Friday, November 9, 2012

The paranormal side of privacy and security


I struggled to come up with something to write about for this week’s blog. I did several searches online for information security and related topics, but nothing jumped out at me. So, I decided to write about something that came up last night that got me thinking about everyday personal security and privacy. I am co-founder of a local ghost hunting group, and we just accepted three new members into our organization last night. We take what we do seriously because we go into people’s private homes and wander around in the dark unsupervised. There is a high level of trust these individuals are placing in us when they let us into their homes to do this. This means we have to choose new members carefully because they are going to be representing us. We need people who are going to respect the homeowner’s policy regarding what we see in the house (not just paranormal – we’ve seen some really hot stuff that people have).

The most important thing is safeguarding the person’s privacy. Most of our clients are genuinely scared of whatever activity is going on in their home, and we are often their final attempt at a resolution. The very last thing they want is someone blabbing about the fact that they think they have ghosts in their house or business. Fortunately, we are able to debunk probably 75 – 80% of activity as everyday stuff like doors that don’t latch properly or plumbing noises, et cetera. Even though that is the case, it still doesn’t mean that they want word to get out. The reason it’s so important to them is that it can affect how they are perceived by others. In the case of a business, it can cost them money if customers hear that the place is haunted, or that the owner is a little “off” for thinking it might be haunted.

So, we teach our new members to speak generically when telling investigation stories. Instead of saying something like Bob’s house in Central Omaha, we would just say a house in Omaha. It may seem like a small thing, but it really matters to our clients. The case files and pictures on our website are labeled in the same generic way (unless the home or business owner has given us permission to use their names, like Mystery Manor or the Squirrel Cage Jail in Council Bluffs).

Friday, November 2, 2012

Disaster Planning


I was initially going to do a post about Mac versus Windows and the ease of establishing VPNs for this week’s post. It’s a topic that would have tied into the general theme that is kind of present in my previous post, but Hurricane Sandy got me thinking about disaster recovery from a business aspect. After I read the article in the link below, I was especially interested in this topic. So, join me on my deviation, won’t you?

DTCC is a company I have worked closely with for years, and their location in lower Manhattan was directly in Sandy’s path. The wall to their vault where they store the stock certificates borders the East River, so their lower levels are underwater and they are still unable to go in and assess the damage. Here is the first sentence from the article: “trillions of dollars worth of stock certificates and other paper securities that were stored in a vault in lower Manhattan may have suffered water damage from superstorm Sandy.” As of Friday, they have been able to reopen and now accept physical securities deposits at an alternate location in Brooklyn. This means that clients will be able to trade on the physical securities that have been deposited to their brokerage accounts. This is important because clearing firms can once again conduct this business as normal. Unfortunately DTCC is still unable to process settlements, which means clearing firms are unable to settle trades based on the physical certificates already in DTCC’s custody. This runs into regulatory and delivery issues that, at this point, I’m not sure how we will work around. I assume FINRA is going to grant exceptions and waive the extension fees that would normally apply, but that is something that will take a lot of planning and communication to all the broker/dealers.

My point to all this rambling is this. While DTCC’s disaster planning and recovery plan has obviously gone into effect, there has been a trickle-down effect that has created immediate consequences for businesses here in the Midwest, very far from any kind of physical storm damage. There is no primary disaster plan for the company to put into place in this situation, but we still have to react and create new policies based on the East Coast conditions. There are workarounds to using DTCC as the primary certificate processing facility, but it is a lengthy and sometimes more expensive alternative. I guess the purpose of this writing is to bring up the fact that just because the company does not directly suffer any kind of disaster or damage, the planning team still needs to take outside factors into consideration. They need to plan for alternative ways to conduct business if one of our primary partnerships loses the ability to operate.



Thursday, October 25, 2012


I don’t have an article to reference for this week’s blog post because I want to talk about something that happened at work this week. It turned out to be a non-event, but the level of awareness (or lack of it) has me concerned. Here’s what happened:

I start work later than most of my department, so by the time I come in everyone is usually busy and getting things done. When I got in the other day, everyone was milling about and talking, so I knew something was up. They told me the phones were down so we couldn’t do anything. Shortly after that the network went down as well. My first thought was, “could this be the result of some kind of an attack?” When I asked this question of my co-workers, I received a range of looks from confusion to disbelief. I don’t work in the technology department, so I understand that an attack might not be the first thought people have. But, what I found surprising is the fact that they wouldn’t even consider it as a possibility. Some people thought no one would be interested in attacking us; others thought an attack wouldn’t affect our internal network. I pointed out that neither of those things was necessarily true, but no one was interested in discussing it.

