LearnSecurity Blog

ACH Fraud on the Rise

donaldh@mazeassociates.com (Donald Hester) — Thu, 05 Nov 2009 17:52:29 +0000

FBI released a warning for local governments and small businesses to be on the lookout for ACH fraud.

The FBI issued a press release concerning a significant increase in the last few months of fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts. The scam is a type of phsihing attack, whereby the unsuspecting finance person is lured into installing malicious software. The malicious software hides itself and records everything the person does on their computer. The malicious software will record user names and password used for everything including online banking and ACH. The software will then forward the usernames and passwords to the bad guys who will promptly use the information to transfer funds out of the organization’s bank account.

This new news is there is an increase in incidents, not the method of attack. In April of 2007, the City of Carson California was a victim of the same type of attack. The hackers were able to transfer $498,000 before the bank froze the account.

Local municipalities and small businesses are easy targets for hackers. Hackers know local municipalities and small businesses have little or no IT security budgets or staff with the necessary skills.

How do you protect your organization?

The Federal Government has recommended that state, local and tribal governments adopt National Institute and Standards and Technology (NIST) security guidelines. Recently NIST added guidance for small businesses as well, including video tutorials.

Following these guidelines and standards will not make an organization 100% secure. However, they go a long way in preventing these types of attacks. In fact, if an organization followed these NIST guidelines they would most likely will not fall victim to these attacks.

For more information:

FBI Press Release

http://www.fbi.gov/pressrel/pressrel09/ach_110309.htm

Small Business IT Security Guide

http://csrc.nist.gov/groups/SMA/sbc/index.html

http://www.csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

NIST Special Publications

http://csrc.nist.gov/

http://www.csrc.nist.gov/publications/PubsSPs.html

Donald E. Hester

Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.

RSS Subscription

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.

A Prioritized Approach for Compliance

donaldh@mazeassociates.com (Donald Hester) — Wed, 21 Oct 2009 22:39:04 +0000

A recent trend in the information security industry has been the concept of a prioritized approach to implementing security controls and standards. With any of the standards or compliance requirements (FISMA, SOX, HIPAA, NIST, GLBA, ISO and PCI) it can be difficult for organizations to meet all of the requirements. All organizations have limited time and resources and are forced to choose to implement as many measures as possible and leave some undone.

The current economic situation is increasing pressure to cut budgets which in turn furthers the lack of resources available to protect information and systems. Organizations are often left wondering where they can cut or hold off implementation of security controls. With increasing requirements and finite resources something is going to have to give.

In order to find out what security measures can "wait" we need to determine the risk of not having the control in place has for our organization. We can determine the risk by researching recent attack patterns. We can then determine which attacks are most likely and which controls are most likely to prevent those attacks. We should look at the probability or likelihood of the attack and the impact of the attack on the organization. We can chart the results out into a four quadrant graph and rank each vulnerability as High, Moderate or Low. See the simple chart below.

Based on risk we can now determine which controls are "most" important now. This does not get the organization off the hook for any compliance standards because typically all the controls in the compliance standard are compulsory. A prioritized approach will make sure the organization is spending time and resources where they are needed most and will lead the organization down the path of compliance.

For example, in the news has been an increase in SQL Injection attacks on websites. We could rate this as high for probability based on the increase in this type of attack and the ease to which it can be executed. We also know that SQL Injection attacks have been widely successful in compromising millions of records containing personally identifiable information. We can rate the impact as high based on the millions of records lost and the millions of dollars organizations have spent dealing with these data breaches. Controls that can prevent such attacks should be given a top priority and organization should increase testing of those controls.

Recently the PCI Standards Council and the National Institute of Standards and Technology released guidance on implementing a prioritized approach to implementing their respective standards. These approaches recognize the limited resources of organizations and focus on implementing the most crucial controls first and continue on to implement the remaining controls. This does not mean an organization is PCI or FISMA compliant; it simply addresses the reality of limited resources.

A prioritized approach to implementing information security will not lead you to compliance today, it will however, ensure the organization focuses its resources where they are needed the most and where they will do the most good.

Donald E. Hester

RSS Subscription

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.

IT and Security Business Alignment

donaldh@mazeassociates.com (Donald Hester) — Thu, 08 Oct 2009 17:29:05 +0000

IT and Security Business Alignment

Questions you might hear from a board member, council member or senior management:

What is the purpose of IT?

