Security Convergence – Ready or not, it is here!
The security industry has been talking about the convergence of physical and information security functions for years. Many act as if it’s a big deal or that it’s a difficult endeavor to accomplish. I say, ready or not, it’s already here. Security functions and technology has merged right under our eyes. Let me explain.
First, let’s define “Security Convergence”. According to ASIS, it’s, “The identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies.” The key words are risks, interdependencies, and solutions. It’s critical to review the risks to the business and determine the best methods for mitigation. Notice that this definition contains no reference to information security or physical security.
Traditional practices have caused many large organizations to create security silos to solve individual problems rather than looking at the best solution to reduce risk. They separate physical from logical (or information) security without realizing that these groups serve the same purpose: mitigating risks. More progressive organizations have their security converged and are thus better able to handle common risks. These organizations are addressing the reality of risk management, which looks at methods to address risks regardless of the form.
Many new or small organizations lack a separate physical security force that is seen in established firms. They will often outsource physical security functions as part of their lease. They believe it covers all types of risks and ignore others that they cannot address due to time or money constraints. These businesses would be better served with a converged security function under a single employee who’s responsibility is to address all types of security risks: both physical and logical. With this, the company is better positioned to manage their security risks in a consolidated function.
One last point on the physical/logical security convergence is that most of the equipment used by physical security, such as cameras and monitoring, badge systems, etc. is already on the network. The camera system in your facility is most likely on your corporate IP network. There’s also a strong possibility that’s also true with your badge system. They are network servers, but are usually managed outside of IT. This is another case where a converged security function can better maintain critical company services.
Security isn’t something you bolt on and hope it works. It needs to be incorporated into the fiber of the organization. A converged security function allows this to occur in the most cost-effective way.
What do you think? Feel free to comment below.
What do you need? Security Education or Training
As you’re looking to improve yourself as a Cybersecurity citizen, you often need help from an outside source to increase your knowledge and/or abilities. Security is a broad topic encompassing many disciplines and Cybersecurity is no different. There are technical, procedural, and managerial aspects to be considered to grow what you know about Cybersecurity. There are often many, different ways to solve the same security problem. Knowing what to do and how to do it requires both knowledge and experience. How do you gain it though?
The answer is Cybersecurity training and education. There’s often a question as to which you need: training or education. There is a difference between the two, which I’ll explain below. You need to be aware of your needs, wants, and goals before proceeding, or there’s a chance you won’t meet them.
Cybersecurity education provides a more general background on the philosophies and concepts behind Cybersecurity. It allows you to understand the context for security tools, techniques, and technologies. With security education, you understand why it’s important to have particular protection methodologies in place and is at the strategic level of thinking. Cybersecurity education emphasizes principles of risk management and how security fits into an organizational culture and structure. Education is long term taking many months if not years to acquire. Finally, education teaches critical thinking and allows the student to learn how to learn, which is crucial for new subjects or technologies.
In contrast, Cybersecurity training is more specific to a technology, procedure, or skill. It’s tactical or operational, rather than strategic. Training emphasizes the building of explicit skills and applying what you know to a particular situation. When you attend cyber training, you are learning about a specific technology or practice that can meet an immediate need. Lastly, training is short term and can often be accomplished in days or weeks.
In this discussion, I’m trying not to sway your though as to which is better, because both are important for expanding your Cybersecurity knowledge and abilities. You need to decide for yourself the method you want to take in order to meet your goals. The important thing to consider is that you keep growing and increasing your knowledge. Feel free to comment below on your views of education versus training. Don’t stop learning!
National Center of Academic Excellence in Information Assurance Education
In April 2012, the National Information Assurance Education and Training Program (NIETP) office under the authority of the U.S. National Security Agency (NSA) and Department of Homeland Security (DHS) announced that Bellevue University is designated as a National Center of Academic Excellence in Information Assurance Education (CAE-IAE) for the academic years 2012-2017. This is a great accomplishment for the University and demonstrates our continued dedication to not only Cybersecurity Education, but also to the security community.
The CAE-IAE application, submitted earlier this year passed a rigorous review that was evaluated against a stringent criteria, demonstrating its competency and commitment to academic excellence in Information Assurance education and security practices. The letter received by the University with the announcement demonstrates the quality of our program. “One reviewer remarked that Bellevue’s submission, ‘demonstrated fine curriculum, expert faculty and noteworthy outreach.’ You are to be commended for submitting such an exemplary application. Your ability to meet the increasing demands of the program criteria will serve the nation well in contributing to the protection of the National Information Infrastructure. “
Mary Hawkins, the Bellevue University President will be receiving the official certificate of designation signed by the Director, NSA, the IA Director, NSA and the Cybersecurity Assistant Secretary, DHS, at the 16th Colloquium for Information Systems Security Education (CISSE) in June.
