Sunday, August 30, 2009

Legal, Ethical and Professional Issues - Week 5

To do this week
Use the discussion forum in this week's section to post information relating to legal aspects of information security in Australia. That is, find links to relevant Australian laws and resources. They could include:

General computer crime laws
* Commonwealth Cybercrime Bill 2001 "was approved by the Parliament with minor amendments on 27 September 2001. The legislation was an overbroad knee-jerk reaction to then recent well-publicised virus attacks, and has the potential to criminalise innocent behaviour such as possession of security software. It also introduced an alarming law enforcement provision requiring release of encryption keys or decryption of data, contrary to the common law privilege against self-incrimination"
Link - http://www.efa.org.au/Issues/Privacy/security.html


Privacy laws
Privacy Act 1988
Link - http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/framelodgmentattachments/1B0AD21B8A87AD58CA2576080018DAEF

"To help safeguard your privacy, the Australian Government has released a StaySmartOnline website with information and tips on how you can protect yourself online. Cybersmart, developed by the Australian Communications and Media Authority, provides resources and practical advice to help young kids, kids, teens and parents safely enjoy the online world"
Link - http://www.privacy.gov.au/topics/technologies

Copyright laws
Copyright Act 1968
Link - http://www.austlii.edu.au/au/legis/cth/consol_act/ca1968133/

Internet Security
The Australian Internet Security Initiative (AISI)
"The ACMA developed the Australian Internet Security Initiative (AISI) to help address the emerging problem of compromised computers (sometimes referred to as 'zombies', 'bots', or 'drones'). Computers can become compromised through the surreptitious installation of malicious software (malware) that enables the computer to be controlled remotely for illegal and harmful activities without the computer user's knowledge"
Link - http://www.acma.gov.au/WEB/STANDARD/pc=PC_310317


In your blog, write about the research procedure you undertook to find these resources, and which resources you consider to be most important to information security

I looked up a lot of the information I found on the internet. I considered the resources that had a legitimate source the most important, in particular the ones from Australian government websites, as I believe these have more credibility.



Do you see any disparity between local (Australian) law and International law? What could be the implications when information security breaches cross borders?

Extradition, face the laws in the country you broke the law in... e.g. drug trafficking laws are vastly different in Australia compared to Bali, Thailand where there is a death penalty.

Monday, August 17, 2009

The Need for Security - Week 4

Weekly reflection
In your blog, write about a time when you (or a relative/friend) have had to deal with the effects of one of the following:
virus
trojan horse
back door
worm
What happened, and what measures did you take to protect yourself afterwards?




I've had an experience with a trojan horse once before. Thankfully I have a good security system installed on my computer and nothing major happened; the software picked up the trojan horse and I guess got rid of it. When I got this computer I made sure I had all the necessary security measures in place. I only really use my computer for university work anyway, so even if a virus or trojan horse did get through the security system I don't have anything stored on my computer other than homework.



Look for an article on the Internet that relates to an organization having lost its security due to one of the above mentioned threats. What measures did they have to take to protect themselves? What was the impact of any loss or corruption of data that occurred?





Office of U.S. Marshals infected by Neeris virus
Article: By Angela Moscaritolo May 25, 2009 9:24 AM

"The office of U.S. Marshals was infected with a computer virus on Thursday that was able to infiltrate their computer network because the federal law enforcement agency was running an out-of-date anti-malware solution.

The virus is believed to be Neeris, a new malware variant that has been customised to exploit the same vulnerability as the notorious Conficker worm, Nikki Credic, a spokeswoman for the Marshals confirmed to SCMagazineUS.com on Friday. She added that there may have been multiple computers infected. Within the public relations office alone, one or two people noticed suspicious changes in their computers.

“Neeris and Conficker look for missing patches. If the PCs and servers are patched, the malware doesn't work,” John Pescatore, research director and vice president at Gartner, told SCMagazineUS.com in an email on Friday. “The patch for this has been out since October 2008.”

