Sunday, November 16, 2014

Cybercrime Statistics

In this week's assignments we were tasked with researching and discussing different elements of cybercrime.  In doing so I became aware that the FBI is one of the leading agencies that takes on cybercrime.  I went to the link shown below and found that they have tons of information and statistics about cybercrime.  This information was compiled by the FBI's Internet Crime Complaint Center (IC3), an online resource for people to report cybercrimes.

Annual reports dating all the way back to 2001 are provided at this link.  

http://www.ic3.gov/media/annualreports.aspx 

Friday, November 7, 2014

Work Experience vs. Certifications

I happened to come across a great article that spoke to a lot of what we discussed this week.  There is a fine balance that needs to be struck between practical, hands-on work experience and industry-related certifications.  The article discusses the positives of both experience and certifications.
The article is also specific to the Information Security industry, making it even more relevant.

One of the major takeaways I got from this article can be summed up in the following quote.  "...we’ve provided two different perspectives with a long-standing debate between technical work experience versus certifications.  Although the feeling is that most technical hiring managers would prefer a combination of both, if we had to choose one or the other, the general consensus from our IT recruiters is that there is no substitute for experience" (avidtr.com).  

As I stated in other posts this week, I believe, as does the author of this article, that experience cannot be matched.  To also quote every sports coach and school teacher ever, "practice makes perfect".


Follow this Link:

http://www.avidtr.com/Job-Seekers/Industry-Articles/Work-Experience-vs--Certifications---What-Do-Emplo.aspx

Sunday, November 2, 2014

I stumbled across an article that discussed the usability and effectiveness of personal firewalls.  The article was appropriately named "Usability and Effectiveness of Personal Firewalls" by Computer and Information Science professors Herzog & Shahmehri at Linköping University in Sweden.  There is some interesting information within this article about firewalls.  It describes some of the basics as well as how users can increase the security of their personal devices via a strong firewall.  It also describes the methodology behind the testing of the products included in the study.  Please follow the link below to the article:


Herzog, A., & Shahmehri, N. (2007). Usability and security of personal firewalls. In New Approaches for Security, Privacy and Trust in Complex Environments (pp. 37-48). Springer US.

Sunday, October 26, 2014

I wanted to look more into what is known as the OCTAVE Method, as this was not the focus of my discussion board post; however, it did intrigue me.  “The original Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method was developed with large organizations in mind (300 employees or more), but size is not the only consideration” (CERT.org).  What OCTAVE does is allow a company’s InfoSec department to evaluate and deal with risk in a way that balances the necessity to protect critical assets/data against the cost of doing so. 
There are two other forms of OCTAVE, OCTAVE-S, which is intended for smaller organizations (about 100 users) and OCTAVE-Allegro, which can be described as a streamlined approach for InfoSec assessment and assurance (Whitman & Mattord, 2013). 

The OCTAVE Method is known to work in three phases:
·         Phase 1: Build Asset-Based Threat Profiles
·         Phase 2: Identify Infrastructure Vulnerabilities
·         Phase 3: Develop Security Strategy and Plans

Again according to CERT.org, the OCTAVE Method draws on knowledge of risks from multiple levels within the organization and focuses on identifying critical assets and the threats that endanger them.  By identifying the vulnerabilities that expose those assets, the organization develops protection strategies and risk mitigation plans that support its mission and priorities.  Please see the link below for further information regarding the OCTAVE Method as well as the training sessions offered by Carnegie Mellon University's Software Engineering Institute.

Link:
http://www.cert.org/resilience/products-services/octave/octave-method.cfm? 

References:
Whitman, M. E., & Mattord, H. J. (2013). Management of Information Security (p. 332). Cengage Learning. Kindle Edition.
http://www.cert.org/resilience/products-services/octave/octave-method.cfm?  

Thursday, October 16, 2014

Sun Tzu and the Connection to InfoSec

In my research efforts for this week's discussion question I stumbled across quite an interesting post about Sun Tzu and his relation to the InfoSec world.  The author of the post discusses several of Sun Tzu's quotes, which are well over two thousand years old, and how they can be applied to today's technical world.  This was posted to The Security Pub by a fellow InfoSec blogger.

For example, the author made the following connection between a Tzu quote and today's cyber wars.  For more, see the link below.

Quote: Knowledge of the enemy’s disposition can only be obtained from other men. Knowledge of the spirit world is to be obtained by the divination; information in natural science may be sought by inductive reasoning; the laws of the universe can be verified by mathematical calculations; but the dispositions of the enemy are ascertainable through spies and spies alone.
My Thoughts: The cyber equivalent of spies is covert malware like Trojans and rootkits. The popularity of this type of code in spam attachments and on infected websi

Sun Tzu quotes from The Art of War (The Security Pub):

http://www.thesecuritypub.com/2013/10/29/sun-tzu-quotes-from-the-art-of-war-compared-to-information-security/

Sunday, October 12, 2014

I found a great video that describes the differences between Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Rule-Based and Role-Based Access Control (RBAC).  Our text did not cover RBAC too extensively, so I thought it was good information for that reason alone.

RBAC resembles DAC in that a person, not a fixed system label, decides who gets access, but the decision is made centrally by the IT department or a manager rather than by the owner of each resource: employees are assigned to roles, and each role carries only the level of access that company rules authorize for that job, so the amount of information an employee can see or manipulate follows from the role rather than from individual grants.
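To make the contrast concrete, here are the three models side by side as an added example (my own toy code, not from the video or our text). Each model answers the same question, "may this subject perform this action on this object?", but the authority that sets the answer differs: the owner in DAC, a system-wide label policy in MAC, and an administrator-managed role in RBAC. The users, roles, labels and the "payroll" object are made up for the illustration.

```python
"""Toy DAC, MAC and RBAC access decisions side by side (added example).

All subjects, objects, roles and labels below are invented for illustration.
"""
from dataclasses import dataclass, field


# ---------- DAC: the owner manages an access control list ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of actions


def dac_grant(obj: DacObject, actor: str, subject: str, action: str) -> bool:
    """Only the owner may change the ACL; anyone else is refused."""
    if actor != obj.owner:
        return False
    obj.acl.setdefault(subject, set()).add(action)
    return True


def dac_allowed(obj: DacObject, subject: str, action: str) -> bool:
    """The owner always has access; others need an explicit ACL entry."""
    return subject == obj.owner or action in obj.acl.get(subject, set())


# ---------- MAC: labels enforced by the system, Bell-LaPadula style ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allowed(clearance: str, label: str, action: str) -> bool:
    """No read up, no write down: read at or below your clearance,
    write at or above it, so data cannot flow to a lower label."""
    s, o = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


# ---------- RBAC: permissions sit on roles, users are members of roles ----------
class Rbac:
    def __init__(self):
        self.role_perms: dict = {}   # role -> set of (action, object)
        self.user_roles: dict = {}   # user -> set of roles

    def define_role(self, role: str, perms) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_from_role(self, role: str, perm) -> None:
        """Removing a permission from a role affects every member at once."""
        self.role_perms[role].discard(perm)

    def allowed(self, user: str, action: str, obj: str) -> bool:
        return any((action, obj) in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


def demo() -> dict:
    """Run the same scenario through each model and return the decisions."""
    results = {}

    # DAC: alice owns the report and shares it; bob cannot re-share it.
    report = DacObject(owner="alice")
    results["dac_owner_grant"] = dac_grant(report, "alice", "bob", "read")       # True
    results["dac_non_owner_grant"] = dac_grant(report, "bob", "carol", "read")   # False
    results["dac_bob_read"] = dac_allowed(report, "bob", "read")                 # True
    results["dac_carol_read"] = dac_allowed(report, "carol", "read")             # False

    # MAC: a secret-cleared user may read confidential data but not write
    # it there (no write down), and may not read top_secret (no read up).
    results["mac_read_down"] = mac_allowed("secret", "confidential", "read")    # True
    results["mac_write_down"] = mac_allowed("secret", "confidential", "write")  # False
    results["mac_read_up"] = mac_allowed("secret", "top_secret", "read")        # False
    results["mac_write_up"] = mac_allowed("secret", "top_secret", "write")      # True

    # RBAC: IT defines the roles; editing a role changes every member's access.
    rbac = Rbac()
    rbac.define_role("payroll_clerk", {("read", "payroll"), ("write", "payroll")})
    rbac.define_role("auditor", {("read", "payroll")})
    rbac.assign("dave", "payroll_clerk")
    rbac.assign("erin", "auditor")
    results["rbac_clerk_write"] = rbac.allowed("dave", "write", "payroll")      # True
    results["rbac_auditor_write"] = rbac.allowed("erin", "write", "payroll")    # False
    rbac.revoke_from_role("payroll_clerk", ("write", "payroll"))
    results["rbac_clerk_write_after_revoke"] = rbac.allowed("dave", "write", "payroll")  # False
    results["rbac_unknown_user"] = rbac.allowed("mallory", "read", "payroll")   # False
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32s} {decision}")
```

The three `*_allowed` functions are the point of comparison: in DAC the answer depends on whatever the owner happened to put in the ACL, in MAC it depends only on labels the owner cannot change, and in RBAC one edit to a role (`revoke_from_role`) changes the answer for every user holding it.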

The video is a bit rudimentary, since the presenter uses Paint or a similar tool to hand-write each of the items discussed, but the content and the explanations of each are spot on.  He even discusses the differences between each of them.

Here is the video...

https://www.youtube.com/watch?v=kGpAdbBudOU

Sunday, October 5, 2014

I came across a very interesting article from the SANS Institute that provides some very insightful information about security awareness training.  There are some statistics, aspects of training, and other resources and links that can assist companies looking to roll out a new security awareness training program.

http://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013