Tuesday, February 25, 2014

CIS608 Final Post



During CIS608, I wrote on many different security topics.  The topics included training against phishing attacks, risk management, data breaches and risk management, wireless security, employee termination, training, acceptable use policies, the Target data breach and Google Glass.  During the semester I tried to write on a topic in the class or something that was big in the news at the time.  As the semester started, the two biggest topics that I wrote about were the security breach at Target and Google Glass.  The other weeks I tried to find more information on a topic of choice from the weekly reading.  I chose these topics so I could learn more on the topic.

The bulk of the sources that I chose for my blog postings came from CNet and CNN.  These are areas that I frequent, so during my daily reading I would typically find a topic at some point during the week that correlated with a topic within the weekly readings.  The remaining sources were found by performing searches via a search engine (Google).  The blogs that I wrote may or may not be of use to future students because my topics generally followed the news at the time.  This could potentially still be applicable in the future due to the content more than the example.  The lesson learned that I found about doing this weekly blog was to be more aware of security topics in the news.  When reading the news daily I was always interested in any topic that may assist me in completing my blog assignment.  The side effect was that I got to learn/apply the topics better through research.

Saturday, February 22, 2014

Employee Termination



This week’s topics in my CIS608 class included personnel issues with regard to IT security to include job and duty descriptions, certification, employment policies, interviews and personnel security practices.  The topic that I found to be the most interesting was IT security issues involved when terminating an employee.  I found this to be the most interesting because it is the topic that I have the least experience with of all of the topics covered this week, so I wanted to learn a little more about it.  While doing research I found an article on about.com called “Employee Termination from an IT Perspective: The IT Department Needs to Be Involved in Employment Termination” by Richard Jones at http://humanresources.about.com/od/whenemploymentends/a/it_termination.htm.
  
In the article the author discusses the need to involve the IT department in the termination of employees.  Some of the key facts that the author points out are:

  • Prompt notification to the IT department when an employee is being terminated

  • Policies should be in place to notify all key parties when an employee is being terminated immediately

  • Policies on revocation of network access

  • Keep key data and logs from employee in case there are legal issues that arise

  • Have data retention and redundancy policies in place to protect key data

I found all of these issues to be very interesting and something that should be thought of for every company.  I’m sure that the company that I work for has policies like these in place already but I’m not part of the process.  I can definitely see where this is something that should be addressed sooner or later by organizations in order to protect their proprietary and business interests.

Sunday, February 16, 2014

Wireless Security



Reading over this week’s topic in my CIS 608 class and the fact that my parents just called me about needing a new wireless router for their house brought to mind the topic of wireless security.  Although a few of the best practices that I have been using for years came to mind such as changing the default passwords and using WPA2 security, I thought I would do a quick internet search to see what some experts say are ways that you should secure your wireless network.  The search netted varying articles with different opinions but the one that I found to be interesting was the article by Samara Lynn of PCMag.com called “5 Ways to Secure Your Wireless Router”.   The article can be viewed at: http://www.pcmag.com/article2/0,2817,2409751,00.asp.  

The five ways that the article tells users they should secure their wireless network are:
1. Password Encryption using WPA2 security
2. Turn off SSID broadcasting
3. Disable guest networks
4. MAC Filtering
5. Get a network monitoring app

All of these suggested protections seem to be pretty basic to me.  Although I do not utilize all of these methods of protection I can see definite value in following these suggestions.  The only protection that I don’t currently run is MAC address filtering.  That is primarily because this is a very inconvenient thing for me to do with the constant influx of new devices that require access into my network.   I may again someday re-enable MAC filtering but as for now I don’t do this.  Some other measures that I personally have run on wireless networks are to run extremely long passphrases for the security password.  Typically the phrase will consist of letters, numbers and special characters and be at least 50 characters.   Although there are many different protections out there for wireless networks it is important for users to protect them using suggestions such as the advice given in this article in order to secure their network.

Saturday, February 8, 2014

Data Breaches and Risk Management



After reading a couple of articles about IT security breaches that are currently being investigated by the US Secret Service, I have to wonder if the companies involved had properly tried to control the risks or if they decided that they could live with the risk and not put controls into place.  The first article that I found was one about security breaches for a hotel management company called White Lodging.  The article can be found at http://www.nytimes.com/2014/02/01/technology/latest-sites-of-breaches-in-security-are-hotels.html?_r=0.  The second article is about security breaches at Michaels craft store and can be found at http://krebsonsecurity.com/2014/01/sources-card-breach-at-michaels-stores/.

In both articles the data seems to have been breached in a similar fashion as the breach at Target and Neiman Marcus department stores, where malware is uploaded to the point of service machine where credit cards are swiped.  The data is captured during the processing request where data is unencrypted in RAM for a brief period of time.  After reading both articles, I couldn’t help but associate the breaches with risk management for IT security.  I wondered, was this type of breach something that was even thought of during the risk management analysis?  Did the companies try to control this risk or did they decide that they had enough control in place to minimize the risk enough to accept it?

I’m certain that the magnitude at which these breaches have spread was not part of their risk management process but was likely the percentage of unknown risk that is associated with any project.  I’m certain that with the wildfire that has spread on this type of data breach, companies that take credit cards as well as credit card vendors are taking notice and will have to either put controls into place to reduce the likelihood of such large data breaches or be forced out of business with all of the expense associated with the cost of clean-up after these events occur, but then again maybe they will just put the cost onto the consumer.

Saturday, February 1, 2014

Risk Management



In the past couple of days it was released that stolen vendor credentials were used in the huge Target data breach.  I first saw an article on this at:  http://money.cnn.com/2014/01/29/news/companies/target-breach-password/ .  As I was later reading the weekly reading assignment for my Information Security Management course about risk management, I wondered if some of these principles had been properly applied by the vendors as well as Target themselves. 

I wonder if the vulnerability of stolen vendor user credentials was even part of Target’s risk assessment.  After all, risk assessments are only performed on risks that have been identified.  If they did think of this as a potential risk, what did Target do to address this risk?  Certainly they reacted properly, or at least it appears they acted appropriately, once they found the breach.  The real problem is why did it take 3 weeks to discover the breach?

In this case the potential loss for Target was huge since they are one of the larger US retailers.  One would think that protecting their customers’ data would be one of the most important things for the company.  After all, look at all of the money they are now spending to try to recover from this breach.  They have spent money handing out discount cards, offering credit monitoring services and extra time and effort in damage control.  This money spent doesn’t even take into account the lost revenue they have likely seen from fewer customers in the stores and online.  All of this makes me wonder if they would have saved time and effort by doing a better job of assessing risk and implementing controls to prevent the data breach in the first place.