Thursday, November 13, 2014
In Summary
The last twelve weeks have led me to research a variety of Information Security related topics, primarily surrounding data security and breaches. Learning from the exposures found at Healthcare.gov, Target, Home Depot and Dairy Queen, we can begin training our companies and ourselves how to handle these constantly changing risks, which will keep us employed for many years to come. We have new technology and methodologies to help us, but we must take it upon ourselves to be always vigilant in maintaining the data that we possess and how we handle it. I found my topics from a variety of sources, starting each week with a Google search of news items related to Information Security. I think this type of blog is useful for a professional in that it necessitates staying current with security topics, always trying to stay one step ahead of the bad guy.
Saturday, November 8, 2014
Target Completes Overhaul of New Security Staff
Target announced this week that they have hired a new chief risk and compliance manager, Jacqueline Hourigan Rice, who will report directly to the company's CEO. Her position will work directly with the new CISO who was hired in June, Brad Maiorino, who in turn reports to the new CIO who was hired in April, Bob DeRodes. This complete overhaul of information security and risk policy, as well as the elevation of the new and existing positions within the company, should help Target stay one step ahead of the next attack. The new focus also gives me a strong sense that I have made a wise decision and selected a field that is in high demand for my post-graduate degree.
Sunday, October 26, 2014
Russia and China to Agree on Information Security Measures
It was announced this week that officials from Russia and China are seeking to establish an agreement on information security, specifically to stop any potential escalation from cyber attacks. At first glance I am skeptical of any agreement between Russia and China, mainly because of... history. However, it appears on the surface that they are taking these steps in order to simply "cooperate" (whatever that means).
Sunday, October 19, 2014
Federal Government to Use Chip and PIN Technology
I was in South Africa earlier this year for business. The first night out at dinner our group split the check evenly, and the two of us from the US found it very strange when the waitress approached the table with a portable credit card terminal. It turned out that most countries in Africa use advanced chip and PIN technology in order to prevent credit card fraud. Our dinner mates found it very strange that we would just hand our cards off to a complete stranger to take across the restaurant to pay the bill... I had to agree this was not the best method. Last week I ordered my first chip and PIN card from my credit card company, which happened to arrive on the same day that President Obama ordered all federal agencies to begin using chip and PIN terminals for transactions. It seems a bit late, but at least we are taking steps to secure ourselves against fraud.
Saturday, October 11, 2014
Standards of Due Diligence
In chapter 7 of our text, standards of due diligence are discussed: certain organizations are legally required to maintain a certain level of security (Whitman & Mattord, 2014). A quick Google search led me to this article on hedge fund businesses and how they must always stay ahead of the technological curve. They can no longer simply state that their due diligence has been done; they must often prove how it has been tested. Thinking about the world's financial markets, and the hundreds of billions of dollars in hedge funds, it makes sense to me that standards for security will be developed here. People with that kind of money are always targets, and it is easy to understand why their systems must be completely secure.
Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security. Stamford: Cengage.
Saturday, October 4, 2014
Security Awareness Training Is Top Priority
According to a study published this week by PwC, security related incidents continue to rise, creating staggering losses for large companies. The main cause of the incidents remains employees, which, by no surprise, may explain why employee security awareness training programs are the top priority among the firms surveyed. Education and prevention are by far more favorable than spending on recovery efforts. For some reason this makes me think of Smokey the Bear and his motto, "Only You Can Prevent Forest Fires". InfoSec needs a spokesbear, too.
Saturday, September 27, 2014
Dairy Queen Breached?
Forbes reported this week on "The Top 5 Information Security Breaches No One is Talking About". It was interesting to me to hear about the different, very large, companies and organizations that had been breached but that the major news organizations did not report widely on. This makes me wonder: where is the corporate responsibility with regard to reporting breaches, or ensuring that consumers are aware that they may be impacted? I know that I have gone to Dairy Queen several times this summer and I never received any type of notice that I might be impacted. When Target was breached, I hadn't shopped there in months and I received a new debit card anyway. Are there laws that dictate when consumers must be informed of breaches? I will look into this more....
Saturday, September 20, 2014
Healthcare.gov Security Risks
An independent panel reported that there are more than 20 security flaws on the government-run website healthcare.gov. This panel advised that the government took huge risks by going live when it did without the site being fully tested, as well as by failing to provide consistent maintenance on the site (i.e. patches). This is particularly concerning to me as this site has full records of millions of Americans' personal data, income and Social Security number included. Without getting into the politics that surround this initiative, I think it certainly is in the government's best interest to ensure all patching is up to date and the data they collect is as secure as it reasonably can be; it does not appear that they have done a very good job so far. Should this be a surprise considering the amount of data that Snowden was able to walk out with? Perhaps not.
Saturday, September 13, 2014
Home Depot Breached
Home Depot reported this week that their systems had been breached, potentially by the same malware which impacted Target last year. The period of time spanned from April of this year until last week, and there may be over 60 million customers impacted. My question to Home Depot (as well as to other retailers) is: why was this malware not found sooner? Is it not a known vulnerability that you should have protected your systems against? It is beyond my comprehension to think that the same attack could be used again after Target's staggering losses were reported. In my opinion, any CISO or equivalent entity would have taken steps to plug that gap. I should withhold further judgement until all details are known and confirmed, but I will take this as a point that we should learn from others' mistakes, as well as always keep patches up to date.
*Edit
It has since been reported that different malware was used in the Home Depot attack: http://www.csoonline.com/article/2606380/data-protection/researcher-disputes-report-blackpos-used-in-home-depot-target-attacks.html
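On the question of why point-of-sale malware goes unnoticed for months: the CSO article linked above concerns BlackPOS, a RAM scraper that harvests card track data out of point-of-sale process memory. One detection approach that does not depend on recognizing a particular malware family is to look for the data the malware is after, scanning memory dumps or captured outbound traffic for magnetic-stripe track 2 records and for long digit runs that pass the Luhn check. The script below is an added example, not code from the original post or from any of the companies named in it. The sample buffer is constructed: it uses the industry test card numbers 4111111111111111 and 5555555555554444 alongside digit-heavy noise (a timestamp, a reference number) that a naive "find 13 to 19 digits" rule would flag.

```python
"""Scan a byte buffer (a process-memory dump or captured POS traffic) for
magnetic-stripe track 2 records and Luhn-valid card numbers (PANs).

Added example, not from the original blog post. SAMPLE_BUFFER is
constructed and contains only well-known test card numbers.
"""
import re

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Bare PAN candidate: 13 to 19 digits not touching other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits (PCI DSS display mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return findings for track 2 records and for bare Luhn-valid PANs.

    Bare digit runs are reported only when they pass Luhn, which drops
    timestamps, counters and reference numbers that merely look like PANs.
    """
    findings = []
    seen = set()
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({"kind": "track2", "pan": mask_pan(pan),
                             "expiry": m.group(2).decode(), "offset": m.start()})
            seen.add(pan)
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan in seen or not luhn_valid(pan):
            continue
        findings.append({"kind": "pan", "pan": mask_pan(pan), "offset": m.start()})
    return findings


# Constructed sample: one track 2 record, one bare test PAN, and digit runs
# that are not card numbers (a timestamp and a 13-digit reference).
SAMPLE_BUFFER = (
    b"\x00\x00pos-svc.exe\x00;4111111111111111=2512101123?\x00"
    b"txn=20140913120000 cust=5555555555554444 ref=1234567890123\x00"
)

if __name__ == "__main__":
    for finding in scan_buffer(SAMPLE_BUFFER):
        print(finding)
```

Run against the constructed buffer it reports exactly two findings, the track 2 record and the bare Mastercard test number, and ignores the timestamp and the reference number even though both are in the 13 to 19 digit range. The same two-stage filter (pattern, then checksum) is what keeps this kind of check usable on a real memory image, where long digit runs are everywhere.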
Saturday, September 6, 2014
Linux Vulnerabilities
An article caught my eye this week, titled "Linux systems infiltrated and controlled in a DDoS botnet". The reason this caught my attention is that I usually think of Linux as being a safe OS. I don't know where I got this impression, but this article reminded me why it is important to stay up to date with security patches on all operating systems. Wherever there is a potential vulnerability, it is in our best interest to keep our organization's front lines of defense up to date. Leaving unpatched or out-of-date servers on the network is risky business; if a server is meant to be retired, unplug it! No sense in being a tool for someone else's malicious attack.
Tuesday, August 26, 2014
Introduction CIS608
My name is Kevin Story, and I am a software release manager in Omaha, NE. My duties typically consist of reading software designs and assessing them for potential client impact when the code is introduced into our clients' production environments. Once I identify any potential risk, I then take steps to help mitigate that risk. My goal is always to have zero impact on day one of implementation. Our clients should never notice when we introduce new code, unless it is something that they specifically requested.
Recently I have been tasked with coordinating patching for all of our servers across all of the operating systems that we use (Windows, AIX, Solaris, and Linux). This duty has brought me up close and personal with the risks that our systems face on a day-to-day basis, as well as why it is important to protect them and update them on a regular basis. Throughout this course I hope to gain some additional insight into industry best practices surrounding patch releases and implementing them in production systems.