Friday, May 23, 2014

The End (Part 2)

Week 12

Over a year and a half ago, I posted a blog entitled The End.  That blog discussed the class that was finishing at the time (Information Security Management).  Well, it is now the end of not just another current class but also my MS in Cybersecurity degree.  I have learned a lot over the course of the past 2 years.  I will have to say that I have a much stronger understanding of everything that goes on behind the scenes to make a company more secure, not just in the network but as a whole.  Some classes were great; others were not.

If I were to have to pick a class that was the hardest on me, it would have to be Computer Forensics.  The reading and writing in that class was by far the hardest to put my head around.  The class that I would have to choose as the easiest on me would have been none of them but my favorite was Risk Management Studies.  Being able to look at risks in a different light than I already was really made me respect the topic much more than I already did.

Going into my final class (Current Trends in Cybersecurity), I would have to say that I wish I would have known more about threats; threat modeling in general.  Jumping right into this subject in the first week got me very worried that I was not ready for it, but I overcame the fears and was able to learn the subject matter.  Threat modeling was by far the hardest part of the class.  I feel that if I would have had the proper text material, it would have been easier for me, but with the lack of material, it was not that fun to deal with.

If I could do it over, I would have worked it to only take Current Trends by itself in the final session rather than taking another heavily active class.  Taking just the one class would have helped calm my nerves down during the weeks while doing my research for both classes.  Even though all classes built up to the Current Trends class, it did work out for me in the long run taking the one I did along with it (Security Architecture & Design).  The two classes built off the same scenario so I had the scenario fresh in my mind on a weekly basis.

Overall, the Cybersecurity degree at Bellevue University is not for the faint of heart, so to speak.  I went into the degree thinking that it was going to be more of just IT Security subjects.  Cybersecurity is an entire view of IT security.  It encompasses everything dealing with IT security and even physical security.  The word of advice to those that think they are getting into an easy degree; you are not.  Not that I came into this degree thinking that; I just felt that with my experience with IT security, I would do just fine.  I will say, though, that this was one of the best decisions I have ever made.  This degree has taught me everything I wanted to know and more.

Saturday, May 17, 2014

Bring Your Own Device AKA BYOD

Week 10

Something that has been a growing trend of late is Bring Your Own Device (BYOD).  Companies are allowing their employees to bring a device from home to use and connect to their network.  You probably see this more than you think.  Phones and tablets are two of the most used devices that people bring and use while at work.  The downside to this, in my opinion, is the fact that they must use the company's wireless connections.  This can open up their network for serious security threats.  If a company is not set up properly, they can end up causing more damage by allowing BYOD.

I, for one, am not fond of this technology.  A company network normally has some sort of confidential or sensitive information.  If that part of the network is exposed to the Internet through a device, it could have huge ramifications for that business.  Let me just use a specific scenario to get your attention.

Joe brings in his Samsung Galaxy 5.  On his break, he decides that he wants to get on his phone and play some sort of game (app).  The wireless connection allows his phone to connect to it so that his apps can process correctly.  While Joe is playing an app, a link shows up offering him a game for free.  Joe clicks on the link and begins the download.  Little does he know, a virus is slowly making its way onto his phone.  Now, the virus is on his phone and the company's network is exposed to it because the company's wireless connection was used.  The virus is now slowly creeping onto the company's network.  The network has now been infected with a virus.  The network's data is now compromised.

Not a good scenario, is it?  Let's just say that this is what could happen if the company does not have a proper security process in place for BYOD.  One of the first things you should do prior to allowing BYOD is to perform a risk assessment on the network to find the most vulnerable areas so those can be secured properly.  You also need to ask the questions, 'Why should we allow BYOD?' and 'Is it beneficial to the business?'  If the only answer to the first question is to allow employees to do something during break, you honestly don't need to be allowing it.  If the second question's answer is 'No', again, it shouldn't be allowed.

When it comes to securing BYOD, there is an awesome whitepaper written by Bradford Networks that discusses 10 steps in general to securing BYOD.  The 10 steps are:

  1. Determine which mobile devices are allowed on the network - Are you going to allow phones only or both phones and tablets?  Also, are you going to allow outside laptops?
  2. Determine which OS versions are going to be allowed - Microsoft? Linux? UNIX?
  3. Determine which applications are mandatory and prohibited for each device - Are you going to allow only company apps or gaming as well?
  4. Determine which groups of employees will be allowed to use BYOD - All? Management? Security?
  5. Define the who, what, where and when of network access - Who will be able to access what content from where and when they are able to access it.
  6. Educate employees about BYOD - Make sure employees know the hazards of using BYOD and what they can do to defend against them.
  7. Inventory authorized and unauthorized devices - Find out what devices are being used and if they are authorized or unauthorized.
  8. Inventory authorized and unauthorized users - Determine if the users that are using the devices are authorized or unauthorized to use them.
  9. Control access based on the need to know - Limit access to areas just as you have it set up in your directory.  Security gets to see security.  HR gets to see HR.  
  10. Continuous vulnerability assessment and remediation - Continuously monitor BYOD to make sure all policies and procedures are being followed.
          (Bradford Networks, 2011)
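
Here is how steps 1 through 5 and 7 through 9 could look as a single admission check run when a device asks for network access. This is an added example, not code from the Bradford Networks whitepaper; the policy values, device identifiers, group names and field names are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample policy; all names and values are assumptions for illustration.
POLICY = {
    "device_types": {"phone", "tablet"},                    # step 1
    "min_os": {"android": (4, 4), "ios": (7, 1)},           # step 2
    "prohibited_apps": {"free-game-installer"},             # step 3
    "byod_groups": {"security", "hr"},                      # step 4
    "segments": {"security": {"security"}, "hr": {"hr"}},   # steps 5 and 9
    "hours": range(7, 19),                                  # step 5 ("when")
}
# Steps 7 and 8: inventory of authorized devices and the user each belongs to.
INVENTORY = {"02:00:00:00:00:01": "joe", "02:00:00:00:00:02": "ann"}

@dataclass
class Request:
    device_id: str
    user: str
    group: str
    device_type: str
    os_name: str
    os_version: tuple
    segment: str          # part of the network being requested
    hour: int             # local hour of the request, 0-23
    apps: set = field(default_factory=set)

def violations(req, policy=POLICY, inventory=INVENTORY):
    """Return the list of failed checks; an empty list means admit."""
    failed = []
    if req.device_type not in policy["device_types"]:
        failed.append("step 1: device type not allowed")
    min_os = policy["min_os"].get(req.os_name)
    if min_os is None or req.os_version < min_os:
        failed.append("step 2: OS or version not allowed")
    if req.apps & policy["prohibited_apps"]:
        failed.append("step 3: prohibited application installed")
    if req.group not in policy["byod_groups"]:
        failed.append("step 4: group not enrolled in BYOD")
    if req.segment not in policy["segments"].get(req.group, set()):
        failed.append("steps 5/9: segment outside need to know")
    if req.hour not in policy["hours"]:
        failed.append("step 5: outside permitted hours")
    if req.device_id not in inventory:
        failed.append("step 7: device not in inventory")
    elif inventory[req.device_id] != req.user:
        failed.append("step 8: user not authorized for this device")
    return failed
```

Returning every failed check instead of stopping at the first one gives the help desk and the step 10 monitoring a full picture of why a device was turned away.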

These steps will help secure BYOD better than it probably already is.  You can follow the link in the reference section for more detailed information about each step.  Don't just set up your network and allow employees to bring in their own devices without first going through the proper steps to secure your network.  You do not want what happened to Joe's company happening to you.    

Reference:

Bradford Networks. (2011). Ten Steps To Secure BYOD. Retrieved May 17, 2014 from http://www.cadincweb.com/wp-content/uploads/2012/04/CAD_BRAD_Ten_Steps_to_Secure_BYOD.pdf

Saturday, May 10, 2014

Anti-Virus Software is Dead!

Week 9

According to the former U.S. Chief Technology Officer, Aneesh Chopra, anti-virus software is dead!  Earlier this week, during an interview, Chopra mentioned that the technology is dead because most of the hackers are able to get into a network and its computers because the programs written for the software are too big and cumbersome.  They are millions of lines of code, but yet an attacker can just write a few hundred lines and get in (Chopra, 2014).

The point to be made here is that the software is not doing its intended job.  It is being found that more and more hackers are getting into networks and devices than before.  Even with anti-virus software located on the devices, they are still getting in.  Too many people are relying on simply that software to keep them safe.  They are not doing anything on their end to keep them safe.  They are relying on the software 100%.

This now brings up the question; If anti-virus is dead, why are we still buying it?  This shouldn't be a hard question to answer.  Devices still need to monitor the many common virus signatures that are out there.  They can do this with the anti-virus software.  That is what the software is for.  Thing is, it isn't there to hold your hand and tell you that you don't need to do anything else to keep your computer safe because it will do everything for you.  If you believe that the only thing that you need to do is to install the software and walk away, you are dead wrong.  The software cannot do everything for you.  Yes, you can set up the policies within the software but it will not keep you 100% secure.  In fact, nothing can keep you 100% secure.

So what else do you need to do when it comes to securing your system?  Chopra does mention that better password management and watching where you click on the Internet are good starts.  He is right.  I cannot tell you the amount of people I have spoken to in the past that have used a very easy password such as 'password' or even 'pw1234'.  It is ridiculous!  How can you feel safe with that password?  Those are some of the first ones that a hacker will try after they have made it onto your system.  If you can't think of anything good when it comes to a password, use a password generator.  Set the character length and make sure it has a symbol or two and generate it.  Don't write it down somewhere.  Keep it in your mind and memorize it.

Clicking on links on the Internet can end up being very dangerous.  'Look, I can get a free Xbox One if I fill out this survey!'  'Let me just click this link to go and take it.'  Now you have a virus installing in the background destroying everything in its path.  It is that simple folks!  If the deal looks too good to be true, chances are it is.  If you have never heard of the site, don't go there.  Research it first and determine if it has a good reputation.

I keep anti-virus software on my computer and up to date.  Am I going to get rid of it or stop buying it because it is dying out?  No!  I am going to continue buying it, plus doing all the other things that I need to do to help take the load off of it.  Managing my passwords and changing them regularly.  Also, watching where I go and click on the Internet is always something that I have done and teach to others.  Don't take this news as you should stop using an anti-virus software.  Take it as a push to beef up the way you maintain your other security actions while you are on your computer.

References:

Chopra, A. (2014). Is anti-virus dead? Former U.S. tech czar weighs in. Retrieved May 10, 2014 from http://www.cnbc.com/id/101643106