Reading Questions
- What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
- Who or what do you think is the most significant risk to any organization?
- Security education is spoken of often. Why is it important?
- Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security processes?
- How much attention do you pay to the security of your device, data, and behaviors?
The iPremier Case
Read all three parts of the iPremier Case. Consider these questions when you prepare for class (Jan’s section) or Webex (Rich’s section).
- How well did the iPremier Company perform during the seventy-five minute attack? If you were Bob Turley, what might you have done differently during the attack?
- The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a “deficit in operating procedures.” Were the company’s operating procedures deficient in responding to this attack? What additional procedures might have been in place to better handle the attack?
Andres Galarza says
This is going to be a fun question to answer and see everyone’s response to.
I think it’s an interesting window into the paranoid/appropriate behaviors of a bunch of current/future security practitioners.
I think I pay an appropriate amount of attention to my data/devices and their associated behaviors. As a technology baseline: I use (almost exclusively) Windows or Google/Android devices. I grew up with the internet (I’m 32) and, more specifically, I grew up playing online computer games and taking part in online discussion forums. I think this influences my view on privacy and devices.
So, this is a list of some of my behavior (not all of it logical).
1. I’m keenly aware of what I post online, be it on social media or online discussion forums/Reddit. I don’t consider anything that I say online to have an “iron-clad” assumption of privacy, and as a result I don’t really contribute much in my Facebook/Twitter circles. I consume a lot of social media and I do a fair amount of posting on online forums and Reddit. However, I do it fully understanding that, if someone tried hard, anything I say online can be traced back to me.
2. I use a lot of Google services and have an Android phone. I like a lot of Google’s offerings and I know this sacrifices a bit of privacy (go check out Google’s My Activity, myactivity.google.com if you’ve never done it before). However, I make the illogical choice to regularly scrub my account/internet history. Before you get your minds into the gutter, I don’t really have anything to “hide” on my search history or activities, it just makes me feel more comfortable to hit the “reset” button on my activity. Again, I think this makes me a little crazy. I do a lot of browsing in Chrome in “Incognito” mode.
3. I use a paid VPN (when I can remember to turn it on). Now, admittedly, I don’t always do this due to privacy. My wife and I are weird and we don’t have a television, so we watch a lot of sports/shows on my computers.
4. I totally subscribe to the “turn a phrase into a secure 12-16 digit password” behavior. This annoys my wife sometimes because it means our wifi network password is long as hell.
At the same time as doing the above, I think I have a pretty cavalier attitude about some of my data.
1. I keep the books in my family and look at my finances on a regular basis, so I’ve done something silly like send my credit card information to a vendor in an email because I wanted to order some delicious pies for Thanksgiving and they didn’t have a payment form.
2. My social security number was printed on a lot of my old military equipment, and my information was compromised in the Office of Personnel Management, so I don’t “fear” identity theft that much.
Andres Galarza says
Oops. This is an answer to question number 5, “How much attention do you pay to the security of your device, data, and behaviors?”
Ahmed A. Alkaysi says
Very good point about social media Andres. I am the same way. Although I have a profile I rarely update it with recent events. It is mind boggling to me how much information people actually put on Facebook. You can almost learn a person’s entire history by looking at some of the profiles. This data can easily be used in social engineering attacks. Beyond the obvious security issues that can arise with this, it can also lead to cyber bullying and stalking.
I am also thinking about getting a VPN service in the future. Although it probably won’t be a service I would use all the time, it will be a great option to have in time of need. I have noticed more and more people are becoming aware of VPN and have adopted it for their safe surfing needs.
Joseph Henofer says
I’m in the same boat with you guys when it comes to social media; I have an account but never update it. As far as what type of information people post on their social media accounts, I’m not shocked. The Internet has exploded into a far superior tool than what it was primarily intended for, thus introducing a new outlet of threats. The normal social media user doesn’t take into account that the data they post is somewhere on the internet and potentially not secure. They look at it as “hey, my friends can see the beautiful time I had in the islands” or “look at my son’s birthday party.” On the surface, neither case is a problem, but if I’m a threat agent, I know that you were in the islands for a week and I could have broken into your house.
Neil Y. Rushi says
I really enjoy your answers Andres. So I guess you are never asked for the Wi-Fi password by guests, haha! But I am the same way – I use my phone more than my laptop to play games, surf the web, use social media and read/send email. I do get paranoid sometimes about getting a virus or getting hacked, but I do make sure to scan for viruses. If I do online banking and make purchases, I use my laptop since it’s more secure to me than my phone. I don’t feel comfortable using my phone for that.
Folake Stella Alabede says
You’re quite right Andres,
Even though I love Firefox for some weird reasons, I will never use it on a public computer.
About the “turn a phrase into a secure 12-16 digit password” behavior, I am in full and total agreement. Like I said in my post, a 9-character password in lowercase + uppercase + numbers and symbols can be cracked in 44,530 years, so the longer and the more complex the password is, the better.
And about social media, I just don’t get it. You can practically tell the story of a person’s life just by looking at their Facebook profile and pictures. Some people post pictures every day, every trip, every step; there is even this app that says “xyz was at abc”.
Some time back, it dawned on me that my status on Facebook was still single and my pictures were years old, so I put up a handful of pictures (more like 5 pictures) and changed my status to married, but my husband refused to acknowledge the post (he works with the investigative and fraud unit of a bank). He said that is giving people too much information about him; he didn’t want people knowing information about him or his family through social media, which I understood perfectly.
And like Ahmed, I’m also thinking about getting this VPN service sometime in the foreseeable future.
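To make the length-versus-character-class arithmetic behind Andres’s point 4 and Folake’s reply concrete, here is an added example (my own code, not part of the original discussion or any poster’s material). It assumes a 33-symbol punctuation set, a 7776-word Diceware-style list, and guess rates of 1e10/s for an offline attack and 10/s against a throttled login page; those rates and list sizes are assumptions, not measurements. It also carries the caveat a practitioner would want: a password built from a memorable phrase should be measured by the number of words it contains, not its character count, because an attacker who expects a phrase searches the phrase space.

```python
"""Added example (not part of the original discussion): compare the search
space an attacker must cover for a short "complex" password versus a longer
password or a multi-word passphrase. All rates and list sizes below are
stated assumptions, not measurements."""
import math

# Assumption: ~1e10 guesses/second is a plausible order of magnitude for an
# offline attack with a few GPUs against a fast, unsalted hash.
OFFLINE_GUESSES_PER_SEC = 1e10
# Assumption: ~10 guesses/second against a rate-limited online login form.
ONLINE_GUESSES_PER_SEC = 10.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption: a Diceware-style list of 7776 words.
DICEWARE_WORDS = 7776


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in `password`.
    33 is the number of printable ASCII symbols outside [A-Za-z0-9]."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def random_chars_bits(password: str) -> float:
    """Entropy in bits if every character were drawn uniformly from the charset.
    This is the best case for the defender; a password built from a phrase is
    not uniform and should be measured with passphrase_bits instead."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def passphrase_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of `word_count` words drawn uniformly from a word list. An
    attacker who knows the password is a phrase searches words, not characters."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Years to try the whole space; expected time to a hit is half of this."""
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR


def compare(candidates: dict) -> dict:
    """Map each label to (bits, offline years, online years)."""
    return {
        label: (bits,
                years_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC),
                years_to_exhaust(bits, ONLINE_GUESSES_PER_SEC))
        for label, bits in candidates.items()
    }


if __name__ == "__main__":
    # Constructed sample inputs, not anyone's real password.
    sample = {
        "9 chars, all four classes (random)": random_chars_bits("Tr0ub4d&3"),
        "16 lowercase letters (random)": random_chars_bits("qjxwvmzkplerhynt"),
        "4 Diceware words": passphrase_bits(4),
        "6 Diceware words": passphrase_bits(6),
    }
    for label, (bits, off, on) in compare(sample).items():
        print(f"{label:38s} {bits:6.1f} bits  offline {off:12.3g} y  online {on:12.3g} y")
```

Run it as a script to see the table. Under the assumed offline rate, the 9-character password using all four classes (about 59 bits) is exhausted in roughly two years, while 16 random lowercase letters (about 75 bits) take on the order of a hundred thousand years; four Diceware words (about 52 bits) are weaker than the 9-character random password, and six words (about 78 bits) are stronger. The same inputs look safe against the throttled online endpoint, which is why the hashing scheme and the attacker’s access to the hash matter as much as the password itself.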
Sachin Shah says
Excellent post Andres. I am literally taking down your second answer. I am trying to abandon Apple and be dependent on Google, use “hard” drives less, and use only cloud storage. Yet I need to have a plan and the key part of security. I also do not want my search history saved.
Also with social media – people put way too much information, I feel. I have a Facebook account, and I have peers who laugh at me for not having Instagram, Twitter, etc. I don’t trust social media as it can make someone out to be something they are or are not – basically it has a lack of credibility. Also, postings by peers are monitored either through work policy or by co-workers involuntarily. They may read something you post and then it goes through the gossip grapevine. EVERY company has issues with the gossip or water cooler talk.
Vaibhav Shukla says
Professor Jan Section
Security education is spoken of often. Why is it important?
It is the first line of defense against security risks, as it’s obvious we cannot protect ourselves against something that we are unaware of. Any technical defense or preventive control measure would be useless if the employee is not cyber-aware. A lot of cyber attacks are organized through social engineering, thus a good security program requires security education. For example, a personal computer has antivirus and firewalls installed to prevent any malicious attacker from gaining access to important information, but if the employee has not been educated to be cautious when using the internet, then he may be tricked by some hacker into giving access to important information, and thus all controls remain ineffective.
At present there are a number of laws that require employees of organizations to undergo certain forms of security awareness training, thus if we have proper education and training it builds a trust level and good rapport among peers and managers. Furthermore, if we have security awareness education, then it will be easy to understand the security objectives of our employer and feel obliged to act in line with them.
Mengxue Ni says
Nice post Vaibhav!
The most important use of security education is improving awareness of information security. Some employees may not be cyber-aware. Most companies couldn’t survive a data breach or data loss. So it is very necessary to educate employees before any security issues happen.
Sachin Shah says
Great posting both Vaibhav and Mengxue. I work with some older people who are just unaware of security risks. These people are IT professionals so you expect them to know, but they are zoned in as programmers or application support, or sales, and their focus is so locked in on that role that unless you teach them about Security Awareness, they may never take the step to voluntarily learn it. I agree that teaching employees about security breaches and preventive controls makes a company become proactive in terms of Security.
Sean Patrick Walsh says
I completely agree that security education is the first line of defense. When security education training is implemented in an effective manner, personnel are aware of the many facets of security. Being aware is the first step, but more importantly the personnel who are properly trained in security will hopefully be proactive with their knowledge and make positive security related decisions for the business.
Ahmed A. Alkaysi says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
The 10 processes are as follows:
Security Governance: lack of security governance can create an environment full of security issues within an organization.
Policy Management: without policy management, IT will not be aware of how its functions are affecting the business risk appetite.
Awareness and Education: employees must be aware and trained in IT security or the company will be plagued with security flaws in either insecure applications or weak passwords.
Identity and Access management: having an IAM system will mitigate the chance of an unauthorized user gaining access to internal systems.
Vulnerability Management: without vulnerability management, systems and applications can easily be exploited. The company must be proactive in making sure all vulnerabilities are being patched.
Incident Response: lack of incident response plan will just increase the losses of any event that occurs.
Change Management: knowing who and when someone made a change is integral for auditing and mitigating issues.
Business Continuity Management and Disaster Recovery Management: a lack of DR management can completely destroy a business in the case of a major data loss event.
Project Life Cycle Management: this helps mitigate any security issues that might arise in implementing changes.
Vendor Management: having a plan in place to manage partners also helps reduce security risks. By working together with vendors, the security of IT can become even stronger.
All these processes are included in running an IT organization. Having controls around these processes will strengthen the security and integrity of the company. They will mitigate any security issues that may occur and have a plan in place to quickly respond to any incident. The impact to IT providing business value will be reduced as well.
Sachin Shah says
Very detailed job in answering the questions and thoroughly defining the processes. These controls help and give preventive measures and put a company in a proactive mode. When you establish an IT department the controls need to be established, or else it will be harder to implement them the longer a company waits.
Ahmed A. Alkaysi says
2. Who or what do you think is the most significant risk to any organization?
I believe the biggest risk to an organization is its employees. There are many different ways a security event can occur with employees, whether due to a weak password, gossip, or a rogue employee. If a system has a vulnerability, a company can release a patch to fix that vulnerability. If an employee is disgruntled, if you even know about it, you just hope they won’t share their password or steal/sell confidential information. You never know what your employees can truly do; there is a trust factor involved. This is why I think that employees are extremely risky when it comes to security in an organization.
Mengxue Ni says
I could not agree more. Humans are always the biggest threat to an organization. Some employees didn’t leak information on purpose; they are negligent due to different reasons. Some employees are called intellectual thieves. They are “spies” for other companies or for benefits. Also, humans cannot be controlled, so the most significant risk to any organization should be human risk.
Sean Patrick Walsh says
I agree that employees are the most significant risk for an organization. One of the biggest challenges when it comes to personnel is how to properly evaluate the risk they all pose individually, as well as collectively. It is very difficult to evaluate the risks they pose to the company. On top of that difficulty, it is also harder to mitigate the risks associated with employees beyond SoD, policies, and access controls. Even with robust mitigation techniques in place, employees pose a unique risk since they can adapt to those techniques and overcome them if they are malicious personnel in nature. Another risk such as a fire does not adapt or overcome obstacles like a human being does.
Ahmed A. Alkaysi says
3. Security education is spoken of often. Why is it important?
A company that wants to have strong security, must promote a culture with security in mind. With a security focused culture, employees within a company will be able to take practical measures to promote security. Developers will be creating applications that are strong in security and have limited vulnerabilities. Project managers will make sure the SDLC is well documented. The organization will have a strong incident response plan and disaster recovery management. This all starts with educating employees on security.
Anthony Clayton Fecondo says
Ahmed, I didn’t even think of the question in that context, but you make a great point. In relation to question 2, employees are often the biggest security threat and the best way to combat that risk is by having a strong risk aware culture within the company. Speaking about security to instill it in the culture raises risk awareness in every day activities as well as operations.
Ahmed A. Alkaysi says
5. How much attention do you pay to the security of your device, data, and behaviors?
I used to not pay all that much attention to security, however, that has changed. After recent hackings of companies and the Target breach a couple years ago, I have become much more conscious of security. My passwords are much stronger, I check for viruses often, and do not connect to any public Wi-Fi. I have also started checking my credit score and report more often. It helps that my company is extremely serious about making sure their employees become cognizant of IT security as well. Educating us and promoting strong security within the company has translated to my day to day life. I haven’t gotten to the point of using a VPN or proxy sites to navigate the internet yet, but with seeing deals on VPN services on occasion, I think that in the future I might move towards it.
Mengxue Ni says
Before I studied cyber security, I thought security meant firewalls and anti-virus software. I used to believe these two applications could help me secure my computer in a perfect way. I was proven totally wrong by getting a virus even when my firewall and anti-virus software were running. We can easily get malware by downloading files, so I started to use strong passwords and back up my data in different places in order to improve my information security level.
Neil Y. Rushi says
2. Who or what do you think is the most significant risk to any organization?
I think the top 2 risks to any organization are employees and financial market. The employees have the insider knowledge of how the company operates, access to the systems and can cause mayhem to the organization with malicious intent or harmless methods. It’s important to get the employees educated on proper operating methods, security training and segregation of duties. Financial market is a risk because it can be an unpredictable factor on an organization’s ability to stay competitive and invest in IT security to protect from outside and inside attacks. An organization has to keep up with the financial market and have a plan in case the market crashes – because if it can’t, then it will have trouble protecting its assets and may not be able to keep the systems protected with current technology.
Sean Patrick Walsh says
I agree with your point that employees are a risk, but I am unsure about your use of the term “financial market” as a risk. From what you are describing it sounds like the economy may be a better term to describe the risk you mean. I do think the economy is definitely a risk for any business in any industry, but I’m not sure the financial market is a risk for a business that doesn’t utilize financial markets for funding of its business.
Said Ouedraogo says
Professor Jan Section
Who or what do you think is the most significant risk to any organization?
In my humble opinion, employees and customers (depending on the business) are the most significant risk to an organization. When you think about it, people are the weakest link in IT security and represent a danger to themselves. Most of the time, it is through people that hackers intrude into systems. It is important that employees and customers understand the dangers of cybersecurity and protect their information. The root of the problem is that people want convenience and don’t think about the consequences. Some employees write down their passwords or use the same password for different accounts, and are subject to intentional or unintentional fraudulent activities.
Richard Flanagan says
Said,
How could customers become a problem? I am thinking that they would be isolated from any of the internal access needed to hack the company. What did you have in mind?
Mengxue Ni says
It is an interesting idea; customers should be people who you want to satisfy. I see the point that humans are the weakest part of an organization. Also, customers’ accounts can be a “door” for hackers to intrude into organizations’ systems. But I think it should be easier to get to financial information or other vital information by hacking an internal employee’s account. Customers should have security awareness as well; however, employees should be required to study the importance of security.
Loi Van Tran says
Who or what do you think is the most significant risk to any organization?
Although I do agree that employees are one of the most significant risks to any organization, it seems that the threat landscape is expanding with the adoption of new technology. Organizations are all in pursuit of being more efficient and effective with technology as an enabler. Companies may adopt these new technologies without the proper security considerations, like adding devices, printers, and sensors onto their network without properly vetting the devices for vulnerabilities. With that said, I believe that weak governance and lack of policy and change management are also significant risks for the organization.
Andres Galarza says
Loi,
You raise an important point. Some of these IoT devices have glaring vulnerabilities that can’t easily be fixed by an end-user, and they pose challenges that go beyond a user having bad cyber hygiene habits.
Richard Flanagan says
Has anyone actually gone onto one of their IoT devices to see if it’s using publicly available default passwords, etc.?
Andres Galarza says
Not an IoT device (or is it) but I changed my router’s default login/password because that’s an easy thing to miss.
Priya Prasad Pataskar says
1. Security education is spoken of often. Why is it important?
A. Security awareness now has a formal name: Security Awareness Training (SAT). There is a new domain altogether, SAT Management, which comprises understanding the IT issues in a company, control solutions, studying the trends in the industry and the organization, and designing training programs focused on vulnerable areas. Companies heavily invest in security education.
The fact is that all high-profile security breaches have proven that even if a company manages to get the best IT infrastructure, the best IT security team, the best DLP and antivirus software, and develop the best security framework, unless the end user is aware of the security to-do’s, the framework stands a major chance of failing.
The goal is to keep security alertness always fresh in their minds. Security is the responsibility of each employee and associate of the company. However, while performing day to day activities, employees may forget about their responsibility towards security. To keep the sense of belonging to security and let employees feel ownership of following policies, it is important that we let them know the repercussions of breaches. The idea behind a campaign is to motivate people to take information security seriously and respond accordingly.
Awareness will help employees make the right use of technology to ensure the security of all platforms without affecting operations. Awareness about cyber threats will help in creating alertness and assist employees in taking security-driven decisions.
Binu Anna Eapen says
3. Security education is spoken of often. Why is it important?
Security education is very crucial in any organization. No matter how much or what an IT department does to make it secure, the lack of awareness of security practices creates the greatest vulnerability in an organization. Risk inherent in using computing systems cannot be addressed through technical security mechanisms alone. An active security awareness program can greatly decrease the risks by addressing the behavioral part of security through education and continuous application of awareness techniques. Hence strong leadership, direction and commitment are required from senior management on security training. This can be achieved by providing formal security training to all employees. Organizations should incorporate this in the orientation program when an employee joins, consider it one of the most important aspects, and spend on training their employees on a regular basis ranging from quarterly to yearly or as needed until the employee leaves the organization.
A security awareness program usually focuses on security concerns such as password policies, appropriate use of computing resources, email and web browsing safety, social engineering, backups and mandated PC compliance policies defined by the organization, etc., and should be tailored according to the audience.
Other than natural threats and environmental threats, which are typically rare for most organizations, employees pose the greatest threat to the organization. Human threats can be intentional or unintentional. In most cases of data breach, it is due to unintentional errors made by employees within the organization because of a lack of proper awareness of the consequences of their actions.
Users are the people who are exposed to issues on a daily basis and can be directly involved in identifying threats that may not be detectable by automated means. Employees must be trained to identify and report any incidents they think might be a threat to the organization. Each employee must be aware of whom to report to and whom they can escalate to in case of such an occurrence, to reduce any possibility of data loss.
It is one way of ensuring compliance within an organization. Every employee must be aware of their responsibilities with regard to information security. The security of the organization does not depend only on the IT security team or senior management; it is the task of every employee. It should become the culture of an organization for it to be able to mitigate the risks to a great extent.
Richard Flanagan says
Binu,
What controls would you put into place to make sure that the employees in your company are security aware and practice good cyber hygiene?
Deepali Kochhar says
1. Security education is spoken of often. Why is it important?
Security refers to collection of technologies, standards, policies and management practices that are defined to protect an organization against any kind of internal or external threat.
In today’s high technology environment, organizations are becoming more and more dependent on their information systems. The clients and the stakeholders are increasingly concerned about the proper use of information, particularly their personal data. The threats to information systems from criminals and terrorists are increasing. Many organizations will identify information as an area of their operation that needs to be protected as part of their system of internal control, as it is one of the main components of the business.
As an example, when you leave your house for work in the morning, you probably take steps to protect it and its contents from unauthorized access, damage and theft (e.g. turning off the lights, locking the doors and setting the alarm). This same principle can be applied to security – steps must be put in place to protect it. If left insecure, it can be a threat to the organization. Security of information is important, as if it falls into the wrong hands it can lead to losses such as bringing down businesses, finances and reputation. Quite often, ensuring that information is appropriately protected is both a business and a legal requirement. In addition, taking steps to protect your own personal information is a matter of privacy retention and will help prevent identity theft.
Having a security program means that you’ve taken steps to mitigate the risk of losing data and have defined a life cycle for managing the security of information and technology within your organization.
Security education is important as:
1. It helps in creating awareness amongst employees on how to keep information and physical appliances safe from external threats.
2. It is the first line of defense against security risks.
3. It will help the organization to be compliant with regulatory requirements.
4. It will create trust and loyalty in the stakeholders.
5. Another purpose of periodic security awareness training is to develop essential competencies, new techniques and methods that are essential in facing possible security issues.
Nathan A. Van Cleave says
2. Who or what do you think is the most significant risk to any organization?
People have been and continue to be the most significant risk to any organization’s security. It is people that are the culprits in phishing attacks, and it is the human factor that clicks on those unknown attachments or links from people they know or think they know. Generally, people are becoming more aware of these types of tactics, and for the most part, don’t fall for the poorly written emails mentioning a winning jackpot or a get rich quick scam. An organization can have the best of breed technology and all the policies to help ensure data and systems remain protected, but there will always be a person on the inside that forgets that HR would/should never email them asking for their SSN to update their files.
Nathan A. Van Cleave says
5. How much attention do you pay to the security of your device, data, and behaviors?
If I’m just being honest here:
At work I pay a great deal of attention to security and my behaviors. I will not open emails from people I don’t know (I can thank my company for instituting an ongoing anti-Phishing initiative). I always lock my PC when I walk away, even just to walk down the hall to drink some water. No one has ever asked me for my password, and I would never give it to anyone, even my most trusted co-worker. I have become more and more aware of policies around the handling of company data, whether on-site, or off.
Now, on a personal level. I know I have some work to do. There are times when browsing or researching that I’ll inadvertently click on the first link I see without examining what the URL looks like or any related information in the search. With email, I generally do not open spam email unless I know for certain I want to look at it. I have to say social engineering is getting much better, so I am tempted at times to click on something that looks completely legit. But then I stop and ask myself, why would this person email me anything?
One area where I am really lacking a security minded approach is my mobile device. I take for granted that I am rarely on Wi-Fi and that I don’t do much actual browsing or email through my phone. But there are times that I think back and realize, “Wow, that was pretty risky or flat out stupid of me!” I’ll just say that I’ve started using a VPN on my mobile when I am actually on a public Wi-Fi... just in case.
Andres Galarza says
Nathan,
I included something about this in my own response, but I completely empathize with your mobile device habits. I think I’ve mentally accepted that for some of these risky behaviors I’m willing to do the work it would take to undo the harm, and I have pretty good visibility (detective controls) for the objects in question.
Xiaodi Ji says
Nathan,
I have the same feeling as you. Sometimes I know something is not safe, but when I cannot find another way, I choose to use that method.
The first example is that we all know that public Wi-Fi is very dangerous. We should not connect to it and check our bank account or get email. However, sometimes when I do not have enough data for the cellphone and have to check them, I always think this is not a big deal because I just use it once. I am not unlucky enough to lose my account and password.
The second one is that when I want to find some solution for programming, I will click the links that show up on Google one by one to make sure I can find the right answer and do not miss any chance to get it. Sometimes I do not even care about what these websites look like. I just need my answer.
I think many people know how to keep their data and devices secure. However, if we want to keep them safe, we need to take a lot of extra steps which make our lives more complex. On the other hand, at work, we are careful about everything and click on anything carefully. If we did the same things in daily life, it would make our lives so serious. Therefore, it is really hard to balance this relationship.
Abhay V Kshirsagar says
Security education is spoken of often. Why is it important?
Operating a business is challenging, as there are a million things to worry about and every second of the time is valuable. And, with all of this in motion, organizations also have to worry about bad guys trying to steal their company information, putting all the stakeholders at risk. Thus, training employees shouldn’t just be a preventative measure; customers, vendors and even insurance companies may have security education as a requirement to do business with them. Proactively training employees can reduce the risks; as the number of employees trained goes up, the number of security incidents goes down.
Security education can be expensive if done internally, if an organization wants an effective training program. Security education is about changing the culture. It is about making the fabric of an organization; companies have to be cynical. And, as people can be very gullible, security training thus becomes critical.
Yang Li Kang says
Professor Jan Section
Who or what do you think is the most significant risk to any organization?
As everyone has mentioned, the organization’s employees carry the most significant risk to the organization. First of all, employees are people, and everybody is prone to human error, e.g., adding an extra 0 when entering a number, overlooking a simple statement, accidentally clicking something or forgetting something. The second layer is the human factor. It is human nature for people to think the best of others. Whenever we do something, we never really think about the harm that others might do to us. Unfortunately, reality is not so kind. People take advantage of this and exploit other people for their own gain. If an organization’s employees are not made aware of this, bad people can take advantage of an organization’s employees and use them to gain access into the company. Lastly, people generally prioritize themselves over others. So, employees may want convenience, such as writing down passwords so they don’t have to remember them, without realizing that they are actually putting their company at risk.
Joseph Henofer says
Yang,
I would also add that it’s human nature for people to want to know the unknown. For example, you may have received an email from your favorite store stating that you won a shopping spree, but I told you not to open it because it may contain a virus. Now, knowing what you know about security, you would agree with me and say OK, but if you’re not educated about security it may drive you crazy because you need to know.
Ming Hu says
Security education is spoken of often. Why is it important?
According to the European Network and Information Security Agency, “Awareness of the risks and available safeguards is the first line of defense for the security of information systems and networks.” Security education is a critical component of the information security program. It is the vehicle for disseminating the security information that the workforce, including managers, needs to do its job, to raise security awareness regarding the protection of the physical and, especially, information assets of the organization, and to establish and maintain a robust security environment. That will ensure that personnel at all levels of the organization understand their information security responsibilities and properly use and protect the information and resources entrusted to them. Agencies that continually train their workforces in organizational security policy and role-based security responsibilities will have a higher rate of success in protecting information.
Yulun Song says
1. Security education is spoken of often. Why is it important?
Since data and security breaches happen, organizations have started requiring employees to have training and education on security. Organizations also face a continued increase in security threats and identity theft, so they have started putting thousands of dollars into security education. Many employees in organizations of any size lack basic knowledge of security, and they have made or have the potential to make mistakes. For example, employees use passwords that are poorly chosen or that are easy to guess or manipulate; employees fail to update firewalls and antivirus software, which may lead to infection of computers with malicious programs; employees have careless and improper control of PCs, laptops, smartphones, and other devices that may hold vital information; employees may download files and email attachments that contain malicious programs, etc.
With adequate training on security, employees will recognize and protect an organization from possible security risks. In other words, adequate security and awareness training will give employees the knowledge and enlightenment they need in order to better protect an organization’s physical and information assets through security-conscious and proactive measures.
http://www.expertsecuritytips.com/employees-security-education-awareness-training/
Yu Ming Keung says
Who or what do you think is the most significant risk to any organization?
I believe that the most significant risk to any organization is its employees. According to the triangle of people, technology, and process, which represents the IT process of a company, people are the biggest risk to any organization because they are sophisticated.
1. They often click on phishing emails.
2. They do their personal stuff while using the company’s computer.
3. Employees can also set up passwords that are easily guessed.
4. They carry the company’s information home to finish work there.
The above inappropriate actions are dangerous to an organization in terms of the confidentiality, integrity and availability of its information.
A company should provide the following to educate its employees and mitigate internal risks.
Identity and access management – Define roles for different users within your environment
Information security organization – Make everyone responsible for security.
Training and awareness – Develop a brand and marketing plan for security.
Professor Jan’s section:
Loi Van Tran says
Thanks for your post and for bringing up the information security “Golden Triangle” (People, Process, Technology). I believe that the People aspect of this trio is the weakest, due to the inability of the organization to completely control all aspects of human behavior. Processes can be detailed and very specific, which can limit the risk exposures. Technology is used to facilitate those processes, which further mitigates exposures from the malicious or unintentional acts of people. As you can see, technology and processes are completely controlled by the organization, while people, although they can be trained or made aware, can still expose the company to significant risks.
Magaly Perez says
Professor Jan Section:
Who or what do you think is the most significant risk to any organization?
The most significant risk to any organization is its employees. There are numerous ways employees can be a risk. Employees have insight into how the company operates, such as access to the systems and their weaknesses. Conversely, an employee can put the whole organization at risk if they are disgruntled or simply through human error. It’s important to properly educate your employees as well as do background checks. Overall, organizations never fully understand what their employees’ intentions are and must hire on a trust basis. However, with that being said, they should most definitely attempt to mitigate the risk employees pose to an organization, whether it be by education, SOD, access management, background checks, etc.
Loi Van Tran says
Thanks for the post Magaly,
I think what you brought into the conversation with SOD and access management is very insightful. Awareness training and education do not completely mitigate the risks associated with malicious or unintentional acts against an organization’s information systems. Access control measures implemented within the technology, such as SoD, access management, least privilege, etc., will reduce the risk impacts better than just educating employees.
Brou Marie Joelle Alexandra Adje says
Professor Jan Section:
Who or what do you think is the most significant risk to any organization?
To me employees and Information security risks are the most significant risks to any organization. Indeed, every organization depends on its IT but, despite investment in policies, training and IT security teams, serious data breaches and incidents continue to occur. The risks are compounded because, not only do firms face external attacks, but most of the employees admit to violating their company’s security policies. Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage. Similarly, employees who are not trained in security best practices and have weak passwords, visit unauthorized websites or open email attachments pose an enormous security threat to their employers’ systems and data.
Folake Stella Alabede says
5. How much attention do you pay to the security of your device, data, and behaviors?
I think I’m very security conscious to an extent.
I’m in the process of buying a new phone and I’m in a serious tug of war deciding between an iPhone and an Android (I currently use an Android). Recently, a friend was talking about how he suspected his wife was cheating, and he was able to install a tracking app on his wife’s Samsung phone. This tracking app basically does everything: shows him where she is, who she’s with, what she’s doing, eating, saying, practically everything. I didn’t like that, and after some further research I found out you couldn’t do this on an iPhone (I might be wrong; someone please correct me if I am). Hence my dilemma. I mean, I don’t have anything to hide, but I’m just security conscious to the point that I don’t want a phone/device that is susceptible to easy hacking or whatever.
Also, I was in a cybersecurity training recently and, even though I knew you must have a complex password, the why finally dawned on me. I used to be lazy with complex passwords, but this training was an eye opener.
If you have a password as simple as “12345” or “password,” it would take a hacker just .29 milliseconds to crack it.
A 6-character password in lowercase can be cracked in just 10 minutes.
A 6-character password in lowercase + uppercase can be cracked in 10 hours.
A 6-character password in lowercase + uppercase + numbers and symbols can be cracked in 18 days.
Fast forward: a 9-character password in lowercase + uppercase + numbers and symbols can be cracked in 44,530 years.
So now I know the longer and the more complex my password is, the better.
I’m also very skeptical about anything I want to do that asks for my full social security number (as opposed to the last 4 digits).
I think that, generally, I just have a second thought when I have to do anything involving passwords, PII, the internet, Wi-Fi, you name it. I think it over and I’m never spontaneous/compulsive; I think it over.
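The figures in the training table above come from one vendor’s assumed guess rate, so here is the arithmetic behind them, as an added example (not from the post or the training it cites). It computes the keyspace a password actually lives in from the character classes present, divides by an assumed guess rate to get the worst-case search time, and short-circuits for passwords that a wordlist would find before any brute force starts. The guess rate and the tiny wordlist are constructed assumptions; a real attacker would use a list like rockyou.txt and a rate that depends on the hash in use.

```python
"""Brute-force effort estimate behind a password-cracking time table.

Added example, not from the original post: the guess rate and the
stand-in wordlist are assumptions for illustration.
"""
import math
import string

# Character classes the training table refers to (sizes: 26, 26, 10, 32)
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Constructed stand-in for a real wordlist; these fall before brute force starts
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein"}


def classes_of(password: str) -> list:
    """Character classes present in the password, in CHARSETS order."""
    return [name for name, chars in CHARSETS.items()
            if any(ch in chars for ch in password)]


def keyspace(length: int, classes) -> int:
    """Number of candidates an attacker must try for this length and class mix."""
    alphabet = sum(len(CHARSETS[c]) for c in classes)
    return alphabet ** length


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Exhaustive-search time at the given rate; 0 if a wordlist finds it first."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(len(password), classes_of(password)) / guesses_per_second


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; every extra bit doubles the attacker's work."""
    return math.log2(keyspace(len(password), classes_of(password)))


def format_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, as the table does."""
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    RATE = 1e10  # assumed guesses/second: offline GPU attack on a fast hash
    for pw in ["password", "abcdef", "Abcdef", "Abcd3!", "Abcd3!xyZ"]:
        print(f"{pw:12} {entropy_bits(pw):5.1f} bits  "
              f"{format_duration(worst_case_seconds(pw, RATE))}")
```

The point the table makes shows up directly in `entropy_bits`: adding a character class widens the base, but adding a character raises the exponent, so length wins. The wordlist check is the caveat the table leaves out: "Password1!" satisfies every complexity rule and still falls in milliseconds.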
Paul Linkchorst says
Professor Yeoman’s Section
How much attention do you pay to the security of your device, data, and behaviors?
For the most part, I would consider myself to pay more attention to the security of my data/devices than the average user. Some of my security practices are listed below:
• I use a 7-digit passcode to unlock my cell phone (Android).
• My cell phone is encrypted.
• I am a proponent of “phrase passwords” and use them myself for all my passwords. I also rarely use the same password for multiple sites/accounts. Surprisingly, I have gotten to the point where I remember which site’s/account’s password is which without hesitation.
• I take some risk avoidance measures by refusing to use convenience applications such as Venmo, PayPal, or mobile banking, and would much rather visit the bank/pay someone in cash. While I do think such applications are the way of the future, I am a little hesitant to hop on board.
• I am very careful about my online social media presence and would say I am more of a consumer than a poster/provider.
• I use 2FA on my Gmail account, online banking accounts, and file sharing services.
On top of this, one of the security measures that I developed when growing up was a “separation of church and state” attitude when it came to my cellphone and other devices. For my cell phone and laptop, I generally kept these as “clean” as possible, in the sense that I don’t download very much to these devices and avoid visiting any nefarious sites. On the flip side, for my Android tablet and desktop I will be less careful when visiting sites and downloading software such as games/emulators, as well as just toying around with the technology. My thinking behind this was that if the security of such devices were compromised, it would not affect those “clean” devices. Therefore, I would do anything important (such as online banking or storing important files) on the clean devices and mess around on the others. In reality, I don’t think there is a major difference between separating out my activities to different devices. However, when I was younger and not as security savvy, that is what I would do, and the habit remains to this day.
While to the average user this might seem overkill, I think the most extreme security measures I take are using long passwords for different websites/accounts and separating out my devices by what I do on them. Eventually, I think all individuals will be compromised in some form, with either their device getting a virus or credit card information being stolen. With that being said, I do think covering one’s basics can put you just one step ahead of the rest and protect a user’s security.
As a side note, I have been an avid Android user for a long time (on my 5th Android device) but have been considering making the switch to an iPhone solely due to how the two different businesses operate. Apple’s major business operation is to get users on their platform, while Google’s is using users’ data to advertise to consumers. Likewise, Android phones have been extremely slow to get security updates, as opposed to iPhones, which receive theirs rather quickly. With that being said, I am not convinced whether I should make the switch or not, but I do think privacy/security will play a key role in my next purchase decision.
Andres Galarza says
Paul,
Have you looked at the Nexus/Pixel line of Android phones? I had similar concerns about “slow” updates given to the most popular Android phones, but I wanted to switch from the iPhone 4 that I had. The “pure” Android devices get updates the same day that Google releases them, but you have a much smaller range of choices.
Google’s Pixel (https://madeby.google.com/phone) is the next generation of this kind of phone.
Paul Linkchorst says
Hi Andres,
I actually have a Nexus tablet, and I had the original Moto X and currently have the Moto X Pure, which both run the “pure” edition of Android. The original Moto X received updates fairly quickly. When I bought my current phone (Moto X Pure), Motorola was still owned by Google. However, about a month after I owned the phone, Google sold Motorola to Lenovo and basically all the updates to the phone were cut off. I have been keeping an eye out on the new Pixel phone myself, but am waiting to see how quickly their updates come.
Mansi Paun says
3.. Security education is spoken of often. Why is it important?
It is well known that employees are considered to be one of the biggest risks to an organization’s security. Employees may knowingly or unknowingly be a threat, as they have the organization’s trust, access and inside information. This could possibly expose the organization’s infrastructure to attacks or breaches despite having sufficient controls in place. An organization could have all the best security controls implemented, and yet if the employees are lax about security, the organization risks experiencing security incidents.
Therefore it is of utmost importance that employees are made aware of workplace and workstation security practices. By providing security education or security awareness training, employers can underline the importance of the secure practices being followed and also expect employees to be more vigilant and accountable towards the organization’s security.
Andrew P. Sardaro says
Mansi,
Great summary as to why security education is so important. I also feel that educating your employees as to the organization’s policies regarding workplace and workstation security practices should take a high priority.
An organization with weak security governance runs a higher risk of its employees committing security violations, which will directly impact the security and integrity of the organization.
Where I work, our security department works with our computer communication departments to draft/deliver emails to our faculty, staff and students reminding them of the risks of engaging in email and phone scams. We have had success with this education/communication method, and will continue to use it going forward.
Richard Flanagan says
Andrew,
You say you’ve had success with your company’s education program. How do they know? What kinds of data do they look at?
Andrew P. Sardaro says
Professor Flanagan,
The success I am seeing comes from users reporting/forwarding suspicious emails to our helpdesk and security abuse email address. The emails sent by our security and communications departments clearly state that our computer services department will never ask for your username or password. Reporting users have said to me, “I know your department does not ask for our logon information.”
Alexander B Olubajo says
2. Who or what do you think is the most significant risk to any organization?
I would suggest that employees are the “who” and a lack of security governance is the “what” in regards to the most significant risk to any organization. I don’t think I need to expatiate further on how employees are/could be a risk to any organization. A typical example would be untrained or improperly trained employees having access to unauthorized data and/or working a process/function within the organization. This by itself is a big risk to any organization because countless things could happen/go wrong. As for a lack of security governance being a risk to any organization, the way I see it, security governance is a very important factor in ensuring that the execution of IS is successful and relevant to the business of the organization. Therefore, without properly implemented security governance, an organization is at risk.
Noah J Berson says
3. Security education is what gives value to your employees in maintaining security. A lack of education can lead to whole processes becoming ineffective. This makes it a keystone function, as all other functions rely on this being in place. An organization that focuses on encouraging security awareness and behavioral changes will get a lot of value. Maintaining security education for all employees will also encourage new employees to be in line with the current programs. An organization that forgets to educate its employees regularly will fall behind the times and lose battles against threats if one should arise. This can end up costing a lot more than educating staff. It is also important to quantify this data with metrics to see if the organization is improving each year.
Andrew P. Sardaro says
1.What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
-Security Governance: without proper security governance, IT is not doing the right things to ensure the organization is protected while meeting the needs of the business. Security issues would be a recurring problem without proper security governance.
-Policy Management: without policy management, IT will not understand what its security position is, and what its acceptable risk appetite is.
-Awareness and Education: employees must go through effective training on IT security policies within an organization so as not to be the weak link in a security issue/breach. Employees must understand that they are responsible for safeguarding the organization.
-Identity and Access Management: with an IAM system, you understand who works for the organization, and the proper rights can be assigned for job responsibilities. IAM reduces the chance of unauthorized users and access.
-Vulnerability Management: without vulnerability management, unauthorized users can take advantage of exploits and gain access to systems/information. Without knowing and understanding the risk, how does one prioritize the risk impact?
-Incident Response: without an incident response plan, an organization runs the risk of exacerbating the loss during the event. Can you learn from the event for future risks? Can you protect other assets during the breach?
-Change Management: letting anyone make a change to our already secure systems. Does the organization know they are still secure?
-Business Continuity Management and Disaster Recovery Management: without BC and DR management, a company may not be able to recover from an event where systems were hijacked or held for ransom.
-Project Life Cycle Management: significant changes occur during project implementations of new technology. Without PLCM, an organization might not be aware of or be able to stay ahead of these implementation risks.
-Vendor Management: if IT does not partner with approved vendors, you can open your network and systems to unknown risks.
Having controls in place for the mentioned processes reduces the organization’s security risks as a whole. These controls also allow the organization to react quickly and efficiently when an incident occurs.
Andrew P. Sardaro says
5. How much attention do you pay to the security of your device, data, and behaviors?
Being in the IT business I have always had a security conscious approach when it comes to safeguarding my systems and devices. Due to the increase in intricate IT risks, I am more aggressive with the frequency that I patch/backup my devices and change passwords.
Things I Do:
-Change passwords frequently for accounts
-Always apply latest OS patches (Windows, Android)
-Use personal MiFi device when travelling (never use public or hotel)
-Use encryption software on laptop HD and RMD
-Perform frequent virus and malware scans
-Use an external drive to back up my computer (never leave mounted)
-Browse in private with Incognito mode (Chrome)
-Setup purchase notifications on my debit and credit cards
-Check my credit scores
-I have been putting off purchasing a VPN service, but I am going to do this very soon.
As others have stated, I am amazed at the amount of personal Information people place on social media. I do my best to limit this type of information post.
Loi Van Tran says
Thanks for sharing Andrew,
I do most of the things you’ve mentioned above. Regarding the latest OS updates, I tend to wait a couple of weeks before updating, just in case the new update has vulnerabilities. Unless the update is to patch previously discovered vulnerabilities, I typically wait. In addition to your list, I use internet proxies to see what information is requested and sent by the websites that I visit.
Andrew P. Sardaro says
2. Who or what do you think is the most significant risk to any organization?
Employees are the most significant risk to an organization. Your organization can have the proper controls in place to mitigate vulnerabilities and risks, but it takes one careless, poorly trained or rogue employee to allow the risk in.
I have seen improvement with user awareness when it comes to certain security issues (phishing, emails from unknown sources, phone scamming), however I still see too many users falling victim to this.
I also feel that an organization with weak security governance runs a higher risk of its employees committing security violations.
Wen Ting Lu says
2. Who or what do you think is the most significant risk to any organization?
Like everyone else pointed out, I also think that employees are the most significant risk to any organization. People are the most important assets, and at the same time they are the most vulnerable assets for any organization. There are many ways that employees can bring significant risks to the organization, because they are the ones who process business activities and they are the people who have control over how an organization operates. According to a survey of over 1,000 office workers and 500 IT professionals conducted by Harris Interactive for Quest Software, 52% of the office workers admit to sharing log-in details with colleagues, while 23% still have access to log-in details from previous employment. That being said, employees often sacrifice security for convenience. A good example of how security is undermined by employees can be seen in employees carelessly setting up simple, unprotected passwords and leaving them out in public. In addition, employees often lack awareness about opening phishing emails, and doing whatever they want on the internet might lead to data breach problems. Lastly, human error such as mis-entry of information might bring significant risk to any organization.
In order to mitigate the risk, controls such as segregation of duties, employee training on security awareness, and policy are very important. Employers must educate their employees on the following practices:
1. Make sure all employees regularly change passwords, using complex passwords that include lower- and upper-case letters, numbers, and symbols.
2. Training on how phishing scams work, what the impacts of phishing scams are, and what the telltale signs are. All employees need to know how to look for phishing scams that may hit their inbox.
3. In order to best protect the data, accounts that have access to important information need to use secondary security features, like two-factor authentication.
Source:
http://www.infosecurity-magazine.com/news/office-workers-often-sacrifice-data-security-for/
http://www.altexsolutions.com/newsletter-content/chances-are-your-employees-care-more-for-convenience-than-network-security
Ryan P Boyce says
2. Who or what do you think is the most significant risk to any organization?
I believe the greatest risk to any organization is the employees of that organization. The majority of cyber attacks originate from user error, such as clicking on phishing scams or being careless with password use. For years now the focus has been on protecting the perimeter of a company’s information systems. More recently, however, the focus has shifted to bolstering internal defense, and employee training and awareness is at the forefront of this initiative. Human beings will always be the most vulnerable part of the information system because we are the ones most prone to error.
Ryan P Boyce says
3. Security education is spoken of often. Why is it important?
Security education is so critical because the ways in which hackers can exploit a system change extremely rapidly. The life span of an encryption methodology is very short presently; it does not take hackers long to crack encryption techniques. State-sponsored hacking brings on a new level of cyber crime. Educating an employee base on what cyber crime/hacking is, how it is done, and how each and every individual can counter it is massively important. Educating anyone who comes in contact with a computer on security awareness is as important as it was to teach a secretary how to use Microsoft Word in the late 1990s.
Ryan P Boyce says
4. How do the topics there relate to Gartner’s top 10 security process?
The security processes listed by Gartner are a direct result of the work of an executive board with a cybersecurity focus. The processes are, essentially, what the board should aim to implement and oversee. Take the change management process, for example. The organization I work for has a very formal change management process that is overseen by the Change Management Board. When a change to a production system needs to take place, a formal change request needs to be submitted and applicable CM Board members need to sign off on it. Normally, changes are implemented without much questioning, so the main goal of the board is to be able to track the changes that are taking place. The board has the power to deny a request, of course, and I have seen this happen. A good example of denying a change is when a change is requested during a freeze or blackout period in which all production machines must remain unaffected, as the risk of downtime is greater than at any other period. I personally have had a change denied because the implementation time was scheduled during a production freeze.
Ryan P Boyce says
5. How much attention do you pay to the security of your device, data, and behaviors?
I pay a good amount of attention to the security of my devices. I regularly run scans and check that no network ports are open to malicious websites/services behind the scenes. As far as my data is concerned, I use monitoring tools that check for changes to my accounts, but at this point, with my information in many different systems, it’s difficult to say how “well” I pay attention to it. What makes data integrity/security even more difficult today is how much companies share data with third parties.
Folake Stella Alabede says
Hmmn, I thought I was security conscious and paid a lot of attention to my devices, Ryan, but I see your security is on a greater level (in reference to your statement “I regularly run scans and check that no network ports are open to malicious websites/services behind the scenes”).
I also agree with your statement “What makes data integrity/security even more difficult today is how much companies share data with third parties.” I know the spam emails I receive regularly (every day/every other day, etc.), but I also know when I start getting fresh spam email (after registering with a new wholesaler/retailer/seller, etc.).
I think companies sharing data with third parties is a practice that should be frowned on. I always look out for the statement “your personal information will not be shared with 3rd parties” when I’m trying to register or do transactions.
Joseph Henofer says
2. Who or what do you think is the most significant risk to any organization?
I would have to say that internal users are the most significant risk to any organization. They are the most significant risk because they’re either not educated enough or not aware of the threats. For example, a user who is not fully aware of or educated on the threats of malicious email attachments may open an email that contains a virus. All users need access to email, but understanding what a legitimate email is versus a fake email can go a long way when trying to mitigate the risk in your company. Another reason why internal users are your most significant risk is privilege creep. In my experience, a user may be moving from sales to the accounting department but still need to retain some of the access in the sales department for the transition of projects. This poses a risk because, if the end user is not removed from the sales group after the transition, the user can potentially be dangerous, having more access than needed.
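The privilege-creep case Joe describes (sales access retained after a move to accounting) and the SoD / least-privilege controls Loi raised earlier in the thread are both things an access review can catch mechanically. The script below is an added example and not code from either post or from any IAM product: it compares each user’s group memberships against a constructed role model, tolerates extra groups only within an assumed 30-day handover window after a transfer, and separately flags toxic combinations that no single person should hold regardless of role. Role names, group names, employees and dates are all constructed.

```python
"""Access review for privilege creep and segregation-of-duties conflicts.

Added example, not from the original posts: the role model, group names,
employees, dates and handover window are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed role model: the groups each role legitimately needs
ROLE_MODEL = {
    "sales-rep":  {"crm-read", "crm-write"},
    "ap-clerk":   {"ap-create-vendor", "gl-read"},
    "ap-manager": {"ap-approve-payment", "gl-read"},
}

# Entitlement pairs no single person may hold together (SoD)
TOXIC_PAIRS = [
    ({"ap-create-vendor", "ap-approve-payment"},
     "can create a vendor and approve payment to it"),
    ({"crm-write", "ap-approve-payment"},
     "can edit customer records and approve payments"),
]

HANDOVER = timedelta(days=30)  # assumed grace period for transition work


@dataclass
class Employee:
    user: str
    role: str
    transferred_on: Optional[date]  # last role change, None if never moved


def stale_groups(emp: Employee, groups: set, today: date) -> set:
    """Groups outside the current role, once the handover window has closed."""
    if emp.transferred_on and today - emp.transferred_on <= HANDOVER:
        return set()  # still handing over projects; tolerated for now
    return set(groups) - ROLE_MODEL.get(emp.role, set())


def sod_violations(groups: set) -> list:
    """Descriptions of every toxic pair fully contained in the user's groups."""
    return [desc for pair, desc in TOXIC_PAIRS if pair <= set(groups)]


def review(employees, memberships: dict, today: date) -> list:
    """(user, finding_type, detail) tuples for the access reviewer to act on."""
    findings = []
    for emp in employees:
        groups = memberships.get(emp.user, set())
        for g in sorted(stale_groups(emp, groups, today)):
            findings.append((emp.user, "stale", g))
        for desc in sod_violations(groups):
            findings.append((emp.user, "sod", desc))
    return findings


# Constructed sample: alice moved sales -> AP two months ago and kept CRM
# access, bob moved last week, carol never moved but holds both sides of
# a vendor payment.
EMPLOYEES = [
    Employee("alice", "ap-clerk", date(2017, 1, 5)),
    Employee("bob", "ap-clerk", date(2017, 2, 20)),
    Employee("carol", "ap-manager", None),
]
MEMBERSHIPS = {
    "alice": {"crm-read", "crm-write", "ap-create-vendor", "gl-read"},
    "bob": {"crm-read", "ap-create-vendor", "gl-read"},
    "carol": {"ap-create-vendor", "ap-approve-payment", "gl-read"},
}
TODAY = date(2017, 3, 1)

if __name__ == "__main__":
    for user, kind, detail in review(EMPLOYEES, MEMBERSHIPS, TODAY):
        print(f"{user:6} {kind:5} {detail}")
```

Run as written it reports alice’s two leftover CRM groups and both findings for carol, while bob is silent until his window closes. The handover exception is the part to be careful with: the review should re-run on a schedule, because the exception only postpones the finding, it never clears it.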
Sean Patrick Walsh says
I agree that employees are risky because of lack of security and/or threat education and awareness. Properly training employees to be aware of vulnerabilities, risk, and threats helps fortify that “first line of defense” in employees. Although, I would add that malicious employees are the other half of that risk with employees. Employees are already what the military labels “inside the wire” in regards to employees being a threat inside the physical barrier. Not only are malicious employees inside the physical barriers and obstacles a business puts in place, but some employees are also inside the digital wire with the various types of access they have to data and information that in the wrong hands could cause catastrophic damage to a business and/or its customers.
Joseph Henofer says
3. Security education is spoken of often. Why is it important?
Security education is important for many reasons, below are just a few
• It’s the first line of defense – Protection is very difficult if you don’t know the threat exists, so being aware of threats to both physical and information security can go a long way in preventing damage to your assets.
• Comply with regulatory requirements – Due to the high number of laws that require employees of organizations to undergo training, the need for security awareness training will also increase. These training sessions are particularly important because they allow users to understand what is required of them in their job role.
• Every business now needs it – The days of security education only for internet-based companies are gone. Just about every business does some kind of work on the internet, so security education needs to be addressed. Having a solid background in security will help you become an asset to a business no matter the industry.
• You will be able to enlighten others – Understanding security awareness will allow you to teach others how to protect physical and information assets that belong to an individual or an organization, thus leading to a productive employee.
• Your mindset will align with your employer’s objectives – You can have all the security controls in the world, but if your employees do not understand or have education on security, then your controls are not as effective. Once your employees have the knowledge of the security objectives as part of their mindset, the risk of internal compromises is decreased.
Loi Van Tran says
Joe,
I can’t agree more with “It’s the first line of defense.” In the past, most companies viewed information security as just part of the IT function and believed that IT alone should be able to thwart all cyber threats. This ideology soon became obsolete as end users required more convenience and functionality with their technology solutions. As IT loosened its grip on logical security for end users’ convenience, it exposed businesses to more risks. In order to compensate for the lessened logical security, the company had to develop a more holistic view of cyber security and educate the entire organization. Along with end users, IT professionals also have to be continually educated about new threats, procedures, coding languages, etc., to ensure that they can keep delivering convenient IT services with effective security controls.
Joseph Henofer says
4. How much attention do you pay to the security of your device, data, and behaviors?
Before I started in the security field, I would say that I only paid attention to security half of the time. Now that I have been working in security for the last few years, my attention to security has increased significantly. Now I regularly look at my devices to see if patches or hot fixes need to be installed, and my mindset has shifted more to the cautious side when it comes to my devices or data. Even my spending profile, where I spend my money and with whom, has also changed significantly. For instance, I will only use cash when shopping at Target because of the breach they had 2 years ago. I can honestly say that before this instance I wouldn’t have given a second thought to using my debit card at Target.
Folake Stella Alabede says
2. Who or what do you think is the most significant risk to any organization?
As has been said so many times, ‘humans are the weakest link’. And this could be accidental or malicious.
Referencing cio.com as well as so many lectures we’ve been taught, the No. 1 risk is employees, especially disgruntled employees. Internal attacks are one of the biggest threats facing data and systems.
Cortney Thompson, CTO of Green House Data, says that “Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage. There were rumors that the Sony hack was not carried out by North Korea but was actually an inside job.”
Organizations should implement necessary protocols and infrastructure to track, log and record privileged account activity and create alerts, to allow for a quick response to malicious activity and mitigate potential damage early in the attack cycle.
Alexander B Olubajo says
3. Security education is spoken of often. Why is it important?
Security education is indeed spoken of often, and rightfully so, because in a time where technology has become a driving force of businesses today, it has only become more important than ever. It is very important to educate the users of technology on its security in order to create awareness of the potential risks and incidents that could occur, as well as the consequences that may arise as a result of negligence. Not everyone is technology savvy; however, every now and then employees may be required by their respective jobs/employers to use new application software, and due to a lack of security education they could be performing actions that put the company’s data or business secrets at risk simply because the proper education that would have created the awareness wasn’t provided.
Mengxue Ni says
3. Security education is spoken of often. Why is it important?
Some security problems come with human ignorance or carelessness; others come with technology vulnerabilities. According to Gartner, only 6 percent of companies survive longer than two years after losing data. However, most security problems can be solved before they happen, so security education is very important to prevent vital security issues.
A security education program can be defined as an educational program that is designed to reduce the number of security breaches that occur through a lack of employee security awareness. Awareness programs explain the employee’s role in the area of information security. The aim of a security awareness effort is participation. Technology alone cannot solve a problem that is controlled by individuals.
Folake Stella Alabede says
Yes Mengxue, I quite agree with you on that last statement that “Technology alone cannot solve a problem that is controlled by individuals”. Even when a task is performed by a machine or robot, you still have to consider the human part of the operation (the input).
So the aim of security awareness, like you said, is really participation. It’s a collective effort. An organization with state-of-the-art technology and the best security is still weak if it has ignorant or uneducated employees.
Xiaodi Ji says
Mengxue,
I agree with your idea that sometimes technology is weak in the face of humans’ foolish activities. Take wifi passwords as an example. Scientists have already tried their best to find many methods to improve it, from WEP to WPA2. WEP can be broken from the ACK but WPA2 cannot; it can only be broken by using a dictionary. However, in this case, some people set their password as “12345678”, which is so easy for a computer to test.
Therefore, as you say, just 6 percent of companies can survive after losing data. Security for the company’s employees is really important. Although we all know security is really important, I think a lot of companies ignore this education before employees enter the enterprise. They just take action after problems show up, which is too late to make up for it.
Jason Wulf says
2. Who or what do you think is the most significant risk to any organization?
The most significant risk in an organization is executive management. They often want complete access to all of the organization, access privileged information, and have significant influence. The term whaling comes to mind when targeting executives with social engineering and phishing attacks. The education of executive management is essential to reducing risk in an organization. Once executive management is educated, their support on programs such as security, risk, organizational awareness, compliance, and risk reduction programs typically follow suit.
3. Security education is spoken of often. Why is it important?
I don’t hear of security education spoken often, I usually hear of security training and awareness. Training and education are two very different animals.
Security training and awareness are important for compliance and they reduce the number of security incidents within the organization.
I find security education used in organizations where users are allowed to use personal computers to connect to the corporate network.
5. How much attention do you pay to the security of your device, data, and behaviors?
I implement solutions on my home network to minimize personal active monitoring of my devices. My firewall has antivirus, intrusion detection, and antispam built into the gateway. On the hosts I have file integrity checking/host-based intrusion detection, antispam, antivirus, and a separate malware detection program installed. On wireless, I’ve implemented MAC address filtering, with WIDS, WPA-Enterprise, and my SSID is not advertised. All systems are set to auto update. I routinely delete my browser history, run scans before credit card transactions, and use VPN services with separate DNS services to avoid behavior tracking.
If I see a rogue process running, I usually run a utility to check the processes and services running on the box. If I’m not satisfied, I look at the event logs and track down where the process is going to. Sometimes I run the sniffer and look at the network traffic if I’m running into a real problem.
Folake Stella Alabede says
3. Security education is spoken of often. Why is it important?
Security education is important because it is the most effective way to communicate the dangers associated with phishing, whaling, spoofing, social engineering, cyber crimes, etc. It is more in line with raising people’s awareness: don’t open/click emails you’re not expecting, don’t enter your card details on sites you’re not absolutely sure about, don’t open suspicious mails, etc. Sometimes the list can be endless, but I believe once a person is security aware, security conscious and security educated, cyber-related crimes will be reduced.
According to an article from cio.com, the second biggest security risk is being Careless or Uninformed.
Ray Potter, CEO of SafeLogic, says employees who are not trained in security best practices and who have weak passwords, visit unauthorized websites and/or click on links in suspicious emails or open email attachments pose an enormous security threat to their employers’ systems and data.
Similarly, “A careless worker who forgets his unlocked iPhone in a taxi is as dangerous as a disgruntled user who maliciously leaks information to a competitor.”
Employees and individuals (and most especially adults and elders) should be trained on cyber security best practices and offered ongoing support.
Bill Carey, vice president of Marketing for RoboForm, says “Some employees may not know how to protect themselves online, which can put your business data at risk,” so it’s essential to “hold training sessions to help employees learn how to manage passwords and avoid hacking through criminal activity like phishing and keylogger scams. Then provide ongoing support to make sure employees have the resources they need.”
Candace T Nelson says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
Security Governance – Lack of adequate security governance controls could result in failure to provide the level of security the business needs in order to achieve its strategic objectives, whether there are too few controls to ensure information is maintained confidentially, that it retains integrity, and that it is always available to the right persons for the right reasons. There is also a risk that controls would not be cost beneficial, or that they are too stringent and could impede goal achievement.
Policy Management – If security policies are defined by IT without input from a broad range of business stakeholders, they may not align with the business risk appetite. Without executive sponsorship or buy in, it is less likely that such policies will be adhered to. IT will also have difficulty obtaining the needed financial and human resources to implement and maintain an effective control environment.
Awareness and Education – If employees are not aware of the pervasive nature of IT and information security threats and vulnerabilities, the company’s IT assets are at risk, regardless of whether robust security governance and policies exist. Additionally, failure to train employees how to comply with Information Security policies will likely lead to non-compliance. Since a control environment is only as strong as its weakest link, if employees are educated about and made accountable for the implications of their actions, they will be more likely to behave compliantly.
Identity and Access Management – If an employee’s identity is not properly authenticated, it is impossible to verify that they only have access to authorized information and systems needed in order to perform assigned functions. Other risks associated with insufficient authentication and access controls include improperly segregated duties and ineffective delegations of authority.
Vulnerability Management – Failure to identify security weaknesses preventatively increases the likelihood that intrusions will not be detected in a timely manner, which also negatively impacts an organization’s ability to effectively respond to breaches. Additionally, lack of awareness of security vulnerabilities belies an organization’s ability to proactively address risks, e.g. purchase of business interruption insurance.
Incident Response – Failure to implement a documented plan to respond to security events increases the likelihood that business will be interrupted for an extended period of time should a breach occur, and that the associated damages will be greater. Failure to test the incident response plan could also render it useless if there have been significant changes since its implementation, such as the communication plan (e.g. who to call and in what order).
Change Management – Ineffective change management controls increase the risk that a security vulnerability that didn’t exist prior to the change was inadvertently introduced.
Business Continuity Management and Disaster Recovery Management – Failure to implement and routinely test BCPs and DRPs increases the risk that a business will not effectively or efficiently recover from a serious disruption, and that the priority of system restoration may not be aligned with the overall business needs.
Project Life Cycle Management – Failure to maintain standard project methodology presents the risk that security considerations will not be included in the design, development and implementation of IT architecture, systems and applications.
Vendor Management – In light of the prevalence of information breaches associated with third-party relationships, it is imperative that service agreements contain adequate provisions that require vendors to maintain a minimum level of security controls dictated by their client, and that they routinely report the status of their security efforts throughout the engagement.
Candace T Nelson says
2. Who or what do you think is the most significant risk to any organization?
As a Certified Fraud Examiner, I would have to say that an employee presents the most significant risk to an organization based on Dr. Donald Cressey’s Fraud Triangle which contains the following three factors that must be present for an ordinary person to commit fraud:
• Opportunity
• Motivation
• Rationalization
An employee knows the business better than someone from the outside, and they have sufficient access to systems and information to perform their work. While doing so, they may discover vulnerabilities, such as a way to circumvent a control or a control gap. This is the opportunity.
The employee may not exploit this vulnerability immediately. However, should they find themselves in a situation brought on by financial distress, divorce, or illness (e.g. addiction), they may be compelled to test the limits to which they can game the system. This is the motivation.
The rationalization could be that the company owes me, or that anybody in a similar situation would do the same thing, or that they will only do it one time, or that they will eventually pay the money back. However, once they get away with it the first time they will continue to exploit the vulnerability to their advantage until they either get caught or they leave the organization to cover their tracks.
This is a simple but realistic example of the reason an employee can be a company’s greatest risk.
Candace T Nelson says
3. Security education is spoken of often. Why is it important?
It is common for someone in the IT field to be aware of security vulnerabilities and to perform their work in accordance with Information Security policies and procedures. However, a bigger threat to an organization’s security is its employees who are unaware of the potential impact visiting a suspicious website could have on their company’s computing environment. In today’s world, which is flush with social engineering tactics, it is more important than ever for the grass-roots employees to be made aware of information security implications. An otherwise strong information and IT security control environment can be rendered ineffective if the information and systems users do not behave compliantly, whether or not it is intentional.
Candace T Nelson says
5. How much attention do you pay to the security of your device, data, and behaviors?
I would say that I behave more compliantly than most, and I am definitely more aware of my actions regarding information security since enrolling in this course. However, without getting into details, there is definitely room for improvement!
Ryan P Boyce says
iPremier Questions:
iPremier performed ok during the attack as far as I’m concerned. With all things considered especially the lack of risk handling practices, everyone who should have been on board and assisting was there. The problem was that no one knew exactly what their role should be in that scenario. I would have said they did not perform well if people were flat out unavailable or non responsive. If I was Bob Turley, I think I would have been more assertive in wanting to pull the plugs on the system. This is a difficult decision, however, especially since he was in New York and was getting information in pieces. He also had to juggle the technical aspect and the executive aspect as he was the middle man between IT and corporate people. Even taking those obstacles into account I think he should have been more assertive and demanded production systems be shut down.
The company’s operating procedures were absolutely deficient in response to the attack. They knew there was a chance malware was left behind yet decided to take their chances and maintain production for fear of loss of sales from a shutdown. Also, there were no operating procedures in place for them to move to a standby system (parallel production). Basically, their margins were tight and the CEO was so focused on maintaining those margins that any practical technical ideas were frowned upon. An additional procedure that certainly would have helped would have been to have standby systems waiting to be enabled in the event they needed to transfer over. This would be looked at as a system that mirrors production but is not in use. Also, there should have been procedures in place to search for intrusion or malware after the attack. They maintained there was a “possibility” of malware, but they were not certain.
Sachin Shah says
5. How much attention do you pay to the security of your device, data, and behaviors?
I try to pay attention to this, but I am lazy on my PC at home and work. When I am at other or public computers I am overly cautious in that I always make sure I am signed off and leave no data. I have no shame in deleting all the PC’s cookies and browsing data, or moving files to a personal junk\pen drive. I look back and see lots of times I have just given my credit card to local sites to buy customized items, and those are the sites that get hacked or are unsecure. I have also seen it in life through emails or even copies I have given of my Social Security Number. I once met a student who was an investigator and getting his degree. He said to me that he was not technically savvy, but he could find so much information on anyone just from an SSN if he wanted to. That was what made me think more about my behaviors, etc.
Sean Patrick Walsh says
5. How much attention do you pay to the security of your device, data, and behaviors?
As far as my laptop, I am pretty diligent with security risks. I maintain my firewall at home at a higher protection level than recommended. I do not connect to public wifi hotspots with my laptop to prevent the vulnerabilities of doing so. I have downloaded and put anti-virus and malware protection services in place. I cannot say the same with regard to my smart phone though as I am not as well versed on the security options that are available for my phone as I am my laptop. In reference to my data, I am careful about what I send over the web. I try to use Paypal whenever possible for any purchases since they’re responsible for any losses incurred, and if Paypal isn’t an option I use a credit card to limit my responsibility for any losses. I monitor my credit regularly to see if any activity shows up that I’m not responsible for initiating. I also am very careful about giving my birth date, name, SSN, etc. to any site requesting it for any reason, but as a Veteran I do have to utilize web services that require a lot of PII usage to verify who I am at various times.
Anthony Clayton Fecondo says
2. Who or what do you think is the most significant risk to any organization?
This is a recurring question I’ve noticed in this program. The most significant security risks are always personnel. A firm can spend infinite amounts of money enhancing the security infrastructure with all the cutting-edge technology, but if employees slip up, whether they write down their password, use the same password for other accounts that get hacked, fall victim to social engineering, etc, then breaching the systems becomes a simple matter. Another factor is that an organization can strictly control the actions of all employees at all times.
Anthony Clayton Fecondo says
3. Security education is spoken of often. Why is it important?
Security education is important because the intricacies of technology are unknown to most people. The general population doesn’t understand how vulnerable they are to hackers and how severe the consequences of compromised information can be. In order to create risk awareness, security education is crucial. Even if someone knows the proper methods of practicing safe security habits, unless they believe that the reward is worth the effort, they won’t exert the effort. On top of being risk aware, security education can also help people to understand what the best practices are and how to be safe. It’s hard to defend yourself against unknown threats.
Sachin Shah says
2. Who or what do you think is the most significant risk to any organization?
The most significant risk is the employees themselves. It may be via accident or intentional. For instance many employees at my job do not know it is a security breach to bring in their personal laptop and hard wire it to our network. Our department had to put so many security controls on our wireless environment now. For instance, employees I know would do their personal browsing on their phones or personal laptops….they would go on dating websites, google searches, job searches or even fantasy football sites on personal devices. The company had to put restrictions on all devices that access the wireless network as an employee or guest.
Anthony Clayton Fecondo says
5. How much attention do you pay to the security of your device, data, and behaviors?
Despite being relatively aware of all the risks on the internet, I have a bad habit of not being overly secure with my data. I have a tendency to reuse basically the same passwords for email accounts, website accounts, and other things that aren’t overly important. That being said, I use more secure passwords for banking and things with sensitive information and I use my credit cards rather than my checking account since they don’t hold me accountable for any fraudulent charges. I don’t worry much about privacy because I feel I don’t really have much to hide. I have a tendency to joke that if someone wants to steal my identity, go for it! and enjoy the college loans! The only time I really start paying attention is if I notice a change in my device’s performance or charges that I didn’t make.
Xiaodi Ji says
Who or what do you think is the most significant risk to any organization?
In my opinion, I think employees and electronic equipment are the most significant risks to any organization.
First of all, employees can reveal the company’s information on purpose or not. The first situation is that a competitor gives them more money or they have a questionable background. The higher level they reach, the more risk they pose, because they can get more sensitive information about the company. Some of the information can decide the company’s future. The second situation is that employees do not know their activities are dangerous, such as using personal electronic equipment to store company information, sending sensitive information through the Internet, or posting a photo about the program on the Internet. All of them look simple, and some of the activities are quite convenient for the employees or can make them more successful on their social media. However, all of these things can become a hole for the competitor to get information.
Then, electronic equipment is dangerous too. We can say that, right now, we cannot ensure that all of our electronic equipment is free of bugs, errors, or leaks. Firstly, we cannot make sure that all of it works well every day. It will make mistakes that lose some information. Then, some hackers can use a leak or error in it to get into our company and get information. Some leaks we can fix after we know about them. However, some leaks we cannot fix because they are known only to some hackers. Therefore, electronic equipment has the same level of danger as employees.
Xiaodi Ji says
How much attention do you pay to the security of your device, data, and behaviors?
Device:
For my computer, I choose to install antivirus software and trojan detection software.
Data:
If the data is really important, I always save it onto two portable hard disk drives.
If the data is insignificant, I just save it on the computer or on one of the portable hard disk drives.
Behaviors:
I use a special flash disk just for transferring files to other people.
I do not open websites whose design is really bad.
Each time a website asks me to enter my password, I double check the address of the website.
I do not install or open any attachment that comes from a stranger.
Before I install software that I have downloaded, I check its MD5.
Alexander B Olubajo says
Xiaodi,
Interesting to know we have similar behaviors in regards to both websites (I think most people also share this behavior) and software, especially open source applications or when I download them from a non-trusted or third-party source. I always obtain either the SHA or MD5 hash as well to compare and verify it is the same as what was released by the vendor. As I am sure you know, this helps to prevent downloading malicious software that may have been altered by a “man-in-the-middle”.
Anthony Clayton Fecondo says
Case question 2:
The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a “deficit in operating procedures.” Were the company’s operating procedures deficient in responding to this attack? What additional procedures might have been in place to better handle the attack?
I think that the response to the attack demonstrated a lack of preparedness on iPremier’s part. As I was reading, I identified several issues that I thought were major. The first is that iPremier treats IT as a cost center and sacrificed security to cut costs. Examples of cutting corners include not enabling detailed logging and relying on a shabby third-party vendor for data centers. Another issue that might go along with the first was the outdated nature of the firewall and business continuity plan, the lack of an IDS, and the lack of testing of the remote connection to QDATA. In addition to these problems, iPremier had no system for communicating during an emergency. No one knew who to contact for what information or who was responsible for what activities. As a result, there was wasted time trying to communicate, and misinformation was getting around. The biggest problem is that the company never prepared for an event. If there had been any tests of the BCP, the firm would have known how insufficient/outdated their plans were and addressed that. Additionally, if the IT systems had been audited, the flaws in the hardware and software might have been addressed prior to the attack.
Xiaodi Ji says
Security education is spoken of often. Why is it important?
Employees cannot know what is right and what they should do before security education. Many times, employees do not realize their normal activities can destroy the company. For example, they often send shopping lists for Black Friday to their friends through email, or take a picture after they buy the items. For the enterprise, it could be a catastrophe because it will give a lot of information to their competitor. In this case, we should teach employees to pay attention, because business information is really important for security.
On the other hand, people learn how to use their electronics from the Internet or from other people who may not be good at keeping secure. Thus, they just learn how to use them without learning how to use them safely. Take installing software as an example. Now, it is quite easy to install on a computer or cellphone. However, people do not know never to install unknown software from the Internet, because some of it has back doors set up by hackers.
Therefore, people should take some security courses to learn how to use electronic equipment safely.
We, however, should also consider another situation. If some violent criminals often hurt people on the street, but the police just tell us that we should never go to that street, how would you feel about this? It is the same situation for security. On the one hand, people should know how to keep themselves secure. On the other hand, security people should make more security methods and software to help people stay secure.
Ivy M. McCottry says
Who or what do you think is the most significant risk to any organization?
People are the most significant risk to any organization, which is why during security awareness month everyone emphasized “you are the firewall” messages. People have the potential to intentionally and unintentionally create conditions that are adverse to IT security and information security. An unaware employee can be subject to social engineering. An upset employee can plot revenge and act upon vindictive acts against IT infrastructure and information. Both types of people, good and bad, require risk mitigation.
Anonymous says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
Looking back to the article on Cybersecurity and Boards, I was able to draw on some similarities between the topics there and the top 10 security processes outlined by Gartner. I think the obvious similarity and/or relation between both is the emphasis that is being placed on how to go about implementing a proper and effective security process within an organization. However, I couldn’t help but single out how both were quick to identify the most important process in accomplishing this, which is determining who is responsible for the cybersecurity risk within the organization, as well as its governance, which is to ensure that the right actions are taken in successfully executing the other 9 security processes. They also both, to some extent, point out the role and expectations of the CISO and how they play a major role in positioning and aligning the management of risk to the business.
Alexander B Olubajo says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
Looking back to the article on Cybersecurity and Boards, I was able to draw on some similarities between the topics there and the top 10 security processes outlined by Gartner. I think the obvious similarity and/or relation between both is the emphasis that is being placed on how to go about implementing a proper and effective security process within an organization. However, I couldn’t help but single out how both were quick to identify the most important process to accomplishing this, which is determining who is responsible for the cybersecurity risk within the organization as well as its governance, which is to ensure that the right actions are taken in successfully executing the other 9 security processes. They also both, to some extent, point out the role and expectations of the CISO and how they play a major role in positioning and aligning the management of risk to the business.
Ivy M. McCottry says
What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
Security Governance
Risk: not aligning security with business goals
Controls mitigate: misalignment with business goals; establish infrastructure for managing and monitoring security inputs and outputs to other processes and broader enterprise risk management
Policy Management
Risk: misunderstanding about risk tolerance and risk appetite and heightened risk (ex. non-compliance and other violations)
Controls: guidance documents that match security governance and provide awareness and procedures for managing risk
Awareness and Education* (I think that the same risks and controls for Policy Management apply here)
Identity and Access Management
Risk: the wrong people access the wrong information (confidential, sensitive, protected individual information, etc.)
Controls: IAM processes, procedures, and tools such as account management software help establish rules for who accesses systems and info and who doesn’t
Vulnerability Management
Risk: lack of visibility to vulnerabilities that can disturb or stop operations or allow breaches
Controls: scanning tools for monitoring (ex. IDS)
Incident Response
Risk: missteps when a breach occurs, such as botched communications plans and prolonged triage
Controls: continuity plans that include communications plans for incident/crisis response
Change Management
Risk: unauthorized and adverse changes to equipment, settings, and information; introduction of malicious content through simple things like USB drives or software installations because permissions weren’t set to prevent them
Controls: permissions and settings that prevent unauthorized installations and system changes
Business Continuity Management and Disaster Recovery Management
Risk: not knowing what to do during a crisis
Controls: continuity and disaster recovery plans with clear responsibilities
Product Life Cycle Management
Risk: obsolescence with tools and equipment that open the network up to vulnerabilities
Controls: policies, procedures, and tools such as software that track product life cycle (ex. software versions)
Vendor Management
Risk: vulnerabilities from vendor involvement
Controls: processes, procedures, and tools such as training, policies, and IAM
Ivy M. McCottry says
Security education is spoken of often. Why is it important?
Since people are the biggest risk to organizations, security education is critical because it provides a platform for behavioral changes that promote security. Otherwise, high level commitment is ineffective on its own. We don’t simply want people to know about security, we want them to practice security and conduct activities that promote security soundness.
Ivy M. McCottry says
Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
Governance sets the tone and road map for everything. The Gartner article starts with “Security Governance” and repeatedly speaks about how security governance feeds other processes associated with risk in the enterprise. Governance not only sets the tone and maps things out, it also allows for accountability for doing what’s necessary in IT security and information security to help the enterprise accomplish business goals.
Ivy M. McCottry says
How much attention do you pay to the security of your device, data, and behaviors?
My family is sensitive to the risk of the current environment. I check settings on the LAN and use multi-factor authentication. Additionally, I do not store certain information. We update passwords regularly and increasingly make behavioral changes. We encourage family and friends to also learn new habits especially when we see headlines for major breaches like the Yahoo breach.
Alexander B Olubajo says
5. How much attention do you pay to the security of your device, data, and behaviors?
I’d say I pay a moderate amount of attention to the security of my devices and the data that is both stored on them and transmitted with them. I wouldn’t say I am paranoid, but I would say I am very conscious, which I guess stems from my background in IT and my knowledge of the security threats that are out there; it’s not that I am constantly thinking that I could be the victim of a security attack.
I have both personal and work devices (i.e. laptops, desktops, phones) and I try as much as possible to distinguish them from each other whenever I use them. I use my work laptop strictly for work (and sometimes school) purposes. If I am tempted to do personal activities on my work laptop, I ensure I am not on the company’s network (rather on my personal network) and I go into incognito mode in my browser sessions. These habits help me not compromise anything work-related in case I screw up, and they help protect me, as I am aware that data stored and transmitted with my company’s device is being monitored (not that I am hiding anything).
As for my personal devices, they are all password protected. I have a very strict firewall policy/rule set up on my home router that only allows predefined physical addresses of devices on my home network. That way nobody can just hop on my network using my WiFi or, even worse, try to hack into my network (not that I am wary of people around me doing so).