Tuesday, May 22, 2018

Insider threats to security

I find this article, titled “Are your biggest security threats on the inside?” by David Weldon, particularly interesting. The article deals with the so-called "infamous Ashley Madison website". The website, notorious for infidelity, was hacked in 2015. As stated in the article:

The now infamous Ashley Madison website has had a pretty successful run at helping its clientele be disloyal. So perhaps some would view it as poetic justice if the website became one of the most scandalous breaches in history at the hands of one of its own.

According to IT security analyst John McAfee, who noted recently, "yes, it is true," the website was not hacked by an outsider but rather by an insider. The article stated that there is a strong indication that the website data were stolen. Organizations have long held a strong belief that most threats to security are external, and empirical evidence has generally supported the view that most attacks originate from sources outside the firm's immediate environment. In most cases, external attacks are motivated by the desire to profit, either by selling the information on the black market or by blackmailing the firm.

The article focuses on a new trend of threats from disgruntled, unsatisfied or disengaged employees stealing sensitive data from their employers. Furthermore, the article gives another instance, in which four former Gillette Company employees were accused of disclosing confidential information and trade secrets to a direct competitor. The trend shows that more and more firms are subject to insider attack.


In many cases, when we talk insider threat, the person may no longer be with the company – so if you add that piece to the definition you can see why it becomes pretty big; much bigger than people probably think about.

More attention is now being paid to activities within the organization, from negligent employees to suspicious activities by employees. To mitigate security breaches by employees, the article notes that changes in employee behavior can be a good pointer for spotting a potential rogue employee.


References
Weldon, D. (2015). Are your biggest security threats on the inside? Retrieved from:

An organization's issue-specific security policy (Sample)


Issue-specific security policies are designed to focus on areas of current and important concern to an organization's operations. Such a policy may focus on a firm's contingency plan, risk, acceptable use and so forth. Below is a sample issue-specific security policy for an organization.




Title: Responsible use of First-trade’s Wireless LAN Technology
This document is intended for internal use only.

OMA Technology is an Internet service provider (ISP) with the mission of providing high-quality and affordable Internet service to its constituents.
Scope
The policy stated in this document is intended for the safe use of OMA Wireless Technologies. The policy addresses the safe use of the company's hardware, software, and protocols associated with WLANs. This document is intended for authorized users within OMA Technologies only and is not meant for external consumption. Authorized users are defined as anyone with granted access to OMA Technologies' infrastructure.

Policy
The use of devices including laptops, smartphones and flash drives within the First-trade facility is permitted only with prior approval from management. Internet access is restricted to job use only; any personal use is not permitted. First-trade retains the right to access any data transmitted within its network. Any private use of the OMA Internet service must be approved before such use. Use of non-standard devices, including hardware, software and protocols, is strictly forbidden by First-trade. Accessing unauthorized websites or emails, and downloading, copying or pirating software and electronic files that are copyrighted or otherwise not authorized, is strictly prohibited. In the event of inappropriate use of OMA wireless technologies, OMA reserves the right to take whatever steps are necessary for the particular situation, including, but not limited to, termination of employment and legal action.

Disclaimer

OMA assumes no liability for unauthorized acts that violate local, state or federal laws. In the event of such laws being violated, OMA holds the right to terminate its relationship with such employee or violator and will provide no legal assistance in such instances.
EMPLOYEE ACKNOWLEDGEMENT FORM
I have received, read and understand the Information Security Policy. I understand that it is my responsibility to comply with it.
Printed name: ___________________________________________
Signature:  _____________________________________________
Date: __________________________________________________
References
GFI Software (2016). Sample of internet usage policy. Retrieved from: http://www.gfi.com/pages/sample-internet-usage-policy

Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security (p. 183). Cengage Textbook. Kindle Edition.


Conducting a Security Self-Assessment


Executive Summary
Flash Courier Inc. has one of the largest computer networks in the world, with 32,000 facilities and over 500,000 employees engaged in various activities and roles. With so many employees conducting different activities in its facilities, and given the nature of its business and the constituent data it collects, it is imperative for Flash Courier Inc. to have a secure and reliable security system.

Introduction
As mentioned earlier, Flash Courier Inc. has one of the world's largest computer networks and is also one of the biggest employers in the United States. Furthermore, Flash Courier Inc. has one of the biggest customer databases in the United States, not to mention over 700,000 employees, both career and non-career. In the course of this security assessment, we will look at the measures taken by Flash Courier Inc. in securing its systems. We will look at areas such as:
Management Control
Operational Control and
Technical Control.
Further, at the end of this research, we should be able to tell how effective these security tools are in mitigating or curtailing threats to its infrastructure. The organizational chart of Flash Courier Inc. shows the Chief Information Officer reporting directly to the VP Chief Executive Officer, while the Chief Information Security Officer reports to the CIO. This shows a healthy hierarchical reporting structure in the firm's information department.
Management Control
As stated in their text, "management controls security processes that are designed by the strategic planners and executed by the security administration of the organization" (Whitman & Mattord, 2010). To comprehend Flash Courier Inc.'s strategic plan for its security, it is imperative to examine its mission statement. Flash Courier Inc.'s mission statement declares that it is strategically poised to:

Provide courier services to bind the nation together through the personal, educational, literary, and business correspondence of the people. It shall provide prompt, reliable, and efficient services to patrons in all areas and shall render courier services to all communities (Flash Courier Inc.).

An audit of Flash Courier's cybersecurity culture in 2015 shows the firm has not made adequate provision for a proper cybersecurity culture as a core part of its security procedures. "Cybersecurity culture is demonstrated when staff members consider the security of information while using it" (U.S.P.S., 2015). Furthermore, in its security audit, there were strong indications that Flash Courier fell well below average in its security awareness training.

