Sunday, June 23, 2013

NSA Whistleblower Edward Snowden is Proof that Humans Are the Weakest Link in Security Systems

I've said it before in my other blog posts that regardless of how secure you think a system is, there is always the chance of a compromise. You would think that out of all people the CIA would have known this. For this post, I'm going to focus on the biggest reason for system vulnerability: humans. Internal controls may be put in place to mitigate risks, yet employees, for whatever reasons, will find ways to circumvent those controls. Computers, network devices, and software will malfunction here and there, but when you compare their reliability with that of humans, hardware and software come out ahead.

In Edward Snowden's case, he rationalized that he had justification to violate his organization's policy. The NSA may have some shortcomings that violate the public's privacy, but I think Snowden went about this the wrong way. Just my humble opinion. Was Edward Snowden ethically right or wrong for leaking details of the classified NSA mass surveillance program? It's hard for me to really answer that. The lesson to learn here is that people in your organization will be the most likely cause of information leaks. People will always rationalize to justify violating company policy.

Some may argue that Edward Snowden just wanted publicity or some may say he was genuinely looking out for the American public. I say beware of who you trust with your information.

The Alphabet Soup of Security Regulations (SOX, GLBA, PCI-DSS, HIPAA)

The alphabet soup of security regulations (SOX, GLBA, PCI-DSS, HIPAA) is evidence of the growing concern about security issues in every organization, government agency, corporation, and military unit. Organizations need to protect their market share, customers, and bottom line, follow the regulations, and still maintain their competitive edge. It pays to be familiar with all the various security regulations because they provide guidelines to protect the public and help corporations be socially responsible. Here is a list of some of the regulations and their descriptions.

SOX

SOX is short for the Sarbanes-Oxley Act of 2002. After the collapse of the fraudulent Enron and WorldCom, Senators Sarbanes and Oxley helped pass this securities law to protect investors. This bill affects IT because corporations that report to the Securities and Exchange Commission often use information technology and information systems to complete the company's financial accounting and reporting. SOX requires corporations to have internal controls in place to ensure the proper recording of accounting information and to mitigate the risk of fraud.

GLBA

GLBA is short for the Gramm-Leach-Bliley Act of 1999. The regulation requires financial institutions to develop privacy notices and give their customers the option to restrict the institution from sharing their information with nonaffiliated third parties. There should be a written security policy in place that explains how customers' information is being kept confidential.

PCI-DSS

PCI-DSS stands for Payment Card Industry Data Security Standard. This standard applies to all businesses that process, transmit, store, or accept credit card data. There are 12 core requirements to follow, which I may write about in future blog posts.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation enacted to standardize the handling of medical information by medical professionals and organizations. HIPAA provides the necessary framework and guidelines to ensure the security, integrity, and privacy of patients' information. Fines for violation of this regulation can be as much as $50,000 and one year in prison. The amount can go up to $250,000 and ten years in prison if the violation was done willfully and intentionally under false pretenses.

This is just a quick overview of some of the major information security regulations and standards, but there are many more. I think every information security practitioner needs to become familiar with the laws, directives, and regulations in computer and information security to be able to better serve their clients. In my next post, I will talk about the various certifications that are available for information security practitioners.

Friday, June 21, 2013

The CIA of Information Security

In information security, CIA is a popular acronym that describes the three objectives of information security: confidentiality, integrity, and availability. There should be a balance between them. Confidentiality is the objective of keeping the user's information private. The user could be a customer, client, patient, etc. Sometimes confidentiality is required by law, as HIPAA does for the medical field, and sometimes it is a matter of being ethical and following best practice. As information security becomes more of a concern for the average user, companies need to consider protecting their clients' information as part of their corporate social responsibility initiative.

Integrity means that the information remains intact. Whether it's done intentionally or accidentally, providing stakeholders with incorrect information may have a huge impact on the bottom line of a business. Corporations may have to pay fines to the SEC for misstatements; they may lose investors because of reduced confidence. Inaccurate information also increases information risk: decision makers end up basing their decisions on bad data. Information security strives to ensure the accuracy of the data that people rely on to make decisions. As an example, think of a doctor verifying the patient and the surgical operation that is to be performed. You can imagine the kind of error that could happen if the medical information system displayed the wrong procedure for a patient. Another example is bank account information being mixed up.

Availability ensures that the information is there when users of the system need it. Some companies would lose millions if their online store website were down for a few hours. Denial of Service (DoS) is one type of attack that focuses on making systems unavailable to users. Additional backup servers are needed as part of a company's disaster recovery plan or contingency plan.

When you think of securing a system think of the security principles CIA--confidentiality, integrity, and availability.

Saturday, June 15, 2013

It Should Be Called Pass Phrase

"Password" is a misnomer. If you actually use a word from the dictionary as your password to any account, you are making life easy for hackers. As a best practice, systems administrators should ensure their organization has a good password policy as its security baseline. The policy should be taught to all users and enforced.

Audits should be conducted using popular password-cracking utilities such as Cain & Abel, John the Ripper, and Crack. Password age should be limited to a maximum of 60 days. The risk of dictionary attacks and brute force (when a hacker uses special software to guess a password) can be minimized if passwords are complex and changed frequently.

Keep in mind that your password should be based on a passphrase instead of dictionary words, pet names, favorite teams, birthday months, etc. Also, remember that all accounts and systems you log in to are potentially important, even though they may not appear to hold valuable information. Email accounts can be used to reset other accounts, such as bank accounts. Accounts on social media sites such as Facebook could be used to extract information from your friends and family by posing as you.

Here are some components of a good pass-"phrase":

  • Should be at least fifteen characters long
  • At least two of the characters should be uppercase (A-Z)
  • At least two of the characters should be lowercase (a-z)
  • At least two of the characters should be numbers (0-9)
  • At least two of the characters should be special characters or punctuation marks )(*&^%$#@!?
  • No real words
  • Not the same as the login name or the user's real first or last name
  • Should be changed frequently

Example:

phrase: I love twitter and facebook

passphrase: !Lov3Twitt3r&FB

It would take password-cracking tools centuries to crack this passphrase, and it's easy for the user to remember.
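To show how the components listed above can be enforced rather than just taught, here is an added example (my own code for this post, not from any product) that checks a candidate passphrase against every rule: the length and character-class counts, the "no real words" rule, the login/real-name rule, and the 60-day maximum age from the audit section. The wordlist is a small constructed stand-in; a real check would load a full dictionary such as the ones shipped with the cracking tools named above.

```python
from string import punctuation

# Policy values taken from the post.
MIN_LENGTH = 15
MIN_PER_CLASS = 2
MAX_AGE_DAYS = 60

# Constructed stand-in for a real dictionary file (assumption for the example).
SAMPLE_WORDLIST = {"love", "twitter", "facebook", "password", "summer", "welcome"}


def check_passphrase(candidate, login_name="", real_name="", age_days=0,
                     wordlist=SAMPLE_WORDLIST):
    """Return the list of policy rules the candidate violates (empty list = compliant)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # At least two characters from each class: upper, lower, digit, special.
    classes = {
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "digit": sum(c.isdigit() for c in candidate),
        "special": sum(c in punctuation for c in candidate),
    }
    for name, count in classes.items():
        if count < MIN_PER_CLASS:
            failures.append(f"fewer than {MIN_PER_CLASS} {name} characters")

    lowered = candidate.lower()
    # "No real words": any wordlist entry of 4+ letters appearing verbatim fails.
    found = sorted(w for w in wordlist if len(w) >= 4 and w in lowered)
    if found:
        failures.append("contains dictionary word(s): " + ", ".join(found))

    # Login name / real name rule, applied per name token and case-insensitively;
    # rejecting mere containment is a slightly stricter reading than the post's wording.
    for token in (login_name + " " + real_name).lower().split():
        if len(token) >= 3 and token in lowered:
            failures.append(f"contains the login or real name '{token}'")

    # "Should be changed frequently": the post sets a 60-day maximum age.
    if age_days > MAX_AGE_DAYS:
        failures.append(f"older than {MAX_AGE_DAYS} days")
    return failures


def is_compliant(candidate, **kwargs):
    return not check_passphrase(candidate, **kwargs)
```

Running it on the post's own example, `!Lov3Twitt3r&FB` passes every rule, while the raw phrase `I love twitter and facebook` fails on uppercase, digits, special characters, and dictionary words.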

Friday, June 14, 2013

I Like My Security System to be Like My Cake: Multi-layered

I'll tell you right now there is no system out there that is 100% secure from being hacked. "Black hat" hackers usually try a number of attacks until they find a vulnerability in the system, then they exploit it. Security professionals have to counter all the various attacks by building up a security system that is multi-layered.

It pays to be able to think like the so-called "black hat" hacker. In fact, security professionals should consider themselves hackers and learn as much as possible from the hacking community with an open mind. How else are you going to know what the bad guys are up to and be prepared to counter their attacks?

The layered approach is fitting for most modern information security threats. Training staff on general security concepts such as social engineering, phishing, vishing, shoulder surfing, dumpster diving, and common email and online hoaxes should be the first layer of your organization's information security. Well-written policies, standards, guidelines, and procedures are another layer. Using the most up-to-date technology for encrypting confidential information is yet another layer. There are many more layers, such as testing and applying updates regularly, having a security baseline, intrusion detection, system hardening, etc. The list of layers can go on endlessly.

Even though there are no guarantees that an information system will be 100% secure, we can make it near impossible for it to be compromised.

Welcome to My Blog on Computer Information System Security

My name is Mike Cesaire, and I'm an IT professional with over ten years of information system security experience. I have dealt with many aspects of computer and information security, which I will be blogging about. I have passed the Security+ certification, therefore I'm certified by CompTIA. I haven't taken the CISSP or CISA yet, but I will keep you posted when I do.

My intended audience is information technology students, information security professionals, or anyone interested in information system security. I will share my knowledge, opinions, and experiences with all my readers. I will take the time to read all comments. Please ask lots of questions so I can address them in my blog posts.

In my blogs, I will discuss topics such as access control; telecommunications and network security; information security governance and risk management; software development security; cryptography; security architecture and design; operations security; business continuity and disaster recovery planning; legal, regulations, and compliance; and physical/environmental security.