Sunday, October 21, 2012

Vulnerability Assessment

This week we discussed listing an organization's information technology assets so that they can be prioritized. An inventory ranked by asset value is the starting point for threat and vulnerability assessments and for the risk analysis that follows. While researching, I found a company that matches our topic of discussion this week.


USA.NET, a Perimeter E-Security company, gives prospective clients the following information on vulnerabilities:

Vulnerability Assessments are critical components of an organization's network security policy. With new vulnerabilities created daily, it's important that an organization keeps an updated view of its current security posture. Vulnerability Assessments have become such a standard best practice that many regulatory bodies strongly recommend or require institutions to have a policy that includes them. The PCI Security Council, publisher of the PCI-DSS set of requirements, is among these bodies now requiring organizations to perform assessments at least quarterly. With so many reasons to scan, it makes sense to consolidate all these scans inside one easily accessible location that includes scan scheduling, report review, and remediation recommendations. (USA.NET. 2012)

They then describe the three types of scanning services they offer to help with this:

  • External - this vulnerability assessment utilizes Perimeter's cloud-based scanners to perform scans on your externally facing devices. Performing scans from this perspective helps you understand what an individual trying to break into your network sees. The same web-based portal is included for easy service management and reporting with this service as is included in the Internal service. (USA.NET, 2012)
  • Internal - this assessment performs scans from inside your network, revealing vulnerabilities that an individual would see once they are past the edge devices. The same web-based portal is included for easy service management and reporting with this service as is included in the External service. Scanner software is provided to you with this service that can be installed on a dedicated device or virtual machine, or can be loaded as needed on a shared device. (USA.NET, 2012)
  • PCI - this external scan is customized to include the required Statement of Attestation and Self-Assessment Questionnaire mandated by the PCI-DSS set of requirements. In addition to the management and reporting portal, this option provides additional reporting options including an overview of your PCI compliance status and more insight into any areas that are currently out of compliance. (USA.NET, 2012)

An organization's information security ultimately rests on its vulnerabilities and how they are handled: a vulnerability that is never found, or found and never fixed, is the one an attacker will use. It is therefore important that threat and vulnerability assessments are thorough and detailed, and that the resulting risk analyses receive an appropriate amount of senior leaders' time and attention. We talk a great deal about IT teams scrubbing their own systems for vulnerabilities, and that is still necessary, but companies like USA.NET are available to supplement that work with external, internal, and PCI-focused scanning.

Cited:
USA.NET. (2012). Vulnerability Assessments. Perimeter E-Security. Retrieved from http://www.perimeterusa.com/services/network-security/vulnerability-assessments/

Sunday, October 14, 2012

Top 10 Threats for 2012

I was reading a post by Dawn Kawamoto of Daily Finance in which she discusses some interesting threat predictions for 2012. I know 2012 is almost over, but it will be interesting to see whether the predictions that did not materialize this year show up in 2013. With cell phones and automobiles becoming more computerized, Kawamoto notes, hackers have an even wider selection of devices to infect with viruses and other malicious threats. Her top 10 threats are listed below:

Top 10 Threat Predictions for 2012:

10. Increased industrial attacks. Many industrial systems are not prepared for cyber attacks, and attackers may engage in blackmail or extortion. 

9. 'Legalized' spam. Legitimate advertisers are purchasing email lists of consumers who have authorized receipt of online ads, a move that comes as global spam volume has dropped over the past two years.

8. Hacktivism. Online activists will join forces with physical demonstrators, targeting public figures, industry leaders, and other entities.

7. Cyberwar showoffs. Countries are expected to demonstrate their cyber-war capabilities to send a message that they are not vulnerable to cyber attacks against their infrastructures (such as utilities).

6. Rogue certificates. Production of fake digitally signed certificates, which are used as a means of assuring consumers and their security software that the website they are viewing is legitimate, will increase.

5. Blinking online traffic lights. Legislative issues are expected to stall efforts to develop Internet traffic "rules of the road," which could aid in reducing instances in which hackers steer users to an unintended server.

4. Advances in operating systems directing hackers elsewhere. New security features included in the operating system will force hackers to find alternative entry points in a consumer's computer.

3. Threats to virtual currency. Hackers will increasingly target the growing use of cyber currency, which is often not encrypted, as a means to steal money and spread malware.

2. Embedded hardware. Cars, medical devices, routers, digital cameras, and other items use embedded systems designed to control specific functions. Once these embedded systems are hacked, an attacker can have complete control over the hardware, such as asking a car's GPS system to tell the hacker where you live.

1. Mobile threats bypassing PCs. Attackers will improve their craft with an eye toward launching mobile banking attacks. For example, consumers may eventually see SpyEye and Zeus, two Trojan banking attacks, migrate from the computer to the smartphone.


Cited:
Kawamoto, D. (2012). The Top 10 Looming Computer Security Threats of 2012. Daily Finance. Retrieved from http://www.dailyfinance.com/2012/01/03/the-top-10-looming-computer-security-threats-of-2012/

Sunday, October 7, 2012

Reasons for Security Awareness!


This week we studied the reasons for having a good security awareness program within our organization.
According to a writer at Native Intelligence, Inc., awareness isn't just a good idea, it's the law.

Laws requiring security and privacy awareness or training programs apply to:

• The Federal Government (Federal Information Security Management Act)
• The health care industry (Health Insurance Portability and Accountability Act)
• Financial institutions (Gramm-Leach-Bliley Act and Sarbanes-Oxley Act)
• Publicly-traded companies (Sarbanes-Oxley Act)

The Federal Information Security Management Act (FISMA) requires government agencies to report on their security awareness and training efforts annually. (Unknown, 2010)

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, addresses the controls that Federal organizations are required to implement for unclassified information systems. One of those controls is "Security Awareness Training" (control AT-2). (Unknown, 2010)

National Institute of Standards and Technology (NIST) SP 800-53 also states that the awareness program must comply with 5 Code of Federal Regulations (C.F.R.) Part 930.301 and with NIST SP 800-50, Building an Information Technology Security Awareness and Training Program. (Unknown, 2010)

5 C.F.R. Part 930.301 states that everyone must receive initial awareness training before accessing systems and refresher training at least annually. It defines five specific roles that must receive awareness training:

1. All users — security basics
2. Executives — security basics and policy-level training in security planning and management
3. Program and functional managers — security basics and management and implementation-level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.
4. Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) — security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.
5. IT function management and operations personnel — security basics; management and implementation-level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.

As we all know from our research and reading, the biggest risk to an information system is easily the personnel working for the organization. The need to keep our people consistently trained in good security practices is an increasing trend, and for good reason: the easiest way for threat agents to exploit our systems is to find the gaps in our practices, and an untrained user who clicks a link, reuses a password, or holds a door open is exactly such a gap.

Cited:
Unknown. (2010). Information Security Awareness Courses, Posters, Daily Tips. Glenelg, MD: Native Intelligence, Inc. Retrieved from http://www.nativeintelligence.com/ni-programs/whyaware.asp