Physical Security, Security Management

Incident Response – Know what to do when “it” hits

There are four primary responsibilities of security: Prevent, Deter, Detect, and Respond.  We often focus much of our efforts on prevention and detection and neglect deterrence and response.  In today’s post, I want to focus on the latter: how security professionals should respond to incidents and what they need to have in their “toolkit” to be ready when “it” hits the fan.

“Be prepared” is the Boy Scout motto. It should also be a motto for security. We never really know when something bad will occur. It’s usually at the worst possible time (see Murphy’s Law and its corollaries). It’s crucial that security professionals are ready for it and know what to do when “it” hits. The websites linked below provide great resources to help you be prepared for anything that comes your way. They include procedures, templates, and forms that you can use in your security program so you are ready.

Security should have plans and checklists ready to use when there’s an incident. This is for both physical and IT incidents. That way they don’t miss any critical element. I’ve also seen that checklists help in these situations to reduce the impact of any emotions that occur in high-stress situations.

My second law of incident response is “Don’t Panic,” which is also the first line in the Hitchhiker’s Guide to the Galaxy. It works for security as well. It’s important to respond to problems rather than react. Response is positive while reaction is negative and is often associated with panic. We react without thinking, leading to mistakes. If you are prepared, then you’re poised to respond in a positive manner. Think even for a second before you act. Use your resources and respond.

Albert Einstein sums it up best, “You can never solve a problem on the level on which it was created.”

Please feel free to comment on your ideas and suggestions to improve incident response.

Cyberwar, Forensics, Security Management

Cyberthreats – Are You Ready?

Within the last week, there have been two articles on major news sources regarding the importance of Cybersecurity in the Information Age. I’ll summarize them below. These articles demonstrate how everyone needs to have an awareness of cyber threats and the ways to handle them. We’ve seen a good trend in that Cybersecurity is now (finally!) taking a priority for organizations. Whether it’s protecting from Cyberthreats or responding to Cyber incidents, companies need a security plan of action. They can no longer hide from Cyber risks, but must proactively address them.

ABC News – FBI Director Says Cyberthreat Will Surpass Threat From Terrorists (http://abcnews.go.com/blogs/politics/2012/01/fbi-director-says-cyberthreat-will-surpass-threat-from-terrorists/)

FBI Director Robert Mueller and National Intelligence Director James Clapper testified this week before the Senate Select Committee on Intelligence on Cyberthreats. The threat of economic fraud and espionage from state actors such as Russia and China is a real and growing concern. “We foresee a cyber-environment in which emerging technologies are developed and implemented before security responses can be put in place,” Clapper said. The article lists many of the complex computer breaches that highlight the wide array of threats the officials were testifying about.

 

USA Today – Want CSI without the blood? Investigate computer forensics

The television show CSI and its spin-offs have greatly enhanced the profile of forensics practices. Of course, it’s not as easy as it looks on TV. Computer forensics is a skilled discipline that takes years of practice to perfect to ensure all evidence is properly obtained and secured. Today, there’s a huge need as most investigations involve some aspect of information technology.

This article in USA Today discusses the increasing prevalence of computer forensics in law enforcement and investigations. It states that the “Bureau of Labor Statistics estimates computer forensics jobs are expected to grow more than 13 percent in the next several years.” The growth isn’t limited to only computer forensics, but all aspects of Cybersecurity. The National Security Agency has plans to hire 3,000 specialists to combat the thousands of cyberattacks every day in the United States, while the Department of Homeland Security is hiring about 1,000 more Cybersecurity specialists.

These articles show that a new warfront is cyberspace. As a nation, individuals and organizations need to step up their cyber protections and be ready when cyber attacks occur.

We will discuss this and many other aspects of Cyberwar in our webinar / live debate on Wednesday, February 22nd.  See http://www.bellevue.edu/cyberwar/ for details and to register.

Security Management

Ten Years of Trustworthy Computing

I have to admit it, I’m proud of Microsoft.  After taking a beating for many years, Microsoft has gotten security right.  It’s embedded in their development lifecycle and their update strategy has become a de facto standard.  Many companies now provide regular patches and have made it easy for end users to ensure their applications are up-to-date.

Ten years ago on January 15, 2002, Bill Gates released a historical memo announcing the new strategy of “Trustworthy Computing.” This required security to be a priority and that secure practices be embedded throughout the development and maintenance of their products.  This started a history of openness for Microsoft on many security initiatives. You can view the history of Trustworthy Computing at http://www.microsoft.com/about/twc/en/us/history.aspx.

Even though they don’t share their source code, they do share many other things such as their Security Development Lifecycle.  This is the process for assuring that security is considered as an application is being developed.  Microsoft requires their developers follow this process and understand the concepts of developing secure products.  In my opinion, all development efforts should have this requirement, but it seems that it continues to be lacking.

Also part of the Trustworthy Computing initiative started ten years ago is Microsoft’s update strategy. Initially, patches were released as they were ready. That caused problems for systems administrators, so Microsoft decided to roll out patches once a month on the second Tuesday. That practice continues today. To ensure there are no surprises, Microsoft even provides advance notification a week before, which provides a high-level overview of what to expect. The Microsoft Security Bulletins page (http://technet.microsoft.com/en-us/security/bulletin) shows current and past updates.

Microsoft, you’ve come a long way baby.  You are a leader who has taken their role seriously and provided many good products, resources, and references. You continue to live and breathe Trustworthy Computing.  I just hope you can keep it up.

Online Safety Tips, Security Education, Security Management

2012 Webinar Announcement

2012 – The Year of Online Protection

2011 was the year of the breach. 2012 should be the year we get security right and start protecting ourselves, communities, organizations and families online.

