Thursday, August 11, 2016

I learned a lot from this class

Week 12
Cybr-650

This is the last post for this class. I learned a lot from this class. I appreciate the feedback from the coach and the other students. It helped me to dig more into the topics that I posted about. I have been working for the past 4 years in the IT industry but had never been involved with the threat modeling process. This class helped me to put together what I was missing until now when someone asked me to apply a patch. It also helped me to understand how valuable threat modeling can be to an organization. It helps companies understand more about threats, vulnerabilities and risks and how to address them with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk.


The first, 2nd, 3rd and 4th weeks of this class were a little harder for me. I had to grasp the threat modeling process quickly. I knew what threats, vulnerabilities and risks were, but the threat modeling process helped me understand more about them and how a company can benefit from it. The Harry and Mae Inc. case study was a good learning experience for me. It gave me real-life experience in case I engage in threat modeling for a future employer. Looking back at this class, I wish I had spent more time understanding the whole process for the case study. My approach to the case study would have been different. For the threat action report, I introduced layered security, which I should have incorporated from the beginning. After going through all this, I now understand that I should have looked at the case study with a broader view than the weekly assignments. I must say the Security Trends forum was difficult for me. I was not as engaged as the others. I wish it had been weekly postings, so it would have been easier to read and respond.
I am glad this class is under my belt. I have 1 more class to go after this, and it will be with Coach Ron as well. I am looking forward to the next class, and finally I can say I completed the MS in Cybersecurity.



Sunday, July 31, 2016

Anthem is another recent victim of the cyber attack

Anthem is another recent victim of a cyber-attack. Anthem, the second largest US health insurer, had its database compromised on December 10, 2014. The breach was only discovered on January 27, 2015, and Anthem disclosed it to the public on February 4, 2015 (Ragan, 2015). As many as 80 million records may have been compromised, and the financial consequences of the data breach could reach beyond $1000 million (Osborne, 2016). Hackers gained employees' and customers' personal information by using a phishing attack. Customers and employees need to be cautious about their personal information.
Anthem disclosed that five tech employees' credentials were compromised. They could have been victims of a phishing attack with stolen passwords. Hackers were able to obtain personal information such as names, birthdays, medical IDs/Social Security numbers, street addresses, email addresses, employment information and income data. Anthem is working closely with the FBI and FireEye's Mandiant cyber forensics team to analyze the extent of the breach and the security failure (Ragan, 2015).
Anthem customers and employees should be worried about their personal information and monitor it closely. This incident is especially bad because the stolen information is more valuable than credit card or bank information: it can be used tomorrow, next week or a year down the line. Attackers can use the information for Medicare fraud and even identity theft. Customers and employees should check the http://www.anthemfacts.com website regularly for current information about the data breach. They should also take advantage of the identity theft repair and monitoring service Anthem is offering for two years at no cost (Bradley, 2015). Customers and employees need to be vigilant about their information and prevent identity theft.
References:
·       Bradley, T. (February 10, 2015). 5 things all Anthem customers should do after the massive data breach. PCWorld. Retrieved from http://www.pcworld.com/article/2880611/5-things-all-anthem-customers-should-do-after-the-massive-data-breach.html

·       Osborne, C. (February 12, 2015). Cost of Anthem's data breach likely to exceed $100 million. CNET. Retrieved from http://www.cnet.com/news/cost-of-anthems-data-breach-likely-to-exceed-100-million/

·       Ragan, S. (February 9, 2015). Anthem: How does a breach like this happen? CSO. Retrieved from http://www.csoonline.com/article/2881532/business-continuity/anthem-how-does-a-breach-like-this-happen.html

Sunday, July 24, 2016

learning in this class

Week-7

I learned a lot from this class. I appreciate the feedback from the coach and the other students. It helped me to dig more into the topics that I posted about. I have been working for the past 3 years in the IT industry but had never been involved with the threat modeling process. This class helped me to put together what I was missing until now when someone asked me to apply a patch. It also helped me to understand how valuable threat modeling can be to an organization. It helps companies understand more about threats, vulnerabilities and risks and how to address them with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk.
The first 3 weeks of this class were a little harder for me. I had to grasp the threat modeling process quickly. I knew what threats, vulnerabilities and risks were, but the threat modeling process helped me understand more about them and how a company can benefit from it. The Harry and Mae Inc. case study was a good learning experience for me. It gave me real-life experience in case I engage in threat modeling for a future employer.
Looking back at this class, I wish I had spent more time understanding the whole process for the case study. My approach to the case study would have been different. For the threat action report, I introduced layered security, which I should have incorporated from the beginning. After going through all this, I now understand that I should have looked at the case study with a broader view than the weekly assignments. I must say the Security Trends forum was difficult for me. I was not as engaged as the others. I wish it had been weekly postings, so it would have been easier to read and respond.

I am glad this class is under my belt. I have 1 more class to go after this, and it will be with Coach Ron as well. I am looking forward to the next class, and finally I can say I completed the MS in Cybersecurity.

Sunday, July 17, 2016

Malicious Advertising

Malicious advertising (malvertising) uses online advertising to spread malware. Malvertising is a big business, but there is little oversight, and it is among the least understood online threats today. Website publishers may not know that the advertising on their sites is being used for malicious intent. Malvertising accounts for a huge amount of cyber fraud and identity theft. Malvertising is an attractive tool for attackers because it reaches a large number of users easily through trustworthy companies' websites. I believe there needs to be a consensus on who is responsible for addressing these threats.
Malvertising exploits outdated versions of applications like Java, Flash Player and Silverlight to install malicious programs. Recently, popular websites like the Huffington Post, Yahoo News, AOL, TMZ and many others were hit by malvertising involving the Neutrino Exploit Kit (Seals, 2015). Website visitors were presented with advertisements that infected their computers with ransomware. Computer owners were locked out, and money was demanded to regain control of their devices. The surprising thing about this malvertising was that users did not even have to click on the advertisements; computers were infected just by visiting the websites. It was generating an estimated US$25,000 per day for the attackers (Huang, 2014). We will see more malvertising issues in the coming years since no one is taking responsibility for stopping these threats.
Malvertising is hard to protect against, but website owners working with advertising companies can help reduce the risk. Website owners should work closely with third-party advertising delivery companies regarding what is advertised on their websites. They should only allow click-to-play advertisements. They should also use infection monitoring and detection solutions to protect their website visitors (Zalvaris, 2015). For long-term company viability, their best interest should be protecting their website visitors rather than making money.
References:


Sunday, July 10, 2016

Week -5
Threat model process 
Cybr-650



Identify system to be assessed – The first step in managing threats and risk is to identify which system needs to be assessed. It also needs to be done whenever new assets are added to the environment.

Gather system information – After the system is identified in the first step, information is gathered about the systems that need to be assessed. The gathered information needs to be checked into a document repository. Brainstorming is one process we can use to collect the information.

Identify/Review – Once the system is identified and its information gathered, threats and vulnerabilities are identified in this step. This process provides detailed information about each threat and vulnerability. The collected information is then reviewed. After review, we can validate the threats and vulnerabilities against the National Vulnerability Database and antivirus vendor databases.

Document information – In this process, the information collected in the previous steps is properly documented. We can use the Microsoft Threat Modeling Tool. This tool helps retrieve the information if it is needed for review or analysis in the future. Physical, logical and data flow system information is also documented in this tool.

Risk categorization – In this process, we categorize the information using security risk analysis. Companies have different policies and procedures, and they need to check the risk against their own policies, procedures and standards. Threat categorization helps identify risks systematically and in a structured way. With the help of the risk management team, we can figure out whether to accept the risk or transfer it.
Implementation and control – After the risk categorization step is completed, countermeasures for threats and vulnerabilities are implemented per risk category. Once the team understands the threat impacts, they should identify countermeasures that could prevent the threats from causing those impacts. The team working on an issue needs to ensure the suggested countermeasures work properly.

Evaluate control – After implementation is completed, it requires validation. After validation, the controls need to be evaluated from time to time.

The process should be repeated whenever there are new vulnerabilities or threats, so the process never ends.

Sunday, July 3, 2016

Week -4
Car Security Threat 
CYBR-650

I am the owner of a Toyota Prius, so I thought about posting on cars with new technology and their vulnerabilities. I really did not think about security while buying the car. It seems that with all the gadgets added to cars nowadays, they have become more susceptible to being hacked. The automotive industry may have focused on adding new technologies for convenience, but this also exposes the car's security systems to more vulnerabilities. Silvio Cesare, an Australian security researcher, was able to unlock a car wirelessly using some radio equipment and ingenuity. He tricked the car into thinking it was being unlocked with the standard wireless key fob when actually it was being pinged with a signal from a software-defined radio attached to a laptop. He was able to unlock the car by finding the frequency of the key fob and then cracking the encryption using a brute force attack.
Similarly, Charlie Miller, a Twitter security engineer, and Chris Valasek, director of vehicle security research at IOActive, surprised the automotive industry with news of car hacking last year. They showed how they were able to hack a Toyota Prius and a Ford Escape from inside the car by exploiting vulnerabilities in the car's electronic control units. By connecting to the vehicle's onboard data port, they were able to take control of the car's locks, headlights, horn, steering and braking system. They presented at the Black Hat USA security conference in Las Vegas last year and released a list of 20 vehicles rated on their vulnerability to being hacked. Their vehicle ratings were based on three factors: the vehicles' network architecture, their "attack surface" via wireless access such as Bluetooth, and cyber-physical systems such as autonomous braking and steering. They found the vehicles' network architecture to be the weakest link.
I like the way electric carmaker Tesla Motors is doing it. They are taking an aggressive and proactive strategy for securing their car technology. They brought in the renowned white hat hacker Kristin Paget to oversee vulnerability testing and security for Tesla cars. They are looking to recruit more hackers to help sniff out security vulnerabilities in the software that controls the vehicles. I am glad security engineers like Charlie, Chris and Silvio are testing car security systems. We may think car hacking isn't mainstream and that it is very difficult and costs a lot of money today, but that might change soon. So it is important for automakers to pay more attention to car security systems and hire more security experts to do their due diligence regarding security risks. In future, I will make sure to check the car's security rating before buying, and you should too.
References:
·       Danigelis, A. (October 16, 2014). Is Car Hacking the Next Big Security Threat? LiveScience. Retrieved from http://www.livescience.com/48310-car-hacking-security-threats.html

·       Estes, A.C. (August 04, 2014). Wirelessly Hacking--And Unlocking--Cars Is Easier Than It Should Be. Gizmodo. Retrieved from http://gizmodo.com/wirelessly-hacking-and-unlocking-cars-is-easier-than-1615693270

·       Higgins, K.J. (December 11, 2014). Hiring Hackers To Secure The Internet of Things. Dark Reading. Retrieved from http://www.darkreading.com/vulnerabilities---threats/hiring-hackers-to-secure-the-internet-of-things/d/d-id/1318107?

Sunday, June 26, 2016

Week -3 
Cybr-650
Project Zero, Google’s Secret Team of Bug-Hunting Hackers 


Project Zero is Google's new security project dedicated to finding flaws on the Internet. Project Zero's objective is to reduce the number of people harmed by targeted attacks and make the Internet safer. So far, Google's security team has worked hard to secure Google's own products like Google Search, Gmail and Drive. With this project, it plans to look into non-Google technologies. It wants to locate and report large numbers of vulnerabilities and conduct new research into mitigations, exploitation and program analysis. Once a vulnerability is located, the team notifies the software vendor about the bug and gives them 60-90 days to resolve the issue. After the deadline, the information is made public on the Project Zero website. I think it's the right way to do it, and this will motivate software vendors to fix their vulnerabilities faster.
Project Zero wants to assemble the best and brightest security researchers to track down and neuter the most insidious security flaws in the world's software. The team has recruited security experts like Chris Evans, who earlier led Google's Chrome Security Team; Ben Hawkes, who has been credited with discovering dozens of bugs in software like Adobe Flash and Microsoft Office apps; and George Hotz, who cracked the AT&T iPhone in 2007.
Project Zero is a good initiative by Google. Its effort to improve Internet security for all Internet users is commendable. I hope other giants like Yahoo, Microsoft and Facebook will follow Google's lead in liberating the Internet. Google may be spending more on this project, but it also helps Google recruit top talent, and Google benefits from having more users on the Internet clicking ads on Google-related sites. According to Evans, "People deserve to use the internet without fear that vulnerabilities out there can ruin their privacy with a single website visit." But time will tell whether it was a Google PR stunt or a real effort to help the Internet community.
References:

Sunday, June 19, 2016

Week 2
CYBR-650
We can find almost anything on the web, and the same is true for IT security related information. As a security professional, you might want to limit your resources to credible sources. Below is a list of some that you should know as a security professional.

Vendor websites - Vendor websites are one of the best resources for investigating possible vulnerabilities. Vendor sites provide security advisory notices with instructions on how to fix the issue. They also provide the latest patches and service packs. You can subscribe to their newsletters so you are one of the first to know about new products or security vulnerabilities. If your network is Windows-based, you may want to visit http://technet.microsoft.com. If you are using Unix, Linux or Mac OS, then you should visit those vendors' websites.

National Vulnerability Database (NVD) - NVD is the U.S. government repository of standards-based vulnerability management data and is run by NIST's Computer Security Division. It supports many U.S. government agencies like OSD, DHS, NSA, DISA, and NIST's Information Security Automation Program. NVD data helps enable the automation of vulnerability management, security measurement and compliance. It provides CVE vulnerabilities, checklists, US-CERT alerts and vulnerability notes. Each CVE vulnerability is listed with its CVSS score and a ranking of Low, Medium or High.

United States Computer Emergency Readiness Team (US-CERT) - US-CERT is another government entity, under the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD). It was created to protect Internet infrastructure against cyber attacks. It is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. You can subscribe to their bulletins to get the latest information on cyber attacks and security. You can also report a cyber incident or a software vulnerability through their website.

SANS Institute - SANS was established in 1989 as a cooperative research and education organization. It is one of the most trusted sources for computer security training, certification and research. It provides training in diverse fields including security administration, forensics and auditing. It maintains the largest collection of research documents related to information security, available for free. It maintains the Internet's early warning system, the Internet Storm Center (ISC). ISC provides free analysis and warning services to help fight back against attackers. SANS also founded the Global Information Assurance Certification (GIAC) certification entity, which helps validate the skills of information security professionals.

Antivirus solution providers - There are many excellent antivirus solution providers like Symantec, McAfee and Kaspersky. Each has a website where you can find the latest threat activity. For example, Symantec has a page dedicated to Security Response at http://www.symantec.com/security_response/. It provides information on how to protect against security threats including malware, security risks, vulnerabilities and spam. It has a listing of known threats and risks with detailed information such as the type of threat, a threat assessment, when it was discovered, what types of systems are affected and how it can be resolved.


Sunday, June 12, 2016

CYBR 650 - Post 1
This is the blog site that I will be using for CYBR 650 - Current Trends in Cybersecurity. This is the capstone course of the MS in Cybersecurity program. We will be discussing the identification and management of threats and vulnerabilities within an enterprise security program. I am looking forward to reading about and learning from the different technologies my classmates will be presenting on. I have one more class to go to complete the MS in Cybersecurity.

Saturday, May 28, 2016



Week 11
CERT - Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition, Version 3.1
This CERT document outlines several issues regarding insider threats with real-world cases and situations encountered in business practice. In this blog, I would like to discuss using layered defense against remote attacks, one of the insider threats outlined in the CERT document.
While providing remote access to employees, there is a possibility of an attack carried out remotely using legitimate access provided by the organization, although the main purpose of remote access is to enhance employee productivity. So, organizations need to be cautious while providing such access to critical data, processes or information systems. In most cases it makes it easy for an employee to access the organization's assets and use them for other purposes, such as personal gain or the advantage of another business, because it eliminates the concern that someone could be physically observing the malicious acts. This possible vulnerability emphasizes the need to build multiple layers of defense against such attacks: provide remote access to the most critical data and functions only from machines that are administered by the organization, and limit access to these assets to the smallest practicable group of users and system administrators.
Therefore, while providing remote access to critical data, processes and information systems, an organization should offset the added risk with closer logging and frequent auditing of remote transactions: the login account, the date/time connected and disconnected, and the IP address of the user should be logged for all remote logins. Not only successful remote access but also failed remote logins need to be monitored, including the reason the login failed. Organizations often overlook disabling remote access for terminated employees or people no longer working with the organization, so it is critical to retrieve all company-owned equipment, disable the remote access account, disable firewall access, change the passwords of all shared accounts, and close all open connections belonging to the terminated employee in order to avoid risk and control their access to the system.
Most of the time, user information like remote access logs, source IP addresses and phone records helps to identify insiders who intended to attack. It helps point out the intruder directly, but the organization has to be cautious when the intruder tries to frame other users, diverting attention away from his or her misdeeds by using another user's account or manipulating the monitoring process.
According to the CERT study, some of those insider attacks came from the user's home machine, and most of the time the attacks happened from other remote machines not under the administrative control of the organization, using applications like pcAnywhere. Although the intention could be personal benefit, another business's benefit, another opportunity or business advantage, it ultimately costs the organization a big loss and could possibly put it out of business. So it is very important to consider providing extra layers of security, to document all incidents, and to document and revise the policy according to lessons learned from past incidents.
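The auditing the guide calls for (who logged in, from which address, when they connected and disconnected, which logins failed and why, and whether any activity touches an account that should already be disabled) is mechanical enough to script. The following is an added example, not tooling from CERT or from the guide: it parses a constructed remote-access gateway log, compares source addresses against the ranges of organization-administered machines, checks for activity on accounts HR has reported as terminated, and flags sessions that were never closed. The log format, user names, address ranges and the list of terminated accounts are all made-up assumptions for the demonstration.

```python
"""Audit remote-access logs for the signals the CERT guide calls out.

Added example for this post; not CERT's or the guide's code. The log
format (timestamp followed by key=value tokens), the user names, the
"managed" address ranges and the terminated-account list are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of a remote-access gateway log.
SAMPLE_LOG = """\
2016-05-20T22:14:03Z user=jsmith result=SUCCESS src=192.0.2.25 event=connect
2016-05-20T23:40:10Z user=jsmith result=SUCCESS src=192.0.2.25 event=disconnect
2016-05-21T02:05:11Z user=bjones result=FAILURE reason=bad_password src=198.51.100.7 event=connect
2016-05-21T02:05:40Z user=bjones result=FAILURE reason=bad_password src=198.51.100.7 event=connect
2016-05-21T02:06:02Z user=bjones result=SUCCESS src=198.51.100.7 event=connect
2016-05-21T03:15:00Z user=tlee result=SUCCESS src=192.0.2.31 event=connect
2016-05-21T09:00:00Z user=rkim result=FAILURE reason=account_disabled src=203.0.113.9 event=connect
"""

# Accounts HR has reported as terminated (constructed); any activity is a finding.
TERMINATED_USERS = {"tlee", "rkim"}

# Address ranges of machines the organisation administers (constructed).
MANAGED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'ts key=value ...' line into a dict.

    A malformed line raises rather than being dropped: an auditor should
    notice a gap in the record, not silently skip it.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = {"ts": m.group("ts")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"bad token {token!r} in {line!r}")
        rec[key] = value
    for required in ("user", "result", "src", "event"):
        if required not in rec:
            raise ValueError(f"missing {required} in {line!r}")
    return rec


def is_managed(src: str) -> bool:
    """True if the source address falls inside an administered range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGED_NETWORKS)


def audit(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious event plus one per unclosed session."""
    findings: List[Dict[str, str]] = []
    open_sessions: Dict[str, Tuple[str, str]] = {}   # user -> (connect ts, src)

    def add(rec, kind, detail, src=None):
        findings.append({"ts": rec["ts"], "user": rec["user"],
                         "src": rec["src"] if src is None else src,
                         "kind": kind, "detail": detail})

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["result"] == "FAILURE":
            add(rec, "failed_login", rec.get("reason", "unknown"))
        if rec["user"] in TERMINATED_USERS:
            add(rec, "terminated_account_activity", f"{rec['result']} {rec['event']}")
        if rec["result"] == "SUCCESS":
            if not is_managed(rec["src"]):
                add(rec, "unmanaged_source", "source outside administered ranges")
            if rec["event"] == "connect":
                open_sessions[rec["user"]] = (rec["ts"], rec["src"])
            elif rec["event"] == "disconnect":
                open_sessions.pop(rec["user"], None)

    # Sessions with a connect but no disconnect: open connections to close.
    for user, (ts, src) in sorted(open_sessions.items()):
        findings.append({"ts": ts, "user": user, "src": src,
                         "kind": "session_never_closed",
                         "detail": "connect without matching disconnect"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by kind, for a quick daily roll-up."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['kind']:28} user={f['user']:8} src={f['src']:14} {f['detail']}")
    print(summarize(results))
```

On the constructed log this reports the repeated bad-password attempts, a successful login from an address the organization does not administer, activity on two terminated accounts (one of them still succeeding, which is exactly the missed offboarding step the guide warns about), and two sessions that were never closed. The point of the terminated-account check is that it runs against the HR list, not the gateway's own account state, so it catches the case where the account was never disabled at all.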

References:
CERT (2009). Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition, Version 3.1. CERT, Carnegie Mellon University. Retrieved from https://cyberactive.bellevue.edu/bbcswebdav/pid-7538856-dt-content-rid-10132342_2/courses/CIS608-T303_2161_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf



Sunday, May 22, 2016


Week 10
NIST SP 800-111 “Guide to Storage Encryption Technologies for End User Devices”

Threats are unavoidable but can be minimized. There are many threats to the confidentiality of information stored on end user devices; some are unintentional and some are intentional. Unintentional threats are caused by human error, whereas intentional threats are more serious and driven by different motives. These intentional threats could cause mischief and disruption, or be used to commit identity theft and other fraud. Threats come in many forms: internal, when an employee misuses his or her position to access critical information; and external, when someone remotely accesses a system or device and attempts to access critical information stored on it, which could jeopardize the confidentiality of the organization's data (NIST, 2011).

So, securing critical information and components of end user devices is very important and requires additional measures to protect against threats from unauthorized users or parties. This publication provides recommendations for storage encryption; the security controls that allow only authorized users or parties to access sensitive information stored on end user devices are encryption and authentication.
1.  When selecting a storage encryption technology, organizations should consider solutions that use existing system features (such as operating system features) and infrastructure.
Some encryption solutions require that you deploy servers and install client software on the devices to be protected, while others can use existing servers and software already present on or built into the devices, such as Federal Information Processing Standard (FIPS) features (Jackson, 2009). The more extensive the changes to the infrastructure and devices, the more likely the storage encryption solution will cause a loss of functionality or other problems with the devices. Therefore, compare the loss of functionality with the gains in security and decide whether the trade-off is acceptable; such a solution should be used only when another solution cannot meet the organization's needs (NIST, 2011).
2.  Organizations should use centralized management for all deployments of storage encryption except for standalone deployments and very small-scale deployments.
Centralized management is recommended for storage encryption because it enables efficient policy verification and enforcement, key management, authenticator management, data recovery and other management tasks. It can also automate deployment and configuration of encryption software, distribution and installation of updates, collection and review of logs, and recovery of information from local failures (NIST, 2011).
3.  Organizations should ensure that all cryptographic keys used in a storage encryption solution are secured and managed properly to support the security of the solution.

Storage encryption technologies use one or more cryptographic keys to encrypt and decrypt the data they protect. If a key is lost or damaged, it may not be possible to recover the encrypted data from the computer. Key management therefore matters in all its aspects: key generation, use, storage, recovery and destruction. So, organizations need to consider how key management practices can support the recovery of encrypted data when a key is inadvertently destroyed or becomes unavailable (NIST, 2011). Also consider how changing keys will affect access to encrypted data on removable media, and develop feasible solutions, such as retaining the previous keys in case they are needed (Jackson, 2009).
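Recommendation 3 above is easier to reason about with a concrete key-management mechanism in front of you. The following is an added example, not NIST's or any product's code: a key ring in which every ciphertext carries the identifier of the key that produced it, rotation adds a new key but keeps the old ones so data written earlier (the removable-media case) still decrypts, and destroying a key makes everything encrypted under it unrecoverable, which is the loss scenario the guide warns about. The cipher inside is a demonstration construction built only from the standard library (an HMAC-SHA256 keystream in counter mode, encrypt-then-MAC); a real deployment would use a vetted authenticated cipher such as AES-GCM from a proper library, and the key ids, purposes and messages here are constructed values.

```python
"""Key ring with rotation and retained keys for storage encryption.

Added example for this post, not NIST's code. The cipher is a stdlib-only
demonstration (HMAC-SHA256 counter-mode keystream + HMAC tag); use a vetted
AEAD such as AES-GCM in a real system. Ciphertext layout:
    key_id (4 bytes) | nonce (16 bytes) | ciphertext | tag (32 bytes)
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

KEY_ID_LEN = 4
NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = KEY_ID_LEN + NONCE_LEN


def _derive(master: bytes, purpose: bytes) -> bytes:
    """Separate encryption and MAC subkeys from one master key."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class KeyRing:
    """Holds every key still needed to read stored data; one key is current."""

    def __init__(self) -> None:
        self._keys: Dict[int, bytes] = {}
        self.current_id: Optional[int] = None

    def rotate(self) -> int:
        """Generate a fresh key and make it current. Previous keys are retained."""
        new_id = (self.current_id or 0) + 1
        self._keys[new_id] = os.urandom(32)
        self.current_id = new_id
        return new_id

    def destroy(self, key_id: int) -> None:
        """Permanently remove a key; data encrypted under it becomes unrecoverable."""
        del self._keys[key_id]          # KeyError if the id is unknown

    def which_key(self, blob: bytes) -> int:
        """Read the key id a ciphertext was written under (no key needed)."""
        return struct.unpack(">I", blob[:KEY_ID_LEN])[0]

    def encrypt(self, plaintext: bytes) -> bytes:
        if self.current_id is None:
            raise RuntimeError("no current key: call rotate() first")
        master = self._keys[self.current_id]
        nonce = os.urandom(NONCE_LEN)
        header = struct.pack(">I", self.current_id) + nonce
        ks = _keystream(_derive(master, b"enc"), nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(_derive(master, b"mac"), header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        if len(blob) < HEADER_LEN + TAG_LEN:
            raise ValueError("ciphertext too short")
        key_id = self.which_key(blob)
        if key_id not in self._keys:
            raise KeyError(f"key {key_id} is not in the ring: data unrecoverable")
        master = self._keys[key_id]
        header, ct, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(_derive(master, b"mac"), header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # verify before decrypting
            raise ValueError("authentication failed: corrupted ciphertext or wrong key")
        ks = _keystream(_derive(master, b"enc"), header[KEY_ID_LEN:], len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


def rotation_demo() -> Dict[str, object]:
    """Walk through rotate -> old media still readable -> destroy -> data lost."""
    ring = KeyRing()
    ring.rotate()                                        # key 1 in use
    old_media = ring.encrypt(b"records written before rotation")   # constructed
    ring.rotate()                                        # key 2 current, key 1 kept
    new_media = ring.encrypt(b"records written after rotation")    # constructed
    old_readable = ring.decrypt(old_media) == b"records written before rotation"
    new_readable = ring.decrypt(new_media) == b"records written after rotation"
    ring.destroy(1)                                      # key 1 gone for good
    try:
        ring.decrypt(old_media)
        old_lost = False
    except KeyError:
        old_lost = True
    return {"old_key_id": ring.which_key(old_media), "new_key_id": ring.which_key(new_media),
            "old_readable_after_rotation": old_readable, "new_readable": new_readable,
            "old_lost_after_destroy": old_lost}


if __name__ == "__main__":
    for k, v in rotation_demo().items():
        print(f"{k}: {v}")
```

Two design choices carry the guide's point. Storing the key id in the header is what lets a rotated ring find the right retained key for older media without trial decryption; and `destroy()` is deliberately a one-way operation with no confirmation, so the demo makes visible that the only thing standing between a key change and unreadable data is whether the previous key was retained or backed up before it was removed.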

References:

·     NIST (2011). Guide to Storage Encryption Technologies for End User Devices, NIST SP 800-111, November 2007. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
·     Jackson, W. (2009). Five Encryption tips from NIST. GCN.com, April 15, 2009. Retrieved from https://gcn.com/Articles/2009/04/20/Crypto-best-practices-sidebar.aspx

Monday, May 16, 2016

Week 9 
Risk Management: Assessing and Controlling Risk

This week we discussed risk management and risk control strategies.
Let's talk about some security mistakes we make in our everyday work.
·       The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures.
·       Leaving unattended computers on
·       Opening email from strangers ("I Love You" virus)
·       Poor password selection. A good example is: "I pledge allegiance to the flag" becomes "ipa2tf."
·       Laptops have legs (physical security)
·       Loose lips sink ships (people talk about passwords)
·       Plug and Play (technology that enables hardware devices to be installed and configured without protection)
·       Unreported security violations
·       Behind the times in terms of patches
·       Not watching for dangers within your own organization
So, to keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data. These objectives are met via the application of the principles of risk management.
Once the ranked vulnerability risk worksheet is complete, one of four strategies must be chosen to control each risk:
1.  Apply safeguards (avoidance)
Avoidance is accomplished through:
·               Application of policy
·               Application of training and education
·               Countering threats
·               Implementation of technical security controls and safeguards

2.  Transfer the risk (transference)

This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or by implementing service contracts with providers.

Some rules of thumb on strategy selection are:
§  When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exercised.
§  When a vulnerability can be exploited: Apply layered controls to minimize the risk or prevent the occurrence.
§  When the attacker’s potential gain is greater than the costs of attack: Apply protections to increase the attacker’s cost, or reduce the attacker’s gain, using technical or managerial controls.
§  When potential loss is substantial: Apply design controls to limit the extent of the attack, thereby reducing the potential for loss.

References:

Michael E. Whitman and Herbert J. Mattord, "Management of Information Security", Fourth Edition, Cengage Learning.

Sunday, May 8, 2016

Week 8

Why you should adopt the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework comprises best practices from various standards bodies that are proven and successful when implemented, and it also may deliver a regulatory and legal advantage that extends well beyond improved cyber security for organizations that adopt it early.
The framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cyber security programs.  It comprises three primary components: Profile, Implementation Tiers, and Core.
For most organizations, whether they are owners, operators, or suppliers for critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. An organization that adopts the Framework at the highest possible risk-tolerance level may be better positioned to comply with future cyber security and privacy regulations.
It is impossible to include every aspect of cybersecurity in one practice framework, but NIST provides comprehensive, prescriptive guidelines for all entities across industries. While the framework offers worthwhile standards for improving cybersecurity, it does not fully address several critical areas.
The NIST Cybersecurity framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards. Organizations across industries may gain significant benefits by adopting the guidelines at the highest possible risk-tolerance level given investment capital.
Although adopting the NIST Cybersecurity Framework has many benefits, implementation may involve certain challenges. Critical infrastructure owners and providers may find it difficult to assess their Implementation Tier, which demands a holistic view of the entire ecosystem and the ability to be truly objective.

References:

PWC 2014, “Why you should adopt the NIST Cybersecurity Framework”, Published on PWC.com, May 2014, Retrieved From: https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf

Sunday, May 1, 2016

Week 7

How to secure your Email communication?
Communication is important to any organization, and email is more popular than ever. Nowadays, using email as the main tool for communicating with everyone related to your organization brings many benefits. There is no doubt, however, that for an Internet-based organization email also brings several threats that most employees are not even aware of. So there is always a need for training and awareness regarding how to use email: what to access, what not to, and how to tell whether an email is trustworthy.
Here are some common issues and considerations for using email securely and staying cautious of the threats that come with evolving technology.
  1. The organization should implement an acceptable use policy for email communication that all employees must comply with. This kind of policy helps the organization protect both employees and the business. The policy should provide the necessary measures to monitor email communication on a regular basis.
  2. All email should be encrypted, which helps protect the organization’s information systems, security, and assets. When sending sensitive information via email, use commonly accepted methods for email encryption such as PGP and S/MIME.
  3. Take the necessary care when sending or replying to email. Responding with the reply-all function could send your classified information to unrelated people, so check recipients carefully and remove unwanted recipients before sending sensitive information.
  4. Keep your software up to date to avoid malware and other threats that could expose sensitive information or leave your system vulnerable.
  5. Always use approved security software to prevent malware from spreading and to avoid falling victim to phishing attacks. Use trusted security software approved by your organization and keep it up to date, including malware prevention and a securely configured firewall.
  6. Avoid email from unknown senders and untrusted content. Do not click links or open attachments in such email. Malicious emails often carry attachments containing malware, frequently hidden inside PDF and zip files. Always run a security scan on mail before opening any of its contents.
  7. Always disable automatic content downloads, because such downloads could open the door for attackers to access your system and your organization’s sensitive information.
  8. Always use a unique, strong password for your email to prevent an attacker from accessing your account and the sensitive information stored in or linked to your system. Use a systematic method to create passwords: at least 8 characters, including numbers and special characters.
  9. Always log out after checking or sending email. This prevents unauthorized users from accessing the system.
  10. Filter your mailbox and delete or archive old email or email that is no longer needed.
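Items 3, 6 and 7 above describe things a person can check by eye: who is on the recipient list, what kind of attachment is present, and whether the message pulls content from the Internet automatically. The following is an added example, written for this post and not taken from the referenced article, that makes those same three checks on a MIME message using only Python’s standard email library. The message it inspects is constructed inline for the demonstration, and the list of risky attachment extensions is an illustrative assumption rather than any official standard.

```python
"""Mail-hygiene check for a single RFC 5322 message (added example).

Reports three of the risks discussed above:
  - attachments whose extension is commonly abused (scan before opening),
  - HTML parts that reference remote content (automatic content downloads),
  - how many recipients the message is addressed to (reply-all mistakes).
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Illustrative assumption: extensions a defender would want scanned or blocked
# before a user opens them. Not an official or complete list.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1",
                    ".jar", ".hta", ".zip"}

# Matches src="http://..." / src='https://...' in an HTML body, i.e. content
# that a mail client with automatic downloads enabled would fetch remotely.
REMOTE_SRC = re.compile(r"""src\s*=\s*["'](https?://[^"']+)""", re.IGNORECASE)


def inspect_message(raw: bytes) -> dict:
    """Parse a raw message and return the findings as a dictionary."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"risky_attachments": [], "remote_content": [], "recipient_count": 0}

    # Count addresses in To/Cc/Bcc so an unusually wide distribution stands out.
    for header in ("To", "Cc", "Bcc"):
        value = msg.get(header)
        if value:
            findings["recipient_count"] += len([a for a in value.split(",") if a.strip()])

    # Walk every leaf part: attachments are checked by extension, HTML bodies
    # are searched for remote resources.
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings["risky_attachments"].append(filename)
            continue
        if part.get_content_type() == "text/html":
            findings["remote_content"].extend(REMOTE_SRC.findall(part.get_content()))
    return findings


def build_sample() -> bytes:
    """Constructed sample message for this example; not a real captured email."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "alice@example.com, bob@example.com"
    m["Cc"] = "all-staff@example.com"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see the attached invoice.")
    # HTML alternative with a 1x1 remote image, the classic tracking pixel.
    m.add_alternative(
        '<p>Please see the attached invoice.</p>'
        '<img src="http://tracker.example.net/pixel.gif" width="1" height="1">',
        subtype="html",
    )
    # A zip attachment; the bytes are a stand-in, not a real archive.
    m.add_attachment(b"PK\x03\x04 placeholder bytes", maintype="application",
                     subtype="zip", filename="invoice.zip")
    return m.as_bytes()


if __name__ == "__main__":
    result = inspect_message(build_sample())
    print("Recipients:        ", result["recipient_count"])
    print("Risky attachments: ", result["risky_attachments"])
    print("Remote content:    ", result["remote_content"])
```

Run it on the constructed message and it reports three recipients, the `invoice.zip` attachment, and the remote tracking image. The same `inspect_message` function can be fed any `.eml` file read in binary mode; the point of the example is that each of the manual checks in the list above corresponds to something concrete in the message structure that can be reviewed before anything is opened.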
There is no doubt that every organization has its own set of policies and guidelines for using email securely and protecting sensitive information from disaster. Always keep a close eye on the security software and make sure all software has the latest updates.

References:

PJ 2009, “Secure Email Communication and Use”, Published on MindfulSecurity.com, Retrieved From: http://mindfulsecurity.com/2009/11/06/secure-email-communication-and-use/