Thursday, November 14, 2013

Blog Blog

And now, the moment you’ve all been waiting for!  Yes, it is here… The blog about my blog.  What did I write about?  Where did I get my information from?  And, to whom would this whole thing be useful?  This is an interesting exercise, a fairly rare look back at something to see what was gained.

My intention at the beginning was to find a theme and stick with it throughout the semester, to gain a deeper knowledge about one or two topics.  This isn’t what ended up happening.  In reality, what I seemed to do was browse around, and the first time I found a topic that interested me, I wrote about it.  Topics were truly all over the board – simply whatever grabbed my interest.  Some had very little personal input, while some had a little more of my philosophy.  I think the best was when I found a story by someone else, and then looked to see if outside facts supported the claims – if I had to do it over again, I would do that more often.

My approach to finding material was simple.  If I didn’t get curious about something during the week – I simply started clicking on the recommended links from the first week until something grabbed my eye.  If I read it, and was interested, that became my topic for the week.  I guess the approach was close to leafing through a newspaper and commenting to others in the area about it.  My biggest sources ended up being Infosec Island and Security Week.

I really don’t know if a security professional would get much out of my blog – perhaps some weeks, but I think a lot of it would be simply “Well, duh” stuff to a professional.  I would really recommend starting with a theme (or 2-3 related themes), sticking to them, and doing more investigating of topics.  I have to admit that, at 20 points per week, I tended to give this lower priority than I should have.  Usually, I would complete my post late on Sunday, think “This was fun, I’ll get a head start on it next week!” and then all my good intentions would go for naught.  I’d really recommend students do this for themselves – really think of a way they can create something they can be proud of, and might even want to continue after the class is done.


Sunday, November 10, 2013

Us vs Them

Gant Redmon recently published an interesting piece on privacy issues (http://www.securityweek.com/simple-guide-privacy-outrage), a topic which seems to come up more frequently every day.  He indicates there are 4 main perceived privacy threats for most people - the US government, foreign powers, social media, and e-mail providers.  Individuals are likely to feel threatened by some or all of these sources, depending on their perception of them.  If one trusts that the US government is acting purely to protect the nation, for example, they probably aren't concerned about the NSA looking at their e-mails.  If they believe Facebook just wants to make sure they find out about products they want, then they are probably ok with targeted advertising.  This really comes down to Us vs Them - whoever we consider to be 'Us', we probably don't mind if they peek into our business a little - if it is Them, though, we are outraged.

Sunday, November 3, 2013

Old and in the way

Reading about the Athena botnet at http://blogs.mcafee.com/mcafee-labs/athena-botnet-shows-windows-xp-still-widely-used got me thinking - if I wanted to create a general attack, I'd go after the oldest operating system I could.  Why go after the brand new machines, with the latest protections?  Why not go after an old operating system, with no internal protection?  Many of these computers might have no protection at all!

Sunday, October 27, 2013

Even More Linked In

LinkedIn has a new app which will route all of your e-mails through their servers (http://www.infosecisland.com/blogview/23444-LinkedIns-Email-Proxy-Scheme-Described-as-Man-in-the-Middle-Attack.html).  In effect, this works as a man-in-the-middle attack.  While technically users are okaying this, it is likely most don't really realize what is happening.  I would expect this will cause many companies to block LinkedIn from company phones - which would probably cause many users to leave the service.

Sunday, October 20, 2013

Seven Habits of Cyber Security

How much of security is just habit?  Many things that seem like a big hassle are actually very minor if you simply make them a habit.  Reading http://www.securityweek.com/seven-habits-security-conscious got me thinking about just how easy it is for the typical person to keep reasonably safe.  None of these steps take much time - really, if they are all added up, it might only be a few hours per year.  In comparison with the actual costs in time and money of not following these steps... Virtually nothing!  It reminded me of how much of a hassle it seemed to be to put on a seat belt once laws started to be passed enforcing wearing them.  It seemed like a pain.... Now I can't actually even remember the last time I put one on!  Not because I don't wear one, but because it has become such a habit that it is subconscious.  This should be our goal with many security habits - make them subconscious!

Sunday, October 13, 2013

Security Shutdown?

Is it possible that the government shutdown has left us more open to cyber terror?  According to Security Week (http://www.securityweek.com/us-government-shutdown-creates-serious-cyber-risks-experts), this is the case.  While essential employees were to stay on duty, many governmental sites have shut down or been reduced in scope - and security personnel have been furloughed.  With the reduction in user traffic, is the reduction in security justified?  Are the claims that security personnel shouldn't have been furloughed simply self-interest?


