Category Archives: Security

Security Done Right

During my job-related trip to Israel a couple of months ago, I was subjected to a thorough security check at the airport. I learned later on that everybody goes through the same process. It was a little inconvenient, but in the end, I felt safe.

With all the advance technologies in security, nothing beats the old way of conducting security – thorough checks on individuals. I also noticed the defense in depth strategy at the Israel airport – the several layers of security people have to pass to get to their destinations. No wonder some of the greatest IT security companies come from Israel (e.g. Checkpoint Firewall).

As an IT security professional (I’m a CISSP certified), I can totally relate to the security measures Israel has to implement. And companies need to learn from them. Not a day goes by that we learn companies being hacked, shamed, and extorted by hackers around the world.

Sadly, some companies only take security seriously when it’s too late – when their data has been stolen, their systems have been compromised, and their twitter account has been taken over. It will be a never ending battle with hackers, but it’s a great idea to start securing your systems now.

CISSP

A couple of days ago, I got the official renewal of my CISSP (Certified Information Systems Security Professional) certification from ISC2.  My certification is valid again for another three years, until October 2015.

CISSP certification is one of the certifications I make sure to maintain because of its usefulness. No question every IT professional should be aware of security implications in any system he/she develops, build, or maintain.  Security breaches are becoming the norm and IT professionals should be prepared to face these challenges.  CISSP certification greatly help IT professionals like me in creating and enforcing security policies and procedures, and in designing and maintaining secure systems.

When I first obtained the certification six years ago, in Oct 2006, I remembered it was one of the toughest exam I ever took.  And passing the exam is just one of the requirements.  One should have at least five years information security experience, and should be endorsed by another CISSP professional.  In addition, one should abide by the ISC2 code of ethics.

To maintain certification, one should obtain Continuing Professional Education (CPE) credits of 120 points within three years, and pay the annual maintenance fee.   The requirement to obtain CPE credits keeps my security skills current.  There are many ways to obtain CPE credits.  My favorites are the security seminars and conferences such as Secure Boston, Source Boston, and IANS.  One can also get points by reviewing security books, reading and writing security articles, and speaking about security in seminars and conferences, among others.

To learn more about CISSP and how to get certified, go to the ISC2 website.

BYOD

Recently, I attended a security seminar on the newest buzzword in the IT industry – BYOD, or Bring Your Own Device – to complete my CISSP CPE (Continuing Professional Education) requirement for the year. The seminar was sponsored by ISC2 and the speaker, Brandon Dunlap, is a seasoned, insightful, and very entertaining speaker.  I highly recommend the seminar.

BYOD came about because of the popularity of mobile devices – iPhone, iPad, Android, Blackberry, etc.- , the consumerization of IT, and employees getting more flexible schedules.    Companies are starting to allow their employees to use their own devices – to improve productivity, mobility, and supposedly save the company money.  The millennials, in particular, are more apt to use their own devices.  Owning these devices for them signifies status symbol or a fashion statement.

However,  does it make sense to allow these devices into the company’s network?  What are the security implications of the BYOD phenomenon?

From a technology standpoint, there are a lot of innovations to secure both the mobile devices and the company’s applications and data, for instance, using containers, to separate personal apps and company’s apps.  Security companies are creating products and services that will improve the security of BYOD.  But from a policy and legal standpoint, very little is being done.  Companies who jumped into this BYOD buzz are getting stung by BYOD pitfalls as exemplified by one of the greatest IT companies in the world – IBM.   In addition, recent studies showed that BYOD does not really save company money.

Companies need to thoroughly understand BYOD before adopting it.  It is a totally new way of working.

The seminar highlighted the many problems of BYOD, and the immense work that needs to be done to make it successful.  No wonder the organizer entitled it “Bring Your Own Disaster” instead of “Bring Your Own Device.”

 

Security Strategy

Amidst the highly publicized security breaches, such as the LinkedIn hacked passwords, hacktivists defacing high profile websites, or online thieves stealing credit card information, one of the under-reported security breaches are nation states or unknown groups stealing Intellectual Property information from companies such as building designs, manufacturing secret formulas, business processes, financial information, etc. This could be the most damaging security breach in terms of its effect on the economy.

Companies do not even know they are being hacked, or are reluctant to report such breaches. And the sad truth is that companies do not even bother beefing up their security until they become victims.

In this day and age, all companies should have a comprehensive security program to protect their assets. It starts with an excellent security strategy, a user awareness program (a lot of security breaches are done via social engineering), and a sound technical solution. A multi-layered security is always the best defense – a firewall that monitors traffic, blocks IP addresses that launches attacks, and limits the network point of entry; an IDS/IPS that identifies attacks and gives signal; a good Security Information and Event Management (SIEM) system; and good patch management system to patch servers and applications immediately once vulnerabilities are identified, to name a few.

Cost is always the deciding factor in implementing technologies. Due diligence is needed in creating cost analysis and threat model. As with any security implementation, you do not buy a security solution that costs more than the system you are protecting.

Thoughts on Information Security

I cannot stress enough the importance of information security. Almost everyday we hear stories about security breaches – hacker groups defacing websites for political purposes, countries stealing proprietary information from other countries and companies, organized crime stealing credit card information and selling those in the black market.

Cloud computing and mobile devices have exacerbated the problem.

The thing with security is that it is at odds with convenience. We want to get things done quickly, but security slows us down. For instance, we are required to enter hard to guess passwords to access our bank account online or access our company’s applications. Why not just let us in right away? Remembering passwords (and lots of them) and being required to change them every three months take some time and effort.

But if we want ourselves and our companies we work for to be secure, we should give up a little convenience. There is no other way.

A lot of technical solutions and innovations have been devised to improve information security. But no amount of technical innovation can solve the weakest link in security – social engineering. Remember the “I Love You” virus several years ago? It was a virus that was spread when you open an email with the subject line “I Love You.” Who wouldn’t want to open an email with that subject line?

User awareness is the key. Companies and individuals should at least invest in training on security and privacy.

The sad thing is that many companies and individuals do not take security very seriously, until they become victims. True, we should not spend significant amount of time and money for security. The resources we spend on security should be proportional to the assets we are protecting. You should not buy a 1 million dollar vault to protect your 100K painting.

When I obtained my CISSP certification several years ago, I didn’t plan on specializing on information security. I have, however, incorporated good security practices in system and network design and implementation, virtualization, storage, and almost all aspect of IT. But with the tremendous need for IT security professionals these days, I might consider specializing in information security.