Sunday, September 30, 2012


The article I chose for this week’s blog is called “Taking the cyber attacks threats seriously,” and it talks about some of the large-scale dangers that hackers pose to the United States.  In the op-ed piece, President Obama specifically talked about the dangers to our infrastructure. He talks about the need for legislation that strengthens cyber security practices, and makes it easier for governments to communicate with companies or vice versa regarding specific threats.  I think this is a good idea. It would require industries to meet a certain minimum, and establish protocols for threats. Once the new policies are put in place, it would eliminate confusion over how to proceed in the event of an attack. The forward planning would potentially reduce the damage inflicted, and create a shorter timeframe for recovery.

Not only would companies be better prepared in the event of an attack, they would be better prepared to prevent an attack. If there was some kind of legislation that required a minimum standard, some companies may not have to do anything, but others may have to adjust their procedures to conform with the new policies. Even if a hacker overrides whatever the new protocols are, the companies will be better prepared to manage the situation.



Saturday, September 22, 2012



The article I chose for this week’s post discusses the various internal threats faced by organizations to their information security.  He listed 10 breaches that took place at an organization in which he was working, and labeled them “the oops.”  Most of them are instances of actions which inadvertently affected the state of the company’s information security.  For example, an executive who plugs his personal computer into the network and unleashes a virus, or a failure to remove a departing employee’s login from the system.  He was later able to go back in and access information.  Another example involved an IT member who purposely built a route around the firewall because the firewall was too difficult to maintain.  This was in place for five years before discovery and manipulation by a hacker.  The author provided some other examples of internal breaches, but the majority of items on the list were “oops.”  These three incidents, as well as the others in the article, could have been avoided through awareness and skills training.  He went on to list some other factors that may have caused “the oops” problems, such as “lapse in judgment, accident, mistake, sheer stupidity, full moon.”  However, I think training, which leads to better awareness, would have been enough to eliminate the emergence of these situations.  Except maybe for the full moon.

I think training in information security is critical.  I worked for a corporation that was very conscious of not only securing the digital data, but the physical data as well.  Over the last year, they instituted new practices and procedures for the protection of physical assets that, while a pain in the ass to follow at times, make a lot of sense.  I’m not going to go into what the guidelines are, or how they were changed, because it is part of their internal policy.  But back to the main point, we had to undergo a lot of training so that we could understand and practice the new rules.  We were also trained on the repercussions if we failed to follow them.



Thursday, September 13, 2012

iPhone Thoughts


After all the recent news of the iPhone being hacked, naturally I was concerned about my own phone and whether or not I was going to pick up a virus on my phone.  When I bought it the Apple Store assured me that it would be difficult for any virus to take up residence on an Apple product, and the iPhone was no exception.  They explained to me that as long as I purchased my apps through the App Store, it was going to be safe. All the apps that are approved by Apple have been checked for any kind of malware or anything that might cause damage to my phone.  And that may be true, but what about viruses embedded in websites I visit? Or, what if I opened the wrong thing in email?  When I did a Google search for iPhone virus, or iPhone 4 virus, primarily what I found was discussions among users answering their own questions.  As for official answers, or what I would consider a reliable source versus some random person on the Internet talking about a virus, most of the responses are from Apple saying there are no viruses for the iOS operating system. And this makes me skeptical because there seems to be an air of complacency in those kinds of statements.  In my opinion this borders on irresponsibility.  Especially with the iPhone 5 coming out in a couple of months, more people are going to become iPhone users. Granted many of the iPhone 5 purchases are going to be an upgrade from previous versions, but with the new changes others might be tempted to switch from their Android phones over to a new iPhone.  Unless Apple starts taking proactive action to shield their phones and the iOS operating system, they’re going to learn the hard way how important protection is.  I don’t want to wake up one morning and discover that my phone no longer works or that all my information has been compromised simply because there are no available safeguards.
I think the likelihood of something like this happening increases as Apple continues to gain more consumers because the more users they have, the more attractive and worthwhile it’s going to be for hackers to target them.

I don’t have any specific sources of reference for this post because it’s kind of an overview of several Google searches and what different individuals in the Apple Store told me. So this week’s posting is my opinion. It’s just something that’s been bothering me lately, especially in light of the news stories regarding the iPhone information being released.

Friday, September 7, 2012


I couldn’t come up with a topic idea for this week’s post, so I just checked what Google had to say when I entered “information security” in the search.  Through a series of sub-searches, I came across the topic of Information Security Policy Definitions, which is basically a company’s rules dictating how to keep information safe.  This made me think about all the different levels of information that need to be addressed when a company designs a program.  I’m talking about information that is outside of the technology sphere.

First, there are the rules about what employees can say over the phone, and this is going to change according to who the caller is.  For some callers, a whole series of account security questions needs to be asked, and for others, information can be released just by verifying the name.  In some situations, no information can be given at all.

Second, there is the security of physical information.  This includes paperwork that is no longer required and thrown away.  Does it need to be placed in a secure recycle bin?  Who has access to the bin, and how often is it emptied?  Can it be shredded, or does it need to be burned?  Then there are the documents a company needs to keep for a designated period of time.  Decisions need to be made regarding how long it is kept, where it is kept (what kind of facility), and who has access to it.  

Third is the security of digital information and networks.  I’m not going to go into detail on this section this week because I will have more to say about it in a later post.  This post is dedicated to the different kinds of security that need to be managed and protected.

When planning an information security program, there are a lot of different factors that need to be taken into consideration at all levels of the organization.  It’s something employees need to learn and practice, and it’s something that needs to be constantly reviewed and updated as needed.

Sunday, September 2, 2012

Well, this was startlingly easy to set up as my first ever blog.  Here we go...

Every so often, I check in with the National Security Council's website to see what they have to say.  The most recent posting opens with a sentence stating, "President Obama has declared that the 'cyber threat is one of the most serious economic and national security challenges we face as a nation' and that 'America's economic prosperity in the 21st century will depend on cybersecurity.'"  I agree with this sentence, but I want to focus on the second half since this covers an arena with which I am most familiar due to my years in the finance sector.

I spent the last decade and a half working for an online broker/dealer, where security of our systems was paramount to our success.  Not only did our tech department have to maintain a secure network, but those of us who used the network had to be mindful of our own security practices.  A slip might cause a loss to the company, but the damage it could do to one of our clients could be potentially catastrophic.  Or at the very least, the client might be faced with the annoying task of making sure their information is still secure in the event they are notified of a leak.  I had to deal with this a while back when my information at UNO was hacked.  It was a pain in the ass to go there and update my information and set up a watch on my bank account for unusual activity.  But these are the things that face us all; we don't even need to be a factor in the online business performed by companies because they deal with each other electronically.  For example, I might have an account with Company X, which does online business with Corporation T, but T was hacked.  So once again, my information was compromised.  The last two examples are on an individual level, but if you take it up to the corporate level, where an entire company suffers an invasion, it could be devastating.  Especially if one or more of the larger financial institutions in America is compromised.

This posting focused on the personal and financial aspect of the President's statement, but the same concerns can be said for the security of our government and military assets as well.  Regardless of who you are, or who you do business with, cyber security plays a role in your life.  Even if you're the guy storing money under your mattress, at some point you are going to do business with someone who performs an online transaction.  


Taken from
http://www.whitehouse.gov/cybersecurity