Tuesday, April 28, 2015

Week 8 Blog

Risk Management Process

Since we are covering Risk Management in class this week, I chose to write something about understanding the Risk Management Process.

Internal auditors in an organization help identify risks and the impact those risks can have on the organization's performance and processes. In addition, their job is to make sure there are enough security measures to safeguard the organization's assets and that proper controls are in place to mitigate threats. Having a risk management process therefore helps an organization and its auditors provide quality recommendations for the organization's needs and requirements regarding threats and risks before they happen.


Risk management is the identification, assessment and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Every risk management process comes with certain objectives, and auditors should recommend that organizations examine the best practices. The main objectives of risk management are to eliminate negative risks, to reduce risks to an acceptable level and to transfer risks by means of insurance. Knowing yourself, knowing the enemy and accountability for risk management are some of the crucial topics in risk management.

References:

http://en.wikipedia.org/wiki/Risk_management

https://iaonline.theiia.org/understanding-the-risk-management-process

Sunday, April 26, 2015

Week 7 Blog



Sony Hackers Used Phishing Emails to Breach Company Networks

This article talks about how the Sony Pictures Entertainment computer network was hacked in 2014. It was found that the hackers used phishing emails to infiltrate the system. Stuart McClure, the CEO of the computer security firm Cylance, states that there was a database of Sony emails that was downloaded following a pattern of phishing emails. The whole process started with employees receiving fake emails asking them to verify their Apple ID, which led to the victims being prompted to enter their Apple ID information into a fake verification form. Having obtained this information, the hackers were able to connect it with the employees' LinkedIn accounts and figure out their Sony login information, on the assumption that the employees might be using the same credentials for their accounts. The hackers coded the credentials into a strain of malware known as Wiper, which led them into the company's networks.

It was later found that the party responsible for the hack was the North Korean government, when they posted links to a collection of stolen documents, which included financial records and private keys to Sony's server. Regarding the hack, the CEO mentioned that companies need to implement safeguards that will better protect user credentials if they are to avoid becoming the victim of an attack like the one on Sony. He also stated that companies should use some form of memory process injection protection and that password reuse should be avoided in order not to become a victim like that again.


References:

Bisson, D. (2015, April 22). Sony Hackers Used Phishing Emails to Breach Company Networks. Retrieved on April 26, 2015 from http://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/



Thursday, April 16, 2015

Week 6 Blog

Wombat Security Technologies Unveils New Security Awareness and Training Modules to Help Protect Companies Against Advanced Cyber Threats

Wombat Security Technologies is an organization that helps other organizations combat cyber security attacks by providing a uniquely effective software-based training platform and spear-phishing filters. In this article, they announce the introduction of two new awareness training modules, Security Essentials and Mobile Device training. They also mention adding two more languages to make it easy for global companies to raise the security bar against phishing, social networking and other security threats. They have been a successful business organization, providing the best tools to help other organizations protect their valuable information from cyber threats.

The Security Essentials Training Module is one of the new awareness training modules they introduced recently. It is a scenario-based training module that introduces employees to dealing with the security issues that happen on a daily basis. The article states that this training helps new employees by providing them with the basics and the most effective way to improve their security knowledge inside and outside the organization. It can also act as a refresher for other employees to keep up with new technologies and threats.

The Mobile Devices Security Training Module is another training module, which teaches employees how to deal with threats regarding their mobile communication. This module explains the importance of physical and technical safeguards and how to improve security on both personal and company-issued mobile devices.

In addition to the training modules, they translated their educational content into two more languages, Russian and Dutch, adding to their already robust language library. Wombat is already known for its high-class position in the security awareness and training market, and they are still working to provide better service and more security to their customers.

References:

http://www.marketwired.com/press-release/wombat-security-technologies-unveils-new-security-awareness-training-modules-help-protect-2005292.htm

Saturday, April 11, 2015

Week 5 blog: 5 Information Security Trends that will Dominate 2015

The level of cyber threats and breaches is increasing every day. Cyber criminals and hackers are getting better and more sophisticated than ever. The authors of this article talk about five trends that professionals need to understand and worry about in order to face and deal with the threats.