An official press release and announcement is forthcoming.
Cyberwar – Is it Happening Now? – Part 2
Cyberwar as a term, concept, and action isn’t going away. We are stuck with it. The challenge is how do we define it? Whether or not we’re even in a Cyberwar now is entirely open to opinion and personal biases.
It makes for a great debate, which is what happened last Wednesday, February 22nd at Bellevue University. That afternoon, Dr. Matt Crosston and I debated this topic in front of a full audience of students, professors, and other interested parties. We addressed the problem with definitions and perceptional bias. Our goal was to get participant thinking about the real issues, so we can begin to develop real solutions.
You can see the seminar/webinar/debate yourself at http://bellevuena6.adobeconnect.com/p3tko7z33g0/.
After you watch it, please feel free to comment with your ideas or opinions on cyberwar. Is it really happening now?
Cyberwar – Is it Happening Now?
I was all set to write this great piece on Cyberwar and how it’s a bunch of fear-mongering by those who don’t understand it, but Scot Terban beat me to it. See his thought-provoking piece on InfosecIsland or his blog titled: Dr. Cyberlove… Or, how I learned to stop worrying and love CYBERWAR! (Here’s the link for those who are paranoid: http://krypt3ia.wordpress.com/2012/02/15/dr-cyberlove-or-how-i-learned-to-stop-worrying-and-love-cyberwar/). It’s a great piece to get you thinking about Cyberwar and if we are indeed in one now.
According to Sen Joseph Lieberman and Jay Rockefeller, we are on the brink of a cyber disaster. They equate our cyber situation to 9/11. Now I’m all for increasing focus on security, but not for the sake of FUD (Fear, Uncertainty, & Doubt). Selling fear never works in the long term.
Cyberwar is a sexy term that’s hotly debated. Many take one side or the other as to whether or not we are at war over the wires (or wireless). Can computers kill? Are we in the land of The Terminator and Tron? Are we on the brink of Cyber-Armageddon? Can people live without Twitter and Facebook?
These questions and more will be addressed in the seminar / webinar / debate Dr. Matt Crosston and I are having next Wednesday starting at 1pm. If you live in the Omaha area, you can participate in the debate in person, in the Bellevue University Hitchcock Humanities Center’s Criss Auditorium. Presenters will be me, Ronald Woerner, Assistant Professor and Director of Cybersecurity Studies in the University’s College of Information Technology, and Dr. Matthew D. Crosston, Associate Professor, ISIS Program Director – International Security and Intelligence Studies Chair – Political Science.
Please visit http://www.bellevue.edu/cyberwar/ for more information and to register.
Just call me Dr. Cyberlove…
Incident Response – Know what to do when “it” hits
There are four primary responsibilities of security: Prevent, Deter, Detect, and Respond. We often focus much of our efforts on prevention and detection and neglect deterrence and response. In today’s post, I want to focus on the latter: how security professionals should respond to incidents and what they need to have in their “toolkit” to be ready when “it” hits the fan.
“Be prepared” is the boy scout motto. It should also be a motto for security. We never really know when something bad will occur. It’s usually at the worst possible time (see Murphy’s Law and its corollaries). It’s crucial that security professionals are ready for it and know what to do when “it” hits. The websites linked below provide great resources to help you be prepared for anything that comes your way. It includes procedures, templates, and forms that you can use in your security program so you are ready.
Security should have plans and checklists ready to use when there’s an incident. This is for both physical and IT incidents. That way they don’t miss any critical element. I’ve also seen that checklists help in these situations to reduce the impact of any emotions that occur in high stress situations.
- SANS SCORE(Security Consensus Operational Readiness Evaluation) – http://www.sans.org/score/incidentforms/
- U.S. Security Awareness – http://www.ussecurityawareness.org/highres/incident-response.html
My second law of incident response is “Don’t Panic, ” which is also the first line in the Hitchhiker’s Guide to the Galaxy. It works for security as well. It’s important to respond to problems rather than react. Response is positive while reaction is negative and is often associated with panic. We react without thinking leading to mistakes. If you are prepared, then your poised to respond in a positive manner. Think even for a second before you act. Use your resources and respond.
Albert Einstein sums it up best, ” You can never solve a problem on the level on which it was created.”
Please feel free to comment on your ideas and suggestions to improve incident response.
