Friday, October 25, 2013

Risk Management


It is important for businesses to create risk management plans that fit their own company.  Best practices are a useful guide, but a cookie-cutter approach does not always work.  Every business is different, even within the same industry: each has its own acceptable level of risk, and an asset that one company treats as critical may be worth far less to another.

            The amount of money a business spends on risk management also varies from company to company.  The budget may be small or large, but how effectively the plan is managed plays a large role in what it ultimately costs.  Comparing how much different companies spend on risk management is not as helpful as some have believed: it can suggest a general range, but it does not produce an absolute figure.  Jack Jones gives a good analogy for deciding how much to spend.  He compares it to buying car insurance.  You can find out roughly what most people pay, but you would not use that as your only reference; you would also want to know how much coverage you need given your risks and assets, and whether you have the funds to pay for it.

            Leadership is often left out of this equation.  If management does not believe there is much risk, despite what it has been told, the company will be poorly positioned for the risks it is actually taking.  Risk management should influence company policies, priorities, initiatives and actions.  If a business only has tolerance for low risk, its decisions should reflect that.  Keeping this in mind is key to successful risk management.  It is also important to change the risk management plan when circumstances change.  If the company can no longer mitigate a risk that it previously could, it needs to evaluate how that affects the company overall and adjust its policies accordingly.  Employees should also be kept informed of the risks the company faces and of how their own decisions affect its overall risk.

            Every business faces its own unique types of risk.  To manage that risk appropriately, it must examine how much risk it faces, what level of risk it can tolerate, how much it can spend to mitigate risk, and whether its policies reflect that risk.  Using best practices as a guideline will help keep it on track to managing risk effectively.  Ultimately it is up to each company to develop its own risk management plan, tailored to its needs.

References:

Jones, J. (2011). To Be FAIR About It: A perspective on risk and risk management. Risk Management Insight. Retrieved October 22, 2013, from riskmanagementinsight.com/wp-content/uploads/2011/03/to-be-fair-about-it-v1.pdf

Thursday, August 8, 2013

Last 9 Weeks


            Over the past nine weeks my blog posts have covered a variety of topics, but primarily they were about how companies need to better educate their employees about network security and how companies need to improve network security.  Several of the posts discussed how employers need to educate their employees, as well as themselves, about the risks of bringing your own device to work, and about how to create secure passwords and not write them down for others to find.  Edward Snowden stealing information from the NSA proves that no matter how secure companies believe they are, there is always room for improvement.  Another post discussed the need for more collaboration between companies to share information about the types of security threats each company has faced and what they have done to prevent similar threats in the future.

            I chose the above-mentioned topics because I believe these are areas where most businesses and employees need education and training.  I used a variety of sources over the past nine weeks.  I believe this type of blog can be useful to an information security professional.  The best way to stay up to date on current trends and information is to read magazines and web sites and to subscribe to newsletters.

Saturday, August 3, 2013

How important is network security?

     Most companies are aware that they need to keep their networks secure.  However, some still believe it is just an added expense, because they do not understand how important network security is.  An easy way to judge how secure your company's network should be is to consider how important your company's information is.  What would happen if your customers' information (addresses, credit card numbers, etc.) were stolen?  Would they stop being your customers?  Would they sue you?  How much would it cost to repair the breach?  You also have to consider the revenue lost while business stops so the breach can be fixed, and what it would actually cost to improve network security.  Other expenses would include regulatory fines and possible lawsuits.

     Companies realize just how important network security is once they see how expensive an inadequate one turns out to be.  To get a better idea of the cost, the article linked below puts the average cost of a data breach at $5.5 million.  Can your business afford that for every breach?  That is before an average of $3 million in lost revenue due to the breach and $1.5 million in post-breach expenses.  Is it still an unnecessary business expense?  No, and remember that just because it has not affected your company yet does not mean it never will.

For more information:
http://www.sys-con.com/node/2749391?goback=.gde_38412_member_262017002

Saturday, July 27, 2013

Threat Intelligence Sharing

   Threat intelligence sharing is getting more attention.  Businesses are encouraged to share the new security threats they encounter with their peers.  This collaboration improves the security of every company that could be hit by a similar attack, and working together on how to stop and prevent these attacks benefits everyone involved.

    The challenge of threat intelligence sharing is how to communicate this information securely and effectively.  Those involved must also decide how quickly the information has to be shared for it to still be useful.  Much of what is currently shared is limited to which threats are out there, with nothing on how to stop them.  Smaller companies are typically the ones struggling to find solutions to these threats and would benefit most from help in choosing the right response.

     What is stopping a full platform for threat intelligence sharing?  Is the competitive nature of business part of it?  Whatever the underlying cause, reluctance to share information that helps everyone involved contributes to the failure of national intelligence sharing.  More thoughts on this topic are being discussed at the annual Black Hat conference, which runs July 27 through August 1.  Anyone interested will have to keep an eye on what comes out of this year's conference to see whether a coordinated effort can be organized.

Saturday, July 20, 2013

Companies that focus only on meeting standards take on greater security risk

    It is common for businesses to become so focused on following industry guidelines and checking off boxes to show they meet the requirements that they lose track of the fact that they also need to prevent cyber threats.  By concentrating on the requirements of government and industry standards, companies forget the big picture, and they leave themselves open to cyber criminals because they are unprepared.

     To prevent this, companies need to expand their security programs to include ongoing threat assessment alongside the industry standards.  The focus should be on going beyond the standards rather than just meeting them for the sake of compliance.  This helps secure the business by staying a step ahead of threats rather than waiting to act until it is too late.  Companies that have not experienced a cyber attack often do not realize the importance of better threat assessment.  They should take the advice of those who have, and take the steps necessary to prevent the same thing from happening to them.  If industry standards do not change to put greater focus on threat assessment, companies need to do it on their own.

See the link for more information: http://www.computerworld.com/s/article/9237254/IT_security_managers_too_focused_on_compliance_experts_say

Wednesday, July 10, 2013

YOU MAY BE SURPRISED WHO CAN VIEW YOUR INTERNET CONNECTED DEVICES

     If your business or home has a live video camera, you might be surprised who can view it.  Imagine your conference room is set up for live video conferences with clients; if the system is not secured, others may be able to watch and listen in on all of your meetings.  If the feed is always live, as with security cameras in businesses, stores, restaurants, traffic cameras and so on, a person can view it at any time.  If an unsecured feed gives someone access to confidential company information, imagine the chaos if that information is exposed or sold to a competitor.

    Shodan is a search engine that indexes devices connected to the Internet.  This includes live webcams, refrigerators, routers, GPS receivers, and even swimming pool, industrial and medical device control panels.  How does Shodan get this information?  Simple: it connects to these devices and, in effect, asks them "What can you tell me about yourself?", recording the banner each service returns.  Most of the devices it finds belong to people who are not even aware that this information is visible to others.  One man browsing open webcam feeds discovered a woman yelling at and hitting an elderly woman.  Shocked by what he saw, he recorded it, traced the IP address and handed it to the police.
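The "what can you tell me about yourself?" step is banner grabbing: connect to a port, send a minimal request, and record whatever the service announces about itself. The following is an added example of that mechanism, not Shodan's own code. It starts a throwaway TCP service on localhost that answers with a constructed banner, connects to it the way a scanner would, and classifies the reply into the facts an auditor cares about (product, whether authentication is demanded, whether it looks like a camera). The banner text, the server name ipcam-httpd and the keyword list are all made up for the illustration.

```python
"""Banner grabbing, the mechanism behind a Shodan-style index.

Added example, not Shodan's code. A throwaway TCP service on localhost
answers with a constructed banner; grab_banner() connects the way a
scanner would, and classify() turns the banner into an audit verdict.
Banners, server names and the hint list are all made up for illustration.
"""
import re
import socket
import threading

# Constructed banners standing in for two exposed devices.
OPEN_CAMERA = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: ipcam-httpd/1.2\r\n"
    b"Content-Type: multipart/x-mixed-replace; boundary=frame\r\n\r\n"
)
LOCKED_CAMERA = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b"Server: ipcam-httpd/1.2\r\n"
    b'WWW-Authenticate: Basic realm="Network Camera"\r\n\r\n'
)

# Constructed hints; a real indexer keeps a much larger fingerprint list.
CAMERA_HINTS = ("camera", "ipcam", "webcam", "dvr", "x-mixed-replace")


def serve_banner(banner):
    """Start a daemon thread that answers every connection with `banner`.
    Returns the ephemeral port it listens on (127.0.0.1 only)."""
    srv = socket.create_server(("127.0.0.1", 0))

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.recv(1024)  # swallow the probe, if the client sent one
                except socket.timeout:
                    pass
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\n\r\n", timeout=2.0):
    """Connect, send a minimal probe, and return whatever the service says."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        try:
            while len(b"".join(chunks)) < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("latin-1")


def classify(banner):
    """Parse an HTTP-style banner into the facts an auditor cares about."""
    lines = banner.split("\r\n")
    status = lines[0].split(" ", 1)[1] if " " in lines[0] else lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    auth = headers.get("www-authenticate", "")
    realm = re.search(r'realm="([^"]*)"', auth)
    fingerprint = " ".join(
        [headers.get("server", ""), headers.get("content-type", ""), auth]
    ).lower()
    return {
        "status": status,
        "product": headers.get("server", "unknown"),
        "realm": realm.group(1) if realm else "",
        "auth_required": bool(auth),
        "looks_like_camera": any(h in fingerprint for h in CAMERA_HINTS),
    }


def audit(host, port):
    """Grab and classify in one step; `exposed` is the finding to act on."""
    verdict = classify(grab_banner(host, port))
    verdict["exposed"] = verdict["looks_like_camera"] and not verdict["auth_required"]
    return verdict


if __name__ == "__main__":
    for label, banner in (("open", OPEN_CAMERA), ("locked", LOCKED_CAMERA)):
        print(label, audit("127.0.0.1", serve_banner(banner)))
```

Note that nothing here requires credentials or exploits anything: the device volunteers the Server header and the authentication challenge (or lack of one) to anyone who connects. That is exactly why a camera that streams without asking for a password shows up as `exposed`, and why the fix is on the device side: require authentication and keep the management interface off the public Internet.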

     John Matherly created Shodan and is currently the only person maintaining it.  Scanning the Internet this way was, until recently, something mostly associated with attackers.  He funds the project by charging security companies for access to his entire database, which currently holds more than 1.2 billion devices.  Anyone can search the database for free, but unlimited access costs a one-time fee of $19.  With that in mind, make sure every one of your Internet-connected devices is secured: change default passwords, require authentication on camera and control-panel interfaces, and do not expose them to the Internet unless they have to be.

http://www.wired.com/wiredenterprise/2013/07/shodan-search-engine/?cid=co9596534

Thursday, July 4, 2013

How Secure is Your Information?

     The recent revelation that Edward Snowden took information from the NSA may seem far removed from most companies, but this kind of incident is far more common than many believe.  Government agencies are generally assumed to be more secure than any business.  The fact that Snowden could access and remove information his role did not require shows that no matter how secure an organization is, there is always room for improvement, starting with how much access any one insider holds.

     A recent article shows just how poor many companies' network security is.  2.5 million Californians had their personal information (SSNs, credit card and bank account numbers) exposed by businesses between November 2010 and 2012.  These were by no means small companies; they ranged from retailers such as Petco and Barnes & Noble to state universities and government agencies.  Some were single incidents, but American Express Travel was at fault 19 times.  Yes, 19 times.  One would think that after exposing sensitive information once or twice the problem would be corrected, but apparently the company does not know how.  The businesses with the most data breaches were those handling financial transactions (mostly retail) and banks.  It really gives you pause before handing any information to any business.

     How could these companies have better protected their customers' information?  By encrypting the data and tightly controlling who can read it.  Encryption protects records on a lost laptop or a stolen backup, but it does nothing against an insider who already holds the keys, which is why limiting access matters just as much.  These breaches, along with the Snowden case, will hopefully make companies see the importance of properly securing their data and limiting access to it.  The Anthem Blue Cross of California breach cost the company a $150,000 payout plus a requirement to improve data security and limit the number of employees who can access SSNs.  Before 2012, California companies did not have to report breaches to the state Attorney General, so there was no central record of them.  If other states take the same approach, we may begin to see the much-needed security improvements as companies are held more accountable for their lack of security.

For more information on the story please see the link
http://www.mercurynews.com/business/ci_23587532/2-5-million-californians-exposed-data-breaches

Friday, June 28, 2013

Erasing employees' bad security habits

     As technology changes, so do the security procedures that go with it.  New, stronger password requirements can be overwhelming for people who quickly lose track of their passwords or have difficulty remembering them.  That leads them to write passwords down or, where they can, to keep using weaker passwords and the same password for several accounts.  Enforcing strength requirements ensures that employees actually use passwords of adequate strength, and expiring passwords every 90 days is meant to stop them from keeping the same one indefinitely.  Keep in mind that forced expiry tends to push people toward trivial variations of the old password, so the policy should also reject any password that has been used before.  Getting employees to stop writing passwords down is harder.  Have them build a password from something personal that they can easily remember, but not something as simple as a child's or pet's name.
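The rules above (length and complexity, no common or personal words, no reuse of earlier passwords) are what a password-acceptance check enforces at the moment an employee picks a new password. The following is an added example of such a check, not code from the original post or from any product. The minimum length of 12, the five-entry history, the short denylist and the personal terms "stacey" and "fluffy" are assumptions chosen for the illustration; a real deployment would use a large breached-password list and the organisation's own thresholds. Previous passwords are kept only as salted PBKDF2 hashes, so the history itself never becomes a list of old passwords.

```python
"""Password-acceptance check enforcing the habits the post describes.

Added example, not from the original post. MIN_LENGTH, HISTORY_DEPTH,
COMMON_PASSWORDS and the sample personal terms are assumptions made for
this illustration.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12          # assumption; the post does not give a number
HISTORY_DEPTH = 5        # how many previous passwords are remembered

# Constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def _derive(password, salt):
    """Slow salted hash, so the history never stores old passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords as salted hashes only."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # (salt, digest) pairs, oldest first

    def was_used(self, password):
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))
        del self._entries[:-self.depth]  # keep only the newest `depth`


def _class_count(pw):
    """How many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def _has_run(pw, length=4):
    """True if `length` characters in a row are identical or strictly ascending
    ('aaaa', '1234', 'abcd'): the padding people add to satisfy a policy."""
    for i in range(len(pw) - length + 1):
        window = [ord(c) for c in pw[i:i + length]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}):
            return True
    return False


def check_password(candidate, personal_terms=(), history=None):
    """Return the list of policy failures; an empty list means accepted."""
    failures = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if _class_count(candidate) < 3:
        failures.append("uses fewer than 3 of: lower, upper, digit, symbol")
    if lowered in COMMON_PASSWORDS:
        failures.append("appears on the common-password list")
    if _has_run(candidate):
        failures.append("contains a repeated or sequential run")
    for term in personal_terms:  # names of children, pets, the user, etc.
        if len(term) >= 3 and term.lower() in lowered:
            failures.append(f"contains personal term '{term}'")
    if history is not None and history.was_used(candidate):
        failures.append("reuses a previous password")
    return failures


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Summer2013!!")  # constructed "previous" password
    for pw in ("Summer2013!!", "Fluffy2013!!", "password1", "Tr0ub4dor&3-Clip"):
        print(pw, "->", check_password(pw, ["stacey", "fluffy"], history) or "accepted")
```

Returning every failure at once, rather than the first one, lets the user fix the password in a single attempt instead of being bounced back repeatedly, which is itself a small way to keep people from giving up and writing the result on a sticky note.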

    Social networking sites used by employees at work can also put the company's network at risk.  The simplest way to stop this is to block the sites.  Employees are resourceful and will often find several different routes to these sites (mobile versions, alternate domains, web proxies), so make sure you have blocked all of them.  Make sure employees understand the risks they expose the company to when they use unauthorized sites.  By following these security procedures, employees help create safer networks and end their bad habits.

http://solutions.webtitan.com/blog/bid/149486/Poor-email-security-habits-expose-confidential-corporate-data-with-the-click-of-a-mouse-how-to-prevent-this?goback=.gde_38412_member_253541085

Thursday, June 20, 2013

Amazon Cloud

      Amazon recently secured a contract with the CIA for cloud computing, beating IBM, which had previously dominated federal contracts.  What is interesting is what Amazon offered the CIA: an in-house cloud, built on the agency's own premises.  This may be the frontier that large corporations will want next.  Until now, companies that wanted cloud services could only get a copy of the existing public cloud, which was then modified to meet their needs.

     What does an in-house cloud provide that a traditional cloud does not?  Greater security, because the data does not travel over the public Internet as it does with most cloud services, and the hardware is dedicated to one customer.  This matters to companies taking every precaution against their information being stolen.  Until recently Amazon was against this kind of in-house cloud service, but I suppose a $600 million contract and the chance to pave the way for a new line of business was enough to convince the company.  This will most likely change how large companies want and need their information stored, especially in regulated industries such as healthcare, which are required to store their data more securely.

http://www.wired.com/wiredenterprise/2013/06/amazon-cia/

Friday, June 14, 2013

Bring your own device

     I've been reading about the many employees who bring their own electronic devices to work.  A recent article states that more than 90% of employees store work information on them.  With this becoming so prevalent, it is important for companies to keep and enforce policies on protecting company information.  Over 50% of employees want to be able to access their work information from anywhere.

     Studies have examined the risks and benefits of BYOD.  Benefits include increased productivity, greater employee satisfaction and greater mobility.  The risks are malware, users failing to secure their devices and inadvertently allowing unauthorized access to information, and data loss.  It is highly recommended that employers mandate encryption on employees' devices.  Companies should also understand that many employees do not understand the risks when they access work information inappropriately from their own devices.  Before even allowing BYOD, companies need to create specific policies that explain not only why they are necessary but also what happens if they are not followed.  All employees should be able to show they understand what is required of them, which could be done through quizzes.  If an employee does not understand, one-on-one instruction should be provided, and if that is not effective the employee should be barred from BYOD.

     The only way to make sure employees follow the security policies is to make them accountable.

http://www.computerweekly.com/news/2240185093/Workers-use-personal-devices-to-store-business-documents?utm_source=feedly

http://www.viaresource.com/media/20307/byod--risks_-trends-and-skills-in-byod-security.png

Wednesday, June 5, 2013

Introduction

Hello to everyone who reads my blog!

        I'm Stacey and this is my first blog, so bear with me.  This blog was created for one of my courses while working on my Master's in Cybersecurity.  I completed my BS in International Security and Intelligence in August 2012.  During that program I realized the impact that cybersecurity has on protecting our nation.  I am looking forward to learning more about cybersecurity and the management of information security.