Park, KyeongSeob- Information Security: 2014

Sunday, March 2, 2014

Week 12 - Summary of the Blog for Week 1 to 12.

This Post Blog was done on Feb, 27 2014
I was change the the blogger design, but whole posting date is change by current date and time.

Question: Time to finish up your blog. This last assignment should be a retrospective look at your postings over the last 11 weeks. Time for a little analysis. Write up an entry that provides a summary of what you chose to write about.

I wrote a different topic for each Weeks, getting my sources from the textbook and the internet.

The week 1: Microsoft patches vulnerability attackers used to target IE users.
Explain about the ActiveX component vulnerability for security hole. (Need patches).
The week 2: Management Controls.
Explain the scope of the security management (Risk, Control, Plan, and Measure)
The week 3: Hacking behavior.
Explain of the hacking use the software for the taken your information.

The week 4: Two part of planning for the information security.

Explain the organizational planning and contingency planning.

Week 5: Information Security Policy.
Explain the policy for the organization group limited access control.

Week 6: Security Education, Training, and Awareness.
Explain why we need the security education to employee.
Week 7: Security Architecture Models.
Explain different of situation model for study that give more security knowledge.

Week 8: Risk assessment for identification and TVA.

Explain estimate of impact damage cost by simulation for risk plan.
Week 9: Without risk plan that will make unbelievable cost occur.

Explain example of the history damage value for without risk plan.

Week 10: Network device of Firewall configuration.
Explain electronics component for the protection data.

Week 11: Job position of security

Explain Job requirement and description of field.

Question: First, you need to categorize your topics of choice. Did you write primarily on operating system issues? User errors? Viruses? Or did you write about a variety of topics? Why did you choose those topics?

Week1:
Categorize – IE Microsoft Operating System Browser for the virus.
The internet browser is a gate to the cyber world for finance of home banking, checking the social security information, and inputting the knowledge information at the database.
We have to authenticate for validation that will identity myself by the digital code and authorization for permission to be granted to access, update, or delete information asset.
When, the IE browser has vulnerability from the hacker then we aren’t in the safe zone anymore.
We need to patch the browser to a service provider like, Microsoft.
I choose this topic, because they have to get the correct information to protect our information.

Week2:
Categorize – Organization management controls topics for user errors.
There are many different sources that can threaten our life, we don’t know, when, how, and/or what kind of prosperity damage or body injury it will make. But we can be prepared from all of the different situations for our data and reduce the damage from a big wave.
Especially, the organization needs a much more detailed plan to each department managers and staff duty.
I choose this topic for the responsibility of the separated group and tracking the schedule inside of the company.

Week3:
Categorize – Hacker’s Behavior for the virus
The system policy is very important in the company or IT system for the protection of data.
We have to find out the hacker’s behavior to patch the internal hole to block the intruder gate.
I choose this topic, because the percentage of the damage are increasing by the hacker’s attacks.

Week4:
Categorize – The IT controls the system by two different plans for the user errors.
The operation plan for the non-stopping operates the company rule from an incident, and makes a fake model for a virtual scenario and practice it for minimizing the damage plan.
When we have some of experience, we can quickly respond to those things.

Week5:
Categorize – Policy for the virus.
The policy is limited accessing control for the different groups for protecting the data and controlling the system.
In this topic, it is important to understand the security management.

Week6:
Categorize – Education IT Security for the user errors.
The most fault damages that occur is a mishandling by an inner employee.
The company has to educate the employees about security awareness.
This topic will update the employee’s knowledge information through the regularly training schedule.

Week7:
Categorize – Model of the fake simulation for the user errors.
The company tries to reduce damage by exercising the model.
It has a good standard security model for industrial.
So, they can practice as much as they want to get the experience.

Week8:
Categorize – Estimate the damage value for the budget control – the user errors.
They have to input the estimated future damage value to control finance.
I selected this topic from the text book, so we can simply estimate the number of impact.
That number is really helpful to us for preparing the company asset balance.

Week9:
Categorize – Disaster -
We can’t control the natural disaster, which is a major problem to all managements.
We have to find the best solution for the IT security management from a natural disaster.
Distributing the data structure will save the system or using the cloud system is better for this scenario.