The United States Marshals Service (USMS), a federal law enforcement agency within the U.S. Department of Justice, is the nation's oldest federal law enforcement agency, having served the country since 1789. The virus in its computer network was discovered early Thursday morning. At that time, the IT staff disconnected the marshals' computers from the Justice Department's network to prevent further spread, Credic said. In addition, the marshals' internet connection was shut off all day Thursday, and only internal email was functional, Credic said.

Working with anti-virus vendor, Trend Micro, the IT staff updated its anti-virus software and pushed updates to all agency computers, Credic said.

“They had an out-of-date product as far as we know,” Michael Sweeny, global public relations director at anti-virus company Trend Micro, told SCMagazineUS.com on Friday.

By Friday morning, email and internet connections were back up and running at the USMS, Credic said. “It appears they have resolved the problem.”

Credic added that no data was compromised or at risk as a result of the virus infection.

The FBI is said to be having similar problems, the agency told the Associated Press on Thursday. When contacted by SCMagazineUS.com on Friday morning, a spokesman at the FBI's press office said his email was down, but did not provide additional details. “We too are evaluating a network issue on our external, unclassified network that's affecting several government agencies,” FBI spokesman Mike Kortan told the AP.

Gartner's Pescatore said that this incident illustrates the importance of making sure computers are patched. Also, email and PC anti-virus programs should be kept up-to-date. And, a web security tier that blocks incoming malware from web connections is equally important, he said. “It sounds like the problem here was both missing patches and missing AV – definitely below a due diligence level of protection,” Pescatore said" (http://www.securecomputing.net.au/News/145860,office-of-us-marshals-infected-by-neeris-virus.aspx)

The outcome of this virus was that they had to update their anti-virus software. No data was lost or at risk as the virus was detected early; however, as the virus was attacking the office of the U.S. Marshals, a lot of sensitive information could have been leaked.





What measures do you think UB has in place to deal with these threats?


As the university has sensitive information on thousands of students it is critical it has a good security system in place to protect this information. I think the university would have anti-virus software and they would definitely have to have a secure login system. I know from experience that whenever I open a new window, such as my student centre, Moodle or my email, I have to re-enter my user name and password. It's annoying to do this, but important for security reasons. I'd rather spend a minute logging in than have someone else be able to access my information if I did not log off the system properly. I have noticed on the ubgateway webpage that any security alerts are posted there; I think this is a good way to inform students of any risks.
On the UB website it states that "unfortunately there are no "Silver Bullets" when it comes to computer security. However, ICT Security has implemented a number of strategies to protect our data, services and systems. These measures include:
state of the art firewalls (software and hardware)
virus & spyware protection
anti-spam software
multi tiered password protection
secure login via Access@UB
secure data storage
security alerts
educating UB students and staff
access to free anti-virus software (Sophos)"



Here's something to think about next time you're at a train station: how secure is their network?


If an ordinary citizen can hack their network with a mobile phone then their network is not very secure at all. It's scary to think what someone is able to do with just a mobile phone!





This week has been very interesting. There are so many threats to our personal information out there that it is crucial to take the necessary steps to prevent sensitive information getting into the wrong hands. I found finding an article I liked difficult, there were so many to choose from... I guess a lot of organizations did not have good security systems in place... maybe they should have worked on a better SecSDLC. I found it interesting when reading the notes this week that 79% of organizations had had cyber security breaches in the past 12 months and 45% had financial losses of $141 million.

Tuesday, August 11, 2009

Weekly Reflection - Week 3

Weekly reflection - In your blog, reflect on your understanding of section 1 - the main things you've learned, what you find difficult to understand, what interests or doesn't interest you. Also, find a recent news article (on the Internet) and summarise it in your blog, referring to how it relates to the principles of information security that you have been introduced to so far.





