Thursday, November 18, 2010

Final Reflection - Corporate Information Security

Looking back over this semester, undertaking this course was a new and different experience for me after completing the e-Business foundation unit the previous semester. Venturing back to my very first blog entry in this subject, my reason for deciding to undertake this course was that it was structured with only online content and no set classes. After completing this course, the reasons were what I expected and there were no real surprises in the subject.
I stated in my first blog entry that I hoped to learn several things from completing this subject. These included expanding my knowledge of areas such as online security and the protection of my personal information, and learning about new areas that I was not aware of before completing this subject.
After going through this subject I have definitely expanded my knowledge of online information security. Vast amounts of information and detail were covered over the duration of the subject. It can be said I learnt and took something out of each topic. In some of the topics I already had some knowledge of the content that was covered. For example, I already knew a bit about physical security from working and training in the workplace, and I have also learnt about physical security through general knowledge. But even in this topic I discovered vast amounts of new information and areas that I had absolutely no idea about before participating in this course.
In my very first blog entry I also stated that I hoped that from undertaking this subject I could use the knowledge gained to help me in my professional life as an accountant. In the world of accounting, accountants are privy to vast amounts of financial information which they need to keep secure for any individual or company that is a client of their firm. Information security plays a huge role in this area and is a very important aspect that accountants need to be aware of. Going back through most, if not all, of the topics covered in this course, including the need for information security, risk management, implementing security, etc., all of these are relevant and can be of use to any accountant in the business world. Hopefully, the knowledge I have learnt here can be of use to me in my professional life in the accounting field. Knowledge from completing Corporate Information Security can hopefully complement knowledge I have learnt and will learn in the future in all areas of business.
Personally I do not believe that one particular area of information security is more important than another area. Together, all the aspects of information security work to strengthen any entity's information security system. Having a weak link in the chain will leave the entity vulnerable to threats and attacks of various natures. If there is one weak link then the entire system is vulnerable, so an entity must be willing to employ several individuals or a team that can look after the entity's information security needs.
Aspects which I thought I may have learnt more about were more technically based computer knowledge. I expected to learn about how to actually install and implement information security, even if it was only on a small basis such as just a personal computer, for example my own. I thought the course may involve more technical jargon and computer-based work; as I do not really understand this sort of stuff, it may have been useful to learn. However, technical aspects of computers do not really interest me, so them not really being part of the subject did not really bother me.
Before participating in and undertaking Corporate Information Security I had a very limited understanding and idea of the depth and importance that this aspect of a business can have in protecting entities. I suppose from never doing a lot of this sort of work, except for a bit of risk management in some other business subjects, I never really understood the full meaning of information security.
The aspects of this subject which I found most interesting were the topics of the need for security and the legal, ethical and professional issues. I found the legal, ethical and professional issues topic interesting as I have completed a few law subjects and this related to those; the aspects of the law involved were new aspects that I did not previously know about and I found them interesting to learn about. Aspects of the subject which I found uninteresting and unappealing were topics which included a lot of technical jargon, as I am not really interested in that sort of stuff, as I stated previously. I also did not find topics that were overflowing with information too interesting either.
Other than the first topic, which was an introduction to information security, the topic on physical security was another topic which I found relatively easy to understand. None of the topics covered in the subject were too difficult to get a basic understanding of, though concepts in each topic required some reading and thought. To master these topics, though, is a task which would take years of training, experience and practice.
In regards to how this subject was facilitated, overall I found it fairly sufficient. I personally feel that going to lectures and tutorials aids my learning style a lot better, as I am a more kinaesthetic learner and learn by doing, rather than reading slides and slabs of text, which at times I find does not really help me learn new concepts.

Monday, November 1, 2010

Week 12 Blog Entry

Write about ways that penetration analysts limit the risk they pose to internal systems.

Ways that penetration analysts limit the risk they pose to internal systems:
- A penetration test offers an invaluable and compelling way to establish a baseline assessment of security as seen from outside the boundaries of the organisation's network. Properly done, these tests can show vulnerabilities that may exist and network penetrations that may be possible.
(http://www.isss.net)
- Perform tests during off-peak times, when systems are not in use. Doing this means that even if the systems slow down or their performance is hampered, the impact will not be huge.
(http://corpinfosec.blogspot.com/2009_11_01_archive.html)

Looking at news stories related to computer vulnerabilities.

Network Security Magazine.com (http://www.network-security-magazine.com)
Network Security Threats
- How Advanced Persistent Threats bypass your network security.
Advanced Persistent Threats have been attacking hundreds of companies around the world. It is reported in the article that "Advanced Persistent Threats (APTs) are sophisticated forms of cyber attacks through which hackers mine for sensitive corporate data over the long term". The APTs are not easily purged from the system and usually take days to erase.

This description of an APT is very accurate and in line with what is written by researchers.

Tuesday, October 26, 2010

Week 11 - Blog entry - Security and personnel

What actions can each person in an organisation take to minimise the risk of identity theft?

Individuals within an organisation can take several actions to minimise the risk of identity theft:
- Hard records or information on paper should be kept and stored in locked filing cabinets, and only authorised individuals should have access; other individuals without authorisation need to be supervised.
- All computer networks should be password protected, so no one can freely browse through someone's computer. Information databases should have passwords and access restricted to authorised personnel only.
- Information that is no longer of any use to the organisation should be disposed of correctly, e.g. shredded.
- They can avoid openly releasing personal information.

Discuss and generate a list of concrete actions each student can take to control this risk at UB.

- Students can change their password regularly, as the university already makes us do every six months, and maybe more often than this.
- Do not leave their computer unattended whilst logged in.
- Do not give personal information to anyone they do not trust.
- Report the loss of their ID card if it is lost.

How do you think the information security department at UB is structured? You do not need to know the correct answer to this, but based on your understanding of UB's size and types of information it needs to secure, what roles do you imagine exist here?

The University of Ballarat is not the biggest university around, but it would still have an information security structure similar to anywhere else.
The University's information security structure may include functions such as:
- A Chief Security Officer, who would be at the top of the tree. This person would oversee the university's information security program. This person would also approve information security policies, develop security budgets, and make recruiting, hiring and firing decisions or recommendations. They would also be the spokesperson for the information security division and would have the required qualifications.
- A Security Manager, who would run the day-to-day operation of the information security program.
- An information security administrator.
- Physical security: most likely one main physical security officer who oversees all the physical security and reports to the Chief Security Officer. There would also be other personnel who go around computer rooms and areas to ensure computers are up to the correct standard and are safe and secure. There would be several security guards who may ensure everything is locked at closing time and ensure the overnight labs are constantly safe and secure; this may be outsourced to a security company.
- An information security technician, who configures security and hardware; this individual or individuals would be specialised and have the needed qualifications.
- In all these functions there would be other personnel who work with each section to assist them in completing their job.

Thursday, October 14, 2010

Blog entry - Section 10 - Implementing Information Security

Outsourcing, in very simple terms, refers to the process of contracting work to a third party, in this situation information security. The decision by organisations to outsource or fulfil tasks themselves may depend on certain factors including costs, availability of resources and capital. Depending on the situation, it may be beneficial to complete the task in-house or to outsource it.

Advantages of outsourcing information security may include:
- Improved service
- Improved skills on tasks/projects
- Improved Return On Investment (ROI)
- Reduced costs
- Shorter implementation cycles
- Businesses can concentrate on their core business operations

Disadvantages of outsourcing information security may include:
- May risk brand or reputation
- Investments that you may have already made in this area become sunk
- Loss of control to some extent
- May not be able to control quality of service

What is an RFP?
A Request For Proposal, or RFP, is an invitation for providers of a product or service to bid on the right to supply that product or service to the individual or entity that issued the RFP. In this situation a request for information security services may be made via an RFP, and the organisation can then decide how to proceed once it has received and looked over each response to the RFP.

Evaluation
After receiving responses to the RFP from interested businesses, their proposals need to be evaluated to explore the options of picking one of the proposals and to ensure it is a good option. Before choosing to go into business with another business, the business should do a thorough investigation and inspection of the prospective business partner's history, reputation and products, to ensure a good decision is made.

Contract Award
This is where the business informs the bidding business partner of its acceptance of the submitted bid.

Exit Strategy
There may need to be an agreement between the customer and the outsourcer that, in the situation where the relationship is not working, either party can pull out of the agreement. There may need to be some rules put in place to guide such an event.

"The goal of an information secuity blueprint is to gather an organization's requirements, provide a visualization of those requirements and initiate the process of interweaving information security as part of the organization's culture. The blueprint explains an organization's needs, desired results, factors that could influence the outcome and a strategy to execute",
(http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1319948,00.html).
An exit strategy may be necessary if outsourcing this above process because the process which has been outsourced is not being fulfilled effectively and is not up to the standard of that business, therefore they may wish to have an exit strategy so they can end that partnership at any time as it may not be beneficial to the business but more of a disadvantage.

Friday, October 8, 2010

Blog Entry - Section 9 - Physical Security

The concepts discussed throughout section 9 (this week's work) were fairly straightforward and self-explanatory. As the topic was physical security, a lot of the concepts were general knowledge, such as physical access controls including ID cards, badges, locks, keys, etc. The detail of these concepts and how they linked with the issue of physical security were not as well known to me, so it was beneficial to learn about these concepts in more detail. This section taught me a lot of new things about topics I knew of but did not fully understand, such as how locks and keys actually work and the different types that are out there. This topic really pulled together a lot of ideas, such as fires, physical security measures and many other concepts, and they can be of great importance within any organisation. With my new-found knowledge of these things, hopefully I can utilise some of these concepts now and in the future to my benefit.

In regards to the physical security of the data and information on my computer, it is probably not that secure. The only defense mechanism on my computer is a password or fingerprint access to my user account. If I were to lose my computer or it was stolen, it probably would not be that hard to break into my user account and steal any information that is contained on my computer.
In the situation of me working for a large multinational business or government department, the measures which I could take to mitigate the risks of physical theft or loss may be vast. The main measure I could take would be to ensure I never left my computer alone and always had it with me, especially whilst travelling.
There are a couple of measures which could help me, including CompuTrace and burglar alarms.

Friday, September 10, 2010

Week 7 Blog entry

1.Which architecture for deploying a firewall is most commonly used in businesses today? Why?

The most commonly used architecture for deploying a firewall is the screened subnet firewall (with DMZ). The DMZ, or demilitarised zone, can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet. A common arrangement finds the subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network. Connections from the outside or untrusted network are routed through an external filtering router, then in to and out of a routing firewall to the separate network segment known as the DMZ.
Screened subnet firewalls are the most commonly used architecture for various reasons, including that they provide flexibility, especially for internet-based applications such as e-mail, web services and e-commerce. It also allows servers that must be accessible from the internet to be hosted while still protecting back-office services on the secure internal network or intranet. The use of the DMZ can harden the exposed servers by using security tools and checklists for server operating systems.
Rather than using only the packet-filtering router as the front door to the DMZ, the screened subnet adds a second firewall behind it for further inspection of traffic. These features of a screened subnet firewall (with DMZ) are why it is the most commonly used architecture for deploying a firewall.
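As an added illustration (not part of the original post), the two-stage filtering of the screened subnet can be modelled as a small policy check: a packet must satisfy the external packet-filtering router to reach the DMZ, and a second, stricter rule set to cross from the DMZ into the trusted network. The address ranges, zone names, device names and port lists below are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption for the example, not from the post).
ZONE_NETS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),     # screened subnet with the bastion hosts
    "internal": ipaddress.ip_network("10.0.0.0/8"),  # trusted internal network
}
# Physical order of the zones: the external router sits between the internet
# and the DMZ, the second firewall between the DMZ and the internal network.
ZONE_ORDER = ["internet", "dmz", "internal"]
BOUNDARY = {
    frozenset({"internet", "dmz"}): "external_router",
    frozenset({"dmz", "internal"}): "internal_firewall",
}

# Rules: (source zone, destination zone, allowed destination ports or None for any).
# Only the request direction is modelled; return traffic is assumed to be
# handled by connection tracking on each device.
RULES = {
    "external_router": [
        ("internet", "dmz", {25, 80, 443}),  # public mail and web on the bastion hosts
        ("dmz", "internet", None),           # bastions may initiate outbound connections
        ("internal", "internet", None),      # trusted users browse out through the DMZ segment
    ],
    "internal_firewall": [
        ("dmz", "internal", {1433}),         # web bastion to an internal database only (assumed port)
        ("internal", "dmz", None),           # administration of the bastions from inside
        ("internal", "internet", None),
    ],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Classify an address as dmz, internal, or (by default) internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "internet"


def filter_path(pkt: Packet) -> list:
    """Return the filtering devices the packet must cross, in traversal order."""
    i, j = ZONE_ORDER.index(zone_of(pkt.src)), ZONE_ORDER.index(zone_of(pkt.dst))
    step = 1 if j > i else -1
    return [BOUNDARY[frozenset({ZONE_ORDER[k], ZONE_ORDER[k + step]})] for k in range(i, j, step)]


def device_allows(device: str, pkt: Packet) -> bool:
    """True if any rule on the device matches the packet's zones and port."""
    s, d = zone_of(pkt.src), zone_of(pkt.dst)
    return any(src == s and dst == d and (ports is None or pkt.dport in ports)
               for src, dst, ports in RULES[device])


def is_allowed(pkt: Packet) -> bool:
    """A packet passes only if every device on its path allows it."""
    return all(device_allows(dev, pkt) for dev in filter_path(pkt))
```

The check that matters for the DMZ argument is the last two assertions in spirit: a bastion host that is compromised can only reach the trusted network on the single port the internal firewall permits, so the second firewall, not the outer router, is what protects the back-office services.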

2.What are the reasons that VPN technology has become the dominant method for remote workers to connect to the organizational network?

A VPN is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. VPNs are commonly used to securely extend an organisation's internal network connections to remote locations beyond the trusted network.
Reasons why VPN technology has become the dominant method for remote workers to connect to the organisation's network include that it allows employees to safely log into company networks from anywhere. It is extremely convenient for individuals who travel, as they can stay connected to the corporate intranet over long distances. The VPN allows users to use public networks like the internet rather than relying on private leased links that are expensive, which also allows the organisation to cut costs. Individuals from the organisation can thus work at customer sites, business partners, hotels and other untrusted locations and access the corporate network safely over dedicated private connections. This comes through the use of restricted-access networks that utilise the same cabling and routers as a public network, and they do so without sacrificing features or basic security.

3.Will biometrics involve encryption? How are biometric technologies dependent on the use of cryptography?

Encryption is the process of converting an original message into a form that is unreadable by unauthorised individuals.
Biometrics "is the science and technology of measuring and analysing biological data. In information technology, biometrics refers to technologies that measure and analyse human body characteristics, such as DNA, fingerprints, eye retinas and irises, voice patterns and hand measurements, for authentication purposes" (http://searchsecurity.tehtarget.com/sDefinition/0,,sid14_gci21166,00.html). Yes, biometrics will involve encryption. Biometric encryption is the process of using a characteristic as a method to code, or scramble/descramble, data. Encrypted biometric information is going to make it very difficult for an attacker to steal or break passwords or personal identification numbers. As biometric data is one-of-a-kind human information it is very difficult to copy, and if it is encrypted it is difficult to make this information readable by a user.
Cryptography "can be defined as the conversion of data into a scrambled code that can be deciphered and sent across a public or private network" (www.barcodesinc.com).
Biometric technologies are dependent on the use of cryptography as it allows biometric information to be scrambled into code which can be sent across networks.

Sunday, September 5, 2010

Week 6 Blog entry

Incident classification is based on the judgement of the information security professionals involved. How would you determine if any given circumstances is business as usual, an incident or a disaster?

Classifying information security incidents is normally done into three categories: business as usual, an incident, or a disaster. Business as usual means events which occur in the normal course of an activity, mainly in circumstances that occur on a day-to-day basis. These may just be small events which happen daily. An incident would be an occurrence or event which interrupts normal procedures; this type of event would not occur on a daily basis. It would be events which occur from time to time, like security threats or warnings. A disaster, on the other hand, would be an event which causes widespread destruction and distress; this may occur if the whole information security system is taken out, major amounts of information are stolen, or there is a major breach of security.

It's often said that information security begins with solid policy. Why is this so?

A policy is described as a principle or rule to guide decisions and achieve rational outcomes. With this kept in mind, if managers use solid policy to guide them when dealing with information security they should be able to make more informed and educated decisions, thus leading to more successful information security and protection of their information.

Keeping policy current is critical. How do you think policy needs to be updated to accommodate current events? Give examples where possible.

Policy needs to be continuously controlled and monitored to accommodate current events. As technology is forever evolving and growing, an organisation's policy must stay constantly new and with the times to ensure it can plan its security measures and processes. All sorts of new attacks and threats are occurring daily, and these need to be countered by organisations to ensure they are not vulnerable to any threats.