Wednesday, October 28, 2009

Final Reflection

Your final reflection in this course should look back over the whole semester. Go back to your first blog post and write about how your initial impressions have or haven't changed. Think (and write) about:

What you have learned most from completing this course?
I think that the thing I have learned most from completing this course would be that there are many risks for everyone who uses the internet or computers, and having the right security system is a crucial step in preventing sensitive information from being stolen. I have learnt a lot more about information security, which as I recall was what I wanted to learn the most from my first blog post.

How what you've learned complements other areas of knowledge you have or hope to gain?
As I am in my final year of university and will be working in the corporate world upon completion of my degree, I think the knowledge I have gained in relation to information security has been very beneficial. I believe that when I start work next year in an accounting firm, what I have learned from this course will give me a good sense of how to protect not only my own sensitive information but also that of the firm I will be working for. I hope in the future I will be able to expand my knowledge of information security further, as I find it very interesting.

What you consider to be the most important aspects of information security and why?
I think the most important aspects of information security are minimising risk and ensuring that you have the best and most up-to-date anti-virus software to protect your private information. I think that just knowing there are many risks out there, and how to avoid them, is crucial to protecting sensitive information, whether it be yours or that of the company you are working for.

What you haven't learned but had hoped to?

I would have liked to have learned more about fraud, in particular identity theft and measures to reduce the risk of having sensitive information stolen. I think that in today’s society, and the way the world seems to be lately, reducing the risk of your identity being stolen is very important, and I don’t think many people realise just how easy it is for someone to steal their identity.

How your perceptions of corporate information security have changed (if at all)?

I never knew that so many companies had security breaches.

What aspects of information security interested and/or bored you the most?

The aspects of information security that I am interested in are risk management and physical security. I am interested in these aspects because I like to think I take all the necessary precautions when it comes to my personal security in regards to using my computer. The aspect of information security that bored me the most was security and personnel. I think this topic bored me the most because it was towards the end of the course, where I had a lot of assignments for other units, and I don't think I spent as much time as I should have understanding it.

What topics you found particularly easy or difficult to grasp?
I found the topics on legal, ethical and professional issues and implementing security the easiest topics to grasp. I think I found them easy to understand because I had previously covered parts of those topics in previous university units; also, the legal, ethical and professional issues topic seemed in a way to be common sense. The topic I had the most trouble grasping was planning for security. I think I found this one harder to understand because there seemed to be a lot of content, new content, which I had trouble getting my head around. I think this was reflected in the result I got on my quiz; after getting many answers wrong I got so frustrated. I really like doing the quizzes and getting good marks, so it annoyed me that I didn't do that well with that topic.


How the course could have been facilitated better to assist your understanding and knowledge?
I think it would have been a good idea if we had done a mid-semester test online, to provide general feedback as to how we are going with the unit. I have found with other online courses, and with courses on campus, that doing a test in the middle of the semester is a great way for us as students to gain an understanding of where we are at with the course and the areas we need to improve on.

I have really enjoyed this course. My favourite part of each week's work was the quizzes, and I thoroughly enjoyed them :). I found that the quizzes assisted my learning, in the sense that I listened to the lecture as well as searching for information about the topics to help me get the correct answer. I think it was good that we could go back over the quizzes and re-do them to get the best mark we could. I must admit that the first time I took the quizzes I wrote down the answers for future reference for when I re-did the quizzes... it was not until I re-did the quiz that I realised the answers change, so for example, in one question the answer I got the first time was (a) but when I re-did the quiz the answer was (c). I soon learnt I should have written down the answer, not just the letter. I have found the blog a very useful learning tool, especially for revision, as I can just go back over what I have done and reinforce what I have already learnt. I thoroughly enjoyed this course; I liked doing every aspect of it. I am a bit nervous about the coming exam, but I know if I study and put the effort in I will do fine :)

Oh, one more thing, I found this the other day and just thought it was interesting and related to information security.

“Ten Commandments of Computer Ethics” from the Computer Ethics Institute

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Information Security Maintenance - Week 12

Weekly reflection
Maintenance is an essential task that is often considered to be dull. In information security, penetration testing may be wrongly perceived as being a “hacker-like” activity. In fact, when done correctly, ethical hacking is an important part of risk management. In your blog, write about ways that penetration analysts limit the risk they pose to internal systems. You may need to conduct research to fulfill this task.