During this week I have learnt that information security is defined as the protection of information; it requires "a well-informed sense of assurance that the information risks and controls are in balance" (Jim Anderson 2002). Since the first mainframe was established information security was developed, although back then it was not considered such a big issue, or a high priority. As technology progressed so too did the risks associated with using it. This caused a shift of information security being a relatively low priority to one that has become a huge issue for many people the world over, attracting huge amounts of attention in the media, particularly with social networking becoming so popular and identity theft and fraud on the rise. This week I have also learnt that there are 6 layers of security for a successful organisation, which are: physical security, personal security, operations security, communications security, network security and information security. It was interesting to learn that computers can be the subject of an attack or the object of an attack, so essentially the computer can either be attacked or be the attacker. I didn't know this before and I found it a bit ironic that we spend so much money and time trying to protect ourselves from security threats and even with all this effort our own computer could be used as the "attacking weapon".


I have learnt about the SDLC in previous courses I have done, it was nice to refresh my memory :). I have however never heard of the SecSDLC, you learn something new every day :) There is a lot of work, research, and maintenance involved in keeping a security system up to date and running smoothly; there are a lot of risks out there and having a good security system is vital for an organization to succeed. So far there has been a lot of content, and getting my head around all the new terms is a challenge, but I'm up for it :). I really enjoyed doing the quiz, I found it really helped my learning and understanding of the content for section 1, and I found that the quiz was a great way to do more research and expand my knowledge base. I may have guessed a couple of the answers... they are the ones that I didn't get right the first time... in future I think I'll just keep researching until I get the right answer :)



NEWSPAPER ARTICLE



News article link - http://www.securityfocus.com/brief/993



Survey: More companies monitoring e-mail
Published: 2009-08-11
The article I found related to companies monitoring / analyzing e-mail content. The survey was conducted by data-loss prevention firm Proofpoint, who surveyed 220 organizations and found that one third of companies surveyed employ staff to monitor / analyse e-mail content. The survey also found that 46% of the companies surveyed regularly audit their out-bound e-mails in an attempt to prevent the leaking of confidential information, and the number of staff who focused on analysing / monitoring e-mails has almost doubled since 2008. A third of the companies had had leaks of sensitive information in the past year, and e-mail was the reason for the largest number of data leak investigations at 43%. 18% of the companies surveyed had investigated employees because of a blog post, YouTube postings or instances on other sites, and one third of companies had fired a worker for violating information sharing policies. Proofpoint argued that the reason for this increase lies with the use of social media and the current difficult economic times.



The ways that this newspaper article relates to the principles of information security that I have been introduced to so far are: Corporations taking steps to prevent leaks of sensitive information, as information security is a huge issue for many businesses. Implementing protection procedures to ensure information is kept secure. This article also shows how much of a problem the internet can cause for businesses; emails and social network sites such as MySpace and Facebook have caused many companies to implement better security systems to protect information. Social networking sites, e-mail and YouTube, to name a few, have all been major concerns for businesses, with sensitive information being leaked, whether intentional or unintentional. Having a good security system in place is essential in ensuring sensitive information stays secure and within the organisation, and monitoring emails is one way to ensure no sensitive information is leaked.

Tuesday, August 4, 2009

Task 1 Part A: Week 2 Questions

Why have you chosen to study this course?
I have chosen to do this course mainly because I needed an elective. I had done an online course previously (e-Business) and found I genuinely enjoyed it :), so much so I am now doing e-Marketing (another online course) as well as Corporate Information Security. I guess the appeal of the subject lies in the "no need to attend boring lectures and I can learn in my own time at my own pace". Not to mention I am actually interested in security and how the vast increases in the way the world uses the internet for commerce have led to the requirement for better security as fraud and identity theft increase with the ever increasing movements in technology and the internet.

What do you hope to learn this semester?
I hope to learn more about information security

What is your definition of information?
My definition of information is the knowledge that is gained through research, such as reading, the internet, television and life experiences in general. Everything in life provides us with information; with the creation of the internet, information on any possible subject you could want to know about is now but a mere click away... Information is knowledge and knowledge is power, or something along those lines

What is your definition of information security?
Information security is the protection of personal information

How will the knowledge of information security you gain this semester help you in the future?
Technology will always be advancing and security is always going to be a major issue for business and consumers alike, at the moment I am a consumer, and any information that will help protect my security will be a great help :). I think this course will help me in the future, particularly in my future career.