Whitman, Mattord & Green's Blog

  • What is GRC? Why do you care?

    There are really two camps in the information security discipline. You may want to call them managerial and technical. You might call them computer security and information assurance. You can come up with as many terms to explore this division as you like, but it boils down to how we go about establishing a system of controls to reduce risk. One aspect is the implementation of the technical side of one of many types of controls that limit the actions a system can be used to take. These are things like firewalls, intrusion detection and prevention, programs that scan for vulnerabilities so they can be diagnosed and repaired, and so on. Think of these things as ways to make systems more secure, more reliable or more resistant to misuse. The other aspect is that of creating the organization needed to plan and implement secure systems. This is done by establishing and maintaining governance of the IT and security functions (that's the G), establishing and maintaining...
  • If you hated SOPA, you'll just loathe CISPA

    As I'm sure most of you recall, the "Stop Online Piracy Act", or SOPA, was a piece of federal legislation that was winding its way through the approval process just a few months ago. It was killed, in part, due to public outcry from various sources. Congress saw the writing on the wall, and the bill was tabled in December 2011. SOPA was roundly criticized by many privacy organizations and DNS experts as an ineffective way to combat online piracy, as well as being dangerous to DNS. Recently, the Cyber Intelligence Sharing and Protection Act, or CISPA, was submitted to the House of Representatives for consideration. This bill would allow the sharing of Internet traffic and associated details between the federal government and certain companies. The stated goal of CISPA is to allow the federal government to investigate potential cyber threats, while protecting against cyber attacks. Sounds great, right? The devil is always in the details, however - and there are really...
  • Just Because You Can... Doesn't Mean You Should

    Just because you can...doesn't mean you should. I'm going to share a story from one of my fellow professors about a student in his information security class. He observed a student using his cell phone in class against course policy. The student proudly bragged the following: "He acknowledged he was actively scanning a fellow student's system without permission. He had downloaded an Android app used for network scanning and penetration testing, and was playing with it. He scanned the network, found a system with a fellow student's name on it, and claimed he was about to scan it when I called him out on his use of a mobile phone in class." Now realize this is an advanced information security class and the students have already had several classes where they were educated and informed about the legal and ethical responsibilities of an information security professional. In fact, in each of these classes, the students sign agreements (White Hat Agreements) that specifically...
  • Microsoft's Plans for Authentication in Windows 8

    It seems Microsoft will add some new authentication capabilities to Windows 8 that we have not seen before, and this is sparking some debate about how secure some of them will be. Three new authentication methods will be available in the standard implementation of Windows 8. These join the legacy model of username and password. Each of the new options is drawing criticism from security professionals. One is the new picture password. The picture password lets users draw gestures on the touchscreen of the hardware and OS to perform the act of authentication. Critics think this is very susceptible to long-distance viewing (think video camera) and will result in an easily breakable way to bypass basic security. As others have noted, Windows allows users to keep the current password model in place, and that can be used with strong passwords to deploy good security for the system. Also, how will you be able to recall the pattern if you forget it? Perhaps, as some have observed, this...
  • 2012 Verizon DBIR

    Verizon recently released their yearly Data Breach Investigations Report (DBIR). For those of you not familiar with the document, it is a pretty thorough analysis of confirmed breach cases that have been investigated by:
      • Verizon
      • Australian Federal Police
      • Dutch National High Tech Crime Unit
      • Irish Reporting and Information Security Service
      • Police Central e-Crime Unit
      • United States Secret Service
    The study looks at data gleaned from a total of 855 incidents, with 174 million compromised records, and has some interesting numbers to take a look at (the number in parentheses represents the change from last year's survey):
      • 98% of breaches stemmed from external agents (+6%)
      • 81% of breaches were caused by some form of hacking (+31%)
      • 69% of breaches incorporated some type of malware (+20%)
      • 79% of victims were targets of opportunity (-4%)
      • 96% of attacks were not highly difficult (+4%)
      • 85% of breaches took weeks or more to discover (+6%)
      • 92% of incidents were discovered by a third party (+6%)
      • 97% of breaches...
  • Ramblings

    I was recently asked to make some comments about the 'State of Infosec' from my perspective. I jotted down these rambling thoughts. Since I like to reuse my ideas as much as possible, I thought I would share with this audience as well. Security in the balance of 2012 is not likely to be revolutionary, just the continued evolution of threats, attacks and attackers. This will continue recent movement toward hacking for profit and away from hacking for amusement and visibility. Apathy and status quo thinking will continue to put business assets at risk. Realistic risk-based planning and control implementation must be used to focus limited resources on as many ways to limit risk as possible. Anyone who claims something is 'new' or 'different' and requires a point solution to address a risk is probably trying to sell you something. Maximum effect still comes from doing the essential security processes as efficiently and effectively as possible to gain conformance with...
  • Career Tracks

    From watching the comings and goings of students and the recruiting of students by employers, there are a few ways that folks get into the information security profession. While these paths are not all new, the relative number of people on each path seems to be changing over time.
    I've got the job, now I need a degree
    Folks who start work without a completed degree often find that hard work and being a diligent employee get them so far, but in order to be transferable or promotable (or even in some cases keepable), they need a BS or BBA degree. This comes from the HR department sometimes, and from contract requirements or other outside factors. But I meet a significant number of students who are motivated to get a degree to keep a career moving forward. This is good, since the students are on a career track they want to be on, but maybe just having a few bumps on the way.
    I've got a job, but I want a job in the security field, and I need a degree
    These folks see the security career track...
  • It's all fun and games, until the Red Team shows up

