Dear bloggers,

What a great article I’ve come across to tie beautifully into our reading assignment this week! Who is really responsible to protect America from data loss? by Kevin Pouché touches on both the importance of data security in the corporate environment and how little respect, attention, and budgetary allowance it’s given to protect data assets.

Cyber threats not only affect our economy but also our national security. It’s no wonder government legislature has introduced bills in an effort to alleviate the threats. Those bills include the Stop Online Piracy Act (SOPA), Protect IP Act (PIPA), the Cybersecurity Act of 2012, and the Cyber Intelligence Sharing and Protection Act (CISPA). While the desired outcome of these bills is the reduction of data breaches, the bills are met with controversy so the process to move from a bill to a law is very time consuming.

The author of the article, Pouché, is a firm believer that the protection of data is the responsibility of the company that holds the data, not the government, and I strongly agree with that point of view. The threat to data security however is so strong that the need for government regulation and control has brought forth the bills mentioned previously.

“It’s time for businesses to get serious about data security” quotes Pouché (2012). Oftentimes conversations with security professionals are productive and the need for more secure procedures is identified. When the conversation moves to the corporate executives however, those talking points fall on “deaf ears” (Pouché, 2012).

The impact of data loss on revenue is rising, from 0.6% in 2012 to an estimated 0.77% in 2013 to 1.6% in 2018. Unless conversations can be productive with realistic goals set and met by corporations, this business of data breaches and insecurity is estimated to get wildly out of control.

What are your thoughts?

Until next time….

Reference

Pouché, K. (June, 2012). Who is really responsible to protect America from data loss? Retrieved from http://www.scmagazine.com/who-is-really-responsible-to-protect-america-from-data-loss/article/246351/

Dear Bloggers,

It seems like the most common question these days are “where were you when twitter went down?”. If you read the comments on twitter (and I don’t) however, they are reiterated within news stories about the event. This apparently was a major catastrophe last Thursday and yet……not being twitterpated myself, I’m came away from it completely unscathed. I’m almost disappointed I missed it. Now the big question is…..what really happened? Twitter blames a “cascading bug” found in an infrastructure component (that would be a new one for me). However, an individual by the name of Cosmo from the hacking group UGNazi has claimed responsibility for the outage citing a DDoS (distributed denial of service) attack. The folks at Twitter remain firm in their response to the attack with a “we don’t have a comment on that”. Even with Thursday’s outage, Twitter is experiencing its highest period of reliability in the last six months. So while Cosmo might have caused a stir, it seems like it’s just a bump in the road for the Twitter machine.

What are your thoughts?

Until next time…..

Reference

Claburn, T. (2012, June). Twitter Crash: Hack Or Hardware Fail? Retrieved from http://www.informationweek.com/news/security/vulnerabilities/240002516

Dear Bloggers,

I ran across an article last week that put the use of the McCumber Cube in a different light with respect to protecting and defending a network while keeping a security goal in mind. It’s convenient and coincidental since we just ran across the McCumber Cube last week. While it’s still fresh in our minds I think this is an excellent topic for this week’s blog!

Sean Price is the author of our article and by his credits is seemingly a pretty savvy guy in the world of Information Security. Here is his view of the McCumber Cube:

He has a different view of the McCumber Cube and how it can be expanded to cover network information security.

 Instead of picking one of 27 cells for instance transmission + integrity + technology or storage + confidentiality + people to address information security programs, Mr. Price introduces the proposed extension to the McCumber Cube: start with an attack or threat to the system, determine the information state (green section), identify the countermeasures (orange section), to reach a security goal (blue section).

This proposed extension is represented graphically here:

This may sound confusing at first but I think a couple of examples with help to clarify this process. Take for example network confidentiality. The process would look like this: Sniffer (the attack method) + Transmission (the information state) + Encryption/Key Management/Training (Countermeasures) -> to reach the security goal of Confidentiality. Another fun graphic to describe this particular example is:

Notice how the Countermeasures section includes all three pieces of Technology, Policy, and People. This is how Mr. Price has incorporated the extension into the McCumber Cube. It’s just a different way of looking at information security.  Are you ready for another example? Let’s go!!

Let’s take a look at network information integrity with ARP Spoofing as the attack, Transmission as the information state, Port Scanning/Periodic Scans/Investigators as the countermeasures with a security goal of Integrity.

Graphically that would look like this:

Our last example covers the availability of the network. The attack is Denial of Service, the information state is Transmission, the countermeasures are Intrusion Detection/Monitoring/Incident Response with a security goal of Availability which looks like this:

Using this extension model by Mr. Price helps to focus on a specific threat, the countermeasures for that threat and because of this will more accurately define the risk assessment for an environment. Just by taking a different look at the McCumber Cube, an IT environment has the ability to better prepare themselves to prevent and tackle threats that come their way.

That's all for now, happy blogging!

Reference

Price, S. (2008). Extending the McCumber Cube to Model Network Defense. ISSA Journal. September 2008, 14-18.

Dear Bloggers,

My name is Stefanie and I live in Nebraska. 
I've been working for the local school district as a Network Systems Manager for the past 10 years. Out of college I worked as a Information Techology Technician, hopped over to a System Administrator gig and then found my home here at the district and have been here ever since.

I'm working on my Masters Degree in Management Information Systems with an endorsement in Computer Information Systems.

I'm new to information security and even newer to blogging so I hope this blog turns out to be informational and entertaining at the same time. 

That's all for now.

Until next time.....