• #Cybersecurity #Culture - #NCSAM

    Towards the end of his life, Benjamin Franklin penned a letter to a friend in which he coined one of his most popular phrases: “Nothing can be said to be certain, except death and taxes.” If he were living in our times, Franklin would almost certainly add cybersecurity threats to the list. The news media has become a constant stream of reports on new breaches, which has in turn led to a heightened awareness of the topic well beyond IT security departments.

    This article is meant to serve as an introduction to the cultural mechanisms at work in the information security community. A number of elements assist in the development and spread of knowledge amongst the people that comprise it.

    INDUSTRY COMPLIANCE

    There are compliance standards dedicated to many sectors of business, each aimed at keeping a particular kind of information safe. A company that handles payment card data must adhere to the Payment Card Industry Data Security Standard (PCI DSS); a publicly traded company must meet the financial-reporting controls of the Sarbanes-Oxley Act (SOX), and a financial institution those of the Gramm-Leach-Bliley Act (GLBA); one that deals with medical records must protect patient confidentiality under the Health Insurance Portability and Accountability Act (HIPAA); and one tasked with keeping the lights on must protect the integrity of the power infrastructure in accordance with the North American Electric Reliability Corporation Critical Infrastructure Protection standards (NERC CIP). Even the United States federal government has its own set of requirements, the Federal Information Security Management Act (FISMA), which agencies and the contractors that work with them must follow.

    CONCERNS

    While compliance standards differ from one industry to another, many of the basic concerns are the same. Protecting sensitive information and keeping systems secure are the critical functions of those responsible for cybersecurity within an organization.

    Those who hold these positions should look to establish a formal security policy tailored to the organization’s needs. This work can’t simply be outsourced: the policy is unique to the company, its objectives and the industry it operates in.

    Due in part to the publicity surrounding the Heartbleed bug identified earlier this year, “Executives are now drilling down into information security staffs to inquire what is being done to maintain security,” remarked Robert Johnson, president and CEO of Cimcor. His company develops the file integrity monitoring software CimTrak and therefore deals regularly with many of the issues raised by the compliance standards mentioned above.

    Those outside the IT department need to understand what is at stake as well, so employee training at any organization should be based on how the organization expects its enterprise technology to be used. “[We] need to welcome people to report that something is not correct in a system,” Johnson noted.

    EVENTS

    Conferences provide a great opportunity for those in the industry to meet and to learn about the methods and technology that form the backbone of an enterprise’s networks and systems. For those looking to establish themselves as an authority, conferences are channels to position themselves as thought leaders: these events book professionals to speak, lead seminars and roundtables, or sit on expert panels. Another advantage is that vendors can connect with teams that are actively deployed in the field.

    Data Connectors is an organization that hosts events throughout the United States and Canada. Their series provides a platform for product- and service-oriented information security businesses to connect with regional IT professionals in an educational setting. For attendees, time spent in the conference room listening to speaker presentations is worth Continuing Professional Education (CPE) credit.

    BEST PRACTICES

    As noted previously, each industry is different operationally on the ground. However, some common themes exist across many of them, and it is vital that IT teams stay aware of the best practices for protecting a company’s IT infrastructure.

    “One of the biggest problems right now in companies is their networks being bogged down by employees that are online doing other things besides work,” said Dawn Morrissey, Co-Founder and Managing Partner of Data Connectors. Risky online behavior can lead IT departments “to worry about spamming and phishing,” she added. Many organizations are looking for good methods to monitor what employees are doing and lock down networks to conserve bandwidth.

    One place to begin is securing networked workstations so that social media sites are locked down. Another issue is employees wanting to use their own tablets and smartphones on the company network, so writing a Bring Your Own Device (BYOD) policy would be valuable too. As users gravitate towards cloud services, it will also become important to put security measures in place against the threats that emerge from their use.

    #CYBERSECURITY TRENDS

    There certainly is a lot of development in this sector, and it can seem daunting to know where to start in learning the landscape of terminology and applications. Begin by checking Facebook and Twitter for hashtagged terms such as #cybersecurity or #infosec. Through those platforms you will find a wealth of timely information from the many companies and organizations committed to spreading the message of this quickly evolving, rapidly growing industry.

     

    COMMUNITY ORGANIZATIONS

    Want to connect with other professionals? Look for a chapter in your region.

    ISACA: Founded in 1967, the organization is focused on IT governance. It serves more than 100,000 members in over 180 countries around the globe with certifications that are aimed at creating a community of well-informed professionals.

    ISSA: The Information Systems Security Association is a not-for-profit organization for IT professionals to network and learn about best practices in the field. There are regular meetings for members to increase their knowledge base. The organization’s 10,000+ members come from more than 100 countries.

    CONTINUING PROFESSIONAL EDUCATION

    To stay certified and well informed, many information security professionals must acquire continuing professional education (CPE) credits. 

    (ISC)2: The International Information Systems Security Certification Consortium is a non-profit organization founded in 1988. It awards seven different certifications, each of which requires continuing professional education (CPE) to remain in good standing.

    CISSP: More than 90,000 people hold the Certified Information Systems Security Professional certification, which was launched in 1994 and is accredited; it is also approved by the Department of Defense (DoD). The exam covers ten domains: access control; telecommunications and network security; information security governance and risk management; software development security; cryptography; security architecture and design; operations security; business continuity and disaster recovery planning; legal, regulations, investigations and compliance; and physical (environmental) security.

  • Cameron Banga | Cyberpunk Hacking & Security


    Keeping up with information technology can often be a tough and daunting task. In today's world of constant and increasingly sophisticated online attacks it's essential for not only IT professionals but essentially all users of technology to have some basic understanding of internet data security.

    This reality grows harsher as our dependence on mobile phones, tablets and cloud services grows. In the past, with limited internet access and rare access to mobile devices, there were very few ways for attackers to gain privileged access to a person's private information. Today, in an ever-connected world of smartphones and wearable technology, both the risk and the amount of exposed data have multiplied. Nearly every person with a smart device of any sort lives in a world where personal banking information, private communications and detailed medical history are all available either on a physical device or on a remote cloud server. And regardless of where this data sits, it's often open to attack from criminals across the planet.

    With these cold facts in mind, it's as important as ever for users to learn how best to protect themselves on the internet. We live in a world that is becoming more connected every day, so much so that many people are now connecting their lightbulbs, garage doors, baby monitors and even refrigerators to the Internet of Things (IoT). Not only will a potential robber know when you post pictures of your beach vacation on Facebook, it will become possible for them to know when the food in your house expires, all through elaborate internet attacks, making it increasingly easy for them to avoid food poisoning when grabbing a quick snack while stopping to take your valuables.

    As much as this sort of all-out personal cyber warfare seems like implausible science fiction, it's important to understand, as an individual user, the gravity of a future where every private detail of our seemingly mundane lives is logged and tracked through smart devices. There is a lot of potential risk involved, which makes it increasingly important to become educated and stay current on internet privacy and security issues.

    As such, it was an honor and an extremely enjoyable opportunity to talk about computer security, hacking and our connected future at a Duneland Innovators Meetup. The most crucial key to personal information security is education. Technology moves extremely fast, and it's essential to remain current with potential risks and concerns. Thus, giving a talk to like-minded individuals locally was a great way to hopefully encourage others to take such considerations seriously. It's my hope that with continued discussions in the future, and increased interest and communication amongst technology enthusiasts locally, we can use such dialog to create a strong body of technology-literate, security-conscious computer users here in Northwest Indiana, and that over time such a group helps to keep fellow region citizens educated and safe.

     

    Cameron Banga speaks on Cyberpunk #Hacking & #Security in this #video #tech #nwIndiana #infosec

    Posted by Duneland Innovators on Thursday, January 7, 2016
  • Kim Hakim | Data Connectors Conferences

    On March 20th, Data Connectors brought their tech security conference to the Hyatt Regency at McCormick Place in Chicago, Illinois. The organization is a women-owned and operated company based in St. Louis, Missouri that hosts events all over the United States and Canada.

    Though they do not host an event in northwest Indiana, their dates in Chicago and Indianapolis regularly attract attendees from the region. There are typically between 40 and 60 vendor booths from some of the largest tech security firms in the industry on display. Additionally, speakers from the host city are invited to give keynote presentations in front of their peers on topics such as cloud services, email security, VoIP, LAN security, wireless security and many other critical topics.

    Co-Founder Kim Hakim sat down and gave Duneland Innovators some time to discuss Data Connectors’ origins and where they might go next. “We started about 15 years ago. The business really took off after 9/11. We deal with all the major industry leaders in security, anyone you’d see on the shelves in Best Buy.” Hakim continued, “Before this company I was in data sales; I was networking with someone that was doing this. We started with McAfee, they wanted us to do a series of events with them.” Things really took off after that, she added: “We do this conference in 52 cities all over the United States and Canada, 1 or 2 shows a week.”

    When asked about further goals for the future, Kim said, “We’ve pretty much tapped everything in North America. I just had a few gentlemen walk up a few minutes ago and ask if we’d be interested in going to Saudi Arabia or Dubai. We’d probably continue to grow overseas."

    As mentioned in an earlier piece that focused on the CES event in Las Vegas, conferences that bring together industry professionals would be a valuable addition to the northwest Indiana region. These events would help put our region on the map and make it a larger factor in discussions taking place around the country. If you are interested in attending the next Data Connectors event near our area, it will be August 21st in Indianapolis.

     

    Dawn Morrissey @MorrisseyDawn Managing Partner of Data Connectors @DataConnectors talks about how they got started http://bit.ly/1sTooPo

    Posted by Duneland Innovators on Sunday, May 17, 2015
  • Pursuing an IT Degree

    Going to college for Information Technology has been a daunting and lengthy task for me. However, the experience has prepared me to enter a field that is expanding rapidly. The classes at George Mason University cover a wide range of subject matter, such as IT in the Global Economy, a course that examined the influence of globalization on information technology trends. Another class that followed this example is Computer Crime & Forensics, which took an in-depth look at both the human aspects and the engineering of these two subtopics. This particular class focused on decryption and analyzing problems rather than basic memorization. This adds a lot to the atmosphere of the classes and makes the knowledge applicable to working in the field. That is one of the most enjoyable aspects: the engaging, thought-provoking conversations.

    On the other side of the coin are the non-core classes, those not directly related to security but required for a four-year degree. The grading methods can be unforgiving in those classes. The trend seems to be that classes of this nature are packed with memorization and set up to weed out students. In some cases, 1% of the final grade is equal to a single question on an exam. My experience with this type of environment has been hit or miss and depends heavily on the subject matter in question.

    However, studying other subjects has its benefits as well. Classes such as accounting and statistics allow students to better analyze and digest raw data from other sectors of the professional world. This gives students a broader understanding of how decisions are made within a business and an industry. Overall, I feel that as you go deeper into the curriculum, classes become a more stimulating experience and provide a better overall understanding of information security.

  • Security & Privacy in the Mobile Age


    Setting the Scene

    It was a cool, brisk Autumn evening. My contact had agreed to meet and discuss the subject of this article in a well-lit, public space. After purchasing some smoothies, we sat down outside to conduct the interview.

    Cameron Banga is an app developer who works on both the iOS and Android platforms. Though he champions Apple's product line, Banga feels that both market-dominating mobile platforms are on equal ground when it comes to the data security of their customers.

    With that said, the responsibility for data security and privacy starts with us as users. “Given the power with these mobile phones today we have an exponential conflict that’s occurring when it comes to keeping yourself private and secure versus the messaging abilities we have,” Banga noted before continuing, “the problem is we have a computer in our pocket that goes with us 24/7 and is always connected and knows everything we’re doing.”

    One of the most important components in the relationship between tech companies and their customers or users is transparency. To maintain trust, companies must be open not only about what data they record but also about how they put it to use. In the wake of the revelations by former NSA contractor Edward Snowden last year, the typical mobile device user is now more aware of the government's access to their devices as well.

    “Users need to know, if you put something on a server that you don’t have control of and you didn’t encrypt yourself, if that ever ends up in the public access or domain, don’t be surprised,” Cameron remarked.

    Encryption

    HTTPS – Hypertext Transfer Protocol Secure is ordinary HTTP carried over SSL/TLS. The TLS layer encrypts the traffic between your browser and the server and, through the server's certificate, lets the browser check that it is talking to the site it asked for rather than to someone in the middle. Look to see if the sites you use, especially for logins and payments, are served over HTTPS; note that the padlock only says the connection is protected, not that the site itself is trustworthy.
    PGP – If securing data is a behavior you want to make second nature, then find an easy solution. Pretty Good Privacy (PGP), now standardized as OpenPGP, has been around for 20+ years and lets users encrypt and sign their own files and email before storing or transmitting them, so the data stays protected even if the server holding it does not.
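    The HTTPS point above has a client-side counterpart that is easy to get wrong: TLS only protects you if the client actually verifies who it is talking to. The following Python example is added here and is not code from the original article or from anyone interviewed in it. It uses only the standard library `ssl` module and shows a properly verifying client context beside the "turn off the certificate warning" variant that many scripts ship with, plus a small `audit_context` check (this example's own helper) that reports what each one is missing. The `fetch_status_line` helper needs network access and is not exercised by the offline demo.

```python
import socket
import ssl
from typing import List


def secure_client_context() -> ssl.SSLContext:
    """Context a client should use for HTTPS.

    create_default_context() loads the system trust store, requires a valid
    certificate chain and checks the hostname against the certificate; we
    additionally refuse anything older than TLS 1.2.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The common 'make the error go away' mistake.

    Traffic is still encrypted, but ANY certificate is accepted, so an
    attacker in the middle can present their own key and read everything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings for a client context; empty means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still allowed")
    return findings


def fetch_status_line(host: str, ctx: ssl.SSLContext, port: int = 443,
                      timeout: float = 5.0) -> str:
    """Open a TLS connection with the given context, send a minimal HTTP/1.1
    HEAD request and return the status line. With secure_client_context() a
    bad or mismatched certificate raises ssl.SSLCertVerificationError instead
    of silently succeeding. Requires network access."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request.encode("ascii"))
            first_line = tls.recv(4096).split(b"\r\n", 1)[0]
            return first_line.decode("latin-1")


if __name__ == "__main__":
    for label, ctx in (("default client", secure_client_context()),
                       ("verification disabled", insecure_client_context())):
        print(f"{label}: {audit_context(ctx) or 'OK'}")
```

    Run the file as-is to see the audit of both contexts offline; to check a real site, call `fetch_status_line("example.com", secure_client_context())` and compare with the insecure context against a host whose certificate does not match.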

    It is important to note that accountability extends beyond the consumer base of gadgets as well. Companies have a responsibility to secure their own databases and to make sure that the third-party contractors and B2B partners they work with know how to keep shared interfaces such as APIs secure. With all of the data security incidents that have occurred over the last year, extending back to the Target breach in late 2013, there is a sense that at the consumer level awareness of cyber insecurity is reaching a boiling point.

    “What is the scale of data breach that you think is going to make it hit that tipping point? If it’s not Target, if it’s not Home Depot…”, I asked him. “I think it’s a personal data breach. I really think what it’s going to be is a Snapchat having a whole database of photos leak. It would be huge”, Cameron replied. Soon after this declaration, we headed off in separate directions to attend to other commitments for the evening.

    Then it happened…

    Just a few days later it was announced online that a cache of Snapchat photos, backed up via the third-party service Snapsave, had been compromised. The party responsible revealed the hack, bringing the debate over “ephemeral” media to the forefront. Within days thousands of “private” images flooded the Web.

    Are We Ready to Turn the Corner?

    It is going to take a lot of continued effort to create a better understanding of the best practices necessary for protecting personal private data. The emergence of smartphones and mobile culture has generated an environment of lax personal identity security that is ripe for those with the skills to exploit it.

    Mobile Messaging

    FireChat - An app that lets nearby device users communicate with one another over Bluetooth or Wi-Fi, forming a mesh that does not need a cellular network. Users can therefore still communicate if cellular networks are down for whatever reason.

    Protesters in Hong Kong used this messaging tool to stay off the overburdened grid and stay in touch with each other. The more concentrated the users, the stronger the network.

    Cyber Dust - An app that seeks to give text message users more privacy. It works similarly to a regular texting or messaging app for sending text, but messages are not kept by the sender and are deleted automatically soon after they are read by the receiver. According to its makers, the information is not stored on any local drive or server, and no previous conversation gets saved. Championed by Mark Cuban.

    Screenshots are still possible, which has always been a contentious issue with Snapchat as well. As in the old mobster movies: if you want something to stay within the circle of the people involved (and perhaps the few people they whisper secrets to), do it in person.

    However, there are measures that can be taken to improve our security posture at the personal level. Dawn Morrissey, Managing Partner of Data Connectors (a technology security event series), provided a few tips she has picked up managing events on their circuit.

    “When you’re installing apps make sure they are coming from recognizable companies because there are a lot of apps that can infect your phone. Be aware of what permission you’re granting. For example if it is asking for GPS information or access to all your photos,” Morrissey noted. “[Smartphones] should be treated like a wallet and be password protected.”

    Robert Johnson, President and CEO of Cimcor and producer of CimTrak (an IT security software suite), added the following thoughts: “Mobile devices contain your most personal data but in essence they are computers. They are extremely complex operating systems. Those operating systems, just like all others, need to be patched. They need to be at the latest version at all times. That’s a critical part of a person’s strategy for their personal mobile devices.”

    The truth is that no matter whether it is a banking app, social media network or simply a messaging channel, we need to make sure that we take the steps that are necessary to keep ourselves and data safe. As it has always been, information in the wrong hands can be used against us.

    Furthermore, it is not just on individuals to improve. Companies and organizations must commit to transparency and disclosure regarding how they store and use client or user data as well. Perhaps one of the more important undertones of the “Snappening” and the iCloud celebrity photo leak is that there needs to be a better and louder dialog between service providers and the people they serve about protecting information together.

    1 Extra Step

    As consumers and creators of content that travels the Internet, it is in our best interest to take one extra step to safeguard our presence online. How this manifests itself will vary for each person. It might be strengthening passwords or encrypting sensitive data. It could be teaching our parents to recognize social engineering scams or illustrating to our children why it’s a bad idea to sext their friends. Whatever the measures, we all need to go a little further to secure the future.