What is the purpose of Security?

IT's place in an organization?

Security's place in an organization?

Business managers often need a reminder of what the value of information technology and security brings to the organization. Some see information technology and security as cost centers and not as business enablers. Best in class organizations see information technology and security as strategic and business enablers. The question I often get is, how do we get senior management to buy in on this maxim?

We need to go back to the basics; Business and Management 101. I like to quote from Peter F. Drucker, the famous business consultant and writer on management and business topics, and apply that wisdom to technology and security. Here is the quote:

"Business enterprises - and public-service institutions as well - are organs of society. They do not exist for their own sake, but to fulfill a specific social purpose and to satisfy a specific need of a society, a community, or individuals." Peter F. Drucker

This is a great business maxim and is often quoted. To apply this maxim to information technology simply substitute the organization with IT. Once you read the quotes you will see how clear the purpose of IT and security in the organization.

"Information technology is an organ of the organization. It does not exist for its own sake, but to fulfill a specific organizational purpose and to satisfy a specific need of the organization."

Apply this maxim to information security:

"Information security is an organ of the organization. It does not exist for its own sake, but to fulfill a specific organizational purpose and to satisfy a specific need of the organization."

Here is another Drucker quote that is great for a maxim.

"Business exists in a society and community and, therefore, has to discharge social responsibilities, at least to the point where it takes responsibility for its impact upon the environment." Peter F. Drucker

Here are the new maxims for information technology and information security:

"Information technology exists in an organization and, therefore, has to discharge organizational responsibilities, at least to the point where it takes responsibility for its impact upon the organization."

"Information security exists in an organization and, therefore, has to discharge organizational responsibilities, at least to the point where it takes responsibility for its impact upon the organization."

Armed with these maxims alignment of information technology and security with the organization should be clear. Here is how we ensure business alignment at Maze & Associates:

Maze & Associates Mission

"We are in business to help our clients succeed."

Information Systems Department Mission

"We help our clients succeed by helping them secure and manage their technology investment."

IS Department Internal Clients: We support Maze and Associates by securing and managing the IT systems. By supporting the staff of Maze and Associates we can help them help their clients to succeed.

IS Department External Clients: We help clients align their IT investment with their business goals and vision. We can help them lower the total cost of ownership by proper IT governance.

Our information systems department mission statement is fully aligned with our overall business mission. The mission of our information systems department support the overall business mission.

In the military a drill instructor or platoon sergeant will call cadence as a way to keep all members of the platoon in step with everyone else and going the same direction. In the opening scene of the movie “A Few Good Men” starring Tom Cruise as a Navel JAG officer we are shown the world famous Marine Corps silent drill team as they practice drills all in locked step and precision movements. One impressive aspect is no one calls cadence and yet they are in unison. It looks impressive because everyone is marching in precise unison. If one person is off you will notice it and the entire platoon will become an unorganized cluster and will not reach its intended destination.

The Silent drill team is able to maintain unison only after extensive practice. In other words they don't need the cadence because of all the practice they have had.

Think of this illustration in your organization. Is the entire organization in step? If not who is going to call cadence to get everyone in step?

Donald E. Hester

RSS Subscription

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.

Types of Error

donaldh@mazeassociates.com (Donald Hester) — Wed, 16 Sep 2009 19:59:47 +0000

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.

Here is a question from a reader:

Thanks Don. I am looking for a good definition or comparison difference between a false positive and a false negative. I googled it, but the definition provided appears vague. My take is a false positive is a hit, but it doesn't apply to the system and a negative is that the opposite but someone else is connected to your network. I am still researching because it could be on the next exam and want to make sure I get those two terms straight.

Answer:

There are two main error types we have in testing and in systems that make selections:

Type I error which is also, α error, or false positive

Type II error which is also, β error, or a false negative

These terms are used in statistics and applied in information security to SPAM filtering, anti-virus, vulnerability scans, intrusion detection and biometrics authentication. In each instance they mean the same thing.

A Type I or 'false positive' is simply a positive result that is false. For a SPAM filter it would mean the email was tagged 'positive' as SPAM but it wasn't SPAM. For vulnerability scanners the result would indicate a vulnerability that did not exist. For biometrics a false positive is when the scanner identifies a person as someone else; someone is able to impersonate someone else. In biometrics a false positive is often referred to as false acceptance.