Penetration testing has been a part of information security since the early 1990s; however, it is still a misunderstood practice, and is considered by many to be a "black art". Many CIOs and ISOs get excited at the thought of hiring a firm to perform a penetration test, because they imagine that the very act of commissioning one somehow validates the idea that they are serious about the security of their organisation. This notion, combined with a lack of understanding of the realities of penetration testing and misconceptions about what it involves, tends to distort expectations about the penetration test, especially its results (http://www.progllc.com/blogs/37-fed-sec/138-penetration-testing.html).

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and recommended actions to mitigate them. The intent of a penetration test is to determine the feasibility of an attack and the business impact of a successful exploit. A penetration test should be carried out on any computer system that is to be deployed in a hostile environment, in particular any Internet-facing site, before it is deployed. This provides a level of practical assurance that a malicious user will not be able to penetrate the system. Black box penetration testing is useful where the tester assumes the role of an outside hacker and tries to intrude into the system without prior knowledge of it (http://en.wikipedia.org/wiki/Penetration_test). The main advantage of penetration testing is that it gives you very accurate information about the real security position of your system.

A penetration test from a trusted provider offers an excellent means by which an organisation can baseline its current security posture, identify threats and weaknesses, and start implementing strategies to remedy them. By identifying risk exposures and highlighting what resources are needed to correct them, penetration tests provide not only the basis for a security action plan, but also the compelling events, due diligence and partner interface protocols necessary to establish information security as a key corporate initiative (http://www.iss.net/documents/whitepapers/pentestwp.pdf).

Also, look at popular news sources for stories related to computer vulnerabilities. Research the vulnerabilities to see if there are any inconsistencies between the way the press reports them and the way researchers have documented them. Give examples.

SC Magazine
"A computer virus has made it onto the International Space Station (ISS), but Nasa says there is no danger to critical systems. Nasa has confirmed that a computer on the ISS has been infected by the Gammima.AG. virus, which tries to steal login names and passwords to popular online games like Maple Story, HuangYi Online and Talesweaver. It is not yet known how the virus got on board but the likely culprit is a USB drive taken up by one of the astronauts. All data traffic streamed direct to the station comes from Nasa uplink stations and is heavily screened before being sent into orbit. No critical systems have been infected according to the space agency and measures are being taken to expunge the malware from on-board systems. This is not the first time viruses have made it into orbit, Nasa confirmed. In the past astronaut laptops have been taken up that have been found to be infected but at no time were lives put at risk. Nasa now plans to beef up the security systems on the ISS to prevent such issues recurring"
(http://www.securecomputing.net.au/News/121093,computer-virus-hits-space-station.aspx)

BBC News: Computer Virus Makes it to Orbit.

A computer virus is alive and well on the International Space Station (ISS).
Nasa has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games. Nasa said it was not the first time computer viruses had travelled into space and it was investigating how the machines were infected.

Orbital outbreak: Space news website SpaceRef broke the story about the virus on the laptops that astronauts took to the ISS. Nasa told SpaceRef that no command or control systems of the ISS were at risk from the malicious program. The laptops infected with the virus were used to run nutritional programs and let the astronauts periodically send e-mail back to Earth.
The laptops carried by astronauts reportedly do not have any anti-virus software on them to prevent infection. Once it has scooped up passwords and login names, the Gammima.AG worm virus tries to send them back to a central server. It targets a total of 10 games, most of which are popular in the Far East, such as Maple Story, HuangYi Online and Talesweaver. Nasa is working with partners on the ISS to find out how the virus got on to the laptop in the first place. The ISS has no direct net connection and all data traffic travelling from the ground to the spacecraft is scanned before being transmitted. It is thought that the virus might have travelled via a flash or USB drive owned by an astronaut and taken into space. The space agency also plans to put in place security systems to stop such incidents happening in the future. Nasa told Wired News that viruses had infected laptops taken to the ISS on several occasions but the outbreaks had always only been a "nuisance". (http://news.bbc.co.uk/2/hi/technology/7583805.stm)


The Gammima.AG virus is a computer worm that propagates by copying itself to removable media. It also steals password information related to various online games. The article above states that the virus was likely to have gotten on board from a "USB drive taken up by one of the astronauts". The above definition says that the virus copies itself to removable media, which is what they believe happened in the NASA situation. The virus was discovered by NASA on board a computer on the International Space Station in August 2007, though it did not pose any threat to the International Space Station, as it is a gaming virus made to steal login information for net-based computer games (Wikipedia (2009)).

Tuesday, October 27, 2009

Security and Personnel - Week 11

Weekly reflection
What actions can each person in an organisation take to minimize the risk of identity theft?