Like I said earlier, this turned out to be a non-event, but I’m disturbed by the fact that no one even considered the idea that we could have been attacked. I think it comes down to a training issue. Even though we aren’t a tech department, I think we would benefit from a training program that would address threats and the fact that the company could be a target. I don’t mean to sound like I’m judging my coworkers – I’m not – but I think there needs to be a higher level of security awareness. It comes down to this: if employees think a company wouldn’t be a likely target for attack, how can you expect them to follow the security rules in place?

Friday, October 19, 2012

Access Control and Training





In the chapter we read this week, the book referred to access controls. There are two sides of this: the electronic and the physical. Naturally, the electronic access controls are going to address what systems and information can be accessed by which users. While that is a topic that would sustain its own lengthy conversation, I want to focus on the physical side of access control, specifically some of the dumb reasons why people I work with think it shouldn’t apply to them. I know that sounds like a negative statement, but seriously, it’s one of my pet peeves. Physical access control has been a factor in most of my adult working life: first in the military, then in my career within the financial industry. Maybe it’s due to my time in the service that it doesn’t bother me now, but it really seems to be a hassle for some people to grasp the importance of it.

I work in a building which requires that we have badge access not only for the building itself, but to get into my specific department. The entry points and key areas within my office are monitored with security cameras, and there are additional measures that I’m not going to discuss for security reasons. All of this security is because we work with a lot of high-value and very portable assets. If someone were to run off with one of them, it could literally cost the company millions of dollars. All of these controls make sense to me, and I understand the reasoning behind the need for them, but I’ve heard people complain about them daily. Here are some examples of the complaints from just this week: “Do I really need to wear my badge everywhere?” “I should be able to have people visit me in the office if I want to – other departments allow it.” “It’s a violation of my rights for them to record me coming in and out of the office.”

First, is it really that much of a hassle to put a badge on your belt loop, or to talk to your friend over chat instead of having them come to your desk? That one I understand can be a little bit frustrating when you can just walk into other departments, but the no-visitor policy does reduce the risk of lost assets. And lastly, a violation of your rights? Seriously? How do you survive going into a mall? Or a gas station?

Enough of the rant. I think a lot of the issues in access control compliance come down to training. A company can deploy risk management policies all day long, but if employees are trained in how the procedures relate to their daily work, they are going to understand why it’s so important. According to DiversifiedRiskManagement.com, “probably the simplest and most cost-effective precaution one can take is to see that every employee is involved in maintaining a safe and secure work force and work area, and through employee awareness training and empowerment of the workforce to get involved in daily security at work, even the most skilled intruder can be stopped in his tracks.” I think this statement nails the solution to the problem of getting employees to follow risk management procedures.



http://www.diversifiedriskmanagement.com/articles/access-control.html

Saturday, October 13, 2012

Career Thoughts


I had a weird week. I spent some time in the hospital, and whenever I was trying to do homework someone would come into the room and ask me what I was studying. This resulted in my having the same conversation several different times with different people. I would explain that I am enrolled in a cyber security degree program. This would invariably get the reaction, “I didn’t know that was a job.” I told them it is and what the program was about, and that I hope to get a job as a civilian contractor once I graduate. If I’m lucky enough to do this, it means I can apply my active-duty time towards a government retirement. Even though this has been my plan all along, I got to thinking about other possibilities for a career in cyber security. Since there’s nothing else to do in the hospital other than daytime TV, I did some research on the web and came across an article in which the interviewees complained about the lack of inspiration in their government jobs.

The article interviewed a couple of different individuals who work in a cyber security capacity for the government, and both called it boring and unimaginative. They talked about how regulated the environment is, and the lack of access to the computers they are actually protecting. They went on to talk about the restrictions they face when it comes to the type of security programs that can be applied. The article said that individuals working in cyber security for the government were essentially acting as gatekeepers who spent their time explaining to people what they can or cannot do and ensuring that they either do or don’t do it. There was nothing in this article that sways me from my original goals.

