a policy to create one right away to protect yourself from things such as this in the future.

Reference:

Federal Crime Lawyer. (2010). Overview of federal computer crimes. Retrieved June 18, 2012 from  http://www.federalcriminallawyer.us/2010/11/04/overview-of-federal-computer-crimes/

Monday, June 11, 2012

Managing A Simple Security Feature

Last week I spoke on all the hacking that has been going on. Since that blog, another two big sites were hacked and millions of accounts and their passwords were put in danger. LinkedIn and eHarmony were both hacked and users' passwords were posted on forums for the world to see (Rodriguez, 2012). Honestly, the LinkedIn hack was much worse than many people think. What many don't understand is that LinkedIn, like many other social sites, uses your email to connect with you. They also allow you to connect your other sites to your account, such as your Twitter. With the LinkedIn hack, the hackers could eventually make their way to your other accounts that you have linked to it. If you use the same email and password for those sites, well, you probably are going to have those accounts hacked as well.

Why does this keep happening? Everywhere you turn, you hear of some sort of new hacking going on. My question is, can it be stopped? If their sites are properly managed and properly secured, it could help, but what about our individual security? Most of us have some sort of social profile such as Facebook, Google+, LinkedIn, or even MySpace. We then link those sites to other social sites. Are you one of the many that use the same passwords for all your sites? If so, you are in some serious trouble for future hacking.

When it comes to dealing with your own personal security maintenance, one of the best things you could manage is your passwords. As Michael Whitman and Herbert Mattord state in their book, Management of Information Security, technological obsolescence, which is when something technical becomes unreliable or untrustworthy, happens more than you know. One of the many problems is with password cracks. This is when a hacker will try to figure your password out. They will use any means necessary to attack your password data (Whitman & Mattord, 2010). This points to the fact that strong passwords are a security necessity.

My suggestion to you is to manage your passwords! They must be strong or they will allow a hacker easy access. A great site that I have always used is Microsoft's Check Your Password site. This site allows you to anonymously enter a password into their system, and as you type it, a box telling you how strong your password is will move from 'weak' to 'best' (Microsoft, 2012) (link provided in the reference section below). Of course, you want to see a reading of 'strong' or 'best' for your password. You can get these readings by having variety in your password, such as upper- and lowercase letters and numbers. Play around on the site until you get a 'strong' password at the least.

Another suggestion is to change your passwords often. I have read that some places ask you to change them once a week. That is just too many changes for me. Yes, that might make you more secure, but just as you are memorizing your new password, it would be time for a new one. I change mine once a month, unless I hear of some sort of hacking that has happened to a site I am involved with. I then immediately change my password. I would suggest you do the same. Remember, manage your passwords, keep them strong, and change them often, and your own personal security on web sites will be just that much more secure.
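To show what a strength meter like the one described above is actually measuring, here is an added example (my own code, not Microsoft's checker or anything from the blog). It rates a password on the same 'weak' to 'best' scale by counting the character classes present (lower, upper, digits, symbols) and the length, then estimating how many guesses an attacker would need in the worst case. The rating labels and bit thresholds are constructed for this example, as is the tiny list of common passwords; it also goes one step beyond the post by showing that a long all-lowercase passphrase can outscore a short mixed-case one, and that a dictionary word with a digit tacked on still rates 'weak'.

```python
import math
import string

# Constructed for this example: a few passwords that appear in every
# leaked-password list. A real checker would use a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Rating labels modelled on the blog's description of a meter moving
# from 'weak' to 'best'; thresholds (in bits) are assumptions, not
# Microsoft's actual scoring.
RATING_THRESHOLDS = [(40, "weak"), (50, "medium"), (70, "strong")]
TOP_RATING = "best"

# Alphabet size contributed by each character class (assumed US-ASCII).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),
}


def character_classes(password: str) -> dict:
    """Report which character classes the password contains."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def estimated_bits(password: str) -> float:
    """Worst-case guessing cost: log2(alphabet size) * length.

    This is an upper bound. It assumes every character was chosen
    uniformly from the combined alphabet, which is rarely true of
    human-chosen passwords, so the blocklist check below matters.
    """
    present = character_classes(password)
    alphabet = sum(CLASS_SIZES[k] for k, found in present.items() if found)
    if alphabet == 0:
        return 0.0
    return math.log2(alphabet) * len(password)


def is_common(password: str) -> bool:
    """True if the password is a common word, ignoring case and trailing digits."""
    base = password.lower().rstrip(string.digits)
    return base in COMMON_PASSWORDS


def rate_password(password: str) -> str:
    """Map a password to 'weak', 'medium', 'strong' or 'best'."""
    if is_common(password):
        # 'Password1' has three character classes but is guessed instantly.
        return "weak"
    bits = estimated_bits(password)
    for limit, label in RATING_THRESHOLDS:
        if bits < limit:
            return label
    return TOP_RATING


if __name__ == "__main__":
    # Constructed sample inputs, none of which should be used for real.
    for candidate in ["Password1", "abcdefgh", "Tr0ub4dor",
                      "correcthorsebatterystaple"]:
        print(f"{candidate!r:30} {estimated_bits(candidate):6.1f} bits "
              f"-> {rate_password(candidate)}")
```

The thing to take away is that the meter rewards variety because each extra character class enlarges the alphabet an attacker must search, but length multiplies that cost for every character, so a long passphrase of plain words can rate higher than a short one with numbers and capitals. The blocklist check is there because no amount of variety rescues a password that is already in a cracker's wordlist.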

References:

Microsoft (2012). Check your password - Is it strong? Retrieved June 11, 2012 from https://www.microsoft.com/security/pc-security/password-checker.aspx

Rodriguez, S. (2012). Like LinkedIn, eHarmony is hacked; 1.5 million passwords stolen. Retrieved June 11, 2012 from http://www.latimes.com/business/technology/la-fi-tn-eharmony-hacked-linkedin-20120606,0,4578300.story

Whitman, M., & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.


Tuesday, June 5, 2012

What is up with all the hacking!

Recently, in the April issue of Linux Pro Magazine, they spoke on the hacking group Anonymous. This is a group of activists that have been hacking and attacking sites across the Internet. In fact, the magazine mentions that they were probably the first virtual social activism group. They gain their numbers by posting on different chat sites and luring their future fellow activists into the group. They then go about hacking and even just spreading gossip over the Internet (Goasguen, Hoyt, & Cooke, 2012). I remember reading about one of their rumors back a few years ago. If anyone is a Harry Potter fan, you will remember that before the 6th book was released, *spoiler alert for those that have yet to read and watch the movie*.....pausing so those of you can leave......OK! It was announced on several chat sites that Dumbledore was killed. Anonymous took responsibility for that announcement. How did they find that out? Well, they did! Someone was able to hack into the computer system that Rowling had stored her book on and found that out.

Now, I wake up this morning, go to my email, and I see that I have received my daily Dark Reading material. The top headline for today's email: U of Nebraska Breach Highlights Education In Crosshairs. Come on! Another big site hacked! According to the article, no one knows who did it just yet, but what they were after is known. Their database containing over 650,000 students, professors, and staff was hacked into. Why is this happening? They actually mention why in the article. There is no emphasis put on their security. Most universities focus just on their IT department (Chickowski, 2012). Well, there is your problem. I bet if you go to all the sites that have been hacked in the past, you will find that common problem. More emphasis is put into making sure that the IT department is just functional. No emphasis is found in their security department.

What each company needs to have is a dedicated IT security professional, and preferably a Cyber Security professional. A Cyber Security professional is trained in helping keep a site safe while it has access to the Internet, hence the word "Cyber". They need a person that is trained to look at every detail, every aspect, and every little piece of information before a site is put up and made operational. Yes, there are still people out there like Anonymous that will still try to get in, but your site is going to be that much stronger and safer if you have that security professional. Without that security professional, your site is a sitting duck!

References:

Chickowski, E. (2012). U of Nebraska Breach Highlights Education In Crosshairs. Retrieved June 5, 2012 from http://www.darkreading.com/database-security/167901020/security/news/240001240/u-of-nebraska-breach-highlights-education-in-crosshairs.html?cid=nl_DR_db-sec_2012-06-05_html&elq=a6187b4dd8544000ba508e549f16af0e

Goasguen, S., Hoyt, J., & Cooke, R. (2012). Hacked One. Linux Pro Magazine. April 2012.