Tuesday, October 21, 2014

Masters Progress

As I (may have) stated, I finished my BSIT at WGU last year.  The program was really awesome - at WGU you are able to "accelerate" - this basically means you don't have to sit through an entire semester and wait to take a final exam.  At WGU your entire course of study is available - you have the syllabus and read at your own pace.  You can take the assessments as soon as you feel you're able.  If you've developed the competence required by the course, you pass the assessments and once complete, the course is done.  If that takes you 6 months, fine.  If it takes you 6 days that's also fine.  With this program I was able to complete 83 credit units in 3 6-month terms.  I was also selected to speak at the commencement ceremony.
Yeah that's me...

Don't get me wrong - the courses were tough.  I was just very motivated and pushed most things aside to dedicate at least 25 hours a week to school work.  

So either I'm a glutton for punishment or just an overachiever - I recently enrolled in the WGU Masters of Science in Information Security and Assurance (MSISA).  This is a 2-year program with the option to "accelerate" if you're able.  Since I had flown through the BSIT program, I figured this would be a cake-walk - it's in my area of expertise and I'm highly motivated.

Unfortunately I have come to the realization that the Masters program is MUCH more difficult than the BSIT.  There are 11 courses to complete - each class has at least 3 papers to write.  I'm presently enrolled in 3 courses - Emerging Technology, Cyberlaw and Hacking-something-or-other.  The first course on Emerging Technology required me to write an RFP to a company to develop an information sharing portal across regional offices, do an evaluation of rural Internet connectivity methods, and write up a proposal on virtualizing a small city's IT infrastructure.  Each paper has been 10-15 pages and each submitted paper has been returned for re-writing due to something missing or not fully covering the topic.  

"UMM is not an answer!"
My second course is on Cyberlaw - I just finished two papers - one was on developing policy statements for a healthcare organization - one on new users and one on passwords.  The other paper was an analysis of a healthcare breach - determining what policy statements could have prevented the breach.  The final two papers are rewriting an SLA to protect the organization and doing an analysis of fraud at a fake bank.   Writing the papers is not too bad - reading all the legal stuff - court opinions - case studies - this is really dry stuff!  Glad I'm not studying to be a lawyer (I love you Judge Judy!)

I will attempt to write more as I progress through the program, for those who just don't have anything better to do, or for those who are considering attending WGU.  I think WGU is revolutionary in higher education - they offer a challenging program - they are an accredited school - all online - with the ability to accelerate through the program, which saves the student time and tuition costs.  I am so thankful for WGU - if you're as old as I am, you may have dreamed of such a school at some point.  Well I can tell you from experience that WGU is that school.  The student and course mentors are all great - the admissions process is not too bad.  They will turn you away if you don't match the criteria for the program.  If you want more information don't hesitate to reach out to me via the blog or LinkedIn.

As I said in my commencement speech, at WGU not only are you learning the subject matter, you are demonstrating and developing your skills in setting goals, getting things done, multitasking, critical thinking, and self-motivation.  These are all crucial to success at WGU but even more so in the business world.  Any employer wants someone who can demonstrate that, without guidance, you can pick up a large task, organize it and work through to completion.  These are the characteristics of the leaders and executive managers, the positions we are all shooting for as we pursue a Master's Degree.  Of course having a Master's level foundation in all the subjects is also very helpful.

Along the way, I may try to relate my studies to some real world topics, just for entertainment or educational purposes.  It is a good way to take a break from all the reading and writing - or I could just play Angry Birds.... 

Wednesday, September 3, 2014

Guarding the Castle

Our network is our castle - we can never become complacent when trusted to protect our corporate assets, customer data or sensitive information.  All too often, we find ourselves asleep at the wheel, relying on all the security controls and processes we have implemented.  We must have a strong monitoring and auditing function built into our Information Security program.  Heathens are in the woods, watching our every move, waiting for the chance to storm the castle, slipping through a crack or blowing down the main gate, to invade, loot and pillage.

You have passed out administrative credentials to many employees.  How do you know those employees are not deviating from the expected and approved tasks?  This deviation could be malicious, or it could simply be a mistake.  Either way we face many risks when we allow employees to operate as an administrator on any system - we must have some oversight in place to detect and report on anomalous activity.  

How do you know your webserver is not under attack, right this very instant?  Webservers are notorious for being a primary target of attack while also being one area we find with the weakest security controls.  What if someone dropped some malicious code on your Linux webserver?  How would you know?

I suggest that, along with requirements definition around that latest firewall or antivirus platform, the coolest new email security product or the best-rated web filter, we include security monitoring, some form of configuration change detection, and the ability to capture, consolidate and filter logs from all our devices.  Many ways exist to do this properly.  Instead of just plugging in that shiny new firewall and then going back to sleep, we must remain diligent and on guard - part of that is proper monitoring, with mechanisms in place to quickly detect potential attacks.

If we utilize a Security Information and Event Management (SIEM) solution, we can employ resources to review these logs, respond to alerts, and have some chance of catching an attack in progress, before it becomes a major emergency.  Those teams should be trained to know exactly what is suspicious and what is just noise.  The secops teams should be good enough to quickly scan the logs so that anything out of place will catch their eye.  

In addition to active monitoring and review of logs, we must capture our configurations, whether that's a web server or a router, and then detect when that configuration has changed.  I've been in companies where they haven't made any updates or checked the configuration for years.  There are mechanisms, or scripts you can write, that will take a hash of the router configuration or of the web server's /var/www tree once a day.  The script compares the hash from one day to the next.  If the hash value changes, something has changed in your config, or something has been modified in your web server.  

Once we've detected a change, we can inquire as to whether there was an approved change within the last 24 hours.  If there was, then the alert is simply a confirmation.  If there was no approved change, we must find out if an unapproved change was made, or if we've been compromised.  If the admin just forgot to send in a change control and added a line to the .conf file, then we just remind him of the policy and move on.  If no one knows of any internal change, we must suspect that we've been compromised in some way.  We must now go into Incident Response mode and try to find out what was changed and what that means.  From there, if we were compromised, we can quickly find it and kick them out of our server or our router.
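The daily hash-and-compare check described above, as an added example rather than the author's own script: it hashes every file under a web root, rolls those into one daily value, and when that value changes reports which paths were added, removed or modified, so the "was there an approved change?" question can be answered quickly.  The directory layout, file names and contents are constructed in a temporary directory and are assumptions, not a real /var/www.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_hash(manifest: dict) -> str:
    """One hash over the whole manifest: the single daily value the post compares."""
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()


def diff_manifests(baseline: dict, current: dict) -> dict:
    """When the daily hash differs, say exactly which paths were added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir (assumed layout, not a real /var/www)."""
    with tempfile.TemporaryDirectory() as tmp:
        www = Path(tmp) / "www"
        (www / "html").mkdir(parents=True)
        (www / "html" / "index.html").write_text("<h1>hello</h1>\n")
        (www / "site.conf").write_text("ServerName example.test\n")
        baseline = build_manifest(www)  # day one: keep this copy off the server
        # day two: an admin appends a line to the .conf and an unexpected file appears
        (www / "site.conf").write_text("ServerName example.test\nKeepAlive On\n")
        (www / "html" / "new.php").write_text("not in the baseline\n")
        current = build_manifest(www)
        changed = manifest_hash(baseline) != manifest_hash(current)
        return {"changed": changed, **diff_manifests(baseline, current)}


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest somewhere the web server cannot write, otherwise whoever changed the files can quietly update the baseline too.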

Maintaining a secure network isn't rocket science but it does require expertise and diligence.  We must ensure we have the right tools, the right processes, and the right expertise to utilize those tools to the greatest effect.  The Information Security professional needs to understand how a router works, what a config looks like, what goes in the /var/www folder, how a Perl script works.  We must be able to quickly review logs and know what is normal and what is not.  It takes a while to get up to speed on all this; however, your employer trusts that, in giving you the keys to the kingdom, you have all the ports and moats covered properly.

Friday, April 18, 2014

Speaking of Mobile Security

I've been doing a fair amount of speaking about Mobile Security lately.  The audience has been financial operations - accounts payable and accounts receivable.  These folks are concerned with the evolution of mobile technology and how it is being progressively integrated into their operations.  They have found that the risks are pretty large, and no one seems to be paying attention to this.

We are racing headfirst into the mobile revolution, interweaving it into our everyday life.  I can check my bank account balance, transfer funds, make investment trades, take payments, even manage my company's finances all from a tablet device.  In healthcare, we have mobile apps which allow clinicians to check your chart, monitor your blood pressure, view x-rays, write prescriptions...  this increased mobility is a great thing - it adds productivity and mobility - but we have to balance the benefits with the risks.  In other words, we need to understand and control the risks as we continue to weave mobile technology into our world.

The risks of mobile technology are pretty scary.  I would bet that you have apps on your phone or iPad that have more permissions than you are aware of.  Most of the time, we install an app without checking the permissions.  It usually asks your permission to install and gives you a list of permissions you're giving the app.  But we don't really check those - we are in a hurry to get the benefits of the app!  But the rights you're giving this app may be excessive.  Do you want Angry Birds to be able to delete data off your iPad?  Do you want your fitness app to be able to read your contact list?  Do you want your travel app to be able to send emails in your name?  Can they do that now?  You had better check!

I will try to write more frequently - I'm going to do a series on Mobile Security, since that seems to be a really hot issue at the moment.  I just added a Speaking tab to the blog - you can check out where I've been speaking and also let me know if you'd like to have me out to speak at an event.