Tuesday, December 10, 2013

Thoughts on Ways to Keep your Employees Happy / Information Security Inside the Perimeter

Securing the perimeter is not an easy task. There are a multitude of problems businesses have to consider, especially when it comes to their own employees. The article "7 Ways to Keep your Employees Happy" gives readers several points that I personally believe business owners should consider when it comes to securing their perimeters.

Karsten Strauss, the author of the article, believes that having employees build ownership within their company is imperative for them to be comfortable in it. I say yes and no to this. Yes, because it's good for employees to have the mindset that a company's successes are their successes, and its failures are their failures. I say no, it's not good, because what if an employee in the IT department takes too much "ownership" over all that he surveys? What if that employee decides he doesn't want to trust other employees (or personnel that may one day be in his current position) with administrative access or lower types of access? This employee may feel like others won't be able to live up to his standards.

Keeping your team informed sounds nice, and I'm sure a lot of employees would appreciate it. But in some fields, certain knowledge simply isn't necessary for employees to have. It's important to make sure employees know the direction the company is trying to take, but if you give out too much in-depth information, you're just creating potential security risks for yourself.

Overall, the article brings up several useful tips for businesses. Businesses that do consider the ideas from this article need to be careful about how they interpret these tips for use in their own business, though.

Blog by Hans Harvey

Blog Post 13

Sources-
Author: Karsten Strauss
Title: 7 Ways to Keep your Employees Happy (and Working Really Hard)
Address: http://www.forbes.com/sites/karstenstrauss/2013/09/08/7-ways-to-keep-your-employees-happy-and-working-really-hard/

Tuesday, December 3, 2013

Thoughts on personal devices being the biggest threat to corporate security / Managing the Security of Mobile Devices in the Enterprise

Managing the security of mobile devices in the corporate world is not as easy as setting a policy and telling employees to follow it. The author of the article, "Personal devices pose biggest threat to corporate security", brings up several points that I believe any corporation or business should consider when thinking about the security of mobile devices.

First, you would think having a password enabled for all employees is common sense, but when an employee has to re-enter their password over and over again to get in, it gets tedious and annoying. This is why, even if a policy that asks employees to have a password on their phone exists, most don't. I agree that in the corporate setting there should be a password, and there should be a way to make it easier for employees, so there should be some kind of balance. One solution I could think of for this is to have a password, but to remove the sleep or power-save functions. So long as employees bring chargers, they could just leave their mobile devices on while they are there using them, and lock them when they aren't. It's a simple solution, but it's better than having no password at all, or having employees pissed off at management.

Secondly, corporations should allow employees to bring their own devices. If a corporation has a policy of handing out mobile devices for employees to use at work, employees are simply going to sneak their personal devices in anyway.

If a corporation can compromise with employees, I believe the security of mobile devices will be far less of a challenge.

Blog by Hans Harvey

Blog Post 12

Sources-
Author: Liz Bolshaw
Title: Personal devices pose biggest threat to corporate security
Address: http://www.ft.com/cms/s/0/e4b53190-4b82-11e3-a02f-00144feabdc0.html#axzz2mQaruiQ1

Tuesday, November 19, 2013

Thoughts on .NET Web Services Security / Secure Web Services

After having a look at the article, .NET Web Services Security, I feel the author does a good job of explaining what is required of a secure .NET web service. The article explains to readers why security in web services is important and what that security involves, such as several authentication techniques and the log-in method.

Anyone looking for insight on creating .NET web services should understand why it is important to build security into that service. Web services are all about connecting businesses, and if your service isn't safe, no one will want to do business with you. If a web service has no authentication or passwords, there is no way to build a reliable user base of people who will shop or communicate through it.

A web service needs authentication; otherwise there is no way to validate that a user is actually who they say they are. Basic authentication requires callers to send their credentials to the server with each request. There are several different paths that can be used for authentication on a web service. The following are some of the authentication methods the author of the article mentions: Basic Windows Authentication, Digest Windows Authentication, Integrated Windows Authentication, and Custom Authentication.

The log-in method is a very basic method used by a web service to accept a user's credentials. It should only be used over HTTPS, since otherwise the credentials are sent in clear text (easily visible, neither hidden nor encrypted) and anyone on the network path can read them.
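To make the clear-text point concrete, here is an added example (my own code, not from Lowy's article, and Python rather than .NET; the host name, service path, user names and password are made up for the demonstration). The first function shows how trivially an eavesdropper recovers a Basic-auth password from a captured plain-HTTP request, since base64 is an encoding, not encryption. The login function then shows what a log-in method should do on the server: refuse to process credentials unless the request arrived over TLS, keep only salted password hashes, and compare them in constant time.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Hypothetical service path and host, chosen for this example only.
SERVICE_PATH = "/OrderService.asmx/Login"


def build_request(user: str, password: str) -> str:
    """Build the raw HTTP request a client sends when it uses Basic auth.
    The credentials are only base64-encoded, which any observer can reverse."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (
        f"POST {SERVICE_PATH} HTTP/1.1\r\n"
        "Host: ws.example.invalid\r\n"
        f"Authorization: Basic {token}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


# Constructed sample request, as it would appear to anyone sniffing plain HTTP.
SAMPLE_REQUEST = build_request("alice", "correct-horse-battery")


def parse_basic_auth(raw_request: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic Authorization header, or None.
    This is exactly what an eavesdropper does with a captured HTTP request."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, colon, password = decoded.partition(":")
        return (user, password) if colon else None
    return None


# Constructed credential store: salted PBKDF2 hashes, never plaintext.
# A real store draws a fresh random salt per user (os.urandom(16)).
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_DEMO_SALT = b"demo-salt-for-alice!"
USERS = {"alice": (_DEMO_SALT, _hash_password("correct-horse-battery", _DEMO_SALT))}


def verify_credentials(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash. Unknown users still
    cost one hash computation so timing does not reveal valid user names."""
    salt, expected = USERS.get(user, (_DEMO_SALT, b""))
    candidate = _hash_password(password, salt)
    return user in USERS and hmac.compare_digest(candidate, expected)


def login(raw_request: str, over_tls: bool) -> Tuple[int, str]:
    """Server side of a log-in method. Credentials are not even looked at unless
    the request arrived over TLS, since otherwise they were already exposed."""
    if not over_tls:
        return 403, "Login is accepted over HTTPS only"
    creds = parse_basic_auth(raw_request)
    if creds is None:
        return 401, "Authorization: Basic credentials required"
    user, password = creds
    if not verify_credentials(user, password):
        return 401, "Invalid credentials"
    return 200, f"Authenticated as {user}"
```

Calling `parse_basic_auth(SAMPLE_REQUEST)` returns the user name and password in the clear, which is the whole reason the server-side `login` refuses to run over plain HTTP: an application cannot protect a secret that has already been read off the wire.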

I believe that anyone interested in creating a .NET web service should treat security as one of their top concerns. If there is no authentication, or not even the basic log-in method and its requirements, then two things will most likely happen: your business won't be trusted by users, or especially by other businesses, and the web service will probably become a playground for a hacker somewhere, who would see an insecure web service the way a child sees a candy store.


Blog by Hans Harvey

Blog Post 11

Sources-
Author: Juval Lowy
Title: .NET Web Services Security
Address: http://www.codemag.com/Article/0307071

Tuesday, November 12, 2013

Thoughts on A DHL Delivery which is nothing but Malware - Windows Users Warned of Attack / Email Management and Security

After having a look at the article, A DHL Delivery which is nothing but Malware - Windows Users Warned of Attack, it seems fairly apparent that email systems can come under attack from just about anything. If you aren't skeptical about something that looks even remotely out of the ordinary, you can get burned. I believe that in order to prevent people from falling for phishing attacks, they need to be taught to look for the signs of a harmful email.

When recipients receive an email from a fake (but legitimate-looking) DHL address saying that a package failed to deliver, they can't help but be curious about what the email is about. The email carried either a link to a web page or an attached document. If any of the recipients had opened the contents of the email, their computers would have been infected with malicious software.

Users need to be cautious at all times, and it's not good to be too trusting of emails. Anti-virus and other malware protection can give a false sense of security, and there is no such thing as absolute security.

If an email looks suspicious, it's better not to trust it outright. You can Google to see if anyone else has received the email and find out whether it is legitimate. You could go to the legitimate site of the 'supposed' sender (not by clicking a link in the suspicious email, but by Googling the site) to see if there is any news about it, or talk to customer support. If you know some HTML, you could have a look at the source of the email to check whether the link targets match the text they display, or whether anything else looks out of place.

I believe the best advice I can give is to be a skeptic at all times with your email. Whenever anything looks odd or out of place, go with your gut feeling and second-guess the email's legitimacy. It's always better to be cautious than to risk getting your computer infected with malicious software.

Blog by Hans Harvey

Blog Post 10

Sources-
Author: Graham Cluley
Title: A DHL Delivery which is nothing but Malware - Windows Users Warned of Attack
Address: http://nakedsecurity.sophos.com/2013/03/20/dhl-delivery-malware/

Tuesday, November 5, 2013

Thoughts on Database Security: At Rest, but not at risk / Role of Database Activity Monitoring in Database Security

After having a look at the article, Database Security: At rest, but not at risk, it becomes pretty apparent that a large number of companies do not do all that they can or should to prevent database security breaches. About 174 million records were compromised in 2011, and a survey by the Independent Oracle Users Group found that 31% of respondents anticipated a major data breach. Why, then, were all of these companies so unprepared? I believe these companies would benefit from attempting to find potential vulnerabilities in their database security systems, and from finding ways to prevent those vulnerabilities from being exploited. If these companies don't find the weaknesses in their security systems themselves, others will, and that will have far worse consequences.

It also helps to keep any fix for a vulnerability simple. The more complex the fix, the greater the chance that it introduces a new vulnerability of its own.

One concern many of these companies may have is how much it would cost to bring their database security up to an acceptable level. Is it better to save $10,000 and not have an effective security system in place, or to have a breach and have all of your customers' information leaked because you didn't spend that 10 grand?

Businesses are faced with more and more sophisticated database attacks every year. If they aren't prepared, they will end up as just another statistic in a short blog post like the one I found. If businesses want to avoid that, they should adhere to better practices, such as finding and removing vulnerabilities, keeping fixes relatively simple, and spending the extra money to keep their database security up to date.

Blog by Hans Harvey

Blog Post 9

Sources-
Author: Mary Brandel
Title: Database Security: At Rest, but not at risk
Address: http://www.csoonline.com/article/712460/database-security-at-rest-but-not-at-risk

Tuesday, October 29, 2013

Thoughts on Best Practice for Windows File/Folder Security Management / Fundamentals of Effective File Server Security

After looking at the article, Best Practice for Windows File/Folder Security Management, I can see why people have trouble with folder and file security. Bruno Lenski, the author of the article, provides several best-practice rules for permission management. Personally, I find myself agreeing with all of Lenski's rules.

The first best-practice rule Lenski mentions is "never remove the administrator entry." If the administrator entry, which is used to access file information, were removed, backups would no longer be carried out, and recovering a file would take longer or be more difficult.

The next best-practice rule is never to use the "deny" permission. Lenski recommends granting access with "allow" entries instead, because "deny" is an overriding permission that takes priority over "allow": a single deny entry on a group can lock out users you intended to grant access to, and the resulting permissions become hard to reason about.

After that, Lenski recommends assigning permissions to groups rather than to individual users. If you took the time to set up permissions for every single user, rather than setting up a group and adding new users to it, you would waste a lot of time and could easily make permission errors for individual users.

The final rule is to check a user's effective permissions whenever in doubt. This should be common sense: second-guess whether you set something up correctly the first time, and verify it.
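The following is an added example, written for this post and not taken from Lenski's article, that models how Windows evaluates an access control list so the "never use Deny" and "check in case of doubt" rules can be tried out. The folder, user and group names are made up, and rights are modelled as names rather than Windows bit masks; the evaluation order (explicit Deny, explicit Allow, inherited Deny, inherited Allow, first match per right) is the real canonical order. It shows why Deny is hard to reason about: an explicit Deny on a group overrides an explicit Allow given directly to the user, yet the same Deny, once it is inherited from a parent folder, loses to that Allow.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Rights modelled as names; Windows uses bit masks but the logic is the same.
ALL_RIGHTS: FrozenSet[str] = frozenset({"READ", "WRITE", "DELETE"})


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, allow/deny, which rights, explicit or inherited."""
    trustee: str                 # user or group name
    kind: str                    # "allow" or "deny"
    rights: FrozenSet[str]
    inherited: bool = False


def canonical_order(acl: Iterable[Ace]) -> List[Ace]:
    """Windows evaluates ACEs in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. Sorting reproduces that order."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(acl, key=lambda ace: rank[(ace.inherited, ace.kind)])


def access_check(acl: Iterable[Ace], user: str, groups: Set[str], requested: Set[str]) -> bool:
    """Walk the ACL in canonical order. A matching Deny that covers any still
    unsatisfied right ends the check with a refusal; Allows accumulate until
    every requested right is granted. Anything left ungranted is a refusal."""
    remaining = set(requested)
    for ace in canonical_order(acl):
        if ace.trustee != user and ace.trustee not in groups:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining


def effective_rights(acl: Iterable[Ace], user: str, groups: Set[str]) -> Set[str]:
    """What the user can actually do: the "check in case of doubt" rule, one right at a time."""
    acl = list(acl)
    return {right for right in ALL_RIGHTS if access_check(acl, user, groups, {right})}


# Constructed folder ACL (hypothetical names). Bob is in both Finance and
# Contractors, and an admin also gave Bob an explicit Allow for WRITE.
FOLDER_ACL = [
    Ace("Administrators", "allow", ALL_RIGHTS),   # the entry Lenski says never to remove
    Ace("Finance", "allow", frozenset({"READ", "WRITE"})),
    Ace("bob", "allow", frozenset({"WRITE"})),
    Ace("Contractors", "deny", frozenset({"WRITE", "DELETE"})),
]

# Same ACL, except the Deny was inherited from the parent folder instead of set here.
INHERITED_DENY_ACL = FOLDER_ACL[:3] + [
    Ace("Contractors", "deny", frozenset({"WRITE", "DELETE"}), inherited=True),
]
```

With `FOLDER_ACL`, Bob's effective rights are only READ even though he has an explicit Allow for WRITE; with `INHERITED_DENY_ACL` he gets READ and WRITE. Two ACLs that look almost identical in the properties dialog give different answers, which is exactly the confusion Lenski's "use Allow on groups" rule avoids.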

Overall, I feel that the best-practice rules Lenski presents clearly inform readers about how to deal appropriately with file/folder security management.

Blog by Hans Harvey

Blog Post 8

Sources-
Author: Bruno Lenski
Title: Follow Best Practice for Windows File/Folder Security Management
Address: http://cerncourier.com/cws/article/cnl/38514

Tuesday, October 22, 2013

Thoughts on Privacy in the Cloud / Guidelines on Security and Privacy in Public Cloud Computing

After having looked at the article, Cloud Computing: Privacy in the Cloud, I can see why security and privacy in the cloud are big concerns. The author, Vic Winkler, gives many reasons why people have concerns about privacy in the cloud, and I personally find myself sharing Winkler's concerns.

Whenever there's news about 'the latest data breach', 'security hacking' or anything of that sort, it makes people have second thoughts about how safe the cloud truly is. Television commercials constantly remind viewers about the importance of security devices of all kinds, which can only add to the lack of trust in the cloud. Others may have concerns about whether their data is safe from the cloud provider itself; organizations do have legal obligations to ensure the privacy of their employees' and clients' data, though. Before going headlong into a cloud environment, you should check whether the service provider agrees in its contract to protect the privacy of its clients' data.

Data is housed in known locations so that it can be ensured that laws and regulations are being followed. When getting involved in the cloud, though, you should ask, "What happens if data is lost at one site?" Hopefully the provider has a backup location or two, but it is still prudent to confirm that the provider does have a backup location for your data.

Anyone looking to get into the cloud should know what they are doing before actually getting involved. If you understand the importance of security and privacy, and how a provider actually deals with these issues, then getting involved in the cloud can be a very positive experience.

Blog by Hans Harvey

Blog Post 7

Sources-
Author: Vic (J.R.) Winkler
Title: Cloud Computing: Privacy in the Cloud
Address: http://technet.microsoft.com/en-us/magazine/jj554305.aspx

Tuesday, October 15, 2013

Thoughts on the Seven Deadly Sins of Security Policy / Developing Security Policies

The article I looked over, The Seven Deadly Sins of Security Policy, stresses the importance of not writing policies that fail to manage an organization's risks. Joan Goodchild, the author of the article, shares seven mistakes that she believes should never be made in creating a security policy. Personally, I agree with Joan; I believe any company that commits any of Joan's seven sins is going to have trouble.

Failing to do a risk assessment before a policy is even written will result in a company creating policies that may have absolutely nothing to do with the risks that could actually complicate the company's path toward completing its goals.

The one-size-fits-all approach can definitely lead to problems. If a new company adopts a policy wholesale from one of its competitors, the policy may have no legitimate use for that company, and it will accomplish nothing.

Not having a standard template is also bad. Companies should be consistent in how policies are written within their organization.

Having policies that only look good on paper is certainly going to lead to bad policies. If a policy has no realistic chance of being followed, it shouldn't be written down.

If management doesn't believe a policy will work and does not buy into it, then it may as well not exist, because management won't make employees adhere to it.

Writing a policy after a system has already been deployed will only lead to a game of catch-up. If security policies aren't instilled in the earliest phases of a company, then systems won't work effectively in their environments. "When security is an add-on, it can't help but be incomplete, insufficient, and, in many ways, inadequate for the task," says Charles Cresson Wood, who was interviewed by Joan.

And finally, a lack of follow-up, which I believe is one of the most important sins, is something that can make or break a company. Companies that have the drive to follow through on their policies will thrive.

Companies should never overlook security policies. Those that do are only dooming themselves and their business to failure.


Blog by Hans Harvey

Blog Post 6

Sources-
Author: Joan Goodchild
Title: The Seven Deadly Sins of Security Policy
Address: http://www.csoonline.com/article/504314/the-seven-deadly-sins-of-security-policy

Tuesday, October 1, 2013

Thoughts on Data Protection Reporting and Follow up / Data Protection and Compliance in Complex Environments

Data protection reporting and follow-up is a key piece required for any business to survive. If information isn't kept safe and secure, employees or the company itself can be exploited. In The Smell of Bullshit Part 6 - Data Protection, the author makes several points about data protection that I believe would help any business.

If a group email is sent out to numerous customers and every recipient can see the email addresses of the other recipients, that is an insecure practice that puts all recipients at risk. I agree with the author that making this mistake once is forgivable, so long as it doesn't happen again. But if it happens again, that is when management should find out why. If it's because the employees weren't taught appropriately, then the company needs to adjust its methods so that employees understand how to deal with group emails.

The example the author describes, about the Lush International Forum, is a solid example of how a lack of data protection can anger people. The fact that the company made the mistake of not using BCC to hide 170 email addresses, more than once, should be a lesson for all other companies. Many customers responded to Lush, venting their anger at the lack of protection for their email addresses. The Lush International Forum's lack of data protection could potentially have cost them a big chunk of their customers.

What the Lush International Forum should have done after the first time they failed to use BCC is obvious. The company should have responded to the mistake not just with an apology, but with action. They should have made it so that mailing-list recipients automatically go into BCC, or at least informed employees of the consequences of not using BCC in emails.
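As an added example of the "automatically go into BCC" fix (my own code, not anything from the source post or from Lush; the sender domain and customer addresses are made up), here is a guard that an outgoing-mail hook could apply before a message leaves the company. It counts how many addresses outside the company's own domain would be visible in To or Cc, and if more than one would be exposed it moves all of them to Bcc, leaves internal colleagues visible, and returns the list of moved addresses so the event can be reported and followed up.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List


def _addresses(msg: EmailMessage, header: str) -> List[str]:
    """All addresses found in every instance of a recipient header."""
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _is_internal(addr: str, own_domain: str) -> bool:
    return addr.lower().endswith("@" + own_domain.lower())


def visible_external_recipients(msg: EmailMessage, own_domain: str) -> List[str]:
    """Addresses outside own_domain that every recipient would see (To and Cc)."""
    return [addr for header in ("To", "Cc")
            for addr in _addresses(msg, header)
            if not _is_internal(addr, own_domain)]


def enforce_bcc(msg: EmailMessage, own_domain: str, max_visible: int = 1) -> List[str]:
    """If more than max_visible external addresses would be exposed, move every
    external To/Cc address into Bcc. Internal colleagues stay visible. Returns
    the addresses that were moved, for the audit log."""
    external = visible_external_recipients(msg, own_domain)
    if len(external) <= max_visible:
        return []
    for header in ("To", "Cc"):
        kept = [addr for addr in _addresses(msg, header) if _is_internal(addr, own_domain)]
        del msg[header]
        if kept:
            msg[header] = ", ".join(kept)
    if msg.get_all("To") is None:
        # Keep a syntactically valid To header; the sender's own address is customary.
        msg["To"] = str(msg["From"])
    hidden = _addresses(msg, "Bcc") + external
    del msg["Bcc"]
    msg["Bcc"] = ", ".join(hidden)
    return external


def build_sample_message() -> EmailMessage:
    """Constructed forum announcement with three customers exposed in To/Cc."""
    msg = EmailMessage()
    msg["From"] = "forum@example.invalid"
    msg["To"] = "customer1@example.com, customer2@example.net"
    msg["Cc"] = "customer3@example.org, staff@example.invalid"
    msg["Subject"] = "Forum news"
    msg.set_content("Hello everyone, here is this month's update.")
    return msg
```

When the corrected message is handed to `smtplib.SMTP.send_message`, the Bcc header is stripped from the transmitted copy and used only as envelope recipients, so the hidden addresses never reach the other customers. The returned list is what makes this "reporting and follow-up" rather than a silent fix: a second occurrence from the same sender is the signal that training, not the tool, is the problem.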

Data protection reporting and follow-up is not something companies should take lightly; it can be very costly not to take the necessary measures to protect your customers and the company itself at all times.

Blog by Hans Harvey

Blog Post 4

Sources-
Author: southsidesocialist
Title: The Smell of Bullshit Part 6 - Data Protection
Address: http://mitheringsfrommorningside.wordpress.com/2013/05/01/the-smell-of-bullshit-part-6-data-protection/

Tuesday, September 24, 2013

Thoughts on Employers not trusting employees / Information Risks and Risk Management

One of the biggest information risks a company can have is its own employees. It's a difficult risk to deal with, however. Companies have to trust employees with information in order to accomplish just about any task. Employers generally have to have a mix of trust and a lack thereof in order to survive. Have too much of one or the other, though, and you end up with either theft or unhappy employees.

As the article states, employee theft is not uncommon. Companies that aren't cautious about it can lose a lot of money, and some can go out of business, all because of a single employee taking advantage of trust. "On average, it takes about 18 months for an employer to catch an employee who is stealing." With that said, it's very important for companies to assess the risks of trust right from the company's beginnings.

Personally I think employers need to give their employees a good amount of trust. At the same time, employers should set up measures to keep an eye on employees.

Employers should use basic accounting controls. If a company has accounting measures in place, it can better determine whether there are shortfalls or losses of any kind due to employee theft.

Employers should also maintain a healthy degree of suspicion. If you let your guard down, you won't even see theft coming. If you are always on the lookout for suspicious activity, you will catch a thief before it's too late.

Trust is a very iffy subject for employers. It's important to let your employees know you trust them with information, but it's also important never to let your guard down.


Blog by Hans Harvey

Blog Post 5

Sources-
Author: Patricia Schaefer
Title: Employee Theft: Identify and Prevent Fraud, Embezzlement, Pilfering, and Abuse
Address: http://www.businessknowhow.com/manage/employee-theft.htm

Tuesday, September 17, 2013

Thoughts on phishing scandals / Controlling Malware, Spyware, Phishing, and Spam

The Facebook phishing scam is a setup where unknown individuals send Facebook users a fairly legitimate-looking email purporting to come from Facebook. The email is actually a scam, an attempt to get users to respond and unknowingly hand their email address and password to the scammer. The email looks friendly enough, but the intentions behind it are most certainly not, and I would warn anyone who receives a suspicious email not to respond or click any links.

I personally have seen the emails from these scammers several times in my own email account. I glanced at it the first time I saw it and immediately doubted the legitimacy of the email. The email was sent by a friend of mine on Facebook whom I had never actually talked to. That in itself was sketchy, but the entire email looked off as well.

In order to protect yourself effectively from the dangers of phishing, it is important to keep a cautious eye on every email you receive. Consider this: almost no admin or official of any organization or website is going to ask you for passwords or the answers to security questions. If you get an email that looks relatively legitimate but asks for some kind of private information, a quick Google search could settle whether the email is in fact legitimate. Another option would be to look it up on the site itself, or to contact a support admin or official of that site about it. Never click any link in an email without first examining where it actually leads. The emails the Facebook scammers were sending out looked as though they came from facebook.com, but they actually led to Fbaction.net.
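The checks described in this post and in the DHL post above (where the link actually leads, whether the bounce address matches the sender, and whether the attachment is really a document) can be automated. What follows is an added example written for this blog, not code from Boutin's or Cluley's articles: a small analyzer over a raw email that reports each of those signs. The two sample messages are constructed for the demonstration; the hostnames fbaction.net and facebook.com come from the story, everything else (the victim and shop addresses, the attachment name) is made up. The domain comparison keeps only the last two labels of a hostname, which is a simplification that mishandles suffixes such as co.uk.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# File types that run code when double-clicked on Windows; a short, not exhaustive, list.
RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> Optional[str]:
    """Hostname of a URL or bare domain in text, or None if it is not URL-like."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t
    return urlparse(t).hostname


def analyze_email(raw: bytes) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs: bounce address not matching the sender,
    link text pointing at a different site than its target, links leaving the
    sender's site, and attachments that are executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    from_domain = registrable(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    bounce = parseaddr(str(msg.get("Return-Path", "")))[1]
    if bounce and registrable(bounce.rpartition("@")[2]) != from_domain:
        findings.append(("return-path-mismatch", f"From {from_domain}, bounces to {bounce}"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host, text_host = host_of(href), host_of(text)
            if href_host is None:
                continue
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(("link-text-mismatch", f"shows {text_host} but opens {href_host}"))
            elif registrable(href_host) != from_domain:
                findings.append(("link-offsite", f"link to {href_host} from a {from_domain} sender"))
    if msg.is_multipart():
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXTENSIONS):
                findings.append(("risky-attachment", name))
    return findings


# Constructed sample combining the tricks from the Facebook and DHL stories:
# a bounce address on another domain, a link whose text says facebook.com but
# whose target is fbaction.net, and a double-extension executable attachment.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@fbaction.net>
From: "Facebook" <notification@facebook.com>
To: victim@example.invalid
Subject: You have 1 new message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/html; charset="utf-8"

<p>You have a new message waiting.</p>
<p><a href="http://www.fbaction.net/login.php">http://www.facebook.com/n/?inbox</a></p>
--bnd
Content-Type: application/octet-stream; name="Delivery_Report.pdf.exe"
Content-Disposition: attachment; filename="Delivery_Report.pdf.exe"

not-a-real-binary
--bnd--
"""

# Constructed legitimate receipt for comparison: every domain agrees with the sender.
SAMPLE_LEGIT = b"""\
Return-Path: <bounce@example.com>
From: "Shop" <orders@example.com>
To: customer@example.invalid
Subject: Your receipt
Content-Type: text/html; charset="utf-8"

<p>Thanks for your order. <a href="https://www.example.com/orders/123">View order</a></p>
"""
```

Running `analyze_email(SAMPLE_PHISH)` flags all three signs, while the receipt produces no findings. None of these checks proves an email is safe; a link that leaves the sender's site is only a prompt to type the address yourself, as the post recommends, rather than to click.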

Phishing is a scam that is becoming more and more common through email, and it is important for everyone to know the dangers that could be lurking in their inboxes.

Blog by Hans Harvey

Blog Post 3

Sources-
Author: Paul Boutin
Title: Facebook Phishing Attack in Progress: Beware Fbaction.net
Address: http://gadgetwise.blogs.nytimes.com/2009/04/29/facebook-phishing-attack-in-progress/?_r=0

Tuesday, September 10, 2013

Thoughts on Information Security's Real Threat: Oversharing / Security Information Management

Managing security information is vital to the success of any business, especially one that is looking to reach out to its community through social media. Personally, I agree with the author that public missteps and oversharing can be costly mistakes, and that sharing should be done cautiously.

Though there are risks in posting information on social media sites, it can certainly be beneficial for a company, so long as no vital security information is given out and no sensitive data is revealed.

New companies should assess risks such as information leaks before any involvement with social media occurs. Companies should know who is responsible for information. The way to find out is to ask who owns it, who stores it, who accesses it, and who manages it; each of them is responsible for that information. If any secret information is then leaked, there should be only a handful of people who can be held responsible for the leak.

If an employee posts something that can damage the company's name, all the company can really do for damage control is try to bury the incident and make its customers and community think of all the other things the company does well.

In conclusion, sharing information on social media sites is somewhat of a necessity in order to be successful in the business world, but companies should do so with caution. Oversharing and giving out information that shouldn't be shared is where the problems begin. Monitoring what information is given to the public, and which employees have access to information, is a priority that all businesses should take into consideration.

Blog by Hans Harvey

Blog Post 2

Sources-
Author: Brian Barnier
Title: Information Security's Real Threat: Oversharing
Address: http://www.informationweek.com/security/management/information-securitys-real-threat-oversh/240160548

Thursday, September 5, 2013

Thoughts on Edward Snowden / code of ethics

There isn't really a more blatant disregard of a code of ethics than the example involving Edward Snowden. Snowden leaked classified details of U.S. Government surveillance programs to the world, and is now on the run from the U.S. I believe Snowden's actions in leaking classified documents to the world were wrong.

It's easy for all the people around the world to talk down about his actions, but how many of us, in his situation, would be able to adhere to a code of ethics? Personally, I would have tried to live up to the standards of a code of ethics, but not everyone would be able to do that.

It's hard to imagine giving up your life to reveal secret documents to the world. Snowden was living a solid life too, making six figures and living in Hawaii with his girlfriend, and he gave it all up. "I'm willing to sacrifice all of that because I can't in good conscience allow the U.S. government to destroy privacy, Internet freedom and basic liberties for people around the world with this massive surveillance machine they're secretly building," Snowden told the Guardian.

When Snowden signed on with the contracting business, one of the documents he would have signed would have involved a code of ethics, which would have discouraged him from doing exactly what he did: leaking government documents to the world. In the SANS IT Code of Ethics, one line states, "I will not abuse my power. I will use my technical knowledge, user rights, and permissions only to fulfill my responsibilities to my employer." Another line states, "I will not steal property, time or resources." Snowden violated both of these lines in leaking documents to the world, showing a lack of commitment to any code of ethics. In Snowden's position, I too might not have agreed with the documents, but I would have adhered to the code of ethics.

Blog by Hans Harvey

Blog Post 1

Sources-
Author: Barbara Starr and Holly Yan from CNN
Title: Man behind NSA leaks says he did it to safeguard privacy, liberty
Address: http://www.cnn.com/2013/06/10/politics/edward-snowden-profile