
May 6, 2013

Learning IT Security By Consequences


This is a brilliant little video on IT Security. 

What I like about it is that it doesn't just tell you what not to do to stay safe, but rather it shows you the consequences of not doing the right things. 

Whether you are letting someone into your office, allowing them to borrow your badge, leaving your computer unsecured, posting your passwords, and more--this short animated video shows you how these vulnerabilities will be exploited.

It is also effective how they show "Larry" doing these security no-no's with signs everywhere saying don't do this. 

Finally, the video does a nice job summing up key points at the end to reinforce what you learned. 

I think that while this is simpler than many longer and more detailed security videos that I have seen, in a way it is more successful at delivering the message in a practical, down-to-earth way from which anyone can quickly learn core basic practices.

Moreover, this video could be expanded to teach additional useful IT security tips, such as password strengthening, social engineering, and much more. 

I believe that even Larry, the unsuspecting office guy, can learn his lesson here. ;-)

(Note: This is not an endorsement of any product or service.)

February 23, 2013

Analyzing The Law


So I am back in school AGAIN (I'm a life-long learner), augmenting my not so slow-paced job.

Let's just say that at this point, I recognize that the more I know, the more I don't know anything. 

The class that I am taking now is Cyberlaw, and while I did take law in business school--many moons ago--that was more focused on contracts and business organizations. 

This class looks interesting from the perspective of the legal and regulatory structure for dealing with and fighting cybercrime, cyberterrorism, and cyberwar.

One interesting thing that I already learned was a technique for evaluating legal cases called IRAC, which stands for:

- Issues--the underlying legal matters that the case is addressing.

- Rules--what legal precedents can be applied.

- Analysis--whether or not those rules apply in this case.

- Conclusion--rendering an opinion on the case.

This is a structured way to analyze any legal case. 

Of course, before you do any of these, you have to look at the facts--so that is the very first section.

The problem with that is then you have F-IRAC and that can definitely be taken the wrong way. ;-)

(Source Photo: Andy Blumenthal)


April 27, 2012

Securing The Internet: A Historical Perspective

This week, I had the opportunity to take a great class in Cyber Security / Information Assurance.

As part of the class, we had to do a team project and my part was to present a brief history of the Internet and how this best positions the Federal Government to take the lead in securing the Internet.

Here is my part of the presentation:

Good morning. I am Andy Blumenthal, and I am here to talk with you today about the wealth of historical experience that the U.S. Federal Government has with managing the Internet and why we are best positioned to govern the security of it in partnership with the private sector and international community.

As you’ll see on the timeline, the U.S. Government has played a major role in virtually every development of the Internet, from inventing it, to building it, to governing it, and it is therefore best prepared to lead in securing it.

It all started with the invention of the Internet by the government.

It started in 1957 with the Sputnik Crisis, when the Soviets leaped ahead of us by putting the first satellite into Earth’s orbit. This caused great fear in this country and ultimately led to a space and technology race between us and the Soviet Union.

As a result of this, in 1958, the U.S. Government established the Advanced Research Projects Agency (or ARPA) to advance our technology superiority and prevent any future technology surprises.

In 1962, ARPA created the Information Processing Techniques Office (IPTO) to enhance telecommunications for sharing ideas and computing resources.

Finally, in 1964, the concept of the Internet was founded with the publication by RAND (on contract with the Air Force) of “On Distributed Communications,” which essentially invented the idea of a distributed computing network (i.e. the Internet) with packet switching and no single point of failure. This was seen as critical in order to strengthen the U.S. telecom infrastructure for survivability in the event of a nuclear attack by the Soviets.

The Internet era was born!

The U.S. government then set out to build this great Internet.

In 1968, ARPA contracted for the first 4 nodes of this network (for $563,000).

Then in 1982, after 8 years of antitrust litigation, the U.S. government oversaw the breakup of AT&T into the Baby Bells in order to ensure competition, value, and innovation for the consumer.

In 1983, ARPANET split off MILNET, but continued to be linked to it through TCP/IP.

In 1987, the National Science Foundation (NSF) built a T1 “Internet Backbone” for NSFNET hooking up the nation’s five supercomputers for high-speed and high capacity transmission.

And in 1991, the National Research and Education Network (NREN, a specialized ISP) was funded for a five-year contract with $2 billion by Congress to upgrade the Internet backbone.

At this point, the Internet was well on its way!

But the U.S. government’s involvement did not end there: after inventing it and building it, we went on to effectively govern it.

In 2005, the Federal Communications Commission (FCC) issued the Internet Policy Statement (related to Net Neutrality) with principles to govern an open Internet—where consumers are entitled to their choice of content, apps, devices, and service providers.

And now, most recently, in 2012, we have a proposed bill for the Cybersecurity Act to ensure that companies share cyber security information through government exchanges and that they meet critical infrastructure protection standards.

You see, the government understands the Internet, its architecture, and its vulnerabilities, and has a long history with the Internet from its invention, to its building, to its governance.

It only makes sense for the government to take the lead in the security of the Internet and to balance this effectively with the principles for an open Internet.

Only the government can ensure that the private sector and our international partners have the incentives and disincentives to do what needs to be done to secure the Internet and thereby our critical infrastructure protection.

Thank you for your undivided attention, and now I will turn it over to my colleague, who will talk to you about the legal precedents for this.

(Source Graphic: Andy Blumenthal)


September 9, 2011

Visualizing IT Security


I thought this infographic on the "8 Levels of IT Security" was worth sharing.

While I don't see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:

1) Risk Management - With limited resources, we've got to identify and manage the high probability, high impact risks first and foremost.

2) Security Policy - The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.

3) Logging, Monitoring, and Reporting - These are the eyes, ears, and mouth of the organization in terms of watching over its security posture.

4) Virtual Perimeter - This provides for the remote authentication of users into the organization's IT domain.

5) Environment and Physical - This addresses the physical protection of IT assets.

6) Platform Security - This provides for the hardening of specific IT systems in terms of their hardware, software, and connectivity.

7) Information Assurance - This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.

8) Identification and Access Management - This prevents unauthorized users from getting to information they are not authorized to access.

Overall, this IT security infographic is interesting to me, because it's an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.

However, I think an even better presentation of IT security would use the "defense-in-depth" visualization, with concentric circles or something similar, showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level at which it is vulnerable.

IT security is not just a checklist of do's and don'ts; rather, it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.

Does anyone else have any other really good visualizations on cyber security?

(Source Photo: here)