A Type II or 'false negative' is simply a negative result that is actually true. For a SPAM filter it is the SPAM that gets past the filter, in other words the filter did not detect it as SPAM. A false negative on a vulnerability scan would be a result that indicates a vulnerability where no vulnerability exists. Finally in biometrics a false negative is when the system fails to authenticate a legitimate user. In biometrics a false negative is often referred to as false rejection.

A related term you might see is Crossover Error Rate.

"Crossover Error Rate (CER) is a comparison metric for different biometric devices and technologies. It is the error rate at which the false acceptance rate (FAR) equals the false rejection rate (FRR). As an identification device becomes more sensitive or accurate, its FAR decreases while its FRR increases. The CER is the point at which these two rates are equal, or cross over."

Pasted from <http://www.javvin.com/networksecurity/CER.html>

Ideally in a perfect world we don't want false negatives or false positives; we want the system to be 100% accurate 100% of the time. Since we don't live in a perfect world, statistically, we want these error rates to be low in our SPAM filters, anti-virus, vulnerability scans, intrusion detection and biometrics systems. The lower the better.

Note:

These terms maybe found on a number of security certification exams, such as CISSP, Security+, CISM etc…

Donald E. Hester

RSS Subscription

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.

Account Hacked

donaldh@mazeassociates.com (Donald Hester) — Tue, 15 Sep 2009 17:42:16 +0000

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.

Here is a question from a reader:
What do you do if your online account at a social media site has been hacked?

Take Action

1. Make sure you contact the website ASAP and let them know your account was hacked
2. Make sure his home computer has not been compromised - or any computer he uses to log onto the site
3. Reset all your passwords, even for unrelated sites

Prevention: The easiest way to protect your computer and account

1. Make sure he has anti-virus and it is set for automatic updates
2. Make sure he has a complex password (not easy to guess) and change your password regularly
3. Make sure you only login on the real and not pages that look like it (spoofed sites)
4. Make sure his computer has the most up-to-date patches (this can and should be automated)
5. Upgrade to Internet Explorer 8, it has features to detect fraudulent websites
6. A healthy skepticism, be skeptical of offers, emails and communications

How do hackers get into my online account?
There are a number of ways hackers can gain access to your online accounts. In order for a hacker to gain access to your online account they need to get your password. This means protecting your password is very important.

One of the main ways to get your password is to get spyware on your computer. The spyware can track your activities including the key strokes you make. This type of spyware is called a keystroke logger. Once it gets on your computer it can track your moves and capture your password when you log onto any site. With this a hacker can gain access to password you type which could be to every site you visit or use.

This happened to a City in Southern California. Spyware was introduced to a computer in finance and when the employee logged on to the Banks website to view the City's account the spyware captured the username and password. The hackers wasted no time transferring hundreds of thousands of dollars out of the City's account.

The best protection against spyware is to have up-to-date anti-spyware and anti-virus software.

Another way hackers gain access to your passwords is called phishing. This technique is just like it sounds. They use bait to lure you into giving them your username and password. Typically they setup a website that looks like the login page of the website you want. You type in your username and password thinking it is the real site, but you have just given the hackers your password.

Web browsers such as Internet Explorer 8 have anti-phishing protection and some antivirus packages are now adding anti-phishing protections in. It is important to be a little skeptical and keeping your browser, anti-virus and computer up-to-date.

Of course it isn't just hackers you have to watch out for. Other people such as family members, friends and fellow employees may get your password if you are careless and use your accounts for who knows what.

It is important that you do not share your password with others, change it often and use a complex password no one else will guess.

Of course following these prevention measures is no guarantee of security, constant vigilance is needed.

Donald E. Hester

Albert Gonzalez, Cyber Criminal

donaldh@mazeassociates.com (Donald Hester) — Fri, 21 Aug 2009 21:33:04 +0000

Albert Gonzalez, a 28 year old from Florida, is suspected of being involved in most of the major security breaches dating back to 2003 when he became an informant for the US Secret Service. With his assistance they were able to breakup "the shadow crew group" one of the largest online black markets for stolen identities. Of the 28 people arrested 27 of them pled guilty and one is on the run.

