Tuesday, December 17, 2013

Week 4 Post Assignment.

Information security planning has two big pictures.
One is organizational planning and the other is contingency planning.
Organizational planning covers the business's strategic, tactical and operational planning for running the company.
Contingency planning covers incident response, disaster recovery and business continuity planning, to reduce the impact on the company of a threat from any cause.
Planning requires both a top-down approach and a bottom-up approach, depending on who is responsible for each duty and on the mission and vision of each department.

Today, let me explain the contingency planning part of the information security plan.
Exercising with an example or sample disaster scenario will always be better than doing nothing about a future impact. That will reduce injuries to people and the loss of asset value.
I had experience with this kind of scenario from war games at a military base.
We created a virtual map of Korea and deployed the units along the border line to the DMZ.
North Korea attacks South Korea, and the government announces to the public that the Korean War has started.
They destroy government buildings and structures and keep moving south; they also use chemical weapons, which creates the worst fighting situation for the South Korean Army.
US troops support the Korean army, the North Koreans move back north, and finally they give up. We did this kind of exercise every winter with the US Army to reduce injuries to the Korean people and protect the Korean people's assets for the country.
We learned potential ideas for recovery actions and protecting the land area through the program plan.
A company is a small-sized model of a country.
They need a checkpoint plan for everything in order to survive.

Sunday, December 15, 2013

How many people know that outside hackers are looking for your information?
Let me share some information from the site linked below, along with a brief summary.

Due to the lower proportion of internal threat agents, Misuse lost its pole position among the list of threat action categories.
Hacking and Malware have retaken the lead and are playing dirtier than ever.
Absent, weak, and stolen credentials are careening out of control.
Gaining quickly, however, is a newcomer to the top three: Physical.
After doubling as a percentage of all breaches in 2009, it managed to double again in 2010.
Maybe cybercrime is getting less "cyber"? Misuse and Social, though lower in percentage, were still high in number and provided some amazing examples of misbehavior, deception, and plotting for the highlight reel.

Reference:
"2010, 2011, 2012 Data Breach Investigations Report" (Verizon)

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

Thursday, December 5, 2013

I have a good resource for computer security; my professor linked this site for me.
Some people still don't get the security information they need for using a personal computer or a company's resource system. I think this site gives a lot of information about why we need to patch software and keep software up to date.

http://www.onguardonline.gov/articles/0009-computer-security

Tuesday, December 3, 2013


I found a good source on information security management; this web page describes in detail how to handle, audit and control the IT section.
 

4 MANAGEMENT CONTROLS

4.1 Risk Assessment and Management

• Describe the risk assessment methodology used to identify the threats and vulnerabilities of the system. Include the date the review was conducted. If there is no system risk assessment, include a milestone date (month and year) for completion of the assessment.

4.1.1 Performance Measures

• Performance measures should be established around criteria such as Data Integrity, Access to Application (unauthorized access attempts) or other measures that reflect application security. Detail what performance measures are in place for this application.

4.1.2 Configuration Management Information

• Identify the Configuration Management Plan for this system (Name, Date and Version of the document). Is there a separate CCB Charter for this system (Yes or No)? Provide the names of the Configuration Control Authority (CCA), Configuration Management Authority and the Designated Accrediting Authority (DAA).

4.2 Review of Security Controls

• Have there been major changes or upgrades to the application in the current year? If so, list any independent security reviews conducted on the application.

• Include information about the type of security evaluation performed, who performed the review, the purpose of the review, the findings, and the actions taken as a result.

4.3 Rules of Behavior

• A set of rules of behavior in writing must be established for each system. The rules of behavior should be made available to every user prior to receiving access to the system. It is recommended that the rules contain a signature page to acknowledge receipt.

• The rules of behavior should clearly delineate responsibilities and expected behavior of all individuals with access to the system. They should state the consequences of inconsistent behavior or non-compliance. They should also include appropriate limits on interconnections to other systems.

• Attach the rules of behavior for the system as an appendix and reference the appendix number in this section, or insert the rules into this section.

4.4 Planning for Security in the Life Cycle

Determine which phase(s) of the life cycle the system, or parts of the system, are in. Describe how security has been handled in the life cycle phase(s) the system is currently in.

4.4.1 Initiation Phase

• Reference the sensitivity assessment that is described in Section 3.7, Sensitivity of Information Handled.

4.4.2 Development/Acquisition Phase

• During the system design, were security requirements identified?

• Were the appropriate security controls with associated evaluation and test procedures developed before the procurement action?

• Did the solicitation documents (e.g., Request for Proposals) include security requirements and evaluation/test procedures?

• Did the requirements permit updating security requirements as new threats/vulnerabilities are identified and as new technologies are implemented?

• If this is a purchased commercial application or the application contains commercial, off-the-shelf components, were security requirements identified and included in the acquisition specifications?

4.4.3 Implementation Phase

• Were design reviews and system tests run prior to placing the system in production? Were the tests documented? Has the system been certified?

• Have security controls been added since development?

• Has the application undergone a technical evaluation to ensure that it meets applicable federal laws, regulations, policies, guidelines, and standards?

• Include the date of the certification and accreditation. If the system is not authorized yet, include the date when the accreditation request will be made.

4.4.4 Operation/Maintenance Phase

• The security plan documents the security activities required in this phase.

4.4.5 Disposal Phase

Describe in this section how information is moved to another system, archived, discarded, or destroyed. Discuss controls used to ensure the confidentiality of the information.

• Is sensitive data encrypted?

• How is information cleared and purged from the system?

• Is information or media purged, overwritten, degaussed or destroyed?

4.5 Authorize Processing

4.5.1 Certification and Accreditation

• Provide the date of system certification and accreditation, and the name and title of the management official authorizing processing in the system.

• If not authorized, provide the name and title of the manager requesting approval to operate and the date of the request. Include information on any formal Interim Accreditation.

4.5.2 Privacy

• Detail information on conducting the Privacy Impact Assessment (PIA), including the date conducted for this application.

Retrieved from "Annual Security Plans for Information Technology Systems" (USDA DM3565-001):
http://www.ocio.usda.gov/sites/default/files/docs/2012/DM3565-001.htm

Tuesday, November 26, 2013

Introduction


I would like to share my personal information.
I was born on July 8, 1965 in Naju, South Korea, a city that is famous for its pear production in Korea.
I moved to Seoul when I was 7 years old, and grew up there until I entered middle school. I joined the Air Force Academy Early College High School; it's similar to an ROTC school, but the hierarchical relationship with upperclassmen is very hard to keep up with alongside the class schedule. The upperclassmen make up the rules in the school.
I wished to study the Korean military aviation business and high technology for my future career, and I also learned some military fighting skills and teaching skills to train soldiers for leadership.
One year later, I left the military high school and enrolled in a private high school until graduation.
In Korea, every male student has to join the military to serve the country after turning 19 years old.
If you come from a politician's family, or have a family member in the military or a rich family member, your service in the military or work in the green zone will be reduced, but if you go through the problem that I had to go through, you have to go to a nearby DMZ area or be deployed to the DMZ for 30 months.
I joined the Army like everyone else did, and applied for a higher-rank position that required extending my military service.
I didn't choose to go through the 30 months of service after joining the army; instead I applied for a 7-year service contract with the military. Before I joined the Army, I took drama classes in high school and performed on stage several times.
I was an actor; I was in three films.
The actor lifestyle and the military lifestyle are really different from each other. Even though they were different, I worked hard to get used to living the military lifestyle. I really don't like staying in warm water and then jumping into cold water.


But I overcame the differences between the military and acting lifestyles; then I had to overcome another problem similar to the one I had just overcome, but it seems like nothing has changed from the past.
The problem that I am currently facing is the difference between Korean and English language structure. These two languages are really different from each other, and the time zone between America and Korea is also different.
One of my weaknesses is learning other languages, especially English.
After I turned 27 years old, I moved to America and worked in the IT field, where I am now.
I married my lovely Korean wife in the traditional way that Korean people had to go through, like matchmaking traditions. I didn't know her very well before we got married.
My mother suggested that I should get married, so I did, in the traditional Korean marriage style.
Now I am living with my three loving kids (a 15-year-old girl, a 13-year-old boy and a 10-year-old baby).

Now I'm working at CACI, and my job function is supporting new equipment training for the operation and maintenance of devices, and troubleshooting, including repairs, for US military troops.

Sunday, November 24, 2013

Microsoft Patches Vulnerability Attackers Used to Target IE Users

This topic is very interesting to me.

http://www.securityweek.com/microsoft-patches-vulnerability-attackers-used-target-ie-users


Microsoft swatted a recently-discovered, zero-day bug being used in a watering hole attack as part of this month's Patch Tuesday update.

The flaw, CVE-2013-3918, is a remote code execution vulnerability in the InformationCardSigninHelper ActiveX component used by Internet Explorer. The issue was already set to be fixed in MS13-090 before FireEye discovered it, explained Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.

According to Microsoft, the attack in the wild is targeting IE 7 and IE 8 on Windows XP. The exploit being used by the attackers actually combines two distinct vulnerabilities. In addition to the remote code execution bug, there is also an information disclosure vulnerability used as well to improve the reliability of the exploit and to create ROP (return-oriented programming) payloads specifically targeted for the victim's machine.
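The last paragraph of the article explains why the attackers paired the code-execution bug with an information-disclosure bug. The simulation below is an added example of mine, not code from this post, from SecurityWeek, or from the real exploit: it shows how one leaked pointer into a module lets an attacker recover the module's randomized load address and rebase a ROP chain for that specific victim, and how a chain built against a guessed address fails under ASLR. Every module base, RVA, gadget name and "leaked" pointer in it is constructed for illustration and says nothing about CVE-2013-3918, icardie.dll or any real module.

```python
"""Why an info leak makes ROP reliable under ASLR (added illustration).

All module bases, RVAs, gadget names and the "leaked" pointer are
constructed for this example; they do not describe CVE-2013-3918 or
any real module or exploit.
"""
import random

# Windows maps image sections at 64 KiB-aligned bases; ASLR chooses which.
IMAGE_ALIGN = 0x10000

# Constructed: the base a hypothetical 32-bit DLL asks for in its PE header.
# Without ASLR an exploit could hard-code gadget addresses against this.
PREFERRED_BASE = 0x10000000

# Constructed: gadget offsets (RVAs) inside that DLL. An attacker reads them
# from the on-disk file once; they are fixed for a given build of the DLL.
GADGET_RVAS = {
    "pop_eax_ret": 0x00012345,
    "xchg_eax_esp_ret": 0x000456A8,
    "iat_VirtualProtect": 0x00091000,
}

# Constructed: RVA of the function pointer the info-disclosure bug leaks.
LEAKED_FUNC_RVA = 0x00023C10


def load_module(rng):
    """Simulate ASLR: pick a random, image-aligned base for the DLL."""
    return rng.randrange(0x10000000, 0x7FF00000) // IMAGE_ALIGN * IMAGE_ALIGN


def base_from_leak(leaked_ptr, leaked_rva=LEAKED_FUNC_RVA):
    """Recover the live module base from one leaked pointer into the module.

    The attacker knows the pointer's RVA from the on-disk file, so
    base = leaked_ptr - rva. A real base is image-aligned; anything else
    means the leak did not come from where we assumed."""
    base = leaked_ptr - leaked_rva
    if base % IMAGE_ALIGN:
        raise ValueError("leaked pointer does not match the expected RVA")
    return base


def build_chain(base, gadget_rvas=GADGET_RVAS):
    """Rebase the static RVAs onto a module base: this is the ROP chain."""
    return {name: base + rva for name, rva in gadget_rvas.items()}


def chain_fires(chain, true_base, gadget_rvas=GADGET_RVAS):
    """True only if every gadget address lands on the intended instruction,
    i.e. the chain was built against the module's actual base."""
    return all(chain[name] == true_base + rva for name, rva in gadget_rvas.items())


def run_exploit(rng, use_leak):
    """One victim visit: load the DLL somewhere, build a chain, see if it works."""
    true_base = load_module(rng)
    # The info-disclosure primitive hands the attacker a pointer into the DLL.
    leaked_ptr = true_base + LEAKED_FUNC_RVA
    base = base_from_leak(leaked_ptr) if use_leak else PREFERRED_BASE
    return chain_fires(build_chain(base), true_base)


def success_rate(use_leak, trials=500, seed=2013):
    """Fraction of simulated victims on which the ROP chain executes."""
    rng = random.Random(seed)
    return sum(run_exploit(rng, use_leak) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("without leak (guess preferred base):", success_rate(False))
    print("with leak    (rebase per victim):   ", success_rate(True))
```

The rebasing step is the whole trick: the gadget RVAs never change, so a single leaked pointer (whose RVA the attacker also knows) is enough to place every gadget correctly on that victim, which is what "ROP payloads specifically targeted for the victim's machine" means. Without the leak the chain only works on machines where ASLR happens to put the module at the guessed address.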