Wednesday, September 21, 2011

Contingency Planning for home use

This week's chapter deals with the fundamentals of contingency planning, and it reminded me of a phone call I got from my younger brother about a computer problem he was experiencing recently. Most home users would not likely have any kind of contingency plan in place, or would not even consider one until it is too late, as in my brother's case.

You see, he said he had started to develop intermittent problems shutting down his computer, and the only way to shut it down was to do a hard power-off. It is hard to determine what the problem could have been when just talking with him on the telephone, but it could have been due to a virus, power issues, the motherboard or CPU just giving up, etc.

What made him call me was that his college homework, due in two days, was still on his hard drive and he had no way of retrieving it. He did not want to hear the lecture about keeping a removable backup of important files when your computer is fairly old, or when other factors could render it unusable.

Now, coming up with a plan to mitigate some of the risks that you are exposed to in a home environment isn't that difficult. First, he should have identified the possible incidents he would be susceptible to in his environment. He did say, for starters, that the house he is renting did not have grounded power.

This could have contributed to his system failing, and it may have been prevented if he had run his computer off an uninterruptible power supply that regulated the power the computer was using. This wouldn't have helped with his data access issue, though. Important files should be backed up on an external drive at the very least; he would still have had his files even though the computer died. Another alternative would have been to email the files to himself or even upload them to a free online storage service.

He, like so many regular users, never considered that something like this would happen to him. It is a hard lesson to learn, but having a contingency plan, even at home, is a necessity depending on what you store on your computer.

Friday, September 16, 2011

Financial Industry Vulnerable to Cyberattacks

This article was found in the National Journal and was written by Josh Smith on 14 September 2011. It can be found at http://www.nationaljournal.com/daily/analysts-financial-industry-vulnerable-to-cyberattacks-20110914

I found that the article mainly rehashes what we already know. Current laws are not adequate to stop the loss of money and information, and the lack of employee education and training makes the attacks that much easier.

"In a Sept. 2 security bulletin, the Homeland Security Department warned that the hacker group Anonymous has been using social media to ask employees at financial institutions for help gaining access to their networks." (Smith, 2011)

So no matter what best practices an institution implements, the recurring theme is that employees tend to be the weak link in the security plan. If this is a known deficiency, why does it seem that nobody talks about training the employees? I have never seen what institutions spend on training employees and on giving customers better awareness. Is this an accepted risk the financial industry is willing to take because of the cost?

Friday, September 9, 2011

Cybercrime Law

I found an article on the InfoWorld website. Grant Gross of the IDG News Service reported on 8 September 2011 that the main U.S. law targeting cyber crime may need to be changed because it has allowed law enforcement agencies to target people who simply violate websites' terms of service or their employers' computer use policies, two senators said Wednesday.

The article goes on to say that the law needs to define illegal access to computers more precisely. What caught my attention was that the law was being used to prosecute people for violating computer use policies rather than for committing actual computer crimes. Under the current law, employees could be charged with a crime if they access personal email or check the weather online in violation of their company's computer use policy.

I wonder which companies would go to that kind of extreme, and how they would enforce the policy fairly. How will they be able to differentiate between an acceptable use policy violation and a computer crime, and still have enough teeth in the law to make a difference?

Tuesday, September 6, 2011

Physical Security

As mentioned in previous classes, the insider threat is the biggest threat to deal with in the IT field. Today, I will talk about the various ways the physical security of your systems can be administered.

The layout of your facility and how much you are willing to spend on security will determine how tight your security can be made. Let's first look at a few ways that this can be accomplished. A few methods would be guards physically controlling access using access lists, and mechanical or electro-mechanical locks on the doors to gain entry.

Each of these by itself can be defeated with some effort, but combining them creates a different dynamic called layered security. This term will be used quite often throughout most discussions about security.

If you have the luxury of a big budget for security, you can tighten it further with security cameras, biometric scanners, and stand-off areas controlling access to sensitive areas. There has to be a point at which a security specialist accepts that the security in place is good enough; otherwise, the budget for security alone could become too large.

Any one of these methods is better to have than nothing at all, which is what you tend to see in a lot of businesses.