Sunday, May 26, 2013

Information Security Jobs – The future looks bright

Many recent reports show that demand for information security jobs continues to grow, especially for middle management and senior information security roles. New regulations such as the US Patriot Act, HIPAA, GLBA and others are adding to the growth in information security jobs. Recent reports of cyber espionage from China and the eastern European bloc add to the general awareness that information security is important to businesses and to national security.

On Feb 12 2013 President Obama announced that cyber threats represent one of the nation's most serious threats to national security and to the economy. As a result the President created the Cyber Security Office and appointed a Federal Chief Information Officer. The organization's primary goals are to 1) improve our resilience to cyber incidents and 2) reduce cyber threats.

According to Robert Half, data security positions are on the rise, with average salaries ranging from $89,000-121,000 depending upon experience. Security certifications such as the Certified Information Systems Security Professional (CISSP) are in high demand, with approximately 10,000 certifications issued last year. As the internet continues to grow and malware strains morph out of control, it's no wonder that the need for information security jobs will continue to grow.


Sunday, May 19, 2013

Uncle Sam using Biometrics to make America a Safer Place

Since 9/11 the need for biometrics has increased, and the US Department of Defense (DOD) has been at the forefront of developing systems for use by homeland security, US Immigration, US Border Patrol, the US military, and law enforcement. The FBI has developed the IAFIS system (Integrated Automated Fingerprint Identification System), a national database of fingerprints. It also contains information such as mug shots, aliases, hair and eye color, physical characteristics and other biometric identifiers. Currently the IAFIS master file holds more than 70 million criminal subjects, including 34 million civil prints. The average response time is 27 minutes.

Biometrics is no longer confined to the movies and spy novels. It is used every day by immigration and border patrol, law enforcement, and the US military. As visitors enter the US their fingerprint identification is captured along with their credentials to determine how many times they enter and when they leave. Border patrol uses it to identify potential traffickers and illegal immigrants that cross the borders. And the US military uses biometrics to track down terrorists.

A number of laws promote the use of biometrics, such as the US Patriot Act, the Enhanced Border Security and Visa Entry Reform Act of 2002, the Responsibility and Work Opportunity Act of 1995, and the Immigration Control and Financial Responsibility Act of 1996. For more information about the use of biometrics by the US government visit the following sites:


Sunday, May 12, 2013

How do you quantify risk?


There are a number of ways to quantify risk. Here are two approaches.
Say your company produces widgets and has two machines in the manufacturing process. Machine A is worth $100,000 and would take months to replace if it were damaged. Machine B is worth $20,000 and can be replaced quickly. To protect these assets you probably have insurance, and some type of maintenance is performed on each machine on a regular basis to keep it from breaking down.
Let's say that the annual cost of maintenance is $10,000 for Machine A and $1,000 for Machine B. Machine A breaks down once per quarter and Machine B breaks down twice a year. Each time a machine breaks down it costs your company revenue, which has an impact on your profitability and your reputation.

Approach 1 is the Weighted Factor Analysis:

Multiply each machine's impact rating in each category by that category's weight and sum the products; the resulting weighted score shows which machine presents the most risk for the organization.

Asset            Revenue Impact   Profitability Impact   Reputation Impact   Weighted Score
Weight (1-100)   30               40                     30
Machine A        .8               .9                     .5                  75
Machine B        .8               .9                     .6                  78

Based upon the weighted score Machine B has more value and more risk for the organization.

Approach 2: Annualized Loss Expectancy

Each machine has an exposure factor (EF), the proportion of the asset's value lost in a single failure. Let's say that Machine A's EF is .1 and Machine B's is .2. The Single Loss Expectancy (SLE), the cost of each incident of downtime, is then calculated as follows: SLE = Asset value * EF

Machine A’s  SLE = $100,000 * .1 = $10,000
Machine B’s SLE = $20,000 *.2 = $4,000

We already know that Machine A breaks down once per quarter and Machine B breaks down twice a year.

So the Annualized loss expectancy (ALE) for each machine is:
Machine A’s ALE = $10,000 * 4 = $40,000
Machine B’s ALE = $4,000 * 2 = $8,000

Machine A is clearly the most valuable machine in the organization and causes the most loss from breakdowns each year. From this information it is probably worth exploring a risk mitigation alternative for Machine A, such as more frequent maintenance, spare parts on hand, or preventive maintenance training, to reduce the expense of downtime. In the first approach Machine B appears more at risk, but approach 2 shows that the Annualized Loss Expectancy for Machine A is really more costly for the organization.
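As an added example (not code from the original post), here are both approaches above computed on the post's own figures; the asset-record layout and the maintenance what-if at the end are assumptions, and the net-benefit check goes one step beyond the post by weighing a control's yearly cost against the ALE it removes.

```python
# Added example (not the post's code): both approaches above run on the
# post's own figures; the dict layout and what-if numbers are assumptions.

# Category weights from the post; they sum to 100 so a score runs 0-100.
WEIGHTS = {"revenue": 30, "profitability": 40, "reputation": 30}

# Constructed asset records holding the post's figures.
ASSETS = {
    "Machine A": {"value": 100_000, "exposure_factor": 0.1, "failures_per_year": 4,
                  "impact": {"revenue": 0.8, "profitability": 0.9, "reputation": 0.5}},
    "Machine B": {"value": 20_000, "exposure_factor": 0.2, "failures_per_year": 2,
                  "impact": {"revenue": 0.8, "profitability": 0.9, "reputation": 0.6}},
}

def weighted_score(impact, weights=WEIGHTS):
    """Approach 1: sum of (impact rating x category weight)."""
    return round(sum(impact[c] * w for c, w in weights.items()), 2)

def single_loss_expectancy(value, exposure_factor):
    """SLE = asset value x EF: the cost of one failure."""
    return round(value * exposure_factor, 2)

def annualized_loss_expectancy(value, exposure_factor, failures_per_year):
    """ALE = SLE x ARO (annual rate of occurrence)."""
    return round(single_loss_expectancy(value, exposure_factor) * failures_per_year, 2)

def ale_of(asset):
    return annualized_loss_expectancy(asset["value"], asset["exposure_factor"],
                                      asset["failures_per_year"])

def rank(assets=ASSETS):
    """Highest-risk asset under approach 1 and under approach 2; they differ here."""
    scores = {n: weighted_score(a["impact"]) for n, a in assets.items()}
    ales = {n: ale_of(a) for n, a in assets.items()}
    return max(scores, key=scores.get), max(ales, key=ales.get)

def net_benefit(asset, new_failures_per_year, annual_control_cost):
    """Beyond the post: a control pays off when the ALE it removes exceeds
    its yearly cost, i.e. ALE before - ALE after - control cost > 0."""
    after = annualized_loss_expectancy(asset["value"], asset["exposure_factor"],
                                       new_failures_per_year)
    return ale_of(asset) - after - annual_control_cost

if __name__ == "__main__":
    print(rank())  # ('Machine B', 'Machine A')
    # Constructed what-if: extra maintenance on Machine A costs $5,000 a year
    # and halves its breakdowns (4 -> 2), leaving a net benefit of $15,000.
    print(net_benefit(ASSETS["Machine A"], 2, 5_000))  # 15000.0
```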

Sunday, May 5, 2013

Risk Management and Risk Ranking.


Has your organization performed a Risk Assessment? 

Many organizations fail to keep current on risk management. Oftentimes risk management only becomes important after a costly incident occurs. With little effort it's easy to reduce your organization's risk exposure by performing a risk assessment. A risk assessment, or risk analysis, is a simple process of identifying the most valuable assets, assigning a value to them, and then identifying the probability of certain threats occurring. Once you have an inventory of assets in place and have identified the most likely threats, you simply calculate a risk ranking. The higher the risk ranking, the more time, money, and effort are needed on risk mitigation steps to prevent losses from occurring.

Here's a simple and valuable formula that your organization can use to identify and rank its risks:

Risk Ranking = (likelihood of the vulnerability occurring) X (value of the asset) – (percentage of the risk already mitigated by current controls) + (uncertainty of current knowledge of the vulnerability)

For example:
Let's say that you have an Application Server that is used by most of your workers, and you also have a separate email server that your workers use too. How do you determine which one poses the most risk to the organization?

Asset                Asset Impact   Vulnerability      Vulnerability Likelihood   Certainty of Assumptions   Risk Mitigation   Risk Rating Factor
Application Server   50             Hardware failure   1                          .9                         0                 55
Mail Server          100            Hardware failure   .5                         .8                         .50               35

You can see from this chart that the greatest risk is associated with the Application Server. You can also see that, unlike the mail server, the application server has no risk mitigation in place. The conclusion is very simple: the organization should spend effort on risk mitigation for the Application Server because its risk ranking is the highest.
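An added example, not the post's own code, applying the formula above to the chart's two assets. The mitigation and uncertainty percentages are applied to the likelihood × asset-impact product, which is the reading that reproduces the chart's 55 and 35; the record layout and the what-if control at the end are assumptions.

```python
# Added example (not the post's code): the risk ranking formula above applied
# to the chart's two assets. The mitigation and uncertainty percentages are
# taken of the (likelihood x asset impact) product, the reading that gives
# the chart's 55 and 35. Record layout is an assumption.

# Constructed records holding the chart's values.
ASSETS = [
    {"asset": "Application Server", "impact": 50, "vulnerability": "Hardware failure",
     "likelihood": 1.0, "certainty": 0.9, "mitigation": 0.0},
    {"asset": "Mail Server", "impact": 100, "vulnerability": "Hardware failure",
     "likelihood": 0.5, "certainty": 0.8, "mitigation": 0.5},
]

def risk_rating(impact, likelihood, certainty, mitigation):
    """Risk = L x V - (L x V x mitigated%) + (L x V x uncertainty),
    with uncertainty = 1 - certainty of the assumptions."""
    base = likelihood * impact
    return round(base - base * mitigation + base * (1 - certainty), 2)

def rank(assets=ASSETS):
    """Return [(asset, vulnerability, rating)] with the highest risk first."""
    rated = [(a["asset"], a["vulnerability"],
              risk_rating(a["impact"], a["likelihood"], a["certainty"], a["mitigation"]))
             for a in assets]
    return sorted(rated, key=lambda r: r[2], reverse=True)

def rating_with_control(asset, mitigation):
    """What-if: the same asset's rating once a control that mitigates
    `mitigation` (0-1) of the risk is in place."""
    return risk_rating(asset["impact"], asset["likelihood"], asset["certainty"], mitigation)

if __name__ == "__main__":
    for name, vuln, rating in rank():
        print(f"{name:20} {vuln:18} {rating}")
    # Constructed what-if: a 50% mitigation control on the Application Server.
    print(rating_with_control(ASSETS[0], 0.5))  # 30.0
```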

For more information on Risk Management consult the following resources:

The Institute of Risk Management: http://www.theirm.org/
The Risk Management Society: http://www.rims.org
The Risk Management Association: http://www.rmahq.org