Tuesday, October 22, 2013

A Company's Biggest Risk!

What is your company’s biggest risk?  Many would probably say that it is the fact that they do business over the Internet.  Being connected to the Internet and conducting all of your transactions online is a big risk, but is it the biggest?  I recently read an article in Security magazine entitled People – Your Most Important Asset and a Significant Risk.  The article discusses how important employees are to a company and what they do for it.  It also points out that, because of human nature, people are a significant risk to the company.  I would have to agree that they are not only a significant risk but the biggest one.  Why?  Because we have the ability to think and act for ourselves.

Sit back and think about how you would program a robot to guard the front door of your company.  You could probably program that robot to guard the door better than any person ever could.  The robot would follow its programming exactly: it would check every security requirement, and it would not let anyone in who was not authorized.  Now put yourself in the robot's shoes.  Someone comes in and strikes up a conversation with you.  Being friendly, you talk back, and the conversation runs long.  You begin to feel comfortable with that person, and you decide he or she can be let in.  Even if that person was no threat, you just committed a serious security violation against your company; you let someone in based on rapport rather than authorization.  What if that person was a social engineer?  They just did their job and got past you.  A robot would not have allowed it.

People come with flaws.  None of us is perfect, and more often than not, people make more mistakes than computers do.  Companies take a huge risk relying on people to do their jobs for them because of the mistakes we can and do make.  People key data into databases incorrectly more often than you can imagine (trust me; I know this because I work at a DBA helpdesk).  Even though most of the article I referenced focuses on new hires rather than longer-tenured employees, its main point still stands: employees in general are a significant risk to the company.  When companies review their risks, they must not forget their employees.  They are by far, in my opinion, the biggest risk that a company has to deal with.

Reference:

Brennan, J., & Mattice, L. (2013). People – your most important asset and a significant risk. Security Magazine, August 2013, p. 28.

Saturday, August 17, 2013

My User ID And Password Is.....

Have you ever struck up a conversation with a stranger, someone you knew nothing about?  What if I told you that you might have given that stranger your user ID and password to all of your data?  No, you didn't come out and say, This is my user ID and this is my password!  But if you told that stranger anything about yourself, where you are from, what you do for a living, your wife's name or other personal details, you may have lit the fuse for them to work out what you use as your user ID and password for particular sites or even for your computer.  Now you are saying, Nope, I don't use personal information for that type of stuff.  Well, chances are, you do!  Most people choose a user ID and password they will remember easily, which means they build them from information in their personal lives: names, birthdays, hometowns, pets and teams, often with a year or a digit tacked on the end.

There is a group of people out there who call themselves social engineers.  They are trained in the art of human hacking.  To borrow from Star Wars, the force is strong with them when it comes to gathering as much information about someone as they can, so that they can hack their way into that person's life.  This might sound scary, and honestly, it should make you think twice about what you share with others.  The good news is that there are several sites that help you understand social engineering, the tools that are used and how to defend against it.  Some of them are:

(LifeHacker) http://lifehacker.com/5933296/how-can-i-protect-against-hackers-who-use-sneaky-social-engineering-techniques-to-get-into-my-accounts

(CSO Online) http://www.csoonline.com/article/514063/social-engineering-the-basics

(Cisco) http://www.cisco.com/web/about/security/intelligence/mysdn-social-engineering.html

Those are only a select few of thousands of sites, but the three above explain what social engineering is and how to defend against it at a level anyone should be able to follow.  Social engineering is an effective tool for finding out information about other people.  Don't let someone hack their way into your life by figuring out your user ID and password.  Defend against social engineering on a personal level before you find out that you are living in another state with another spouse and kids that aren't even yours!
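
To make the point concrete, here is an added example (not part of the original post, and not taken from any of the sites linked above) of how a few facts from one friendly conversation turn into a targeted password guess list, the approach that profiling tools automate.  The profile is a fictional person, and the suffix list and substitution table are assumptions about common habits; everything in the block is constructed for illustration.

```python
import itertools

# Constructed profile of a fictional person: the kind of detail a stranger
# could pick up in one conversation (assumption; not a real person).
PROFILE = {
    "first": "Mike",
    "last": "Turner",
    "spouse": "Sarah",
    "hometown": "Omaha",
    "team": "Huskers",
    "pet": "Rex",
    "birth_year": 1979,
}

# Single-character substitutions people think make a word "strong".
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def word_variants(word):
    """Casing and leet-speak forms of one seed word."""
    low = word.lower()
    forms = {word, low, low.capitalize(), low.upper()}
    forms |= {f.translate(LEET) for f in list(forms)}
    return forms


def suffixes(birth_year, current_year):
    """Digits and symbols people append to a memorable word (assumed list)."""
    out = {""}
    for year in (birth_year, current_year, current_year - 1):
        out.add(str(year))
        out.add(str(year)[-2:])  # two-digit year, e.g. "79"
    out |= {"1", "123", "!", "1!", "#1"}
    return out


def seed_words(profile):
    """Words worth trying, derived only from what the profile contains."""
    seeds = [v for v in profile.values() if isinstance(v, str)]
    seeds.append(profile["first"] + profile["last"])      # MikeTurner
    seeds.append(profile["first"][0] + profile["last"])   # MTurner
    return seeds


def build_wordlist(profile, current_year=2013):
    """Targeted guess list: every seed variant, alone or paired, plus suffixes."""
    seeds = seed_words(profile)
    sufs = suffixes(profile["birth_year"], current_year)
    candidates = set()
    for seed in seeds:
        for form in word_variants(seed):
            for suf in sufs:
                candidates.add(form + suf)
    # Two-word combinations such as spouse+pet or first name+team.
    for a, b in itertools.permutations(seeds, 2):
        for fa in (a.lower(), a.capitalize()):
            for fb in (b.lower(), b.capitalize()):
                for sep in ("", "_", "-"):
                    for suf in sufs:
                        candidates.add(fa + sep + fb + suf)
    return candidates


def guessable(password, profile, current_year=2013):
    """True if the password falls inside the targeted list for this profile."""
    return password in build_wordlist(profile, current_year)


if __name__ == "__main__":
    for pw in ("Sarah1979", "r3x!", "Sarah_Rex12", "correct horse battery staple"):
        verdict = "guessable" if guessable(pw, PROFILE) else "not in list"
        print(f"{pw!r}: {verdict}")
```

The defensive use is to run your own details through it: if any password you use appears in a list of a few thousand candidates built from what a coworker or bar acquaintance knows about you, it is not really secret.  Most login pages throttle or lock out repeated guesses, but a list this small takes seconds to try offline against a leaked password hash, which is where these guesses usually end up.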

Sunday, April 28, 2013

What is Information Warfare?

Throughout the last six weeks in my current class at Bellevue University, Information Warfare, I have been asked to look at a few of the many definitions of warfare, compare them to each other, and compare each of them to definitions of information warfare (where they were not already definitions of information warfare).  It has got me wondering: why are there so many views and definitions of warfare, and of information warfare for that matter?  Is it because one person just doesn't like the definition another person has given?  Is it because the topic is so vast?  Shouldn't warfare simply be conflict between two or more parties?  You would think that so many definitions would make it harder to understand what warfare, and information warfare, really is.

Let's look at it from a historical standpoint.  A hundred years ago, we did not have the weapons we have today.  Armies had guns and cannons; some rode into battle on horseback and others ran in on foot.  Over the years, war has added many different types of weapons: vehicles, bigger guns, tanks, planes, nuclear weapons and now computers.  Yes, computers are now being used as weapons.  Remember Stuxnet?  It was a worm built to find the centrifuges at a uranium enrichment plant overseas and destroy them by sabotaging the industrial controllers that spun them.  It was carried in on USB flash drives, which let it reach computers that were never connected to an outside network, and from there it spread across the plant's internal network (New York Times, 2011).  The fact is, weapons are getting bigger and better.  As long as the weapons keep changing, so should the definition of warfare and now information warfare, which is what Stuxnet was.

My honest opinion is that the definitions of warfare, and even of information warfare, keep changing because the field itself changes constantly and the definitions are just trying to keep up.  Some of them, in my opinion, do not do the topic justice, but others put the whole topic into perspective.  I'm not going to list them here; there are just too many.  Do a Google search for "Information Warfare" AND "Definition" and you will get many results.  Decide for yourself which is best, but my advice to you, the reader, is to keep an open mind about the definitions you find.  Information warfare happens on a daily basis.  Computers attack computers, and information in some way, shape or form is used in these attacks.

If I were to give my own definition of information warfare, it would have to encompass both information and computers: something such as using the software and hardware of one computer to attack the hardware or software of another computer.  Some would say that this definition does not cover the entire topic of information warfare, and that it leaves out non-computer information.  Well, consider this: how can a paper document attack another paper document?  It physically cannot.  What is written on one paper might defend a position while the other paper disputes it.  Is that information warfare?  It could be.  The thing is, in this writer's mind, it does not capture the true meaning of warfare, which is war against an enemy.  I'm not quoting anyone there; it is the general definition found in the dictionary.  Nor is it war: conflict through force of arms between multiple parties, which again is a definition that can be found in the dictionary.  Because warfare means conflict between people with force, I am not going to agree that a paper can attack a paper.

In conclusion, it is up to the reader whether to agree with my view of information warfare.  Everyone will have their own opinion, and they are entitled to it.  Keep in mind, when you are reading about information warfare, what warfare really is.  That will let you read a definition and judge whether it truly is a good definition of information warfare.  Yes, the times have changed, but the major weapon being used is the computer.  Computers are what attack and defend important information.  That is the true nature of information warfare.

References:

New York Times (2011). Israeli test on worm called crucial in Iran nuclear delay. Retrieved June 19, 2012, from http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all

Thursday, January 24, 2013

Security!

My current class covers the topics of physical, personnel and operations security.  Throughout this class, I have touched on several subjects I had already been introduced to in my current job.  So far, the discussions have been about security in fields other than the cyber field!  Nowadays I am used to being asked why this class is even a requirement of my degree (I get the question when I tell family and friends what class I am in and what degree I am pursuing).  It has come up so often in the past month that I have finally decided to write a blog post on why it matters so much to the cybersecurity field.

Security of all shapes and sizes is needed to secure your business or home as a whole.  In your home, you probably have at least one computer.  Would you leave the doors unlocked?  No, you would lock them so that no one could steal the computer.  That is physical security.  Even though you have a user ID and password on your computer, you need that physical security to keep the computer safe from theft; the password stops a thief from logging in, not from carrying the machine away.  Departments throughout a business have different types of security they must follow as well.  You can't expect them to put your information in a file and leave it on top of a cabinet where anyone can walk in and look through it.  They also must follow privacy laws that require them to keep information such as your address and Social Security number private.  Cybersecurity wouldn't be what it is without these other types of security in place to keep it safe.

Laws must be followed.  Laws are a part of security, and they are built into each of these fields.  You can't have cybersecurity without laws.  See where I am going?  The laws have to be followed before you can secure anything: personnel files, computers and even a building.  While learning about these types of security, I am also learning the laws behind what is right and what is wrong.  Here is a quick example.  Say you want to put up closed-circuit television (CCTV) on your business's public parking lot.  You have to look into the laws governing CCTV before you place cameras on the lot.  Remember, security can't happen on its own; it needs the people within it to understand the laws that make it possible!