Tuesday, November 17, 2009

Final Reflection: Week 12

As mentioned in my first blog, the first and foremost reason I chose Corporate Information Security as a unit this semester was that it was the only unit available for my schedule. I did not have many expectations about how the unit would be or whether I would enjoy it or not. It turns out the topics covered in the chapters were interesting, and they made me realize that there are so many things we do unintentionally, or without realizing it, that could be potentially dangerous, not only for oneself but for the company that one works for as well. Doing this course has helped me realize that everyone should really think twice before doing anything, especially when it is related to corporate information security. The first case study in the first chapter was a very good example of how many people do not know what Internet security means and how it can affect a whole business in a matter of minutes. Rapid development in technology has made it far easier for people to take advantage of a lack of knowledge and training in this area.

Having worked for IBM, I did have a basic knowledge of some of the topics covered in this unit (risk management, outsourcing IT security and the workings of remote access), which I believe made this unit a bit easier for me; however, I was glad I had the opportunity to delve deeper into why information security has become an important issue in recent years and what to expect in real work situations. Being a business graduate, I will be aiming to find employment in a large company; therefore I believe knowing about information security will help me be more cautious in what I do and how I do it at work. IT has now become the lifeblood of business, where IT and business complement each other. I would like to work in areas related to project management, and therefore it makes even more sense for me to be aware of the issues that were raised while doing this unit.

The most important aspect of information security, after undertaking this unit, is the fact that employees working in an organization should be made aware of the risks to information security, and proper training should be provided so that they know what can and cannot be done. A company can have the best security measures in place; however, they will not work if the employees are not made aware of the risks and the consequences of putting the company at risk.

Although I did not have a lot of expectations when I first enrolled for the unit, I remember thinking this unit might be very technical in nature. I was half expecting to learn more about the technical side of the different means and measures used for securing information.

As mentioned earlier, having worked for IBM, I had known, seen and been through some of the information security measures taken by the company. I knew, in general, what counted as a breach of security and what simple things we could do to make our area safe. Therefore, my perceptions about information security have not changed a whole lot.

While doing this unit, the topic I found most interesting was Physical Security. Within that topic, I found biometrics and cryptography very interesting, so I ended up doing a bit of extra reading on the Internet about the newer types of biometric security that researchers have come up with and how cryptography works. The most boring topic in this unit, I thought, was Chapter 3 (Legal, Ethical and Professional Issues in Information Security); the legal area was the worst. However, I did find the article posted on Moodle titled ‘U.K. Hacker's Extradition Appeal Rejected’ very intriguing, and I learnt that there are a lot of gray areas relating to international laws about information security.

The topic that I found easiest was Chapter 11 (Security and Personnel), and that was because it was mostly theory about what type of information security personnel to look for, what qualifications they require and how to conduct employee intakes. Within Chapter 2, the topics related to the different types of attacks were also easy to understand, but that was mainly because I was interested in the topic. I find things easier to understand when I find them interesting. Prior to undertaking this unit, a friend of mine who is currently studying IT had told me about a documentary on hackers he had seen, and I thought that was pretty interesting.

There were several areas that I found to be difficult. There were different information security models that were hard to understand and required me to really read everything a few times; however, I am still unsure if I have understood them completely. Those particular models were the NSTISSC Security Model, the VISA International Security Model and the ISO Network Management Model. Chapter 12 was the most difficult chapter by far, but that was probably because it was the last chapter and I did not really pay too much attention or try to really understand it.

When I first enrolled in this unit, I was not aware that this was an online unit. As a student, I think it is better to have face-to-face lectures and tutorials because it’s easier for me to understand the issues and topics discussed than to self-learn from the Internet. Yes, it has its benefits, but I prefer the traditional way of studying. Therefore, I would recommend that there be at least 3 lectures during the whole semester that students have to attend. I think this would provide students with the chance to better understand topics and clarify their doubts about previous topics. I do understand that there is a place in Moodle where questions can be asked, but it does not feel personal.

Overall, I am glad I decided to do this unit and I believe I have taken some knowledge that will help me in the future.

Information Security Maintenance: Week 12

Write about ways that penetration analysts limit the risk they pose to internal systems. You may need to conduct research to fulfill this task. Also, look at popular news sources for stories related to computer vulnerabilities. Research the vulnerabilities to see if there are any inconsistencies between the way the press reports them and the way researchers have documented them. Give examples.

There are several ways penetration analysts limit the risk they pose to internal systems, including:

- Testing/Development Environments
- Perform tests during off peak times

By performing penetration tests in a testing environment, analysts are able to show what a successful attack could do to the environment without affecting the live environment. In doing so, side effects such as network performance degradation are not seen by the company or its customers.

Another method of limiting the risk is to perform all tests during off-peak times, i.e. when the systems are not in use. By doing so, even if the systems are slow or their performance is hampered, it will not have a large impact on the business.

1) July 28, 2009 saw the release of an out-of-band (emergency) patch by Microsoft for an Internet Explorer vulnerability. The vulnerability was in Microsoft’s web browser, Internet Explorer, and allowed remote code execution (through the Microsoft Active Template Library (ATL)). This vulnerability was reported widely; however, the information on news websites varied, and not all the information given by Microsoft was released or correctly reported. Two examples of this are:

• The Microsoft source (http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx) states the vulnerability is rated critical on Windows 2000, XP and Vista. The Age article only mentions the 2000 and XP vulnerability.

• The Age website (http://www.theage.com.au/technology/security/microsoft-releases-security-patch-for-ie-20090729-e0m5.html) reports that "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system", whereas the Microsoft website does not stipulate that other users will not be affected. Microsoft states that they have a lower chance of being affected, with the comment “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Late 2008 (November 21st, 2008) saw the reign of the Conficker virus (http://www.microsoft.com/security/worms/conficker.aspx), taking advantage of the Microsoft vulnerability MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), in which the Windows Server service allowed remote code execution on Microsoft's Windows 2000, XP, Vista, Server 2003 and Server 2008 operating systems. It uses flaws in Windows software to co-opt machines (zombies) and link them into a virtual computer that can be commanded remotely by its authors (capable of DDoS attacks). News reports came out days before the defined “go live” date of the 1st of April (coinciding with April Fools' Day). SMH articles hyped the virus up, but failed to mention that patches had been previously released in 2006 to correct this issue (http://www.smh.com.au/technology/security/conficker-worm-threatens-april-fools-chaos-20090615-c9o8.html).

This was also the case for the Slammer virus in 2002, which took advantage of a buffer overrun in Microsoft SQL Server 2000 (Microsoft MS02-039), where a large DDoS-like attack took place, disrupting Internet services around the world within 10 minutes of going live. The Slammer exploit had been corrected by Microsoft almost 7 months earlier. Since the Slammer attack, more reports are appearing on news websites advising of the risks of new outbreaks, with system administrators taking these alerts more seriously.

Monday, November 16, 2009

Security and Personnel: Week 11

What actions can each person in an organisation take to minimize the risk of identity theft? Discuss and generate a list of concrete actions each student can take to control this risk at UB. How do you think the Information Security department at UB is structured? You don't need to know the correct answer to this, but based on your understanding of UB's size and the types of information it needs to secure, what roles do you imagine exist here?

There are several ways through which the risk of identity theft can be minimized; these are as follows:

- Documents containing personal information should be disposed of through a shredding device.

- Physical business records, such as customer records and other data on paper should be stored in locking filing cabinets – the cabinets should be locked at night, or at those times during the day when the area is not being “supervised” such as during lunch time.

- It’s easy for someone to pretend to be someone they’re not on the phone. Whether it’s someone who wants personal information on a particular customer, or someone who claims they need to verify some personal accounts, information over the phone should not be given out unless one can positively confirm the caller’s identity.

- Computer networks need to be password protected so that anyone who wanders through the office cannot access the network. The issue of internal network access should also be considered. Programs or databases that may contain sensitive information should be password protected, with access granted on a “need-to-know” basis, to help cut down identity theft.

- Avoid broadcasting information

- Disconnect ex-employees immediately

A list of actions that students at UB can take to prevent identity theft is:
- Change their passwords frequently
- When accessing computer labs after hours, make sure that people do not tailgate
- Not leave computers on unattended
- Report lost student IDs immediately
- Not give sensitive information out to just anybody; always ask why that information is required

The University of Ballarat is a relatively small university compared to many other universities in Australia. The structure of its Information Security department would be the same as at any university, but on a much smaller scale. For an Information Security department to work smoothly, there are several functions that need to be fulfilled; they are:

- IT function:
This includes the management of networks, software updates/deployment, the Internet and intranet, and helpdesk facilities. There is a security technician/consultant who sits in the library to help students out with their computer issues. There is also an information security officer who updates information about security on the university homepage.

- Physical Security:
This includes checking every night that the areas with computers are secure; the university has security guards who perform rounds of all areas in the uni with computers and make sure that everything is locked up every single night.

- Administrative Services:
This function includes purchasing hardware and software for the use of the university, purchasing/renewing licenses, etc.

Tuesday, October 27, 2009

Implementing Security: Week 10

As businesses gain more and more connectivity to the Internet and to other business partners, the number of opportunities for security holes increases. As hardware and software become more complex, so does the possibility of security holes. Many security exploits are found and not reported, and even more considerable is the fact that there are still many potential security exploits yet to be discovered. Therefore, information security becomes an important factor for many businesses.

Outsourcing is subcontracting a service, such as product design or manufacturing, to a third-party company; in this case, the service is information security. The decision whether to outsource or to do it in-house depends upon costs, available resources and capital. In some instances it is better to do it in-house, whereas in other cases outsourcing is the way to go.

Some advantages of outsourcing information security include:

- Businesses no longer have the hassle or the cost of trying to hire security professionals; it can be cheaper and provide access to superior, real-time service and specialized knowledge
- An outsourcer will have qualified customer-focused staff to align security management with your business goals
- The outsourcer will be qualified to provide you with ongoing support and will be up to date on the latest security issues, and should be able to separate the facts from the myths.
- Outsourcers will have extensive knowledge of the security market, both locally and globally to keep you informed and make recommendations that help your business grow whilst enhancing security.

Disadvantages include:
- Loss of Control
- Viability of Service Providers
- Quality of Service Provided
- Differing goals of business and outsourced security personnel

A request for proposal (RFP) is like tendering where invitations are sent to suppliers asking them to submit a proposal on a specific commodity or service. By doing so, it brings structure to the procurement decision and allows the risks and benefits to be identified clearly upfront. The added benefit of input from a broad spectrum of functional experts ensures that the solution chosen will suit the company's requirements.

Before deciding to draw up a contract with a third party service provider, it is important that the contract is evaluated and the viability of the service provider is thoroughly appraised. There have been a number of immediate and dramatic instances of failure of managed security service providers (MSSPs), which threatened the ability of customers to stay in business. Before entering into a service-provider arrangement, the prospective purchaser of the services should perform a complete and detailed due diligence process.

After evaluation comes contract award, where the project manager accepts the most appropriate and satisfactory bid from the third-party organizations.

Exit Strategy:
The agreement between the customer and outsourcer should anticipate the potential failure of the service provider and include provisions for such an event. These provisions should include a set of contingency plans allowing the customer organization to avail itself of alternative facilities and resources or to take over those resources of the outsourcer that have been applied to the customer’s particular service.

There are many reasons why a company might go out of the service-provider business. Some are due to internal factors, such as poor management, inadequate funding, and employee misdeeds. Others relate to external factors, such as industry trends, downturns in the general economy, and mergers and acquisitions. One of the most insidious causes for failure is damage to reputation. This can be real or perceived. A major factor can be broad awareness of customer dissatisfaction if it is made known through disparaging articles in the press, badmouthing among industry members, or other forms of communication.

Thursday, October 22, 2009

Physical Security: Week 9

After reading Chapter 9, I now understand why there are security policies and procedures in place. I did not realize that there were that many threats that could affect information. After reading about tailgating and thinking about it, I realized I have done a bit of tailgating myself without realising it, and I didn’t get pulled up on it. It takes a lot of planning to make a facility secure, with electronic monitoring, security related to physical theft, fire threats and many other forms that I wouldn’t even have thought of until reading this chapter.

After reading this chapter, I have come to realise the many security procedures that I need to go through at uni as well as at my workplace. For example, we need to swipe our uni cards to enter the IT and business labs after hours, and CCTV cameras are placed all over uni; these are just some examples of what makes the university secure.

I have a Toshiba laptop with a biometric feature (finger swipe). You can log into the computer with either a password or by swiping your finger. When I first purchased the laptop, I had all my fingerprints stored in the system, and no one can get into the computer unless I swipe my finger or they know what my password is. With Windows XP, there are a few software tools that you can use to either change the Windows logon password or find out what it is, whereas for Windows Vista, the tools that I have encountered do not work. In that sense, I think the information in my laptop is pretty secure.

For multinational businesses, they would definitely have electronic identity cards that must be worn at all times while working; they would have security guards in place, electronic monitoring (CCTV), alarm systems and fire detection systems. For people working in government organizations, in addition to the measures mentioned above, I would assume workers also need to go through a background/police check before being allowed to work for the government.

Sunday, September 20, 2009

Security Technology: Week 8

1. Which architecture for deploying a firewall is most commonly used in businesses today? Why?

The most commonly used and dominant architecture is the screened subnet firewall. This type of firewall creates a DMZ (demilitarized zone). A DMZ isolates hosts which are accessible from outside the network (e.g. a web server or FTP server) from internal servers. The externally accessible hosts are placed in a separate network zone, on a separate adapter connected to the firewall; this creates the DMZ. It is easily achieved with a firewall that has three or more interfaces.

Each sub-network is also configured as its own security zone (e.g. the Finance network, the Sales network, etc.) by connecting it to a separate firewall adapter. All traffic between zones, and all traffic from the Internet to any zone, is checked by the firewall. In this way, each zone is isolated, and the systems in each zone only trust other systems within the same zone. Therefore, if a hacker succeeds in breaching an accessible host, the hosts in the other zones are still safe. DMZs are often used for special servers, such as web servers, which must be accessible from two separate networks. Usually an organization has one Internet connection, one local network and one DMZ with servers that must be both internally and externally accessible.

The screened subnet is an entire network segment that performs two functions:

- It protects the DMZ systems and information from outside threats by providing a network of intermediate security.
- It protects the internal networks by limiting how external connections can gain access to internal systems.

DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
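To make the zone isolation above concrete, here is an added example (not from the original post) that models the screened subnet as a default-deny policy between four zones and checks sample flows against it. The address ranges, zone names and ports are constructed for illustration.

```python
"""Screened-subnet (DMZ) zone policy, modelled in Python.

Added example, not from the original post: the firewall zones described
above (Internet, DMZ, Finance, Sales) are encoded as an allow-list with a
default deny, and sample flows are evaluated against it. Address ranges,
zone names and ports are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One zone per firewall adapter (constructed address plan).
ZONES = {
    "internet": ip_network("0.0.0.0/0"),     # everything not in a named zone
    "dmz":      ip_network("192.0.2.0/24"),  # publicly reachable web/FTP servers
    "finance":  ip_network("10.10.0.0/16"),
    "sales":    ip_network("10.20.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: frozenset  # TCP ports permitted; an empty set means any port


# Allow-list. Anything not matched below is dropped. Note there is no rule
# from "dmz" to an internal zone, and none from "internet" to one either.
RULES = (
    Rule("internet", "dmz", frozenset({80, 443})),  # public web service
    Rule("finance",  "dmz", frozenset({80, 443})),  # staff reach the same servers
    Rule("sales",    "dmz", frozenset({80, 443})),
)


def zone_of(addr: str) -> str:
    """Return the zone (firewall adapter) an address sits behind.

    0.0.0.0/0 matches every address, so the longest prefix wins.
    """
    ip = ip_address(addr)
    candidates = [z for z, net in ZONES.items() if ip in net]
    return max(candidates, key=lambda z: ZONES[z].prefixlen)


def evaluate(src: str, dst: str, dst_port: int) -> str:
    """Decide 'allow' or 'deny' for a TCP flow src -> dst:dst_port."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        # Same segment: the traffic is switched locally and never reaches
        # the firewall, which is why hosts trust only their own zone.
        return "allow"
    for rule in RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and (not rule.dst_ports or dst_port in rule.dst_ports)):
            return "allow"
    return "deny"  # default deny between zones


def reachable_from(src: str, targets) -> list:
    """List the (dst, port) pairs a host at src could open. Used to show
    the blast radius of a compromised DMZ host."""
    return [(dst, port) for dst, port in targets
            if evaluate(src, dst, port) == "allow"]


if __name__ == "__main__":
    internal = [("10.10.1.20", 445), ("10.10.1.20", 3389), ("10.20.1.5", 22)]
    print("Internet -> DMZ web :", evaluate("203.0.113.5", "192.0.2.10", 443))
    print("Internet -> Finance :", evaluate("203.0.113.5", "10.10.1.20", 443))
    print("Compromised DMZ host can reach:", reachable_from("192.0.2.10", internal))
```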

2. What are the reasons that VPN technology has become the dominant method for remote workers to connect to the organizational network?

In terms of security, dial-up connections are deemed to be more vulnerable to attacks than VPNs (Virtual Private Networks). Secure VPNs use cryptographic tunnelling protocols to provide confidentiality (blocking interception and thus packet sniffing), sender authentication (blocking identity spoofing) and message integrity (blocking message alteration). This is the first and foremost reason for the dominance of this technology. Other reasons for its popularity include:

- Cost savings

One way a VPN lowers costs is by eliminating the need for expensive long-distance leased lines. With VPNs, an organization needs only a relatively short dedicated connection to the service provider. This connection could be a local leased line (much less expensive than a long-distance one), or it could be a local broadband connection such as DSL service.

VPNs enable travelling employees to access the corporate network over the internet. By using remote sites’ existing Internet connections where available, and by dialling into a local ISP for individual access, expensive long distance charges can be avoided.

VPNs allow employees working at customer sites, business partners, hotels and other untrusted locations to access a corporate network safely over dedicated private connections.

VPNs allow an organization to provide customer support to clients using the internet while minimizing risks to the client’s computer networks.

3. Will biometrics involve encryption? How are biometric technologies dependent on the use of cryptography?

Biometrics is the science and technology of measuring and analysing biological data. In information technology, biometrics refers to technologies that measure and analyse human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes.

Encryption is a mathematical process that helps to disguise the information contained in messages that are either transmitted or stored in a database. There are three main factors that determine the security of any cryptosystem: the complexity of the mathematical process or algorithm, the length of the encryption key used to disguise the message, and safe storage of the key, known as key management.

Yes, biometrics will involve encryption. Biometric encryption is the process of using a characteristic of the body as a method to code or scramble/descramble data. Physical characteristics such as fingerprints, retinas and irises, palm prints, facial structure and voice recognition are just some of the many methods of biometric encryption being researched today. Since these characteristics are unique to each individual, biometrics are seen as the answer to combating theft and fraud, particularly when dealing with commerce over the Internet. The reason that this new technology is believed to be superior to the use of passwords or personal identification numbers (PINs) is that a biometric trait cannot be lost, stolen or recreated, at least not easily. As one industry expert put it, "Unless criminals are going to start cutting off people's fingers to gain access to their accounts, biometric encryption is an excellent method for controlling access to those who should have it."

Cryptography is defined as the conversion of data into a secret code for transmission over a public network. Today, most cryptography is digital, and the original text ("plaintext") is turned into a coded equivalent called "ciphertext" via an encryption algorithm. The ciphertext is decrypted at the receiving end and turned back into plaintext.

Biometric data are noisy: being made up of attributes of the human body, the individual bits in a template are unreliable, and only an approximate match to a stored template can be expected. Cryptography, on the other hand, demands correctness in keys; they must be exactly right or protocols will fail. It would be better to have a more general, protocol-level approach, combining cryptography and biometrics to achieve a reliability and protection that biometrics alone will not provide.
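An added example (not part of the original post) illustrating the mismatch described above and the kind of protocol-level remedy it calls for: a constructed 48-bit template is matched approximately, hashed exactly, and then bound to a key with a simple code-offset sketch so that the exact key survives a few flipped bits. The template value, the noise pattern and the repetition code are assumptions chosen for illustration.

```python
"""Noisy biometric templates versus exact cryptographic keys.

Added example, not from the original post. A 48-bit template stands in for
a fingerprint feature vector (constructed value), and a 'fresh scan' is the
same template with a few bits flipped. The matcher tolerates the noise, a
hash of the template does not, and a small code-offset sketch (repetition
code plus majority decoding) reproduces the exact key despite the noise.
"""
import hashlib
import secrets

GROUP = 3                         # each key bit is repeated 3 times
KEY_BITS = 16                     # length of the bound key
TEMPLATE_BITS = KEY_BITS * GROUP  # 48-bit template

TEMPLATE = 0xA5C30F197E2B          # constructed enrolled template
NOISE = (1 << 47) | (1 << 20) | 1  # 3 flipped bits, each in a different group
SCAN = TEMPLATE ^ NOISE            # constructed 'fresh scan' of the same finger


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def template_matches(stored: int, scanned: int, threshold: int) -> bool:
    """Biometric matcher: accept when at most `threshold` bits differ."""
    return hamming(stored, scanned) <= threshold


def key_from_template(t: int) -> bytes:
    """Naive idea: hash the template into a key. One flipped bit changes
    the whole digest, so two scans of the same finger give unrelated keys."""
    return hashlib.sha256(t.to_bytes(TEMPLATE_BITS // 8, "big")).digest()


def encode(key: int) -> int:
    """Repetition code: key bit 0 occupies the most significant group."""
    cw = 0
    for i in range(KEY_BITS):
        bit = (key >> i) & 1
        for _ in range(GROUP):
            cw = (cw << 1) | bit
    return cw


def decode(cw: int) -> int:
    """Majority vote per group; exact inverse of encode() as long as no
    group holds more than one flipped bit."""
    key = 0
    mask = (1 << GROUP) - 1
    for i in range(KEY_BITS):
        group = (cw >> ((KEY_BITS - 1 - i) * GROUP)) & mask
        if bin(group).count("1") > GROUP // 2:
            key |= 1 << i
    return key


def enrol(template: int, key=None):
    """Bind a key to the template. Only the sketch is stored; the key's
    secrecy rests on the entropy of the template that masks it."""
    if key is None:
        key = secrets.randbits(KEY_BITS)
    sketch = template ^ encode(key)
    return sketch, key


def recover(scan: int, sketch: int) -> int:
    """scan XOR sketch = codeword XOR noise; decoding strips the noise."""
    return decode(scan ^ sketch)


if __name__ == "__main__":
    print("bits differing between scans:", hamming(TEMPLATE, SCAN))
    print("matcher accepts:", template_matches(TEMPLATE, SCAN, threshold=4))
    print("same hashed key:", key_from_template(TEMPLATE) == key_from_template(SCAN))
    sketch, key = enrol(TEMPLATE)
    print("recovered exact key:", recover(SCAN, sketch) == key)
```

Two flipped bits falling in the same 3-bit group defeat the majority vote, which is why real schemes use stronger error-correcting codes and longer templates.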

Tuesday, September 15, 2009

Risk Management: Week 6

1.What is the best value that should be assessed when evaluating the worth of an information asset to the organization - replacement cost or lost income while repairing or replacing?

The best value to assess when evaluating the worth of an information asset depends on the type of organization and the type of information assets it uses. Both aspects can be equally important depending on the type of work an organization does. A business may have an information asset that generates a lot of revenue; for some organizations a lot of revenue depends on a particular asset, and such assets may also be important to service delivery. In such cases, lost income is the important measure. In other cases, organizations may hold unique assets that are highly valuable. Such machines/assets may be worth more than their cost, as spare parts for them may not be easily available. In such cases, replacement costs need to be taken into consideration.

2. What is the likelihood value of a vulnerability that no longer must be considered?

Likelihood is defined as “the probability that a specific vulnerability within an organization will be successfully attacked”. While performing a risk assessment, a numeric value is assigned to each vulnerability; the more likely the vulnerability is to be exploited, the closer the number assigned will be to 1.0, and vice versa. Therefore, the value of a vulnerability that no longer must be considered will be close to zero, as the chance of the vulnerability existing is nil.

3. In what instances is baselining or benchmarking superior to cost benefit analysis?

Benchmarking is defined as ‘the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization’. Baselining is related to the concept of benchmarking, where a ‘value or profile of a performance metric can be compared with changes in the performance metric’. Cost benefit analysis, on the other hand, is an analysis of ‘the worth of the information asset to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability’. By using CBA (cost benefit analysis), companies can determine whether or not an information asset is worth protecting and, if so, how much it is going to cost to place sufficient controls to protect the organization from threats and vulnerabilities. Baselining or benchmarking is viewed as superior to cost benefit analysis in cases where organisations want information regarding the performance of their company compared to another; it can be used to determine strategic areas of opportunity rather than just the financial value of information and whether or not it is acceptable to implement security at an acceptable percentage of that value.

4. How can we find out what an organization's risk appetite is? Why is this important?

Risk appetite is defined as ‘the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility’. Each organization has different views, and they view risk differently. It is difficult to determine what an organization's risk appetite is unless one speaks to senior-level management about this issue. The level of risk appetite also depends upon the type of work a company does. If it is a government organization, the risk appetite may be very low, whereas if it’s a small business owner, the risk appetite may be high. It is important to know what the risk appetite of an organization is so that proper security measures can be put in place according to the needs, wants and budget of the business.

Notes on understanding the chapter:
This chapter was a bit more technical, with lots of IT terms used; other than that, once I had read the chapter thoroughly, I was able to form a basic understanding of risk management.