Week10:
Categorize – Internal protection device for the virus.
The firewalls is a network protection device.
Two different things are required for this topic.
One is hardware device selection, and two is configuration system device.
First they have to understand that each different layer structure for communication data, like the client Layer – Web Layer – Application Layer –ODBC Layer – Database Layer for controlling the firewalls device and configuration.

Week11:
Categorize – Job Position
The job title has different responsibilities and requirements for certification or field experience.
I choose this topic, because if someone didn’t know how to contact a person to solve this problem.
They have to understand the IT organization flow chart supports different education knowledge.

Question: Next, you need to include an analysis of where you got your material. Did you use the same source each week? A variety each week?

My main source is from the text book, and a relative topic is from a Web site.
I like the text book source for most of the topic knowledge, because the book has a professional filtering information on the security management knowledge.
I also used the Web source that has so many information out there, that I couldn’t judge which source is best for me, but I tried to find a very similar Web site on the topic like the textbook has.

Question: As the last part of this entry, include whether or not you thought this type of blog might be useful to an information security professional and provide a few lessons learned for the next group of students.

My blog will help other students for reference, because following the textbook that contains a lot of information of security management.
I did not mixed up the topic and subject to focus on the information security.
When following my Weeks on my blog, they will draw a bigger picture on the information security management.

Reference.

Whitman, M. & Mattord, H. (2010). “Management of Information Security.”
Boston, MA, Course Technology, Cengage Learning.

Wednesday, February 19, 2014

Week 8. Risk Associated with the four vulnerabilities.

The Mesusa Corporation has three information assets to evaluate for risk management as listed below. Create a ranked list of risk associated with the four vulnerabilities. You can begin with the columns from the Ranked Vulnerability Risk worksheet (Asset, Impact, Vulnerability, Likelihood), determine the risk rating, and then include percentage of current control and the uncertainty rate to come up with a final risk -rating estimate. Use the formula as described in this chapter.

Switch L47 connects a network to the Internet. It has two vulnerabilities; (1) susceptibility to hardware failure, with the likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75% certainty of the assumptions and data.

Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such and attack is estimated at 0.2. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of vulnerability by 75%. There is an 80% certainty of the assumptions and data.

Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90% certainty of the assumptions and data.

Likelihood

Likelihood is the overall rating—a numerical value on a defined scale (.1 – 1.0)—of the probability that a specific vulnerability will be exploited.

Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, i.e. 1-100, low-med-high,

Assessing Potential Loss

To be effective, the values must be assigned by asking:

· Which threats present a danger to this organization’s assets in the given environment?

· Which threats represent the most danger to the organization’s information?

· How much would it cost to recover from a successful attack?

· Which threats would require the greatest expenditure to prevent?

· Which of the aforementioned questions is the most important to the protection of information from threats within this organization?

Percentage of Risk Mitigated by Current Controls

If a vulnerability is fully managed by an existing control, it can be set aside.

If it is partially controlled, estimate what percentage of the vulnerability has been controlled.

Uncertainty

It is not possible to know everything about every vulnerability.

The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.

Risk Determination

For the purpose of relative risk assessment, = (risk equals likelihood of vulnerability occurrence) x (value (or impact)) – (percentage risk already controlled) + (an element of uncertainty).

Ranked Vulnerability Risk worksheet.

Asset	Asset Impact	Vulnerability	Vulnerability Likelihood	Risk-Rating Factor
Switch L47	90	Susceptibility to Hardware failure (90x0.2)-0%+25% (90x0.2)-((90x0.2)x0.0)+(90x0.2)x0.25)	0.2	22.5
Switch L47	90	Susceptibility to an SNMP buffer overflow attack (90x0.1)-0%+25% (90x0.1)-((90x0.1)x0.0)+(90x0.1)x0.25)	0.1	11.25
Server WebSrv6	100	Web site and performs e-commerce transactions. Web server software that is vulnerable to attack via invalid Unicode-values. (100x0.2)-75%+20% (100x0.2)-((100x0.2)x0.75)+((100x0.2)x0.2)	0.1	4.5
Operators MGMT45	5	Control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. (5x0.1)-0%+10% (5x0.1)-((5x0.1)x0)+((5x0.1)x0.1)	0.1	0.45

From your results, determine in what order the three assets be evaluated for additional controls. Include your worksheet and interpretation of the results.

