Saturday, June 3, 2017

Week 12: Review

Obviously, I think this blog would have been better if I had been able to keep up with it and post every week like I was supposed to. Unfortunately, life got in the way, between illness and surgery, and I was forced to post several of my assignment posts at the end. I've had many blogs in the past, and that seemed to always be my problem. I was gung ho in the beginning, and then as life got in the way, blogging went by the wayside. I had a pretty popular political blog about 15 years ago, but then I got diagnosed with rheumatoid arthritis, and my interests got pointed elsewhere, and I took it down.

For my topics, I focused mainly on IT security issues, but there were a few deviations. For sources, I searched the internet to find articles rather than using our textbook. I tried to choose topics for each week that were interesting to me so that I could learn as well.

I think that a blog could be very helpful for a security professional. One, you can make a name for yourself if you are a good blogger. You can network and make contacts as well. Also, as a security professional, you should always be learning and reading about new things. A blog is a good way to keep yourself up to date, and push you to find interesting topics to read and learn about.

Week 11: What to Do When an Employee Leaves

Employees come and go, and from a security standpoint, this is an issue. What steps should you take each time an employee leaves? CSO Online offers these checklist items:

1. Conduct an Exit Interview

During this interview, you should review document retention requirements, and discuss any equipment that needs to be returned. All company accounts should be discussed, and the employee should be reminded of any confidentiality agreements signed when they started. You should also ensure that you have contact information if the company needs to contact the employee after they leave.

2. Collect all company-issued mobile devices, USB flash drives, backup disks, etc. 

IT should have an inventory list of what devices an employee has been issued to ensure everything is returned when the employee leaves. By keeping good records, you can ensure no data or device loss.

3. Deactivate all company email accounts, access rights, and remote access accounts

This step may seem like common sense to you, but you would be surprised at how often this is overlooked. All accounts that are assigned to an employee should be tracked in the event of employee departure to make account termination easier. This should be done immediately after the employee leaves, on the day of departure, especially if the employee is disgruntled in any way. Ideally, if an employee is being let go, their accounts should be disabled WHILE they are being let go so that they don't have a chance to enact any revenge.

4. All shared passwords need to be changed

You should change all passwords that are used by multiple people that the employee might know. Again, this sounds like common sense, but it often gets overlooked.

For more checklist items, go here.

Week 10: Security and Project Management

For many Project Managers out there, security doesn't always play an important role in what they do. However, security should be at the forefront of any IT project. When security is thought out and built into a project, your risks are reduced substantially. Security considerations should be injected into every phase of a project, no matter what type of project it is. Even during the actual project process, there are security concerns that should be planned for, such as backups for your project files in case of catastrophic computer failure or corruption of an important file. Project Managers should follow the CIA triad of information security:

Confidentiality

Integrity

Availability

All projects can benefit from following the CIA triad.


To learn more about Security Best Practice for IT Project Managers, go here

Week 9 - Physical Security Innovations in 2017

Many people think that computer security is the most important issue in technology today, but you cannot discount the importance of physical security. There are new innovations in technology that have shown that physical security needs to continue to adapt and innovate as well. I'm going to discuss a few of those new technologies that have pushed physical security innovation.

1. Drones

The ever-expanding number of drones being used by private citizens has caused a need for physical security measures that can combat them. It doesn't take long for a technology such as drone technology to be hijacked for malicious purposes. Drones can be used for industrial espionage, terrorism, and even surveillance for future crimes. DroneTracker from Dedrone has a system of interactive sensors that detect various types of drones based on noise, shape, and movement.

2. Hostile Vehicle Threats

Vehicles targeting large crowds with the purpose of mass casualties are a burgeoning threat. Vehicle barrier suppliers have their work cut out for them. Companies such as ATG Access offer many products that would prevent a vehicle from ramming into a building or a central crowded area.

3. Smart Phones and BLE

Rather than adopting Near Field Communication, some in the field believe that smart phones and Bluetooth Low Energy might be the innovation of the future. This technology could make access cards obsolete.


Find out more here.

Week 8: Will Quantum Computers Break Cryptography?

There has been a lot of speculation that with the development of quantum computers, cryptography will become obsolete. Mark Kim, contributor at Quanta Magazine, thinks not. Quantum computers are capable of calculations that are far beyond standard computers, and they would be able to factor a large number much more quickly. This puts standard encryption algorithms at risk. Since Google recently claimed that its quantum computers will outperform any standard computer by the end of this year, cryptographers are concerned. Who will develop the quantum-proof security standard?

According to a paper on the Cryptology ePrint Archive, as fast as quantum computers might be, the RSA algorithm used in current encryption is faster.

Read more here

Week 7 - The Future of Intrusion Detection

With the Internet of Things exploding, the need for intrusion detection grows exponentially as well. As more devices move online, the risk of attack goes up. Cyber criminals continue to evolve and develop new ways and techniques, including anti-forensic techniques. Right now, most intrusion detection systems focus, as the name suggests, on detection. However, systems in the future will more than likely detect suspicious events and let the security person decide if an investigation is necessary rather than detect intruders. There will be more forensics teams involved in incidents that are suspected to be intrusions. Also, artificial intelligence algorithms could come into play. Prevention will also be the emphasis in the future. A method that might come into play more in the future is to obfuscate the attack surface so that the vulnerabilities cannot be found. This type of defense is referred to as Moving Target Defense. Humans will become more involved in all aspects of cyber security as well. Human analysis will become more important, as well as forensic teams.