    Perhaps you've heard about the National Collegiate CyberDefense Competition (NCCDC). Here at Kennesaw State University, we have been involved with the student competition since 2006 and help to sponsor the South East Regional CCDC. In fact, we are so convinced that the CCDC adds value for students of information security that we have added a course to our degree program called CyberDefense. KSU students who are majoring in the BBA in Information Security and Assurance degree take a capstone course - ISA 4710 CyberDefense. That course pulls together an entire degree's worth of learning into a semester-long business simulation. It's one thing to learn how to set up a firewall or IDPS in a lab. But it's another experience altogether to review the firewall policy, draft a project plan, get that plan approved by corporate change control, coordinate with the corporate project office, schedule implementation into the allowable change windows, work with others on your team to coordinate...
  • Mind the Gap

    I spent Summer term last year teaching two security courses in London. One commonly seen souvenir is a shirt or coffee mug that has "Mind the Gap" printed on it. I even bought a deck of cards for my grand-daughter that had that printed on it. Of course, this phrase is speaking to the need for travelers on the London Underground to watch out for the opening between the platform and the subway cars when you get off or on the Underground. The PA system reminds us to "Mind the Gap". Students sometimes ask what it takes to be a successful InfoSec manager or consultant. My answer is to "Mind the Gap". This is a useful way to remember that an overarching approach we use to improve security is the process known as Gap Analysis. So, what is Gap Analysis? Very simply, it is a process of finding out where you are, then identifying where you want to be -- the difference between the two is the gap. Then, everything else we do is...
  • Passwords - How much longer?

    As part of some recent research I asked a panel of experts how much longer we should expect passwords to be used in authenticating Web-based information systems. The answers they gave led me to think that while most of them consider password-only authentication pretty weak, passwords are going to be around for quite a while. Almost half of the experts think that password-only authentication for Web-based systems is poorly suited for some types of systems. But still, fully 70% of the expert panel concur that its usage will decline but that it will remain a significant form of authentication for at least ten years. Interestingly, only 9 percent of those who expressed an opinion think that password-only authentication for Web-based systems is inadequate for any system and will be completely replaced as a form of authentication in ten years. What does this mean for teachers and students studying information security now? Password-only authentication is very heavily used now and will remain...
  • Passwords and Passphrases

    It’s such a simple idea really. In order to protect your online account (or other asset), you are asked to create a word only you will know: the password. But the problem is we are humans with human frailties, including (for most of us) poor memories for complex things. So we default to the familiar. Something simple, perhaps? Or maybe something comfortable, that is easy for us to relate to: birthdays, mom’s maiden name, pet names. And that’s where we weaken the armor, the defenses that protect our online information. The most egregious of these “simple” passwords is the PIN, or Personal Identification Number, a 4-digit code originally intended only to be used together with other security access controls like the bank card. The bank card, or ATM card, is one third of a security control designed to protect a bank account. One must have a) access to an authorized terminal (the ATM), b) the card itself, and c) a PIN...
  • Organizational Security Culture

    What is an organizational security culture, and why do you care? The work of information security and assurance is always done in the context of the organization for which it is designed and that pays the bills for that work. Organizational security culture is the collection of human awareness, attitudes, perceptions and exhibited behaviors regarding information security by the members of an organization (Lacey, 2010). The reason we care about the organizational culture is that it will influence the outcomes for information security programs and infrastructure. In some cases, prior security campaigns have already failed to reach the level of security desired by management. Before trying again, it may be necessary to change the culture, but at the very least it is necessary to understand the existing organizational security culture. Changing culture might be done with negative motivators. Lacey (2010) wrote that this might rely on fear of negative consequences from the application of...
  • SMBs Need Security

    The odds are that many Information Security and Assurance (ISA) students will go to work for small and medium-sized businesses. While your classroom preparation will often focus on the needs and complexities of the corporate environment, where largish problems are solved with largish budgets, much of the work in the ISA field is done by IT workers as 'other duties as assigned' and funded on a shoestring budget. SMBs face all of the same risks of loss as bigger companies, perhaps on a smaller scale, and perhaps not. Every issue -- from governance to policy to network security -- is going to face the ISA practitioner working at an SMB. Remember that the skills you learn in the classroom and on the job preparing for the corporate world will be fully transportable to the SMB world, but you might have to be flexible in how you apply that knowledge. Some of the issues that SMBs face might also be even more critical than the equivalent issue in the corporate world. This might include Business...
  • The Digital Forensics Job Market

    OK, I may be a bit controversial here... About once a semester I get a student who asks "What courses do I need to take to pursue a career in forensics?" Contrary to what my colleagues might say, I usually reply: Dual Major in Criminal Justice and Information Security. You see, there just aren't that many entry-level jobs in forensics. Digital forensics is an extremely complicated and technical field, and while there are a few exceptional institutions around the U.S. with degree programs in forensics (Mississippi State comes to mind), there just aren't a lot - because there aren't a lot of employers demanding graduates. Most of the jobs in the state of Georgia are in law enforcement - hence my comment on a dual major in criminal justice and InfoSec. Virtually all forensics jobs around here are performed by sworn officers - detective grade - who then attend specialized training in forensics. There is an increasing interest in organizations to have forensics-qualified...
  • It's all about the Benjamins... and Susans and Bobs and Marys...

    I've just returned from the annual CISSE conference. For those of you not familiar with the event, it's the Colloquium for Information Systems Security Education, co-hosted by the National Security Agency and a rotating panel of academic and professional (industry) organizations. One of the keynote speakers was a high-level executive in ... well, let's say a VERY well-known security training organization that hosts several technical certifications (know who I mean?). This individual was invited to speak on the future needs of the information security profession, in an attempt to sway the largely academic audience in their curriculum development efforts. The gist of his presentation was that, due to the large breakout of some very recent and highly technical attacks, including attacks on IMF, RSA and Google, what the nation needed was a dramatic increase in very technically capable future information security professionals. He went on to elaborate extensively on the current...