To help kick off the New Year, I’m hosting an online seminar titled, “Protecting yourself and your company from the evils of the internet in 2012.” It is scheduled for Wednesday, January 25, 1-2 p.m. CST and you can see it freely online, once you register.

From our Seminars and Outreach page:

Ron Woerner, Director of Bellevue University’s Master of Science in Cybersecurity program, will discuss the perils of the Internet, how hackers can take over your computer and how they access your private information. It’s not all doom and gloom, though. Woerner will suggest ways to protect yourself and your company in 2012. Come to this online presentation with your questions on online safety and security. You will have the opportunity to participate in a live question and answer session with Woerner following the presentation.

It’s going to be more than just your typical & basic keep yourself safe online talk.  I will be providing detailed tips, tricks, and techniques to keep 2012 from being another Year of The Breach. It will end with a chance for you to ask your questions about online protection to help you focus your security activities in 2012.

Please join in the conversation if you want to learn more about online safety, hear about our Cybersecurity programs, or are just looking for certification credits.

To learn more and register for the event, go here: http://www.bellevue.edu/cybersecurity/.

Security Management

2011 USSTRATCOM Cyber and Space Symposium

USSTRATCOM has just released the symposium videos from the speaker and panel presentations.  If you missed the symposium, I encourage you to view some of the videos.  Video files and presentations from the featured speakers and panel sessions are available at http://www.afcea.org/events/stratcom/11/presentations.asp.

One panel that I found to be most enlightening (maybe because I have been saying some of the same things!) was the Cyber Industry panel. It is all very good, but if you are in a hurry, listen to Scott Montgomery speak (minutes 44 to 48) on this clip: http://www.slideshare.net/afcea/stratcom-day2-session-12

What do you think?  How do we integrate/use/capitalize on all the newest concepts and still maintain sound security practices?

Security Education, Security Management

Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise

Fresh off the press:  The Department of Homeland Security (DHS) has published and released strategy guidelines for the enforcement of cybersecurity. It provides a road map for cybersecurity efforts while observing the need to preserve civil liberties, protect privacy, bolster national security, and provide the ability for the private sector to effectively operate and innovate in cyberspace. The full text of the Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise can be found here:

Source:  http://www.dhs.gov/xlibrary/assets/nppd/blueprint-for-a-secure-cyber-future.pdf

I think it is a sound document that is probably worth taking the time to read, especially for cybersecurity professionals whether working in government or private sectors.   Let’s face it, we all share the same cyber “ecosystem.” 

One area in the blueprint caught my attention:

…10. Develop the Cyber Workforce in the Public and Private Sectors: Maintain a strong cadre of cybersecurity professionals to design, operate, and research cyber technologies, enabling success against current and future threats.

Core capabilities for the homeland security enterprise are:

Development of a rigorous cybersecurity and software assurance curriculum, and sustained enrollment in targeted fields of study. Relevant disciplines include science, technology, engineering, and math. The National Initiative for Cybersecurity Education (NICE) will strengthen formal cybersecurity education programs and use competitions to develop skill sets from kindergarten through 12th grade, and in higher education and vocational programs. Additionally, four-year colleges and graduate-level universities may apply to be designated as a National Center of Academic Excellence in Information Assurance Education.

There are two points I would like to highlight from this quote:

1.  The fact that you are reading this blog on the Center for Cybersecurity Education website means that you are making an effort to increase your knowledge on cybersecurity issues.  Good job!

2.  Bellevue University is very serious about developing the rigorous curriculum described above.  In fact, BU is in the process of applying to be designated as a National Center of Academic Excellence in Information Assurance Education.  We should know the results in the next few months.

So, what are your thoughts about the blueprint? Is it relevant or useful?

Security Management

Introducing the Bellevue University Cybersecurity Blog

Welcome to the Bellevue University Cybersecurity Center Blog (a member of the Bellevue University blogging network). 

In this blog, you will hear a variety of perspectives on Cybersecurity from different voices.  The topics include its purpose, methods for security management, current threats and vulnerabilities, and Cybersecurity news. It’s our way of sharing with the students and community and spreading the word about protecting yourself in the cyber world. With more than 2 billion Internet users, there are many threats: malicious, unintentional, and natural.  We need to ensure there are basic protections in place to protect our cyber world, so it’s safe for all users. To do that, we need to continually educate ourselves and each other.

What is Cybersecurity?

The practice of Cybersecurity is preventing, deterring, detecting, and responding to threats to the confidentiality, integrity, and availability of information systems.  This is my definition based on feedback from a number of friends and colleagues.  What do you think about it? Is it complete?  Feel free to leave a comment below with your thoughts.

The one element that I think is missing is risk and risk management.  Security is a component of risk management and is a method, process, or tool for protecting critical organizational assets.  Security should be based on the identified risks and balanced with usability and cost.

Why should I care?

Security is both an action and a feeling.  We need to take that into account when designing, implementing, and managing security controls.  You need to ask intelligent questions about the risks and the protection methods to ensure you’re hitting the sweet spot between too much security and not enough.  Some questions to ask are:

  • Why are you implementing security? 
  • What problem(s) are you trying to solve?
  • What is the level of protection you need to provide security and feel secure?
  • Is it more important to feel secure or be secure?

Answering these questions also answers the question of “Why should I care about security?” They help you and your organization justify the right level of security.

Why should I read this blog?

Granted, there are many other security blogs out there.  We hope to provide different perspectives on Cybersecurity.  It is also our hope to give a voice to the Bellevue University students, faculty and community.  

It’s a big, wild cyber world out there.  While we trust others to help us be secure, it’s also up to us to do our part.  Reading this blog is one way to do it.  Another is to comment on our blog posts.  We want to hear from our readers.  What is important about security for you?  Are there any topics you’d like to see covered? Let us know.