* Shred any confidential documents, especially ones that contain private information, such as address, phone number, tax file number etc.

* Use strong passwords on all your accounts and make sure you change your passwords regularly.

* Do not use the same password for all of your accounts.

* Update the software on your computer frequently. This includes your operating system, firewall, anti-virus and anti-spam software.

* When you are using email, do not open any emails or attachments from people you don't know.

* Always use a virus scanner when you open attachments.

* Ask about security practices at your workplace and find out who has access to your private information.

Discuss and generate a list of concrete actions each student can take to control this risk at UB.

It is very important to control the risk you have of someone gaining access to your private information. To control this risk at the University of Ballarat, I recommend that each student:

* Manages their personal information cautiously

* Changes their passwords on a regular basis and does not tell anyone their password

* Does not open any emails where they don't know the sender

How do you think the Information Security department at UB is structured? You don't need to know the correct answer to this, but based on your understanding of UB's size and the types of information it needs to secure, what roles do you imagine exist here?

I think the Information Security department at UB is structured so that security measures are updated regularly, such as implementing new software and changing passwords regularly. I would also think that there would have to be a very secure place where all students' private information is stored, and I think they would have a good backup system and anti-virus software.

Implementing Security - Week 10

Weekly reflection
In your blog, write about your understanding of the outsourcing process. You may need to do some extra research for this. In particular, describe your knowledge of RFPs, evaluation, contract award, and exit strategies. Give an example of why an exit strategy would be necessary if outsourcing the implementation of an information security blueprint.

Outsourcing saves time and money, and helps to avoid risk. The promised benefits of outsourced security can be very attractive to businesses. The potential to increase network security without hiring more people and spending more money is one of the reasons outsourcing is becoming more popular. The primary argument for outsourcing is financial, as a company can get the security expertise it needs at a smaller cost by hiring someone else to provide it. One of the major difficulties in deciding to outsource is who to get to do the work for you; the potential risks of outsourcing can be considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake. When deciding to outsource, the risk levels of potential vendors must be identified: "Key information security considerations that should be tracked as part of this stage include: Information Security Policies, Audit Results and Methods, Standards and Certifications, Technical Controls, Security Architecture, Local Regulatory Compliance Requirements and Law Enforcement Practices" (A CISO’s Guide to Security Outsourcing (2009)).

RFPs
The RFP document is one of the most important documents in the vendor selection process. The RFP defines the work to be done and the additional conditions to be met in order to win a contract.

Evaluation
An outsourcing evaluation should follow a disciplined, managerial approach from planning through negotiation and implementation, to ongoing management of the relationship.

Contract award
The legal basis of any outsourcing agreement is of course the contract. This determines the legal parameters of the service and the responsibilities of each party.

Exit strategies
It is important to plan your exit strategy before you buy: it is critical to plan how you will get out of an outsourcing contract should the need arise. An exit strategy would be necessary if outsourcing the implementation of an information security blueprint because the delivered blueprint may not suit your organisation, and having an exit strategy means you are not stuck with it.

Tuesday, October 6, 2009

Physical Security - Week 9

In your blog, reflect on your understanding of the content in section 9.
Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information, and it provides guidance on how to prevent an attack on your information from occurring. It can be as simple as a locked door or as elaborate as multiple layers of armed security guards and multiple security safeguards, such as passwords updated daily, alarms, motion detectors or biometrics such as fingerprint verification. A good example of physical security is an automatic teller machine, which is protected by spoiling the money inside when it is attacked: money tainted with a dye acts as a flag that it was unlawfully acquired. One of the main goals of physical security is to convince potential attackers that the likely costs of an attack exceed the value of making it. There are at least four layers of physical security: environmental design, mechanical and electronic access control, intrusion detection and video monitoring.

How safe is the data on your computer, especially if your computer is lost or stolen?
I don't think the data on my computer would be very safe. The computer I have is sort of older, so not as high-tech as most of the computers on the market today... I think if there are people out there who can hack into the security networks of major companies, and even countries, then my desktop won't stand a chance... not that there is anything of value on here, mostly essays, lecture notes and family photos, more sentimental value.

If you were working for a large multinational business or government department, what measures do you think might be in place to mitigate the risks of physical theft or loss?

Key cards, security passwords that are changed daily or weekly at least, finger scans or eye scans, voice recognition, surveillance cameras; I think that the networks would all be connected to a computer that can detect if something is going on that shouldn't be.