In 2008, Gonzalez was indicted on charges related to security breaches at TJX, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes and Noble, Sports Authority, Forever 21 and DSW.

On August 17, 2009 he was indicted a third time by a federal grand jury on charges related with data breaches at Heartland, Hannaford Bros. and 7-Eleven Inc. These three date breaches have exposed over 130 million credit and debit cards.

The Takeaway

To protect yourself you need to understand how hackers executed their attacks in order to determine how to protect your data. According to reports, Gonzalez and two other accomplices used SQL injection attacks, malware and packet-sniffing tools to detect and steal payment card data.

In previous attacks Gonzalez and his cohorts used flaws in vulnerabilities in wireless networks to gain access to company’s networks and steal payment card data directly from databases.

Organizations should protect their networks and data by ensuring they follow industry security standards. For example:

Strong wireless access controls and encryption

Intrusion Detection / Prevention systems

Web Development code reviews

Application Layer Firewalls

Vulnerability scanning

Penetration testing

Vulnerability patch management

Finally, constant vigilance is required, not an option

Following security standards is not a guarantee of protection. Some people mistakenly think that by following a security standards will offer complete protected from hackers. Security standards will never eliminate risk; they can only reduce the risk of hackers successfully breaking into your networks and accessing data.

Donald E. Hester

RSS Subscription

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.

Archival Media

donaldh@mazeassociates.com (Donald Hester) — Thu, 06 Aug 2009 21:51:25 +0000

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.

Here is a question from a client:

I have a question regarding the definition of optical disk. For record retention, our City Clerk has been told they need to keep some of their records on optical disks that cannot be changed. What would qualify for this? Would something like a DVD-R? How about our backup tapes? Thanks.

When selecting an archive media you will need to consider the retention period and the degree of integrity needed for the data. The retention period will guide you on selecting media that has longevity beyond the required retention period. The degree of integrity will guide you in selecting media and technology that will protect the data from modification or alteration.

Integrity

Integrity is about protecting the data from intentional or unintentional modification or alteration. There are a number of ways to protect the data on the media from modification or alteration. Selecting DVD-R instead of DVD-RW because DVD-R media is write once media and DVD-RW is writeable multiple times.

If you need to use media that can be written to multiple times, such as DVD-RW, Hard Disk, Solid State Memory or Magnetic tape, you can use a one-way hash algorithm. A one-way has algorithm which is a mathematical function that is used to determine if the original data (file, message, etc..) has been altered in any way. If the data is altered, in any way, the hash algorithm will not work.

Hashes will work to tell you if someone has modified the original data not protect it from being changed. If you need to protect it, the best bet is to encrypt the data as well. I would recommend using encryption to protect the data from modification, alteration and disclosure. However, using encryption means you need to have a key management system.

A low-tech way to protect the integrity of data for archival purposes is to store multiple copies in different locations. If one copy has been compromised, you would be able to compare it with anther copy to see if there are any differences.

Availability (Retention)

You also need to consider the retention time. Regular CDs and DVDs have an expected life of 10 years! Backup tapes have a shorter life expectancy if used multiple times. Tapes used weekly are typically replaced annually. Is that long enough? Your media needs to be able to last as long, if not longer than, the life of the data.

If you use DVD-R media for storage you may want to look into special DVD-R media. Multiple manufacturers such as Memorex Verbatim and TDK make Archival Grade DVD-R media. They claim they will last up to 100 years.

If you use backup tapes you need to purchase tapes that are used to backup and store. In other words the tapes are not in the normal backup rotation. Backups and archives are not the same, they serve two different functions and have different requirements for the media. With backups the media is regularly reused; in archival use, the tapes would be written to once and stored. For archival purposes, you will need to purchase archival grade tapes with a 30-50 year life span.

Whatever media you end up using, there will also be storage requirements such as:

Temperature
Humidity
Light exposure (for optical media and possibly for magnetic media is the light source creates heat)
Magnetic exposure (for magnetic media)

Helpful links

Much more could be said about archiving procedures, data retention, data destruction, media handling and security requirements related to this topic. If you would like more information, check out the links below:

NIST study on optical media:
http://nvl.nist.gov/pub/nistpubs/jres/109/5/j95sla.pdf

NIST Special Publication 500-252 Care and Handling of CDs and DVDs —A Guide for Librarians and Archivists:
http://www.itl.nist.gov/iad/894.05/docs/CDandDVDCareandHandlingGuide.pdf

Donald E. Hester

CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV

RSS Subscription: http://feeds2.feedburner.com/learnsecurityblog

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.

