Information Security
Friday, August 29, 2014
Fascinating research being conducted by Genome expert Svante Paabo that looks to DNA history to define population genetics. Follow the link to read the article
http://www.technologyreview.com/review/530031/the-history-inside-us/
Friday, August 9, 2013
Blog Summary
A major newsworthy topic and central to my blog content was the ongoing debate surrounding the National Security Agency and the security breach resulting from the leak of classified documents to a U.S. news agency by a contract employee, Edward Snowden. A retrospective analysis of my blog content and the sources used reveals a progression of topics dealing with various security issues, from outsourcing security personnel and its associated risks to the lack of adequate security processes that created vulnerability and ultimately a threat to the NSA. Numerous sources were used during the course of the blogging exercise, consisting of the course text, The Huffington Post, Bloomberg News, Daily Finance, ABC News, and TechTarget.
The initial posting served as an introduction to readers on the purpose of the blog, followed by the introduction of the NSA topic, where scrutiny of the NSA's hiring practices along with the privacy versus security debate was highlighted. Understanding threats became an important topic, and the need to mitigate risks through proper development of a SecSDLC was discussed as an important priority for the NSA. The drive to outsource IT functions and the pros and cons of this IT strategy in dealing with highly classified information were debated, with questions about the need for policies, training and education and whether these things could have prevented the security breach. Close monitoring of the NSA's response to the security breach continued, followed by a suggestion to use the SSE-CMM mature security model as a framework to protect the agency from threats. It was learned that the NSA would employ the two-man rule as a measure to prevent highly classified information from walking out the door.
The initial July posting focused on the documented evidence supporting implementation and management of basic security measures as critical to decreasing security vulnerability. This information tied in with the NSA's lack of attention to securing data from internal threats, which created the security breach, and their administrative oversight solution to prevent future breaches. Week 7 focused on the anti-leak control measures the NSA implemented, which included a physical security layer and encryption, among others previously highlighted as basic security measures necessary to build a solid control management program. U.S. citizens' privacy and the need for laws to protect against overreach by organizations such as the NSA were discussed, as was the easy access to one's personal data through legal means, with a question about the privacy and security of information in general. The final security blog posting tied in with the course human resource recruiting topic by delving into the hiring practices of the NSA and of IT personnel working for organizations such as Booz Allen Hamilton (BAH), a subcontractor to the NSA and former employer of Edward Snowden. There seemed to be a stark contrast in the vetting process at the two organizations, with the NSA taking up to a year to process a new hire, unlike the BAH employee who reported his hiring process took a total of a week.
In all honesty, when first learning that a weekly blog entry was a course requirement, I was less than enthusiastic, but I found that thinking through a topic of importance related to my coursework was stimulating and thought provoking. In retrospect, my blog entries became lengthier as the weeks progressed, showing growth in IT security knowledge. This was a bit of an epiphany. A suggestion for future classes would be to incorporate a requirement that classmates comment on blog entries, maybe in lieu of a discussion post response requirement. I believe following a topic of interest where a broad range of security measures can be addressed makes for good blogging!
Chronology of topics
· Week 1—Blog introduction
· Week 2—Contractor vetting process and feedback on what the NSA should have done differently to maintain adequate security
· Week 3—NSA SecSDLC was inadequate
· Week 4—Outsourcing positions as a measure to prevent security breaches
· Week 5—Need for use of the SSE-CMM mature security model as a framework
· Week 6—Breakdown in utilization of basic security measures causes breaches
· Week 7—Anti-leak control measures, a step in the right direction for a control management policy
· Week 8—Heightened awareness of U.S. security agency practices in targeting citizens' internet activity
· Week 9—Stringent NSA hiring practices versus Booz Allen Hamilton subcontractor practices
Sunday, August 4, 2013
Stringent NSA job requirements
This week in my information security class the focus was on staffing the security function in the organization. In keeping with the NSA focus for this blog, I researched the NSA's postings and hiring requirements for their cyber security openings. It goes without saying that getting hired by the NSA can be a long, drawn-out process depending on what you are applying for and the security level required. It can take upwards of a year for some folks to get hired. Keeping that timeline in the forefront of my thoughts, I wondered whether the hiring process for Booz Allen Hamilton candidates required the same rigorous process as that for the NSA.
All applicants at the NSA must be able to obtain a high-level security clearance, with medical screening, polygraph and drug testing and an extensive background check. Every applicant is required to have a Top Secret/Special Intelligence clearance, and they tell you to anticipate the process taking longer than it would in the private sector. "If you are identified as competitively qualified for a position, the average time for processing is generally three to six months, but depending on a variety of individual factors, the processing time may take up to approximately a year."
