I made it through all the weeks to
week 12! This class has been exciting, informative, and very stimulating. Believe
it or not, the most difficult part of this course was developing my own threat
model. The feedback from the professor and my classmates helped tremendously to
help me stay on track! One of the best parts of this class was the ability to
review other classmates’ assignments. This gave me a great opportunity to learn
from others in the class. I believe this class will help to push me into the
cyber security world in the company I work for, and I know the objectives and
concepts taught in this class will be a great starting point for me. I know
that I can now analyze the various elements of an information system, conduct
an analysis for risks, threats, and vulnerabilities, and develop a process
model to help identify the existing and future threat landscape.
This blog assignment was one of my
favorites, as it gave me an opportunity to explore other topics related to
current trends in cyber security, and to post my thoughts and opinions. I now
browse through several online sites weekly in search of the latest news related
to the world of cyber security, and this is a habit I will continue long after
the class is over. One of my preferred online sources is Security Week. This
online magazine was ablaze this week as the European Union’s new data
protection rules went into effect. The EU’s General Data Protection Regulation
(GDPR) seems to have far-reaching effects, as I have been receiving a large
number of emails and mail with privacy update notices. This new law is supposed
to provide greater protection of people's online information, but as with many
other consumers, I am skeptical. I appreciate that individuals must explicitly
grant permission for their data to be used, but believe big companies will soon
find loopholes or other ways around it. Read more here: https://www.securityweek.com/eus-new-data-protection-rules-come-effect.
Now that we have the EU’s GDPR in
effect, how about someone start working on protecting us from the real bad guys?
I mean, it’s great that the GDPR is focused on big companies like Facebook,
WhatsApp, and Twitter, but is it going after the hackers and other illegal actors
on the cyber security stage? The news is currently highlighting the attack by alleged
Russian hackers who have infected at least 500,000 routers and storage devices
in over 50 countries. Now the FBI is warning that the attackers could collect
user information or shut down network traffic on these home and office routers.
Read more here https://www.reuters.com/article/us-usa-cyber-routers/fbi-warns-russians-hacked-hundreds-of-thousands-of-routers-idUSKCN1IQ2DY
and here https://www.securityweek.com/us-disrupts-russian-botnet-500000-hacked-routers.
Now that we’ve potentially ordered big corporations to place better security
measures to comply with the GDPR, we need to also invest even more time and
resources into going after the bad guys, and stopping them before they can
attack.
My final entry for this class is a synopsis
of a really good article on Security Week by Joshua Goldfarb. He talks about
the 10 security behaviors that anger us. It is one of the most commonsense pieces
of security advice I’ve read in a long time. One of the 10 security behaviors is
firefighting, where a security team seems to be running from one emergency to another.
Companies often bring this upon themselves, when they refuse to threat model,
or to hire enough properly trained IT professionals. The result is a reactive
one, where the security team has to put out endless ‘security’ fires. Another
security behavior is probably the most common one: writing down passwords. We
all know that writing down passwords is considered a terrible security habit. Yet,
our password policies dictate that we create complex passwords that include
upper and lower case letters, mixed with numeric and special characters, and with
a particular length. If we didn’t write down our passwords somewhere, we’d be
kicked out of our computer systems constantly. Companies need to help us with
password management systems so we can keep track of all these unique passwords
we need. You can read the full article at https://www.securityweek.com/10-security-behaviors-anger-us.
Monday, May 28, 2018
Friday, May 18, 2018
The Action Plan CYBR650 Week 10
Week 10 feels good as we near the
finishing line of this class. The assignments are really empowering, as they
have been helping me to understand a part of our company business that I’m not
usually involved in. Developing the action plan really helped me to get a
better appreciation of our IT team. The action plan is a crucial document that
could go a long way in mitigating the risks that have been identified. I
believe one of the challenges our IT folks face is (sometimes) their inability
to communicate their findings in the kind of verbiage that upper management
(who are often not technical) understands. This is such a vital piece of the
equation; if the action plan properly conveys to management how you conducted
your assessment, along with your results and the plan to address the threats,
vulnerabilities, and risks, chances are management would approve it. The
learning objectives for these two weeks (9 and 10) gave us the opportunity to
review and provide constructive criticism on the action plan provided by our
classmates, and I really enjoyed it. While giving feedback, I am also taking
away ideas on how I can improve my own document.
A good action plan is extremely important for improved security in any organization. Just identifying threats and vulnerabilities is not good enough. Action must be taken to mitigate these risks, and that’s where the action plan with good security recommendations comes in handy. Many security breaches can be avoided if organizations simply implemented some common security controls and best practices, like updating configurations and keeping operating systems up to date with the latest security patches. Even the best of hardware and software tools, if not properly configured, cannot resist cyber attackers. Hackers seem to be at the top of their game, employing more enhanced and sophisticated techniques to perform their exploits. Successful data breaches yield a big payload to attackers, and often have a major impact on organizations, including loss of revenue, loss of customers, damage to their brand, and even fines!
