Sunday, October 26, 2014

I wanted to look more into what is known as the OCTAVE Method; this was not the focus of my discussion board post, but it did intrigue me.  “The original Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method was developed with large organizations in mind (300 employees or more), but size is not the only consideration” (CERT.org).  What OCTAVE does is allow a company’s InfoSec department to evaluate and deal with risk in a way that balances the need to protect critical assets/data against the costs of doing so.
There are two other forms of OCTAVE: OCTAVE-S, which is intended for smaller organizations (about 100 users), and OCTAVE-Allegro, which can be described as a streamlined approach for InfoSec assessment and assurance (Whitman & Mattord, 2013).

The OCTAVE Method is known to work in three phases:
- Phase 1: Build Asset-Based Threat Profiles
- Phase 2: Identify Infrastructure Vulnerabilities
- Phase 3: Develop Security Strategy and Plans

Again according to CERT.org, the OCTAVE Method utilizes the knowledge of risks from multiple levels within the organization and focuses on identifying critical assets and the threats that endanger them.  By identifying the vulnerabilities, the organization develops protection strategies and risk mitigation plans that support the organization's mission and priorities.  Please see the link below for further information regarding the OCTAVE Method as well as the training sessions that are offered by Carnegie Mellon University and the Software Engineering Institute.

Link:
http://www.cert.org/resilience/products-services/octave/octave-method.cfm? 

References:
Whitman, Michael E.; Mattord, Herbert J. (2013-10-07). Management of Information Security (Page 332). Cengage Learning. Kindle Edition.
http://www.cert.org/resilience/products-services/octave/octave-method.cfm?  

Thursday, October 16, 2014

Sun Tzu and the Connection to InfoSec

In my research efforts for this week's discussion question I stumbled across quite an interesting post about Sun Tzu and his relation to the InfoSec world.  The author of the post discusses several of Tzu's quotes, which are hundreds of years old, and how they can be applied to today's technical world.  This was posted to The Security Pub by a fellow InfoSec blogger.

For example, the author made the following connection between a Tzu quote and today's cyber wars.  For more, see the link below.

Quote: Knowledge of the enemy’s disposition can only be obtained from other men. Knowledge of the spirit world is to be obtained by the divination; information in natural science may be sought by inductive reasoning; the laws of the universe can be verified by mathematical calculations; but the dispositions of the enemy are ascertainable through spies and spies alone.
My Thoughts: The cyber equivalent of spies is covert malware like Trojans and rootkits. The popularity of this type of code in spam attachments and on infected websites

Sun Tzu quotes from The Art of War

http://www.thesecuritypub.com/2013/10/29/sun-tzu-quotes-from-the-art-of-war-compared-to-information-security/

Sunday, October 12, 2014

I found a great video that describes the differences between Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Rule/Role-Based Access Control (RBAC).  Our text did not cover RBAC too extensively, so I thought it was good information for that reason alone.

RBAC is similar to DAC in the sense that it is at the discretion of the IT department or a manager to choose the access level for individual employees, based on their role or on company rules about the amount of information they are authorized to see/manipulate.
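To make the three models concrete, here is an added Python sketch (my own illustration, not code from the video or the textbook) in which the users alice, bob, carol and dave and the file names are constructed. It shows where the decision authority lives in each model: the object's owner in DAC, the role assignments made by IT in RBAC, and a system-wide label rule that nobody can override in MAC.

```python
from dataclasses import dataclass, field

# DAC: the object's owner decides, at their own discretion, who else may access it.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor, user, perms):
        if actor != self.owner:  # only the owner may hand out access
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).update(perms)

    def allowed(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())

# RBAC: permissions attach to roles; an administrator assigns roles to users.
class Rbac:
    def __init__(self, role_perms):
        self.role_perms = role_perms  # role -> {(object, permission), ...}
        self.user_roles = {}          # user -> set of roles

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user, obj, perm):
        return any((obj, perm) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))

# MAC: system-wide sensitivity labels; neither owner nor manager can override the rule.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

def mac_read_allowed(clearance, label):
    return LEVELS[clearance] >= LEVELS[label]  # "no read up"

def demo():
    report = DacObject(owner="alice")        # constructed sample objects and users
    report.grant("alice", "bob", {"read"})   # alice chooses to share read access
    rbac = Rbac({"payroll": {("salaries.xlsx", "read"), ("salaries.xlsx", "write")},
                 "staff": {("handbook.pdf", "read")}})
    rbac.assign("carol", "payroll")          # IT assigns roles, not per-file rights
    rbac.assign("dave", "staff")
    return {
        "dac_bob_read": report.allowed("bob", "read"),                           # True
        "dac_bob_write": report.allowed("bob", "write"),                         # False
        "rbac_carol_write": rbac.allowed("carol", "salaries.xlsx", "write"),     # True
        "rbac_dave_read_salaries": rbac.allowed("dave", "salaries.xlsx", "read"),  # False
        "mac_internal_reads_conf": mac_read_allowed("internal", "confidential"),   # False
        "mac_conf_reads_public": mac_read_allowed("confidential", "public"),       # True
    }
```

In the DAC case bob cannot pass his read access on to anyone else, because grant() refuses any actor other than the owner; in the RBAC case changing what the payroll role may do changes carol's rights without touching her account.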

The video is a bit rudimentary, since the presenter uses Paint or a similar tool to hand-write each of the items discussed, but the content and explanations of each are spot on.  He even discusses the differences between each of the items.

Here is the video...

https://www.youtube.com/watch?v=kGpAdbBudOU

Sunday, October 5, 2014

I came across a very interesting article from the SANS Institute that provides some very insightful information about security awareness training.  There are some statistics, aspects of training, and other resources and links that can assist companies looking to roll out a new security awareness training program.

http://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013