Friday, November 20, 2015

Week 12 - Blog Summary

Week 12
November 19, 2015
Summary of Blog Posts.
When I started this blog, I was not sure what I was going to write. I thought that I would just address some of the issues we would discuss during this course. So, I tried to include security risk, vulnerability, and policy and practice alongside the ethical aspect as my theme. Throughout my blog, I was just trying to pull some strings, so that I would have a good grip on these issues and tie them together as I move forward.
Week one was really a good insight into the different aspects of information security and the confidentiality, integrity, and availability of an organization’s systems. It addressed these three aspects of information security through the McCumber Cube model and the extended theory added by Sean M. Price, which describes the present context in which practitioners benefit from the McCumber Cube model and a risk-based approach by adding countermeasures to match each attack against the system.
Later, this blog addressed different aspects of risk management, and I found the hard truth that “risk management is the project manager’s friend, if done well”. Since we are reading a lot about the NIST Special Publication 800 series, I thought to take insight from documents such as NIST SP 800-144, 14, 30 (Rev. 1), and 111.
As InfoSec personnel, we always need to have the necessary plan in place for every risk and vulnerability, to minimize the damage and provide efficient security measures. But what happens when your plan trips over? So week 4 was focused on the importance of contingency planning and having a Plan B as the best solution. My few other blogs describe how to manage and predict risk and how we could put security measures in place, such as email security, as well as some common issues to address the possible threats that the development of technology introduces to us. There is no risk management without talking about risk assessment, so this was my learning curve to become familiar with risk assessment and risk management, such as assessing and controlling risk, and how to encrypt data at rest to secure critical data and an organization’s valuable assets.
Threats can have different faces and can exploit a system’s vulnerabilities, but it is our responsibility as security personnel to identify these faces and address them with proper measures, training and awareness, and an outline in the security policy. It is true that organizations are investing a huge amount of budget to deal with external threats, but most of the threats are insiders. So the CERT document dealt with the prevention and detection of insider threats. In that post (week 11), I tried to outline some examples and real-world practice cases and situations documented about insider threats, as well as recommendations for these threats/issues.
This blog has been a good learning experience for me, where I have been able to explore some of the aspects we came across in our 12 weeks of study and the security issues we are trying to address and solve. This practice gave me a real boost to exercise my thoughts through the blog and to put some important issues in front of all of us.



Friday, November 13, 2015

Week 11 - CERT: Common Sense Guide to Prevention and Detection of Insider Threats

Week 11
November 13, 2015
CERT - Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition, Version 3.1
This CERT document outlines several issues regarding insider threats, with real-world cases and situations that came up in business practice. In this post, I would like to discuss using layered defense against remote attacks, one of the insider threat practices outlined in the CERT document.
The main purpose of remote access is to enhance employee productivity, but when an organization provides remote access to employees there is a possibility of attacks carried out remotely using the legitimate access the organization provided. So organizations need to be cautious when providing such access to critical data, processes, or information systems. In most cases remote access makes it easy for an employee to reach the organization’s assets and use them for other purposes, such as personal gain or another business’s advantage, because it eliminates the concern that someone could be physically observing the malicious acts. This possible vulnerability emphasizes the need to build multiple layers of defense against such attacks: provide remote access to the most critical data and functions only from machines that are administered by the organization, and limit access to these assets to the smallest practicable group of users and system administrators.
Therefore, when providing remote access to critical data, processes, and information systems, the organization should offset the added risk with closer logging and frequent auditing of remote transactions: the login account, the date/time connected and disconnected, and the IP address of the user should be logged for all remote logins. Not only successful remote access but also failed remote logins need to be monitored, including the reason the login failed. Organizations often overlook disabling remote access for terminated employees or anyone no longer working with the organization, so it is critical to retrieve all company-owned equipment, disable remote access accounts, disable firewall access, change the passwords of all shared accounts, and close all open connections belonging to the terminated employee, to avoid risk and control their access to the system.
In most cases, user information such as remote access logs, source IP addresses, and phone records helps to identify insiders who intend to attack. It can point out the intruder directly, but the organization has to be cautious when an intruder tries to frame other users, diverting attention away from his/her misdeeds by using another user’s account or by manipulating the monitoring process.
The CERT study found that some of these insider attacks came from the user’s home machine, and most of the time attacks happened from other remote machines that are not under the administrative control of the organization, using applications like PC Anywhere. Although the intention could be personal benefit, another business’s benefit, or some other opportunity or business advantage, it ultimately costs the organization a big loss and could possibly put it out of business. So it is very important to consider providing an extra layer of security, to document all incidents, and to revise that documentation according to the lessons learned from past incidents.
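As an added example (my own code, not from the CERT guide), the following Python script reviews constructed remote-access log lines for the items the guide says to audit: repeated failed logins with their reasons, logins by accounts that should already have been disabled, logins from source addresses outside the organization-administered ranges, and sessions that were never closed. The log format, the managed address range, and the terminated-account list are all assumptions made for the example.

```python
"""Review remote-access logs for the signals the CERT guide says to audit:
failed logins (with reason), logins by accounts that should be disabled,
logins from machines the organization does not administer, and sessions
that were never disconnected."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample log lines (not from CERT or any real system).  The format
# is an assumption: a timestamp followed by key=value fields, one event per line.
SAMPLE_LOG = """\
2015-11-10T08:02:11Z event=login user=asmith result=success src=10.20.30.41
2015-11-10T08:02:11Z event=login user=bjones result=success src=203.0.113.45
2015-11-10T08:05:40Z event=login user=cwong result=failure src=198.51.100.7 reason=bad_password
2015-11-10T08:05:52Z event=login user=cwong result=failure src=198.51.100.7 reason=bad_password
2015-11-10T08:06:03Z event=login user=cwong result=failure src=198.51.100.7 reason=bad_password
2015-11-10T08:06:15Z event=login user=cwong result=failure src=198.51.100.7 reason=account_locked
2015-11-10T17:30:00Z event=logout user=asmith src=10.20.30.41
2015-11-10T23:41:09Z event=login user=dlee result=success src=10.20.30.77
"""

# Assumptions for this example: the address range of organization-administered
# machines, and the accounts that should already have been disabled.
MANAGED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]
TERMINATED_ACCOUNTS = {"dlee"}
FAILURE_THRESHOLD = 3  # report an account at this many failed logins

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Turn one log line into a dict with 'ts' plus its key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for field in m.group("fields").split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_managed(src):
    """True if the source address belongs to an organization-administered range."""
    return any(ipaddress.ip_address(src) in net for net in MANAGED_NETWORKS)


def review(log_text):
    """Return (category, user, detail) findings in the order they are detected."""
    findings = []
    failures = defaultdict(list)  # user -> list of failure reasons
    open_sessions = {}            # user -> (login time, source address)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("event") not in ("login", "logout"):
            continue
        user, src = ev.get("user"), ev.get("src")
        if ev["event"] == "logout":
            open_sessions.pop(user, None)
            continue
        if ev.get("result") == "failure":
            failures[user].append(ev.get("reason", "unknown"))
            if len(failures[user]) == FAILURE_THRESHOLD:
                findings.append(("repeated_failures", user, ",".join(failures[user])))
            continue
        # Successful login: record the session and check who and from where.
        open_sessions[user] = (ev["ts"], src)
        if user in TERMINATED_ACCOUNTS:
            findings.append(("terminated_account_login", user, src))
        if not is_managed(src):
            findings.append(("unmanaged_source", user, src))
    # Anything still open at the end of the log had no matching disconnect.
    for user, (ts, src) in open_sessions.items():
        findings.append(("session_never_closed", user, f"{ts} from {src}"))
    return findings


if __name__ == "__main__":
    for category, user, detail in review(SAMPLE_LOG):
        print(f"{category:24} {user:8} {detail}")
```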
References:

CERT 2009, “Common Sense Guide to Prevention and Detection of Insider Threats”, 3rd Edition- Version 3.1, Published by CERT, Carnegie Mellon. Retrieved From: https://cyberactive.bellevue.edu/bbcswebdav/pid-7538856-dt-content-rid-10132342_2/courses/CIS608-T303_2161_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf

Friday, November 6, 2015

Week 10 - “Guide to Storage Encryption Technologies for End User Devices”

Week 10
November 6, 2015
NIST SP 800-111 “Guide to Storage Encryption Technologies for End User Devices”

Threats are unavoidable but can be minimized. There are many threats to the confidentiality of information stored on end user devices; some are unintentional and some are intentional. Unintentional threats are caused by human error, whereas intentional threats are more serious and are driven by different motives. Intentional threats can cause mischief and disruption and can be used to commit identity theft and other fraud. Threats come in many forms, such as internal, when an employee misuses his/her position to access critical information, and external, when someone remotely accesses a system or device and attempts to reach the critical information stored on it, which could jeopardize the confidentiality of the organization’s information. (NIST, 2011)

So, securing critical information and the components of end user devices is very important and requires additional measures to protect against threats from unauthorized users or parties. This publication provides recommendations for storage encryption, and the security controls that allow only authorized users or parties to access sensitive information stored on end user devices are encryption and authentication.
1.  When selecting a storage encryption technology, organizations should consider solutions that use existing system features (such as operating system features) and infrastructure.
Some encryption solutions require you to deploy servers and install client software on the devices to be protected, while others can use existing servers and software already present on or built into the devices, such as Federal Information Processing Standard (FIPS) features (Jackson, 2009). The more extensive the changes to the infrastructure and devices, the more likely the storage encryption solution will cause a loss of functionality or other problems with the devices. Therefore, compare the loss of functionality with the gains in security and decide whether the trade-off is acceptable; such a solution should be used only when other solutions cannot meet the organization’s needs. (NIST, 2011)
2.  Organizations should use centralized management for all deployments of storage encryption except for standalone deployments and very small-scale deployments.
Centralized management is recommended for storage encryption because it enables efficient policy verification and enforcement, key management, authenticator management, data recovery, and other management tasks. It also can automate deployment and configuration of encryption software, distribution and installation of updates, collection and review of logs, and recovery of information from local failures. (NIST, 2011)
3.  Organizations should ensure that all cryptographic keys used in a storage encryption solution are secured and managed properly to support the security of the solution.
Storage encryption technologies use one or more cryptographic keys to encrypt and decrypt the data that they protect. If a key is lost or damaged, it may not be possible to recover the encrypted data from the computer, so key management must cover every aspect of a key’s life: generation, use, storage, recovery, and destruction. Organizations need to consider how key management practices can support the recovery of encrypted data when a key is inadvertently destroyed or becomes unavailable (NIST, 2011). Also consider how changing keys will affect access to encrypted data on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed. (Jackson, 2009)
4.  Organizations should select appropriate user authenticators for storage encryption solutions.
Storage encryption solutions require users to authenticate successfully, using authenticators such as passwords, personal identification numbers, cryptographic tokens, biometrics, and smart cards, before accessing the information that has been encrypted (NIST, 2011). Organizations should consider using existing enterprise authentication tools such as Active Directory or a public-key infrastructure instead of adding another authenticator for users; this is usually acceptable if two-factor authentication is already being used. Organizations should not use passwords that are transmitted in plain text as single-factor authenticators for encryption. (Jackson, 2009)
5.  Organizations should implement measures that support and complement storage encryption implementations for end user devices.
Sometimes storage encryption will not be adequate security for stored information, so additional security controls should be selected based on the categories for the potential impact of a security breach on a particular system outlined in FIPS 199, with NIST SP 800-53 recommended for the minimum security controls. (NIST, 2011)
Supporting controls include:
· Revising organizational policies as needed to incorporate appropriate usage of the storage encryption solution.
· Securing and maintaining end user devices properly, which should reduce the risk of compromise or misuse. This includes securing device operating systems, applications, and communications, and physically securing the devices.
· Making users aware of their responsibilities for storage encryption, such as encrypting sensitive files, physically protecting mobile devices and removable media, and promptly reporting loss or theft of devices and media. (NIST, 2011)
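As an added example (my own code, not NIST’s or any product’s), the following Python script shows the key management practice behind recommendation 3 above: each device or removable medium gets its own data-encryption key (DEK), wrapped under a versioned key-encryption key (KEK) held by a central key manager, and rotating the KEK retains the previous versions so media encrypted before the rotation can still be unwrapped and later re-wrapped. The HMAC-based keystream stands in for the block cipher a real product would use, so the example runs with only the standard library.

```python
"""Key management for storage encryption: versioned KEKs wrap per-medium DEKs.
Rotation keeps old KEK versions so previously encrypted media stay recoverable."""
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    # Counter-mode keystream built from HMAC-SHA256.  This is a stand-in for a
    # real block cipher (e.g. AES) so the example needs only the standard library.
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key or altered data is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManager:
    """Central key management (assumed): keeps every KEK version ever issued."""

    def __init__(self):
        self.keks = {}   # KEK version -> key bytes
        self.current = 0
        self.rotate()

    def rotate(self):
        """Issue a new KEK version; older versions are retained, not replaced."""
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        return self.current

    def new_medium(self):
        """Generate a DEK for a new device or removable medium.  Returns the
        header stored on the medium (KEK version + wrapped DEK) and the DEK."""
        dek = secrets.token_bytes(32)
        header = {"kek_version": self.current,
                  "wrapped_dek": seal(self.keks[self.current], dek)}
        return header, dek

    def unwrap(self, header):
        """Recover a medium's DEK under whichever KEK version wrapped it."""
        kek = self.keks.get(header["kek_version"])
        if kek is None:
            raise KeyError(f"KEK version {header['kek_version']} is not retained")
        return unseal(kek, header["wrapped_dek"])

    def rewrap(self, header):
        """Move a medium to the current KEK (e.g. the next time it is connected)."""
        dek = self.unwrap(header)
        return {"kek_version": self.current, "wrapped_dek": seal(self.keks[self.current], dek)}

    def discard_version(self, version):
        """Destroy an old KEK.  Safe only after every medium wrapped under it has
        been re-wrapped; any medium still referencing it becomes unrecoverable."""
        if version == self.current:
            raise ValueError("cannot discard the current KEK")
        del self.keks[version]


def demo():
    """Encrypt data on a medium, rotate the KEK, and show the medium still opens."""
    km = KeyManager()
    header, dek = km.new_medium()
    stored = seal(dek, b"customer list (constructed sample data)")
    km.rotate()                       # KEK v2 issued; v1 retained
    assert km.unwrap(header) == dek   # old header still unwraps under v1
    header = km.rewrap(header)        # now wrapped under v2
    return unseal(km.unwrap(header), stored)


if __name__ == "__main__":
    print(demo())
```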

 

References:

· NIST 2011, “Guide to Storage Encryption Technologies for End User Devices”, published as NIST SP 800-111, November 2007. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

· Jackson, William. 2009. “Five Encryption Tips from NIST”, published on GCN.com, April 15, 2009. Retrieved from: https://gcn.com/Articles/2009/04/20/Crypto-best-practices-sidebar.aspx

Friday, October 30, 2015

Week 9- "Risk Management: Assessing and Controlling Risk"

Week 9
October 29, 2015
Risk Management: Assessing and Controlling Risk

This week we discussed risk management and risk control strategies.
Let’s talk about some security mistakes we make in our everyday work.
· The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures.
· Leaving unattended computers on
· Opening email from strangers (the “I Love You” virus)
· Poor password selection. A good example is: "I pledge allegiance to the flag" becomes "ipa2tf."
· Laptops have legs: physical security
· Loose lips sink ships: people talk about passwords
· Plug and Play (technology that enables hardware devices to be installed and configured without protection)
· Unreported security violations
· Behind the times in terms of patches
· Not watching for dangers within your own organization.
So, to keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data. These objectives are met via the application of the principles of risk management.
Once the ranked vulnerability risk worksheet is complete, the organization must choose one of four strategies to control each risk:
1. Apply safeguards (avoidance)
Avoidance is accomplished through:
· Application of policy
· Application of training and education
· Countering threats
· Implementation of technical security controls and safeguards
2.    Transfer the risk (transference)
This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or by implementing service contracts with providers.
3.    Reduce impact (mitigation)
Mitigation is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability.
This approach includes three types of plans:
i. The disaster recovery plan (DRP),
ii. Incident response plan (IRP), and
iii. Business continuity plan (BCP).
Mitigation depends upon the ability to detect and respond to an attack as quickly as possible.
4. Understand consequences and accept risk (acceptance)
This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure.
The only valid use of the acceptance strategy occurs when the organization has:
§ Determined the level of risk to the information asset
§ Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
§ Approximated the ARO of the exploit
§ Estimated the potential loss from attacks
§ Performed a thorough cost benefit analysis
§ Evaluated controls using each appropriate type of feasibility
§ Decided that the particular asset did not justify the cost of protection
Some rules of thumb on strategy selection are:
§ When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exercised.
§ When a vulnerability can be exploited: Apply layered controls to minimize the risk or prevent occurrence.
§ When the attacker’s potential gain is greater than the costs of attack: Apply protections to increase the attacker’s cost, or reduce the attacker’s gain, using technical or managerial controls.
§ When potential loss is substantial: Apply design controls to limit the extent of the attack, thereby reducing the potential for loss.

References:

Michael E. Whitman and Herbert J. Mattord, “Management of Information Security”, Fourth Edition, Published by Cengage Learning

Sunday, October 25, 2015

Week 8 - “Guide for Conducting Risk Assessments”

Week 8
October 25, 2015
NIST SP 800-30 Rev.1 “Guide for Conducting Risk Assessments”
As technological advancement and an easily accessible Internet bring sophistication everywhere, complex and sophisticated threats are becoming imminent too. Therefore, risk assessment is an essential tool for any organization as part of a comprehensive risk management program.
Risk assessments can help organizations determine the most appropriate risk response to ongoing cyber attacks or threats of disaster (man-made or natural). They guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations, assets, individuals, and other organizations’ concerns. Risk assessments also help to maintain ongoing situational awareness with regard to the security state of organizational information systems and the environments in which the systems operate.
This updated National Institute of Standards and Technology Special Publication (NIST SP) 800-30 focuses exclusively on risk assessments, one of the four steps in the risk management process. The risk assessment guideline has been significantly expanded to include more in-depth information on a wide variety of risk factors essential to determining information security (InfoSec) risk, including threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of the threat. The three-step process described in this special publication includes key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results.
Along with the comprehensive approach to assessing an organization’s InfoSec risk, SP 800-30 provides specific guidelines describing how to apply the process at the three tiers of the risk management hierarchy: the organization level, the business process level, and the information system level. It also provides a framework for individuals or groups to conduct risk assessments within organizations, and a set of exemplary templates, tables, and assessment scales that give maximum flexibility in designing risk assessments based on the purpose, scope, assumptions, and constraints the organization has established.

References:
NIST SP 800-30 Rev.1, “Guide for conducting Risk Assessments”, Published on NIST.gov on September 2012. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf


Sunday, October 18, 2015

Week 7 Post- Why you should adopt the NIST Cybersecurity Framework?

Week 7

October 18, 2015

Why you should adopt the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework comprises best practices from various standards bodies that are proven and successful when implemented, and it also may deliver a regulatory and legal advantage that extends well beyond improved cybersecurity for organizations that adopt it early.
The framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs.  It comprises three primary components: Profile, Implementation Tiers, and Core.
For most organizations, whether they are owners, operators, or suppliers for critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. Organizations that adopt the Framework at the highest possible risk-tolerance level may be better positioned to comply with future cybersecurity and privacy regulations.
It is impossible to include all aspects of cybersecurity in one practice framework, but NIST provides comprehensive, prescriptive guidelines for all entities across industries. Although the framework offers worthwhile standards for improving cybersecurity, it does not fully address several critical areas.
The NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards. Organizations across industries may gain significant benefits by adopting the guidelines at the highest possible risk-tolerance level given their investment capital.
Although adopting the NIST Cybersecurity Framework has many benefits, implementation may involve certain challenges. Critical infrastructure owners and providers may find it difficult to assess their Implementation Tier, which demands a holistic view of the entire ecosystem and the ability to be truly objective.

References:

· NIST 2014, “Framework for Improving Critical Infrastructure Cybersecurity”, published on NIST.gov, February 12, 2014. Retrieved from: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

· PWC 2014, “Why you should adopt the NIST Cybersecurity Framework”, published on PWC.com, May 2014. Retrieved from: https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf

Sunday, October 11, 2015

Week 6 - How to secure your Email communication?

Week 6

October 10, 2015

How to secure your Email communication?
Communication is important to any organization, and email is more popular than ever. Nowadays, using email as the main tool to communicate with all individuals related to your organization benefits it in many ways. There is no doubt that for an Internet-based organization, email brings several threats that most employees are not even aware of. So there is always a need for training and awareness regarding how to use email, what to access and what not to, and how to find out whether an email is trustworthy or not.
Here are some common issues and considerations for using email in a secure way and being cautious of the possible threats that come with the development of technology.
1. The organization should implement an acceptable use policy for email communication that all employees must comply with. This kind of policy will help the organization protect its employees and its business. The policy should provide the necessary measures to monitor email communication on a regular basis.
2. All email should be encrypted, which helps to protect the information system and security of an organization as well as the organization’s assets. When sending sensitive information via email, it is necessary to use commonly used methods of email encryption such as PGP and S/MIME.
3. Take the necessary measures when sending or replying to email. When responding to email, using the reply-all function could send your classified information to unrelated people, so it is important to check recipients carefully and remove unwanted recipients from your email before sending sensitive information.
4. Keep your software up to date to avoid malware or other unnecessary threats that could expose sensitive information or leave you vulnerable to such threats.
5. Always use security software to avoid spreading malware and becoming a victim of phishing attacks. It is necessary to use trusted security software approved by your organization and keep it up to date: malware prevention and a securely configured firewall.
6. Avoid email from unknown users and untrusted email content. Do not click any linked websites or open any attachments in such email. Malicious emails often contain attachments that carry malware, or hide it in attached PDF and zip files. Always perform a security scan of your mail before opening any content.
7. Always disable automatic content downloads, because those downloads could open a door for hackers to access your system and your organization’s sensitive information.
8. Always use a unique and strong password for your email to prevent an attacker from accessing your email account and the sensitive information stored on or linked to your system. Always use an algorithmic pattern to create passwords, use at least 8 characters, and include numbers and special characters.
9. Always log out of your system after checking or sending email. This provides a security measure and prevents unauthorized users from accessing the system.
10. Filter email and delete or archive old email or email that is no longer in use.
There is no doubt that every organization has its own set of policies and guidelines for using email in a secure manner and keeping sensitive information safe from disaster. And always keep a close eye on the security software and make sure all software has the latest updates.

 References:


PJ 2009, “Secure Email Communication and Use”, Published on MindfulSecurity.com, Retrieved From: http://mindfulsecurity.com/2009/11/06/secure-email-communication-and-use/

Sunday, October 4, 2015

Information Security Policy

Week 5

October 4, 2015

Information Security Policy

An Information Security Policy (ISP) is designed to safeguard the confidentiality, integrity, and availability of all physical and electronic assets of the organization and to ensure that regulatory, operational, and contractual requirements are fulfilled. The ISP should outline the overall goals of the organization, such as: compliance with laws, regulations, and guidelines; meeting the confidentiality, integrity, and availability requirements of the organization’s employees and other users; establishing the necessary controls for protecting information and information systems against theft, abuse, and other forms of harm and loss; motivating employees to take responsibility for, and ownership of, knowledge about information security in order to reduce the risk of security incidents; and so on. (Whitman and Mattord)
The ISP should address the current business strategy and framework for risk management and provide guidelines for identifying, assessing, evaluating, and controlling information-related risks through establishing and maintaining the ISP. To secure operations at the organization even after incidents, it should ensure the availability of continuity plans, backup procedures, defenses against damaging code and malicious activities, system and information access controls, and incident management and reporting.
One of the examples of an ISP is the bull’s-eye model. This is a proven mechanism for prioritizing complex changes, and it is widely accepted among InfoSec practitioners. The model focuses on systematic solutions where issues are addressed by moving from the general to the specific. (Whitman and Mattord)
It is necessary that policy directly addresses how issues should be handled and how technologies should be used, rather than specifying the proper operation of equipment or software. The ISP should outline the consequences of unacceptable behavior.
For an organization to have a complete ISP, management has to define the Enterprise Information Security Policy (EISP), Issue-Specific Security Policies (ISSP), and System-Specific Security Policies (SysSP), which are based on NIST SP 800-14, published in 1996. When developing these policies, the organization first has to create the EISP, which is the highest level of policy, and after that the general security policy needs are met by developing the ISSP and SysSP policies. (Whitman and Mattord)
NIST SP 800-14, Generally Accepted Principles and Practices for Securing IT Systems, describes best practices and information on commonly accepted information security principles that can be used to develop a security blueprint. It describes principles that should be integrated into the information security process. The more significant points made in SP 800-14 are:
· Security supports the mission of the organization
· Security is an integral element of sound management
· Security should be cost-effective
· Systems owners have security responsibilities outside their own organizations
· Security responsibilities and accountability should be made explicit
· Security requires a comprehensive and integrated approach
· Security should be periodically reassessed
· Security is constrained by societal factors
In fact, policy drives the performance of personnel in ways that enhance the InfoSec of an organization’s information assets. Although InfoSec policies are the least expensive means of control, they are often the most difficult to implement.

References:

Michael E. Whitman and Herbert J. Mattord, “Management of Information Security”, Published by Cengage Learning, Fourth Ed