Many companies without a dedicated security team are now getting into the habit of using a managed security provider, much like in the case of Harry and Mae’s Inc. It can often be more cost effective and with fewer distractions to an internal staff. The idea is to go on the offensive, rather than being defensive. While we embrace rapidly advancing technologies, we have to understand these technologies often pose a serious security risk to organizations. IT staff have to stay current on new threats and security best practices. In today’s world of compliance with industry standards and federal and state regulations, companies have to be very serious about security; non-compliance can often result in hefty fines and other consequences. The action plan is useful in that it prioritizes the vulnerabilities, giving companies the chance to work on those that pose a major threat to the organization.
One very popular strategy in many action plan recommendations for better security is the development and implementation of a strong security policy, along with ongoing employee education and training, and monitoring for compliance. Employee education and training is beneficial to the employee and ultimately to the company. As employees practice good security measures, especially when it comes to passwords, etc., they’re doing their part to help keep the company safe and secure from data breaches. Employee education and training also helps to improve productivity, and it definitely goes a long way in adherence to quality and other industry standards. The action plan also provides a means to help track action ownership, resource estimates, priorities, target dates, etc. As it defines the recommended risk and compliance-related mitigation actions needed to improve the organization’s risk posture, it also provides a way to identify the company’s high priority assets and the owners or prime points of contact for these assets, which could come in very useful during or after an attack.
Monday, May 7, 2018
Threats and Vulnerabilities CYBR650 Week 9
Delving into week 9 brings the
stark reminder that no one: no company, no organization, be it private or
government, profitable or non-profit, no one is exempt from a cyber attack, no
one is ever 100% secure from a cyber attack. While we laud the rapid pace of
technological advances, and the comfort it brings us (I’m writing this blog
while working from home today, so I don’t want to be too hypocritical), the
problem is that this same technology is misused tremendously by cyber
attackers. Despite the increasing wave of data breaches over the past few years
to companies like Home Depot, Chase Bank, and Experian, it seems like
companies are not doing their best to keep their data (and our data) as safe as
possible. Just a few days ago Twitter announced that a bug in their system
may have exposed user passwords internally. While the company quickly said that
no breach occurred, and must be commended for coming out publicly very quickly,
the fact remains that this information was available to hackers for a period of
time, so Twitter can never be 100% sure that the compromised data was not
acquired by attackers! I am leery that Twitter’s own internal investigation showed
no signs of a breach or misuse; let’s get an independent auditor to confirm
Twitter’s findings! Read more about it here: https://www.trendmicro.com/vinfo/us/security/news/online-privacy/change-your-passwords-twitter-bug-exposes-user-passwords.
The Twitter accounts’ compromise
and the other data breaches are a reminder to all users, personal or corporate, of
the need to practice good security measures on social media accounts. At the top
of the security list is creating and using strong passwords that follow
complexity rules. If your password is easy for you to guess or remember, it is more
likely to be an easy target for hackers. Also, always check your security and
privacy settings. Don’t use the system default settings. Adjust the default
settings as much as necessary so you can protect your personal information.
Every time I hear about a new
technology or device being introduced, I get a little fearful. Take Amazon’s virtual
assistant, Alexa, for example. Amazon has made several Alexa-enabled devices,
and other manufacturers are building Alexa into many types of devices like
phones and thermostats. I thought to myself: great; now let’s see what
hackers will do with it! Just two weeks ago, an article on the Trend Micro
website stated that Alexa can be programmed to eavesdrop on its users and
transcribe the information, which is a great potential for hackers to steal private
information. As far as most (if not all) users understand it, the Alexa digital
assistant is supposed to end the active session until prompted for another active
session. However, it seems attackers can prompt Alexa to believe it has
informed the user that the device is still actively listening, and can
transcribe and send the information to the programmers. Read more about it at https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/alexa-can-listen-indefinitely-potentially-exploited-to-transcribe-information-to-cybercriminals.
The need for education of users in
the area of cyber security and general security measures remains strong. People
must understand that they are responsible for maintaining the security on their
products, and should not rely entirely on vendors and manufacturers. While
manufacturers may identify vulnerabilities and provide patches and system
updates, it is still the user’s responsibility to actually download these firmware
and software updates. Good security practices, like using strong passwords, not
using the same passwords on different accounts, and changing passwords
regularly should be followed. Operating systems and browsers should always be
kept up to date with regard to patches and security updates. And make sure to
keep regular backups of data; this comes in useful if an attacker targets and
corrupts your data – a backup can save you time, money, and a lot of headaches.