------------------------------------------------------------------------------------------------------
I have two opinion for this case.

Opinion 1: The system is in control and give maintenance for the impact risk, but other devices such as the Switch L47 is not in control and the MGMT45 will increase that risk.
If vulnerability is fully managed by an existing control, it can be set aside.
If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
The risk identification process should designate, what function the reports serve, who is responsible for preparing them, and who reviews them.
Below is the table of the worksheets that should have been prepared by an information asset risk management team to this point.

Opinion2: The Switch 47 has the highest risk, but other side of WebSrv6 has impact value is 100 and require the no-stop operation.
I would evaluate the WebSrv6 for the additional controls first, depend on the company situation, but the company Web site is hosted by this server and performs valuable e-commerce transactions which can be compromised if the Server is not protected. If an attack on this Server occurs much of the company’s private data could be compromised which could harm the organization in many way. Protecting the server could also keep the organization safe from other threats and attacks.

Deliverable	Purpose
Information asset classification worksheet 1. WebSrv6 for E-commerce BIZ case 1.The Switch L47 has a high risk at the Hardware and Mid(high)-Software 2. Switch L47 2. WebSrv6 : risk rate is low, but the impact value is 100 which requires a non-stop operation. 3. Operations MGMT45 controls the console to monitor the operation Low risk-rating factor, but the user has to use the password to login into the system.	Assembles information about information assets and their impact on or value to the organization. 1. They need the system & software controls by the schedule of maintenance. * Check the system device & replace it with a high quality component or system. 2. They have to use the backup server through the cloud system or use the cluster operation server system for backup. 3. They have to setup the policy for the monitoring system operator.
Weighted criteria analysis worksheet	Assigns a ranked value or impact weight to each information asset
Ranked vulnerability risk worksheet	Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair

Reference.
Michael E. Whitman & Herbert J. Mattord, “Management of information security” 3e (2010), Boston, Course Technology, CengageLearning.

Week 11 Information Security Positions.

Week 11. Information Security Positions.

When hiring information security professionals at all levels, organizations frequently look for individuals able to:

· Understand how organizations are structured and operated

· Recognize that information security is a management task that cannot be handled with technology alone

· Work well with people in general, including users, and communicate effectively using both strong written and verbal communication skills

· Acknowledge the role of policy in guiding security efforts

· Understand the essential role of information security education and training, which helps make users part of the solution, rather than part of the problem

· Perceive the threats facing an organization, understand how these threats can become transformed into attacks, and safeguard the organization from information security attacks

· Understand how technical controls (including firewalls, IDSs, and antivirus software) can be applied to solve specific information security problems.

· Demonstrate familiarity with the mainstream information technologies, including Disk Operation System (DOS) and/or the Windows command-line, Windows XP/Vista/2003 and 2008 Server, Linus, and UNIX

· Understand IT and InfoSec terminology and concepts.

Information Security Community:

· InfoSec department manager

· Access control system administrator

· Internal InfoSec consultant

· InfoSec engineer

· InfoSec documentation specialist

· InfoSys contingency planner

· Local InfoSec coordinator

IT Community:

· Chief information officer

· InfoSys analyst/business analyst

· Systems programmer

· Business applications programmer

· Computer operations manager

· Computer operator

· InfoSys quality assurance analyst

· Help desk associate

· Archives manager/records manager

· Telecommunications manager

· Systems administrator/network administrator

· Web site administrator/commerce site administrator

· Database administrator

· Data administration manager

General Business Community:

· Physical security department manager

· Physical asset protection specialist

· Building and facilities guard

· Office maintenance worker

· Internal audit department manager

· EDP auditor

· Internal intellectual property attorney

· Human resources department manager

· Human resources consultant

· Receptionist

· Outsourcing contract administrator

· In-house trainer

· Insurance and risk management department manager

· Insurance and risk management analyst

· Business contingency planner

· Public relations manager

· Chief financial officer

· Purchasing agent

· Chief executive officer

Reference.

