Tuesday, November 17, 2009

Final Reflection: Week 12

As mentioned in my first blog, the first and foremost reason I chose Corporate Information Security as a unit this semester was because it was the only unit available for my schedule. I did not have many expectations about how the unit would be or whether I would enjoy it or not. It turns out that the topics covered in the chapters were interesting, and they made me realize that there are so many things we do unintentionally, or without realizing it, that could be potentially dangerous, not only for oneself but for the company one works for as well. Doing this course has helped me realize that everyone should really think twice before doing anything, especially when it is related to corporate information security. The first case study in the first chapter was a very good example of how many people do not know what Internet Security means and how it can affect a whole business in a matter of minutes. Rapid development in technology has made it far easier for people to take advantage of a lack of knowledge and training in this area.

Having worked for IBM, I did have a basic knowledge of some of the topics covered in this unit (risk management, outsourcing IT security and the workings of remote access), which I believe made this unit a bit easier for me; however, I was glad I had the opportunity to delve deeper into why Information Security has become an important issue in recent years and what to expect in real work situations. Being a business graduate, I will be aiming to find employment in a large company; therefore I believe knowing about Information Security will help me be more cautious in what I do and how I do it at work. IT has now become the lifeblood of business, where IT and business complement each other. I would like to work in areas related to Project Management, and therefore it makes even more sense for me to be aware of the issues that were raised while doing this unit.

The most important aspect of Information Security, after undertaking this unit, is that employees working in an organization should be made aware of the risks to information security, and proper training should be provided so that they know what can and cannot be done. A company can have the best security measures in place; however, they will not work if the employees are not made aware of the risks and of the consequences of putting the company at risk.

Although I did not have a lot of expectations when I first enrolled for the unit, I remember thinking this unit might be very technical in nature. I was half expecting to learn more about the technical side of the different means and measures used for securing information.

As mentioned earlier, having worked for IBM, I had known, seen and been through some of the Information Security measures taken by the company. I knew in general what was regarded as a breach of security and what simple things we could do to make our area safe. Therefore, my perceptions about Information Security have not changed a whole lot.
While doing this unit, the topic that was most interesting was Physical Security. Within that topic, I found biometrics and cryptography very interesting, so I ended up doing a bit of extra reading on the internet about the newer types of biometric security that researchers have come up with and about how cryptography works. The most boring topic in this unit, I thought, was Chapter 3 (Legal, Ethical and Professional Issues in Information Security); the legal area was the worst. However, I did find the article posted on Moodle titled ‘U.K. Hacker's Extradition Appeal Rejected’ very intriguing, and I learnt that there are a lot of gray areas in international law relating to Information Security.

The topic that I found the easiest was Chapter 11 (Security and Personnel), and that was because it was mostly theory about what type of information security personnel to look for, what qualifications they require and how to conduct employee intakes. Within Chapter 2, the topics related to the different types of attacks were also easy to understand, but that was mainly because I was interested in the topic. I find things easier to understand when I find them interesting. Prior to undertaking this unit, a friend of mine who is currently studying IT had told me about a documentary on hackers he had seen, and I thought that was pretty interesting.

There were several areas that I found to be difficult. There were different Information Security models that were hard to understand and required me to really read everything a few times; however, I am still unsure if I have understood those completely. Those particular models were the NSTISSC Security Model, the VISA International Security Model and the ISO Network Management Model. Chapter 12 in particular was difficult as a whole, the most difficult chapter by far, but that was probably because it was the last chapter and I did not really pay too much attention or try to really understand it.

When I first enrolled in this unit, I was not aware that it was an online unit. As a student, I think it is better to have face-to-face lectures and tutorials, because it’s easier for me to understand the issues and topics discussed than to learn on my own from the Internet. Yes, online study has its benefits, but I prefer the traditional way of studying. Therefore, I would recommend that there be at least 3 lectures during the semester that students have to attend. I think doing so will provide students with the chance to better understand topics and clarify their doubts about previous topics. I do understand that there is a place in Moodle where questions can be asked, but it does not feel personal.

Overall, I am glad I decided to do this unit and I believe I have taken some knowledge that will help me in the future.

Information Security Maintenance: Week 12

Write about ways that penetration analysts limit the risk they pose to internal systems. You may need to conduct research to fulfill this task. Also, look at popular news sources for stories related to computer vulnerabilities. Research the vulnerabilities to see if there are any inconsistencies between the way the press reports them and the way researchers have documented them. Give examples.

There are several ways penetration analysts limit the risk they pose to internal systems, two of which are:

- Testing/development environments
- Performing tests during off-peak times

By performing penetration tests against a testing environment, analysts are able to show what a successful attack could do to the environment without affecting the live environment. In doing so, side effects such as network performance degradation, crashed services or corrupted data are not seen by the company or its customers. The caveat is that the test environment has to be a faithful copy of production (same software versions, patch levels and configuration), otherwise the results say little about the live systems.

Another way of limiting the risk is to perform all tests during off-peak times, i.e. when the systems are least in use. By doing so, even if the systems become slow or their performance is otherwise hampered, the impact on the business is small. In practice both measures are written into the rules of engagement agreed with the client before the test starts: which hosts and networks are in scope, which are explicitly excluded, the approved testing window, a cap on scan rate, and who to call if something breaks.
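
As an added example (not part of the original post), the following Python script shows how a tester can enforce those rules of engagement mechanically rather than by memory. It assumes a hypothetical engagement written down as a small dictionary: in-scope networks, explicit exclusions, an approved off-peak window in UTC and a packet-rate cap. Anything outside the agreement is refused before a single packet is sent; the target addresses, exclusions and window are constructed for the example.

```python
"""Scope and test-window gate placed in front of scanning tools.

Added example, not from the original post. The rules of engagement below
are hypothetical: in-scope networks, explicit exclusions (a gateway and a
database pair), an approved off-peak window and a packet-rate cap.
"""
from datetime import datetime, time, timezone
import ipaddress

# Hypothetical engagement against a staging copy of an internal network.
RULES_OF_ENGAGEMENT = {
    "in_scope": ["10.20.0.0/24", "192.0.2.10"],
    "excluded": ["10.20.0.1", "10.20.0.250/31"],   # gateway and a DB pair
    "window_utc": (time(22, 0), time(5, 0)),       # 22:00-05:00 UTC, wraps midnight
    "max_pps": 200,                                # packets-per-second cap
}


def _networks(entries, version):
    """Parse host/CIDR strings, keeping only those of the target's IP version."""
    nets = (ipaddress.ip_network(e, strict=False) for e in entries)
    return [n for n in nets if n.version == version]


def classify_target(target, roe=RULES_OF_ENGAGEMENT):
    """Return 'excluded', 'allowed' or 'out_of_scope' for one host or CIDR.

    A range that merely touches an exclusion is refused outright: partial
    overlap is treated as excluded rather than silently trimmed, so the
    tester has to make the scope explicit.
    """
    net = ipaddress.ip_network(target, strict=False)
    if any(net.overlaps(x) for x in _networks(roe["excluded"], net.version)):
        return "excluded"
    if any(net.subnet_of(x) for x in _networks(roe["in_scope"], net.version)):
        return "allowed"
    return "out_of_scope"


def in_window(now, window):
    """True if the timezone-aware datetime falls inside the approved window."""
    start, end = window
    t = now.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end          # window wraps past midnight


def build_scan(requested, now, roe=RULES_OF_ENGAGEMENT):
    """Partition requested targets and build a rate-limited nmap command.

    Raises RuntimeError outside the window, so a mis-scheduled cron job or
    an eager tester cannot start early. Returns (command, rejected) where
    rejected maps each refused target to the reason.
    """
    if not in_window(now, roe["window_utc"]):
        raise RuntimeError("outside approved test window; refusing to scan")
    allowed, rejected = [], {}
    for target in requested:
        verdict = classify_target(target, roe)
        if verdict == "allowed":
            allowed.append(target)
        else:
            rejected[target] = verdict
    # nmap's --max-rate and --exclude are real flags; --exclude repeats the
    # exclusions as defence in depth in case the allow list is edited later.
    cmd = ["nmap", "-sS", "--max-rate", str(roe["max_pps"]),
           "--exclude", ",".join(roe["excluded"])] + allowed
    return cmd, rejected


if __name__ == "__main__":
    now = datetime(2009, 11, 17, 23, 30, tzinfo=timezone.utc)   # inside window
    cmd, rejected = build_scan(
        ["10.20.0.55", "10.20.0.1", "10.20.0.0/25", "10.21.0.9"], now)
    print(" ".join(cmd))
    print("rejected:", rejected)
```

The design choice worth noting is that the gate fails closed: an unknown address is out of scope rather than allowed, a range overlapping an exclusion is rejected whole, and the time check raises instead of returning an empty list, so nothing downstream can run by accident.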
On July 28, 2009 Microsoft released an out-of-band (emergency) patch, MS09-034, for Internet Explorer. The vulnerability in Microsoft’s web browser allowed remote code execution and was related to the flaws in the Microsoft Active Template Library (ATL). This vulnerability was reported widely; however, the information on news websites varied, with not all of the information given by Microsoft being reported, or being reported correctly. Two examples of this are:

• The Microsoft bulletin (http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx) rates the vulnerability as Critical on Windows 2000, XP and Vista; The Age article mentions only Windows 2000 and XP.

• The Age website (http://www.theage.com.au/technology/security/microsoft-releases-security-patch-for-ie-20090729-e0m5.html) reports that "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system", which reads as though other users are not affected. The Microsoft bulletin does not say that; it says only that they are likely to be less affected: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” The distinction matters, because code execution as a low-privilege user still gives an attacker that user's files and sessions and a foothold from which to escalate.

In late 2008 (first seen on 21 November 2008) the Conficker worm (http://www.microsoft.com/security/worms/conficker.aspx) appeared, taking advantage of the Microsoft vulnerability MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), which allowed remote code execution through the Server service on Windows 2000, XP, Vista, Server 2003 and Server 2008. The worm uses this flaw to co-opt machines (zombies) and link them into a botnet that can be commanded remotely by its authors (capable of DDoS attacks). News reports came out days before the defined “go live” date of 1 April 2009 (coinciding with April Fools' Day). SMH articles hyped the worm up (http://www.smh.com.au/technology/security/conficker-worm-threatens-april-fools-chaos-20090615-c9o8.html), but failed to mention that the patch, MS08-067, had been released on 23 October 2008, a month before the worm first appeared, so a patched machine was not at risk from that vector.

This was also the case for the Slammer worm in January 2003, which took advantage of a buffer overrun in Microsoft SQL Server 2000 (Microsoft bulletin MS02-039). Its scanning traffic produced a DDoS-like effect, disrupting Internet services around the world within 10 minutes of its release. The flaw Slammer exploited had been corrected by Microsoft about six months earlier, in July 2002. Since the Slammer attack, more reports have appeared on news websites advising of the risk of new outbreaks, and system administrators have been taking these alerts more seriously.

Monday, November 16, 2009

Security and Personnel: Week 11

What actions can each person in an organisation take to minimize the risk of identity theft? Discuss and generate a list of concrete actions each student can take to control this risk at UB. How do you think the Information Security department at UB is structured? You don't need to know the correct answer to this, but based on your understanding of UB's size and the types of information it needs to secure, what roles do you imagine exist here?

There are several ways in which the risk of identity theft can be minimized; they are as follows:
- Documents containing personal information should be disposed of through a shredder.

- Physical business records, such as customer records and other data on paper, should be stored in lockable filing cabinets. The cabinets should be locked at night, and at those times during the day when the area is not being “supervised”, such as during lunch time.

- It’s easy for someone to pretend to be someone they’re not on the phone. Whether it’s someone who wants personal information about a particular customer, or someone who claims they need to verify some personal accounts, information should not be given out over the phone unless the caller’s identity can be positively confirmed (for example, by calling them back on a number already on file).

- Computer networks need to be password protected, so that anyone who wanders through the office cannot access the network. Internal network access should also be considered: programs or databases that contain sensitive information should be password protected, with access granted on a “need-to-know” basis, to help cut down identity theft.

- Avoid broadcasting personal information

- Revoke ex-employees' access immediately

A list of actions that students at UB can take to prevent identity theft:
- Change their passwords frequently
- When accessing computer labs after hours, make sure that nobody tailgates them in
- Not leave computers logged in and unattended
- Report lost student IDs immediately
- Not give sensitive information out to just anybody; always ask why that information is required

The University of Ballarat is a relatively small university compared to many other universities in Australia. The structure of its Information Security department would be the same as at any university, but on a much smaller scale. For an Information Security department to work smoothly, there are several functions that need to be fulfilled:

- IT function:
This includes the management of networks, software updates/deployment, the internet and intranet, and helpdesk facilities. There is a security technician/consultant who sits in the library to help students with their computer issues, and an Information Security Officer who updates the security information on the university homepage.

- Physical Security:
This includes checking every night that the areas with computers are secure; the university has security guards who do rounds of all areas in the uni with computers and make sure that everything is locked up every single night.

- Administrative Services:
This function includes purchasing hardware and software for the university's use, purchasing/renewing licences, etc.