Sunday, October 6, 2013

Opt-In??

Often when you go to order something online, just before you click on "Order" there are some boxes along the lines of "Please add me to your mailing list" and "Please send me information on more products I might like."  These boxes can be opt-in (not pre-checked) or opt-out (pre-checked).  One of my pet peeves is when I notice the opt-out box just after I click 'Send'.  What does this have to do with anything?  Read here - http://www.infosecisland.com/blogview/23414-Why-iOS7s-AirDrop-Is-Risky-for-Business.html - to learn about some of the risks of using AirDrop.  In a nutshell, what it comes down to is that one has to 'opt out' to keep files safe on mobile devices.  When we get a new phone, tablet, etc., how many of us actually spend much time considering how secure our information is?  Would it be smarter to have all of the neat 'convenience' options be opt-in, so that people aren't less secure than they think?

Sunday, September 22, 2013

Continuing Education

In a recent article (http://www.infosecisland.com/blogview/23388-Invest-in-Employees-vs-Pay-for-a-Data-Breach.html), Allan Pratt made the claim that most companies today do not provide training for their IT employees - assuming that if they gain this training, they will leave the company and take their new knowledge elsewhere.  This is very different from my personal experience, so I thought I would investigate a little.  Is it really rare for large companies to assist IT employees in continuing their education?  Wouldn't it be a huge disadvantage for any company to do this?

Pratt's claims seem a little exaggerated.  The first link I found details the educational assistance programs of 25 Fortune 500 companies (http://www.affordablecollegesonline.org/financial-aid/top-company-college-tuition-reimbursement-programs/).  Many of these programs are modest - say, 75% of tuition costs up to $5,000 per year, for example.  However - assuming most employees wouldn't be full-time students, this could cover a large amount of the costs.  Perhaps not surprisingly, Walmart is one of the lowest...

What I found interesting is almost every company seems willing to help at least somewhat with continuing education - but none seem willing to really embrace it fully.  How much SHOULD a company be willing to spend?  Does it make sense to scrimp a bit on educational assistance... And then pay a fortune due to a data breach?  What is the best way to educate employees - making them happy and loyal?

Sunday, September 15, 2013

Key Loggers and Democracy

Wanna buy an election cheap?

http://www.fbi.gov/news/stories/2013/august/election-hack-stealing-votes-the-cyber-way/election-hack-stealing-votes-the-cyber-way

This story is amazing on many levels.  Probably the most amazing thing is that someone would be willing to risk this much to rig an election to student council.  If he'd been just a little more clever, he could well have gotten away with it - and who knows, maybe in ten years he'd have been rigging an election to congress!

Save the Date!

Wednesday, September 18, will be the monthly meeting of Omaha's Cyber Security Forum.  This meeting will be from 11:00am-1:00pm at Johnny's Cafe.  The topic will be Data Risk Assessment - Approach and Methodology.  For more information, check out http://www.nebraskacert.org/CSF/

Sunday, September 8, 2013

The Best of the Best

Why not take a look at the winners of this year's Social Security Blogging awards?  For Best Corporate Security Blog, we have the Naked Security Blog - http://nakedsecurity.sophos.com from Sophos.  In the category of Best Security Podcast, the winner is the cleverly named PaulDotCom, hidden at http://www.pauldotcom.com - gotta love a site that has Drunken Security News!  The Most Educational Security Blog is Krebs on Security, http://krebsonsecurity.com, featuring Brian Krebs, who was a reporter for the Washington Post for 14 years.  This blog also won for the Blog that Best Represents the Security Industry.  The Most Entertaining Blog prize goes to psilva's prophecies at http://psilvas.wordpress.com.  And finally, the award for the single best Blog / Podcast of the year goes to Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees): http://www.forbes.com/fdc/welcome_mjx.shtml.  If you are interested in information security - this is a good place to start!

Friday, August 30, 2013

First Post....Testing....1 2 3.....

This is just a test post for what I'm hoping will be an interesting blog.  No idea what I'm doing here.... But I've thought of doing this for a while now, so my Information Security Management class is a good opportunity!  This will be updated at least weekly - no real idea yet which direction it will take, for now just getting set up and trying to get comfortable.  Here goes!