CIS 608 - Information Security Management

Monday, October 31, 2011

Post 054 - CIS 608





Important News Item: DHS: U.S. infrastructure faces a barrage of cyber-attacks

Summary from CompTIA News Digest on October 30, 2011:

DHS: U.S. infrastructure faces a barrage of cyber-attacks
Hackers have launched thousands of cyber-attacks against critical U.S. infrastructure such as financial and transportation assets and have nearly succeeded in crippling key systems, according to the Department of Homeland Security. DHS Secretary Janet Napolitano said officials responded to more than 100,000 cybersecurity incidents in fiscal 2011, and she urged Congress to draft stronger laws to protect the nation's most vital networks.


========================================================
My Comments:

Looks like yet another reason to be in the Bellevue University M.S. in Cybersecurity Program:

I am resolved, more than ever, to do all the work and complete this important program.

I am also keeping my (public) course blogs up to date and they are getting TONS of hits.

http://cis608.blogspot.com - CIS 608 - Information Security Management

http://cybr515.blogspot.com - Security Architecture and Design

========================================================

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
http://billslater.com/career
Chicago, IL
United States of America



Sunday, October 30, 2011

Post 053 - CIS 608



Designing and Implementing Enterprise Network Malware Prevention Solutions

(This was my Assignment 9-3 for my CYBR 515 - Security Architecture and Design Course. I thought many of you might like seeing it here in this blog.)
==============================================

Conclusion (from the presentation)

This Enterprise Malware Protection Solution Implementation Project will:

1. Help provide protection from a wide range of threats
2. Enable excellence in protecting our client’s information
3. Help optimize return on investments
4. Help provide future business opportunities
5. Help protect the Slater Technologies, Inc. brand and reputation
6. Help ensure business continuity
7. Help reduce the risk of financial loss
8. Help reduce risk of litigation
9. Help Slater Technologies to become famous for what we do and how we do it

==============================================


The diagrams above were part of the design and presentation I created as part of the assignment shown below.

Companies like Symantec, McAfee, Trend Micro, Kaspersky, etc. provide enterprise-level malware protection. Choose a major anti-virus company and familiarize yourself with their product line. Using what you learned from your research and this week's reading assignment, create an executive presentation of 8-12 PowerPoint slides on the product and on how you would install an enterprise malware solution on a hypothetical network with 50 Windows servers and 2000 Windows 7 computers. Provide sufficient detail about hardware devices and software and where they would be installed. Create a high-level Visio diagram to accompany your proposal that shows the layout of your software. It is not necessary to diagram your complete network, just a high-level representation of it. For example, you could represent the 2000 Windows 7 computers with one icon labeled Windows 7 Workstations (2000). However, if you include a security appliance that provides malware protection, it should be included as a separate icon. Also, indicate the location of software components (clients, servers, databases, management tools, etc.) on your diagram.


================

William F. Slater, III, M.S., MBA, PMP, CISSP, SSCP, CISA, MCITP, MCSE, ISO 20000, ISO 27002, MCP #3585
Project Manager / Program Manager
Chicago, IL
slater@billslater.com
http://billslater.com/career


Post 052 - CIS 608



Newly Discovered Information: Chinese Hackers Attacked U.S. Satellites in 2007 and 2008

This is amazing. Why would our friends do something like this to American satellites?

Source: http://unionresourcecenter.com/wp/?p=9168

“Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions,” according to the draft. “Access to a satellite‘s controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission.”

More Information is in this BBC article:
http://www.bbc.co.uk/news/business-15490687

More Information is also in this Bloomberg article:
http://www.bloomberg.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html

==============================
William F. Slater, III, M.S., MBA, PMP, CISSP, SSCP, CISA, MCITP, MCSE, ISO 20000, ISO 27002, MCP #3585

Project Manager / Program Manager
Chicago, IL
slater@billslater.com
http://billslater.com/career


Saturday, October 29, 2011

Post 051 - CIS 608




Navajo Codetalkers - Some True World War II American Heroes of the U.S. Marine Corps

CYBR 515 - Week 9, Assignment 9_2 Trivia Question:

What is code talking and how was it used in World War 2?

During the early part of World War II, the U.S. Government allowed the United States Marine Corps to recruit Native Americans from the Navajo tribe to be able to quickly transmit messages via combat radio equipment using their native Navajo language in combat situations in the Pacific Theater while fighting the Japanese troops (Churchhouse, 2004).

Initially, this project with the Navajo codetalkers, as they were called, started with 29 Navajo Marines. The significance of the ability to use these Navajo codetalkers was that it afforded the U.S. Marines the ability to transmit vitally important battlefield communications using their native Navajo language in a way that the Japanese could not possibly hope to crack. Reason: the Japanese had no familiarity with the Navajo language (Churchhouse, 2004).

What is remarkable is the patriotism and the heroism of these men. Despite the fact that many Native Americans still felt as if the Americans had stolen their land during the 1700s and the 1800s, these Navajo Codetalkers rose to the call to serve the U.S. cause in World War II, and placed themselves in harm’s way in battlefield situations to help further the U.S.’s tactical and strategic objectives in the Pacific Theater.

I did some additional research and found 12 very interesting pictures of the surviving Navajo codetalkers and these pictures are attached (Facebook Navajo Codetalkers Forum, 2011).

Please check out these pictures. They will help you understand a lot about these magnificent Americans and their selfless service to the U.S.

Enjoy!

References:

Churchhouse, R. (2004). Codes and Ciphers: Julius Caesar, the Enigma, and the Internet. Cambridge, U.K.: Cambridge University Press.

Facebook Navajo Codetalkers Forum. (2011). Facebook Navajo Codetalkers Forum Photo Album. Retrieved from the web at http://www.facebook.com/pages/Our-Navajo-Code-Talkers/119244804756?ref=ts&sk=wall on October 28, 2011.

Best regards,

Bill
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
CIS 608 Blog: http://cis608.blogspot.com
Chicago, IL
United States of America


Thursday, October 27, 2011

Post 050 - CIS 608



Internet History and Growth Presentation

Tonight, I updated my Internet History and Growth presentation.


I originally created this in 2002 and it was well received. Tonight I added slides about the impact of mobile technologies and Steve Jobs.

Enjoy!


William Favre Slater, III, MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
http://billslater.com/career
Chicago, IL
United States of America

Post 049 - CIS 608




Measuring Return on IT Security Investments


The two diagrams above are part of an additional approach on measuring the return on IT security investment. These are from a white paper that was produced in December 2007 by Intel Corporation.

As I stated in Post 046 - CIS 608, I really believe that an organization must consider additional factors when trying to uncover and quantify the real return on IT security investment. As I stated earlier, those factors that should be considered are:

  • Business Revenues and Opportunities gained because of the implementation of a solid Information Security Management Program

  • Business Revenues and Opportunities that a company retained because of the implementation of a solid Information Security Management Program

  • Awards achieved, such as Industry Recognition Awards because of the implementation of a solid Information Security Management Program

  • Compliance penalties and/or regulatory penalties avoided because of the implementation of a solid Information Security Management Program

  • People that kept their jobs because of the implementation of a solid Information Security Management Program

  • PR campaigns and damage control campaigns that were avoided because of the implementation of a solid Information Security Management Program

What is also interesting is that this week, per the directions in our 2010 textbook (Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology), we see a business trend toward using the following method to quantify the value of investment in controls that increase information security and reduce risk:


It is based on determining two sets of Annual Loss Expectancy (ALE).

The first ALE is before the application of information security controls.

The second ALE is after the application of information security controls.

ALE is based on this calculation:

SLE * ARO = ALE

Where:
SLE is the Single Loss Expectancy for an incident
ARO is the Annualized Rate of Occurrence (Example 1 incident per month would be an ARO of 12.)
ALE = Annual Loss Expectancy

=======================================================

I think the important lessons here are that:

1) Management is looking for ways to quantify and justify the amount of money spent on IT security management controls

2) Risk must be reduced, but only to the degree that management can cost justify it and also is willing to accept the residual risk that remains

3) Even though the 2007 model and the 2010 model for measuring the effectiveness of money spent on information security controls are similar, the models for justifying and quantifying the money spent on information security may still be in a state of flux if they can change that much between December 2007 and when our book was published in 2010.


Post 048 - CIS 608




Assignment 9.2 - Calculating the Cost Benefit Analysis after Applying Information Security Controls

The table image above shows the exercise we did to calculate the Cost Benefit Analysis after applying Information Security controls.

It is based on determining two sets of Annual Loss Expectancy (ALE).

The first ALE is before the application of information security controls.

The second ALE is after the application of information security controls.

ALE is based on this calculation:

SLE * ARO = ALE

Where:
SLE is the Single Loss Expectancy for an incident
ARO is the Annualized Rate of Occurrence (Example 1 incident per month would be an ARO of 12.)
ALE = Annual Loss Expectancy


Reference:

Whitman, M. E and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology.
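The ALE and CBA arithmetic described in Posts 048 and 049 (and required for the Mesusa spreadsheet in Assignment 9.1), carried through in code. This is an added example, not the author's spreadsheet or anything from the textbook; the threat names, dollar figures and frequencies are constructed for illustration, and the CBA formula used is the textbook's CBA = ALE(prior) − ALE(post) − ACS, where ACS is the annualized cost of the safeguard.

```python
"""Annualized loss expectancy (ALE) and cost-benefit analysis (CBA) of controls.

Added example. The threat records below are constructed, hypothetical figures,
not the Mesusa Corporation values from the course spreadsheet.
"""
from dataclasses import dataclass


def aro(incidents: float, per_months: float) -> float:
    """Annualized rate of occurrence: `incidents` seen over `per_months` months,
    scaled to one year (1 per month -> 12.0, 1 per 24 months -> 0.5)."""
    return incidents * 12.0 / per_months


def ale(sle: float, aro_value: float) -> float:
    """Annual loss expectancy = SLE * ARO."""
    return sle * aro_value


@dataclass(frozen=True)
class ThreatRecord:
    threat: str
    sle_before: float   # dollars lost per incident before the control
    aro_before: float   # incidents per year before the control
    acs: float          # annualized cost of the safeguard (control)
    sle_after: float    # dollars lost per incident after the control
    aro_after: float    # incidents per year after the control


@dataclass(frozen=True)
class CbaResult:
    threat: str
    ale_prior: float
    ale_post: float
    cba: float

    @property
    def worth_it(self) -> bool:
        # A control pays for itself only when the ALE it removes exceeds its cost.
        return self.cba > 0


def cost_benefit(rec: ThreatRecord) -> CbaResult:
    """CBA = ALE(prior) - ALE(post) - ACS  (Whitman & Mattord)."""
    prior = ale(rec.sle_before, rec.aro_before)
    post = ale(rec.sle_after, rec.aro_after)
    return CbaResult(rec.threat, prior, post, prior - post - rec.acs)


def analyze(records):
    """Map each threat name to its CbaResult."""
    return {rec.threat: cost_benefit(rec) for rec in records}


# Constructed sample data (hypothetical threats and dollar figures).
SAMPLE_THREATS = [
    # threat, SLE before, ARO before, ACS, SLE after, ARO after
    ThreatRecord("Malware infection", 5_000, aro(1, 1), 15_000, 2_000, aro(1, 4)),
    ThreatRecord("Core switch hardware failure", 20_000, aro(1, 24), 12_000, 20_000, aro(1, 48)),
    ThreatRecord("Web site defacement", 8_000, aro(2, 12), 4_000, 8_000, aro(1, 24)),
]


if __name__ == "__main__":
    for r in analyze(SAMPLE_THREATS).values():
        verdict = "keep control" if r.worth_it else "reconsider control"
        print(f"{r.threat:30s} ALE before ${r.ale_prior:>10,.2f}  "
              f"after ${r.ale_post:>10,.2f}  CBA ${r.cba:>10,.2f}  {verdict}")
```

With these constructed numbers the malware control removes $54,000 of annual expected loss for $15,000 a year (CBA $39,000), while the switch-redundancy control costs $12,000 to remove only $5,000 of expected loss (CBA −$7,000), which is exactly the kind of control Assignment 9.2 asks you to flag and replace with a cheaper alternative.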

Post 047 - CIS 608


Week Nine Assignments- Maps to Course Obj. 7
MesusaControls.xls (19.5 Kb)
Read/Review
: Chapter 9, Management of Information Security, 3e.
: Powerpoint Slides, Chapter 9, located in Course Documents, Lecture Notes
Learning Objectives - Week 9
Understand and select from risk mitigation strategy options to control risk
Identify risk control classification categories
Use existing conceptual frameworks to evaluate risk controls, and formulate a cost-benefit analysis
Assignment 9.1
This assignment is worth 50 points.
One year ago, the Mesusa Corporation conducted a threat evaluation and created a list of threats, the cost per incident and the projected frequency of occurrence. During the year, Mesusa decided to implement controls designed to reduce the cost per incident and the number of threats. The attached spreadsheet (top of page - MesusaControls.xls) indicates the pre-control cost and frequency of occurrence, the cost of controls for each type of threat, and the post-control cost and frequency of occurrence. Calculate the AROs, the ALEs and the CBA for this initiative, and return the completed spreadsheet.

Assignment 9.2 (post to the Week 9 Forum)
This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation.
Once you have finished 9.1, present only your CBA totals to the forum. Describe which controls were worth the cost, which were not, and why. For those that were not, determine what alternative controls are available.

In your response, comment on whether you agree with the analysis and the recommended alternate controls.

Minimum Posting Requirements: You must post at least five messages to get credit for participation. The first message is your original posting, due no later than Wed. At least two of the other messages must be responses to other student original postings. This is a pass/fail type of grade. If you meet the minimum requirements you get the points. If you do not meet the minimum requirements, you'll get no points for participation. Messages must be posted on more than one day. Don't wait until the last minute!

Group Assignment-Week 9
This assignment is worth 50 points.
As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of the chapter. Use your group forum area for discussion, located under the Groups button to the left...
Have one person in your group post the group consensus, labeled as "Week9 Post - Grade Me" to your group forum.
Assignment 9.3 (Post to your Blog)
This assignment is worth 20 points.
Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.
Post your link to your blog in this drop box. If the link is not posted, the assignment is not considered to be submitted and will get a grade of zero.

Monday, October 24, 2011

Post 046 - CIS 608


ROSI - Return on Security Investment

This week in our CIS 608 class, we are dealing with measuring Information Security Management in terms of quantitative ideas such as ROSI, ALE, and SLE. (see diagram above)

ROSI = Return on Security Investment
ALE = Annual Loss Expectancy
SLE = Single Loss Expectancy

I believe that these are ideas that are outdated throwbacks to the Insurance Industry and calculations related to damage claims, investments, and loss payouts.

I might also add to the mix here that these are measurements for which people will be tested and measured when they take exams like the CISSP and the CRISC.

But despite their longevity as standard ways to define the effectiveness of Information Security, I believe that ROSI, ALE, and SLE are now obsolete, and I would like to add my own thoughts here about measuring ROSI.

I think that here in the second decade of the 21st century, we need something better to help measure the effectiveness of Information Security Management programs. In my opinion, a better idea on measuring the effectiveness of an Information Security Management program would be to measure and quantify benefits like these:

  • Business Revenues and Opportunities gained because of the implementation of a solid Information Security Management Program

  • Business Revenues and Opportunities that a company retained because of the implementation of a solid Information Security Management Program

  • Awards achieved, such as Industry Recognition Awards because of the implementation of a solid Information Security Management Program

  • Compliance penalties and/or regulatory penalties avoided because of the implementation of a solid Information Security Management Program

  • People that kept their jobs because of the implementation of a solid Information Security Management Program

  • PR campaigns and damage control campaigns that were avoided because of the implementation of a solid Information Security Management Program

These are just a few ideas about how to create a better set of metrics with which to measure the effectiveness of your Information Security Management Program. I will be writing a lot more about this in the very near future.

Feel free to comment below or better yet, e-mail me with your ideas: slater@billslater.com

Thanks.

Best regards,

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
Chicago, IL
United States of America

Saturday, October 22, 2011

Post 045 - CIS 608


Information Asset Classification - A Key Step in Risk Management and Information Security Management

This week, we covered classification of Information Assets as a key step in risk management and Information Security Management. The diagram above was adapted from a diagram in a Data Classification white paper I downloaded from the ISACA website.

Information classification and labeling are required under these ISO 27001 Annex A domains, control objectives and controls:

A.7 Asset Management
A.7.2 Information Classification
A.7.2.1 Classification Guidelines
A.7.2.2 Information labeling and handling

There was quite a bit of discussion on whether we were going to have a three-tier data classification system or a four-tier data classification system.

It’s really important to get this right as early as possible. What surprised me was:

1) Just how political it was

2) How difficult it was to explain to the stakeholders

3) How difficult it was to get senior management to make a decision and support it


The proposed possible three-tier classification system:

Unclassified

Marketing and promotion literature; Annual Financial Reports for Shareholders

Protected

Personally Identifiable Information

Names with Social Security Numbers, Phone numbers, addresses

Client related;

Business-related

Restricted

Company Strategy, Privileged Data Related to How the Company is Managed; etc.


The proposed possible four-tier classification system:

Unclassified

Marketing and promotion literature; Annual Financial Reports for Shareholders

Private

Business-related

Confidential

Personally Identifiable Information

Names with Social Security Numbers, Phone numbers, addresses

Secret

Company Strategy, Privileged Data Related to How the Company is Managed; etc.

You may want to study this because it shows how much work, thought, time and diplomacy can be expended to arrive at a business decision regarding classification of information assets and data assets.

Which one did I favor? The four-tier classification system.

Best regards,

Bill
William Favre Slater, III, PMP
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
http://billslater.com/career
Chicago, IL


Thursday, October 20, 2011

Post 044 - CIS 608



Week Eight Assignments- Maps to Course Obj. 1

..
Read/Review
: Chapter 8, Management of Information Security, 3e.
: Powerpoint Slides, Chapter 8, located in Course Documents, Lecture Notes
: NIST Security docs

Learning Objectives - Week 8
Define risk management and its role in the organization
Use risk management techniques to identify and prioritize risk factors for information assets.
Assess risk based on the likelihood of adverse events and the effects on information assets when events occur
Document the results of risk identification
Assignment 8.1
This assignment is worth 50 points.
The Mesusa Corporation has three information assets to evaluate for risk management as listed below. Create a ranked list of risk associated with the four vulnerabilities. You can begin with the columns from the Ranked Vulnerability Risk worksheet (Asset, Impact, Vulnerability, Likelihood), determine the risk rating, then include the percentage of current control and the uncertainty rate to come up with a final risk-rating estimate. Use the formula as described in this chapter.
From your results, determine in what order the three assets should be evaluated for additional controls. Include your worksheet and interpretation of the results.
Switch L47 connects a network to the Internet. It has two vulnerabilities; (1) susceptibility to hardware failure, with the likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75% certainty of the assumptions and data.
Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at 0.2. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75%. There is an 80% certainty of the assumptions and data.
Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90% certainty of the assumptions and data.
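The ranked vulnerability risk worksheet that Assignment 8.1 asks for, worked through in code. This is an added example, not the author's submitted worksheet. It assumes that "the formula as described in this chapter" is the Whitman & Mattord risk-rating formula, risk = (likelihood × impact) − (likelihood × impact × percentage already controlled) + (likelihood × impact × uncertainty), where uncertainty is 1 minus the stated certainty; the four rows use the likelihoods, impact ratings, control percentages and certainties given in the assignment text above.

```python
"""Ranked vulnerability risk worksheet for Assignment 8.1 (Mesusa Corporation).

Added example. Assumes the chapter's risk-rating formula (Whitman & Mattord):
    risk = L*I - L*I*controlled + L*I*(1 - certainty)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRow:
    asset: str
    vulnerability: str
    likelihood: float   # probability the vulnerability is realized, 0.0 - 1.0
    impact: float       # asset impact (value) rating, 0 - 100
    controlled: float   # fraction of the risk already mitigated by current controls
    certainty: float    # confidence in the assumptions and data, 0.0 - 1.0


def risk_rating(row: VulnRow) -> float:
    """Risk = base - credit for existing controls + penalty for uncertainty."""
    base = row.likelihood * row.impact
    control_credit = base * row.controlled
    uncertainty_penalty = base * (1.0 - row.certainty)
    return base - control_credit + uncertainty_penalty


# Figures taken from the Assignment 8.1 narrative.
MESUSA = [
    VulnRow("Switch L47", "hardware failure", 0.2, 90, 0.0, 0.75),
    VulnRow("Switch L47", "SNMP buffer overflow", 0.1, 90, 0.0, 0.75),
    VulnRow("Server WebSrv6", "invalid Unicode values", 0.2, 100, 0.75, 0.80),
    VulnRow("MGMT45 console", "unlogged misuse, no passwords", 0.1, 5, 0.0, 0.90),
]


def ranked_worksheet(rows):
    """Return (asset, vulnerability, rating) tuples, highest risk first."""
    scored = [(r.asset, r.vulnerability, round(risk_rating(r), 4)) for r in rows]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def asset_priority(rows):
    """Order assets for additional controls by their highest-rated vulnerability."""
    order = []
    for asset, _, _ in ranked_worksheet(rows):
        if asset not in order:
            order.append(asset)
    return order


if __name__ == "__main__":
    print(f"{'Rating':>7}  {'Asset':16s}  Vulnerability")
    for asset, vuln, rating in ranked_worksheet(MESUSA):
        print(f"{rating:7.2f}  {asset:16s}  {vuln}")
    print("Evaluate for additional controls in this order:", asset_priority(MESUSA))
```

Note how the 75% control on WebSrv6 pulls its rating from 20 down to 9, below both switch vulnerabilities even though the server carries the higher impact value; the uncertainty term then adds back a slice of the raw likelihood × impact, so low-certainty estimates rank a little higher than the same figures would with confident data.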


..
Assignment 8.2 (post to the Week 8 Forum)
This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation.
Using the data classification scheme presented in this chapter, identify and classify the categories of information contained in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information is a) confidential, b) sensitive but unclassified, or c) suitable for public release?

In your response, comment on whether you agree with the ratings, and identify any possible instances for misuse or embarrassment that the author may have missed.

Minimum Posting Requirements: You must post at least five messages to get credit for participation. The first message is your original posting, due no later than Wed. At least two of the other messages must be responses to other student original postings. This is a pass/fail type of grade. If you meet the minimum requirements you get the points. If you do not meet the minimum requirements, you'll get no points for participation. Messages must be posted on more than one day. Don't wait until the last minute!
________________________________________

Group Assignment-Week 8
This assignment is worth 50 points.
As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of the chapter. Use your group forum area for discussion, located under the Groups button to the left... Have one person in your group post the group consensus, labeled as "Week8 Post - Grade Me" to your group forum.
Assignment 8.3 (Post to your Blog)
This assignment is worth 20 points.
Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.




Wednesday, October 19, 2011

Post 043 - CIS 608


What Does a Cyberweapon Attack Look Like?

The diagram above, from Technolytics, shows the processes and phases of a cyberweapon attack. You can use your imagination to try to understand how an entity (like the U.S.) could conceivably use such cyberweapons to punish or retaliate against an adversary to accomplish a military and/or political objective.

Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.

Post 042 - CIS 608


Classes and Capabilities of Cyberweapons

There are several classes of cyberweapons. The table above, from Technolytics, shows the current classes, descriptions, and capabilities of cyberweapons. You can use your imagination to try to understand how an entity (like the U.S.) could conceivably use such cyberweapons to punish or retaliate against an adversary to accomplish a military and/or political objective.

Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.

Post 041 - CIS 608




The Economic Justification for Cyberweapons

The diagram above, from Technolytics, shows how cyberweapons are now possible and much cheaper than building a $2.2 billion stealth bomber, a cruise missile, or a stealth fighter. In addition, the possible throw-weight and the attack velocity of a cyberweapon are far greater than those of a bomber, missile, or fighter, because a cyberweapon can conceivably attack any "target" that is attached to the Internet. The good news is that these devices have the advantage of the Internet, but the bad news is that they are vulnerable to cyberweapons that could strike over the Internet. (Remember the Army axiom, "Tracer rounds work BOTH ways.")


Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.

Post 040 - CIS 608




Evolution of Cyberweapons

The diagram above shows how cyberweapons are emerging in their capabilities. This is not only because of the importance and proliferation of the Internet and everything connected to it, it is also because cyberweapons are now possible and much cheaper than building a $2.2 billion stealth bomber.

Think about the proliferation of cyberweapons and compare it to the first chart from Mary Meeker, showing how mobile Internet traffic will overtake Internet traffic from desktop and laptop computers in the year 2013.

Can you see where all this is heading? If left unchecked, the world of those who can possibly threaten a world of people who have ubiquitous access to the Internet will continue to increase.

References:

Ingram, M. (2010). Mary Meeker: Mobile Internet Will Soon Overtake Fixed Internet. A web article published at Gigaom.com. Retrieved from the web on July 19, 2010 at http://gigaom.com/2010/04/12/mary-meeker-mobile-internet-will-soon-overtake-fixed-internet/

.

Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.





Tuesday, October 18, 2011

Post 039 - CIS 608


U.S. Weighed Use of Cyberattacks to Weaken Libya

Right now, I am on a business trip in San Diego. At the hotel this morning, I picked up a news digest from the New York Times. On the front page was an article with this headline: U.S. Weighed Use of Cyberattacks to Weaken Libya.

This article explained that it was revealed recently that members of the Obama Administration seriously considered the use of offensive cyberwarfare capabilities against Libya as the administration planned the events leading to the ouster of Qaddafi's government. The targets would have likely included computer systems related to infrastructure, radar systems, and air defense missile systems.

However, there were two key reasons that the ultimate decision was to hold back from using these offensive cyberwarfare capabilities:

1) It would set an example that could be copied by Russia and/or China.

2) It begs the question: How would they carry out such attacks without informing congressional leaders?

My comments:

In the grand scheme of things, such considerations about the possible intent to use such cyberwarfare weapons prove that such types of weaponized software and the battle plans to launch such attacks now actually exist.

Also, there is legal language in Title 10 of the U.S. Code that prohibits the offensive use of "cyberweapons." Going outside Title 10 by way of Executive Order from the President of the United States is the only way this can occur with impunity.

So now there are some new things to think about as Americans brace themselves for a world in which the landscape of international conflict has literally now been extended into the Internet and potentially everything connected to the Internet. When such weapons are unleashed, don't expect Symantec, McAfee, Kaspersky, or anything you can buy at Amazon.com to save you. Nope. It will take much more than that.

Reference:
Schmitt, E. and Shanker, T. (2011). U.S. Weighed Use of Cyberattacks to Weaken Libya. An article printed on the New York Times website. Retrieved at

Bill
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
CIS 608 Blog: http://cis608.blogspot.com
slater@billslater.com
http://billslater.com/career
Chicago, IL
United States of America

Sunday, October 16, 2011

Post 038 - CIS 608



Logical Network Design Diagram by William F. Slater, III

Designing the Enterprise Wireless Network for the Forever Young Cosmetic Company

This Assignment 6_3 was for my CYBR 515 - Security Architecture and Design course in this same M.S. in Cybersecurity program. I am posting it in this blog because there are many concepts related to Information Security Management controls involved.

Put yourself in the role of a consultant. You have been hired to propose a wireless solution for a small company. The background information on the company is contained in the attachment to this assignment. Based on that information, your reading, and any other source materials at your disposal, provide a simple design for a secure wireless network. In your design, include a list of the security features that you would enable and why you would enable them.

================================

Bellevue University

CYBR515

Forever Young Cosmetics
Business and Technical Requirements Document


Purpose: Gain experience in configuring a Wireless Local Area Network consisting of multiple access points.

Instructions: Read the narrative below and produce a network drawing and list of security features that you would plan to implement.

Background: Your group has been hired as secure networking consultants by Forever Young Cosmetics. Their corporate headquarters, manufacturing plant, and distribution center are in a single 250,000 square foot structure located in St Louis, MO. They want to use IEEE 802.11n capable wireless devices to track inventory and shipment and to provide laptop access to the Internet for their employees. They want to provide total wireless coverage of their entire building with the maximum wireless security possible using commercially available devices. Your task is to provide a preliminary recommendation for a secure wireless infrastructure that would support their needs. They currently have a wired Local Area Network with approximately 250 hosts that is connected through a firewall to a single high speed Internet connection provided by Comcast.

Deliverables:

  1. A one page Visio diagram that overviews your proposed wireless infrastructure. The diagram doesn’t have to depict all of the hardware, just the logical components that will make up the network. For example, a single laptop icon can be used to represent laptop users, and single switch and computer icons can be used to represent their existing wired network. You are free to choose any Visio symbols you wish, as you will be graded on content, not style. For the purposes of placing wireless devices, you may consider the building as a perfect square. Please indicate the quantity of wireless devices on your drawing, and include controllers and firewalls, if necessary.

  2. A list of security features that would be enabled in the network and an explanation of the type of protection, strengths and weaknesses that they would afford.


Best regards,

William Favre Slater, III

MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America


Post 037 - CIS 608



Creating an Effective Information Security Management System (ISMS) Using ISO 27001

The diagram above shows the steps required to implement an ISO 27001-based ISMS

This week we studied and discussed Information Security management frameworks. Since I worked on an ISO 27001-based ISMS implementation project between January 2011 and July 2011, I personally found it especially interesting. Despite the fact that ISO 27001 is an internationally recognized standard for Risk Management and Information Security Management, I was amazed that so many classmates were unfamiliar with it. Maybe it's just because this Information Security Management Standard is better known and understood in places like India, Japan, Korea, and the U.K.

Many people look at the list of Domains, Control Objectives, and Controls in ISO 27001 Annex A and think that these are the only things that need to be addressed. But it is essential to remember that implementing an ISMS is as much driven by Risk Management and Information Security Policy as it is about establishing Information Security Controls: the Annex A controls are selected (and the Statement of Applicability justified) from the results of the risk assessment, not the other way around. It is also important to measure the ISMS, so that the effectiveness of the policies and other controls can be determined, and so the entire ISMS can continue to be improved under the Plan - Do - Check - Act cycle and remain under continuous process improvement.

Remember, if you are doing one of these ISO 27001 implementation projects, don't forget to do the Risk Management effort.

For more information about ISO 27001, click here.

Best regards,

William Favre Slater, III

MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America



Tuesday, October 11, 2011

Post 036 - CIS 608



Implementing E-Mail Security Solutions to Defend Against E-Mail Dangers, Scams, and SPAMS

This week in the CYBR 515 - Security Architecture and Design class, we are studying E-Mail Dangers and how to implement security against these dangers to mitigate the risks.

I received the e-mail below this morning. The header is also included for those who like to read such things. The point in including this scam e-mail in this blog is to show:

1) It looks VERY authentic and legitimate. They want you to believe that they are from Microsoft Canada and that they are legitimate.

2) That even the best spam filters can't catch everything, and that your ability to be secure in the use of e-mail requires constant vigilance and education about the dangers associated with e-mail threats. The filter's own report in the header below shows how this one got through: a spam score of 0.64 against a tagging threshold (TAG_LEVEL) of 3.5, even though the NORMAL_HTTP_TO_IP rule did notice the dotted-decimal IP address in the download link and scored it 0.00.

Your brain, your awareness, and your vigilance may be some of your best defenses in e-mail and in the other places you touch and use the Internet (especially the web via web browsers).

===============================================================

E-Mail Header:

X-MSK: CML=3.201000
Received: from zuul.matrixconsulting.net ([10.4.5.2]) by powerweb.net with MailEnable ESMTP; Tue, 11 Oct 2011 10:33:03 -0500
X-ASG-Debug-ID: 1318347175-00958a099a1049e00001-LAYJgu
Received: from sharpe (78-33-47-12.static.enta.net [78.33.47.12]) by zuul.matrixconsulting.net with ESMTP id ypTHT0fs5gSIj2Qr for ; Tue, 11 Oct 2011 11:32:55 -0400 (EDT)
X-Barracuda-Envelope-From: customers@microsoft.ca
X-Barracuda-Apparent-Source-IP: 78.33.47.12
From: "Microsoft-Canada"
Subject: Critical Update For Microsoft Firewall and Security Center 4081
To: slater@billslater.com
X-ASG-Orig-Subj: Critical Update For Microsoft Firewall and Security Center 4081
Content-Type: text/plain;
Reply-To: customers@microsoft.ca
Date: Tue, 11 Oct 2011 16:32:57 +0100
X-Priority: 1
X-Library: Indy 8.0.25
X-Barracuda-Connect: 78-33-47-12.static.enta.net[78.33.47.12]
X-Barracuda-Start-Time: 1318347175
X-Barracuda-URL: http://zuul.matrixconsulting.net:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at matrixconsulting.net
X-Barracuda-Spam-Score: 0.64
X-Barracuda-Spam-Status: No, SCORE=0.64 using per-user scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=4.0 tests=BSF_SC0_SA601, MISSING_MID, NORMAL_HTTP_TO_IP
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.77031
Rule breakdown below
pts rule name description
---- ---------------------- --------------------------------------------------
0.14 MISSING_MID Missing Message-Id: header
0.00 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
0.50 BSF_SC0_SA601 Custom Rule SA601
Message-Id: <20111011153304.70ED92067105@zuul.matrixconsulting.net>
X-ME-Bayesian: 0.000000
Return-Path:

===============================================================

E-Mail Text Body:

Tuesday, October 11, 2011,
10:33 AM

Dear Customer,

Please notice that Microsoft has recently issued a Security Update for Microsoft Windows Firewall and Security Center.

This Update is to prevent malicious users from getting access to your computer files by executing arbitary code on a new buffer overflow found in the windows firewall process.

This is an high-priority updates. In order to help protect your computer against security threats and malicious code.

Please follow these instructions:

1. Download the file from http://200.21.20.163/SecurityPatch/SECURITY_FIX_4081.exe

2. Double-click on SECURITY_FIX_4081.exe to start the update.

3. Click on *Allow Access*

This is an Automated Message produced by Microsoft Canada Co., Please Do Not Reply

Microsoft Team.


===============================================================
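As an added example (not part of the original post, and not the Barracuda filter's logic), the following Python script runs the kind of checks a vigilant reader makes by eye over the header and an abridged copy of the body shown above: a From line with a display name but no mailbox, an envelope sender whose domain differs from the connecting host's reverse DNS, a highest-priority flag, a download link that uses a raw IP address and ends in .exe, and a named brand whose links never land on that brand's domain. The indicator names, the brand allowlist, and the two-label domain heuristic are assumptions made for the demonstration.

```python
"""Indicator checks over the scam e-mail reproduced above.

Added example, not part of the original post. The headers the checks use
and an abridged body are copied from the message above; the indicator
names, BRAND_DOMAINS, and the two-label domain heuristic are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address
from urllib.parse import urlparse

RAW_MESSAGE = """\
Received: from sharpe (78-33-47-12.static.enta.net [78.33.47.12]) by zuul.matrixconsulting.net with ESMTP id ypTHT0fs5gSIj2Qr for ; Tue, 11 Oct 2011 11:32:55 -0400 (EDT)
X-Barracuda-Envelope-From: customers@microsoft.ca
From: "Microsoft-Canada"
Subject: Critical Update For Microsoft Firewall and Security Center 4081
Reply-To: customers@microsoft.ca
X-Priority: 1
X-Barracuda-Connect: 78-33-47-12.static.enta.net[78.33.47.12]
X-Barracuda-Spam-Score: 0.64

Dear Customer,

Please notice that Microsoft has recently issued a Security Update for Microsoft Windows Firewall and Security Center.

1. Download the file from http://200.21.20.163/SecurityPatch/SECURITY_FIX_4081.exe
2. Double-click on SECURITY_FIX_4081.exe to start the update.
3. Click on *Allow Access*
"""

# Assumed allowlist for the demonstration: a message naming this brand
# should link to one of these domains. Not an authoritative list.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com")


def base_domain(host_or_addr):
    """Last two DNS labels of a host name, a mailbox, or a 'host[ip]' string.

    Two labels is a deliberate simplification; suffixes such as co.uk would
    need a public-suffix list.
    """
    host = host_or_addr.rsplit("@", 1)[-1].split("[", 1)[0].strip().lower()
    return ".".join(host.strip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw):
    """Return the indicator names found in one RFC 5322 message, in check order."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []

    # A display name with no mailbox: the sender never had to forge an address.
    _, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in from_addr:
        findings.append("from_has_no_mailbox")

    # Envelope sender claims one domain; the connecting host's reverse DNS is another.
    # SPF/DKIM/DMARC are the real test for this; the header comparison stands in offline.
    env_from = msg.get("X-Barracuda-Envelope-From", "")
    connect = msg.get("X-Barracuda-Connect", "")
    if env_from and connect and base_domain(env_from) != base_domain(connect):
        findings.append("envelope_domain_differs_from_connecting_host")

    if msg.get("X-Priority", "").strip().startswith("1"):
        findings.append("flagged_highest_priority")

    # Links in the body: raw IP hosts and direct executable downloads.
    urls = re.findall(r"https?://\S+", body)
    link_domains = set()
    for url in urls:
        parts = urlparse(url)
        host = parts.hostname or ""
        link_domains.add(base_domain(host))
        if is_ip_literal(host):
            findings.append("url_uses_raw_ip")
        if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append("url_points_to_executable")

    # The message names a brand but none of its links land on that brand's domain.
    claimed = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and urls and not (link_domains & domains):
            findings.append("brand_named_but_links_elsewhere")

    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE):
        print(finding)
```

Run stand-alone, the script lists six indicators for this message, none of which needed more than the text already in front of the reader. Two caveats: the envelope/connecting-host mismatch also fires on legitimate mail sent through a third-party mailer, so it is an indicator rather than proof, and the proper test (SPF, DKIM, DMARC) needs DNS and is not attempted here. Note also that the Message-Id in the full header above carries the receiving relay's own domain and sits below the Barracuda headers, which is consistent with the relay adding it after the scan and with the MISSING_MID rule having fired.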

Stay safe online!

Best regards,

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America