Sunday, June 8, 2014

Security as a business enabler

One thing that businesses forget is that security is supposed to be an enabler, not an inhibitor. What I mean is that security often gets in the way of doing business, or sometimes even drives business operations. That is why, when other business functions see us coming, you hear them mumble statements like, "Here come those security geeks again, what do they want us to do NOW?" instead of, "Hey, here come the security pros, I wonder what wonderful business enhancers they have for us today?"

There are some security experts who believe that security is NOT a business enabler because, according to them, "in order for a function to be a 'business enabler' it should directly contribute to the revenue stream of that business, not indirectly participate as part of the total business. Therefore, in order for security to fit into that definition it would require the product that is sold to be security centric or the use of security as a competitive differentiator for the product line."

I have to disagree with this statement. According to Businessdictionary.com, an enabler is "capabilities, forces and resources that contribute to the success of an entity, program, or project." This definition says nothing about revenue stream, although I would argue that if security contributes to success, and success in business is earning revenue, then it is indeed an enabler.

I believe that it is about time security got the respect it deserves. For many years security has been treated as the proverbial "stepchild" of business. Like custodial services, security guards, and other things of this nature, IT security has been regarded as a necessary evil, or a money drainer, for businesses. However, business leaders are now beginning to "see the light". They are now recognizing the value of excellent IT security to their reputation, their security, and yes, the bottom line: profit.

My detractors argue that "security as an enabler" was a concept "created as a sales tool by both security product vendors, large consultancies, security research firms, and the large security magazines." They say it is "designed to feed the undying need to provide security with tangible evidence of its importance. It is analogous to asking for an ROI on an insurance policy." To them this concept is nothing more than a way to sell security and its services. I say NAY. I will argue that good security processes can help increase revenue by up to 10%, and you cannot measure the return on investment of good security stopping a security breach and preserving the company's good name...just ask Target, eBay, and others.

Saturday, June 7, 2014

Learn more about cyber security at my new Squidoo lens

Cyber-Sense at Squidoo

Defending against Denial of Service Attacks

The denial of service attack, also known as DoS, is one of the most common attacks on the internet, so it is important that you understand how it works and know how to defend against it.

A denial of service attack is any attack whose goal is to deprive you of the use of your computer system or network.  It is not a hacker trying to infiltrate, or break into, your system to get at critical information.  Instead, its goal is to prevent users from having access to your system.  This could mean a loss of millions of dollars to a business.

The thing is, DoS attacks are rather easy to perpetrate.  Tools for them can even be downloaded from the internet and put into action by amateurs.  The hard part is not the ease of launching a DoS attack; it is covering tracks and not getting caught.

The concept behind a DoS is that every device has operational limits on its capacity to perform.  These are composed of such things as the maximum number of users, the speed of data transmission, or the amount of data that can be stored. Exceeding limits such as these will cause the system to stop responding.

One example of a type of DoS attack is called the SYN flood.  The SYN flood consists of simply sending a flood of connection requests (TCP SYN packets) very rapidly and then failing to respond to the reply that the server sends as a result of them (there is more to the attack than this, but it is a little complicated to explain here). In other words, the attacker requests a connection to your system, then never follows up with the rest of the connection sequence.  This leaves the connection to your system "half open", with the buffer memory allocated to that connection reserved and not available to other applications...or to people trying to connect. The SYN flood is a primitive method of causing a DoS, but it makes my point.

There is no guaranteed way to prevent DoS attacks; however, there are steps you can take to minimize the danger.  The defenses fall into two categories, technical and procedural.  Technical defenses are those items you can install on your system to make it safer.  These include such things as antivirus software, micro blocks, RST cookies, and stack tweaking.  Procedural defenses include such things as modifying your system usage behavior as it relates to security measures: things like not downloading suspicious files that might have DoS software embedded and not opening unverified attachments.
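As an added illustration that is not part of the original post, here is a small Python model of why half-open connections exhaust a listener's backlog, next to the stateless SYN-cookie mitigation (a defense the post does not name; the backlog size, 64-second window and secret are assumed values):

```python
import hmac
import hashlib


class HalfOpenQueue:
    """Stateful listener: every SYN reserves a backlog slot until the
    peer's final ACK arrives or the entry times out."""

    def __init__(self, capacity, timeout=60.0):
        self.capacity, self.timeout = capacity, timeout
        self.pending = {}  # (peer_ip, peer_port) -> time the SYN arrived

    def on_syn(self, peer, now):
        # Drop entries whose handshake never completed within the timeout.
        self.pending = {p: t for p, t in self.pending.items() if now - t < self.timeout}
        if len(self.pending) >= self.capacity:
            return False  # backlog full: this (possibly legitimate) SYN is dropped
        self.pending[peer] = now
        return True

    def on_ack(self, peer):
        # Completing the handshake frees the slot.
        return self.pending.pop(peer, None) is not None


class SynCookieListener:
    """Stateless listener: the server's initial sequence number is an HMAC of
    the peer tuple and a coarse timestamp, so nothing is stored until the peer
    proves it received the SYN-ACK by echoing that value back (assumed model)."""

    WINDOW = 64  # seconds a cookie stays valid (assumed value)

    def __init__(self, secret):
        self.secret = secret

    def _cookie(self, peer, slot):
        msg = f"{peer[0]}:{peer[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, peer, now):
        # Returned as the SYN-ACK sequence number; no per-peer state is kept.
        return self._cookie(peer, int(now) // self.WINDOW)

    def on_ack(self, peer, ack_seq, now):
        # The peer ACKs seq+1; accept the current or the previous time slot.
        slot = int(now) // self.WINDOW
        echoed = ((ack_seq - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        return any(hmac.compare_digest(self._cookie(peer, s).to_bytes(4, "big"), echoed)
                   for s in (slot, slot - 1))
```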

It should be obvious that protecting your system is critical, and you must do what you can to deny...a denial of service.


Friday, June 6, 2014

Come join me in the wonderful and lucrative world of cyber security

Cha-ching!!! Following a number of very high profile cyber-attacks, some of the largest companies in the world are hiring security specialists, not just to fill security roles, but also to join corporate boards and provide cyber security guidance from the top down.

Because of these attacks, companies have lost hundreds of millions of customer records, including financial details.

With all this happening, this is a GREAT time to become a Chief Information Security Officer (CISO).  CISOs at major organizations can typically command pay packets of more than $500,000, with some earning as much as $2m.

CISOs typically report to the CIO; however, many of the companies now hiring CISOs are looking to make them report directly to the CEO and the board, and in some cases are putting them on the board, too.

According to Reuters, global bank JPMorgan Chase, drinks company PepsiCo, US medical giant Cardinal Health, agricultural machine maker Deere & Co and the US Automobile Association (USAA) are just a few of the Fortune 500 companies looking to recruit chief information security officers (CISOs) in order to tighten up their organization's cyber defenses.

The reason behind this is that boards fear they lack the knowledge to make the right decisions on IT security. Boards don't feel they have the right expertise to draw upon. It is not that they don't understand it is a risk; they don't want to blunder uninformed into it. Bottom line...if you had not considered a career in cyber security, now might be the time to do so.

Monday, June 2, 2014

Catch that phone thief!

Phone theft has become a really big problem lately.  Last year, 3.1 million Americans had their phones stolen, according to a Consumer Reports survey. Here in DC, our Metro lines even have a voice message that constantly reminds you to be cognizant of your phone use while in the Metro stations and on trains.  Today I heard about an app originally developed for iPhone that you can now get on your Android as well.  It is called iGotYa!

While iGotYa cannot keep your phone from getting stolen, it may help you get it back.  Realistically, 60% of stolen phones are never recovered, but that leaves 30% that are.  With iGotYa, if someone steals your phone, every time that someone tries to unlock your device and enters a wrong code you will immediately receive the thief's photo and location in your email. You can also force your device to phone you if the thief tries to unlock it unsuccessfully a few times.

Your phone will be safe and protected against thieves thanks to iGotYa. You just need to enter your email address and you will start receiving alerts in case your phone or tablet is being used without authorization.

iGotYa is easy to configure: just activate it, type your email address, and it's done.

The mobile security firm Lookout also has something similar to iGotYa.  They have a new tool for tracking down bad guys by providing a "theftie," a covert snapshot of someone trying to steal your phone.

Their app also alerts you to suspicious behaviors on your phone, like a screen password mistyped three times. With this one you also get an email containing your phone's location and a highly unflattering look at the person holding your phone, be they Samaritan or supervillain.

Although these are made for catching a thief, think of the possibilities.  Do you want to know if your spouse or boyfriend is snooping in your phone? This might help.


Tuesday, May 27, 2014

Essential Security Resources

When it comes to cyber security, it is essential that you visit the available security resources often to keep up with the latest security information.  While there are many sources of information, I have found four that are a must for the security professional, or for anyone interested in cyber security.

CERT (www.cert.org/). CERT stands for the Computer Emergency Response Team.  CERT, the first computer incident response team ever created, is sponsored by Carnegie Mellon University. If you are interested in securing your computer network you should visit the CERT site on a regular basis.  The CERT site has a wealth of information and documentation, including security policies and guidelines, cutting-edge research, security alerts and a whole lot more.

The SANS Institute (www.sans.org/) is my next favorite. The SANS site provides detailed documentation on almost any aspect of cyber security.  The SANS Institute also offers some awesome classes on various security topics and is respected as one of the best sources of cyber security training and information.  In addition, SANS sponsors many security research projects to further cyber security knowledge and publishes information about the projects on its website.

Microsoft Security Advisor (www.Microsoft.com/security/) is my third recommendation, because just about every computer in the world runs Microsoft products. This site is a portal to all Microsoft security information, tools, and updates, and you should definitely visit it often.

F-Secure Corporation (www.f-secure.com/) is another great source of security information.  The site is a repository of detailed information on virus outbreaks, providing notification of and detailed information on specific viruses.  The information provided includes details on how the virus spreads, how to recognize it, and the specific tools you will need to clean your system should it become infected with that particular virus.

As stated, there are many resources for obtaining security information.  These are but four of my favorites.

Monday, May 26, 2014

Paradigms of Cyber Security

There are a variety of paradigms organizations can choose from when it comes to implementing cyber security. The chosen paradigm will drive and set the tone for all other network security decisions within the company. These paradigms can be classified by how proactive the system needs to be, or by the scope of the required security measures.

When a leader decides on the security approach his or her organization will use, they must decide how proactive or reactive the system needs to be.  The leader makes this decision by deciding how much of the security infrastructure and security policy is dedicated to preventive measures vs. simply responding to a breach after it has occurred.

A passive security approach takes few, if any, steps to prevent a security breach.  On the other hand, a dynamic (proactive) security approach takes steps to actually prevent the breach before it happens.  An example of this is using an intrusion prevention system (IPS) to detect AND prevent a potential security breach. The IPS can also be used to gather information about the techniques an intruder uses to gain access to, or conduct an assessment of, your network.

A perimeter security paradigm focuses on protecting the perimeter of an organization's network.   The bulk of the security system might be composed of firewalls, password policies, proxy servers and other technologies that try to limit access to the network. This is a flawed paradigm, as it makes no attempt to secure the internal network systems.  The perimeter is secure, but not the network itself.

A layered security paradigm focuses on the perimeter AND the internal systems of the network.  The servers, workstations, routers, switches, hubs and other components of the network are secured.  One approach to layered security is segmenting the network and then securing each of the segments.  This way, if the perimeter is compromised, the internal systems may not be; and if one of the segments is compromised, the others won't be.

In a real system the best approach will likely be a hybrid, with elements of each paradigm combined into one layered, dynamic, highly secure design.