Sunday, February 17, 2013

Post 015 – CYBR 650

Harry and Mae's Infrastructure Improvement Action Plan - 

First Draft

This week, we were told that our Blog Assignment was to explain what the most difficult part of developing our Action Plan for our Course Project was.

This was my Action Plan:

The action plan to remediate Harry and Mae’s IT security issues is simple.
1.  Implement a Security Management Framework
2.  Mitigate risks associated with the threats that have already been identified
3.  Continuously monitor threats and vulnerabilities
4.  Assess and manage the risks associated with these threats and vulnerabilities
5.  Apply controls where possible to mitigate risks
6.  Document residual risks
7.  Regularly report on threats, vulnerabilities, and risks to management
8.  Continually educate all employees about threats and vulnerabilities
9.  Continually educate and equip the IT staff with the knowledge and tools they need to mitigate the risks associated with the threats and vulnerabilities that are identified

= = = = = = = = = = = = = =

I think the two most difficult aspects of this assignment were:

1)  Structuring it in a comprehensive, understandable manner that would garner the management support and buy-in needed to execute the plan.

2)  Recommending the adoption of a comprehensive, albeit proven, security management framework (ITIL v3) with which to better control and manage security using finite resources.  That was a bold, yet needed, move if Harry and Mae’s is going to mature in the areas of risk management and security management.

==================================================

References:

Anderson, R. (2008). Security Engineering, second edition. Indianapolis, IN: John Wiley.
Bellevue University. (2012).  Harry and Mae Case Study. Retrieved from http://idcontent.bellevue.edu/content/CIT/cyber/generic/harryAndMaes/ on December 14, 2012.
Cokins, G. (2009).  Performance Management: Integrating Strategy Execution, Methodologies, Risk, and Analytics.   Hoboken, NJ: John Wiley & Sons, Inc.
Landoll, D. L. (2011). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, second edition. Boca Raton, FL: CRC Press.
McCumber, J. (2008).  Assessing and Managing Security Risk in IT Systems: A Technology-independent Approach. Retrieved from https://buildsecurityin.us-cert.gov/swa/downloads/McCumber.pdf on August 31, 2011.
Microsoft. (2012).  Microsoft System Center Operations Manager Technical Data.  Retrieved from http://technet.microsoft.com/en-us/library/hh205987.aspx on December 16, 2012.
National Institute of Standards and Technology (NIST). (2011).  NIST SP 800-39 - Managing Information Security Risk: Organization, Mission, and Information System View.  Published by the National Institute of Standards and Technology, U.S. Department of Commerce in March 2011. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf  on June 11, 2012.
O’Donnell, A. (2012). What Is SCAP? An article published at About.com. Retrieved from http://netsecurity.about.com/od/newsandeditorial1/g/What-Is-Scap.htm on December 16, 2012.
OGC. (2007). ITIL v3 Service Operation. London, U.K.: The Stationery Office.
Olzak, T. (2006).  Get Control of Vulnerability Management.  An article published at Toolbox.com on April 1, 2006. Retrieved from http://it.toolbox.com/blogs/adventuresinsecurity/get-control-of-vulnerability-management-8569 on February 12, 2013.
Quinn, S., et al. (2012). NIST SP 800-117 - Guide to Adopting and Using the Security Content Automation Protocol (SCAP) version 1.2 (Draft).  Retrieved from http://csrc.nist.gov/publications/nistpubs/800-117/sp800-117.pdf on December 3, 2012.
Senft, S., et al. (2013). Information Technology Control and Audit, fourth edition. Boca Raton, FL: CRC Press.
Swiderski, F. and Snyder, W. (2004).  Threat Modeling. Redmond, WA: Microsoft Press.
Talbot, J. and Jakeman, M. (2009).  Security Risk Management Body of Knowledge. Hoboken, NJ: John Wiley & Sons, Inc.
Waltermire, D. (2012). NIST SP 800-126 - The Technical Specification for the Security Content Automation Protocol (SCAP), version 1.2, revision 2.  Retrieved from http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf on December 3, 2012.
Wheeler, E. (2011).  Security Risk Management: Building an Information Security Risk Management Program from the Ground Up.  Boston, MA: Syngress.
Witte, G., et al. (2012). Security Automation Essentials: Streamlined Enterprise Security Management and Monitoring with SCAP.  New York, NY: McGraw-Hill.
Young, C. S. (2010).  Metrics and Methods for Security Risk Assessment.  Boston, MA: Syngress. 

Sunday, February 10, 2013

Post 014 – CYBR 650

Panetta Delivers Sharp Warning about Cyber Attacks
SecDef: 'Cyber is now at a point where the technology is there to cripple a country'

In a tough speech delivered on February 6, 2013, outgoing Secretary of Defense Leon Panetta announced that cyberattack capabilities have now reached the level at which they could cripple the critical infrastructure of an entire country.  Three things make this disturbing:

1)  He, among all the officials in the U.S. Government, would be in the best position to know what he is talking about in this regard: he is still the current Secretary of Defense and has overseen the maturing of the cyberwarfare capabilities of the U.S. military.  He was also the head of the CIA before assuming the role of Secretary of Defense after the departure of Robert Gates.
2)  He is probably 100% accurate in his assessment.
3)  This is a capability of cyberweapons that high-level U.S. Government officials had not previously stated publicly, though it has been suspected for at least two to three years.

All this confirms for me that I chose the right discipline in which to study and work toward an M.S., and it affirms that I am researching and writing about topics that are extremely relevant to the national security of the United States.

In any case, I still believe that 2013 will be one of the most interesting years in our country’s 237-year history.

I have been researching and writing about cyberwar and cyberwarfare for 18 months.  It is a topic in which I have a strong interest.  Other articles here:


==================================================

References:

Washington Free Beacon. (2013).  Panetta Delivers Sharp Warning about Cyber Attacks. SecDef: 'Cyber is now at a point where the technology is there to cripple a country'.  An article published at the Free Beacon on February 6, 2013.  Retrieved from http://freebeacon.com/panetta-delivers-sharp-warning-about-cyber-attacks/ on February 7, 2013.

Kerr, D.  (2013).  'Cyber 9/11' may be on horizon, Homeland Security chief warns.  An article published at CNET on January 24, 2013.  Retrieved from http://news.cnet.com/8301-1009_3-57565763-83/cyber-9-11-may-be-on-horizon-homeland-security-chief-warns/  on January 26, 2013.

Turzanski, E. and Husick, L. (2012). “Why Cyber Pearl Harbor Won't Be Like Pearl Harbor At All...” A webinar presentation held by the Foreign Policy Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html   on October 25, 2012.

===================================================

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
CYBR 650 Blog:
http://cybr650.blogspot.com
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America