In my course this week we covered a variety of topics, but the one I want to cover is certifications. I am on the fence with the whole idea of certifications. I agree that they can show a level of competency in an individual, but setting them as specific criteria for jobs is going overboard in my opinion. Let me explain why I say this:
We go to college and get our degrees, and we learn what we should and come out better and with a lot of school loan debt, but in today's society having a degree is not good enough. You need a degree and certifications. The problem with this is that there are services you can buy that will give you all of the questions to just about any certification there is. When this happens we get people with certifications who do not know the material, and then when it comes to a job their resumes get pushed through the system and someone who may know their job but just doesn't have the piece of paper that says CERTIFICATION won't even get the chance to interview. I call these people idiots, as I have worked with many a technician/manager with certifications in just about everything who can't troubleshoot their way out of a paper bag.
IT Security Today
Sunday, November 9, 2014
This week we covered biometric access control systems and the many, like millions, of different ways you can implement them. Biometrics is a method of establishing a person's identity based on chemical, behavioral, or physical attributes of that person, and is relevant in large-scale identity management across a wide range of applications. One of the most common uses for biometrics is providing access control for restricted facilities, areas, or equipment. In addition, this technology can be implemented to regulate access among computer networks, financial transactions, or transportation systems. The main purpose of biometrics in these applications is to determine or verify someone's identity in order to prevent unauthorized people from accessing protected resources. Unlike password-based systems or access card systems, which rely on information that can be forgotten or items that can be lost, biometric techniques provide access based on who people are rather than what they have in their possession.
In principle, a biometric system is a pattern recognition unit that gathers a specific type of biometric data from a person, extracts a relevant feature from that data, compares that feature to a preset group of attributes in its database, and then performs an action based on the accuracy of the comparison. A variety of characteristics can be used for biometric comparison, such as fingerprints, irises, hand geometry, voice patterns, or DNA information, and although there are certain limitations to biometric capabilities, an effective system can precisely identify an individual based on these factors. A standard biometric access control system is composed of four main types of components: a sensor device, a quality assessment unit, a feature comparison and matching unit, and a database. Unlike password-based systems, there is a start-up cost associated with these systems, and it can vary from moderately inexpensive to impressively expensive.
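To make the four components concrete, here is a toy verification pipeline written as an added example for this post (it is not code from the blog or from any real biometric product). Constructed four-element feature vectors stand in for sensor output, a quality gate refuses poor captures, a distance-plus-threshold rule does the matching against a small template database, and an error-rate function shows the limitation the post alludes to: loosening the threshold to stop rejecting genuine users starts accepting impostors. The subject names, feature values and quality scores are all made up.

```python
"""Toy biometric verification pipeline (added example, not from the blog post).

Components named in the post: sensor (stand-in: constructed feature vectors),
quality assessment unit, feature comparison and matching unit, template database.
Every feature vector and quality score below is a constructed number."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FEATURE_DIM = 4

# Template database: subject id -> enrolled feature vector (constructed values).
ENROLLED: Dict[str, List[float]] = {
    "alice": [0.10, 0.80, 0.35, 0.60],
    "bob":   [0.90, 0.20, 0.70, 0.15],
}


@dataclass
class Sample:
    """One capture from the sensor."""
    subject: str           # who actually presented; ground truth used only for evaluation
    features: List[float]  # feature vector extracted from the capture
    quality: float         # sensor-reported capture quality in [0, 1]


def quality_ok(sample: Sample, min_quality: float = 0.5) -> bool:
    """Quality assessment unit: refuse to compare captures that are too poor."""
    return (sample.quality >= min_quality
            and len(sample.features) == FEATURE_DIM
            and all(0.0 <= f <= 1.0 for f in sample.features))


def distance(a: List[float], b: List[float]) -> float:
    """Euclidean distance between two feature vectors; smaller means more similar."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(sample: Sample, claimed_id: str, threshold: float) -> bool:
    """1:1 matching: accept only if the sample is within threshold of the claimed template."""
    if claimed_id not in ENROLLED or not quality_ok(sample):
        return False
    return distance(sample.features, ENROLLED[claimed_id]) <= threshold


def identify(sample: Sample, threshold: float) -> Optional[str]:
    """1:N matching: return the closest enrolled id if it is within threshold, else None."""
    if not quality_ok(sample):
        return None
    best_id, best_d = None, math.inf
    for sid, template in ENROLLED.items():
        d = distance(sample.features, template)
        if d < best_d:
            best_id, best_d = sid, d
    return best_id if best_d <= threshold else None


def error_rates(samples: List[Sample], threshold: float) -> Tuple[float, float]:
    """(false accept rate, false reject rate) over every sample / claimed-id pair.

    A false accept is an impostor claim that verify() accepted; a false reject is a
    genuine claim it refused. Tightening the threshold lowers FAR and raises FRR."""
    false_accepts = false_rejects = impostor_trials = genuine_trials = 0
    for s in samples:
        for claimed in ENROLLED:
            accepted = verify(s, claimed, threshold)
            if s.subject == claimed:
                genuine_trials += 1
                false_rejects += int(not accepted)
            else:
                impostor_trials += 1
                false_accepts += int(accepted)
    return false_accepts / impostor_trials, false_rejects / genuine_trials


# Constructed captures: two genuine alice presentations (one noisier), one genuine
# bob presentation, and one impostor ("mallory") whose features sit near alice's.
SAMPLES = [
    Sample("alice",   [0.12, 0.78, 0.36, 0.58], quality=0.9),
    Sample("alice",   [0.20, 0.70, 0.30, 0.50], quality=0.8),
    Sample("bob",     [0.88, 0.22, 0.72, 0.17], quality=0.9),
    Sample("mallory", [0.30, 0.70, 0.40, 0.55], quality=0.9),
]
# Perfect features but a bad capture: the quality gate must refuse it before matching.
SMUDGED = Sample("alice", [0.10, 0.80, 0.35, 0.60], quality=0.3)


if __name__ == "__main__":
    for threshold in (0.10, 0.25):
        far, frr = error_rates(SAMPLES, threshold)
        print(f"threshold={threshold:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("smudged capture identified as:", identify(SMUDGED, 0.25))
    print("impostor identified as (loose threshold):", identify(SAMPLES[3], 0.25))
```

With the strict threshold (0.10) no impostor gets in but the noisier genuine alice capture is rejected; with the loose threshold (0.25) every genuine capture passes but mallory is accepted as alice. Choosing that operating point, and rejecting low-quality captures before they ever reach the matcher, is the design decision the four-component architecture leaves to the deployer.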
Continuing with our topic of Risk Assessment, companies looking for better ways of prioritizing their defensive efforts need to look beyond vulnerabilities and find the real threats to their business before those threats find them. The basic equation for risk is simple: if an adversary or threat can exploit a vulnerability to harm an asset, then you have risk. Yet far too many companies focus on the two components of risk that are typically internal to their networks: assets and, most of all, vulnerabilities. Increasingly, security professionals advise companies to do their homework and gauge what threats may be targeting their networks and data. One issue is that most defenders wait behind their firewalls for the attackers, effectively giving up the initiative. Companies instead need to model the threats to their network and gather intelligence on possible adversaries. To that end, a good start is for companies to make a short list of the threats they face to their business: not just cyber-criminals and online adversaries, but other events that could cripple the company. Most companies will find that advanced persistent threats and hacktivists are likely not among their major worries.
Below are a few things companies can do to get a jump on attackers:
Watch for the attacks
Pump your vendors for threat data
Meet with your competitors
Find a threat analyst
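The risk equation above is easy to state and easy to ignore in practice. The following is an added example, not code from the blog post or from the article it draws on, showing what changes when a risk register is ranked by the full equation (asset value x vulnerability x threat likelihood) instead of by vulnerability severity alone. The register entries, the 1 to 5 scores and the threat labels are constructed for illustration; the "threat likelihood" column is the short list of threats the post says a company should draw up, including non-cyber events.

```python
"""Threat-informed risk prioritisation (added example, not from the blog post).

Scores the constructed register two ways and reports how each asset's position
changes once threat likelihood is included in the calculation."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RiskItem:
    asset: str
    asset_value: int        # 1..5: business impact if the asset is harmed
    vulnerability: int      # 1..5: how exploitable the weakness is
    threat: str             # adversary or event that would exploit it
    threat_likelihood: int  # 1..5: how likely that threat is for THIS company


def risk_score(item: RiskItem) -> int:
    """The post's equation: a threat exploits a vulnerability to harm an asset."""
    return item.asset_value * item.vulnerability * item.threat_likelihood


def rank_by_vulnerability(register: List[RiskItem]) -> List[str]:
    """What a vulnerability-only programme fixes first (ties broken by asset value)."""
    ordered = sorted(register, key=lambda i: (i.vulnerability, i.asset_value), reverse=True)
    return [i.asset for i in ordered]


def rank_by_risk(register: List[RiskItem]) -> List[str]:
    """Threat-informed ordering using the full risk equation."""
    return [i.asset for i in sorted(register, key=risk_score, reverse=True)]


def rank_shift(register: List[RiskItem]) -> Dict[str, int]:
    """Positions each asset moves up (+) or down (-) once threats are considered."""
    by_vuln = rank_by_vulnerability(register)
    by_risk = rank_by_risk(register)
    return {a: by_vuln.index(a) - by_risk.index(a) for a in by_vuln}


# Constructed register: scores and threat labels are illustrative only.
REGISTER = [
    RiskItem("public web server",  3, 5, "opportunistic scanners",          5),
    RiskItem("HR database",        5, 3, "financially motivated criminals", 4),
    RiskItem("payment system",     5, 2, "financially motivated criminals", 5),
    RiskItem("primary datacenter", 5, 3, "flooding, no off-site backup",    3),
    RiskItem("R&D file share",     5, 4, "state-sponsored espionage",       1),
    RiskItem("office printer",     1, 5, "curious insider",                 2),
]

if __name__ == "__main__":
    print("vulnerability-only:", rank_by_vulnerability(REGISTER))
    print("threat-informed:   ", rank_by_risk(REGISTER))
    for asset, shift in rank_shift(REGISTER).items():
        print(f"{asset:18s} {shift:+d}")
```

On this register the vulnerability-only view puts the office printer second and the payment system last; once a realistic threat likelihood is applied the printer drops four places, the R&D share (whose only plausible adversary is one this company is unlikely to attract) drops two, and the payment system climbs three. The arithmetic is trivial; the point is that the threat column has to be filled in from intelligence, vendors and peers before the ranking means anything.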
So this week we covered Risk Management in my Masters course, so I wanted to talk a little bit about operational risk management.
Operational risk is perhaps the most significant risk organizations face. Virtually every major loss that has taken place during the past 20 years, from Enron to WorldCom and Barings Bank, has been driven by operational failure. Many financial institutions have spent tens of millions of dollars trying to develop a robust framework for measuring and managing operational risk. Yet, in spite of this huge investment, for many firms developing a viable operational risk management (ORM) program remains an elusive goal. Why is this so? A lot has to do with the way organizations have approached this problem and the underlying assumptions they have made. Many financial firms believe that operational risk is not a material risk. This can be seen in the low capital charge allocated to this risk relative to other risks (e.g., 15% to 20% of total economic/regulatory capital). Many view operational risk as just back-office operations risk, and executives generally believe that ORM is fundamentally about managing control weaknesses in the processes at a tactical level. These views have largely shaped funding and staffing decisions, which have in turn affected resource allocation and methodology development.
Sunday, November 2, 2014
Okay, and we are back to discussing components of a good internal security awareness program:
Computer Based Training
CBT is the most omnipresent component of security awareness programs, as it is the most clearly accepted method of achieving compliance. Per our past article, this is a case where people confuse Security Training with Security Awareness. CBT provides a set body of knowledge and tests people to ensure short-term memory retention. However, the reliance specifically on CBT as a Security Awareness program is what creates the bulk of the criticism about Security Awareness in general. Despite what the critics say, this is still a vital component.
CBT can range from 3 minutes to hours long (I do not suggest the latter, as your people will go into "I don't care" mode after a time) with varying degrees of interactivity. It can summarize the most important lessons you would like your employees to learn. Unless the CBTs are on the shorter side, it is limited to one time per year, as you can't have employees taking extended training on multiple occasions. However, multiple short CBTs can be used to reinforce many concepts throughout the year and can be very valuable.
This next topic is one of the most important components in my opinion.
Security Portal
An internal security portal provides several functions. First, it provides a knowledge base that can be time-consuming to create and maintain, but can provide a huge return on investment. It should include information on security-related topics, such as securing a mobile device, creating a strong password, and travel security. It is also important to include information on home and personal security strategies, such as protecting children online and securing social media accounts. If you provide information that personally engages employees, the behaviors can translate to secure work habits.
Creating the knowledge base can seem a bit like Sisyphus and the rock, especially since it must also be kept up to date to reflect changing technologies. However, the time is worth it as it engages employees, and provides information that is not being covered by other awareness efforts, but is still important to the employee.
The other critical aspect of a security portal that should be included is a method to contact the security staff with questions. This provides a way for people to report potential incidents, and just reach out with general questions and concerns.
For this post I thought I would talk about a few things that are vital to any security program that informs internal personnel about security awareness. As stated earlier, these are just some things that I think a program would need.
Collateral
Collateral is a broad term for internally distributed materials. These are things like newsletters, blogs, and other internal communications. These types of internal communication serve as a simple reminder to your users that security is important and gives you an opportunity to educate them once you have their attention. Try to keep these communications bite-sized but give them a link back to a lengthier article if they want more information. Work within acceptable corporate guidelines, but be aware of limitations. If newsletters are the only way, still go for it, but try to appeal to different demographics.
For example, while older people tend to respond to traditional newsletters, Millennials might respond better to a blog or Twitter-like activities. Also consider the possibility that some media types might be too congested. For example, newsletters might be deleted unread out of habit by many employees, so they might not be the best choice of venue for your Security Awareness program. Whichever formats you choose, make sure you set up your process to enable you to capture metrics on readership and click-throughs. Metrics will allow you to determine where to focus future efforts.
Posters
Posters are a tried and true method of raising awareness. While some people believe they are old-fashioned and outdated, they can be very effective when they are well designed. The Smokey the Bear and the now ubiquitous "See Something, Say Something" campaigns are testament to the effectiveness of posters. If you lack the skills to come up with a catchy tagline and your best shot at drawing still limits you to stick figures, it's okay to branch out to your internal marketing team or contract a graphic designer. This way you can ensure the style of poster and messaging matches your corporate culture.
Also consider including a QR code that will bring users back to your internal knowledge base, if you have one. This will accomplish two things: 1) give your employees more information on the given topic, and 2) collect metrics on how many employees are reading your poster and looking for more information. Lastly, make sure your posters are placed in highly trafficked areas where they will receive maximum visibility. You don't want to place them where they become background noise.
My next post will have a few more components for a good internal security awareness program.