Tuesday, July 31, 2012

Certifications!

I'll be the first one to tell you that I don't like the idea of getting certified on anything in the IT world.  Don't get me wrong, I understand why one needs to be, but I don't like what you have to go through to get certified.  You have to take a test and pay money for that test.  Many will argue that the benefits of having the certificate outweigh the costs.  This, I feel, stems from the fact that the company people work for often helps pay for the tests.  Heck, if my company offered to help pay for my testing, I would be certified out the ying-yang.  Thing is, there are also a lot of employers that do not offer this type of help.

What chaps my hide is the fact that there are many jobs now that state you must have a certificate to be hired.  Even entry-level positions such as help desk support or desktop support are requiring some sort of certification such as CompTIA A+ (basic computer skills covering hardware and operating systems).  My argument is that many people with multiple years of computer usage already have the majority of the knowledge needed to pass the A+ exam.  I feel that employers are taking advantage of people when asking them to have the A+ before they even get looked at and interviewed.  This test is basic.  If you have an Associate or Bachelor degree in IT, chances are that you have enough knowledge to pass the A+.  The thing is the cost associated with it.  At the current time, it costs $178 to take the test.  Other than their fundamental tests, this is by far the cheapest test that they offer (CompTIA, 2012).  I don't know about you, but that is too much just to have someone state that I am certified to play around on a computer.

Now, their other tests such as Security+ and Network+ are a little more detailed and require one to have knowledge in that specific area.  I can understand that if you are applying for a job in that field (Networking or Security) you need to have such qualifications.  I cannot tell you how many times I have been turned down for a job because I do not have the A+ certification.  I live paycheck to paycheck and have a problem with forking out that much money to get a certification.

Now, with that off my chest, I want to take the time out to actually state that in today's economy, you need to get certified if you plan on getting into a specific area of IT.  I completely agree with this notion.  Here are a few suggestions for you if you are planning on the Network or Security specific IT areas of work:

Security - CompTIA Security+ or the Certified Information Systems Security Professional (CISSP) or both
Networking - CompTIA Network+ or the Cisco Certified Network Associate (CCNA) or both

You can do searches for the above tests to find them and to read more about them.  I have no problem with getting certified in these areas, but when it comes to that general A+ certification, I am a bit peeved that it is a requirement for many entry-level jobs.  Good luck in your certification search.  I know I will be getting my CISSP once I am done with school and possibly the others up there as well.

Reference

CompTIA. (2012). Exam Prices. Retrieved July 31, 2012 from http://certification.comptia.org/Training/testingcenters/examprices.aspx

Tuesday, July 24, 2012

Why Firewall?

Many people I have spoken to in the past about security on their computers have asked me the same question: if I have anti-virus software on my computer, why should I even bother getting a firewall?  It isn't that tough of a question to answer.  Yes, you should use anti-virus software, but what good is it without a firewall?  Without a firewall, your computer is just sitting out there on the Internet saying, here I am, come and get me.  You need that firewall!

Let's tackle a quick question here.  What is a firewall?  A firewall is what it sounds like.  It is a wall, but it isn't made of fire.  It is a device, either hardware or software, that sits on a computer or network and prevents or blocks information from entering or leaving it (Whitman & Mattord, 2010).  There are many types of firewalls out there on the market, but it would take too much time to discuss them all here, so I am just going to stick with the basics.

[Image: firewall diagram showing the Internet, a brick wall, and a computer behind it] (Smart PC Support, 2012)

Take a look at the above picture.  This gives a general idea of what a firewall does.  The Earth is pictured here as the Internet.  There is a wall (the firewall) and then your computer behind it.  A firewall has rules, or in this case bricks, that define how it is to react to certain information.  If the information trying to get in has been deemed inappropriate or unwanted by your computer, it will deflect it and keep it out (red arrows).  If the information coming in is wanted, it will get through (green arrow).

OK, now that you understand what a firewall does, can you see why you need it?  An anti-virus tool can only sit behind that firewall.  It waits to see if anything does get through that is not allowed and then it takes care of it.  Without a firewall, all information will get in.  There is no wall.  There is no deflection.  It doesn't take me long to describe this to my friends and family that ask why they really need a firewall.  Without it, your computer will let everything in.  Do you want that?  I don't think so!
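As an added illustration (not code from this post or from any firewall product), the following Python toy models the wall-of-bricks idea: a brick you placed on purpose or a reply to a connection you started passes (green arrow), unsolicited traffic is deflected (red arrows), and a machine with no firewall accepts everything. All addresses and ports are constructed examples.

```python
# Toy packet filter modelling the post's picture: bricks are rules, wanted traffic
# passes, unwanted traffic is deflected. Added illustration, not a real product's
# code; the hosts and ports below are constructed examples.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str      # remote host out on the Internet
    sport: int    # remote port
    dport: int    # port on your computer the packet is aimed at
    proto: str = "tcp"

@dataclass
class Firewall:
    # Bricks you placed on purpose: (proto, local port) pairs you chose to expose.
    allow_inbound: set = field(default_factory=set)
    # Connections your computer started; their replies are the "wanted" traffic.
    flows: set = field(default_factory=set)

    def outbound(self, remote, remote_port, local_port, proto="tcp"):
        """Remember a connection you initiated so its reply can be recognised."""
        self.flows.add((remote, remote_port, local_port, proto))

    def inbound(self, pkt):
        """Decide what happens to a packet arriving from the Internet."""
        if (pkt.proto, pkt.dport) in self.allow_inbound:
            return "pass"      # green arrow: a service you chose to expose
        if (pkt.src, pkt.sport, pkt.dport, pkt.proto) in self.flows:
            return "pass"      # green arrow: reply to something you asked for
        return "deflect"       # red arrow: unsolicited, it hits the wall

def no_firewall(pkt):
    """The post's 'no wall' case: nothing is inspected, so everything gets in."""
    return "pass"

def demo():
    fw = Firewall(allow_inbound={("tcp", 445)})   # file sharing you deliberately enabled
    fw.outbound("203.0.113.10", 80, 50000)        # you browsed to a web server
    reply = Packet("203.0.113.10", 80, 50000)     # the web server answers you
    stranger = Packet("198.51.100.7", 4444, 3389) # unsolicited knock on remote desktop
    return {
        "reply_with_firewall": fw.inbound(reply),
        "stranger_with_firewall": fw.inbound(stranger),
        "stranger_without_firewall": no_firewall(stranger),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```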

I'm not going to go into detail about what kind of firewall you should get, because chances are that if you have anti-virus software, you might already have that firewall.  Most firewalls nowadays come bundled with anti-virus software.  Check the case that your anti-virus software came in and see.  If it does not include one, then I do advise buying one, preferably from the same manufacturer as your anti-virus software.  Just go to their site and find a way to get it, because you need it.

If you want more information on firewalls and to get an idea of what product to pick up, you can go to the link I provide here: http://personal-firewall-software-review.toptenreviews.com/.  This is packed with more information and an interactive graph that will allow you to choose what ratings you want to see.  Just click on the Firewall Performance link.  Check it out and get that firewall!

References

Smart PC Support. (2012). Image borrowed from their site at http://www.smartpcsupport.net/firewall.html

Whitman, M. & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Wednesday, July 18, 2012

Risk Control!

Last week, my blog spoke on identifying and assessing the risks that you have on your computer.  Hopefully, you have gone through and done just that.  Now is the time to control those risks.  You can do this by one of four strategies: avoidance, transference, mitigation, or acceptance.  These four are listed in order, from a proactive stance (taking care of a problem before it happens), from strongest security to weakest:

Avoidance is the strategy that uses safeguards to help eliminate or reduce your uncontrolled risks.

Transference is the strategy that allows you to shift risks to other areas.

Mitigation is the strategy that helps reduce impact if an attacker successfully exploits a vulnerability.

Acceptance is the strategy, well, it isn't even a strategy in my opinion, because it is simply understanding the consequences of deciding not to control your vulnerabilities (Whitman & Mattord, 2010).

My honest opinion is to use the strategy of avoidance.  Within this strategy, you apply some sort of policy.  This helps control and manage procedures that everyone must follow.  You also allow and apply education and training to all those involved with the security of your computer.  Within this strategy, you counter your threats by using defense mechanisms such as your security controls and safeguards (Whitman & Mattord, 2010).

Transference and mitigation both come with risks.  Transference allows you to take your problems and push them somewhere else.  The main concern is outsourcing.  Are you going to trust your risks in the hands of someone else?  I sure won't.  I plan to manage them myself.  Mitigation just allows you to plan for issues through the use of specific plans such as an incident response or disaster recovery plan (Whitman & Mattord, 2010).  I don't know about you, but I want to make sure those risks are taken care of now and not find out later that a control did not work.  Don't get me wrong, I am all for creating these plans, but you need to be proactive and reactive, not just reactive.

If you decide to go with acceptance as your strategy, be forewarned that you will be susceptible to attacks.  This is, in my opinion, a choice to do nothing to protect your assets.  If you choose to go this route, say hello to hackers such as Anonymous taking control of your system.  You will be very easy to hack.  I will be honest, I will not be sorry for anyone taking this route and then losing all their important data.  Control your risks by implementing a secure strategy.

Reference

Whitman, M. & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Tuesday, July 10, 2012

Identifying Risks!

I have hacked your system and I have all your information.  I'm looking at your SSN, address, credit card numbers, and all other personal data.  I'm laughing at that picture of you at what looks like a company party. Your system was just too easy to hack.  Why did you allow me into your system?  Did you not assess your data and realize that you had very personal and confidential data on your system?  Of course, the preceding sentences are not true.  I am just trying to get your attention.  Did I?  Good!  Let's proceed.

I bet the majority of you reading this blog have some very important information and data stored on your computers.  In fact, there is probably some very confidential data there as well.  You don't want that data stolen, do you?  What you need to do is a Risk Identification.  This is where you go through all the data stored on your computer and prioritize it based on its importance to you.  Thing is, it is very tedious due to all the data on your computer, but it is absolutely necessary to help you identify any weaknesses with that data and the threats that are present against it (Whitman & Mattord, 2010).

First, look at all the data that is located on your computer.  Don't start prioritizing the list, just jot down the data.  You should have information jotted down such as your files, pictures, and personal information, among many other things.  Now, look at the list and start classifying that data as confidential (pretty much for your eyes only), sensitive (could harm you if the wrong person gets a hold of it, but not quite confidential), or public (everyone can view this data).  You should now have two columns: your data along with its classification.  The last column you should make is the impact that data has on you.  It can be critical (will harm you if in the wrong hands), high (the potential to harm you is still very high in the wrong hands), medium (not too harmful, but watch who you give it to), or low (shouldn't hurt you if put in anyone's hands).  Examples follow:

Picture at company party - Sensitive - Medium
SSN - Confidential - Critical

I'm hoping that if you have your SSN on your computer you are treating it as a confidential and critical piece of information, because if you are not, you are in for a rude awakening if you are hacked.

Now that you have an understanding of what you need to do, take the steps to help secure it.  Go out and buy security software that includes a firewall and an anti-virus tool.  Most of these tools will also come with an intrusion detection service; use it!  If you are using a standard Microsoft Office tool to save the data, use the encryption option within the Save As dialog to help encrypt your data.  Of course, there are other means of securing your data; this is just a little tip.  This blog was meant to give you the basics of assessing risks.  Remember, a hacker can get into your system and gain all this information.  Assess the data and the risks and help secure them.

References:

Whitman, M. & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Tuesday, July 3, 2012

Sound Policy?

You've probably heard someone state that they have a sound policy or that they must create a sound policy. Before I learned what it actually meant, I wondered what that statement really meant.  While reading a section from a book, I even read that the first principle of NIST SP 800-14 (Generally Accepted Principles and Practices for Securing Information Technology Systems) is to establish a sound security policy as the foundation for design (Whitman & Mattord, 2010).  Well, what does it mean?

Let's start with the basics.  What does the word sound mean?  Merriam-Webster Dictionary defines the adjective (as it is used here) as: free from injury, flaw, defect, error, fallacy or decay.  It also can mean solid, legally valid, logically valid, or even deep and undisturbed (Merriam-Webster, 2012).  Most already knew that, but now let's put that with the word policy, which is a set of guidelines for employees to follow (Whitman & Mattord, 2010).

Let's put these words together and come up with a meaning for a sound policy.  A sound policy is a set of guidelines for employees to follow that is free of flaw, defect and error.  What do you think of that?  Pretty sweet explanation of a sound policy, huh!  Well, how does one get a policy which is free of flaw, defect and error?  The answer?  Using a good security management model.  A security management model provides commonly accepted information security principles that help a company develop a security blueprint (model) for their business.  It also helps describe what principles a security team should integrate into a security process (Whitman & Mattord, 2010).

The National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) are the two major resources for providing these types of models.  The ISO's site can be located at http://praxiom.com/.  NIST models can be found at http://csrc.nist.gov.  I suggest that if you are planning on creating a security policy, you go to one of these sites and go through their models.  Find the model that best suits your needs and follow it to a T.  If you do, you will find that your end result will be a sound policy!

References:

Merriam-Webster. (2012). Definition of sound. Retrieved July 3, 2012 from http://www.merriam-webster.com/dictionary/sound

Whitman, M. & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.