Wednesday, October 28, 2009

Final Reflection

Final reflection


Your final reflection in this course should look back over the whole semester. Go back to your first blog post and write about how your initial impressions have or haven't changed. Think (and write) about:

What you have learned most from completing this course

I think that the thing I have learned most from completing this course would be that there are many risks for everyone who uses the internet or computers, and having the right security system is a crucial step in preventing sensitive information from being stolen. I have learnt a lot more about information security, which, as I recall, was what I wanted to learn the most from my first blog post.

How what you've learned complements other areas of knowledge you have or hope to gain?

As I am in my final year of university, and upon completion of my degree I will be working in the corporate world, I think the knowledge I have gained in relation to information security has been very beneficial. I believe that when I start work next year in an accounting firm, what I have learned and gained from this course will give me a good sense of how to protect not only my own sensitive information but also that of the firm I will be working for. I hope in the future I will be able to expand my knowledge of information security further, as I find it very interesting.

What you consider to be the most important aspects of information security and why?

I think the most important aspects of information security are minimising risk and ensuring that you have the best and most up-to-date anti-virus software to protect your private information. I think that just knowing there are many risks out there, and how to avoid them, is crucial to protecting sensitive information, whether it be yours or that of the company you are working for.

What you haven't learned but had hoped to?

I would have liked to have learned more about fraud, in particular identity theft and measures to reduce the risk of having sensitive information stolen. I think that in today's society, and the way the world seems to be lately, reducing the risk of your identity being stolen is very important, and I don't think many people realise just how easy it is for someone to steal their identity.

How your perceptions of corporate information security have changed (if at all)?

I never knew that so many companies had security breaches.

What aspects of information security interested and/or bored you the most?

The aspects of information security that I am interested in are risk management and physical security. I am interested in these aspects because I like to think I take all the necessary precautions when it comes to my personal security in regard to using my computer. The aspect of information security that bored me the most was security and personnel. I think this topic bored me the most because it came towards the end of the course, when I had a lot of assignments for other units, and I don't think I spent as much time as I should have understanding it.

What topics you found particularly easy or difficult to grasp?

I found the topics on legal, ethical and professional issues and implementing security the easiest to grasp. I think I found them easy to understand because I had previously covered parts of those topics in earlier university units; the legal, ethical and professional issues topic also seemed, in a way, to be common sense. The topic I had the most trouble grasping was planning for security. I think I found this one harder to understand because there seemed to be a lot of content, new content, which I had trouble getting my head around. I think this was reflected in the result I got on my quiz: after getting many answers wrong I got so frustrated. I really like doing the quizzes and getting good marks, so it annoyed me that I didn't do that well with that topic.


How the course could have been facilitated better to assist your understanding and knowledge?

I think it would have been a good idea if we had done a mid-semester test online, to provide general feedback as to how we are going with the unit. I have found with other online courses, and with courses on campus, that doing a test in the middle of the semester is a great way for us as students to gain an understanding of where we are at with the course and the areas we need to improve on.

I have really enjoyed this course. My favourite part of each week's work was the quizzes, and I thoroughly enjoyed them :). I found that the quizzes assisted my learning, in the sense that I listened to the lecture as well as searching for information about the topics to help me get the correct answer. I think it was good that we could go back over the quizzes and re-do them to get the best mark we could. I must admit that the first time I took the quizzes I wrote down the answers for future reference when I re-did them... it was not until I re-did the quiz that I realised the answers change, so for example, in one question the answer I got the first time was (a) but when I re-did the quiz the answer was (c). I soon learnt I should have written down the answer, not just the letter. I have found the blog a very useful learning tool, especially for revision, as I can just go back over what I have done and reinforce what I have already learnt. I thoroughly enjoyed this course; I liked doing every aspect of it. I am a bit nervous about the coming exam, but I know if I study and put the effort in I will do fine :)

Oh, one more thing: I found this the other day and just thought it was interesting and related to information security.

“Ten Commandments of Computer Ethics” from the Computer Ethics Institute

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Information Security Maintenance - Week 12

Weekly reflection
Maintenance is an essential task that is often considered to be dull. In information security, penetration testing may be wrongly perceived as being a “hacker-like” activity. In fact, when done correctly, ethical hacking is an important part of risk management. In your blog, write about ways that penetration analysts limit the risk they pose to internal systems. You may need to conduct research to fulfill this task.

Penetration testing has been a part of information security since the early 1990s; however, it is still a misunderstood practice. Penetration testing is considered by many to be a "black art". Many CIOs and ISOs get excited at the thought of hiring a firm to perform a penetration test, because they imagine the very act of commissioning one somehow validates the idea that they are serious about the security of their organisation. This notion, combined with a lack of understanding of the realities of penetration testing and misconceptions about what it involves, tends to distort expectations about the penetration test, especially its results.
(http://www.progllc.com/blogs/37-fed-sec/138-penetration-testing.html)

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and the action to take to prevent them. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if one is discovered. A penetration test should be carried out on any computer system that is to be deployed in a hostile environment, in particular any Internet-facing site, before it is deployed. This provides a level of practical assurance that a malicious user will not be able to penetrate the system. Black box penetration testing is useful in cases where the tester assumes the role of an outside hacker and tries to intrude into the system without adequate knowledge of it. (http://en.wikipedia.org/wiki/Penetration_test)

The main advantage of penetration testing is that it gives you very accurate information about the real security position of your system.
A penetration test from a trusted provider offers an excellent means by which an organization can baseline its current security posture, identify threats and weaknesses, and start implementing strategies to remedy the threats and weaknesses. By identifying risk exposures and highlighting what resources are needed to correct them, penetration tests provide not only the basis for a security action plan, but also the compelling events, due diligence and partner interface protocols necessary to establish information security as a key corporate initiative.
(http://www.iss.net/documents/whitepapers/pentestwp.pdf)

Also, look at popular news sources for stories related to computer vulnerabilities. Research the vulnerabilities to see if there are any inconsistencies between the way the press reports them and the way researchers have documented them. Give examples.

SC Magazine
"A computer virus has made it onto the International Space Station (ISS), but Nasa says there is no danger to critical systems. Nasa has confirmed that a computer on the ISS has been infected by the Gammima.AG. virus, which tries to steal login names and passwords to popular online games like Maple Story, HuangYi Online and Talesweaver. It is not yet known how the virus got on board but the likely culprit is a USB drive taken up by one of the astronauts. All data traffic streamed direct to the station comes from Nasa uplink stations and is heavily screened before being sent into orbit. No critical systems have been infected according to the space agency and measures are being taken to expunge the malware from on-board systems. This is not the first time viruses have made it into orbit, Nasa confirmed. In the past astronaut laptops have been taken up that have been found to be infected, but at no time were lives put at risk. Nasa now plans to beef up the security systems on the ISS to prevent such issues recurring."
(http://www.securecomputing.net.au/News/121093,computer-virus-hits-space-station.aspx)

BBC News: Computer Virus Makes it to Orbit.

A computer virus is alive and well on the International Space Station (ISS).
Nasa has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games. Nasa said it was not the first time computer viruses had travelled into space and it was investigating how the machines were infected.

Orbital outbreak: Space news website SpaceRef broke the story about the virus on the laptops that astronauts took to the ISS. Nasa told SpaceRef that no command or control systems of the ISS were at risk from the malicious program. The laptops infected with the virus were used to run nutritional programs and let the astronauts periodically send e-mail back to Earth.
The laptops carried by astronauts reportedly do not have any anti-virus software on them to prevent infection. Once it has scooped up passwords and login names the Gammima.AG worm virus tries to send them back to a central server. It targets a total of 10 games most of which are popular in the Far East such as Maple Story, HuangYi Online and Talesweaver. Nasa is working with partners on the ISS to find out how the virus got on to the laptop in the first place. The ISS has no direct net connection and all data traffic travelling from the ground to the spacecraft is scanned before being transmitted. It is thought that the virus might have travelled via a flash or USB drive owned by an astronaut and taken into space. The space agency also plans to put in place security systems to stop such incidents happening in the future. Nasa told Wired News that viruses had infected laptops taken to the ISS on several occasions but the outbreaks had always only been a "nuisance". (http://news.bbc.co.uk/2/hi/technology/7583805.stm)


The Gammima.AG virus is a computer worm that propagates by copying itself to removable media. It also steals password information related to various online games. The article above states that the virus was likely to have gotten on board from a "USB drive taken up by one of the astronauts". The above definition says that the virus copies itself to removable media, which is what they believe happened in the NASA situation. The virus was discovered by NASA on board a computer in the International Space Station in August 2007, though the virus did not pose any threat to the International Space Station, as it is a gaming virus made to steal login information for net-based computer games (Wikipedia (2009)).

Tuesday, October 27, 2009

Security and Personnel - Week 11

Weekly reflection
What actions can each person in an organisation take to minimize the risk of identity theft?

* Shred any confidential documents, especially ones that contain private information, such as your address, phone number, tax file number etc.

* Use strong passwords on all your accounts and make sure you change your passwords regularly.

* Do not use the same password for all of your accounts.

* Update the software on your computer frequently. This includes your operating system, firewall, anti-virus and anti-spam software.

* When you are using email, do not open any emails or attachments from people you don't know.

* Always use a virus scanner when you open attachments.

* Ask about security practices at your workplace and find out who has access to your private information.

Discuss and generate a list of concrete actions each student can take to control this risk at UB.

It is very important to control the risk of someone gaining access to your private information. To control risk at the University of Ballarat, I recommend that each student:

* Manages their personal information cautiously.

* Changes their passwords on a regular basis and does not tell anyone their password.

* Does not open any emails where they don't know the sender.

How do you think the Information Security department at UB is structured? You don't need to know the correct answer to this, but based on your understanding of UB's size and the types of information it needs to secure, what roles do you imagine exist here?

I think the Information Security department at UB is structured so that security measures are updated regularly, such as implementing new software and changing passwords regularly. I would also think that there would have to be a very secure place where all students' private information is stored, and I think they would have a good backup system and anti-virus software.

Implementing Security - Week 10

Weekly reflection
In your blog, write about your understanding of the outsourcing process. You may need to do some extra research for this. In particular, describe your knowledge of RFPs, evaluation, contract award, and exit strategies. Give an example of why an exit strategy would be necessary if outsourcing the implementation of an information security blueprint

Outsourcing saves time and money, and helps to avoid risk. The promised benefits of outsourced security can be very attractive to businesses. The potential to increase network security without hiring more people and spending more money is one of the reasons outsourcing is becoming more popular. The primary argument for outsourcing is financial, as a company can get the security expertise it needs at a smaller cost by hiring someone else to provide it. One of the major difficulties in deciding to outsource is who to get to do the work for you; the potential risks of outsourcing can be considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake. When deciding to outsource, the risk levels of potential vendors must be identified: "Key information security considerations that should be tracked as part of this stage include: Information Security Policies, Audit Results and Methods, Standards and Certifications, Technical Controls, Security Architecture, Local Regulatory Compliance Requirements and Law Enforcement Practices" (A CISO's Guide to Security Outsourcing (2009)).

RFPs
The RFP document is one of the most important documents in the vendor selection process. The RFP defines the work to be done and the additional conditions to be met in order to win a contract.

Evaluation
An outsourcing evaluation should follow a disciplined, managerial approach from planning through negotiation and implementation, to ongoing management of the relationship.

Contract award
The legal basis of any outsourcing agreement is of course the contract. This determines the legal parameters of the service and the responsibilities of each party.

Exit strategies
It is important to plan your exit strategy before you buy. It’s critical to plan how you’ll get out of an outsourcing contract should the need arise. An exit strategy would be necessary if outsourcing the implementation of an information security blueprint because you may not like the blueprint and by having an exit strategy you are not stuck with it.

Tuesday, October 6, 2009

Physical Security - Week 9

In your blog, reflect on your understanding of the content in section 9.
Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information, and it also covers how to prevent an attack on your information from occurring. It can be as simple as a locked door or as elaborate as multiple layers of armed security guards and multiple security safeguards, such as passwords updated daily, alarms, motion detectors or biometrics such as fingerprint verification. A good example of physical security is an automatic teller machine, which is protected by spoiling the money inside when it is attacked. Money tainted with a dye could act as a flag to the money's unlawful acquisition. One of the main goals of physical security is to convince potential attackers that the likely costs of an attack exceed the value of making the attack. There are at least four layers of physical security: environmental design, mechanical and electronic access control, intrusion detection and video monitoring.

How safe is the data on your computer, especially if your computer is lost or stolen?

I don't think the data on my computer would be very safe. The computer I have is sort of older, so not as high-tech as most of the computers on the market today... I think if there are people out there who can hack into the security networks of major companies, and even countries, then my desktop won't stand a chance... not that there is anything of value on here, mostly essays, lecture notes and family photos, more sentimental value.

If you were working for a large multinational business or government department, what measures do you think might be in place to mitigate the risks of physical theft or loss?

Key cards, security passwords that are changed daily or weekly at least, finger scans or eye scans, voice recognition, surveillance cameras; I think that the networks would all be connected to a computer that can detect if something is going on that shouldn't be.

Wednesday, September 16, 2009

Technology & Design Issues Surrounding Information Security - Week 8

Weekly reflection
In your blog, answer the following questions. You may need to conduct some research to answer these questions adequately.

1. Which architecture for deploying a firewall is most commonly used in businesses today? Why?

Although literally hundreds of variations exist, there are four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed host firewalls and screened subnet firewalls.

The most commonly used in business today is the screened subnet firewall. Wikipedia states that "in network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving greater throughput and flexibility, although at some cost to simplicity. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure". It is the most commonly used because it is an entire network segment that performs two functions:

* It protects the DMZ systems and information from outside threats by providing a network of intermediate security.

* It protects the internal networks by limiting how external connections can gain access to internal systems.

DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
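To make the two functions of the screened subnet (and the extranet idea) concrete, here is an added example, not from the original post or its sources, that models such a policy in Python: the internal, DMZ, extranet and partner address ranges, the mail server address and the rule table are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (not from the post): three zones plus a partner range.
INTERNAL = ip_network("10.0.0.0/8")          # workstations, databases, file servers
DMZ = ip_network("192.0.2.0/24")             # public web server, inbound mail relay
EXTRANET = ip_network("192.0.2.128/25")      # DMZ segment reserved for partners
PARTNERS = [ip_network("198.51.100.0/24")]   # address space of authorised partners
MAIL_SERVER = ip_network("10.1.1.25/32")     # the one internal host the relay may reach


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    dport: int  # destination TCP port


def zone(addr: str) -> str:
    """Map an address to the firewall zone it belongs to."""
    ip = ip_address(addr)
    if ip in DMZ:            # EXTRANET lies inside DMZ, so it maps to "dmz" as well
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "external"


# Rule table: (src zone, dst zone, allowed dst ports or None for any,
# dst network or None for any). First match wins; no match means drop.
# There is deliberately no external -> internal rule: inside hosts are
# never reachable directly from outside, only through the DMZ services.
RULES = [
    ("external", "dmz", {25, 80, 443}, None),   # public services only
    ("internal", "dmz", None, None),            # staff administer DMZ hosts
    ("internal", "external", {80, 443}, None),  # outbound web browsing
    ("dmz", "internal", {25}, MAIL_SERVER),     # relay hands mail to one host
]


def decide(pkt: Packet) -> str:
    """Return 'allow' or 'drop' for one packet under the screened subnet policy."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)

    # Extranet segment: outside traffic must come from an authorised partner
    # before the ordinary DMZ rules are even consulted.
    if dst in EXTRANET and src_zone == "external":
        if not any(src in net for net in PARTNERS):
            return "drop"

    for rule_src, rule_dst, ports, dst_net in RULES:
        if (src_zone, dst_zone) != (rule_src, rule_dst):
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        return "allow"
    return "drop"  # default deny


if __name__ == "__main__":
    # Constructed sample traffic; external 203.0.113.7 stands for the general public.
    samples = [
        Packet("203.0.113.7", "192.0.2.10", 443),    # public -> web server: allow
        Packet("203.0.113.7", "10.1.1.25", 25),      # public -> internal: drop
        Packet("192.0.2.10", "10.1.1.25", 25),       # relay -> mail server: allow
        Packet("192.0.2.10", "10.5.5.5", 445),       # compromised DMZ host: drop
        Packet("203.0.113.7", "192.0.2.200", 443),   # public -> extranet: drop
        Packet("198.51.100.9", "192.0.2.200", 443),  # partner -> extranet: allow
    ]
    for p in samples:
        print(f"{p.src:>14} -> {p.dst:<12} :{p.dport:<4} {decide(p)}")
```

The fourth sample shows the second function in action: even a DMZ host that has been taken over cannot reach arbitrary internal systems, because the only DMZ-to-internal rule is pinned to one host and one port.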



2. What are the reasons that VPN technology has become the dominant method for remote workers to connect to the organizational network?

The reasons include:

* Cost benefits: IP VPNs will always be less costly to run than Frame Relay for sites in different cities. There's no need to pay for data between offices or teleworkers at per-MB rates.

* Simplified management: you'll receive one point of contact for your VPN, rather than having to deal with a phone carrier for the transport and a separate ISP or division for IP data.

* Improved security: there is no longer a need to run confidential data across the Internet. An AlwaysONLINE VPN is built on a separate network, removing the need to punch holes in firewalls or make exceptions to IT security policies.

* Separate your Internet access from your inter-office connections: we provide the option of connecting your VPN to the Internet. This access can be placed in front of a firewall, reducing the points of interconnect between your network and the Internet.

(http://www.alwaysonline.net.au/vpn/advantage.html)



3. Will biometrics involve encryption? How are biometric technologies dependent on the use of cryptography?

Yes, biometrics will involve encryption. Biometrics is the term given to the process of using body measurements, such as fingerprints, palm prints, iris patterns and facial recognition. Biometric technologies are dependent on the use of cryptography because most of the technologies that scan human characteristics convert these images to some form of minutiae, which are unique points of reference that are digitised and stored in an encrypted format when the user's system access credentials are created.

Tuesday, September 1, 2009

Risk Management - Week 6

This week the thing I found most challenging was the quiz. I did not like the time box thing; every time I scrolled down the page to read a question it blocked my view, which was very annoying. I did not find this set-up of the quiz very constructive or helpful to my learning. When I do the quizzes I use the notes and look up information on the internet; I find this way is much more useful for my learning, as I am actually researching the answers. I found I did not have time to look at either of these things, and my result shows this: I did not do as well as I usually do because I guessed a lot. I have read the notes once, and just once is not enough for me to have the information imprinted in my brain so I can do quizzes without more resources. In conclusion, I would prefer not to have a time constraint on future quizzes.

Recently the log-in page for online banking with my bank had the following message: "Bank will never send an email asking you to follow a link to this logon page; or to any page requiring account or access ID details. If you receive such an email, it is not from Bank but is a hoax. This logon page should only be accessed directly from Bank's website – not through an email link." I just thought that this was an interesting thing to mention, as this course is about security.


What is the best value that should be assessed when evaluating the worth of an information asset to the organization - replacement cost or lost income while repairing or replacing?
I would say lost income, if it takes longer than expected to repair something then the lost income will be greater than anticipated.



What is the likelihood value of a vulnerability that no longer must be considered?
I'm not sure about this answer. I will come back to it if i have a chance.



In what instances is baselining or benchmarking superior to cost benefit analysis?
Benchmarking is a process of comparing an organization's or company's performance to that of other organizations or companies using objective and subjective criteria. Baselining is a method for analysing computer network performance. The method is marked by comparing current performance to a historical metric, or "baseline". Cost-benefit analysis is the name given to the process of weighing up the costs and benefits of undertaking a project. (Wikipedia) Benchmarking or baselining is superior to cost-benefit analysis because they take into account other factors, such as the performance of other organisations; this will give them a better idea of how their project could work.




How can we find out what an organization's risk appetite is? Why is this important?

Risk appetite is determining the level of risk an organization has. The purpose of this is to control directly how people make decisions on behalf of an organization in the face of risk and uncertainty by specifying the importance of risk in some way. We can find out an organization's risk appetite by looking at the following questions:
* Where do we feel we should allocate our limited time and resources to minimise risk exposures?
* What level of risk exposure requires immediate action?
* What level of risk requires a formal response strategy to mitigate the potentially material impact?
* What events have occurred in the past, and at what level were they managed?
(http://www.continuitycentral.com/feature0170.htm)
It is important to know an organization's risk appetite to ensure that the right levels of risk are being used.