In clear contrast to the NSA's screening requirements are those of Booz Allen Hamilton, whose security screening practices enabled Edward Snowden to slide through their hiring process even though there were known education discrepancies reported by Snowden during the interview process. The NSA requires top security clearances of contracted employees; however, there is growing concern that the processes for screening these individuals lack the necessary security scrutiny. On a blog site, one BAH employee reported the hiring process took a week because there was an immediate need to fill the position.
Since information security job disciplines are in their infancy relative to other established professions, there is some uncertainty within organizations as to what qualifications constitute the right skill set necessary to ensure a security workforce with the core competencies required to mitigate security risks and threats to the organization. With the growing need for security professionals, has a lack of qualified candidates forced organizations like BAH to settle, ultimately compromising our national security?
http://www.huffingtonpost.com/2013/06/20/booz-allen-hamilton-edward-snowden_n_3475518.html
Sunday, July 28, 2013
Matt Brownell recently wrote an article on information gleaned by a spy agency he'd hired to uncover personal information through legal means using publicly available information. Limited to a two-hour window, Brownell was pretty astonished at what the spy agency was able to uncover. The recent revelations based on leaked classified documents from the National Security Agency (NSA) have brought a heightened awareness of U.S. security agency practices in targeting citizens' internet activity. However, what Brownell highlighted was that it's not only the government who can obtain this information; anyone accessing public sites can gather a great deal of information on you legally.
Might we as U.S. citizens need to reconsider our privacy policies? The EU has proposed a "Right To Be Forgotten" legislation that could be finalized sometime in 2014. Ninety percent of EU citizens support the data protection directive law across Europe. The EU currently restricts the flow of data from its countries to the U.S. under the protection directive due to its view that our privacy protections are not adequate. The recent NSA debacle only adds to the perception that U.S. privacy protections are inadequate. The previous dictatorships of 'Old Europe' countries that are part of the EU, where government intrusion was a reality, see how U.S. business and government are working together to share data as problematic to maintaining citizens' privacy. Google, Microsoft, Yahoo, and Facebook are just some of the large U.S. technology organizations sharing data with the U.S. Government under the guise of the PRISM program. PRISM is the code name for the U.S. government's data mining efforts. Multiple EU agencies have voiced concern for the right to privacy and data protection of EU citizens. The EU is demanding legislative change in the U.S. in order to foster multinational talks that could lead to agreed-upon standards. Discussions between the European Council and U.S. officials have ensued since the NSA information leaks to address the U.S. data mining and internet surveillance practices.
Thursday, July 18, 2013
Anti-leak control measures are being implemented at the NSA to mitigate risks like the ones that created the platform for Edward Snowden to walk off with four laptops and highly classified documents. These new measures include processes used in the nuclear industry to protect security assets. The two-man rule, which has been used in the nuclear industry for some time, is one of the security processes the NSA will implement. Ensuring that information is not concentrated on one server, as well as providing a physical security layer with locked rooms, are measures the NSA is currently applying. Seen as a basic security measure, encryption will also be deployed to protect the NSA's information assets. These risk-based policies are a step in the right direction toward a solid control management program.
Tuesday, July 9, 2013
The latest report from the California Attorney General's office discloses that the majority of security breaches in 2012 were due to a breakdown in the utilization of basic security measures. What boggles the mind is how lack of security process and management continues to be a persistent problem in all business sectors. Simple solutions such as encrypting sensitive personal information don't appear to take priority, leaving the organization and its clients vulnerable to security threats. The report disclosed that 55% of the breaches were due to deliberate intrusions by outsiders or unauthorized insiders. The NSA debacle surrounding the U.S. intelligence leak of classified documents by William Snowden, a former contract employee, has highlighted the importance of securing access to data from internal threats and breaches within the organization. The NSA's newly implemented 'two-man rule' provides administrative oversight as a means to protect sensitive data and has brought a heightened awareness of the need to address the internal threat. Implementing access controls and role-based monitoring to secure data against threats is a step in the right direction and something every organization should be addressing to ensure a secure data environment.
http://searchsecurity.techtarget.com/news/2240187604/California-data-breach-report-25M-residents-at-risk-of-identity-theft?asrc=EM_ERU_22439892&utm_medium=EM&utm_source=ERU&utm_campaign=20130709_ERU%20Transmission%20for%2007/09/2013%20(UserUniverse:%20607658)_myka-reports@techtarget.com&src=5144272
Sunday, July 7, 2013
The debate rages on regarding the NSA's security measures, or lack thereof
As Edward Snowden continues to evade the US government, debate continues on what could be done differently to ensure sensitive classified information is maintained as top secret. It appears that if the NSA had used the SSE-CMM mature security model as a framework to protect the agency's assets from threats, adequate measures would have been implemented to ensure their data was secure. This does not seem to be the case. Following Snowden's whistleblowing incident, the agency is putting in place actions to track system administrators with a policy called the two-man rule. While hindsight is 20/20, it is evident the agency's security department did not take adequate measures to mitigate the risk of information freely walking out the door.