Happy Safer Internet Day
Tuesday, February 7, 2012 is Safer Internet Day (SID). It’s an international event organized to promote safer and more responsible use of online technology and mobile phones, especially amongst the younger generation. We have so many netizens who are unaware of the dangers in the new Internet age. The only solution is constant and consistent education.
Some of the statistics provided on the website are telling:
- 26 per cent of children report having a public social networking profile.
- Children of all ages are lacking digital skills –confidence is often not matched by skill!
- 12 per cent of European 9-16 year olds say they have been bothered or upset by something on the internet…
- …however, 56 per cent of parents whose child has received nasty or hurtful messages online are not aware of this.
- One in eight parents don’t seem to mediate their children’s online activities…
- …while 56 per cent of parents take positive steps such as suggesting to their children how to behave towards others online.
- 44 per cent of children think that parental mediation limits what they do online, 11 per cent say it limits their activities a lot.
One aspect that I find fascinating is that this is a global problem. Kids worldwide are encountering the same problems that we see here in the United States. Wesites like SaferInternetDay.org and StaySafeOnline.org provide a large amount of useful information to help folks be secure online. It’s all free and readily available for anyone who wants it.
It’s great to see a worldwide effort like this. I just wonder how we can better spread the word and educate not only our kids, but everyone.
Internet is still vulnerable to cyber-criminals
William Slater is a student in the Bellevue University M.S. in Cybersecurity program. He is quoted in the San Francisco Chronicle’s web site in a recent column by James Temple on Internet security and Mark Bowden’s book “Worm: The First Digital World War.”
Bellevue University Cybersecurity Skill Valuation Survey
A request for your help:
I would like to ask you for your advice as we develop a new academic program in Cybersecurity. Here at Bellevue University and the College of Information Technology, we periodically review whether our academic programs are meeting the expectations of students and employers. As a leader in your business area, we value your views on the skills you would expect of an employee with a Bachelor of Science degree in Cybersecurity. Conceptually, this would be an employee with a current (or future) role in your organization who would be responsible for various operational aspects of securing your information systems. Below is a link to a short survey which will record your views about the skills you would expect of such a graduate / employee.
http://www.surveymonkey.com/s/2SJF76Z
It will be most beneficial if you could complete the survey by Feb 14, 2012. I sincerely appreciate you taking a few moments to complete the survey and provide us with your valuable advice on this matter as we strive to improve our programs for the benefit of both students and employers.
We will publish a summary of the results of this survey after its completion.
Cyberthreats – Are You Ready?
Within the last week, there have been two articles on major news sources regarding the importance of Cybersecurity in the Information Age. I’ll summarize them below. These articles demonstrate how everyone needs to have an awareness of cyber threats and the ways to handle them. We’ve seen a good trend in that Cybersecurity is now (finally!) taking a priority for organizations. Whether it’s protecting from Cyberthreats or responding to Cyber incidents, Companies need a security plan of action. They can no longer hide from Cyber risks, but proactively address them.
ABC News – FBI Director Says Cyberthreat Will Surpass Threat From Terrorists (http://abcnews.go.com/blogs/politics/2012/01/fbi-director-says-cyberthreat-will-surpass-threat-from-terrorists/)
FBI Director Robert Mueller and National Intelligence Director James Clapper testified this week before the Senate Select Committee on Intelligence on Cyberthreats. The threat of economic fraud and espionage from state actors such as Russia and China is a real and growing concern. “We foresee a cyber-environment in which emerging technologies are developed and implemented before security responses can be put in place,” Clapper said. The article lists many of the complex computer breaches that highlight the wide array of threats the officials were testifying about.
USA Today – Want CSI without the blood? Investigate computer forensics
The Television show CSI and its spin-offs has greatly enhanced the profile of forensics practices. Of course, it’s not as easy as it looks on TV. Computer forensics is a skilled discipline that takes years of practice to perfect to ensure all evidence is properly obtained and secured. Today, there’s a huge need as most investigations involve some aspect of information technology.
This article in USA Today discusses the increasing prevalence of computer forensics in law enforcement and investigations. It quotes that “Bureau of Labor Statistics estimates computer forensics jobs are expected to grow more than 13 percent in the next several years.” The growth isn’t limited to only computer forensics, but all aspects of Cybersecurity. The National Security Agency has plans to hire 3,000 specialists to combat the thousands of cyberattacks every day in the United States, while the Department of Homeland Security is hiring about 1,000 more Cybersecurity specialists
These articles show that a new warfront is cyberspace. As a nation, individuals and organizations need to step up their cyber protections and be ready when cyber attacks occur.
We will discuss this and many other aspects of Cyberwar in our webinar / live debate on Wednesday, February 22nd. See http://www.bellevue.edu/cyberwar/ for details and to register.