After my years of working in Air Force Intel, I’m very well aware of government bureaucracy and what kinds of restrictions they place on various points of access. For example, I remember the IT guys coming into our secured work space, and every time they did, we had to secure the classified and bring everything down to zero before they could be escorted in. It was an Airman’s duty to watch them like hawks in case they found any kind of loose paper, or anything that could potentially be classified. If they did come across something, we were actually instructed to grab it out of their hands before they could look at it. So yeah, I think I am prepared to face restrictions over what I can or cannot access.


Saturday, October 6, 2012

Poster Thoughts



Even though it’s off-topic from previous posts I’ve made to this blog, I decided to just do a Google search for information security posters to see what comes up. And, there were a lot of examples. Some of them were quite clever, and got their point across using just visuals with very little commentary.

For example the “Take it From Red” poster raises awareness about social engineering, and the different forms the threat can take. It uses figures that are immediately familiar to us, and places them into a security conscious context.


Another poster I thought was very effective raised awareness of emails and attachments. It’s simple, grabs your attention, and gets the point across through a combination of graphics and a few words. It is something that you can read on the go, and immediately understand the message.


Then there were others, like the “only the strong survive” poster, which initially grabs your attention. But then I was so busy trying to figure out what cheese has to do with the message that I really didn’t pay attention to anything else in the poster. Sometimes being too clever gets in the way of your message.


Generally speaking, I’m in favor of using animals to make a point, but I didn’t understand this one at all. It asks “is your identity in safe hands?” and then says “security is everyone’s responsibility.” Good question at the top, but the following statement is a non sequitur. And where does the dog in the pink wig come in? It makes no sense to me.


Of course this is all just my opinion, because different graphics are going to stand out in different ways to different people. These are some examples of what either did or didn’t appeal to me.


Sunday, September 30, 2012


The article I chose for this week’s blog is called “Taking the cyber attacks threats seriously,” and it talks about some of the large-scale dangers that hackers pose to the United States. In the op-ed piece, President Obama specifically talked about the dangers to our infrastructure. He talks about the need for legislation that strengthens cyber security practices, and makes it easier for governments to communicate with companies, or vice versa, regarding specific threats. I think this is a good idea. It would require industries to meet a certain minimum, and establish protocols for threats. Once the new policies are put in place, it would eliminate confusion over how to proceed in the event of an attack. The forward planning would potentially reduce the damage inflicted, and create a shorter timeframe for recovery.

Not only would companies be better prepared in the event of an attack, they would be better prepared to prevent an attack. If there were some kind of legislation that required a minimum standard, some companies may not have to do anything, but others may have to adjust their procedures to conform with the new policies. Even if a hacker overrides whatever the new protocols are, the companies will be better prepared to manage the situation.



Saturday, September 22, 2012



The article I chose for this week’s post discusses the various internal threats faced by organizations to their information security. He listed 10 breaches that took place at an organization in which he was working, and labeled them “the oops.” Most of them are instances of actions which inadvertently affected the state of the company’s information security. For example, an executive who plugs his personal computer into the network and unleashes a virus, or a failure to remove a departing employee’s login from the system. He was later able to go back in and access information. Another example involved an IT member who purposely built a route around the firewall because the firewall was too difficult to maintain. This was in place for five years before discovery and manipulation by a hacker. The author provided some other examples of internal breaches, but the majority of items on the list were “oops.” These three incidents, as well as the others in the article, could have been avoided through awareness and skills training. He went on to list some other factors that may have caused “the oops” problems, such as “lapse in judgment, accident, mistake, sheer stupidity, full moon.” However, I think training, which leads to better awareness, would have been enough to eliminate the emergence of these situations. Except maybe for the full moon.

I think training in information security is critical. I worked for a corporation that was very conscious of not only securing the digital data, but the physical data as well. Over the last year, they instituted new practices and procedures for the protection of physical assets that, while a pain in the ass to follow at times, make a lot of sense. I’m not going to go into what the guidelines are, or how they were changed, because it is part of their internal policy. But back to the main point: we had to undergo a lot of training so that we could understand and practice the new rules. We were also trained on the repercussions if we failed to follow them.