FaceBook at work?

donaldh@mazeassociates.com (Donald Hester) — Sat, 25 Jul 2009 02:43:21 +0000

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.

Here is a question from a client:

How should we address web 2.0 and social media in our Computer Terms of Use policy?

There is no doubt about it Social Media has its good points and its bad points. Businesses can use it to reach their customers better. Local government can use it to better reach it's citizens. Social Media can be used to promote you organization and deliver the information you want to interested parties. Social Media is especially good for local governments who want to promote transparency in government.

Social media sites can also help with productivity. I often use FaceBook and other sites for collaborative research on various topics. Most recently I used FaceBook and associated friends to do some research on privacy issues of social media sites.

The downside is employees may spend all day on social media sites to the neglect of their work. Social Media sites are addictive, that is why they are a great medium for getting information out fast. In fact, this blog is listed on various social media sites such as blogs, FaceBook, YouTube, Twitter and LinkedIn. As a result of its addictive nature people have found themselves spending hours on social media sites not realizing they have been on the site for hours. At work this could mean the loss of countless hours of productivity.

What should organizations do with this dilemma? Do they restrict all access, do they allow unlimited access and hope employees do the right thing? Maybe there is a way to strike a balance between the two extremes.

There are two issues to address, one as to whether or not the organization will use social media as a way to communicate to interested parties and second as to whether employees will have access to such sites during work hours and on work computers.

Here are three ways to handle the use of social media sites for employees.

Option 1

The best case scenario is to have the most liberal approach possible. By that I mean a policy like the following:

"Employees are considered professionals and are expected to act professionally, ethically and legally. Employees will be treat as professional. Failure to act professionally, ethically and legally will result in disciplinary action. Employees use of such services should be incidental and not interfere with their normal job duties or deadlines."

This policy obviously has a lot of gray area but it provides enough room for reasonable use and restrictions. It gives plenty of room for interpretation and for that reason it should have a training component included with it. For example security awareness training that covers security and privacy issues of such sites and services. You may even consider ethics training similar to that required for CPAs and other professionals.

Note: We use this type of management philosophy and Maze & Associates and attorneys often advise a less flexible approach.

Option 2

Not all organization can have a policy with that much latitude. Allowing limited access to social media site in conjunction with a more defined policy. In those cases there are a number of considerations you look for in a use policy. If you have use polices they should be reviewed and you should add stipulations for the use of social media sites and services and to what extent they can be used and accessed.

Things to consider:

Restrictions on posting internal organizational information or confidential information.
Restrictions on cyber stalking and harassment.
Employees should be required to attend training on security and privacy issues related to such sites.
Definition of what is considered reasonable use and reasonable times.
You may be able to track or restrict the amount of time employees use such sites with firewalls and web filtering devices. (If you track internet activity of employees remember that you need to warn them that there is no expectation of privacy for what they do on your systems.)

Option 3

Blocking all social media sites is another option but not a very good one. Remember legitimate uses social media sites. Blogs such as this one provide information that can be used by staff in conjunction with their normal duties. In addition, many sites use YouTube to deliver technical training. If you block all such sites you will limit access to information staff may need to complete their tasks efficiently.

In addition, restricting access to such site creates a perceived attitude that management does not trust employees to do the right thing. Remember happy employees are more productive than unhappy ones. Not to mention the stress employees feel from police state type of controls. If you can avoid restricting all access your organization will be better off.

Conclusion

Whatever path you chose to go down don't ignore the issue. Bring it up, make a decision and implement your approach. If you ignore it, it will become a problem.

Remember, if you are reading this blog, you are using social media.

Donald E. Hester

CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV

RSS Subscription: http://feeds2.feedburner.com/learnsecurityblog

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.

Question on IT Security Certifications & Career Planning

donaldh@mazeassociates.com (Donald Hester) — Thu, 09 Jul 2009 20:13:40 +0000

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.