Cybercrime: With all these new innovations and better networks, the internet has been a great hunting ground for cyber criminals, terrorists and trouble makers. Money, personal records and much other critical information are stolen and misused by these hackers for their personal benefit. 2014 was a great year for them, since they were able to dominate security thanks to their performance and the modern tools available. 2015 will be a challenging year for everyone. The article emphasizes that organizations must be well prepared for the unpredictable and unforeseen events that might increase the risk of hacktivism and increase the cost of recovery from these kinds of incidents.

Privacy and Regulations: According to the article, most governments have created, or are in the process of creating, laws that impose regulations on organizations regarding the safeguarding and use of PII. Organizations might have to deal with penalties if valuable information and PII are compromised, which might also lead to damage to reputation and loss of customers due to security breaches.

Threats from Third-Party Providers: A large amount of information is shared during transactions between organizations and their suppliers. When the suppliers share that information with a third-party vendor or organization, there is no direct control over the information. For example, when the attack on Target happened last year, the hackers broke the application the HVAC vendor used to submit invoices. The hackers broke into the HVAC vendor's online services and stole millions of pieces of valuable information about Target customers. Now that there is a risk of information being stolen from third-party providers, it is hard for them to continue their services and provide assurance of data C.I.A. So, to be on the safe side, contracting services should work with IT personnel to make sure the information is not compromised.

BYOx Trends in the workplace: The bring-your-own-device trend is increasing every day in organizations. Since personal devices come with a lot of applications and cloud-based storage, and are accessed in workplaces, organizations are seeing an increase in security risk to valuable information from both inside and outside threats. Even though organizations make regulations related to the use of personal devices at work, employees will find a way to use them. Since this trend is increasing, organizations should at least take some serious security measures to make themselves less vulnerable.

Engagement with your people: It all comes down to people. The article states that people are the greatest assets and also the most vulnerable. Organizations have been spending a lot of money educating people and providing valuable knowledge about their responsibilities. The authors of the article state that organizations should instead shift to creating solutions and embedding information security behaviors rather than promoting awareness of the issues.


In conclusion, 2015 is not going to be an easy year regarding the security of information. Organizations should take all the available security measures to save themselves from becoming victims of cyber threats and hackers.

References:

http://www.cio.com/article/2857673/security0/5-information-security-trends-that-will-dominate-2015.html

Saturday, April 4, 2015

Week 4 Cyber-security: The new business priority

Information security has been the most challenging topic for every business organization in this digital world. Still, companies fail to give much priority to this crucial matter, with all these threats and attacks roaming around within their boundaries. All these incidents start with stolen customer information and disclosure of confidential financial data and of the security measures employed.

According to this survey on the US business impact of security incidents, cyber attacks caused 37.5% financial losses, 31.8% intellectual property theft, 31% brand/reputation compromised, 15% fraud, 12.2% legal exposure/lawsuit, 11.3% loss of shareholder value and 7.1% extortion. (Source: PwC, CIO and CSO 2012 Global Security State of Information Security Survey).

Most business organizations think their security measures are good enough to handle the threats. In reality, they are not. Most of these organizations face different obstacles and barriers to effective cyber-security. Some of them are insufficient funding for capital expenditures, bad leadership, absence or shortage of in-house technical expertise, insufficient funding for operating expenditures, lack of an effective information security strategy, lack of an actionable vision or understanding, and poorly integrated or overly complex information/IT systems. (Source: PwC, CIO and CSO 2012 Global Security State of Information Security Survey).

With the development of new technologies, companies not only have to fight the risks that already exist, but also have to keep up with new innovations. In adapting to these new technologies, companies also have to deal with risks such as cloud security, social media security, mobile device security and security associated with employees' use of personal devices. The power of employees and mobile devices makes companies increasingly vulnerable.

The success and failure of any organization depends on its valuable information. Cyber-security is the key to safeguarding all these valuable assets, like intellectual property, customer information, financial data, employee records and many more. It also acts as a tool to better their position with business partners, customers, investors and other stakeholders. To better serve the topic, companies need to understand the importance and meaning of cyber security. Continually checking and testing the tools they have as security measures for information security helps a great deal. Having a backup plan and a business strategy for moving on when something like this happens gives companies an advantage beforehand in dealing with the attacks. It is always better to know what kind of information the company holds and where it is at the moment, which helps manage the valuable information.

References:

http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.jhtml