Thursday, September 13, 2012

iPhone Thoughts


After all the recent news of the iPhone being hacked, naturally I was concerned about my own phone and whether or not I was going to pick up a virus on my phone. When I bought it, the Apple Store assured me that it would be difficult for any virus to take up residence on an Apple product, and the iPhone was no exception. They explained to me that as long as I purchased my apps through the App Store, it was going to be safe. All the apps that are approved by Apple have been checked for any kind of malware or anything that might cause damage to my phone. And that may be true, but what about viruses embedded in websites I visit? Or, what if I opened the wrong thing in email? When I did a Google search for iPhone virus, or iPhone 4 virus, primarily what I found was discussions among users answering their own questions. As for official answers, or what I would consider a reliable source versus some random person on the Internet talking about a virus, most of the responses are from Apple saying there are no viruses for the iOS operating system. And this makes me skeptical because there seems to be an air of complacency in those kinds of statements. In my opinion this borders on irresponsibility. Especially with the iPhone 5 coming out in a couple of months, more people are going to become iPhone users. Granted, many of the iPhone 5 purchases are going to be an upgrade from previous versions, but with the new changes others might be tempted to switch from their Android phones over to a new iPhone. Unless Apple starts taking proactive action to shield their phones and the iOS operating system, they’re going to learn the hard way how important protection is. I don’t want to wake up one morning and discover that my phone no longer works or that all my information has been compromised simply because there are no available safeguards.
I think the likelihood of something like this happening increases as Apple continues to gain more consumers because the more users they have, the more attractive and worthwhile it’s going to be for hackers to target them.

I don’t have any specific sources of reference for this post because it’s kind of an overview of several Google searches and what different individuals in the Apple Store told me. So this week’s posting is my opinion. It’s just something that’s been bothering me lately, especially in light of the news stories regarding the iPhone information being released.

Friday, September 7, 2012


I couldn’t come up with a topic idea for this week’s post, so I just checked what Google had to say when I entered “information security” in the search. Through a series of sub-searches, I came across the topic of Information Security Policy Definitions, which is basically a company’s rules dictating how to keep information safe. This made me think about all the different levels of information that need to be addressed when a company designs a program. I’m talking about information that is outside of the technology sphere.

First, there are the rules about what employees can say over the phone, and this is going to change according to who the caller is. For some callers, a whole series of account security questions needs to be asked, and for others, information can be released just by verifying the name. In some situations, no information can be given at all.

Second, there is the security of physical information. This includes paperwork that is no longer required and thrown away. Does it need to be placed in a secure recycle bin? Who has access to the bin, and how often is it emptied? Can it be shredded, or does it need to be burned? Then there are the documents a company needs to keep for a designated period of time. Decisions need to be made regarding how long it is kept, where it is kept (what kind of facility), and who has access to it.

Third is the security of digital information and networks. I’m not going to go into detail on this section this week because I will have more to say about it in a later post. This post is dedicated to the different kinds of security that need to be managed and protected.

When planning an information security program, there are a lot of different factors that need to be taken into consideration at all levels of the organization. It’s something employees need to learn and practice, and it’s something that needs to be constantly reviewed and updated as needed.

Sunday, September 2, 2012

Well, this was startlingly easy to set up as my first ever blog.  Here we go...

Every so often, I check in with the National Security Council's website to see what they have to say. The most recent posting opens with a sentence stating, "President Obama has declared that the 'cyber threat is one of the most serious economic and national security challenges we face as a nation' and that 'America's economic prosperity in the 21st century will depend on cybersecurity.'" I agree with this sentence, but I want to focus on the second half since this covers an arena with which I am most familiar due to my years in the finance sector.

I spent the last decade and a half working for an online broker/dealer, where security of our systems was paramount to our success. Not only did our tech department have to maintain a secure network, but those of us who used the network had to be mindful of our own security practices. A slip might cause a loss to the company, but the damage it could do to one of our clients could be potentially catastrophic. Or at the very least, the client might be faced with the annoying task of making sure their information is still secure in the event they are notified of a leak. I had to deal with this a while back when my information at UNO was hacked. It was a pain in the ass to go there and update my information and set up a watch on my bank account for unusual activity. But these are the things that face us all - we don't even need to be a factor in the online business performed by companies, because they deal with each other electronically. For example, I might have an account with Company X, who does online business with Corporation T, but T was hacked. So once again, my information was compromised. The last two examples are on an individual level, but if you take it up to the corporate level, where an entire company suffers an invasion, it could be devastating. Especially if one or more of the larger financial institutions in America is compromised.

This posting focused on the personal and financial aspect of the President's statement, but the same concerns can be said for the security of our government and military assets as well. Regardless of who you are, or who you do business with, cyber security plays a role in your life. Even if you're the guy storing money under your mattress, at some point you are going to do business with someone who performs an online transaction.

Taken from
http://www.whitehouse.gov/cybersecurity