Friday, November 20, 2015

Week 12 - Blog Summary

Week 12
November 19, 2015
Summary of Blog Posts.
When I started this blog, I was not sure what I was going to write. I thought that I would just address some of the issues we would discuss during this course. So, I tried to include security risk, vulnerability, and policy and practice, alongside the ethical aspect, as my theme. Throughout my blog, I was just trying to pull some strings so that I would have a good grip on these issues and tie them together as I moved forward.
The first week was really a good insight into the different aspects of information security and an organization's system confidentiality, integrity, and availability. These three aspects of information security were addressed through the McCumber Cube model and the extended theory added by Sean M. Price, which describes, in the present context, how practitioners are benefiting from the McCumber Cube model and a risk-based approach by adding countermeasures to match each attack against the system.
Later, this blog addressed the different aspects of risk management, and I found the hard truth that "risk management is the project manager's friend, if done well". Since we are reading a lot about the NIST Special Publication 800 series, I thought to take insight from those documents, such as NIST SP 800-144, 800-14, 800-30 (Rev. 1), and 800-111.
As InfoSec personnel, we always need to have the necessary plans in place for all risks and vulnerabilities to minimize damage and provide efficient security measures, but what happens when your plan trips over? So week 4 was focused on the importance of contingency planning and having a Plan B as the best solution. My few other blogs describe how to manage and predict risk and how we could put security measures in place, such as email security, as well as some common issues to address the possible threats that the development of technology introduces to us. There is no risk management without talking about risk assessment, so this was my learning curve to become familiar with risk assessment and risk management, such as assessing and controlling risk and how to encrypt data at rest to secure critical data and the organization's valuable assets.
Threats can have different faces and can exploit a system's vulnerabilities, but it is our responsibility as security personnel to identify these faces and address them with proper measures, training and awareness, and outlining them in the security policy. It is true that organizations are investing a huge amount of budget to deal with external threats, but most of the threats are insiders. So, the CERT document dealt with prevention and detection of insider threats. In this post (week 11), I tried to outline some examples and real-world practice cases and situations documented about insider threats, as well as recommendations for these threats/issues.
This blog has been a good learning experience for me, where I have been able to explore some of the aspects we came across in our 12 weeks of study and the security issues we are trying to address and solve. This practice gave me a real boost to exercise my thinking through the blog, explore my thoughts, and put some important issues in front of all of us.



Friday, November 13, 2015

Week-11, CERT - Common Sense Guide to Prevention and Detection of Insider Threats

Week 11
November 13, 2015
CERT - Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition - Version 3.1
This CERT document outlines several issues regarding insider threats, with real-world cases and situations that came up in business practice. In this blog, I would like to discuss using a layered defense against remote attacks, one of the insider threat practices outlined in the CERT document.
While providing remote access to employees, there is a possibility of an attack carried out remotely using the legitimate access provided by the organization, although the main purpose of remote access is to enhance employee productivity. So, organizations need to be cautious while providing such access to critical data, processes, or information systems. In most cases it makes it easy for an employee to access the organization's assets and use them for other purposes, such as personal gain or another business's advantage, because it eliminates the concern that someone could be physically observing the malicious acts. This possible vulnerability emphasizes the need to build multiple layers of defense against such attacks: provide remote access to the most critical data and functions only from machines that are administered by the organization, and limit access to these assets to the smallest practicable group and to system administrators.
Therefore, while providing remote access to critical data, processes, and information systems, the organization should offset the added risk with closer logging and frequent auditing of remote transactions: the login account, the date/time connected and disconnected, and the IP address of the user should be logged for all remote logins. Not only successful remote access but also failed remote logins need to be monitored, including the reason the login failed. Organizations often overlook disabling remote access for terminated employees or others no longer working with the organization, so it is critical to retrieve all company-owned equipment, disable remote access accounts, disable firewall access, change the passwords of all shared accounts, and close all open connections of the terminated employee to reduce risk and control their access to the system.
Most of the time, user information such as remote access logs, source IP addresses, and phone records helps to identify insiders who intended to attack. It helps to point out the intruder directly, but the organization has to be cautious when an intruder tries to frame other users, diverting attention away from his/her misdeeds by using another user's account or manipulating the monitoring process.
According to the CERT study, some of those insider attacks came from the user's home machine, and most of the time attacks happened from other remote machines that were not under the administrative control of the organization, using applications like PC Anywhere. Although the intention could be personal benefit, some other business benefit, another opportunity, or a business advantage, it ultimately costs the organization a big loss and could possibly put it out of business. So it is very important to consider providing an extra layer of security, to document all incidents, and to revise that documentation according to the lessons learned from past incidents.
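As an added example (not from the CERT guide or this blog), the Go program below audits a constructed remote-access log against the controls described above: it reports every failed login with its reason, any login by an account that should have been disabled at termination, and any login from a machine outside the organization-managed address range. The log format, the account names, and the address ranges are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed remote-access log (not from the CERT guide): timestamp, then key=value fields.
var sampleLog = []string{
	"2015-11-13T08:02:11Z user=jdoe src=10.20.0.15 action=login result=success",
	"2015-11-13T08:41:57Z user=jdoe src=10.20.0.15 action=logout result=success",
	"2015-11-13T22:15:03Z user=asmith src=198.51.100.23 action=login result=failure reason=bad_password",
	"2015-11-13T23:05:12Z user=rlee src=203.0.113.7 action=login result=success",
	"2015-11-13T23:40:00Z user=jdoe src=198.51.100.23 action=login result=success",
}

// Constructed policy inputs: accounts that should already be disabled, and the managed address range.
var terminated = map[string]bool{"rlee": true}
var managedNet = "10.20.0.0/16"

// Audit returns one finding per remote login that merits review: each failed login with
// its reason, any login by a terminated account, and any login from outside the managed range.
func Audit(lines []string, term map[string]bool, cidr string) []string {
	managed := netip.MustParsePrefix(cidr)
	var out []string
	for _, l := range lines {
		ts, rest, _ := strings.Cut(l, " ")
		kv := map[string]string{}
		for _, p := range strings.Fields(rest) {
			if i := strings.IndexByte(p, '='); i > 0 {
				kv[p[:i]] = p[i+1:]
			}
		}
		if kv["action"] != "login" { // disconnects are logged too, but need no finding
			continue
		}
		src, _ := netip.ParseAddr(kv["src"]) // an unparsable source counts as unmanaged
		switch {
		case kv["result"] == "failure":
			out = append(out, fmt.Sprintf("%s FAILED %s from %s (%s)", ts, kv["user"], kv["src"], kv["reason"]))
		case term[kv["user"]]:
			out = append(out, fmt.Sprintf("%s TERMINATED account %s from %s", ts, kv["user"], kv["src"]))
		case !managed.Contains(src):
			out = append(out, fmt.Sprintf("%s UNMANAGED source %s for %s", ts, kv["src"], kv["user"]))
		}
	}
	return out
}
func main() { fmt.Println(strings.Join(Audit(sampleLog, terminated, managedNet), "\n")) }
```

The three checks are applied in priority order, so a single login produces at most one finding; successful logins from managed machines by active accounts produce none.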
References:

CERT 2009, “Common Sense Guide to Prevention and Detection of Insider Threats”, 3rd Edition - Version 3.1, published by CERT, Carnegie Mellon. Retrieved from: https://cyberactive.bellevue.edu/bbcswebdav/pid-7538856-dt-content-rid-10132342_2/courses/CIS608-T303_2161_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf

Friday, November 6, 2015

Week 10 - “Guide to Storage Encryption Technologies for End User Devices”

Week 10
November 6, 2015
NIST SP 800-111 “Guide to Storage Encryption Technologies for End User Devices”

Threats are unavoidable but can be minimized. There are many threats to the confidentiality of information stored on end user devices; some are unintentional, and some are intentional. Unintentional threats are caused by human error, whereas intentional threats are more serious and driven by different motives. These intentional threats could cause mischief and disruption and commit identity theft and other possible fraud. Threats could come in many forms, such as internal, when an employee misuses his/her position to access critical information, and external, when someone remotely accesses a system or device and attempts to access critical information stored on it, which could jeopardize the organization's confidentiality. (NIST, 2011)

So, securing critical information and components of end user devices is very critical and requires additional measures to protect against threats from unauthorized users or parties. This publication provides recommendations for encryption on the basis of storage security. The security controls that allow only authorized users or parties to access sensitive information stored on end user devices are encryption and authentication.
1. When selecting a storage encryption technology, organizations should consider solutions that use existing system features (such as operating system features) and infrastructure.
Some encryption solutions require that you deploy servers and install client software on the devices to be protected, while others can use existing servers and software already present on the devices or built into the devices, such as Federal Information Processing Standard (FIPS) (Jackson, 2009). The more extensive the changes to the infrastructure and devices, the more likely the storage encryption solution is to cause a loss of functionality or other problems with the devices. Therefore, compare the loss of functionality with the gains in security and decide if the trade-off is acceptable; such a solution should be used only when other solutions cannot meet the organization's needs. (NIST, 2011)
2. Organizations should use centralized management for all deployments of storage encryption except for standalone deployments and very small-scale deployments.
Centralized management is recommended for storage encryption because it enables efficient policy verification and enforcement, key management, authenticator management, data recovery, and other management tasks. It can also automate deployment and configuration of encryption software, distribution and installation of updates, collection and review of logs, and recovery of information from local failures. (NIST, 2011)
3. Organizations should ensure that all cryptographic keys used in a storage encryption solution are secured and managed properly to support the security of the solution.
Storage encryption technologies use one or more cryptographic keys to encrypt and decrypt the data that they protect. If a key is lost or damaged, it may not be possible to recover the encrypted data from the computer, so key management, which includes all aspects of key generation, use, storage, recovery, and destruction, must be addressed. Organizations need to consider how key management practices can support the recovery of encrypted data when a key is inadvertently destroyed or becomes unavailable (NIST, 2011). Also consider how changing keys will affect access to encrypted data on removable media, and develop feasible solutions, such as retaining the previous keys in case they are needed. (Jackson, 2009)
4. Organizations should select appropriate user authenticators for storage encryption solutions.
Storage encryption solutions require users to authenticate successfully before accessing the information that has been encrypted, using authenticators such as passwords, personal identification numbers, cryptographic tokens, biometrics, and smart cards (NIST, 2011). Organizations should consider using existing enterprise authentication tools such as Active Directory or a public-key infrastructure instead of adding another authenticator for users. This is usually acceptable if two-factor authentication is already being used. Organizations should not use any passwords that are transmitted in plain text as single-factor authenticators for encryption. (Jackson, 2009)
5. Organizations should implement measures that support and complement storage encryption implementations for end user devices.
Sometimes storage encryption alone will not be adequate security for stored information, so additional security controls should be selected based on the categories for the potential impact of a security breach on a particular system outlined in FIPS 199, with NIST SP 800-53 providing the recommended minimum security controls. (NIST, 2011)
Supporting controls include:
· Revising organizational policies as needed to incorporate appropriate usage of the storage encryption solution.
· Securing and maintaining end user devices properly, which should reduce the risk of compromise or misuse. This includes securing device operating systems, applications, and communications, and physically securing the devices.
· Making users aware of their responsibilities for storage encryption, such as encrypting sensitive files, physically protecting mobile devices and removable media, and promptly reporting loss or theft of devices and media. (NIST, 2011)
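The key retention point in recommendation 3 can be made concrete. The Go program below is an added example, not code from SP 800-111 or from this blog: it stores encryption keys by version, tags each encrypted blob with the key version it was written under, retains older versions after a key change so that earlier media stay readable, and fails closed once a version has been destroyed. The Keyring type, its methods, and the sample record are constructed for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Keyring maps key versions to AES-256 keys (added example, not from SP 800-111). New data is sealed
// under Current; retained older versions keep media written under them readable after a key change,
// and deleting a version from Keys makes everything written under it unrecoverable.
type Keyring struct {
	Current uint8
	Keys    map[uint8][]byte
}

// Rotate makes a fresh random key the current version; the previous key is retained.
func (k *Keyring) Rotate() {
	key := make([]byte, 32)
	rand.Read(key) // fills the slice fully; never returns an error since Go 1.24
	k.Current++
	k.Keys[k.Current] = key
}

// Encrypt emits version || nonce || ciphertext, binding the version byte as AAD.
func (k *Keyring) Encrypt(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Keys[k.Current])
	if err != nil { return nil, err } // no key stored for the current version
	g, _ := cipher.NewGCM(block)      // cannot fail for an AES block
	hdr := make([]byte, 1+g.NonceSize())
	hdr[0] = k.Current
	rand.Read(hdr[1:])
	return g.Seal(hdr, hdr[1:], plain, hdr[:1]), nil
}

// Decrypt uses the key named by the blob's version byte; an unknown or destroyed version fails closed.
func (k *Keyring) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 1+12+16 { return nil, fmt.Errorf("blob too short") } // version, nonce, tag
	block, err := aes.NewCipher(k.Keys[blob[0]]) // a nil (missing) key is rejected by size
	if err != nil { return nil, fmt.Errorf("key version %d unavailable, data unrecoverable", blob[0]) }
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, blob[1:13], blob[13:], blob[:1])
}

func main() {
	k := &Keyring{Keys: map[uint8][]byte{}}; k.Rotate()
	blob, _ := k.Encrypt([]byte("constructed sample record"))
	k.Rotate()        // key change: version 1 is retained, so blob still decrypts
	delete(k.Keys, 1) // version 1 destroyed: the same blob is now unrecoverable
	fmt.Println(k.Decrypt(blob))
}
```

Because the version byte is authenticated as additional data, a blob whose version tag has been altered fails to open rather than being decrypted under the wrong key.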


References:

· NIST 2011, “Guide to Storage Encryption Technologies for End User Devices”, NIST SP 800-111, published November 2007. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

· Jackson, William. 2009. “Five Encryption Tips from NIST”, published on GCN.com, April 15, 2009. Retrieved from: https://gcn.com/Articles/2009/04/20/Crypto-best-practices-sidebar.aspx