Sunday, February 24, 2013

Jobs


We're talking about information security jobs this week, specifically the types of qualifications and certifications needed for those positions. There has been a fair amount of discussion about what education is required, and one baseline factor that levels the playing field between trade schools and four-year degrees is certification.


Here's a link to a recent article, from December 2012, discussing the five most-needed certifications. If you're looking for something to get, one of these might not be a bad idea.


Sunday, February 17, 2013

Firewalls

Do you use a firewall? It's a piece of software that filters the network traffic going into and out of your computer against a set of rules, typically blocking any inbound connection you didn't ask for while letting the connections you start (and their replies) through. Generally speaking, antivirus software isn't enough to keep you fully protected. A firewall doesn't fix security holes, but it keeps random and malicious traffic from ever reaching the services listening on your machine, so a hole in one of them can't be poked at from the outside.

Windows has a built-in firewall, but there are plenty of other solutions out there, free and paid. There are also hardware firewalls, and the wireless router in your house almost certainly has one built in (on top of NAT, which by itself keeps unsolicited connections from the internet away from the machines behind it). You're probably familiar with the Windows firewall because if you don't have it turned on, it nags you until you do.

And really, you should have it turned on. A quick Google search will turn up other free firewalls, and maybe one of them offers functionality you need or prefer over the Windows one. But short of that, even if the Windows firewall isn't the best, I'll say what I said in an earlier post about Microsoft Security Essentials: even if it isn't the best solution, it offers enough protection that the residual risk is small and probably acceptable for most consumer users.
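To make the "block unwanted traffic" point concrete, here is an added example (my own illustration, not from the original post and not any firewall product's code): a toy stateful packet filter in Python that behaves the way a host firewall does by default. The addresses, ports, the single rule (file sharing allowed only from the local subnet) and the traffic sample are all constructed for the demonstration. Flip firewall_on to False to see what "not turned on" actually means for the two internet-sourced probes.

```python
# Added example (not from the original post): a toy stateful packet filter that
# models what a host firewall such as the Windows firewall does by default:
# block unsolicited inbound connections, allow what the host itself starts
# (and the replies to it), and permit inbound only where an explicit rule says
# so. Every address, port and packet below is constructed for the demonstration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected host
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """Explicit inbound allow/block for one destination port, optionally limited to a source network."""
    proto: str
    dport: int
    from_net: str = "0.0.0.0/0"
    action: str = "allow"


@dataclass
class Firewall:
    inbound_rules: list = field(default_factory=list)
    default_inbound: str = "block"           # the setting that matters most
    flows: set = field(default_factory=set)  # connection table: (proto, remote ip, remote port, local port)

    def evaluate(self, p: Packet) -> str:
        if p.direction == "out":
            # Outbound is allowed and remembered, so the reply can come back in.
            self.flows.add((p.proto, p.dst, p.dport, p.sport))
            return "allow"
        # Inbound: a reply to a connection we opened is always allowed.
        if (p.proto, p.src, p.sport, p.dport) in self.flows:
            return "allow"
        # Unsolicited inbound: first matching explicit rule wins, else the default policy.
        for r in self.inbound_rules:
            if (r.proto == p.proto and r.dport == p.dport
                    and ip_address(p.src) in ip_network(r.from_net)):
                return r.action
        return self.default_inbound


def demo(firewall_on: bool = True) -> dict:
    """Run a constructed traffic sample through the filter and return each verdict."""
    fw = Firewall(
        inbound_rules=[Rule("tcp", 445, "192.168.1.0/24")],   # file sharing, LAN only
        default_inbound="block" if firewall_on else "allow",  # "allow" is what "off" looks like
    )
    traffic = {
        "web_request":  Packet("out", "tcp", "192.168.1.10", 51000, "198.51.100.10", 443),
        "web_reply":    Packet("in",  "tcp", "198.51.100.10", 443, "192.168.1.10", 51000),
        "lan_smb":      Packet("in",  "tcp", "192.168.1.25", 40000, "192.168.1.10", 445),
        "internet_smb": Packet("in",  "tcp", "203.0.113.7", 40000, "192.168.1.10", 445),
        "rdp_probe":    Packet("in",  "tcp", "203.0.113.7", 40001, "192.168.1.10", 3389),
    }
    return {name: fw.evaluate(pkt) for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<13} {verdict}")
```

With the firewall on, the web reply and the LAN file-sharing request get through and the two probes from the internet are dropped; with it off, every probe reaches whatever happens to be listening, which is the exposure the nag screen is trying to save you from.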

Sunday, February 10, 2013

Back to Basics


We’re going to take it full circle today, back to the first post I made, on a very scary topic indeed: sextortion. A new case (and an arrest, thankfully) has prompted the FBI to post a few things to help keep you safe online. Some of it is security theater, but there is some pretty good stuff too.

I’d like to put the focus on the last two bullet points (I’ve copied them from the FBI website and listed them below in case you are hyperlink averse): suspicion and communication. This goes back to a theme I’ve kept in all my posts about security: regardless of the hardware and software protections you have in place, in the end it’s up to the people involved to maintain security.

We have to be suspicious online. It’s that suspicion that tells us we aren’t really the millionth visitor and we didn’t really win a new iPad, no matter how colorfully the banner is flashing. Suspicion tells us when something is too good to be true, or when something seems creepy or just not right. This matters because of the layer of anonymity the internet provides: you rarely know who is actually on the other end. Kids need to be educated on this point. And overall, it needs to be emphasized that it doesn’t matter whether it’s someone you don’t know or someone you trust: you shouldn’t send them anything personal over the internet.

The last point is communication. Open lines need to be maintained from the beginning, to emphasize the preventive side of security, but also after an incident has happened, so that a kid who is being threatened actually tells someone instead of paying up or hiding it.

- Don't take for granted that your computer's anti-virus software is a guarantee against intrusions.
- Turn off your computer when you aren't using it.
- Cover your webcam when not in use.
- Don't open attachments without independently verifying that they were sent from someone you know.
- It's okay to be suspicious. If you receive a message with an attachment from your mother at 3 a.m., maybe the message is not really from your mother.
- If your computer has been compromised and you are receiving extortion threats, don't be afraid to talk to your parents or to call law enforcement.

Sunday, February 3, 2013

Passwords and Risk.

We're talking about risk identification, assessment, and management this week. I've linked to an article below that shares some great insight into very common security problems most people have. I'm going to focus on the last item on its list: passwords.

Inadequate passwords are a very common problem in people's security world, and one that even I suffer from. Taking an inventory of my accounts and sorting out my passwords has been on my to-do list for far too long. Reuse is probably the most common offense, aside from choosing passwords that are weak to begin with: once one site is breached, a reused password unlocks every other account it was used on.

Here are a few of the things I have detailed in my to-do list:
- Make sure all accounts have a unique password.
- Make sure my credit card information is not saved for any accounts.
- Make sure my security question is answered with a secret word (stored alongside the password) and not the real answer, which is often public or guessable.
- Enable two-factor account verification wherever it's available.

These are just a few of the things we can all do to make our online lives a little more secure. It's tough, especially if you've been steadily collecting accounts for different things over the past two decades. At some point you've got to sit down and take control of the situation.
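Here is an added example (my own, not from the original post or the linked article) that turns that to-do list into an offline audit of an account inventory: it flags reused and weak passwords, saved card details, accounts without a second factor, and security answers that are the real answer, then issues fresh random credentials. The inventory, the set of "real facts", the word list and the length and entropy thresholds are all constructed assumptions for the demonstration, not a standard.

```python
# Added example (not from the original post): an offline audit of a personal
# account inventory against the list above, then a remediation pass that issues
# a fresh random password and a random security-question answer per account.
# The inventory, the "real facts" and the thresholds are all constructed
# assumptions for the demonstration, not a standard.
import math
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 12        # assumption
MIN_ENTROPY_BITS = 60  # assumption

# Constructed inventory: the sort of thing you find after taking stock of old accounts.
SAMPLE_INVENTORY = [
    {"name": "email", "password": "Tr0ub4dor&3", "two_factor": True,  "card_saved": False, "security_answer": "Smith"},
    {"name": "bank",  "password": "Tr0ub4dor&3", "two_factor": False, "card_saved": False, "security_answer": "xq9-lamp-orbit"},
    {"name": "shop",  "password": "password1",   "two_factor": False, "card_saved": True,  "security_answer": "Fluffy"},
    {"name": "forum", "password": "c7K$vm2!pLq9#zR4wB8e", "two_factor": False, "card_saved": False, "security_answer": ""},
]
# Constructed: the true answers (maiden name, first pet) that should never be used as-is.
REAL_FACTS = {"smith", "fluffy"}
# Constructed word list for random answers; a real one would be far larger.
WORDS = ["orbit", "lamp", "granite", "velvet", "comet", "ladder", "harbor", "pixel",
         "walrus", "tundra", "quartz", "saddle", "meadow", "cobalt", "ember", "lantern"]


def entropy_bits(pw: str) -> float:
    """Rough upper bound: log2(pool ** length) for the character classes actually present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def audit(inventory: list, real_facts: set) -> dict:
    """Map each finding to the account names it applies to, in inventory order."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for acct in inventory:
        name, pw = acct["name"], acct["password"]
        by_password[pw].append(name)
        if len(pw) < MIN_LENGTH or entropy_bits(pw) < MIN_ENTROPY_BITS:
            findings["weak_password"].append(name)
        if acct.get("card_saved"):
            findings["card_saved"].append(name)
        if not acct.get("two_factor"):
            findings["no_two_factor"].append(name)
        answer = acct.get("security_answer", "").strip().lower()
        if answer and answer in real_facts:
            findings["real_answer_used"].append(name)
    for names in by_password.values():
        if len(names) > 1:
            findings["reused_password"].extend(names)  # one breach unlocks all of these
    return dict(findings)


def new_password(length: int = 20) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def new_secret_answer(words: int = 4) -> str:
    """A random passphrase unrelated to the question; store it next to the password."""
    return "-".join(secrets.choice(WORDS) for _ in range(words))


def remediate(inventory: list) -> list:
    """Copy of the inventory with unique random credentials and no stored card data."""
    return [dict(acct, password=new_password(), security_answer=new_secret_answer(), card_saved=False)
            for acct in inventory]


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_INVENTORY, REAL_FACTS).items():
        print(f"{finding:<17} {', '.join(names)}")
    print("after remediation:", audit(remediate(SAMPLE_INVENTORY), REAL_FACTS))
```

The findings come out in inventory order, and the one thing the script cannot fix is two-factor, which has to be switched on at each site, so that finding survives remediation on purpose. The entropy estimate is deliberately crude (it credits a character class as soon as one character from it appears); it is there to catch "password1", not to grade a password manager's output.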

Article: http://lifehacker.com/5980126/5-security-holes-almost-everyones-vulnerable-to

Saturday, January 26, 2013

The Windows Baseline


People ask me for advice when buying a new computer all the time. The machines are advertised with CPU clock speeds, hard drive and RAM amounts, Gigahertz and Gigabytes and all sorts of other jargon. But what do those numbers actually mean, what can the machine actually do?

Obviously there is some benefit to knowing the ins and outs of a computer, just as there is a benefit to knowing the ins and outs of a car, but not everyone has that kind of time or interest. In the end it's a tool, and people buy it to do a job, whether that's spreadsheets or lolcats.

The Windows Experience Index is a number assigned to a computer by the Windows System Assessment Tool (WinSAT). It boils each major component of a machine down to a score and then assigns the machine an overall score, which is simply the lowest of the component scores, so the weakest part sets the number. The tool is available in Windows Vista, 7, and 8.

This is an example of a benchmark, and a useful one. All benchmarks are artificial and not a guarantee of how a machine will perform in the real world, but there is a correlation. In the end you get what you pay for. If you're looking for lolcats, you can skimp on the score quite a bit. If you want to manipulate spreadsheets, you might want a little more oomph. And if you're trying to play the latest games, then yes, you're going to need to pay for that higher number.

Friday, January 18, 2013

I'm Still Going to Use Microsoft Security Essentials


This article came up the other day. It’s a little jargon-heavy, but it seemed like a very important topic for the average user, particularly because Microsoft Security Essentials (MSE) is one of the most popular antivirus programs, and now that the same engine is built into Windows 8 as Windows Defender, that is only likely to increase. Since its release, I have always recommended it to friends and family: it’s free, easy to use, and updates along with your Windows OS. Based on the article headline you might think I’m changing my mind, but I’m not, and here’s why.


The main point is the difference between the goals of the certification test and Microsoft’s own testing goals, summarized most succinctly in the article: Blackbird looks at the viruses missed by the software, by category, whereas Microsoft designs its software around consumer impact. To me this means that while the certification test is important and useful, it is also biased by being more artificial. Microsoft’s own tests are by definition artificial too, but the company is striving for real-world results.

The second thing to look at when talking about all these percentages of malware is the encounter numbers. A sample the software misses in the lab is only a problem if you actually come into contact with it, and most people never encounter most samples. This hits on a point I have always emphasized: it’s about the person using the machine, not the machine. Even if MSE were 100% effective, a person can still mess up a machine. If you use safe browsing habits, don’t open links from spam emails, and don’t browse untrustworthy websites, you’re far less likely to encounter this malware (not immune: malicious ads on legitimate sites do happen, which is why the software still matters). The point is, no one should depend entirely on antivirus software to protect them. There are many other ways for your data to be compromised, such as phishing and other social engineering scams.

At the end of the day, my takeaway is this: I’d rather Microsoft fail an artificial certification and continue to focus on real-world tests than design its software for an artificial setting, score 100% in the lab, and then completely fail the consumer in the real world. (Ahem, video card benchmarks, cough.)

Tuesday, January 8, 2013


This week we are discussing information security plans. I’m sure many people have seen these, and had to read them, at some point at work, but what about at home? The linked article gives a great example of enforcing some InfoSec at home, with a demographic that may not be savvy enough to understand the trouble they can get into without it.

First of all, let’s cover the benefit of explicit rules like these. The crux of computer issues is human error. If we look at the McCumber Cube, whose countermeasure dimension is technology, policy and practice, and education and training, the last two stand out as the areas where the user can screw up. A perfect system is only perfect until someone who doesn’t know how to use it does.

Phones are just tiny computers, more powerful now than any computer I played DOOM on growing up, and kids are getting them. In middle school I wasn’t allowed on the internet when my parents weren’t home; these devices are connected to the internet all the time. There is a need for rules: policies outlined explicitly so the user understands the authorized uses of a device and their own responsibilities.

The linked list includes a lot of social, parenting, and politeness rules, but it also includes some great rules about information security. Chief among them, and I think it matches the workplace for adults, is that the phone does not belong to the child and the password will always be known by the true owner. This jibes with corporate policies about browsing Facebook all day instead of getting work done: the machine is there for a reason, and the corporation will check that you are using it as such.

The acceptable and unacceptable uses of the technology are clearly outlined. So while this may not cover every part of a traditional enterprise information security policy, I think it’s going to serve this parent and child very well.