Friday, August 9, 2013

Blog Summary


A major newsworthy topic, and one central to my blog content, was the ongoing debate surrounding the National Security Agency and the security breach resulting from the leak of classified documents to a U.S. news agency by a contract employee, Edward Snowden. A retrospective analysis of my blog content and the sources used reveals a progression of topics dealing with various security issues, from outsourcing security personnel and its associated risks to a lack of adequate security processes creating vulnerability and ultimately a threat to the NSA. Numerous sources were used during the course of the blogging exercise, consisting of the course text, The Huffington Post, Bloomberg News, Daily Finance, ABC News, and Tech Target.

The initial posting served as an introduction to readers on the purpose of the blog, followed by the introduction of the NSA topic, where scrutiny of the NSA’s hiring practices and the privacy versus security debate were highlighted. Understanding threats became an important topic, and the need to mitigate risks through proper development of a SecSDLC was discussed as an important priority for the NSA. The drive to outsource IT functions and the pros and cons of this IT strategy in dealing with highly classified information were debated, with questions about the need for policies, training and education and whether these things could have prevented the security breach. A close monitoring of the NSA’s response to the security breach continued, followed by a suggestion to use the SSE-CMM mature security model as a framework to protect the agency from threats. It was learned that the NSA would employ the two-man rule as a measure to prevent highly classified information from walking out the door. The initial July posting focused on the documented evidence to support implementation and management of basic security measures as critical to decreasing security vulnerability. This information tied in with the NSA’s lack of attention to securing data from internal threats that created the security breach and their administrative oversight solution to prevent future breaches. Week 7 focused on the anti-leak control measures the NSA implemented, which included a physical security layer and encryption, among others previously highlighted as basic security measures necessary to build a solid control management program. U.S. citizens’ privacy and the need for laws to protect against overreach by organizations such as the NSA were discussed, as was the easy access to one’s personal data through legal means, with a question about the privacy and security of information in general.
The final security blog posting tied in with the course’s human resource recruiting topic by delving into the hiring practices of the NSA and IT personnel working for organizations such as Booz Allen Hamilton (BAH), a subcontractor to the NSA and former employer of Edward Snowden. There seemed to be a stark contrast in the vetting process at the two organizations, with the NSA taking up to a year to process a new hire, unlike the BAH employee who reported his hiring process took a total of a week.

In all honesty, when first learning that a weekly blog entry was a course requirement, I was less than enthusiastic, but found that thinking through a topic of importance related to my coursework was stimulating and thought-provoking. In retrospect, my blog entries became lengthier as the weeks progressed, showing a growth in IT security knowledge. This was a bit of an epiphany. A suggestion for future classes would be to incorporate comment requirements to blog entries by classmates, maybe in lieu of a discussion post response requirement. I believe following a topic of interest where a broad source of security measures can be addressed makes for good blogging!

 

Chronology of topics

·       Week 1—Blog introduction

·       Week 2—Contractor Vetting process and feedback on what the NSA should have done differently to maintain adequate security

·       Week 3—NSA SecSDLC was inadequate

·       Week 4—Outsourcing positions as a measure to prevent security breaches

·       Week 5—Need for use of the SSE-CMM mature security model as a framework

·       Week 6—Breakdown in utilization of basic security measures causes breaches

·       Week 7—Anti-leak control measures, a step in the right direction for a control management policy

·       Week 8—Heightened awareness of U.S. security agency practices in targeting citizens’ internet activity.

·       Week 9—Stringent NSA hiring practices versus Booz Hamilton Allen, subcontractor practices

Sunday, August 4, 2013

Stringent NSA job requirements

This week in my information security class the focus was on staffing the security function in the organization. In keeping with the NSA focus for this blog, I researched the NSA's postings and hiring requirements for their cyber security openings. It goes without saying that getting hired by the NSA can be a long, drawn-out process depending on what you are applying for and the security level required. It can take upwards of a year for some folks to get hired. Keeping that timeline in the forefront of my thoughts, I wondered whether the hiring process for Booz Allen Hamilton candidates required the same rigorous process as those for the NSA.

All applicants at the NSA must be able to obtain high-level security clearance with medical screening, polygraph and drug testing and an extensive background check. Every applicant is required to have a Top Secret/Special Intelligence clearance, and they tell you to anticipate the process taking longer than that in the private sector. "If you are identified as competitively qualified for a position, the average time for processing is generally three to six months, but depending on a variety of individual factors, the processing time may take up to approximately a year."

In clear contrast to the NSA's screening requirements are those of Booz Allen Hamilton, whose security screening practices enabled Edward Snowden to slide through their hiring process even though there were known education discrepancies reported by Snowden during the interview process. The NSA requires top security clearances of contracted employees; however, there is growing concern that the processes for screening these individuals lack the necessary security scrutiny. On a blog site, one BAH employee reported the hiring process took a week because there was an immediate need to fill the position.