The guiding security policy principles of Flash Courier Inc. are: (a) information is a critical asset that must be protected; (b) information is restricted to authorized personnel for authorized use; (c) information security is a cornerstone of maintaining public trust; (d) security is a business issue, not a technology issue; (e) information security is risk-based and cost-effective; (f) information security is aligned with Flash Courier priorities, industry-prudent practices, government requirements and federal laws; (g) information security is directed by policy but implemented by business owners; and (h) information is everybody's business. Flash Courier's information database is subject to the United States Privacy Act of 1974.
The Privacy Act requires all federal agencies, including the Postal Service, to adhere to a minimum set of standards for the collection and storage of personal data and restricts the disclosure of such Privacy Act information. Agencies are required to establish appropriate administrative, technical, and physical safeguards to protect Privacy Act data. These safeguards ensure the integrity and confidentiality of information resources containing Privacy Act data and protect against unauthorized disclosure of such data, which could result in substantial harm, embarrassment, unfairness, or inconvenience to an individual.


Operational Control
Under Operational Control, we will take a look at specific issues at Flash Courier Inc. such as the disaster recovery plan and the incident response plan, which are both embodied under contingency planning, and also personnel security.
Flash Courier Inc. Incident Response Plan: In the case of data being compromised, damaged or destroyed, Flash Courier Inc. requires that all information security incidents be reported to the Computer Incident Response Team (CIRT). The incident response process at Flash Courier includes security incident identification, prevention, reporting, and containment. Reporting incidents allows Flash Courier to review its security controls and procedures, establish appropriate corrective measures when necessary and, in some cases, reduce the likelihood of recurrence.
Disaster Recovery Plan, Personnel/Physical Security: As stated in their disaster recovery statement, the DRP must meet the following requirements: each application must have disaster recovery plan documentation stored in the Technical Solution Life-cycle IT library; the disaster recovery plan must be certified by the development organization and the executive sponsor; applications designated Critical-High and Critical-Moderate must be tested within 180 days of going into production; applications designated Critical-High must complete an actual test every 18 months; applications designated Critical-Moderate must complete either a tabletop walk-through or an actual test every 36 months; and lastly, all recovery plan documents must be protected as restricted information. Furthermore, the personnel security procedures put in place by Flash Courier Inc. include employees maintaining a security clearance appropriate to their level of authorization, fingerprinting, and background investigations to vet employees' credibility.



Technical Control
To protect Flash Courier Inc. from unauthorized access, disclosure and modification, its technical controls include supporting identity management such that Flash Courier can enforce identity and access control policies on authorized and public users. The access controls also include the capability for the firm to make its data selectively available to other users. Some of the access control measures put in place include 15-character alphanumeric passwords, the use of a secondary security system (PIN), and the use of tokens.
Furthermore, the use of peripheral devices such as Bluetooth requires written approval from either the Vice President or an assignee. Flash Courier approves the use of encryption software to encrypt sensitive and sensitive-enhanced information sent by e-mail, and gives the recipient the recovery keys and decryption instructions. A password change is required every six months. Flash Courier deploys access control and intrusion detection systems under its contingency plan and conducts an independent assessment to verify that they are in place.
Analysis of Results
Although Flash Courier has made adequate provision to counter and mitigate threats to its data infrastructure, there are strong indications of a weak information security culture within the organization. Among the issues found during this assessment are: fewer users completing security awareness training than the industry standard; as mentioned earlier, a weak cybersecurity culture on the part of the organization; inadequate risk information on the majority of the company's systems; and lastly, in the review of the organization's network, indications that weak and outdated operating systems and software are being maintained.
Recommendation
There are strong indications of perpetual neglect on the part of management in keeping up with recent technological advancement, especially in the area of information security. A company which engages in the collection of data on its constituencies should make appropriate provision to protect such data from both internal and external threats and breaches, and bridge the gaps thereof. To bridge these gaps, the management of Flash Courier first needs to update its systems and software to meet current trends, especially in this age of data breaches and espionage on the part of employees. Management should also emphasize regular security awareness programs and concurrent security policy updates to keep up with current security threats. Furthermore, emphasis should be placed on changing the organization's security culture from the top down. Lastly, management should perform regular security audits to stay informed of gaps within the security infrastructure and make the necessary changes to eradicate such gaps or mitigate the threat.




References
Miller, J. (2012). USPS fighting back against the insider threat. Retrieved from: http://federalnewsradio.com/in-depth/2012/07/usps-fighting-back-against-the-insider-threat/
USPS.com (2015). Information Security Requirements for All Personnel. Retrieved from: https://about.usps.com/handbooks/as805c.pdf
USPS.com (2001). Mission Statement. Retrieved from: https://about.usps.com/strategic-planning/cs01/c4a-2.htm
USPS.com (2016). About. Retrieved from: https://about.usps.com/handbooks/as805/as805c13_002.htm
USPS.com (2015). Information Resource Certification and Accreditation (C&A) Process. Retrieved from: https://about.usps.com/handbooks/as805a.pdf
USPS.com (2015). About; Size and Scope. Retrieved from: https://about.usps.com/who-we-are/postal-facts/size-scope.htm
USPSOIG.gov (2015). U.S. Postal Service Cybersecurity Functions. Audit Report. Retrieved from: https://www.uspsoig.gov/sites/default/files/document-library-files/2015/usps_cybersecurity_functions.pdf
USPSOIG.gov (2015). Address Management System Data. Retrieved from: https://www.uspsoig.gov/document/address-management-system-data
Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security (p. 85). Cengage Textbook. Kindle Edition.