If you want to read more about this, this article has more in-depth information.

Week 6 - Remote workers and VPN

In today's workplace, telecommuting and remote workers are becoming more commonplace. But, from a security perspective, this causes some security concerns. How do you keep your data safe while allowing workers to work from home? The answer is VPN! But how do you use VPN safely and efficiently for your remote workers?

First, you must consider your IT policies. Risk management is very important here. Go over your policies and create new policies where yours are lacking. You should make sure that your policies are clear and that your remote workers are trained in what they are allowed to do, and what they are not. You should set up clear guidelines and processes to request remote access, and have it set up on the employee's computer. It would be best to only allow company-owned devices to connect so that you can control what is on the computer. If security policies are set properly, that will reduce your risk. Allowing employees to use their own devices brings up more security issues, but those could be mitigated as well.

Here is the article in whole

Cultivating a Risk Intelligence Culture - week 5

What is a risk intelligence culture? Scott Baret, a partner and global financial services leader with Deloitte & Touche LLP’s Enterprise Risk Services, says that risk culture intelligence is being aware of the risks a company faces, AND requires planning and focused effort. Creating a RIC is purposeful: each employee is trained to understand how to make correct, risk-based decisions. Baret says that EVERYONE is involved in such a culture. Four things that a company can do are:
1. Training to help employees understand risk.
2. Create positive motivations to manage risk.
3. Work to strengthen relationships within the company.
4. Companies need to be prepared to change and implement company-wide changes.


Read more about this here.

Security Policies that don't keep up with Technology - Week 4

Technology today moves so quickly, but companies are constantly running behind with their technology policies. The law seems to be even further behind. This article discusses this very topic. The author explains that policy that doesn't keep up with technology puts companies at risk in two ways: (1) fear of lacking policy makes you hesitant to adopt new technology, and (2) accepting innovation without thinking about policy puts you at risk for security and ethical breaches. Part of the problem, according to this article, is that we in technology need to work harder on adopting widespread, agreed-upon standards and bolster deficient guidelines. The question is: who is going to lead the charge?

Tuesday, May 23, 2017

The Evolution of Technology Outpaces Moral and Legal Considerations - Week 3

Today's technology reaches every aspect of life. Everyone has access to a world of information everywhere they go with that smart phone in their pocket. We have smart everything: smart phones, smart TVs, and even smart houses. The advent of Amazon's Echo has expanded our technology horizons even more. Echo sits silently, waiting to hear the magic word "Alexa", but what else is it hearing in the meantime? There are concerns about the information that Alexa is collecting about its users. Private conversations are being overheard, but what happens to them? Current technology laws don't really address what SHOULD be happening to such information. So are Amazon's Echo users at the mercy of Amazon with what they collect about their users? Possibly.
Even if legal code is behind the times, what about morality and ethics? Society's mores would tell us that Amazon should not collect and save any of that information, but I think we know better than to assume that. This new 'Internet of Things' world in which we find ourselves seems to need its own moral code, in addition to the legal code that will be required.

The line between respecting personal privacy and the potential for social good is discussed in this article: 
https://www.theatlantic.com/technology/archive/2017/05/internet-of-things-ethics/524802/
What do you think?

Sunday, April 2, 2017

Ethical Dilemmas - week 2

This cartoon, while not specifically about ethics in IT, illustrates an issue in today's society.

I have worked in IT since 1999, so I have had my share of ethical dilemmas in the line of duty, so to speak. One thing that I found difficult was teaching young people about ethical behavior vs. illegal behavior. I found that teens didn't have the ethical issues that I did with certain things. For example, the millennials grew up with music and movies available to download whenever they wanted. They grew up with BitTorrent and peer-to-peer sharing. For them, if it was available to download, then it was okay to do it. When I was teaching high school, I tried to teach that just because something might be legal, doesn't make it ethical, or just because something is freely available, it doesn't make it legal or ethical to take advantage of it. To be honest, it was the same thing when it came to teaching about copyright, intellectual property, and plagiarism. Cheating ran rampant because they didn't see anything wrong with it, or copying things off of the internet. It's very important to teach ethics to IT students, especially to the millennials who grew up with technology at their fingertips. How would you go about teaching ethics to today's IT students?

Sunday, March 26, 2017

Week 1 - Introduction

Hello, World!

I thought it was fitting to start this blog off with the phrase you learn to program first in every language I've studied. I am an IT security student at Bellevue University, studying to get my Master's in Computer Information System with a security concentration. My ultimate goal is to be a college professor. I have worked in the IT field since 1999, and before that, I was a hardcore computer tinkerer. True story: The X-Files got me into computers. I was a huge fan of the show, and a friend told me that there was tons of stuff online about the show. One search, and I was hooked. I was making websites in no time, and teaching myself programming and computer maintenance skills from there. I have worked at an ISP, done tech support, web design, systems administration, worked as an IT Director and computer teacher at a small private school, and now work at a university managing a computer lab. I hope you will enjoy my perspective on IT security!

~Amy