Since information security job disciplines are in their infancy relative to other established professions, there is some uncertainty within organizations as to what qualifications constitute the right skill set necessary to ensure a security work force with the core competencies required to mitigate security risks and threats to the organization. With the growing need for security professionals, has a lack of qualified candidates forced organizations like BAH to settle, ultimately compromising our national security?

http://www.huffingtonpost.com/2013/06/20/booz-allen-hamilton-edward-snowden_n_3475518.html

Sunday, July 28, 2013

Matt Brownell recently wrote an article on information gleaned by a spy agency he'd hired to uncover personal information through legal means using publicly available information. Limited to a 2-hour window, Brownell was pretty astonished at what the spy agency was able to uncover. The recent revelations based on leaked classified documents from the National Security Agency (NSA) have brought a heightened awareness of U.S. security agency practices in targeting citizens' internet activity. However, what Brownell highlighted was that it's not only the government who can obtain this information; anyone accessing public sites can gather a great deal of information on you legally.

Might we, as U.S. citizens, need to reconsider our privacy policies? The EU has proposed a “Right To Be Forgotten” legislation that could be finalized sometime in 2014. Ninety percent of EU citizens support the data protection directive law across Europe. The EU currently restricts the flow of data from its countries to the U.S. under the protection directive due to its view that our privacy protections are not adequate. The recent NSA debacle only adds to the perception that the U.S. privacy protections are inadequate. ‘Old Europe’ countries in the EU that previously lived under dictatorships, where government intrusion was a reality, see the way U.S. business and government are working together to share data as problematic to maintaining citizens' privacy. Google, Microsoft, Yahoo, and Facebook are just some of the large U.S. technology organizations sharing data with the U.S. Government under the guise of the PRISM program. PRISM is the code name for the U.S. government’s data mining efforts. Multiple EU agencies have voiced concern for the right to privacy and data protection of EU citizens. The EU is demanding legislative change in the U.S. in order to foster multinational talks that could lead to agreed-upon standards. Discussions between the European Council and U.S. officials to address the U.S. data mining and internet surveillance practices have ensued following the NSA information leaks.



Thursday, July 18, 2013

Anti-leak control measures are being implemented at the NSA to mitigate risks like the ones that created the platform for Edward Snowden to walk off with 4 laptops and highly classified documents. These new measures include processes used in the nuclear industry to protect security assets. The 2-man system rule, which has been used in the nuclear industry for some time, is one of the security processes the NSA will implement. Ensuring that information is not concentrated on one server, as well as providing a physical security layer with locked rooms, are measures the NSA is currently applying. Seen as a basic security measure, encryption will also be deployed to protect the NSA's information assets. These risk-based policies are a step in the right direction toward a solid control management program.

Tuesday, July 9, 2013

The latest report from the California Attorney General's office discloses that the majority of security breaches in 2012 were due to a breakdown in utilization of basic security measures. What boggles the mind is how a lack of security process and management continues to be a persistent problem in all business sectors. Simple solutions such as encrypting sensitive personal information don't appear to take priority, leaving the organization and its clients vulnerable to security threats. The report disclosed that 55% of the breaches were due to deliberate intrusions by outsiders or unauthorized insiders. The NSA debacle surrounding the U.S. Intelligence leak of classified documents by William Snowden, a former contract employee, has highlighted the importance of securing access data from internal threats and breaches within the organization. The NSA's newly implemented 'two-man rule' provides administrative oversight as a means to protect sensitive data and has brought a heightened awareness of the need to address the internal threat. Implementing access controls and role-based monitoring to secure data against threats is a step in the right direction and something every organization should be addressing to ensure a secure data environment.

http://searchsecurity.techtarget.com/news/2240187604/California-data-breach-report-25M-residents-at-risk-of-identity-theft?asrc=EM_ERU_22439892&utm_medium=EM&utm_source=ERU&utm_campaign=20130709_ERU%20Transmission%20for%2007/09/2013%20(UserUniverse:%20607658)_myka-reports@techtarget.com&src=5144272

Sunday, July 7, 2013

The debate rages on regarding NSA's security measures, or lack thereof

As Edward Snowden continues to evade the US government, debate continues on what could be done differently to ensure sensitive classified information is maintained as top secret. It appears that if the NSA had used the SSE-CMM mature security model as a framework to protect the agency's assets from threats, adequate measures would have been implemented to ensure their data was secure. This does not seem to be the case. Following Snowden's whistleblowing incident, the agency is putting in place actions to track system administrators with a policy called the two-man rule. While hindsight is 20/20, it is evident the agency's security department did not take adequate measures to mitigate the risk of information freely walking out the door.