-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain. How should the business use the risk profile?
-
The article I read is about the rising tension between China and the US and what the cybersecurity front has to do with it. From the US’s perspective, China is the “leading suspect” in the largest breach of government-held personal data in US history, stealing 22 million people’s data from the US Office of Personnel Management (OPM). The article goes into how the US pushes back harder against cyber theft of company data and trade secrets.
“It is far more firm and that’s the line that the U.S. is trying to draw — ‘It’s okay to spy on governments, everybody does that. It’s not okay to spy on company secrets’,” Washington Post Beijing bureau chief Simon Denyer tells me in the latest episode of CNN’s “On China.”
Companies, across all industries, are often targeted for trade secrets, business plans, marketing plans, product design, scheduled releases, etc. Chinese, US, and many of the world’s countries have companies that are also targeted. Apparently a set of world “road rules” is a lofty goal and a US/China cyber agreement is not likely anytime soon.
http://www.cnn.com/2015/08/26/asia/china-cybersecurity-stout/index.html
-
The article I found is about the danger of the apps we download on our phones and how they can be the source of data leakage. This article is specifically related to Android users and the fact that unofficial apps downloaded from third parties can have spyware which gathers the user’s contacts; precise location, including latitude, longitude, network ID, and location area code; free internal and external memory; and more.
The spyware can cause long-term damage by giving other people access to users’ online accounts, bank information and more.
Users should be aware of these malicious apps and act accordingly.
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
Synopsis of “Microsoft Patches Zero-Day Flaw Used by Malvertising Gangs”
The software giant, Microsoft, has once again found itself in the news about its software vulnerabilities and delayed response to patching up the vulnerabilities in its software, like IE versions 9 to 11, Office, Exchange Server and more.
The article specifically talks about a zero-day vulnerability that was exploited by a malvertising firm for over two years. The significance of this event was that it was a non-critical or low-level bug, but threat actors were able to exploit it and use it to serve malvertising campaigns to over 5 million users a day. Malvertising is the use of internet advertisements to spread malware. The vulnerability existed in Microsoft Internet Explorer/Edge and the attackers used steganography, hiding attack code in plain sight like an image file, to spread the malware.
So if you are a Windows user, please make sure you run your updates.
Source: http://www.databreachtoday.com/microsoft-patches-zero-day-flaw-used-by-malvertising-gangs-a-9398
-
New regulation proposed by the Governor to protect New York State from Cyberattacks:
The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. This forces the financial services industry to have an obligation to protect its customers and to have necessary safety measures and its system to be up to date and have sufficient protection.
The regulated entities will be held responsible and must certify compliance annually with this regulation.
Source: http://www.securitymagazine.com/articles/87438-new-york-proposes-cybersecurity-regulations-for-banks
-
Seagate faced with class-action lawsuit following whaling scam
According to the article found on IT Governance USA’s webpage, Seagate, the computer hardware manufacturer, is now facing a class-action lawsuit due to a “whaling scam”. The article states that over 10,000 employees of the company had information leaked, which included W-2 forms and personally identifiable information (PII). As most of us know, PII is information that can be tied to a specific individual, and W-2s include information such as name, Social Security number, and address. However, how the information was leaked is very interesting. Again, as most of us know, a phishing scam is when a “bad guy” tries to obtain sensitive information from another individual through deception. Very similar to a phishing scam is a whaling scam, which is a phishing scam directly targeted at high-level officials. In the case of Seagate, the whaling scam was targeted at the CEO, who believed the email was legitimate and provided the requested W-2 forms of his 10,000 subordinates. This is a clear-cut example of why education and training to identify phishing scams is highly important, even to someone like the CEO. While the incident happened earlier in the year, the employees are now seeking legal remedies for the negligence of the CEO.
Article: http://www.itgovernanceusa.com/blog/seagate-faced-with-class-action-lawsuit-following-whaling-scam/
-
News: “Data-Stealing Malicious Apps Found in Google Play Store.”
According to this article, people today usually underestimate the impact of malicious apps on smartphones, which have the potential to steal users’ personal information, including sensitive data like passwords and credit card numbers. Researchers from Lookout’s Security Research and Response team identified four apps available in Google’s app store that can steal huge amounts of personal data from their users. The data includes the users’ contacts, phone number, email address, and the network ID. The researchers also point out that unofficial Android apps usually have potential safety risks. Smartphone users should notice that and keep in mind that not only PCs have malicious software and data leak problems; smartphones today also need to be protected, or attackers can easily steal personally identifiable information through those unknown apps.
Source: http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
https://www.cnet.com/roadshow/news/ford-could-replace-your-key-fob-with-radio-button-passcodes/
This article addresses vehicle theft and how wireless keys aren’t secure enough to prevent a car from being stolen. Ford’s idea is to add an extra layer of security to get the car into gear by using random user-designed codes. It allows the owner of the car to create a sequence of codes, so it can include the brakes, radio buttons, etc. It’s a great idea to add this extra layer of security and, as the report says, we may never see it in place, but it’s certainly worth a look. It’s harder to guess the sequence than it is to copy a wireless key fob.
-
“cyber-breach of government data is often regarded as fair game.”
This statement made me boil a bit. They should say that to the 22 million previous, current, and prospective federal employees who had ALL of their information compromised (financial records, fingerprints, SSNs, medical records). Basically their whole lives were in the data that was hacked from OPM. It is not OKAY to say it’s okay to steal government data when it affects its citizens. A good amount of that personal information is for high-ranking military and federal employees and could be used for who knows what. They should do more to protect the information rather than saying it’s okay.
-
The article I read this week was titled “Amazon Implements Password Reset after Credentials Leaked Online.” This article talked about how recently a couple of websites leaked customer email addresses and passwords online. So Amazon sent emails to Amazon customers to let them reset their passwords. The reason is that password re-use is rampant, and a customer may use the same password for all of their different online accounts. Amazon said that they take their customers’ security and privacy seriously, even though the leaked list of email addresses and passwords was not Amazon-related. Amazon sent a temporary password to the Amazon accounts of those whose email addresses and passwords were on the list online.
The article also introduced a way to set a password, because the longer and more complex the password, the safer it will be, as said by Darran Rolls, CTO at SailPoint. One example from the article: “Mary had a little lamb its fleece was white as snow 987654” becomes “MhalLifwwaS98754”. In addition, the password should be a minimum of 12 characters and it should avoid using dictionary words.
I think Amazon did a great job because: 1) it helped its customers keep their accounts safe; 2) it wins customer satisfaction; 3) it prevents Amazon accounts from being leaked and stolen by hackers, so it avoids trouble itself. Amazon managed the risk well and reduced the possibilities of risks.
Source from: http://www.infosecurity-magazine.com/news/amazon-implements-password-reset/
-
In addition, Temple requires everyone to reset their password every 6 months (I guess), and the requirements for that are:
Your password must contain:
One uppercase letter
One lowercase letter
One number
8 to 15 characters long
So the example will be TUowlsr#1
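The two password policies described in these comments (the article’s “minimum 12 characters, no dictionary words” advice with its passphrase-to-initials trick, and the Temple rule set quoted just above) can be checked mechanically. The following is an added example, not code from the article, SailPoint or Temple; the function names are mine, the wordlist is a small constructed stand-in for a real dictionary, and `passphrase_to_mnemonic` applies the plain rule “first letter of each word, numbers kept whole”, so its output keeps the original capitalisation and differs from the article’s hand-made “MhalLifwwaS98754”.

```python
import re
from typing import List

# Constructed stand-in for a dictionary/cracked-password wordlist (assumption:
# a real check would load a large list, e.g. a leaked-password corpus).
COMMON_WORDS = {"password", "welcome", "owls", "temple", "summer", "mary"}


def passphrase_to_mnemonic(phrase: str) -> str:
    """Build a password from a sentence: first letter of each word,
    purely numeric tokens are kept whole (the scheme the article describes)."""
    parts = []
    for token in phrase.split():
        parts.append(token if token.isdigit() else token[0])
    return "".join(parts)


def check_temple_policy(pw: str) -> List[str]:
    """Return the violated rules (empty list means compliant):
    one uppercase, one lowercase, one number, 8 to 15 characters."""
    problems = []
    if not 8 <= len(pw) <= 15:
        problems.append("length must be 8-15 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs an uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("needs a lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a number")
    return problems


def check_article_policy(pw: str, wordlist=COMMON_WORDS) -> List[str]:
    """The article's advice: at least 12 characters and no dictionary words.
    Dictionary words are matched as case-insensitive substrings, so a word
    embedded inside the password (e.g. 'owls' in 'TUowlsr#1') is still caught."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    lowered = pw.lower()
    hits = sorted(w for w in wordlist if w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("TUowlsr#1",
                      passphrase_to_mnemonic(
                          "Mary had a little lamb its fleece was white as snow 987654")):
        print(candidate,
              "| Temple:", check_temple_policy(candidate) or "ok",
              "| article:", check_article_policy(candidate) or "ok")
```

Note that the Temple example `TUowlsr#1` satisfies the Temple rules but fails both of the article’s stricter rules (it is shorter than 12 characters and contains the word “owls”), while the passphrase-derived 17-character string passes the article’s rules but is too long for Temple’s 15-character cap; the two policies pull in opposite directions on length.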
-
Data-Stealing Malicious Apps Found in Google Play Store
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
Researchers from Lookout’s Security Research & Response team identified a piece of spyware hiding in four apps available in Google’s official app store. The spyware has been dubbed Overseer, and is capable of stealing “significant amounts” of personal data from users.
The spyware will lead to long-term damage through giving other people access to users’ online accounts, bank information and personal information. This may lead to crime.
-
Great article Alex!
I just read it, and wow I am definitely going to be taking this into account when I download apps. You can reduce your risk of downloading an outright malicious app to almost zero by acquiring apps only from your operating system maker’s app store.
-
Alex,
One issue with Android phones and Google software is that it is “open source”, which means the code is made public and can be modified by anyone. This means a person can create a “flashlight” app for Android and hide malicious code within the application, and you would never know.
This is why Apple is so successful at security with their apps: a developer must submit the code to Apple for verification and approval. The Google process is much less restrictive.
-
Cry Ransomware uses UDP, Google Maps, Imgur
A ransomware dubbed Cry pretends to come from The Central Security Treatment Organization (CSTO), a fake organization. It encrypts a victim’s files and then appends the .cry extension to the encrypted files, claiming a ransom of 1.1 bitcoins ($625) to access them. What is unique in this new threat is the ability to track the victim using the Google Maps API and nearby wireless SSIDs. It also collects information like the victim’s Windows version, installed service pack, Windows bit-type, username, computer name, and CPU type, then sends these details via UDP to 4096 different IP addresses to the C2 (command and control) server and hosts this information on public sites like Imgur.com and Pastee.org.
The victim’s information is uploaded along with a list of encrypted files to public sites by compiling all details in a fake PNG image file, and the ransomware broadcasts the filename over UDP to inform the C&C server.
The malware was also observed creating a backup of certain shortcuts on the victim’s desktop and saving them in a folder called old_shortcuts, though the purpose of this folder is yet unknown.
The attack also uses vssadmin delete shadows to delete shadow files. It also posts ransom notes on the victim’s computer displaying a unique ID and payment information for a Tor site.
The attack also has a feature where the victim can communicate with the malware to get a sample copy of decrypted files, to trust it to further decrypt all files and pay the amount.
In some cases, they were unable to decrypt files, and hence victims are advised not to pay.
-
Russian Hackers Leak Simone Biles, Serena Williams Medical Records
A Russian APT group known as Fancy Bear has leaked confidential medical information for US Olympic gymnastics star Simone Biles as well as Serena Williams.
The documents don’t show that the athletes “doped”. They do suggest Biles has ADHD and takes medication for that, and that Williams was treated with corticosteroids for injuries.
I think all athletes will use some sort of medicine to help them. But it is hard to define which medicines absolutely need to be restricted. Russian athletes were all denied entry to the Rio Olympics because of “doping”. However, I don’t think all of them were doped. It was a great pity that they didn’t compete at all.
The U.S. Anti-Doping Agency explained regarding the documents, “The TUE application process is thorough and designed to balance the need to provide athletes access to critical medication while protecting the rights of clean athletes to compete on a level playing field”. I am not familiar with medicines, but I hope athletes can compete without using any kind of medicine in order to make the competition fair.
Fancy Bear also indicated that it will release confidential records from other national Olympic teams.
Links: http://www.infosecurity-magazine.com/news/russian-hackers-leak-simone-biles/
-
My weekly news post is about a video about the Wells Fargo fraud. As we talked about it last week, Wells Fargo was fined $190 million because of 1.5 million fake accounts created by a multitude of employees. Out of the $190 million fine only $5 million will go to the victims.
The company fired more than 5,000 employees and said they will invest in training and improve their controls. The outrageous thing is that nobody is going to jail. A fraud has been committed and no one is being held responsible for it. This kind of fraud should result in up to 15 years in prison.
Plus, the fine represents only 3% of Wells Fargo’s revenue ($5.6 billion) in the second quarter of 2016. The government should be stricter, otherwise other banks will do the same knowing the punishment won’t be hard.
https://www.facebook.com/BenSwannRealityCheck/videos/1205025702895711/
-
Right! I don’t know how they are saying that it is just accepted that government data is “fair game”. A couple of years ago, I would have guessed that government data would have been harder to steal than corporate company data. It doesn’t make sense that it is not, because the government should have the best security, technology, infrastructure, etc.
-
This is interesting. I know Apple has more of a process for getting apps “accepted” into their app store. I wonder if it is largely due to security reasons. Stories like this may cause Android’s app approval process to become more of a process. Very interesting article.
-
http://www.technewsworld.com/story/83866.html
The article I read goes into detail about how the FBI has begun investigations into the cyberattacks on the electronic election infrastructures in Illinois and Arizona. The first attack in June led to the illegal download of personal information of 200,000 Illinois voters. However, in this second attack, hackers were able to penetrate the systems in Arizona but failed to download voter information.
The article goes into further explanation, stating that the vulnerabilities within voter registration have been an issue for years. Secretary of Homeland Security Jeh Johnson hosted a conference call with top state election officials to discuss the cybersecurity issue and the need to protect voting infrastructures.
“DHS has planned to launch a Voting Infrastructure Cybersecurity Action Campaign, Johnson said during the call, enlisting experts of all levels from the government and private sector”.
-
It’s a really useful article, because I’m a Windows user. Indeed, the IE explorer usually has a lot of internet advertisements, and sometimes I misclicked an image and went to another page or downloaded unknown software. But actually, I didn’t update my IE explorer; instead, I use other explorers like Google Chrome or Firefox.
-
Drone hacking Threat
Insurance giant Allianz has warned that the increasing volume of drones in the sky can lead to cyber security threats, potentially resulting in loss of life.
Unmanned aircraft systems (UAS) are expanding rapidly from their original use in the military and are set to become part of a multi-billion-dollar business.
The prospect is that hackers may take remote control of a drone, “causing a crash in the air or on the ground resulting in material damage and loss of life.”
The term ‘spoofing’ refers to attempts to take control of a UAS via hacking the radio signal and sending commands to the aircraft from another control station. This is a very real risk for UAS since they are controlled by radio or Wi-Fi signals. Companies which claim to sell devices to specifically bring down or take control of UAS can be found online.
There’s also a risk of data loss from the UAS if a hacker manages to intercept the signal, or hacks the company gathering the data.
-
The article I read and would like to share with the class is about the US government mistakenly granting citizenship to 800 immigrants from countries of concern to national security or with high rates of immigration fraud. It was found that the immigrants had used different names or birthdates to apply for citizenship and these discrepancies weren’t caught as the immigrant’s biometric information was missing from the government databases.
The gap was due to older paper-based records never being linked to the fingerprint databases. The US government has known about this information gap since at least 2008, when 206 immigrants were identified who had used different biographical information to apply for citizenship.
Granting citizenship mistakenly to someone who has been deported has severe implications, as US citizens can apply for and receive security clearances and be employed in security-sensitive jobs. There have been multiple such cases where a number of such immigrant-turned-citizens have obtained aviation licenses or transportation worker credentials, and one is also a law enforcement officer. The auditors have recommended that all of the outstanding cases be reviewed and their biometric information be added to the government’s database, besides creating a system to evaluate each of the cases of immigrants who were improperly granted citizenship. The DHS has accepted the recommendations and stated that the agency is in the process of implementing the required changes.
-
Tech giants team up to improve internet security
Major tech companies such as Twitter, Dropbox and Uber have joined forces and launched the Vendor Security Alliance (VSA), a coalition whose goal is to improve internet security. VSA’s goal is to streamline the evaluation process for vendors through a standardized cyber security evaluation to assess security and compliance practices. The evaluation includes a questionnaire, updated yearly, to determine if a vendor has all the appropriate security controls in place. The questionnaire will be evaluated, audited and scored by an independent third-party auditor. The vendors who participate in this evaluation will receive a score rating measuring their cybersecurity risk level, including procedures, policies, privacy, data security and vulnerability management. The vendors can then use their score when seeking to offer their services to any business in the VSA without having to go through further audits.
http://www.securityweek.com/tech-giants-team-improve-internet-security
-
The article I read is about malicious apps that exist on the Google app store. Researchers from Lookout Security identified a piece of spyware hiding in four apps available in Google’s official app store. This spyware is able to steal personal data from users including name, phone number, email, and times contacted; precise location, including latitude, longitude, network ID, and location area code; free internal and external memory; device IMEI, IMSI, MCC, MNC, phone type, network operator, device and Android information.
This spyware targets foreign travelers who are using the app to find their embassy when they are abroad. Most recently, Kaspersky researchers found a rogue app disguised as a Pokemon Go guide. That app was capable of installing and uninstalling apps and displaying adverts. Google has removed the apps from the Google Play Store. However, it didn’t release any details of how many downloads the apps had, or how many devices were potentially affected.
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
Nice point Alexandra.
Certain operating systems, and applications on those operating systems, are allowed to use an app’s internal data. Applications should not be able to communicate with other applications to use the internal data. The user must be notified when the application needs to use internal data from another application.
The fault also lies with the Original Equipment Manufacturers (OEMs). The group states that “the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.”
-
Hi Fangzhou,
This is a great example to show that most people today underestimate the potential risk of malicious apps installed on smartphones. Unlike Apple’s App Store, the Google Play Store is open to any app developer without a serious vulnerability check before publishing on the store for users to download. I actually had the experience where my personal information was stolen by an unofficial application I downloaded from the Google Play Store. We mostly don’t have risk controls or protections such as firewalls installed on our phones.
-
Hi Said,
I agree that the fine for a large corporate firm is not a deterrent at all and should be stricter, because it is only 3% of its revenue and doesn’t hurt them. Wells Fargo will face the challenge of improving its risk controls and setting up strict policies and procedures from the top management.
-
Malicious Pokémon Go App Targeting Android Discovered
The Pokemon Go app has been very popular since it was first published. This article talks about an app, called Guide for Pokémon Go, that can seize root access rights on Android devices and use that power to install and uninstall apps and display unwanted adverts. It has been downloaded over 500,000 times, and infected over 6,000 Android smartphones. And now it’s been removed by Google.
What happened was the “interesting features” of the app enable it to bypass detection once on a device. Instead of running as soon as it’s downloaded, the app waits for the user to install or uninstall another application and then runs checks to see if it’s on a real device or a virtual machine. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.
I think everyone should be aware of what types of applications they download from the app store. They should read the reviews and check the credibility of the app developers before downloading the app.
http://www.infosecurity-magazine.com/news/malicious-pokmon-go-app-targeting/
-
Biometrics a Hit with UK Consumers
The article I read for this week is about nearly two out of three UK consumers favoring the use of biometrics to authenticate payments, with fingerprint scans the most popular method. The credit card giant polled around 2000 consumers in the UK as part of a Europe-wide Biometrics Payment study. According to the study, research has shown trust in biometrics appears to have grown over the past 12-24 months, with banks (85%), payment networks (81%), global online brands (70%), and smartphone companies (64%) all being trusted to offer these types of authentication methods. However, there is another interview done on 1000 people about their attitudes to biometrics. More than half (51%) said they wouldn’t use the technology, either because they don’t trust it (29%) or they don’t understand it (22%). On the other side, only a third (36%) said they’d consider it, while 13% claimed they already use biometrics. What surprised me is the age group least likely to migrate to the new authentication tech appeared to be between the ages of 18 and 24.
My personal thought on this article is I would support it because, as mentioned in the article, biometrics introduce better fraud detection, better identity management, better audit trails, and better internal controls. I agree with it; everyone has his or her unique fingerprint, so I think it’s safer than the chip or using the PIN, because that information can be leaked very easily. The main concern, or what is holding up the process of implementing biometrics, is how the government is able to prove to consumers that it is using the latest security measures and looking after consumer data. I am actually very excited to see how this biometric fingerprint payment method turns out.
Source: http://www.infosecurity-magazine.com/news/biometrics-a-hit-with-uk-consumers/
-
“Cyence Raises $40M to Help Insurers Assess Cyber Risk”
The article I chose for this week is about a new firm established to help insurance companies assess cyber risk. Cyber insurance premiums are projected to grow to $7.5 billion annually by 2020 from $2.5 billion in 2015. While this growth is an opportunity for insurers, it is also a large risk because there is very little data to use for models. Cyber risks also evolve rapidly, as opposed to hurricane or auto data. Accurate models require large, accurate, and reliable data to forecast losses.
Insurers have trillions of dollars of exposures in buildings and other physical structures which are now vulnerable to a cyber attack. Cyence is hiring experienced professionals in technology and insurance to build a comprehensive data set and eventually an insurance model for cyber risks. Many current cyber insurance models focus on data breaches and identity theft and aggressively limit the insurer’s exposure. As more companies compete and the market continues to grow, more property will be insured against cyber risks. More data will allow insurance companies to offer more insurance with comparative premiums.
http://www.wsj.com/articles/cyence-raises-40m-to-help-insurers-assess-cyber-risk-1473334200
-
“The Department of Transportation just issued a comprehensive policy on self-driving cars”
Autonomous Vehicles (AV) are an emerging industry where many manufacturers think they will have decent capabilities by 2020. The Department of Transportation (DoT) has decided not to lag behind the times and released an initial framework for how they think laws and regulations with AVs will work. The proposed policy has four main categories.
First is keeping the vehicle safe. Cars are already at risk of cyber attacks, so when they work all on their own it will be an even more dangerous risk, as they can be stolen by reprogramming the destination point. The regulations spell out that data should be collected for analysis later, similar to airplane black boxes. It is important to also consider who is allowed to make decisions that affect life and death situations, if that is allowed to be automated. Companies will have to consider where liability and risk for accidents lie.
The rest of the guideline groups 2, 3, and 4 focus on state governments, existing regulations, and requests for new regulatory powers by the DoT. One of these powers is considering overriding a manufacturer with pre-market approval needed. DoT also wants to be able to inspect software updates before they go out as mistakes there could have cascading effects across the country.
Car and transportation companies are going to have to adapt to how the new logistics of travel will work in the future.
http://www.vox.com/2016/9/19/12966680/department-of-transportation-automated-vehicles
-
I thought I posted the link to my story. It is an interview on NPR, speaking about the athletes and other United States figures being hacked by Russian lead groups.
-
Wow, that is scary. I am sure that this is life or death for drone companies. I would imagine they would stop producing drones if drone companies cannot up their cyber security game. Too risky to put human lives in danger if hacking into a drone is that easy.
-
This article goes into explanation about the massive hacks that have been happening via the Dark Net to huge companies. A few of these heavy hitters that fell victim include: Apple, DropBox, Uber, McDonald’s, Ebay, etc. As many as 85 companies have been targeted by these “Russian hackers”.
The article goes into further detail that there is no knowledge regarding the identities of the perpetrators and no links have been established to foreign governments. Yet, if the information that was seized by these hackers is valuable, they allude that we can expect to see these stolen credentials for sale on the dark web.
Source: https://www.hackread.com/dark-net-russian-hackers-hit-us-firms/
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
-
The 3 types of risk mitigating controls are:
1- Preventive controls: they prevent a loss from occurring.
2- Detective controls: they monitor activities and identify issues. They can ameliorate preventive controls.
3- Corrective controls: they are used after a loss to restore the system to its original state.
In my opinion, the most important controls are the preventive controls because they minimize risk by preventing certain events from occurring.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are preventative controls, detective controls, and corrective controls. Preventative controls are, as the name implies, controls to prevent any problems or errors from occurring. Examples of preventative controls include usernames and passwords, which prevent unauthorized users from accessing information or an application. Detective controls are those that detect or identify an error or problem after it has occurred. An example of a detective control is that of audit trails or user logs when certain employees access an application. Lastly, corrective controls are those that fall in between preventative and detective. These corrective controls are those that identify an error or problem but already have the necessary action steps identified to resolve the issue. An example of a corrective control would be antivirus, which identifies malware and removes it.
In my opinion, the importance of which type of control is highly dependent on how established the IT environment is within an organization. As stated earlier, preventative controls are implemented to prevent a risk from happening. Why have a control that detects or corrects a problem when you can have a control that prevents the problem from happening in the first place? Therefore, for an IT environment that is developing, setting up proper preventative controls will be most important since they want to establish policies and procedures that will mitigate risks from happening in the first place. However, in today’s IT environment, data breaches are prevalent and some breaches go years without being noticed, one example being the recent Dropbox breach that went unnoticed for four years. Therefore, detective controls are more important for well-established IT environments since those organizations need to identify any areas of vulnerability or error. Knowing that there is usually a way to circumvent controls, it is important to first have those preventative controls established then focus on detective controls to really mitigate risks going forward.
-
Preventive – controls that prevent the loss or harm and reduce the risk from happening in the first place. Examples of preventive controls are segregation of responsibilities and firewalls.
Detective – controls that monitor activity to record issues after they have happened. An example of a detective control is performing an audit.
Corrective – controls that restore the system or process back to the state prior to a harmful event.
I believe detective controls are the most important controls because they are a response: reviewing the logs to look for the inappropriate event, where we can correct data errors and recover from the issues. If the IT auditors know what the issues are, it can help prevent the next event.
Corrective controls are not practical from a business standpoint because the business might lose business data or business tasks have to be redone, and the controls do not help prevent the next event from occurring.
Preventive controls are used to minimize the risks, but they are not able to remove all the risks from happening. I think the response after the event is relatively important.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are: preventative, detective, and corrective. All three play a significant role in ensuring that the company’s assets are properly secured and accounted for.
The most cost effective control is the preventive control, because preventative controls help avoid the loss of resources to begin with and are usually not very expensive to implement. Examples: employee background checks, employee training and required certifications, password protected access, physical locks, and security camera systems.
When preventive controls fail, detective controls seek to identify issues in order to prevent further errors, irregularities, and harm to company assets. Examples: bank reconciliations, physical inventory checks.
When preventative controls flop and detective control activities are forced to identify an error or irregularity, corrective control activities then kick in to fix it. Examples: new system implementation to prevent it from happening again, data backups.
In my opinion, all three controls are equally important because the balance of the three will result in the most secure assets. However, for the sake of the question, corrective controls are the most important because when all else fails, you need an emergency plan to fix the mess up. Otherwise, the company’s assets are dead and gone.
-
Ian,
You detailed the three controls and gave great examples of the control flow. I also agree that all controls are important for a controlled environment.
However, I think of the most important control as preventative control, because it costs more money to react to a problem than to prevent the problem. An example of this would be a firewall device. Spending $1,000 on a firewall device and 1-2 hours a week to manage it will reduce the chances of intruders penetrating the network. If you didn’t have the firewall, the intruder could bring down or hold your system hostage for a ransom. That is much more than the initial cost and time investment.
It is similar to the medical care some people are practicing today. Some people don’t go to the doctor out of fear, being uninsured, religion, or maybe just not having enough time. After a few years without a regular check-up, it turns out the person developed high blood pressure, had a heart attack, was rushed to the hospital, and almost died. The medical costs for this situation are too high and out of my expertise, but rumor has it that it would be expensive. Much more expensive than the 30 minute visit, $20 co-pay, and medication.
The idea is to be pro-active vs. re-active, because it is much more expensive to be reactive, and it is much more difficult to budget for multiple unknown disasters.
-
1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are:
Preventive controls:
They are controls that prevent any problems, losses and harms from happening. For example, segregation of responsibilities: if an employee authorizes a payment to Staples to order office supplies for the company, his supervisor or a related person must approve it, which reduces the possibility of doing it wrong. Other examples: secured accounts and passwords, segregation of duties, approvals, authorization, verifications, etc.
Detective controls:
They are designed to find errors or problems after they have occurred. For example, if a person does the general ledger or payment request, his supervisor may review and compare information to identify fraudulent payments. Other examples: bank reconciliations, physical inventory counts, counts of cash on hand, audits, etc.
Corrective controls:
They restore the system or process back to the state prior to a harmful event. For example, if a company’s system was down, they may consider restoring its system. Other examples: data backups, data validity tests, insurance, training and operations manuals, etc.
Preventive controls are the most important, because they prevent problems from happening, which minimizes the possibility of loss or errors. They are proactive and emphasize quality.
http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html
https://www4.vanderbilt.edu/internalaudit/internal-control-guide/different-types.php
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
1. Preventive—some of the best controls prevent fraud, theft, misstatements, or ineffective organizational functioning. For example, segregation of duties is effective at preventing fraud. Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information.
2. Detective—a security camera is a good example of a detective control. A store manager who notices a pattern of a cash drawer coming up short when attended by a particular clerk can easily look at video of the clerk’s actions throughout the day to detect potential theft. An access log and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.
3. Corrective—coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized. An organization can document its policies and procedures, enforcing them by means of warnings and employee termination when appropriate. When managers wisely back up data they can restore a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
I found the explanation and examples on this website: http://www.cfocareer.com/manage-risks-preventive-detective-corrective-controls/. I think the examples are excellent and helped me understand these three risk mitigating controls. In my own words, preventive controls act as a lock to prevent any “bad people” (fraud, loss etc.) from getting inside. Detective controls act as a camera to detect any people who break the lock. Corrective controls act as insurance. After something is stolen, the insurance will help you to minimize the loss. I think the most important one is preventive control because, for example, if we can prevent any kind of virus or malware from intruding into our computer, we don’t need detective and corrective anymore. However, when a new system is invented, people can always find the defect and intrude into it. Hopefully one day, someone will invent a program that is unbreakable.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The 3 types of risk mitigating controls are:
– Preventive controls: stop a bad event from happening…
– Detective controls: record a bad event after it has happened…
– Reactive controls (aka corrective controls): fall between preventive and detective controls, and provide a systematic way to detect bad events and correct them…
In my opinion, the most important risk mitigating controls are preventive controls because they prevent bad events from happening.
-
Ian, your explanations and examples explain these three types of risk mitigating controls well. I also agree with you that corrective controls can be important for the company to restore all systems and data.
However, I would like to say that, as Paul said above, “Why have a control that detects or corrects a problem when you can have a control that prevents the problem from happening in the first place?” Thanks for sharing your points!
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are:
Preventative: Controls that prevent the loss or harm from occurring.
Detective: Controls that monitor activity to identify occurrences where practices or procedures were not followed.
Corrective: Controls that reestablish the system or process back to the state prior to a harmful event.
These controls all play a vital role in safeguarding an organization’s assets. However, the most important control is preventative. This control allows preventive measures to be installed to prevent harm/threats from happening; by taking the proactive approach, management is able to combat and minimize the possibility of loss of data, money or errors.
-
1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three forms of controls:
1. Administrative – These are the policies and laws for overall governance.
2. Logical – These are the virtual controls.
3. Physical – These are the environmental controls in physical space.
To provide the degree of how to mitigate risks, controls are classified as below:
1. Preventive – Actions taken to prevent a risk or failure.
ex. Establishing policies, governance.
2. Detective – These are controls which are identified by a minor activity.
ex. Reconciliation of accesses of employees to confirm if the level of access is based on authorization.
3. Corrective – Corrective controls are actions taken to restore the system or process after an incident has occurred.
All the controls play an important role in risk management. However, preventive control is the most important one. They minimize the possibility of loss by preventing the event from occurring.
Source: http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html
-
Ans.1
The 3 types of risk mitigating controls are :
1) Preventive controls – These prevent or stop a security incident from occurring.
2) Detective control – through this type of control, a fault in the system is identified upon reviewing the system logs.
3) Corrective or Reactive control – This type of control falls between Preventive and Detective control – meaning that they automatically trigger a corrective action as soon as a fault is identified.
Of the 3 types, I believe that the most important type is the Preventive control. This is for the simple reason that it’s better to prevent an incident from occurring in the first place rather than trying to fix it.
-
There are three types of risk controls:
1) Preventive Controls
Preventive controls are designed to keep errors or irregularities from occurring in the first place. Examples: installing firewalls, segregation of employee responsibilities, etc.
2) Detective Controls
Detective controls are designed to search for errors or irregularities after they have occurred. For example, performance reviews, audits, physical inventories, etc.
To put light on performance reviews, managers can compare information about current performance to the prior periods, budgets, forecasts or any other benchmarks to identify unusual conditions that may require a follow-up.
3) Corrective Control
A corrective control restores a process or a system back to the phase prior to an unwanted event.
Examples include submitting corrective journal entries after identifying an error, completing changes to IT user access lists in case of a change in an employee role, etc.
Preventive control sounds the best of all the controls, and as an IT manager, if I have resources, I will implement all the controls. But in case of limited resources, an IT manager will have to go with a balanced approach. Implementing preventive controls can prove costly.
Source: https://www.newpaltz.edu/internalcontrols/about_preventative.html
http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html
-
There are three types of risk controls:
Preventive controls. These controls are intended to proactively mitigate the occurrence and/or impacts of risks. Examples include policies and procedures, Firewalls, IPS/IDS.
Detective controls. These controls operate after the fact to identify if a predefined event occurred. Examples such as log file reviews, or scanning current configurations for unauthorized changes and to better enable incident and problem management, are detective in nature.
Corrective controls. These controls are tasked with restoring the current state to an approved state. It may be that a hacker has compromised a system or something has impaired data integrity. Examples include restoring a system and corresponding data from a backup service.
I think the detective control is the most important control, because the detective control can know the loss after an attack, and it identifies and reports on all changes.
-
Paul,
I really enjoyed the way you answered the question regarding which control is the most important. I didn’t think about it in a hypothetical situational based manner.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
1. Preventive controls: they prevent the problem from occurring. For example, the gas station will launch a policy that does not allow anyone to smoke.
2. Detective controls: I think the security camera is a good example, but most of the time, it works after the problem has occurred. For example, the supermarket will use a surveillance camera to observe a specific area.
3. Corrective controls: When the “bad” thing has happened, there is something to make up for it. Data backups and insurance are good examples.
I think preventive control is the most important. As one phrase says, prevention is better than cure.
-
Fred, I do not agree when you say that “it costs more money to react to a problem, than to prevent the problem.” In fact, when assessing risk, organizations have 4 options:
Mitigate risk – activities with a high likelihood of occurring, but financial impact is small. The best response is to use management control systems to reduce the risk of potential loss.
Avoid risk – activities with a high likelihood of loss and large financial impact. The best response is to avoid the activity.
Transfer risk – activities with low probability of occurring, but with a large financial impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance for example.
Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.
As you can see, accepting the risk is an example where it costs less money to react to a problem.
-
The 3 types of risk mitigating controls are:
1. Preventive Control – These are controls that prevent the loss or harm from occurring.
Ex: Authorization and approval procedures;
Use of passwords to stop unauthorized access to systems/applications;
Supervision, such as assigning, reviewing/approving, guidance and trainings;
Segregation of duties on authorizing, processing, recording and reviewing;
Controls over access to resources and records.
2. Detective Control – These controls monitor activity to identify instances where practices or procedures were not followed.
Ex: Reconciliations; verifications;
reviews of operating performances; and reviews of processes and activities.
3. Corrective Control – These controls restore the system or process back to the state prior to a harmful event.
Ex: Restore data from backup.
I think preventive control is the most important and effective control among the three types of risk mitigating controls. Preventive control minimizes the possibility of loss of a company’s assets by preventing the event from happening.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The 3 types of risk mitigating controls are:
1) Preventive Control – A set of measures taken in order to reduce a risk from happening
2) Detective Control – Measures taken to determine the cause of the loss event once it has already happened.
3) Corrective Control – Measures taken to restore the loss once the loss event has already happened.
I believe that preventive control is the most important because it minimizes the chance of a loss ever occurring to the company. Although preventive controls are the most important, they can also be the most expensive. Thus, complete prevention is impossible. The other 2 controls are important in the event that preventive controls fail.
-
Preventive control is definitely the most important, but complete prevention is impossible. From your Dropbox example, Dropbox may have taken the best preventative measures but they were still a victim of a data breach. The other two measures are important when preventive controls fail.
-
While I do agree that preventive control is the most important, I think that both detective and corrective control are also very important and should not be downplayed. The key is that preventive controls only MINIMIZE risk. They do not eliminate it. Losses can still happen, and when they do, the two other controls play a huge role in preventing similar future losses from happening as well as mitigating the effect of the loss.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
There are 3 types of controls:
• Preventive – These controls prevent the loss or harm from occurring. Examples: a firewall, or the username and password which stop unauthorized access to data; color-coded IDs.
• Detective – These controls monitor, detect and record after the threat happens. For example, log files such as Syslog and Event Viewer.
• Corrective – These controls detect and correct the situation once it happens. For example, connected backup, to retrieve data from a previous restore point.
Out of the three types of control, preventive control is the best because it minimizes the possibility of loss of data or assets by preventing the event from occurring in the first place. But preventive controls are usually very costly. Corrective controls minimize the impact of loss by providing a backup, but this takes some time and can result in loss of productive time due to unavailability of the system or application, etc. Least effective is detective control, as mostly the damage is already done. But having a detective system in place helps in identifying the threats and risks involved and planning for a better system.
Controls can be preventive, detective, or reactive, and they can have administrative, technical, and physical implementations:
1. Administrative – laws, policies or standards defined by an organisation. For example, a password policy requiring a minimum length of 8 characters with letters, numbers and special characters.
2. Logical/Technical – Tools that logically control. Examples: firewalls, anti-virus software, content scanners, single sign-on.
3. Physical – These risks are related to the physical location of assets and their protection. Examples: video surveillance systems, gates and barricades, guards, locked doors and terminals, environmental controls, and remote backup facilities.
Source: IT Auditing Using Controls to Protect Information Assets.
-
I think along with detective controls there should be some preventive and corrective controls as well. Once some threat is detected and identified, a protective control has to be in place to avoid the same threat reoccurring. This could lead to loss of reputation of the company and may result in no credibility of the firm with their clients, as it can be considered negligence. Preventive and corrective controls also give the clients a reason to do business with the firm, as it implies that you are serious about their data and the protection of their assets as well.
-
Yes all the controls are important.
Yu Ming you mentioned that corrective controls are not useful. I disagree.
For example,
An employee may have worked in a company for almost 10 years and have worked on N number of projects, or have very confidential data on his laptop. What happens if his laptop crashes? All his data is lost. What can be done?
If there is a backup system available we should be able to restore to the nearest restore point, thereby restoring most of the data. Thus reducing the impact.
Now the same for an application server or router or firewall… These can have huge impacts and result in loss of business as well.
-
I agree with you all. I think that any control in an organization is really important and they support each other with no doubt. Without detective control, preventive controls won’t be as efficient because you have no clue about what to prevent from the harmful causes.
Binu,
I agree with you. However, you mentioned an organization should have an efficient system to minimize the impact. Do you agree that an efficient backup system would fall into the preventive controls category? Does an efficient preventive control bring a positive impact to corrective control?
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
Three types of risk mitigation controls are preventative, detective, and corrective. Preventative risk controls can be passwords, encryption, firewalls, access restrictions, and any other procedure or policy that reduces the probability that a risk or incident can occur. Detective controls can be log files, any type of system/network monitoring, or anything that can capture data to review after an incident to determine the root cause and use to predict/prevent future risks. Corrective controls can be backups, which will enable the system to be restored to a level before the incident. These types of controls do not prevent, or seek to determine why it happened. They simply serve to restore the damage.
Preventative controls are the most important controls. While corrective and detective controls are important, preventative controls will be used frequently and likely prove cost effective. Without proper preventative controls, many companies would suffer larger losses than if one of the other two controls were not implemented. If there is no firewall, encryption, login credentials, etc., then a company will most likely suffer a data breach/hack in addition to a myriad of other losses. Data integrity will be compromised, which will impact core business functions in addition to many other problems.
-
Preventive – These types of controls prevent the loss from occurring. Segregation of duties is an example of this type.
Detective – Monitoring activity and detecting errors or irregularities that may have occurred.
Corrective – Restore the system or process back to the state prior to a harmful event. Antivirus is an example, correcting errors that have been detected.
Preventive controls are the most important ones, since they minimize the possibility of loss by preventing the error from occurring. They are proactive controls that help to ensure departmental objectives are being met.
-
Agree with your point Magaly. Preventive Controls are designed to discourage errors from occurring. They are proactive in nature.
In some cases, detection of an irregularity that occurred is the only way to realize that the organization needs controls in that area.
I have an experience that I can share:
Objective – Visitor laptops are not allowed in dedicated clean room environments. It must be ensured that visitors do not carry laptops into the clean room.
Problem: There used to be a security guard who allowed laptops based on whether the person was an employee or a visitor. During an audit I introduced myself as an employee and the guard let me take my laptop inside.
This is a finding that was detected.
Solution: The guard did not have a list of laptops and their serial numbers that were assigned to employees. This problem was only resolved once detected.
Detective Control – Here the audit was the detective control that could point out the problem.
-
Preventive controls – these controls proactively mitigate risks by preventing from occurrence, such as password protection, identity authentication, etc.
Detective controls – these controls are designed to find errors within the organization, and include audits, reviews of performance, etc.
Corrective controls – these controls help mitigate damage once a risk has materialized, such as recovery systems.
For me, preventive controls are the chief ones, while detective controls are the most important ones. No absolutely secure environment exists; all of the organizations in the information age are exposed to risks more or less, and the most important mission for top management is to detect, and then mitigate, the potential risks to an acceptable level. Besides, the data from detective controls can feed predictive analytics tools and support preventive controls.
-
Alex,
You make great points about a company’s options for handling risk. But, in each example, I believe it would cost more to be reactive vs. proactive. However, I will say that my belief is for a majority of the time. Each situation will need to be evaluated independently, but it is safe to assume being pro-active is less expensive than being re-active.
You mention Accept risk as costing less to react, but I disagree, because you are not spending anything to be proactive. Your total preventative costs for accepting risk are $0.00, but reacting to the issue will cost at least $1.00.
-
3 types of risk mitigating controls are:
1. Preventive controls
2. Detective controls
3. Corrective controls
The most important control is the preventive controls. Preventive controls are put in place to reduce the chances of the event from happening. If the preventive controls do the job, there will never be a need to detect or correct the issue because it was prevented.
Now, realistically there is no solution that will ever eliminate IT risk. That is why we need to be able to detect the issues the preventive controls missed, correct the issues, and readjust your preventive controls if need be.
-
Question: What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are preventive, detective, and corrective.
Preventive control – this type of mitigating control prevents the harm of loss before it actually happens. For example, one person reports the monthly department administration expenses, but a second person should authorize it.
Detective control – This type of mitigating control monitors activities to identify the problems which obey the rules or procedures.
Corrective control – Corrective controls restore the system or process back to the state prior to a harmful event. For example, the company may have a backup system; if some important data is missing, the backup system can correct the mistakes.
I think the preventive control is the most important. Compared with detective and corrective control, preventive control can stop the loss before it literally occurs, and minimize the possibility of damaging the information assets of an organization. Indeed, the cost of preventive control, like the firewall of core servers, is usually expensive, but it’s the best way to protect a company’s information assets.
-
Good example of usernames and passwords. Personal identification is a very important preventive control in business and mitigates the loss from data leaks. I believe that usernames and passwords are one of the most commonly used tools in preventive control. Some organizations now even require employees to set a secondary password on their PCs, which can enhance the security level and better protect sensitive business information from being copied by attackers.
-
Alexandra,
Good example about a store manager installing security cameras. I do agree with your opinion that the preventive control is most important. However, when management makes a decision about controls, the cost should also be considered. For example, the firewall and other security devices for core servers may be costly; only using preventive control to mitigate the risks may have a negative influence on the financial statements. Indeed, preventive control can stop loss before it happens, but if management reasonably balances all three types of control, the organization may spend less money and lower the risks to an acceptable level.
-
Paul,
I agree with your opinion that which type of control is important really depends on the specific situation. Generally, the preventive control can stop loss before risks actually occur; however, the preventive control related devices are usually costly. For a major public corporation with millions of information assets, the preventive control may be the most important one. But what if it is a new start-up or a barely profitable company? In this case, the company doesn’t need a top level preventive device like a powerful firewall, or it can’t afford it. In this situation, a cheaper alternative like a backup plan (corrective control) may be a better choice.
-
Thanks for sharing. Your reasoning looks like it says that an organization can’t live without corrective controls, so those are the most important; well, organizations can’t live without preventive controls and detective controls either, so does that mean all of them are the most important? It’s not convincing.
But I do agree with you that the balance of the three will result in the most secure assets.
-
Well-put Yu Ming.
Layered controls, implemented as a combination of preventive, detective and corrective controls, decrease the probability of failure exponentially. Systems that house sensitive information or are critical to business usually have layered controls for the same reason.
-
Paul, you showed some great forethought into the question regarding the maturity of the environment we’re talking about and how detective controls could be more important than preventative controls. I honestly don’t think there is a true “correct” answer to the question, because it always depends on certain variables that we are left to assume. In this instance I would have to put preventative controls above detective controls; however, timing is everything. If the system had been put in place before any controls were put in place, what’s more important, attempting to stop future breaches or making sure that a breach hasn’t already occurred? To me it’s almost six of one, half a dozen of the other. Great perspective.
-
Jianhui,
I agree with you, Corrective controls restore the system or process back to the state prior to a harmful event. For example, a business may implement a full restoration of a system from backup tapes after evidence is found that someone has improperly altered data.
-
Fred/Brou,
Yes, there are situations where it costs more to prevent than to respond to the risk. However, yes, if your response is to just accept the risk, then it obviously doesn’t cost more. There are situations where it costs more to prevent than to respond, and vice versa…
My point is, yes, it may cost more money to respond, but if you can’t respond to an attack, it will cost way more than it would have cost to just plan and execute a response to an attack. The way I look at it is, there is always a hole. You can spend all of your resources on prevention and someone will still get by. That is the way of the cyber world. No system is impenetrable. Therefore, although prevention is very important, I believe risk response is the most important.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
How would you apply the FIPS security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
-
Q 2. How would you apply the FIPS security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
FIPS applies security categorization in 2 ways:
1. SECURITY CATEGORIZATION APPLIED TO INFORMATION TYPES:
Establishing an appropriate security category of an information type essentially requires determining the potential impact for each security objective associated with the particular information type. The generalized format for expressing the security category, SC, of an information type is:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
2. SECURITY CATEGORIZATION APPLIED TO INFORMATION SYSTEMS:
Determining the security category of an information system requires slightly more analysis and must consider the security categories of all information types resident on the information system.
The generalized format for expressing the security category, SC, of an information system is:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
Information security risk mitigations (safeguards) described in the FGDC guidelines are:
• The first is to change the geospatial data. You may find that the geospatial data contain sensitive information that needs to be safeguarded, but that after changing the data they would still be useful and could be made publicly accessible. This decision starts with your organization determining whether it has the authority to change the data. The idea of changing geospatial data includes redaction or removal of sensitive information and/or reducing the sensitivity of information by simplification, classification, aggregation, statistical summarization, or other information reduction methods.
• The second, and last, type of safeguard is to restrict access to, uses of, and/or redistribution of the data. At this step, you must decide if your organization has the authority to restrict the data. Some organizations have laws, regulations, policies, or concerns about liability that compel them to release data. Others have clear authority to restrict data.
Based on the decision taken from the two types of safeguards, the security categorization of the information type and the information system is performed. The values are inserted in the formula and the category is found.
EXAMPLE:
An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. The management within the contracting organization determines that: (i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and (ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low. The resulting security categories, SC, of these information types are expressed as:
SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
and
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
The resulting security category of the information system is expressed as:
SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
representing the high water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system.
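The high water mark rule above is mechanical enough to script. The following is an added illustration for this thread, not code from the course or from NIST; the enum, function names and the `overall_impact_level` helper (which applies the FIPS 200 convention of taking the highest of the three objectives) are my own, and the sample information types mirror the acquisition system example.

```python
"""FIPS 199 style security categorization with the high water mark rule.

Added illustration, not course or NIST code. Impact values follow FIPS 199;
names of the enum and functions are assumptions for this example.
"""
from enum import IntEnum
from typing import Dict, Iterable

class Impact(IntEnum):
    # NOT APPLICABLE is only permitted for the confidentiality of an
    # information type (public information); never for a system.
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# SC of one information type or system: objective -> Impact
SecurityCategory = Dict[str, Impact]

def categorize_information_type(confidentiality: Impact,
                                integrity: Impact,
                                availability: Impact) -> SecurityCategory:
    """SC information type = {(C, impact), (I, impact), (A, impact)}.

    Rejects NOT APPLICABLE for integrity or availability, which FIPS 199
    allows only for confidentiality.
    """
    if integrity == Impact.NOT_APPLICABLE or availability == Impact.NOT_APPLICABLE:
        raise ValueError("NOT APPLICABLE is only permitted for confidentiality")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}

def categorize_information_system(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """High water mark: per objective, the maximum impact across every
    information type resident on the system. Because a system can never be
    NOT APPLICABLE, each objective is floored at LOW.
    """
    types = list(info_types)
    if not types:
        raise ValueError("an information system must hold at least one information type")
    return {obj: max(Impact.LOW, max(t[obj] for t in types)) for obj in OBJECTIVES}

def overall_impact_level(sc: SecurityCategory) -> Impact:
    """Single impact level for the system: the highest of the three
    objectives (the FIPS 200 convention for choosing a control baseline,
    an assumption not stated in the thread above)."""
    return max(sc[obj] for obj in OBJECTIVES)

def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render an SC in the notation used in the thread, e.g.
    SC acquisition system = {(confidentiality, MODERATE), ...}"""
    pairs = ", ".join(f"({obj}, {sc[obj].name.replace('_', ' ')})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"

if __name__ == "__main__":
    # Constructed sample mirroring the acquisition system example above.
    contract = categorize_information_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW)
    admin = categorize_information_type(Impact.LOW, Impact.LOW, Impact.LOW)
    print(format_sc("contract information", contract))
    print(format_sc("administrative information", admin))
    system = categorize_information_system([contract, admin])
    print(format_sc("acquisition system", system))
    print("overall impact level:", overall_impact_level(system).name)
```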
-
Great explanation and example Deepali!
Choosing the suitable security controls for an organization’s information systems can have tremendous repercussions on the operations and assets of an organization as well as the wellbeing of persons and the Nation as a whole.
-
Deepali, you provided clear explanations and examples on the security categorization.
I just want to add the potential impact definitions for each security objective—confidentiality, integrity, and availability—and I believe it helps us learn the FIPS security categorizations in detail.
Security Objectives:
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Availability
Ensuring timely and reliable access to and use of information.
===============================================================
Potential impact:
Low
The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate
The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High
The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
-
Another example of how the FIPS security categorizations can be used to decide if each of the information security risk mitigations described in the FGDC guidelines is needed is the redaction of classified documents before they are released to the public. There is no doubt that covert operations are taking place without public knowledge. An example is the hunt for Osama Bin Laden.
In this example the Security categorization would be something like this:
SC information Type = {(Confidentiality, HIGH), (Integrity, High), (Availability, Low)}
Based on this SC, information leakage of Bin Laden’s location could have caused severe degradation to Seal Team 6’s mission, probably making the mission a failure. If the integrity of the information provided by an intelligence group to Seal Team 6 was improperly modified it could have caused mission failure or loss of life to the operators. The availability of that information has limited effect to the USG; after all, it did take them ten years to find Bin Laden.
SC Information System = {(Confidentiality, HIGH), (Integrity, HIGH), (Availability, High)}
For information systems, I’m specifically talking about the communication systems that Seal Team 6 had when executing the mission. If CIA security objectives were not met, then the loss of life would be imminent. If the enemy were able to hijack communication signals between the members of Seal Team 6, modify the communication between headquarters and the team, or scramble the communication of the team, then the mission could have met a severe or catastrophic ending.
The FGDC guidelines were used to redact or modify mission records to protect the names of Seal Team 6. The released records did not contain pertinent mission information, like how the location of Bin Laden was obtained, preserving the methods of intelligence gathering by the USG.
-
I would create the table to match table 8.2 in the Information Security Handbook: A Guide for Managers publication. After reviewing the security risks for the company, I would categorize each risk as a low, moderate, or high impact. I would review the FGDC guidelines to determine if the risk levels require specific safeguard procedures.
If I’m understanding this, the FGDC has guidelines for collecting, processing, archiving, integrating, and sharing geographical data. A risk may be improperly labeling latitude and longitude, putting the users at risk with high impact.
-
Deepali,
You explained it very detailed and very well, thank you, I liked the example and the way you categorized the information.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
How you would apply the FIPS security categorizations to decide if each of the information […] -
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
Which two information security objectives could be put at risk if the alternative mitigations (i.e. “safeguards”) recommended by the FGDC guidelines are applied? Explain how each could be put at risk.
-
The FGDC guidelines recommend the following safeguards in order to address the security concerns before disseminating the geospatial data to the public.
1) Change the data
2) Restrict the data
Both safeguards pose a risk to the two important security objectives of INTEGRITY and AVAILABILITY.
When the data has been changed to mitigate the security concerns it is actually an act of improperly modifying the data which stands against the integrity principle of security objective.
When there is restriction on access of particular data in order to protect the particular information it is against the objective of availability of data.
-
Great point.
The altering of data inadequately changes the data which contradicts the whole principle of Integrity. Additionally, the constraints on the public’s access to data, undermines the principle of Availability as well.
-
Integrity and availability are the two information security objectives that could be put at risk if safeguards are applied.
In fact, Integrity refers to guarding against improper information modification or destruction, whereas the safeguard offers the option to “change the data, to remove or modify the sensitive information and then make the changed data available”. Although organizations need to have the authority to make those changes, safeguarding the data may result in a lack of integrity.
Similarly, availability refers to reliable access to and use of the information with no disruption. However, safeguards establish restrictions on access to, use of, or redistribution of the data.
-
Just restating what everybody has already said:
The FGDC guidelines for safeguarding Geospatial data are:
1. Change the data – changing the data to remove sensitive information and then make the changed data available without further safeguards.
2. Restrict the data by adding additional access controls or Defense-in-depth to protect the data from access, use, and redistribution.
I agree with what everybody else said about how these two safeguards would adversely affect the Integrity and Availability security objectives. Changing the data would definitely affect the authenticity of the data disseminated to the public, but Integrity is about the “improper” modification or destruction of data. If the guidelines are appropriately followed through the decision tree, the originator of the data may modify the data in the interest of national security or public safety.
For instance, we know that America has fighter carriers and battleships deployed all over the world. We know that they’re in the Asia-Pacific, Atlantic Ocean, Mediterranean, etc, but we do not have access to exact GPS location data. Based on that, the US Government is in fact using both safeguards guidelines to protect the Navy’s fleet from unwarranted or targeted attacks. Their exact locations are available but are highly restricted to only those with required clearance.
Although those guidelines would hinder the Integrity and Availability security objectives, it’s only towards the public. If proper controls are in place for the data to be used by “privileged” personnel, then I believe that Availability and Integrity of that information will not be affected and probably meet the security objectives with flying colors.
-
The two information security objectives that could be put at risk are:
1. Integrity – You will lose the ability to see previously labeled items. I am not sure if this is a good example but Pluto was mapped as a planet, if the FGDC said it wasn’t there, it must be changed or restricted.
2. Availability – You won’t have access to the data on Pluto anymore because, as far as anyone is concerned, it never existed.
-
The government recognizes that other organizations may benefit from geospatial data it has collected. An issue arises when some of that data is considered sensitive, so guidelines were put in place before being allowed to publish the data. These change the way the data appears to users. The two information security objectives that could be at risk with the FGDC guidelines are confidentiality and integrity.
The first FGDC guideline is change the data. In this, they modify the data set so that sensitive information would be unrecognizable to the end user. This jeopardizes the integrity of the data. For safety, geographic points would be moved and the data set may end up not being usable by researchers. Ultimately, data is destroyed that may have been vital to the integrity of the data.
The second FGDC guideline is restrict the data. For this, they set up strong blocks that prevent access to the data relative to the risk that the data holds. The confidentiality of the data is now at risk. The safeguards would have to vet those trying to access the most sensitive data very closely. This may lead to an unauthorized disclosure to the public.
-
Noah,
The question asking for two made it difficult for me to pick. I thought of Confidentiality in the same way because it would put the information at risk of being leaked.
I decided to go with integrity because they are restricting the truth and availability because it isn’t accessible, but confidentiality is also put at risk because now you restrict the information and there is a risk it may be leaked.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
-
“Can your device survive a USB power surge attack? 95% of all devices with USB ports can’t” usbkill.com.
The Hong Kong based company developed USB Kill 2.0 for the companies to test their systems against devastating USB power surge attacks that are capable of killing its host almost instantly. There are strict data security policies followed by companies to lock down ports to prevent data leak or infiltration, but such ports are unprotected against an electrical attack like this.
How does it work: When plugged in, the USB Kill 2.0 quickly charges its capacitors using the USB supply and then discharges.
“The USB stick discharges 200 volts DC power over the data lines of the host machine and this charge-and-discharge cycle is repeated several numbers of times in just one second, until the USB Kill stick is removed.”
Here is the video demonstration of how it works: https://www.youtube.com/watch?v=3hbuhFwFsDU
This can be useful for whistleblowers, activists and cybercriminals who don’t want their data to fall into the hands of law enforcement.
This looks like a mechanical attack, and it will be interesting to see how security professionals are going to mitigate such a risk.
Source: http://www.zdnet.com/article/now-you-can-buy-a-usb-stick-that-destroys-laptops/
-
The article I read is about how President Barack Obama is set to sign the most substantial piece of cyber security legislation in years. You have heard the “information sharing” topic in the news often. This bill will solve the info sharing issue and is designed to give companies legal cover to share data about cyber attacks with each other and with the government. The legislation would protect those companies from being sued for sharing that information, for example from antitrust claims. The idea of the bill is that cyber attackers use the same techniques and tactics repeatedly on a wide range of targets. Therefore, allowing those organizations to communicate what they see and how they block it with each other, then, would give companies defending their computer networks an upper hand against hacks.
http://www.cnn.com/2015/12/18/politics/cybersecurity-house-senate-omnibus/index.html
-
IDENTITY THEFT
Regulators Slam Wells Fargo for Identity Theft
For years, Wells Fargo employees subscribed the bank’s customers to products they didn’t request, and this has now triggered $185 million in fines.
The bank allowed its employees to access customers’ personal information to subscribe them to products such as credit cards that generated revenue for the bank as well as commissions for salespeople. Reports say that around 2 million bank deposit and credit card accounts were opened without customers’ knowledge.
This represents one of the LARGEST INCIDENT OF ORGANIZED IDENTITY THEFT ever recorded.
PRODUCT PUSHING
The bank boasted that its customers held an average of six different Wells Fargo products but as a part of its “Gr-eight” initiative, pushed for salespeople to increase the average to eight which was unattainable.
To achieve the goal, the employees used tactics such as “PINNING”, which involved bank employees enrolling customers without their knowledge into online banking and bill paying products. Employees generated ATM cards for dummy accounts and assigned PIN numbers, usually “0000”, to the cards, for which they received compensation.
To do this, employees filled in fake email IDs such as 1234@wellsfargo.com, which ensured that the customers were unaware of being signed up for a new product.
For some cases employees also used “simulated funding” where they withdrew money from the authorized accounts to pad unauthorized fee generating deposit accounts that customer did not know existed.
Wells Fargo must now retain an independent consultant to review its sales practices, review training procedures and create a compliance plan.
SOURCE: http://www.databreachtoday.com/regulators-slam-wells-fargo-for-identity-theft-a-9388
-
This article explains the growing threat of ransomware, as well as the “5 Things Partners Need to Know about Ransomware”. The 5 things being: How Big Is The Problem?, Who Are The Targets?, How To Know If You’ve Been Hit, What To Do In The Event Of A Hit and Partners Can Prepare Their Clients.
Lately, many companies have fallen victim to this ever increasing threat. Ransomware is explained as a type of malware that when successfully used, it renders the accessibility to the company’s important data, in exchange for a ransom amount. Recently, this strategic tool has become a very profitable industry for hackers. According to the 2016 Verizon Data Breach Investigations Report, “ransomware represented the biggest jump in crimeware, with 148 reported incidents in 2015 out of a total 348 incidents”.
Stephen Cobb, a senior security researcher at San Diego-based Internet security vendor ESET, stated, “Ransomware doesn’t discriminate when it comes to business targets”. The first indication of a ransomware attack is the inability to access data or receiving a request from hackers. Unfortunately, it’s a little too late; by then the malware has already begun. Conversely, Cobb stated, the first step should be contacting the IT department to alert them. Secondly, he recommends that “users unplug their machines and disconnect them from the network to prevent the message from spreading to other devices”. Lastly, “there are steps that partners can take to protect their clients from the impacts of a ransomware attack”, Cobb states. His multi-level approach begins with user education about ransomware and protection. He then reveals that “keeping systems up to date with patching, limits vulnerabilities that the ransomware can exploit”. To conclude, Cobb says it is crucial to make sure resilient backup and recovery systems are in place, as well as a reaction plan to combat those technologies in the event of an incident.
Source: http://www.itbestofbreed.com/slide-shows/5-things-partners-need-know-about-ransomware
-
Kaspersky Lab Presents the First Cybersecurity Index
Read more at:
http://economictimes.indiatimes.com/articleshow/54170898.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
http://www.securitymagazine.com/articles/87428-kaspersky-lab-presents-first-cybersecurity-index
Kaspersky is launching its first Cybersecurity Index, which is the first global index to measure the current cyber threat levels faced by internet users. It has three key indicators:
1. The concerned indicator: which shows the ratio of people who know that they are exposed to cyber threats
2. The affected indicator: which shows the no. of people affected during the effected timeframe.
3. The protected indicator: which shows the no. of people who have installed security solutions on devices, both phones and computers.
According to the first survey, taken in August 2016 among 21 countries across the globe, the cybersecurity index shows as 21-29-60, meaning 21% are aware of the threat, 29% are the victims and 60% have security solutions installed.
The index was created to draw the attention of users/media to the issue of cybercrime and importance of cybersecurity
-
Yelp Launches Public Bug Bounty
Yelp is well known as a search engine for local business, restaurant and hospitality reviews and tips. Starting today, the door will open to researchers and bug-hunters who are invited to participate in Yelp’s public bug bounty. The company has, for two years, participated in a private bounty program with HackerOne. On September 6, 2016, the program goes public, and it’s fairly expansive with a number of areas of its infrastructure in scope, including its desktop site, mobile application and public API. Yelp said the payouts will go as high as $15,000, with a minimum bounty of $100. Bounty participants are urged to seek out mobile-specific vulnerabilities on both iOS and Android app platforms. Bug bounty programs are a sign that everything under them is mature and in shape; you can’t launch unless you have architectural reviews, an SDLC and other critical processes in place. Organizations think they have it, but don’t really know until they try it out, said HackerOne CTO Alex Rice.
Many organizations have started to invite people to attack their systems and find the vulnerabilities in order to protect their systems, which is a very smart decision. In the past, most hackers were individuals instead of an official group or business. They had skills but they didn’t know where to show them. So they attacked lots of systems just for fun or for showing off, but those companies which were attacked could go bankrupt. Today is different; organizations encourage and invite individuals to come and help them find defects in their systems.
Links: https://threatpost.com/yelp-launches-public-bug-bounty/120369/
-
Researchers have said that the US 911 emergency phone system is vulnerable to DDoS attacks. They have found a way to disable the service across an entire state for an extended period.
The researchers claim that they have found a way to disable the emergency system across an entire state by using a TDoS attack (Telephony Denial of Service). The emergency infrastructure in 911 depends on routing the calls to public safety answering points. Hackers can cause mobile phones to call 911 and clog the line and prevent legitimate users from doing so.
This is basically because of the Federal Communications Commission (FCC) regulation which states that all calls have to be forwarded to a PSAP. This is an excellent example that IT systems and their regulations have to be updated on a regular basis, and the threats have to be identified soon and necessary action has to be taken at the appropriate time.
-
This is interesting. I never knew that sharing information about cyber attacks was sue-able. This is definitely a step in the right direction towards combating the same enemy. But it also makes me wonder, what if the cyber attack came from a competitor?
-
Binu,
Very interesting article. It didn’t really ever strike me that even 911 service is exposed to an attack like TDoS. It surely poses a big threat to the critical infrastructure of the country (if I may). And, I strongly agree: with time and evolution taking place in technology and the environment, systems should be updated as well.
-
“A new hacker money-making strategy: Betting against insecure companies on Wall Street”
The article discusses a cyber security research firm named MedSec that found a flaw in a medical device from St. Jude Medical and then partnered with a financial firm to release the results publicly. MedSec received a portion of the profits from short selling St. Jude’s stock instead of disclosing the vulnerabilities to St. Jude. The vulnerabilities concern a heart implant and could allow an unauthorized user to speed up the pace to dangerous levels, or quickly drain the batteries. Typically research firms share their findings with the companies to fix the vulnerabilities before they are released publicly, preventing hackers from exploiting them. MedSec contends that the revenue will help support the time intensive research required to discover flaws. Critics worry that publicly disclosing vulnerabilities before they are fixed will allow hackers to exploit them before they are fixed.
-
The article I read this week is called “Google to Shame Unencrypted Websites,” written by Tara Seals from Infosecurity magazine. The article says that Google Chrome, a web browser, will start “shaming” unencrypted websites beginning in January. It will mark HTTP login pages as “not secure” in a window next to the address bar, using a red triangle indicator.
Chrome indicates that when someone loads a website over HTTP, other people on the network can look at or modify the site before it gets to you.
So what do people do for now?
A substantial portion of web traffic has transitioned to HTTPS, and more than half of Chrome desktop page loads are now served over HTTPS.
However, many organizations and companies still blindly trust all encrypted traffic. So I hope more and more users pay attention to those sites and reduce cyber-attacks.
In addition, HTTP stands for Hypertext Transfer Protocol, and HTTPS stands for Hypertext Transfer Protocol Secure. Instead of acting as its own application layer protocol, it uses separate protocols called SSL (Secure Sockets Layer) and TLS (Transport Layer Security).
http://www.infosecurity-magazine.com/news/google-to-shame-unencrypted/
-
DARPA Cyber Grand Challenge (CGC)
Back in 2013, the Defense Advanced Research Projects Agency (DARPA) hosted a worldwide competition to develop the world’s first autonomous bug-hunting machine with a $2 million first place prize. Three years later, on Aug 6, 2016, seven finalists presented their prototypes to DARPA; all seven teams received awards, and DARPA is on its way to preventing Zero Day attacks.
The final competition resulted in the machines being able to author 421 replacement binaries that were more secure than the original and 650 unique proofs of vulnerability. According to DARPA CGC Program Manager Mike Walker, the machines were able to detect Zero day attacks and respond to the attack immediately.
The CGC winner was challenged to a “capture-the-flag,” where the team is given a network full of weaknesses, with some of the best competitors at DEFCON 24. The team must simultaneously patch their network to defend from attacks while also developing breaches for the opposing team’s network. Unfortunately, the CGC winner took last place in the competition. Although Mayhem, the CGC winner machine, has not reached its maturity, it has opened a new door for predictive cyber defense.
You can read more here: http://www.defense.gov/News/Article/Article/906931/three-teams-earn-prizes-in-darpa-cyber-grand-challenge
-
REPORT OUT ABOUT THE WORST CYBER ATTACK ON A FEDERAL AGENCY
A breach that occurred first in 2014 and which was detected only in April 2015 at the Office of Personnel Management, a Federal Agency, points to poor security control processes followed in the agency. This was the worst cyber attack on a federal agency in recent history. As many as 22 million federal employees’ private records were said to have been exposed.
Investigation into the breach found that the agency management was lax about following safety measures w.r.t cybersecurity and that there were a number of known vulnerabilities that were left unfixed way before the breach occurred in 2014. Even when the initial breach was identified, the agency focused only on containing the attack and not fixing the vulnerabilities. While the agency focused on containing the initial breach, another group of hackers stole millions of highly personal background check records.
Source : https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/
-
The US Gets Its First Cyber Security Chief
Last Thursday, the White House named a retired brigadier general as the government’s first federal cyber security chief. In fact, General Gregory Touhill will be the first Chief Information Security Officer (CISO) of the United States of America. His job will be to protect government networks and critical infrastructure from cyber threats. President Obama announced the new position in February and proposed a budget of $19 billion to the Congress for cyber security across the US.
With the multitude of breaches against the government and the private sector this past year, the Obama administration has decided to make cyber security a top priority. Most recently, US intelligence officials have suspected Russia of the state election system breaches. They think Russia was trying to interfere with the US presidential election.
General Touhill is currently a deputy assistant secretary for cyber security and communications at the Department of Homeland Security, and will begin his new role later this month.
Source: http://www.thefiscaltimes.com/2016/09/08/US-Gets-Its-First-Cyber-Security-Chief
-
EU Enacts New Law To Improve Critical Infrastructure Cyber Security
According to the article found on Security Magazine’s website, the European Union has enacted a new law named the EU Network and Information Security (NIS) directive. This law is one of the first of its kind for the EU and aims to improve cyber security around critical infrastructure. The NIS directive requires each country to identify key infrastructure which can include services such as energy, transportation, banking, health, drinking water supply, and even cloud services. These services will need to comply with this new IT infrastructure framework which will be required by all member nations. The goal of this initiative is to create a baseline cyber security standard across the EU and use this as a way to collaborate among the different countries. On top of this, each country will have to establish a “Computer Security Incident Response Teams to handle incidents and risks, discuss cross-border security issues and identify coordinated responses”.
It seems that as cyber security issues continue to arise, governments around the world are looking to step up their cyber security practices to mitigate these cyber risks. One can look at Said’s post which states that the United States has just hired its first CISO and proposed a budget of $19 billion to Congress for cyber security across the United States. Since the EU is extremely connected, much like the states within the United States, this directive not only allows for collaboration, but now each nation is responsible for addressing the cyber risks that can affect them all. With both the EU and United States taking measures to make sure that they protect their key infrastructure from any cyber threats, hopefully this could result in fewer cyber-attacks.
-
Security from the Ground Up: The Need for Data Classification
The article I found is about data classification and its importance within an organization. This article emphasizes the fact that when talking about data breaches we too often think about external threats and focus on firewalls, encryption and network monitoring as the best tools to secure data. However, the biggest data threats are the threats from within, caused by employees who constantly use data sharing tools such as email or social media without even knowing the negative consequences. Most of the time, employees do not know the value of the data they are sharing. It is important to familiarize them with correct policy procedures and properly train and inform them. The idea is not to install technologies to protect data and expect employees to use them. We all know that too much security can be tedious and employees can definitely get around it unless they know the value of the data they are sharing. From this angle, the article mentions data classification as a good security tool. Indeed, “When data is classified, organizations can raise security awareness, prevent data loss and comply with records management regulations. By classifying data, employees will be aware of the information they are handling and thus adopt a more careful behavior.”
In sum, the idea of data classification is to keep security top of mind for employees as they classify every piece of data they handle.
http://www.infosecurity-magazine.com/opinions/security-ground-data-classification/
-
12th Sept 2016
Patch management, yet again proved to be most important preventive control!
Dawid Golunski, a researcher, has found many vulnerabilities in existing MySQL versions. One of the most critical vulnerabilities is a zero-day vulnerability, the kind of attack the IT industry dreads. The vulnerability is tracked as CVE-2016-6662, and can be exploited to run arbitrary code with root privileges.
How is the vulnerability exploited?
A web interface like phpAdmin can be used along with SQL injection to authenticate to the MySQL server without a direct connection.
How many systems are affected?
The MySQL versions 5.5, 5.6 and 5.7 are all exploitable. Linux security models are not enough to protect from this attack.
Is this true?
Dawid Golunski has submitted proof of concept code to Oracle.
Does it affect you?
The patches released by PerconaDB and MariaDB developers were made available in public repositories, potentially allowing malicious actors to start exploiting the weakness.
What is the solution?
Oracle must dispatch patches to close this vulnerability.
Source: http://www.securityweek.com/critical-mysql-zero-day-exposes-servers-attacks
-
“The Ransomware Dilemma: Is Paying Up a Good Idea?”
With the booming development of the smartphone industry, personal smartphones are becoming a new way for attackers to earn money through ransomware. Unlike PC users, smartphone users usually underestimate the importance of protecting themselves from ransomware; some of them don’t even know what ransomware is. If someone downloads ransomware to his phone, the operating system of the smartphone will be locked, and only the attackers know the code or password to unlock the phone. If the smartphone user wants to recover his phone, in most cases he has to pay the attackers. What people should really do is apply preventive controls to the risk: don’t click on phishing websites or download ransomware.
Source: http://www.securitymagazine.com/articles/87431-the-ransomware-dilemma-is-paying-up-a-good-idea
-
Rightly pointed out, Alexandra. Employees can unknowingly do certain things which can be a big challenge, especially while transferring data.
I think a solution like Data Loss Prevention software can be used and will prove beneficial in highlighting if any sensitive data is being sent outside the organization.
-
That is huge. Exploiting vulnerabilities at the cost of someone’s life is the biggest threat that humans can experience. After reading your article I did some research myself and I am shocked that attacks on medical devices have been the number one threat in 2016!
Hackers are exploiting vulnerabilities to deploy ransomware. Let alone devices like pacemakers and insulin pumps, think about attacks on surgical robots! All of this puts human life at stake.
Earlier this year, the FDA issued a letter warning hospitals and patients that a pump commonly used to ration out proper dosing of medicine in IVs could be vulnerable to attack.
source – http://www.popsci.com/hackers-could-soon-hold-your-life-ransom-by-hijacking-your-medical-devices
-
Indeed, identity theft is a serious problem. The article mentioned the bank allowed employees to access customers’ personal information, which is a potential risk that could cause a data leak. Actually, my best friend lost over 6K USD a couple of months ago because someone stole his personal information and used his credit card to make purchases on different websites. Therefore, I think this article has a good point.
-
“Companies more concerned with private data than with hackers”
As information security has become a priority, businesses are more concerned about the loss of private data (47%) than about disruption by hackers (26%). Employee misuse of new technology (7%) has become a new and growing threat.
Nowadays employers focus more on employees’ data security education, but 20% of employers still have no awareness of the need to educate their employees on data security.
-
2.5 Million Possibly Impacted by New Malware in Google Play
Two malware families managed to slip through Google Bouncer and were made available via Google Play. The two malware families were disguised as apps as well as embedded in many top rated apps in the store. The first malware, called CallJam, was designed to make fraudulent phone calls through the allure of free in-game currency. The second malware, called DressCode, creates a botnet of infected devices, most probably to generate ad clicks and false traffic.
http://www.securityweek.com/25-million-possibly-impacted-new-malware-google-play
-
“Millions of iOS Users Install Adware From Third-Party App Store”
The article I’m interested in is about adware on iOS. Even though Apple has a rigorous verification process in place to ensure that malicious applications are not published on its official app store, millions of iOS users still can’t stay free of malicious apps which not only display ads, but also consume victims’ mobile data traffic and expose their personal information.
The loophole is: Apple allows organizations to create and distribute in-house apps that are signed using an enterprise certificate. So once the enterprise certificate is misused and developers release malicious apps on a third-party app store, that adware can easily escape from control. For example, on the Vietnam-based HiStore, experts discovered an adware-laden Pokemon GO app that had been downloaded more than 10 million times.
In order to cope with this situation, the company is quick to revoke misused certificates; however, the adware developers can also quickly replace the revoked certificates – experts found more than five certificates being used in a 15-day period.
From the view of preventive controls, Apple could evaluate and reassess their policies where loopholes exist to prevent re-occurrence. From the view of customers, well, don’t download apps from third-party stores.
Source: http://www.securityweek.com/millions-ios-users-install-adware-third-party-app-store
-
Creating a Culture of Data Safety Through Classification
This article explains the importance of data classification in implementing security solutions. As we all know, the weakest link in the security chain is employees, and this article emphasizes the importance of creating a security-focused work culture. Data classification is one solution that helps organizations to enforce security policies, educate and remind users about data security, and empower employees to take responsibility for data security.
Data classification can help everyone in an organization, not just the IT team, take part in the security of their data and of their reputation.
-
Ming,
Nicely pointed to preventive controls! Trying not to download malicious apps from third-party stores is a way that can help mitigate the risk.
-
That’s a great point. I would argue that there are cyber cases where competitors would absolutely attack a competitor for information. Also, in some cases, the competitor happens to be an international entity. I have read about other foreign governments attempting to steal the latest designs of US government equipment and assets. Great point and definitely something interesting to think about, both domestic competitors in the US and international competitors around the world.
-
Uber reportedly invested $500 million to build a better mapping system
The article I read is about Uber’s reported plan to invest $500 million to build a better mapping system. In addition, Uber hired Microsoft engineers to support its map work. I was glad to hear about this news because I take Uber very often, especially since Uber launched the Uber Pool service. So I am actually very excited to test out this new Uber experience.
The goal of this investment is to improve core elements of the Uber experience. The street imagery captured by the mapping cars will give a better idea of ideal pick-up and drop-off points and the best routes for riders and drivers.
Nevertheless, Uber also benefits from mapping by collecting data from drivers driving to different locations globally. Combined with the data Uber will gather with its expanded mapping system, I believe it’s a win-win strategy for Uber and it is definitely worth the investment.
Source:
Uber reportedly invested $500 million to build a better mapping system
-
Are the actions that MedSec and the financial firm partnership took legal? I would assume not. Definitely a scary thought. I would be curious to know the amount of cyber attacks that are taken for financial gain. I would also assume that it would be a large number of the total attacks per year. I think with the ability to release things to the public anonymously, this is tough to track and correct. I see issues/stories like this increasing the need for cyber strategies and investments.
-
I’ve read that it is more difficult for developers to release apps on iOS than Google Play which can be both frustrating but also beneficial from a security perspective. Google approves apps much faster than Apple, but they are more prone to security risks.
Security is one of the main reasons why I have kept my iPhone. Not that there aren’t any issues with iPhones, but it does generally have better security than Android devices. Most Android phones do not have the latest OS because every manufacturer and carrier must release it themselves, as opposed to Apple, which can release updates at will. I’ve always worried about a security flaw being discovered and having to wait a year to receive an update to fix it.
-
Last week on Bloomberg radio 1130AM, John McAfee, the creator of McAfee security products, went on the air to talk about new innovation in the security arena. He is the CEO of MGT Capital Investments, an investment firm working on numerous futuristic technological products. One exciting claim he made was how he believes his product will eliminate the ‘cloud’. But this isn’t what I am posting about. I am posting about another product in the company portfolio. It is a pro-active security application.
He explained that malware can only be detected after it has been installed on a device, and may take months to detect, or you may not detect it at all and find out on the news that your company information has been breached. His new product will pro-actively monitor areas of the system used by hackers. He has hired some of the world’s best hackers to create a strategy to target the people they once identified as.
You can see the entire interview on Bloomberg radio, but wanted to share a quick 2 minute video about his take on U.S. Cyber security, and how he talks about a 15 year old child hacking into the FBI database.
http://www.bloomberg.com/news/videos/2016-09-07/john-mcafee-u-s-is-not-no-1-in-cybersecurity
-
The article is “Say Goodbye to Passwords, and Hello to Security Keys”
http://www.infosecurity-magazine.com/news/say-goodbye-passwords-hello/
If somebody’s personal device can recognize its user, and authenticate them securely to a remote resource, passwords can become a thing of the past. These were the words of Google’s Christiaan Brand speaking at the Gartner Security & Risk Management Summit in London this week. Security keys were specifically designed to address the issues with one-time password-based two-step verification.
For Brand, this comes down to three main hurdles that are yet to be fully addressed across the industry:
Does it work for mobile? How do we deploy at scale? What if the key is lost?
-
I referred to this last week in the News section…
Very scary situation. The government has recently contacted the people affected and provided them a risk response to identity theft. It takes some effort and costs money for the individual! I am sure it costs money on both ends (meaning those affected and the US government).
I find this very interesting and I think this is proof that EVERYONE (from small to large businesses, individuals, etc.) needs to invest in their cyber infrastructure and strategy.
-
The article talks about how the important nature of data is driving laws and regulations, and security controls. The business enterprise spectrum is now faced with the challenge of how to classify data.
To implement an effective data management program:
- Improving enterprise awareness around the importance of data classification
- Abandoning outdated or realistic classification schemes in order to adopt less complex ones
- Clarifying organizational roles and responsibilities while simultaneously removing those that have been tailored to individuals
- Focus on identifying and classifying data, not data sets.
- Adopt and implement a dynamic classification model.
A company must either build these competencies in-house or work with a trusted third party to move through these steps in terms of the awareness of data classification.
Source:
Is Data Classification a Bridge Too Far?
http://news.sys-con.com/node/3896295
-
For the legality, it is possible to argue that this is not insider information. It is close to a “short and distort” but that has the intent that the rumor they spread is false while in this case the flaw is true. We are also not dealing with pure financial information as the information doesn’t guarantee a rise or fall in the stock, although it often would send it down. What if someone wanted to short Apple after hearing they removed headphone jacks from their signature item? It doesn’t seem like the SEC has done anything to Muddy Waters (the financial firm) yet but they are within their rights to try the case even if it fails.
-
I wish the article went more into the guts of these systems. The tone is almost of a battlebots competition more than of a game of chess. It is hard to tell if they are coding brand new services from scratch or if they already know what a secure framework is supposed to look like in general then working from there to make new code. I’m sure the competition is not a good spectator sport as it would look mostly like The Matrix code flying across screens as they’re written in the short timespan of the rounds.
I do like that technology is increasing its role in assisting experts. Bug hunting is tedious work; large companies often place bounties on their bugs instead of troubling their own developers hoping the wisdom of the masses would figure them out. Maybe coding software will have these as their back-end one day nudging you to more secure coding.
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
Excellent work discussing the questions, augmenting each other’s assessments, assertions and recommendations in your blog posts! Also, nice job getting started with your research and finding articles for the […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Summary
It was great to meet you in class. Thank you for our classroom discussion and your excellent questions, comments, and pointing out issues and inconsistencies between the Blog and Syllabus […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
-
http://www.securityweek.com/kelihos-botnet-triples-size-overnight
This article is about how a low profile botnet distributor, Kelihos, managed to infect over 34,000 computers by sending spam. Kelihos’ botnet was only affecting users in low numbers, but recently it started to drastically increase and affect people by the thousands. It used something called Ransomware, a type of malware that infects email unless users pay a ransom to get back access. Since it has no targeted geography, it seems almost anyone can get affected. This is a major security issue because any email that doesn’t look threatening may pose a threat because it looks like a real company sent it. For example, if a user receives an email from UPS and opens it, it could be fake if the user hasn’t ordered anything to be delivered. It is something we should look out for more carefully since some email accounts do not filter spam properly.
-
Kimpton Hotels was subject to a credit card breach at over 60 of their restaurants and hotels from February to July 2016. A high risk in the hospitality industry is the loss of customers’ data. In the past, other breaches of hospitality companies have come from malware on the point-of-sale system. The malware for this breach, however, was installed on the servers that process the payment card information. They currently do not know what the source of the malware was. The most troubling thing about the breach is how long it took to identify. Because the hospitality industry is such a hot target for criminals looking to steal customer data and payment card information, companies must do everything they can to prevent and detect cyber breaches. Kimpton Hotels’ cyber security program failed its customers, as they did not have vigorous enough protocols in place to prevent or detect this breach for 6 months.
-
That is huge damage! As posted by Mandiant in 2015, on average hackers spend 146 days in a system before the attack is noticed. This is a positive sign considering the average time of 205 days in 2014.
In the news you posted, the attackers probably used the data to exploit users. Mandiant has claimed that since 2014 the number of disruptive attacks, where hackers delete all critical business data, has increased.
-
The accident is supposed to have happened in May 2016 which was published around August 1st 2016.
-
Hacker Claims to have access to 200m Yahoo user records! Yahoo says they are investigating!
A hacker named Peace has claimed that he has access to 200m credentials of Yahoo users. The hacker confirmed to Motherboard that he was selling these accounts privately and now they are on the dark web for sale. The cost of each credential is around 3 bitcoins, that is $1860.
This dataset is from the year 2012 as per the investigations from Motherboard.
The verification:
Motherboard had around 5000 records that were tested. Most of the accounts (around 100) returned values that said that the account does not exist. This proves that the data is not current or accounts have been disabled. There is a possibility that the users must have changed passwords and hence the result.
What Yahoo says:
Yahoo has neither accepted nor denied the claim. They say they are investigating the matter to confirm.
What users must do:
Generally when accounts are compromised, providers ask users to reset the account passwords. Users must reset the credentials to be on the safer side.
Source: https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web
-
A Canada-based PoS (Point of Sale) vendor, Lightspeed, suffered a hacker attack on its central database which contained customer information. Lightspeed has more than 38,000 customers across 100 countries, processing transactions to the tune of $12 billion annually. As per Eduard Kovacs at Securityweek.com, Lightspeed stated that there was no evidence of information being taken or misused. Despite the central database containing sales, products, and customer information such as encrypted passwords and electronic keys, the attackers wouldn’t have been able to get the credit card numbers or other sensitive data due to the encryption technology in place. The card data is encrypted at the PoS and Lightspeed does not store the encryption keys, thereby preventing access to credit card info.
This could serve as an example of how having multiple types of control in place is beneficial in case of failure/breach of one control.
Original article at: http://www.securityweek.com/pos-vendor-lightspeed-suffers-data-breach
-
I read the article: “Why Your Firm Should Demonstrate Information Security”. It was written by the Chief Information and Security Officer at Dickinson Wright PLLC, Michael P. Kolb. The article described how law firms are finding an increase in audits and, as a result, how firms are starting to commit to information security. For Dickinson Wright, this commitment involves being ISO/IEC 27001 certified and three key steps: Inter-Departmental Cooperation, Educating Employees on the Importance of Information Security, and Developing a Proactive Approach to Information Security. ISO/IEC 27001 was designed to: “preserve the confidentiality, integrity and availability of information by applying a risk management process while providing confidence to interested parties, particularly clients, that risks are being adequately managed.” The team was able to get certified and as a result Michael has already seen some of the payoffs. He has seen his company have increased inter-departmental support as well as an increased mindfulness among his employees regarding the importance of information security management. The firm is also better prepared to respond to audits and secure their data.
Why Your Firm Should Demonstrate Information Security (Perspective)
-
These issues tend to scare me. It reminds me of a 2015 story (to a lesser degree) that involved the US government being hacked of 21 million social security numbers. The government is now notifying and helping the individuals that were affected. The affected individuals have to do way more than the above Yahoo users. It just shows how important cyber security is these days. Everyone (including the Government) needs to invest more in the cyber field to secure their medical records, social security numbers, bank account info, etc.
-
http://www.usnews.com/news/articles/2015/07/09/more-than-21-million-affected-by-government-hacking
Here is an article that goes over what I was referring to. Thanks, Priya. Great article post!
-
Article: “Inteno Router Flaw Could Give Remote Hackers Full Access.”
According to this article, a critical new router vulnerability could allow “remoter attackers to replace the firmware on a device to take complete control over it, and monitor all internet traffic flowing in and out.”
There are three models confirmed to have the potential risk of giving hackers full access to the system: the Inteno EG500, FG101, and DG201 routers. F-Secure believes that other models may have the same issue. According to F-Secure cybersecurity expert Janne Kauhanen, if the attackers change the firmware, they can change any rules of the router, which means the internet traffic flowing through it is no longer safe. But Janne also points out the importance of users keeping browsers and other software updated to prevent hackers from attacking the router. In addition, antivirus software can also prevent many malware downloads, which can also prevent hackers from gaining the initial foothold into the network.
Source: http://www.infosecurity-magazine.com/news/inteno-router-flaw-remote-hackers/
-
Thank you for sharing the link, Ian. I read the article and I think declining an attack would be the worst mistake. Even if there is a possibility of attack, organizations should alert the users so that they can take preventive steps.
Ex. changing the credentials so that the hacked data is obsolete.
-
http://www.technewsworld.com/story/83860.html
The article reveals how important information security is to the defense sector. The hackers have stolen more than 22000 secret pages pertaining to the Scorpene class submarine.
It’s a submarine which has been acquired as part of a defence purchase by the Indian Navy from French defense contractor DCNS.
The defense manufacturer was expected to deliver the 6 submarines by the end of the year, and there were definite talks within the Indian Navy to order more submarines from the defense manufacturer in the coming time.
But with the leakage of critical data the submarine manufacturer may lose its future contracts for submarine manufacturing from the Indian Government as well as other countries like Australia who were thinking of purchasing the Scorpene class submarines from the contractor.
-
Article: “Modernizing Security”; Topic: Understanding an Organization’s Risk Environment
The clear business security issues were shown:
-Most employees steal proprietary data when quitting or getting fired from an organization.
-Nearly all employees are vulnerable to exploit kits.
-Four out of five breaches go undetected for a week or more. Some take up to a year.
-Just over a third of global organizations feel they are prepared for a sophisticated cyberattack.
-Generally, when an organization is targeted for attack, the attackers need only minutes to bring about a compromise.
-Most organizations lack the means to track and control their most sensitive data.
-Most organizations lack clear security guidelines, policies, and reinforcement through training.
It is time for each person to know that every action must be viewed through the prism of security, and activity must be conducted in accordance with defined, attendant values and standards. Today, the organization must value security: it must train to, and perform to, specific security standards in direct match to the organization’s business, environment, risk, and related needs – actually in excess of those – given that risk is escalating all the time. Security must occupy a priority in new employee orientation, with updated refresher trainings, internal organizational newsletters, and addressing in various meetings and internal forums. Be aware that data security is not the sole province of IT. It is the province of the organization.
Source: http://windowsitpro.com/security/modernizing-security
-
Synopsis of “Report on Cardiac Device Cyber Vulnerabilities Fuels Debate”
There is no doubt that technology has expanded to great lengths, especially in the medical industry. Researchers are working with pacemakers and implanted defibrillators that are as susceptible to cyber attacks as any new technology on the market. This article specifically talks about St. Jude Medical implantable devices that were “ethically” hacked by security research company MedSec. Instead of reporting the vulnerabilities to the manufacturer and the FDA, MedSec released the information to Muddy Waters Capital, which later short sold St. Jude Medical stock.
The MedSec CEO explained that St. Jude Medical failed to correct known vulnerabilities of their devices and basically took matters into their own hands. They publicly announced that there were vulnerabilities, but the details were not revealed, leaving doubts in the public. Although MedSec did nothing illegal, they are criticized on how they went about reporting the problem and the legitimacy of their findings due to their ties with Muddy Waters Capital.
Source: http://www.databreachtoday.com/report-on-cardiac-device-cyber-vulnerabilities-fuels-debate-a-9365
Do you think that MedSec did the right thing?
-
The article I chose is about Dropbox and the lessons learned from the data breach they suffered 4 years ago. For those of you who were not aware, in 2012, millions of stolen usernames and passwords were used to successfully access some Dropbox accounts that had crucial information on individuals and businesses.
Following that incident, Dropbox reinforced their information security. Below is a list of what Dropbox and users can do differently in order to protect sensitive data.
1. Never re-use a password
2. Change passwords regularly
3. Enable two-factor authentication or 2FA (which is an extra layer of security that, in addition to requiring a simple username and password, asks the user for something that only the user knows)
4. Never completely trust service providers (who should adopt a customer-first approach and have an open dialogue about security)
5. Take responsibility for data protection: users should be responsible for what they decide to store in Dropbox and not entirely rely on third party security measures.
6. Use data-centric security
7. Get visibility of enterprise data in the cloud: firms need to monitor and control the type of data exposed in the cloud
8. Monitor for anomalous activity: businesses, Dropbox included, need to carefully monitor technology
As we can see from this article, users represent information security vulnerabilities for Dropbox and vice versa.
http://www.computerweekly.com/news/450303585/Lessons-from-the-Dropbox-breach
-
All of my information was captured in that OPM hack from my SF-86 data for my govt clearances.
-
“Creating a Risk Intelligent Organization”
This article discusses how many businesses have spent a lot of time building risk frameworks and processes to mitigate risks, but how they often fail from a lack of risk oriented culture. The author describes the importance of how risk awareness throughout a business’s culture, from the top to the bottom, is the most important part of risk control because as employees take a meaningful and committed approach to risk awareness it filters positively to their individual jobs and processes they have roles in for the business. Key elements of a “Risk Intelligent Organization” are given to provide a better understanding of the concept and to be able to identify a successful implementation.
-
The New Security Mindset: Embrace Analytics To Mitigate Risk
This article relates how security professionals have been working to find weaknesses in their system. According to the author Todd Thibodeaux, “fewer than half of information security professionals feel their organizations’ security is completely up to par”. In fact, businesses spent millions on their enterprise security. However, investing in infrastructure and security solution is not enough today. The mindset has been “think like a hacker to stop a hacker”, and yet systems are still vulnerable. IT leaders have to innovate and initiate a different way of thinking.
The new approach, according to Thibodeaux, would be “to properly analyze today’s networks to see where traditional security measures fail”. In other words, security professionals should conduct a deep analysis of their network and then analyze the results in order to identify key areas of risk. He also recommends that security professionals figure out what makes their organization an attractive target and tackle cybersecurity from a data-driven viewpoint. The bottom line is to be at least as creative as hackers in order to protect networks and systems.
-
The first point in the article is very important and why controls around terminating employee access are so important. When an employee leaves an organization their access needs to be disabled as quickly as possible to prevent them from taking as much proprietary information with them as possible. Most companies have a termination control in place that says something to the effect of ‘when a user is terminated their access is deactivated in a timely manner’, and every organization defines timely differently. One company I worked with went a step further with their termination control, which I thought was very smart. They split out people who were leaving the company into two different groups, people who resigned and people who were fired. For people who resigned the termination control was that their access would be terminated within 2 days of them leaving. For people who were fired their control stated that the access would be terminated before the user was informed that they were being fired. They did this because they believed that users who voluntarily left were a lower risk than those who were being fired. They believed that users who were fired would be more disgruntled and therefore more likely to try to steal proprietary information before leaving.
-
Cyber Threat Grows for Bitcoin Exchanges
The article describes a recent hack of a bitcoin exchange for $70 million and the risks of bitcoin exchanges. The hack is the largest since 2014, when hackers stole $350 million from a Tokyo bitcoin exchange. According to the article, between 2009 and 2013 approximately 33% of bitcoin exchanges were hacked, and 48% of bitcoin exchanges closed between 2009 and 2015. Many exchanges also allow customers to hold virtual currency in the exchanges, similar to traditional banks. Unlike banks, bitcoin exchanges are not required to purchase federal deposit insurance, leaving customers with little recourse to recoup lost assets.
Each loss is handled differently. In the hack referenced in the article customers lost 36% of assets on the exchange, and were compensated with equity in the parent company. The bigger the exchange, the larger a target it becomes for hackers.
http://www.nytimes.com/reuters/2016/08/29/business/29reuters-bitcoin-cyber-analysis.html
-
This article goes into an explanation of how this past Thursday, Apple fixed critical vulnerabilities in its Safari desktop browser and its OS X operating system. This security issue revealed that the iOS system let malware spy on and monitor a user’s phone calls and text messages. This flaw not only affected Safari on mobile devices but the desktop version as well, due to sharing the same codebase. Apple’s advisory stated that the Safari 9.1.3 bug could allow a hacker to execute arbitrary code on an unsuspecting victim’s Mac by tricking the person into visiting “a maliciously crafted website.”
Unfortunately, this vulnerability came to light when human rights activist Ahmed Mansoor’s iPhone was penetrated by hackers, who used the same hacking technique. Ahmed stated, “He received a text message from a cyber war company with a link to malware that would have jailbroken his handset and installed surveillance software”. If activated, it would have allowed NSO access to the phone’s camera, microphone, and GPS. According to Citizen Lab researcher Bill Marczak, “Not only could NSO infect iPhones at the touch of a link, but it seems that the vulnerabilities they were exploiting could be weaponized to target many different platforms”.
Conversely, due to Ahmed Mansoor’s willingness to share his story, he allowed Apple to form security improvements. Apple was able to fix the issue by improving how iOS devices access memory, as well as a reinforcement which prevents visits to malware-laden websites.
http://www.pcmag.com/news/347562/apple-patches-safari-os-x-flaws-to-prevent-snooping
-
Sensitive User Data Exposed in OneLogin Breach
This article is about a breach in one of OneLogin’s services, Secure Notes, which allows users to store sensitive information such as passwords and license keys. You would think that such a service would keep security its number one priority, but apparently a bug caused the data to be visible in clear text in OneLogin’s log management system before it was encrypted and stored in the database. Hackers were able to tap into this vulnerability and viewed the logs containing the information after stealing an employee’s password. 1,400 enterprises were affected, but OneLogin responded by limiting login access to a limited set of IP addresses and resetting passwords.
Source: http://www.securityweek.com/sensitive-user-data-exposed-onelogin-breach
-
Kimpton Hotels Hit with 6-Month Card Data Breach
This accident happened between February and July 2016 and it was published recently. The hotel chain confirmed a credit card breach at its 60+ restaurants and hotel front desks. The details of the damage are still unknown. Kimpton said the malware was installed on its servers that processed credit cards. The malware, which is different from the normal Point of Sale malware, is able to track, read and record data from the magnetic stripe of a credit card as it is routed through the affected server. Free wifi is also a profitable breach target because it is easy to install malware where protection is low.
This control risk environment is very important for an organization, especially hospitality companies. They must deploy the latest developments in endpoint protection to protect their customers. Securing the web gateways that actually prevent breaches through the most advanced methods available to the industry today is also a very effective way to protect sensitive data.
http://www.infosecurity-magazine.com/news/kimpton-hotels-hit-6-month-card/
-
The news that I wanted to share for this week is related to the vulnerability of web-based accounts demonstrated by a Romanian hacker.
A former Romanian taxi driver was able to hack the email and social media accounts of celebrities and politicians in late May this year. He gained access through weak passwords and then accessed their correspondence.
In this article password management is explained. It was mentioned that although the authentication of web-based systems is weak, he was still able to access accounts from rural Romania to U.S. account holders, including revealing that Hillary Clinton was using a private email account.
In order to mitigate authentication risk, implementing a unique and strong two-factor authentication process and using a password manager is suggested.
http://www.databreachtoday.com/guccifer-hacker-sentenced-to-52-months-a-9379
-
Paul,
It is funny you mention this article because I was going to post the same incident. I can’t seem to find the episode, but I remember watching Bill Maher last season and he was talking about Hillary’s private server and how other high-level officials are using similar private systems for government business. The reason was mentioned by an FBI technology expert who suggested our government’s system is so outdated, it is more efficient to use a private network.
I am not an expert, but if this is true, will we ever be secure if we don’t modernize our systems and implement higher-level security solutions?
-
INCIDENT: It is required of all businesses that handle cardholder information to comply with PCI-DSS, which is the Payment Card Industry Data Security Standard. Despite implementing PCI-DSS, Hutton Hotel’s payment processor notified it of a possible breach compromising its customers’ credit card information.
According to the breach notification, “Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system.”
To make the matter worse, the customers’ payment card details had been compromised for more than three years, as the breach included payment card information of the people who placed reservations with the hotel from September 19th, 2012.
RESPONSE: Hutton Hotel is now using a stand-alone payment processing drive; they didn’t explain how that will be a better solution. Hutton Hotel is also working with the payment card companies to identify its affected customers.
MALWARE: Just like in the case of Hutton Hotel, POS malware has been targeting processing points inside the payment systems: the point where the card gets swiped, but before it gets stored, is where the data may be unencrypted. POS malware attacks have stolen card data before from POS retailers like Target, Michaels, Staples and even mom-and-pop shops. It is for criminals who are seeking the best returns with the lowest associated risk.
Source: http://www.databreachtoday.com/nashville-hotel-suffered-pos-breach-for-three-years-a-9381
-
Amanda,
This sounds like the POS malware that also affected Hutton Hotel on September 4th. After Hutton Hotel, Noble Hotel and now Kimpton, it looks like POS malware has gained popularity.
As I mentioned in my post, I believe that one of the reasons could also be that the risk for the attacker is low and the rewards are higher. Even back in 2014, over a thousand businesses ranging from big corporate retail stores to mom-and-pop shops were affected by Backoff, a POS malware.
Source: http://www.bankinfosecurity.com/1000-businesses-hit-by-pos-malware-a-7230
-
100 Million Accounts Stolen From Russian Web Portal Rambler
This article talks about how hackers stole the details of more than 98 million user accounts from Rambler, one of Russia’s largest web portals. For those of you who are not familiar with Rambler, it is like the “Russian version of Yahoo”, which offers web search, news aggregation, email, e-commerce and other services. Breach notification service LeakedSource learned recently that Rambler.ru was hacked on February 17, 2012. Interestingly, the data set was provided by the same individual who revealed that the 2012 Last.fm mega breach impacted at least 43 million accounts. Each record contains a username/email address, password, ICQ# and some other internal data. The passwords on rambler.ru were stored in plain text, with no encryption or hashing. The most common passwords found in the dump are “asdasd,” “asdasd123,” “123456” and “000000.”
I think Rambler should take responsibility for leaving users extremely vulnerable to hackers. It surprised me that Rambler still uses plain text to store passwords, like VK.com, which was hacked before this took place. Data breaches like these are extremely valuable to hackers because they can use the login details to try to log in to other services that users have accounts with. Most likely, it will be the same password, because we have the habit of re-using the same password for all the accounts we have. What I learned from this article is that everyone should have different passwords for different accounts, whether for work or personal use. The passwords that one sets up must be strong and unique. In addition, organizations should provide training to employees and make them aware of how risky it is to use simple passwords, or even re-use passwords.
Source: http://www.securityweek.com/100-million-accounts-stolen-russian-web-portal-rambler
-
The article talks about malware designed for Android users that uses Twitter instead of command-and-control (C&C) servers for an Android botnet; it’s innovative and even harder to discover or block. The threat spreads through SMS or malicious URLs sent to its victims, then may download malicious applications without the victims’ knowledge, switch to a different C&C Twitter account, and cause the disclosure of victims’ information.
It represents how vulnerable personal information is; even our social accounts could be a way in for hackers to access our personal information. Worse, for normal people there are no effective technical methods to block such malware; all we can do, it seems, is be cautious about untrusted apps and URLs and keep our devices updated in a timely manner.
Finally, as a very popular saying in China goes, on the way to the information age, each of us is streaking.
http://www.securityweek.com/android-botnet-uses-twitter-receiving-commands
-
This is a news story called “FBI denies claims of Apple ID hack”. In this story, it says that hackers stole information on more than 1 million iPhones and iPads and posted more than 12 million IDs. And this claim had been viewed 370,000 times in less than 24 hours.
After I read this news, I had to think about how important the information is and how much Apple Inc. would have to pay for this data breach problem if the hackers’ claim is true. However, the interesting thing in this news is that people think it is not true. In fact, Apple Inc. still keeps silent; does that mean Apple is so confident in its own information protection system?
http://www.cnn.com/2012/09/04/tech/web/fbi-apple-id-hack/index.html
-
At the G20 summit in Hangzhou, China, there are a number of US Senators strongly urging President Obama to open up a dialogue and start on an international action plan to address cyber-security on a global scale with partners. Due to the nature of hackers not having any real geographic boundaries, an international coalition against hackers is an imperative. The most recent activities that have driven this request are a number of thefts from a system called SWIFT. Apparently, this is the system that financial institutions use to transfer funds between one another. The most recent cases have been the theft of almost $1 Billion from Bangladesh central bank and another $87 Million heist from the Federal Reserve of New York. The money was then subsequently moved to the Philippines and laundered through casinos. These are just 2 of the numerous thefts that occurred after the SWIFT (messaging system used by financial institutions to transfer funds) system was compromised. They interviewed the CEO of CyberGRX asking what good a discussion would be at G-20 and from his take the failure occurred in “third-party cyber risk management.” Ultimately, due to the real-time nature and ever changing nature of the threat, it is critical to open up lines of communication across the globe in order to try to stay on top of the ever changing dynamic that is cyber criminals. In his mind, “Collaboration and information-sharing at all levels are the keys to effectively mitigating the persistent and potentially damaging threats from cybercriminals.” This just goes to show the real threat that these criminals pose to everyone. It is real damage and not just a hacking of someone’s Twitter account and posting some distasteful tweets to the world.
http://www.infosecurity-magazine.com/news/us-senators-urge-obama-cyber-g20/
-
Hackers claim to have stolen important hacking tools straight from the NSA. This group, calling themselves the Shadow Brokers, have decided that it’s more profitable to sell the tools than to keep this hack secret to themselves. Being the only ones who know of an exploit can earn a bad guy a lot of money. The group has set the asking price at what seems to be a Dr. Evil-inspired 1 million bitcoins, which has a street value of roughly half a billion dollars. The hackers posted a manifesto claiming that the tools are from the creator of the infamous Stuxnet virus. The names of some of the tools, such as EPICBANANA, correspond with information that Edward Snowden had previously leaked, lending credibility to the hackers’ story.
I think this news is a reflection of how dangerous hackers can be. They are able to demand multi-millions of dollars because someone else is willing to pay that price to break into secure systems. This shows just how hard it will be to work against persistent hackers when they are backed by money.
http://motherboard.vice.com/read/hackers-hack-nsa-linked-equation-group
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Provide an example of a measurement used in quantitative information security risk analysis.
What challenges are involved in calculating such a measurement?
-
Quantitative Information Security Risk Analysis is when you are able to examine a risk by looking at its risk factors in order to place a dollar amount or another type of value to the specific risk.
An example is having 100 employees’ sensitive bank account numbers, bank routing numbers, and other direct deposit information in a database in order to allow the employees to directly deposit their paychecks into their accounts. When the board of directors analyzed the option to allow the employees to use direct deposit or not, they determined that if this data was stolen, it would cost the company $500 per employee. This $500 cost is an average that was calculated by looking at a population/sample of people, their bank account info (like amount), and several other factors. The $500 amount would include: investigating to determine exactly which employees were affected, contacting the employees to notify them, replenishing the amount of actual money stolen, and the cost it would take to pay for the employee to change the information that was stolen. The max loss for this particular risk is $50,000.
In my above example, I made the risk value in terms of a dollar amount and I made the elements of the risk fairly simple. This is not always the case. In fact, risk can have more elements and there is not always an element that you can put a dollar amount to. Complexity of risk and the likelihood of partial or full risk loss are two factors that also make risk difficult to quantify. Lastly, there is no standard in each industry that tells you what each risk element is worth in terms of money or any type of value and that makes determining the quantitative risk value very difficult because each risk situation is unique.
-
In your simplified example, how might you approach attempting to quantify the loss to the business of “good will” from a data loss scenario (i.e. hacking data)? Would the business have to also quantify the loss due to compliance lawsuits like Target did in its security breach a couple years ago?
-
Sean, to answer your query, you can study the SANS whitepaper Quantitative Risk Analysis Step-by-Step
[ https://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849 ]
To summarize, the steps are as below:
1. Determine risk factors
2. Determine values of assets under risk
3. Determine historical data of incident occurrence and loss
4. Determine Annualized rate of occurrence (ARO)
5. Determine counter measures to overcome risk
6. Determine Annualized Loss Expectancy (ALE)
7. Conduct safeguard cost analysis by calculating difference between ALE before and after implementing countermeasures
8. Using values in step 6 & 7 calculate Internal Rate of Return (IRR)
9. Present summarized results to management
Formulas you will need:
Exposure factor (ex. 40%), Single loss expectancy (ex. $1000 at 20% likelihood), Annualized rate of occurrence (ex. 0.1, once in 10 years), Annualized loss expectancy, Safeguard cost/benefit analysis.
To answer your question, “loss of goodwill” will come under calculating the risk factor for intangible assets.
There is an example given in the whitepaper that you can read.
-
Quantitative data: data derived from mathematical and statistical figures.
Risk assessment: the process to identify potential risk to a business process.
So, as the name suggests, quantitative information security analysis is placing a mathematical figure, in terms of dollar value, on the threat or asset involved in information security analysis.
An example of quantitative information security analysis: an organization XYZ is using a software tool worth $300 which has a risk of being hacked by potential hackers.
The department analyzes that the hacking may result in 90% software corruption.
So the true asset value is 300*90/100=270.
The organization may incur a loss of $270 in case of the software being hacked, and the results are a part of information security analysis.
Furthermore, the challenges involved in such risk measurement are posed in a question: “How can you identify the estimate of loss occurred until the actual threat occurs?” The risk can be greater or even lesser than the actual threat estimated, and there can be a lot of other elements and subjects getting involved when the actual threat occurs.
-
I agree with Shukla. Simply put, quantitative information security risk analysis is using mathematical and statistical methods to figure out the potential risk to the information of a business process, and the example shows the risk and the loss very clearly. And I think this analysis is more like an expectation of loss, and the result will show the maximum outcome to us.
-
What is quantitative information security risk analysis? Provide an example of a measurement used in quantitative information security risk analysis. What challenges are involved in calculating such a measurement?
Quantitative information security risk analysis tries to estimate monetary value (dollar value) for each data leak event with potential data loss. Example: in case of health care company, Quantitative information security risk analysis produces estimated loss of 150K for every data loss of 10K patient personal information. Estimating expected loss requires calculating probability of data loss, and the extent of data loss if breach does happen.
Expected loss $ = Expected Consequence * Expected Frequency (probability)
What challenges are involved in calculating such a measurement?
The apparent issue will be the accuracy of both measures needed to calculate Expected Loss $ (Consequence and Frequency), in addition to the difficulty of calculating the probability of a breach event when multiple data loss events can be and are interdependent.
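The ALE arithmetic behind the SANS steps listed earlier in the thread and the expected-loss formula in this post, carried through in code. This is an added example, not from the whitepaper or from any post here; the payroll figures (modelled on the $500-per-employee example above), the safeguard with its assumed $1,500 annual cost, and the estimate ranges are all constructed.

```python
"""Quantitative risk analysis worked through: SLE, ARO, ALE and safeguard cost/benefit.

Added example; every figure below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, described by the standard quantitative inputs."""
    name: str
    asset_value: float      # AV: value of the asset at risk, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 .. 1.0)
    aro: float              # ARO: expected incidents per year (0.1 = once in 10 years)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF (loss from one incident)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO.

        This is the same quantity as 'expected loss = consequence * frequency'
        in the post above: SLE is the consequence, ARO the frequency.
        """
        return self.sle() * self.aro


def safeguard_net_benefit(before: RiskScenario, after: RiskScenario,
                          annual_safeguard_cost: float) -> float:
    """Safeguard cost/benefit (step 7): ALE(before) - ALE(after) - annual cost.

    A negative result means the safeguard costs more per year than the risk it removes.
    """
    return before.ale() - after.ale() - annual_safeguard_cost


def ale_bounds(scenario: RiskScenario, ef_range: tuple, aro_range: tuple) -> tuple:
    """Lowest and highest ALE over plausible EF and ARO ranges.

    This makes the accuracy challenge concrete: when EF and ARO are estimates,
    ALE is a range rather than a single number, and modest uncertainty in the
    inputs can spread it over a factor of five or more.
    """
    ef_lo, ef_hi = ef_range
    aro_lo, aro_hi = aro_range
    low = RiskScenario(scenario.name, scenario.asset_value, ef_lo, aro_lo).ale()
    high = RiskScenario(scenario.name, scenario.asset_value, ef_hi, aro_hi).ale()
    return low, high


# Constructed scenario: 100 employees' direct-deposit records at $500 of cost
# each if stolen, so the asset at risk is $50,000 and one breach exposes all of it.
PAYROLL_DB = RiskScenario("payroll direct-deposit records",
                          asset_value=100 * 500, exposure_factor=1.0, aro=0.1)

# The same asset after a constructed safeguard (encryption at rest plus tighter
# access control) that is assumed to cut the loss per incident to 20% of AV.
PAYROLL_DB_PROTECTED = RiskScenario(PAYROLL_DB.name, PAYROLL_DB.asset_value,
                                    exposure_factor=0.2, aro=PAYROLL_DB.aro)
SAFEGUARD_ANNUAL_COST = 1500.0  # constructed licence plus operations cost per year


def payroll_summary() -> dict:
    """Run the numbers for the constructed payroll scenario."""
    low, high = ale_bounds(PAYROLL_DB, ef_range=(0.8, 1.0), aro_range=(0.05, 0.2))
    return {
        "sle": PAYROLL_DB.sle(),                  # 50000.0
        "ale_before": PAYROLL_DB.ale(),           # 5000.0
        "ale_after": PAYROLL_DB_PROTECTED.ale(),  # 1000.0
        "net_benefit": safeguard_net_benefit(PAYROLL_DB, PAYROLL_DB_PROTECTED,
                                             SAFEGUARD_ANNUAL_COST),  # 2500.0
        "ale_low": low,                           # 2000.0
        "ale_high": high,                         # 10000.0
    }


if __name__ == "__main__":
    for key, value in payroll_summary().items():
        print(f"{key:>12}: ${value:,.2f}")
```

The same classes reproduce the $300 tool example above (AV 300, EF 0.9 gives SLE 270) once an ARO is supplied, which is exactly the input the post says is hard to know in advance.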
-
When communicating metrics, it is important to remember that Baseline Defenses Coverage is not the only line of defense that an organization has. Looking through these numbers would frighten any executive who is being told that the firewall that they are spending a lot of money to maintain has flaws. They must be informed of the importance of having layers of security so that even if an attack breaches the firewall, it is prevented or detected in another way. Communicating metrics is a delicate conversation, and using industry averages and numbers from outside trusted sources such as the Computer Security Institute is helpful for them to understand that the situation is not as bleak as the numbers initially may appear. Knowing best practices and what others in the industry are doing can help when deciding if paying for various baseline defense technologies is worth it to an organization.
-
Magaly,
Great McDonalds example. The most difficult thing in economics is to put a cost on the impact of a policy. For example, how do you put a price on carbon dioxide put into the atmosphere? The risks of burning coal are known but putting a value on it and selling it to an emerging country is a difficult thing because all they see is short-term profits, rather than long-term tragedy.
Similar to companies who don’t value the risks of IT. It may not end well.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
-
Information security is both a technical problem and a business problem, on which both parties need to work together in establishing and solving. It’s a technical problem because the technical side knows that without a proper framework in place, a business can go down if it’s not well protected against threats from technology or other outside forces. It’s a business problem because management is a key stakeholder and needs to work with the IT team to figure out how to keep the business safe. Management has the business knowledge, such as revenue and access to resources, to help with these projects. IT security alone can’t be an IT issue because they can only go so far to try and mitigate these problems. The business side has to get involved so they know how to provide ways to maintain it.
-
Information security is a technical problem and a business problem. Since information is digitized to such a degree today, its security is in the hands of IT professionals. Their training and expertise is needed to properly secure data and to create safe and reliable methods to access and transport data. The IT personnel need to develop training plans to train employees how to properly control information security at their individual levels and how to safeguard data in their control. IT personnel need to constantly stay up-to-date on the latest threats to the security of data and to institute physical and software updates to safeguard the data.
Information security is just as much in the hands of the rest of the business too. Again, with the digital nature of data today, businesses have a key role to safeguard data. The data plays a significant role in profitability to both its business and its competitors. Employees need to be properly trained to safeguard the data at all times, and to understand the importance of the integrity of the data. If employees are not properly trained, or get careless, their actions can cause significant interruptions to a business to the point of halting operations and potentially even as far as bankruptcy.
Since information security is both a technical and business-wide issue, all employees should be invested in its importance. IT personnel can do everything possible on the technical side, but without employees doing their part in security the data can be lost, destroyed, or fall into a competitor’s hands. If employees have the keenest senses of security, but the IT personnel lack the ability to institute proper protocols and security measures, data can be just as easily lost, destroyed, or fall into a competitor’s hands. Information security is a technical problem that the entire business must properly understand and address collectively to properly safeguard.
-
I agree with your opinion. An organization that can demonstrate an infrastructure protected by robust security mechanisms can potentially see a reduction in insurance premiums. A secure organization can use its security program as a marketing tool, demonstrating to clients that it values their business so much that it takes a very aggressive stance on protecting their information. Therefore, the company should combine the technical problem and the business problem.
-
I agree with you. The company should provide security training for IT staff now and forever. Because management does not understand technology, they are not in a very good position to judge a person’s depth of knowledge and experience in the field. Decisions are often based on the certifications a person has achieved during his or her career. Many certifications require nothing more than some time and dedication to study and pass a certification test. When IT staff meet new technology, they will figure it out; however, a strong security posture requires significant training and experience. In addition, very few organizations have a stagnant infrastructure; employees are constantly requesting new software, and more technologies are added in an effort to improve efficiencies. Each new addition likely adds additional security vulnerabilities. (CAIS CH1)
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical problem and a business problem. Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. If the company loses important data, it will lead to a business problem. When we implement any security mechanism, it should be placed on the scale where the level of security and ease of use match the acceptable level of risk for the organization. For example, employees can easily copy data from the devices to their home computers before the devices are returned. This easily leads to a data leak. If the employees leave their position, they may take the important information to a competitor company. So the problem is both a technical problem and a business problem. The company should investigate employees’ backgrounds before recruiting, and it is important for an organization to establish policies outlining the acceptable use of these devices as well as implement an enterprise-grade solution to control how, when, or if data can be copied to them, using some products that can protect against this type of data leak, such as DeviceWall from Frontrange Solutions and GFI Endpoint Security.
-
2. Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is not solely a technical problem, as it involves not just technical glitches but also the intention of the intruder. More than considering information security as a technical problem, I would consider it an ethical issue where people tend to misuse privileges for financial gain or for getting proprietary ideas, or are just ignorant of best practices, or want to try new things out of curiosity, endangering critical and confidential data. It is a business problem, as the security of confidential data or PII is important for the reputation of the firm and also for building trust with the clients. If a company loses its credibility, it loses its business.
The employees, whether current, former employees or contractors, who have knowledge about the company’s policies, processes, procedures and technology can exploit this knowledge to provide the information to external attackers for gain, or they themselves can facilitate attacks or accidentally reveal information to potential attackers. A company can have the best infrastructure in place with the latest and the costliest security controls and still be a victim of a data security breach because of one user who forgot to lock his machine while going for a break, or an employee who decides to save PII content on his personal desktop, which does not have the same security policies and is exposed to malware and information theft.
Yes, it is a technical issue, with open ports available or no latest update on anti-virus protection in place, which makes the system vulnerable to threats, but more than that I think it is the human factor involved here that can make a difference. So everyone in the organization, management, the IT department and employees, should make sure that they are compliant with the organization’s policies and make an effort to make sure that their machines are compliant too. The management should educate its employees on the consequences and take the necessary steps to mitigate the risks involved, and thus provide a secure business to the client that they can rely on.
-
Question: Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical and a business problem. First of all, the information security of an organization requires some basic technical devices like hardware and software to protect the information assets. For example, in order to prevent unethical hacking or unknown internet attacks, a firewall is necessary for the core servers. Besides, the antivirus software on each PC in the organization also needs technical support. From this perspective, IS is a technical problem. Moreover, IS is also a business problem. For example, according to the Sarbanes-Oxley Act, Sections 302 and 404, the management of an organization must take responsibility for the Internal Control System in writing, and disclose the effectiveness and weaknesses of the organization’s internal control in the ICS report with confirmation from an external auditor. After the accounting scandals in several major public corporations like Enron and Worldcom, the importance of the control environment and internal control of an organization was enhanced. Furthermore, a weak information security system may cause a huge loss of the company’s information assets. For instance, without a data backup and disaster recovery plan, the organization may lose all information about contracts, orders, and clients’ personal information through damage to the core servers. Therefore, information security is both a technical and a business problem.
-
In an organization, both the technical and the business problems of information security must be solved.
Many businesses believe that by implementing secure infrastructure and utilizing security tools such as firewalls, IDS and antivirus programs, they can create a secure organization. However, the security chain is only as strong as its weakest link, and the weakest link in the IT security chain is the employees. Security is a process; all security products are only as secure as the people who configure and maintain them. In order to get the most effective result from implementing a security tool in an organization, IT strategy should be aligned with business strategy. For example, IT professionals mostly focus on the technical view of security, while management mainly focuses on revenue, profitability and ROI.
IT professionals should implement the technical infrastructure in a cost-effective manner that would be beneficial to the organization.
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a business problem that must be solved by an organization, but it requires adequate technical support from the information security manager. A business needs the proper security in place to manage business risk and mitigate intrusion. The organization could face a huge risk of a data breach if it does not maintain a clear perspective of all areas of the business that require IS protection through collaboration with other departments.
According to the Computer and Information Security Handbook by John R. Vacca, "through collaboration with all business units, the security manager must work security into the process of all aspects of the organization, from employee training to research and development. Security is not an IT problem, it is a business problem."
-
I agree with you, Neil and Wenlin. Every business is different, and thus the threats it will face will be business dependent. That is why it is necessary for security team members to understand the business processes in order to formulate a risk analysis and form a secure IT framework.
Also, as rightly pointed out by Wenlin, robust security can be used for marketing. Acquiring certifications and being compliant with global standards increases the brand value of the company. By adhering to the standard, a company follows best practices, and that helps gain trust from the users.
-
Information security is not just a technical problem anymore. It is a technical and business problem that the entire organization must frame and solve. Data breaches have become a significant security risk to all businesses. I have done a case study of the Home Depot data breach in 2014, which could be the largest breach after Target. They detected the crisis after 6 months. The information of 56 million cards was stolen and they lost at least $62 million. This is also an example of what might happen if organizations don't pay enough attention to their information security. A data breach is only one risk of information security, and it can't be protected against only by the IT department. Information is one of the most important assets in a company and many people have access to it, therefore it is hard to control and protect. Usually, many executives believe "information security" is the same as "IT security" and is therefore the responsibility of the IT manager. This belief might explain why the question "Is our information secure?" is often answered with "Yes, we have firewalls." The lack of incentives for businesses to invest in cyber security and the lack of understanding from the business about the nature of information flows play an important role in this. If any organization wants to completely protect its information, the whole organization needs to be aware of the threats and look beyond the risk. Therefore, information security is a business problem more than a technical problem now.
-
Question 2
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
In my opinion, information security is both a technical and a business problem that an organization has to frame and solve. Information security, as most know, is the practice of protecting information from those who do not have authorized access. While the concept might sound simple, protecting information can require a great deal of technical skill, since most information today is kept and transferred via computers and networks. Due to this, positions such as Chief Information Officer, Security Director, and many others require employees to have the technical knowledge to prevent access to this information. What makes this a business problem as well is that information security is only as good as its weakest link, which in this case is the non-technical computer user within an organization.
In protecting information, there is one limitation, which is those who have authorized access to the information. Since you can't restrict everyone from having access to that secured information, those who want to steal information generally take advantage of those who have this authorized access. This is often done through phishing scams or having susceptible users download malware. Regardless, since these authorized users have access to information but don't necessarily have the technical skill to best protect valuable information, they are often the avenue that those trying to steal information go through. Even when an organization has a well-designed IT policy, these users most of the time do not follow the IT policies and don't care to understand the risk since they are not "technical".
With all that being said, information security is certainly both a technical problem and a business problem. You need to have technically skilled employees who have the computer and network knowledge to protect information from a wide range of attacks, as well as to create certain policies that prevent attacks. On top of that, there needs to be education and enforcement of these policies, making sure that even the least technical individual who has authorized access to information knows the importance and consequences of not following the IT policies.
-
Information security is an everyone problem. Everyone at every level in an organization must work together to protect the information of an organization. A breach could come from anywhere in the organization, from a physical breach of the building, to a phishing scam, to a port breach. While protecting the information of an organization oftentimes has a technical solution, that does not make it just a technical problem. If a breach occurs, it does not matter how the breach occurred; the entire organization will suffer as a result. Because the breach can come from anywhere, the entire organization must frame and solve the problem of protecting the information assets it possesses. The information that can be lost can affect the organization in a number of detrimental ways: reputational damage, competitors gaining proprietary information, organizational resources being used for nefarious activities, and more. The entire organization must create a plan to define what they see as the highest and most important risks to be addressed, and a plan to address those risks. IT is used as a means to address many of these risks, and they will work together with the business to address them, but they alone cannot secure all of the organization's information. Business processes must also be in place to secure the information and protect the organization from breaches.
-
I agree with Shahle. In the company security chain, there are a lot of ways to protect information safety through computer programs and employees. Like Vacca said in the Computer and Information Security Handbook, "Security is not an IT problem, it is a business problem." An IT problem can be solved by computers, but a business problem needs to be solved by money and people. Companies spend money and time on training their employees in order to reduce security risk.
-
I agree with Binue that information security is an ethical issue. In fact, employees following the company framework is like government staff following the country's rules, and under a complete system there are a lot of rules to limit the staff in order to protect the safety of a company. Employees may disclose confidential information carelessly or on purpose for benefits, and the company will pay for the loss. So it is a business decision that a company needs to have a basic cost to improve their employees' ethics.
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a business and a technical problem. Organizations must address information security because it can cause many internal problems, such as data breaches. In order to reduce the risk to organizational safety, organizations should train their employees about the information security aspect, which is not just an IT behavior at all.
-
Information security primarily being just a technical problem is indeed a myth. It all boils down to human behavior. The core security issue is that computers were created without a thought to security and computer users are unsophisticated, but the people breaching security are very smart.
The role of IT has changed from being in the basement as an "engine room", and information/data has taken up the role of a business enabler. The value of a firm is in its data: the CIA (confidentiality, integrity and availability) of customer details, product information and financial information should be protected; failure to do so may result in legal repercussions and loss of goodwill in the market. Information is now the engine of global enterprise, and information security should be viewed as a business problem and should be a significant part of the organization's overall enterprise risk management.
In addition to proper employee training, an organization's information security must be aligned with its business goals and strategy.
-
Information security is both a technical problem and a business problem; however, this is not necessarily a mutually exclusive argument. That is to say, each individual security-related event will always be a business problem, but not all security events will be a technical problem. Security can be compromised by a myriad of internal and external factors, some we can control while others are outside of any one human's ability to control. While it is everyone's responsibility inside the organization to be aware of and follow the policies and procedures put in place to minimize the vulnerability to a malicious attack, there are certain events that can occur that no level of technical preparation or expertise would be able to prevent. For example, while it is critical to examine components such as environmental risks when creating a business continuity plan and determining where your most business-critical information should be housed, there is no guarantee that anyone can provide that there will be no force majeure to impact the datacenter location. As we all know, in recent years, while we can do our best to predict where certain natural disasters can occur, the list is not exhaustive and definitive. Year after year, additional exceptions are made and added. Therefore security risk can be strictly a business problem, but can never be strictly a technical problem, because the analysis is always how it impacts the overall business.
-
Good point that the employee may become the weakest link in the IT security chain. Information security is a complex problem which relates to both technical and business aspects. As you mentioned about the security process, IT professionals and management sometimes focus on different strategies. Indeed, technical tools like hardware, antivirus software, and firewalls may cost a lot as basic support for IT security, but management should also realize the significance of protecting information assets instead of thinking that IT protection is a waste of money. Therefore, I think employees and even management need to take training about why information assets are so important for an organization and how to enhance IT security.
-
Sean, thanks for the post. I think that people are the weakest link in any security program. Even the right technology (hardware or software), if not configured or implemented correctly, can cause business disruptions. As you mentioned, IT personnel must stay abreast of all current attacks, vulnerabilities, and technology to be of any value to a company. There is no doubt that lack of training and awareness is a contributing factor in data breaches, but I don't think that is enough. Information security requires a certain mindset and a belief that nothing is ever completely secure. It requires a tone at the top, an organizational culture that is security sensitive. For example, how many times have we sat through cyber security PowerPoints and web applications that tell us not to open emails from unknown sources? Yet a good amount of the malware that is present in an organization's network can be traced back to just that. Without strict enforcement of the company's policies, I believe that people just go through the motions.
-
Information security is both a technical and a business problem that an organization must frame and solve. It doesn't matter if you're in IT, HR, or customer service. The information that you access to carry out your duties is the responsibility of the entire organization. IT (technical) has the responsibility to secure that information within the bounds of the organization's security policies. Their challenge is to provide a balance between security and accessibility. Even if IT has the resources and knowledge to employ all the latest and greatest security technology, it does not guarantee a 100% secure IT infrastructure. Intrusion detection and prevention systems are only good for known vulnerabilities and cannot prevent zero-day attacks. In an effort to improve efficiency, companies will add new software and applications, which adds new vulnerabilities to their security program.
Cybercriminals are far more sophisticated and persistent at finding new ways to exploit vulnerabilities with any given technology. If they can't attack the system directly, they will go to the next best thing: the people. People are the weakest link in any security program. They can be the victims and the perpetrators of adding malicious components into an organization's network. Phishing, malware, and viruses can be added to an organization's network by unknowingly clicking a link in an email or downloading a Word document.
The organization must create a security-sensitive culture that enables collaboration between IT and its businesses. Technology can be implemented, but people need more than training and awareness. People need to be encouraged to practice the security controls set forth in policies and processes. Having a policy is meaningless unless it is enforced, and this has to be set from the tone at the top.
-
There is no doubt that information security is both a technical and a business problem, and everyone should be responsible for it.
From the technical view, physical protection is greatly needed, and a proper information protection infrastructure ought to be established, such as firewalls, encryption, identification, etc., so that valuable information within the organization is only accessible to authorized groups, even though it would cost extra steps to process, which may lead to certain inconvenience.
From the business view, a favorable security environment is very helpful to strengthen the awareness and attitude of personnel toward information security, and complements professional training to prevent both intentional and unintentional information leakage. Besides, based on existing resources, after assessing risk and balancing return and costs, how to formulate the most favorable information security strategy is also a critical issue from the business aspect. So, it is clear that information security is a multifaceted problem.
-
I agree with Binu. This is a very good example to show how information security is not just a technical but a business problem. Regarding the example which you gave about the current and ex-employees of the organisation, I would like to add one more thing to your point.
It is important to keep the entries of the present as well as ex-employees up to date in the risk register. For example, if an employee leaves the organisation, the status of the employee should be changed in the risk register so that there are no more access privileges available in the name of that employee. If the risk register is not updated, it can be a big security issue for the business, as anyone can use the access rights to fetch information. This can be a big loss to the business if any important information goes into the hands of an unauthorized person.
Many organisations fail during audits as they don't keep their risk registers updated.
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical problem and a business problem. The IT security technical team ensures system and network security by fortifying operating systems, firewalls, and authentication and authorization systems. The business side should be concerned with the human factor that may impact the company's data. The business should have proper controls in place for data access and handling. The business develops policies for data access, levels of authorization, and processes for data handling, in addition to business continuity planning in case of a data leak. The business should be concerned with user education to prevent data leakage due to user error.
https://www.weforum.org/agenda/2015/03/why-information-security-is-not-just-a-technical-problem/
-
I believe that information security is both a technical problem and a business problem.
Information security is a kind of IT issue. In terms of risks, all enterprise risk is related to IT. There are about six kinds of enterprise risk, and they all have an IT component, like operational risk (the financial industry in the Basel II framework), credit risk (poor IT security), strategic risk (enabler of new business initiatives), etc. IT risk should be treated like any other key business problem. As business managers determine what IT needs to do to support their business, the use of IT can provide significant benefits to the enterprise but also involves risk too, so IT issues are important; if an IT risk occurs, business objectives fail as well.
The entire organization must frame and solve it.
-
Information security is not only a technical problem but also a business issue. It is true that for an organization to be very secure, some software and hardware may be needed to protect the assets of the company. However, as the book (Vacca) mentioned in chapter 1, thinking that information security is only a technical matter is a myth; "firewall […] antivirus program …are just some of the tools available to assist in protecting a network and its data" (p. 9). In fact, most of the time employees are the main reason why there are data breaches in organizations. A lack of awareness and training on information security can lead to severe losses for the organization.
Similarly, failure to immediately terminate former employees' access to data can potentially be dangerous for a company, especially if the former employees work for competitors. Security measures can be implemented, but the human factor must be taken into consideration. Management should educate employees about their impact on security programs. That is why, in addition to being a technical issue, information security should also be seen as a business problem that must be solved to prevent tremendous risks.
-
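Two of the posts above make the same operational point: an account that survives its owner's departure (the "risk register not updated" case and the "failure to immediately terminate former employees' access" case) is a control failure that an audit should catch. The following is an added example, not code from the original thread or from any organisation mentioned in it, showing one way a business could check this on a schedule: reconcile the HR roster against the directory's enabled accounts and report every enabled account whose owner is terminated or unknown to HR. All employee names, ids, usernames and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    """One HR roster entry (constructed format, not a real HR export)."""
    emp_id: str
    name: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    """One directory account (constructed format, not a real directory export)."""
    username: str
    emp_id: Optional[str]                # HR owner id; None for service accounts
    enabled: bool
    last_login: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    days_since_termination: Optional[int]   # None for orphan accounts
    used_after_termination: bool            # login seen after the leave date


# Constructed sample data: hypothetical people and accounts.
HR_RECORDS: List[Employee] = [
    Employee("E001", "Alice", "active"),
    Employee("E002", "Bob", "terminated", date(2016, 8, 15)),
    Employee("E003", "Carol", "terminated", date(2016, 9, 1)),
    Employee("E004", "Dan", "active"),
]
ACCOUNTS: List[Account] = [
    Account("alice", "E001", True, date(2016, 9, 9)),
    Account("bob", "E002", True, date(2016, 8, 20)),      # still enabled and used after leaving
    Account("carol", "E003", False, date(2016, 8, 30)),   # correctly disabled at offboarding
    Account("dan", "E004", True, date(2016, 9, 8)),
    Account("svc_backup", None, True, None),              # service account with no HR owner
    Account("intern_x", "E999", True, date(2016, 9, 5)),  # id that HR has never heard of
]
AS_OF = date(2016, 9, 10)   # date the review is run (constructed)


def reconcile_access(hr: List[Employee], accounts: List[Account], as_of: date) -> List[Finding]:
    """Return every enabled account that should not be enabled according to HR.

    Two classes of finding are produced:
      - terminated owner: the leaver process did not disable the account;
      - orphan: no HR record owns the account, so nobody is accountable for it.
    Disabled accounts are skipped because deprovisioning already happened.
    """
    by_id: Dict[str, Employee] = {e.emp_id: e for e in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_id.get(acct.emp_id) if acct.emp_id else None
        if owner is None:
            findings.append(Finding(acct.username, "orphan: no matching HR record", None, False))
        elif owner.status == "terminated" and owner.termination_date is not None:
            days = (as_of - owner.termination_date).days
            used_after = acct.last_login is not None and acct.last_login > owner.termination_date
            findings.append(Finding(acct.username,
                                    f"enabled account of terminated employee {owner.name}",
                                    days, used_after))
    return findings


def sample_findings() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile_access(HR_RECORDS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in sample_findings():
        flag = " [USED AFTER TERMINATION]" if f.used_after_termination else ""
        print(f"{f.username}: {f.reason}; days since termination={f.days_since_termination}{flag}")
```

The "used after termination" flag is the one to escalate first: an enabled account is a policy gap, but a login after the leave date means the gap was actually exercised and belongs in an incident ticket, not just the audit report. Orphan accounts are reported separately because the fix is different (assign an owner or decommission) rather than disable.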
I agree with Wenlin. Good point raised. I have seen this happening in one of the organisations I have worked with. Not only employees but interns who were not permanent were allowed to use personal USB drives on their office laptops and computers.
In one incident, an intern was caught copying some important official data from a project onto his personal USB drive. So this is a big security concern, for which personal devices should not be allowed on the premises of the organisation.
-
Rightly pointed out, Shahla. But just to say your point in a different way, employees are not the weakest link; rather, they can be the weakest link in an organisation if the organisation doesn't have good security policies and standards.
I would like to quote an example to explain my point. I would differentiate the experiences which I had with two of the organisations I have worked for. In my first organisation, security policies were strong, and employees were not allowed to enter the premises of the organisation without their IDs or with any kind of personal device such as pen drives. For this reason, the environment was secure enough against any kind of security breach that may lead to data leakage.
On the other hand, at one more organisation I have worked with, there were some interns who were temporary, and for the three months they worked, they were not issued any IDs. They used to enter the office zone by just making an entry in the register. Also, all the employees were allowed to bring any kind of personal device. In this way, due to weak standards and policies, this organisation was vulnerable to any kind of security breach from the employees' end.
-
I agree, IT systems in general are merely tools used to make business processes run quicker and smoother. IT itself can never cause any harm or damage to the business. It is usually the human operating the IT systems who will cause harm. As you mentioned, employees who are negligent towards IT are one of the main reasons for data breaches in an organization. This can be avoided by fostering proper IT awareness and culture within an organization. This will tremendously reduce the risk of IT failures internally.
On the other hand, in order to avoid external breaches, the employees responsible for IT within an organization should always be aware of their own IT system's security. They have to constantly update and audit their own system to prevent external intrusions.
-
I agree. It is crucial to have the entire company invest in information security. There needs to be cross-department collaboration to successfully implement the company's information security plan. It definitely is a technical issue as well, but that is the part of the company's plan that directly affects the company's business and its ability to conduct business most efficiently.
-
I agree with Mengxue, information security is a technical and a business problem. An information security problem such as a data breach will cost the company not only economic loss, but also the company's reputation. You said information is hard to control and protect because people can access it. It very clearly shows that company managers should pay more attention to this part and need to spend more to reduce the risk; that's why we say information security is not just a technical problem but also has to be treated as a business problem.
-
At the two companies I have worked for, all employees (in all departments) were required to take training on “Safe computer use”, IT security, etc. The training went through many of the same things as the video and had the same corny jokes too haha! It was definitely needed though and I think it definitely did help a lot of the employees that were not in the IT department. I think along with this, putting controls in place to safeguard and make sure that employees are practicing what they were trained on is important to success.
-
I agree with your opinion that information security relates to both technical and business problems. You mentioned the potential risk of an information leak because of authorized access issues. If management barely has a basic understanding of technical operations, they might underestimate the importance of protecting information assets. Without an effective control environment, the organization may be hacked through ineffective information security protection, which may cause a huge loss of the organization's information assets.
-
Good point on mobile device management (MDM). Indeed, mobile devices have potential data-leak risks that include personal information or even sensitive business documents. If a mobile device with internet connection information is stolen, a remote attacker may gain access, replace the firmware on a device like a router and take complete control over it. Therefore, MDM is very important to enhance information security in an organization.
-
Paul,
I completely agree with you. I would say that information security is both a technical and a business problem. The two entities overlap in many instances within an organization and must conjoin together to frame and solve the information security problems at hand. Even though in some instances the issue may start off as a technical issue, eventually it will protrude/evolve into a business problem, and vice versa.
An example being:
- leaky repositories: firewalls are implemented to prevent intrusive hacking, yet information doesn't only live in the digital environment but also in the business environment as a hard physical copy.
-
Laly,
Exactly. While physical copies of information might not be as easily accessible, they are still controlled as well with physical security. For large organizations, you have security monitoring who enters and exits the buildings, as well as file rooms where the entrance to the room is locked by each department. Not only that, many companies try to implement a clean desk policy where all important information should be stored and locked when the employee is not at the desk. In fact, when I worked my Internal Audit internship, two of the auditors performed a walk-through of the building just to see what exactly they could find that was out in plain sight. Unfortunately, too much information was left out in the open and corrective actions had to be made. This is another example of how securing information is not only a technical problem but a business problem as a whole.
-
Paul,
You bring up a really good point that all information security is a business problem but not always a technical problem. You provided the example of a non-technical problem that can affect information security, namely how a natural disaster can affect a data center. Another example could be a disgruntled worker who remains working for the organization and has access to information, and decides to steal that information either to sell it or to damage the organization. No amount of technical knowledge could identify who is a disgruntled worker or not; therefore this would fall under a business problem.
-
Great post, Tran!
I completely agree with you that if the latest and best security technology is being employed, it does not mean you are 100% safe. The new technology of today will become obsolete one day soon. Companies need to keep an eye on zero-day attacks because they are hard to detect even by the newest security.
When I was taking the cyber security class, I was taught that "people" are the weakest element because they like to click on insecure emails or websites and increase the probability of getting hacked. Only training sessions can really help people learn how to protect the organization from malware and viruses.
-
Information security is a technical problem and a business problem, and every individual must be involved in the solution.
The technical problem lies with the equipment and network infrastructure. The proper system configurations, authentication, policies and security must be checked and tested on a regular basis to ensure proper functionality. It is a business problem because the business's reputation is on the line. The business must protect all sensitive information to give not just the shareholders but also the stakeholders peace of mind. A security breach could ruin the reputation of an organization and raise doubt about using technological equipment from the company, from an investor, employee and customer aspect.
We can't be passing the buck or keep saying, "it's not my problem". One of my favorite quotes from a movie is, "Information is the most valuable commodity in this world". I may not agree with the character who said this, but I do agree with the statement. Information is very valuable to many people and it needs to be protected by technological and business best practices.
-
Haozhu,
I strongly agree with you. There is a need for managers to proactively include information security in their risk management plan and make sure it is aligned with the organization's objectives.
-
Ahbay,
I completely agree with your point that the human factor is one of the biggest issues for information security. Every business is different, so an organization's security needs to align with its business goals and strategy. How to defend information from a data breach is a technical problem. However, if the company loses its most valuable data, it will lead to a business problem such as loss of revenue, reputation and goodwill. A company should invest heavily in its internal training for those unsophisticated employees, or the company can perform background checks before recruiting to ensure the employees have basic security training and knowledge.
-
Yu Ming,
Yes, and in addition to training and workshops, I firmly believe that there has to be a mechanism in place that checks if the training is updated, and in order to keep the employees updated, there should be half-yearly or even quarterly security workshops set up by the IT team.
-
Rightly pointed out, Amanda. I too believe that it all comes down to human behavior. Even though an organization implements the highest security standards, if the employees are ignorant and are putting passwords on sticky notes, then there is very little that standards and policies can do.
In my internship experience, even a top-level executive had a habit of putting his NetSuite ERP access information on his keyboard. And I agree, the mindset has to be changed, and employees need to realize that not just the company's information is at stake; it is also going to affect their identity.
-
Paul, that's a great point. I'm glad you guys agree with my stance. I think that it's very easy for people that work in IT to start viewing things with tunnel vision, when it's absolutely critical that they keep an open mind and think outside of the box when analyzing problems or trying to determine where their vulnerabilities may lie. This is why social engineering is always a big part of any penetration testing that I sold through Verizon. It's also definitely one of the most interesting subtopics under the overall umbrella of IT/IS security posture.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both?
Explain the nature of the vulnerabilities ITACS students represent in the context(s) you chose.
-
In my opinion, ITACS students do represent information security vulnerabilities to Temple University, and Temple represents information security vulnerabilities to ITACS students as well.
Based on the readings, information security vulnerabilities can be found anywhere, in anyone and at any time. First, Temple students can access secured and sensitive information more easily through internal means. For example, an ITACS student studying at Temple University has access passwords and codes for some rooms, software and public laptops, etc., so he could steal some of Temple University's sensitive information by accessing it from the internal network through these means, and Temple would lose its secured and sensitive information because this ITACS student used an internal route, whereas outside people would have to use an external route, which is harder. Second, the trust of a professor could also be an information security vulnerability. If a person has the trust of a professor, the professor may behave negligently by allowing this student to access accounts that students are not allowed to use. For example, if a professor wants to show something through his account and the student is there watching the professor access the account, the professor may act negligently by typing his account name and password in front of this student, and the account may be stolen easily. Third, students or professors may behave badly and collude with classmates and friends to steal Temple University's information. The possibility of this is tiny, but I think it can also be considered an information security vulnerability to Temple University.
In addition, Temple University also represents information security vulnerabilities to ITACS students in several ways. First, Temple University experts who control sensitive information about students and colleges may behave negligently and make operational errors that expose information. Second, upper management of Temple University could also behave badly if the person is angry or criminal. Third, a change of MIS department dean or upper management may also bring some information loss and errors, because when the previous manager leaves, he may not have handed over everything (information, account passwords, or secret system controls) to the new person.
-
ITACS students and Temple University both represent information security vulnerabilities to each other. Temple University stores Personally Identifiable Information (PII) of each student, which includes grades and financial information, and in some instances health-care information. A data breach at Temple University could target students' social security numbers, personal banking account information, and medical information if a student is enrolled in a university-sponsored plan. Temple University stores large amounts of sensitive information about students, which creates an attractive target for cyber criminals. Medical identity theft is a growing exposure for Temple University because medical information is more lucrative than financial information. Not all students enroll in the sponsored plans, but some do, and others may use a medical service during their tenure at Temple. Students trust the university with sensitive data, which poses a risk to Temple because it is now responsible for safeguarding the data.
While Temple represents vulnerabilities to students, students also pose security risks to Temple. The university must create a TUportal account for every enrolled student, from which campus computers and many other university services are accessed. There are over 30,000 students at Temple University, not including faculty and staff, which is a lot of accounts to monitor. Any student can find a flash drive on the ground and then immediately connect it to a campus computer to download documents. Flash drives can contain viruses and malware that can potentially spread to the network from a single access point. Prevalent use of removable storage is an important security vulnerability to Temple. Students can also access file attachments through email on the university network. If an attachment is infected with malware, it can now spread to the computer and then the network. It would be difficult for Temple to limit access through the network because many departments rely on online software, require students to submit work online, and need to access data themselves. The same methods that are used to augment student academics also increase security vulnerabilities.
-
I think everyone at Temple University represents information security vulnerabilities to Temple University. In fact, ITACS students and regular students do more than send emails while on Temple's internet connection. Even though the university blocks some sites, it does not stop students from going to insecure sites. I have seen some students shopping on the school computers. Somebody can voluntarily or involuntarily download a virus onto the computers or the network.
Also, the laptops in the MIS labs in rooms 602 and 603 are not really password protected, as everyone knows the password. The only real credentials you need are your TU access username and password for the Wi-Fi. Once again, an ill-intentioned individual can take advantage of this system. He/she can do bad things without being traced.
Temple University and its third-party partners can represent information security vulnerabilities for its students. What will happen if someone can hack the university system? In fact, some students have received phishing emails asking them to provide their passwords. The university system contains a lot of sensitive information like medical records, payment information… If there is a data breach, more than 30,000 people will be affected.
-
I believe that when we are entering any account, we might have a lot of people around, and we do enter our credentials in front of them. That is the reason why passwords are masked.
I agree with your point that eavesdropping can happen. Hence, being alert while handling sensitive data is important.
-
ITACS students represent vulnerabilities to Temple university and vice versa.
Both entities have access to confidential and restricted data of each other.
Vulnerabilities that students bring in:
1. The university provides Wi-Fi to all students. The laptops and mobile phones via which they connect to the Wi-Fi are a door for hackers to plan wireless network attacks, e.g. denial of service, man in the middle, eavesdropping on the Wi-Fi. If data is not encrypted, the payload is exposed and a sniffer can capture emails, passwords, etc.
2. Students have access to confidential university data. If a student does not follow basic security practices, university data like the university intranet, contacts of faculty and other students, and university news and event details is under threat.
3. Students have access to course work, assignments, lectures and PowerPoint presentations, which are IP of the university.
4. Students can bring in visitors, and if visitors have malicious intent they can cause harm.
5. If students use illicit software to develop university software, it can cause huge damage.
How student data is vulnerable while it resides on university servers:
1. University servers on which student confidential and restricted data resides can be prone to data attacks, e.g. student personal identifiers (SSN, address, contact numbers) and financial details like bank details, transactions, etc.
2. Student grades, resumes, photographs and medical information are also with the university. Data is present with the university not only in digital format but in the form of paperwork, which is easily vulnerable.
-
Am I the only one unable to enter an answer to the other questions?
Anyway, below is question 2 and my answer:
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is not only a technical problem but also a business issue. It is true that for an organization to be very secure, some software and hardware may be needed to protect the assets of the company. However, as the book (Vacca) mentioned in chapter 1, thinking that information security is only a technical matter is a myth; "firewall […] antivirus program …are just some of the tools available to assist in protecting a network and its data" (p. 9). In fact, most of the time employees are the main reason why there are data breaches in organizations. A lack of awareness and training on information security can lead to severe losses for the organization.
Similarly, failure to immediately terminate former employees' access to data can potentially be dangerous for a company, especially if the former employees work for competitors. Security measures can be implemented, but the human factor must be taken into consideration. Management should educate employees about their impact on security programs. That is why, in addition to being a technical issue, information security should also be seen as a business problem that must be solved to prevent tremendous risks.
-
I agree with Priya. Temple represents information security vulnerabilities to students because it holds sensitive data about us, such as social security or bank account numbers. Should a data breach happen, we will all suffer the consequences.
-
Said made a good point here. Temple University's system doesn't seem to be well protected, and I'm not sure that all students are aware of the importance of information security. I personally went a couple of times to the computer lab and witnessed students watching movies on third-party websites, shopping or networking on social media. Logically, one would think that an ITACS student is aware of information security and should be careful. However, that is not always the case. Human beings can be negligent, and this is why students represent information security vulnerabilities to Temple.
-
Good point, Alexandra. While doing activities like online shopping or online banking, a cross-site request forgery attack can be launched. CSRF is a combination of social engineering along with.
It becomes easy to launch a CSRF attack when user session cookie details are stored, e.g. IP address or credentials. The server will not know if it is a forged request.
Sometimes an attack can be launched with a hidden image which executes while the page is loading. The user does not notice the difference. If credentials are already stored by the browser, it becomes easy to authenticate.
-
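The forged-request scenario described in the comment above, as an added example that is not part of the original discussion: a state-changing "transfer" handler that trusts the session cookie alone, beside a hardened version that also requires the request to come from the site's own origin and to carry a per-session anti-CSRF token. The site origin, session store, Request object, account balances and handler names are all constructed for illustration and are not from any real application.

```python
"""CSRF on a state-changing endpoint: cookie-only handler beside a hardened one.

Added, framework-free example. The site, the session store, the Request
object and the transfer handlers are constructed for illustration and are
not from any real application.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"        # assumed origin of the legitimate site
SESSIONS: Dict[str, dict] = {}              # session cookie value -> session state
BALANCES: Dict[str, int] = {"alice": 1000}  # constructed account data


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the server receives it."""
    cookies: Dict[str, str]
    headers: Dict[str, str]
    form: Dict[str, str]


def login(user: str) -> str:
    """Create a session; the returned value is what the browser stores in the cookie.
    A fresh anti-CSRF token is bound to the session at login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> Dict[str, str]:
    """Hidden fields the legitimate transfer page embeds. Only a page served by
    SITE_ORIGIN can read this token, so an attacker's page cannot copy it."""
    return {"csrf_token": SESSIONS[sid]["csrf"]}


def _session_for(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("session", ""))


def _request_origin(req: Request) -> Optional[str]:
    """Origin the browser reports for the submitting page. The browser sets the
    Origin header itself, so a web page cannot forge it; Referer is the fallback."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    ref = req.headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def transfer_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone. A hidden form on any other site can
    submit this request and the browser attaches the cookie automatically."""
    sess = _session_for(req)
    if sess is None:
        return "rejected: not logged in"
    BALANCES[sess["user"]] -= int(req.form["amount"])
    return "transferred"


def transfer_hardened(req: Request) -> str:
    """Same action, but the request must come from our own origin AND carry the
    per-session token, compared in constant time."""
    sess = _session_for(req)
    if sess is None:
        return "rejected: not logged in"
    if _request_origin(req) != SITE_ORIGIN:
        return "rejected: cross-origin request"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return "rejected: missing or invalid CSRF token"
    BALANCES[sess["user"]] -= int(req.form["amount"])
    return "transferred"


def demo() -> Dict[str, object]:
    """Replay a legitimate submission and two forged ones against both handlers."""
    sid = login("alice")
    cookies = {"session": sid}  # the browser sends this on every request to the site
    legit = Request(cookies, {"Origin": SITE_ORIGIN},
                    {"amount": "50", **render_form(sid)})
    # Auto-submitting form (or an <img> tag) on the attacker's page: no token,
    # and the browser labels the request with the attacker's origin.
    forged = Request(cookies, {"Origin": "https://evil.example"}, {"amount": "500"})
    # Defence in depth: even a same-origin request is refused without the token.
    no_token = Request(cookies, {"Origin": SITE_ORIGIN}, {"amount": "500"})
    return {
        "vulnerable_forged": transfer_vulnerable(forged),  # money moves
        "hardened_forged": transfer_hardened(forged),
        "hardened_no_token": transfer_hardened(no_token),
        "hardened_legit": transfer_hardened(legit),
        "alice_balance": BALANCES["alice"],  # 1000 - 500 (forged, vulnerable) - 50 (legit)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks are independent layers: the origin check stops the classic hidden-form and hidden-image submissions, and the token check stops anything that lacks the value only the site's own page can read. Setting the session cookie with the SameSite attribute (Lax or Strict) is a third, browser-enforced layer that keeps the cookie from being attached to cross-site requests in the first place.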
In my opinion, ITACS students represent vulnerabilities to Temple University and vice versa. Temple ITACS students are vulnerabilities to the university because they are constantly logged into the system and are active users, and therefore their actions while on the system affect the university directly. The users' ability to navigate the web without domain regulations not only contributes to but enables threats such as malware, which may affect the computers' operating systems and the protection of personal information. However, the students aren't the only ones who present vulnerabilities; the university has an abundant amount of personal files of its students and employees, which can be accessed through hacking and software breaches. Thus, the various vulnerabilities that are the result of ITACS students and the university are subject to human error. Human errors affect both entities as a whole, and therefore they are both to blame for vulnerabilities.
-
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both?
Explain the nature of the vulnerabilities ITACS students represent in the context(s) you chose?
I do believe that ITACS students represent information security vulnerabilities to Temple University and the other way round.
Some vulnerabilities that ITACS students may bring in to Temple:
1. Computer hardware that students bring in, such as flash drives or laptops, may contain viruses that could infect Temple's systems when the hardware connects to Temple's computers or Wi-Fi.
2. ITACS students will eventually learn how to hack. A student may attempt to try their newly attained skills on Temple's computers or sites, which may or may not cause harm.
3. A student may accidentally download malware, spyware or a virus into Temple's systems when they visit insecure sites or click on suspicious links.
Some vulnerabilities that Temple may bring to students:
1. Temple University is host to all students' data and private information. Students can link their bank information in order to pay their tuition bills. Students' personally identifiable information such as SSN, contact information and address is all in Temple's database. This can make it a target for potential hackers.
2. Temple employees who have access to all students' data may not adhere to Temple's controls and may perform activities that increase the risk of security threats.
3. Temple employees may also be negligent when handling students' data. Wrong data may be entered, which may cause a chain reaction that affects the student.
-
I believe ITACS students represent information vulnerabilities to Temple University; on the other hand, Temple University represents information vulnerabilities to ITACS students as well.
As Temple students, we have access to Temple's Wi-Fi and computers. Anyone could bring viruses to Temple's network when he or she connects hardware such as USB drives to Temple computers. This not only damages the computer that has the viruses, but it will also spread the viruses to other computers in the school because they all share the same network. In addition, a student may accidentally enter a website when they click on links that they are not aware of. It is very essential that students have awareness of the websites they are viewing. In addition, one other vulnerability that students may bring into Temple University is that we all have access to Blackboard and the MIS Community site, and students are able to download or make a copy of any documents they have and share them with someone who is not a part of the class or even not a part of the Temple community.
Of course, Temple University represents information vulnerabilities to ITACS students as well. Temple has not only students' unrestricted and sensitive information, but also restricted information such as social security numbers, Temple University IDs, as well as billing information. The database in which Temple stores student information can become a major potential target for hackers.
-
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both? Explain the nature of the vulnerabilities.
ITACS students represent information security vulnerabilities for several reasons. The students connect different types of devices to the network (laptops, cell phones) that may not be secured and could potentially spread viruses, malware, smart dust, or a botnet across Temple's network proper. Students access the university-wide network and applications from their personal devices, opening the door for data leakage in case a student's device is hacked.
-
ITACS students are a great vulnerability to Temple University. Vacca points out that power users, in this case students who have just started an advanced program, may know enough to install software while ignoring security policies. Bad guys looking to exploit vulnerabilities will target these users to get access to a network (Vacca, 4). Unless all students undergo security training, some may not understand the significance of some policies that are in place. There have been times when Temple has had to send out mass emails warning of phishing attacks targeted at Temple emails, meaning that someone must have let something bad in at some point. Another vulnerability that students have is their passwords. Some students may make theirs very weak or save them in obvious locations. The requirement to change your password every few months may make Temple systems less secure, as students may lean towards easier passwords. An article I read a while ago showed how a hacker may try to decrypt hashed password files by comparing changes, knowing that the user is only changing theirs slightly (https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes).
Temple University is a security vulnerability to ITACS students as well. Large organizations are seen as more lucrative targets for cybercrime groups. Temple holds a lot of PII, and for some students PHI, which criminals can sell for a profit. Students need to trust that Temple is taking all the steps to keep their information safe. Is Temple conducting background checks on IT employees? Are they spending money on security as a priority? Does Temple require IT professionals to continue to learn as the security environment changes? The real list of what Temple has to do to stay secure is much longer than I can give here. The security issue is compounded by the multiple devices Temple must support. There are multiple buildings, multiple Wi-Fi networks across campus, and many new cellphones and tablets being hooked into the network every day. If a bad guy ever finds a way in, they can take a student's information and exploit it.
-
Agreed. Bringing in visitors may be a big concern for Temple University, because even though these people may be your friends, people's behavior is hard to see clearly.
Software development is also a concern. Universities are always developing new professionals for the world. So if these kinds of students want to try out their new creations, Temple's internal network and all Temple computers and laptops may be put at risk.
-
You are correct that Temple students are a security vulnerability to the university. On the other side, the university is also a security vulnerability to students. Temple stores a large amount of personal identifiable information on its students, from social security numbers to payment information and anything in between. Because the university has so many students and faculty connecting to its network with various personal devices, the university must be more vigilant in protecting its information. While students can bring viruses and other nefarious software to the university, the university has a lot more sensitive information about its students that if lost, would cost its students, and by result the university.
-
Your comment about larger organizations being more lucrative targets for cybercrime made me think about what a unique situation universities are in compared to other large organizations. In your average company, the employees are supplied with the devices that they will use to connect to the organization's network. At universities, students all have their own devices. Even at organizations that have bring-your-own-device policies, IT generally has some screening process for the personal devices that are allowed to be used. The university has no control over what devices students are connecting to its network. They can monitor the traffic and prevent a student from downloading malware while on the network, but if the student picked up the malware while on another network and then connects to Temple's network, Temple must have strong defenses in place to protect itself. Employees are also generally not downloading as many things from random websites on their work computers. People are generally more cautious with what they download onto their work computer than their personal computer. Since students are on their personal computers, they may be less cautious with what they download.
-
As a student it is easy to see how your information is at risk and take that side. Priya, do you think that the university is more at risk with all of the students on their network or do you think that students are more at risk that their information could be stolen and held for ransom?
I just hope Temple practices what its information security professors teach. I hope that Temple invests an appropriate amount to keep its students' data safe. I hope they invest in educating their employees and their students who are not in the IS field. I hope they have cross-department collaboration on this effort, because successful information security takes an "all-in" approach.
-
Hi Wenting,
I think you bring up some valid points as to how a data breach can be a problem with all the PII of students on the server. To go with that, restricting access to worker students is a huge issue too. For those say working in admissions, you need to make sure that access to PII is restricted from those student workers. Likewise, if students do have access to that information, you need to make sure that those student workers have the integrity to not steal that information or not be negligent enough to allow someone else access by not practicing standard computer security policies. A hacker can easily see a student worker as the weakest link and use them as an avenue to steal information.
-
I agree with you all. Not only ITACS students but everyone at Temple represents information vulnerabilities to Temple, and Temple represents information security vulnerabilities for all students as well, because Temple stores our sensitive data in its database, where it can be a target for hackers. Let's say "TUpay" got hacked; our payment card information, including our account numbers or routing numbers, may get stolen.
Temple should work with professors to offer workshops for students to learn about how to protect their personal information from being stolen at Temple.
-
Nice post Priya,
I just want to add some of my thoughts to your point 1. Temple provides Wi-Fi and printing services to all students. We can get access to the networked printing servers through Temple's computers or our personal computers by sending an email. It is easy, convenient and comfortable. However, the printer will store our documents on its hard drive, which can easily become a target for hackers. Some students even print their sensitive information at Temple. We often ignore and overlook the security vulnerability of networked printers. A hacker with malicious intent may hack the printing system if it is not encrypted.
-
Yulun,
Great post! It reminded me of an incident that happened in one of the dorms at Temple University. As you know, students living in dorms have access to "TURESNET," which is Temple's own network for its dorm students. One of the students had connected his Xbox or PlayStation to the network and he got into an argument with a player online. Turns out that the other player wanted to retaliate, and the Temple student's IP was tracked and there was a series of DDoS attacks, which disturbed Temple's network for a couple of days until they identified the cause. The student was not allowed to connect his Xbox/PlayStation to the network again.
This story was told by Prof. Larry Brandolph in the MIS intro class.
-
Ian,
Nicely pointed out. I think students are more at risk, and all personal or financial information might be stolen. I think these processes are not properly implemented and the network is properly secured!
-
Ian, I agree with Shahla.
I also think that as students, we are more at risk.
The reason is that Temple has a database that stores over 30,000 students' confidential data such as SSNs and bank information. If someone hacks into Temple's database, it will have a tremendous impact on students because all of their restricted information is stolen. In addition, Temple's reputation will also be ruined.
-
Wow! Inspired me!!!!! My professor in MIS 2501 (Mart Doyle) said before, you can always plug a cord into your apartment building's internet and see what your neighbors do. Trust me, the majority (like 99% of our students and professors) are still good to trust!
Thanks for sharing!
-
I was going to bring that study up but see you already mentioned it. I've seen other studies conducted where the percentage was extremely high. The one I'm linking below shows that the Department of Homeland Security found 60% of 'dropped' flash drives plugged in. I think people see them as if someone dropped a wallet and want to check to see if they can find the owner by identifying the files on the drive. If it's blank, it's like picking up a lottery ticket. People who have never heard of these risks will just plug it in to check to see if they've won.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Below are all the questions for this week. Pick a question to answer, and go to that
Questions:
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both? […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
In this course you will learn key concepts and components necessary for protecting the confidentiality, integrity and availability (CIA) of information assets. You will gain an understanding of the importance and […]
-
David Lanter wrote a new post on the site Temple Univ. ISACA Student Group 8 years, 4 months ago
The IBIT Report – Threats & Opportunities in Geographic Information Systems (GIS) authored by ITACS Director David Lanter provides an insightful history of the development of GIS and related technologies, out […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 7 months ago
DoD is about to be under siege from hackers – and it plans to pay – New Department of Defense Bug Bounty kicks off April 18, by Michael Morisy, WindowsIT Pro, March 31, 2016
The military is seeking the help […]
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
Principles and directives to create risk profile:
An organization’s information risk profile should include principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile. Principles include the following:
• Ensure availability of key business processes including associated data and capabilities.
• Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
• Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.
• Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.
Risk profile for the business would contain the following:
• Key risk areas (e.g., strategic, operational, project)
• Strengths and weaknesses of the department/agency
• Major opportunities and threats
• Risk tolerance levels
• Capacity to manage risks
• Learning needs and tools
• The organization’s risk tolerance, priority setting and ability to mitigate risks
• Linkages between different levels of risks (e.g., operational and overall departmental priorities, business and program risks, sector specific and department-wide)
• Linkages with management processes of the department
Business can use the risk profile:
• To identify potential risk areas and work on them.
• To classify the data (confidential, proprietary and internal use only, public).
• To identify the key business processes and capabilities which, if impacted negatively, can cause material impact to operations.
• To identify stakeholders which are important in making risk management decisions.
• All this information if combined and effectively leveraged can be used in aligning business requirements with the expectations.
I agree with you. A small corporation using the risk profile should focus on these aspects:
• key external influences on your business, e.g. political, social, legal
• key internal influences, e.g. organisational objectives
• risk management context, e.g. risk management requirements, objectives, timeframes
I would go about creating the information risk profile by conducting interviews with owners / employees to understand:
1. What the business does
2. How it sustains a competitive advantage
3. Resources utilized to sustain the competitive advantage
4. What would happen if one or all of the resources were compromised?
The information-gathering sessions with owners / employees will help assign a value to each IT resource. The value assigned will give us a starting point to budget for the risk-mitigation solutions.
The risk profile would include ISACA’s Key Elements of an Information Risk Profile, which gives a few options I would include on structuring an effective Risk Profile
1. Guiding Principles and Strategic Directives
This information discloses the key business processes, identifies the risk and evaluations of threats, risk-mitigating controls, and budget for risk-mitigation.
2. Information Risk Profile Development
Information on how the profile was created. Will reference those included in developing the Risk Profile
3. Business-State Representation of Information Risk
The Business-State Representation is the current-state of the IT environment. The information will outline the risks with a reasonably high probability of occurring.
4. Future-State Objectives and Requirements
The Future-State identifies the organization's ideal state of IT risk management and tolerance. The information will show the procedures in progress, a summary, timelines, and the expected level of risk reduction.
5. Key Business Processes & Capabilities
A list of key business processes and capabilities which could severely impact the organization, and the risks for each process.
6. Key Data Elements
The Key Data Elements often include intellectual property, financial data, customer data, and other sensitive data assets.
7. Identification of Data Owners & Stakeholders
This information is used to assign ownership to company data. Assigning ownership provides key duties and responsibilities for each manager, and helps evaluate the solution.
8. Identification of Business Value
The Business Value is a perception of what a company's data is worth. The general rule is that securing the information should never cost more than the value of the information.
9. Data Classification Schema
This Schema categorizes the control objectives and requirements on data-handling. It should be simple and easy to understand for managements review.
10. Risk Levels and Categories
The Risk levels & Categories places each risk into separate levels and/or categories to provide a scale to represent the business impact for each risk. Risk Levels are broken up into the standard: High, Medium, Low. Risk Categories are broken up into Confidentiality, Integrity, Availability.
The business should use the Risk Profile to understand the risks associated with the critical business functions, the value of the critical functions, the severity of the risks, how you plan on mitigating the risks, and who will be responsible for each risk. It should be used as a guide and should be evaluated to determine its success and whether its risk-aversion solutions are cost effective.
http://www.isaca.org/JOURNAL/ARCHIVES/2013/VOLUME-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx
Great explanation Deepali and I completely agree with your suggestions. The data obtained through the risk identification process makes it possible to create a risk profile and then prioritize the various risks and profile categories. The profile exposes the gaps in a company’s ability to manage its risk across the spectrum of potential exposures such as legal, political, economic, social, technological, environmental, reputational, cultural, and marketing. Ranking in this situation shows the comparative importance of the risk, including the probability of threats and vulnerability and the probable business impact.
Right, Magaly. Based on the ranking we can define the impact of the risk as:
Catastrophic, Major, Moderate, Minor and Negligible.
Based on the above identification we can make a decision on its safeguard procedures and mitigation plan.
Deepali, thanks for sharing.
I think you have a very good list of principles and directives to create a risk profile for a small start-up company, of what a risk profile for the business contains, and of the purpose of the risk profile, including what it is for. In order to have an efficient risk profile, I would suggest scheduling appointments with employers to go over the background of the company to have a better understanding of the organization's environment.
Great answer, Deepali. As we are talking about start-ups, there will be two major factors that the company has to keep account of: one is expenditure on risk mitigation and two is establishing a security framework.
The risk profile will help the start-up understand the picture from a broader perspective and help management in creating awareness.
Generally start-ups have budgeting issues, and they will need to understand the tolerance level and determine how to prioritize risk handling.