Here is a question from a colleague:

Why would someone certify under CAP or CPP instead of SSCP or CISSP? Most network engineers would certify under CISSP, correct?

Each of the certifications covers a different set of skills and is made for different job positions. You should determine what job you want and build your resume for that dream job.

CISSP, SSCP and CAP are (ISC)2 certifications.

CISSP (Certified Information Systems Security Professional) is a high level tech or a manager certification.

The SSCP (Systems Security Certified Practitioner) is a certification for a tech.

The CAP (Certification and Accreditation Professional) is a specialty certification on National Institute of Standards and Technology (NIST) security framework and designed for management or a NIST/FISMA consultant. (The Federal Information Systems Management Act (FISMA) requires Federal government agencies to implement information security and NIST standards)

The CPP is a certification administered by ASIS International.

The CPP (Certified Protection Professional) is an executive management level certification that traditionally focused on physical security and more recently has added IT security topics. The CPP will focus on topics as broad as terrorism, retail theft prevention, executive protection, armored cars, workplace violence, safety and information security.

The government has recognized certification as the best way to determine personnel skill levels.

The Department of Defense (DoD) really got the ball rolling on certifications by mandating certification for all staff involved in Information Assurance. DoD Directive 8570.1 actually maps each of the certifications to either technical or managerial and then to levels in each. In addition there are specialty positions, such as auditor, that don’t have levels but have certifications. All DoD part-time or full-time personnel are required to have those certifications by 2010. (70% by 2009)

Here is information on the DoD directive:

http://www.isc2.org/dod-fact-sheet.aspx

There is talk that certifications like CAP will be added in the near future. Perhaps it was not selected because it was too general on certification and accreditation to fit in with the DoD. However, it is perfect for federal government agencies and anyone that wants to use NIST security standards like State, Local and Tribal governments. (Other organizations too, as NIST can be used by private organizations as well).

Some other Federal agencies are using DoD as a guideline for their staff as well. Which is a good idea. In the past hiring managers focused on degrees and experience. The problem with experience is being able to verify that the candidates experience matched the needs of the position to be filled. This is where certification come into play. A certification demonstrates a the holder has a particular knowledge or set of skills. In the end, you want to have both the experience and be able to demonstrate that experience with relevant certifications.

Degrees are a one time event and have the problem of being up-to-date with current technology and practices. For example, is a degree in computer science from 1980 relevant to today’s systems? With technology changing so rapidly any training you have is likely to be out of date; sometimes it is out of date before you have finished the training. The best bet is to combine continuing education with a degree.

There are 4 important qualities for a career in Information Technology or Information Assurance (IT Security).

1. A Degree, mostly to get you past any hiring manager that place a high value on a degree.

2. Experience, the longer you have been in the field the better.

3. Certifications, as a means to verify your experience.

4. Continuing Education, because this field changes rapidly and you have to keep up.

You will have a greater advantage over your completion the more you have in each of these areas.

Donald E. Hester

CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV

RSS Subscription: http://feeds2.feedburner.com/learnsecurityblog

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.

iPhone on the Corporate Network

donaldh@mazeassociates.com (Donald Hester) — Tue, 07 Jul 2009 02:33:50 +0000

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.

Here is a question from a colleague:

Should organizations allow iPhones on the corporate network?

It depends (That's always the right answer). The only question is, is there a business reason for having them on the corporate network? Typically there is not a compelling business reason.

What we are really talking about here is wireless access directly into the internal organizational network. Not access to email server or website from outside. For example, connect to Exchange via ActiveSync is perfectly acceptable because the connection is controlled and the iPhone is not on the organization's network, it connects from the Internet.

Organizations should not allow unmanaged systems (those computers or devices the organization's IT does not exercise direct control over) on their networks. Simply put, if the iPhone (or any other mobile device) is not under organizational control it should not be on the network. In addition, security standards require control of mobile devices on the organization's network.

"The organization: (i) establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and (ii) authorizes, monitors, and controls device access to organizational information systems." - AC-19, NIST SP 800-53 rev 2

If the organization wishes to provide wireless access to the Internet for mobile device they can setup a wireless network that is segmented from the internal organizational network with a firewall separating them.

Donald E. Hester

CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV

RSS Subscription: http://feeds2.feedburner.com/learnsecurityblog

Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.