Whitman, M. & Mattord, H. (2010). “Management of Information Security.”
Boston, MA, Course Technology, Cengage Learning.

Wednesday, February 12, 2014

Week10 Firewalls.

We need information about why we have to install the firewall for our system.
The below text book information given to us a lot of idea for the subject.

Selecting the Right Firewall.

When evaluating a firewall for you networks, ask the following questions:

· What type of firewall technology offers the right balance between protection and cost for the needs of the organization?

· What features are included in the base price?
What features are available at extra cost?
Are all cost factors known?

· How easy is it to set up and configure the firewall?
How accessible are the staff technicians who can competently configure the firewall?

· Can the candidate firewall adapt to the growing network in the target organizations?

Managing Firewalls.

The constraints of their programming and rule sets in the following ways:

· Firewalls are not creative and cannot make sense of human actions outside the range of their programmed responses.

· Firewalls deal strictly with defined patterns of measured observation. These patterns are known to possible attackers and can be used to their benefit in an attack.

· Firewalls are computers themselves and are thus prone to programming errors, flaws in rule sets, and inherent vulnerabilities.

· Firewalls are designed to function within limits of hardware capacity and thus can only respond to patterns of events that happen in an expected and reasonably simultaneous sequence.

· Firewalls are designed, implemented, configured and operated by people and are subject to the expected series of mistakes from human error.

There are also a number of management challenges to administering firewalls:

1. Training. Most managers think of a firewall as just another device, more or less similar to the computers already humming in the rack.

2. Uniqueness. You have mastered your firewall and now every new configuration requirement is just a matter of a few clicks in the Telnet windows; however, each brand of firewall is different, and the new e-commerce project just brought you a new firewall running on a different OS.

3. Responsibility. Since you are the firewall guy, suddenly everyone assumes that anything to do with computer security is your responsibility.

4. Administration. Being a firewall administrator for a medium or large organization should be a full-time job by itself; however, that’s hardly ever the case.

Reference.

Whitman, M. & Mattord, H. (2010). “Management of Information Security.”
Boston, MA, Course Technology, Cengage Learning.

Monday, February 3, 2014

Week9 Post for Information Security Management.

What I found the good book for reference that is the below review message.
I’m interesting the subject and description that make focus on me.

From the Inside Flap

The 2008 credit crisis, terrorism, Katrina, computer hackers, and air travel disasters all have something in common-the methods used to assess and manage these risks are fundamentally flawed. If risks cannot be properly evaluated, risk management itself becomes the biggest risk. The Failure of Risk Management shows you how to identify and fix these hidden problems in risk management.

Ineffective risk management methods, often touted as "best practices," are passed from company to company like a bad virus with a long incubation period: there are no early indicators of ill effects until it's too late and catastrophe strikes. Exploring why risk management fails—the failure to measure and validate methods as a whole or in part; the use of components known not to work; and not using components that are known to work—The Failure of Risk Management shows you how to measure the performance of risk management in a meaningful way, identify where risk management is broken, and fix it.

Respected expert and bestselling author Douglas Hubbard-creator of the critically praised Applied Information Economics (AIE)—uses real-world examples to reveal the serious problems in our current approaches to risk analysis. Hubbard skillfully illustrates how to use a calibrated risk analyses approach, and the many benefits that go along with it, along with checklists and practice examples to get you started.

One of the first resources to apply risk management across all industries, The Failure of Risk Management provides you with the tools you need to hit the ground running with radically better risk management solutions.

Here, you'll discover:

· The diversity of approaches to assess and mitigate risks

· Why many influential methods-both qualitative and quantitative don't work

· Why we shouldn't always trust assessments based on "experience" alone

· The fallacies that stop you from adopting better risk management methods

· How those who develop models of risks justify (in error) excluding the biggest risks

· Adding empirical science to risk management

Reference.

The Failure of Risk Management: Why it’s Broken and how to fix it.
https://www.societyinforisk.org/reading-list