Wednesday, October 29, 2014

Personal Firewall Benefits

First of all, it is important to understand what a firewall’s purpose is.  A firewall is meant to protect a private network from outside attacks (e.g. from the Internet).  A firewall can consist of software or hardware.  A firewall sits between a private network and a public network (Vicomsoft Learning Center 2011-2014).

Next, it is important to understand what a firewall does.  It inspects all traffic between the private and public networks and checks that the traffic meets specific criteria.  The firewall will prevent traffic from entering the private network if it does not meet these criteria.  A firewall can also log and/or trigger alerts when someone attempts to enter the private network with hostile intentions (Vicomsoft Learning Center 2011-2014).

Following are just some of the benefits of installing a personal firewall (Hooper n.d.):
  • Monitors Traffic:  This feature monitors not only incoming traffic to a private network but also outbound traffic.  This helps ensure that bad traffic neither enters nor exits a private network.
  • Blocks Trojans:  A Trojan horse virus is one that attaches itself to computer files.  Then, when the files are sent out, this can end up impacting others who open those files.  A firewall prevents the Trojans from attaching themselves to files on the private network in the first place.
  • Stops Hackers:  A firewall prevents someone from using a private network and/or computer to spread viruses.  An attack can come not only from a hacker but also from a neighbor if there is no protection against intrusions.
  • Stops Keyloggers:  Keyloggers are spyware placed onto a computer to capture keystrokes.  This type of attack allows attackers to access private accounts because the attacker gains access to user IDs and passwords.  This is why multifactor authentication for sensitive sites is so important, in addition to a personal firewall, to prevent this type of attack.
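To make the "checks traffic against criteria, blocks what fails, logs and alerts" description concrete, here is a small stateful personal firewall written in Python as an added example (it is not code from this post or from any real firewall product).  The `Packet` and `Rule` classes, the rule fields, the alert threshold and the sample packets are all assumptions constructed for the illustration.  It checks traffic in both directions, lets replies to connections the host itself opened through, denies unsolicited inbound traffic by default, logs every block and raises an alert when one remote address keeps getting blocked.

```python
"""Toy stateful personal firewall (added illustration, not code from the post).

Packets are checked in both directions against an ordered rule list; replies
to connections the host itself opened are allowed; unsolicited inbound
traffic is denied by default; every block is logged and repeated blocks
involving one remote address raise an alert.  The sample packets are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": public network -> host, "out": host -> public network
    remote: str      # the address on the public side of the firewall
    proto: str       # "tcp" or "udp"
    sport: int       # source port
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str                # "in" or "out"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    remote: Optional[str] = None  # address or prefix on the public side, None = any

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and (self.remote is None or p.remote.startswith(self.remote)))


class PersonalFirewall:
    ALERT_THRESHOLD = 3   # blocks involving one remote address before an alert fires

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.log: List[str] = []        # audit trail of blocked packets
        self.alerts: List[str] = []
        self.blocks_by_remote = Counter()
        self.flows = set()              # connections the host opened itself

    def check(self, p: Packet) -> str:
        # Stateful shortcut: a reply to a connection we opened is allowed.
        if p.direction == "in" and (p.remote, p.sport, p.dport, p.proto) in self.flows:
            return "allow"
        # Otherwise the first matching rule decides...
        for rule in self.rules:
            if rule.matches(p):
                verdict = rule.action
                break
        else:
            # ...and the default policy is: unsolicited inbound denied, outbound allowed.
            verdict = "deny" if p.direction == "in" else "allow"
        if verdict == "allow":
            if p.direction == "out":
                self.flows.add((p.remote, p.dport, p.sport, p.proto))
        else:
            self.log.append(f"BLOCK {p.direction} {p.proto} remote={p.remote} dport={p.dport}")
            self.blocks_by_remote[p.remote] += 1
            if self.blocks_by_remote[p.remote] == self.ALERT_THRESHOLD:
                self.alerts.append(f"repeated blocked traffic involving {p.remote}")
        return verdict


def run_demo() -> Tuple[PersonalFirewall, List[str]]:
    rules = [
        Rule("allow", "in", proto="tcp", dport=22, remote="192.168.1."),  # SSH from the LAN only
        Rule("deny", "out", proto="tcp", dport=25),                        # no direct outbound SMTP
    ]
    fw = PersonalFirewall(rules)
    packets = [  # constructed sample traffic
        Packet("out", "203.0.113.10", "tcp", 51000, 443),  # host opens an HTTPS connection
        Packet("in", "203.0.113.10", "tcp", 443, 51000),   # the server's reply
        Packet("in", "198.51.100.7", "tcp", 40000, 3389),  # unsolicited RDP probe
        Packet("in", "198.51.100.7", "tcp", 40001, 445),   # unsolicited SMB probe
        Packet("in", "198.51.100.7", "tcp", 40002, 23),    # unsolicited telnet probe -> alert
        Packet("out", "198.51.100.7", "tcp", 51001, 25),   # something on the host tries to send mail directly
        Packet("in", "192.168.1.20", "tcp", 5000, 22),     # SSH from a LAN machine
    ]
    return fw, [fw.check(p) for p in packets]


if __name__ == "__main__":
    fw, verdicts = run_demo()
    print("verdicts:", verdicts)
    print("\n".join(fw.log))
    print("alerts:", fw.alerts)
```

The outbound SMTP block is the "monitors outbound traffic" point from the list: a rule engine that only looked inward would never notice a machine on the private network trying to send mail on its own.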

Another important way to protect a computer is securing wireless routers.  An unsecured router is like an open invitation for someone to try to attack a personal computer or network.  When a person is using public WiFi, the best and first defense against an attack is a firewall.

Reference:


Friday, October 24, 2014

Information Security Risk Control Strategies

All companies are vulnerable to attacks on their data if they have any networks that are exposed outside of their company.  Even if networks are only internal, a company is still at risk of an internal attack from an employee who stands to gain from the attack or is possibly disgruntled at the company.

There are many strategies that a company can take to mitigate risk to assets.  Some companies are required by law to protect their assets such as financial institutions and medical practices.  There are many regulations that have to be complied with in terms of protecting personal information of customers and patients of these organizations.  In that case, defense is the only option for these businesses.

The following are five strategies that can be used in information asset risk control in an organization (Whitman 2014): 

  • Defense:  Defense is when additional safeguards are implemented to eliminate or reduce risk that is not being controlled.
  • Transferal:  Having the risk transferred to outside organizations or areas to handle the risk.
  • Mitigation:  Decrease the impacts of a successful attack on assets.
  • Acceptance:  Do nothing but document that the risk is not being controlled and that the risk is being accepted.
  • Termination:  Completely remove the asset from the organization.

Another viewpoint on risk control strategies indicated the following four strategies (Gillette n.d.):

  • Avoidance:
    • The most popular strategy
    • Tries to avoid risks and threats completely
      • Countering threats
      • Remove assets that are vulnerable
      • Limit who can access the asset
      • Add safeguards to protect asset
    • Methods to avoid risk
      • Policy
      • Training
      • Technology
  • Transference
    • Move the risk to other assets, processes, or organizations
    • Transfer risk through the following methods:
      • Reengineering services
      • Changing development methodologies
      • Outsourcing
        • Advantages:  Leverage another company’s expertise & allow the primary company to concentrate on what they know
        • Disadvantages:  Costs are likely to be high and the contracts can be very complex to keep both companies safe from liability
    • Larger organizations are more likely to use this method

  • Mitigation
    • Limit the impacts that would happen if an asset was successfully attacked
    • Use planning and preparation to reduce the impacts
    • Planning includes:  disaster recovery plan, incident response plan, and business continuity plan
    • Early detection is key to limiting risks

  • Acceptance
    • Do nothing and accept the results of any attacks
    • This method requires determining how much risk there is, how likely an attack is, how much harm an attack would cause, how feasible it would be to add additional controls, what the cost benefit of adding controls to prevent an attack is, and whether measures to prevent an attack are justifiable.

How a risk is handled is largely up to an organization.  An organization that is governed by regulations can choose not to mitigate its risks in an appropriate fashion, but it can face penalties and fines if it is out of compliance.  If an employee of a company that is governed by regulations willfully disregards the laws, they could face fines, termination, or even jail time.

Reference:

Monday, October 13, 2014

Identify Information Security Risks

In information security management, it is important to not only identify the risks to company assets but it is also important to identify assets that are at risk in the first place.

Is it better to identify what assets need to be protected first?  Or is it better to identify what threats there are and then identify what assets are at risk due to those threats?  A lot depends on the size of the company and how labor intensive it will be to do either of these things.  Ideally, both angles should be considered when protecting company assets.

Another key point to protecting company assets is to assess the priority of protecting each asset.  Once assets that are at risk are identified, a priority should be placed on each asset to determine which is most at risk and would cause the most damage if compromised.

Risks do not just include breaches.  Risks can also include natural disasters, accidents, mistakes, etc.  The assets need to be protected from all risks.

Also to be considered is the cost of having an asset damaged, destroyed, or breached.  If the cost is high due to loss of this asset, the priority of protecting this asset will be higher.
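The two questions raised here (which asset gets priority, and whether a control is worth its cost) and the five strategies from the earlier post on risk control (defense, transferal, mitigation, acceptance, termination) can be worked through with numbers.  The Python below is an added example, not something from these posts or from a textbook's code; it uses the standard quantitative model in which the single loss expectancy is the asset value times the fraction lost per incident, the annualized loss expectancy (ALE) is that times the expected incidents per year, and a control's cost-benefit is ALE before minus ALE after minus the control's annual cost.  The assets, threats, dollar figures, controls, the risk tolerance and the decision rules in `choose_strategy` are all constructed assumptions for the illustration.

```python
"""Quantitative risk prioritization and control strategy selection
(added illustration, not from the post).  Uses the single-loss-expectancy /
annualized-loss-expectancy model:
    SLE = asset value * exposure factor
    ALE = SLE * annualized rate of occurrence (ARO)
    cost-benefit of a control = ALE_before - ALE_after - annual cost of control
All assets, threats, dollar figures and controls below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # cost if the asset is damaged, destroyed or breached
    threat: str              # breach, natural disaster, accident, mistake, ...
    exposure: float          # fraction of the value lost in one incident (0..1)
    aro: float               # expected incidents per year
    regulated: bool = False  # protection required by law (e.g. financial or medical data)

    @property
    def sle(self) -> float:
        return self.value * self.exposure

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float     # fraction by which the control lowers the ARO (0..1)


def ale_with_control(asset: Asset, control: Control) -> float:
    return asset.sle * asset.aro * (1 - control.aro_reduction)


def cost_benefit(asset: Asset, control: Control) -> float:
    """Positive means the control saves more expected loss than it costs."""
    return asset.ale - ale_with_control(asset, control) - control.annual_cost


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Highest expected annual loss first: these assets get attention first."""
    return sorted(assets, key=lambda a: a.ale, reverse=True)


def choose_strategy(asset: Asset, controls: List[Control],
                    tolerance: float) -> Tuple[str, Optional[str]]:
    """Map the numbers onto the strategies from the posts.

    Simplified decision rules (an assumption of this example, not a standard):
      regulated asset          -> defense, with the best available control
      a control pays for itself -> defense
      loss within tolerance    -> acceptance (documented, not controlled)
      otherwise                -> transferal (e.g. outsourcing or insurance)
    Mitigation (planning to limit impact) and termination are not modelled.
    """
    best = max(controls, key=lambda c: cost_benefit(asset, c)) if controls else None
    if asset.regulated:
        return ("defense", best.name if best else None)
    if best is not None and cost_benefit(asset, best) > 0:
        return ("defense", best.name)
    if asset.ale <= tolerance:
        return ("acceptance", None)
    return ("transferal", None)


def run_demo(tolerance: float = 5000.0) -> Dict[str, Tuple[str, Optional[str]]]:
    assets = [  # constructed sample assets
        Asset("customer card database", 500_000, "breach", 0.4, 0.2, regulated=True),
        Asset("public website", 50_000, "defacement", 0.5, 1.0),
        Asset("lobby kiosk", 3_000, "theft", 1.0, 0.5),
    ]
    controls = {  # constructed candidate controls per asset
        "customer card database": [Control("encrypt at rest + MFA", 15_000, 0.75)],
        "public website": [Control("web application firewall", 20_000, 0.5)],
        "lobby kiosk": [Control("alarmed enclosure", 2_000, 0.5)],
    }
    plan = {}
    for a in prioritize(assets):   # walk the assets in priority order
        plan[a.name] = choose_strategy(a, controls[a.name], tolerance)
    return plan


if __name__ == "__main__":
    for name, (strategy, control) in run_demo().items():
        print(f"{name}: {strategy}" + (f" via {control}" if control else ""))
```

Two things the numbers make visible that the prose does not: the regulated database is defended even though that is also the most expensive choice, because compliance removes the option to accept the loss; and the website's firewall has a negative cost-benefit, so the model moves that risk elsewhere rather than spending more on the control than the expected loss it prevents.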

Another point in managing risks is the inherent risk that employees bring into the company through their ability to access company information anywhere and from their own devices.  How should a company address this risk?  Should a company prevent employees from accessing company information outside of the network?  What would that do to the work/home balance that employees need to stay happy working for a company?

Another consideration to risks is how quickly a company can assess the risk level to a company.  The percentage of companies that know what their risk level is at any point in time is very low.  This means that a lot of companies do not even know that they are at risk. 

A way to make it more likely that a company is able to assess risk levels quickly is by automating the process.  There are many technical solutions that will monitor the network, personal devices, email usage, etc. and can determine if an employee is inadvertently or purposely introducing risk to the company.

All these things need to be considered when assessing risk to company assets.

Reference:

  • Hurley, J. (Jan 2011).  Identify enterprise security risks.  What color is your information risk today?  TechWorld.  Retrieved from http://features.techworld.com/security/3258042/identifying-enterprise-security-risks/
  • Borysowich, C. (Jul 2009).  Identifying Security Threats.  Retrieved from http://it.toolbox.com/blogs/enterprise-solutions/identifying-security-threats-33182

Saturday, October 11, 2014

Security Best Practices

Once an organization has determined where the security risks are, some fundamental best practices should be implemented to avoid security breaches.

A very important thing to do to protect customer and employee information is to use encryption.  All sensitive data should be encrypted when it is stored and when it is being transmitted.  There are many government regulations that will impose fines against companies who cannot prove that they have followed this very important step of keeping sensitive information safe.  Encryption should use the strongest possible algorithm to keep sensitive information secure.  OWASP has a top 10 security vulnerabilities list published annually and provides information about encryption when transporting data (OWASP 2014) and when storing sensitive data (OWASP Apr 2014).

Other things that should be done to keep customer information secure include (Hess 2013): 

  • Use digital certificates to sign all sites
  • Do not allow removable media to be used on company computers (e.g. USB drives, external hard drives, etc.)
  • Install a spam filter on the email system
  • Install a device that scrubs all email coming in and out of a company to prevent PCI data from going out and malware links from coming into the company network
  • Always maintain security patches on all applications
  • Make sure users are trained on security concerns since information security is everyone’s responsibility
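The fourth item in the list, a device that inspects mail in both directions, is the most concrete of these practices, so here is a small Python illustration of the two checks it describes.  This is an added example, not code from this post or from any mail-security product; the regular expressions, the list of risky file extensions, the quarantine/deliver actions and the sample messages are all constructed assumptions.  Outbound mail is scanned for payment card numbers using a Luhn-checked digit pattern (so that random 16-digit order numbers are mostly not flagged), and inbound mail is scanned for links that point at a raw IP address or at an executable file type.

```python
"""Toy e-mail scrubber (added illustration, not the post's or any vendor's code).

Outbound mail is scanned for payment card numbers (PCI data) using a
Luhn-checked digit pattern; inbound mail is scanned for links of the kind
commonly used to deliver malware.  Sample messages are constructed.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
URL = re.compile(r"https?://[^\s<>\"']+")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".jar", ".hta", ".vbs")  # assumed list


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in `text` that look like card numbers and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, so the scrubber's own log is not PCI data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def risky_links(text: str) -> List[str]:
    """Return a reason string for every link that matches one of the inbound checks."""
    reasons = []
    for url in URL.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        try:
            ipaddress.ip_address(host)
            reasons.append(f"{url}: link host is a raw IP address")
        except ValueError:
            pass                             # a normal host name
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"{url}: link points at an executable file type")
    return reasons


def scrub_outbound(body: str) -> Dict[str, object]:
    """Hold mail that would carry card numbers out of the company."""
    pans = find_pans(body)
    return {"action": "quarantine" if pans else "deliver",
            "findings": [f"card number {mask(p)}" for p in pans]}


def scrub_inbound(body: str) -> Dict[str, object]:
    """Hold mail that carries links matching the malware-link heuristics."""
    reasons = risky_links(body)
    return {"action": "quarantine" if reasons else "deliver", "findings": reasons}


if __name__ == "__main__":
    # Constructed sample messages.
    print(scrub_outbound("Please charge card 4111 1111 1111 1111, exp 12/26, for order 1234567890123456"))
    print(scrub_inbound("Invoice attached: http://203.0.113.5/invoice.exe and https://example.com/help"))
```

The Luhn check is what keeps the outbound rule usable: roughly one random 16-digit number in ten still passes it, so a real deployment would pair this with known card prefixes and allow-listed senders rather than quarantining on the digit pattern alone.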


Reference:



Sunday, October 5, 2014

Security Education, Training, and Awareness

In the last several years, more and more of my employee security training comes with a link to an online course.  Some of the courses are minimal and take a matter of minutes to read and to take the final quiz to confirm that I read and comprehended the material.  Other training materials take hours and days to complete.

Who has time to do all that training and also get their jobs done?  Why does my company keep on insisting that I take the same training over and over each year?  What is the point?

Well, the point is that people tend to forget things if they are not reminded.  The use it or lose it mentality is very true.  If I don’t have those reminders every once in a while, I am very likely to forget some important aspects of keeping things secure at work and even at home on my personal computer.  Also, things change and if this material is not kept up-to-date, I am not likely to find out about new security threats to me and my company.

About a year ago my company started having pop-ups with security hints come up each day when I logged onto the network.  At first I read each one because it interested me.  Now, I cannot even tell you if those pop-ups come up anymore.  After a while I found them irritating.  Soon, I stopped reading them altogether.  Now I cannot even tell you if I get them anymore.  I compare this to being deep in thought and driving home and realizing that I traveled a great distance without consciously thinking about where I was.  Because I am focused on starting work when I log on in the morning, I don’t notice the detail of whether I closed a pop-up when I first logged on.  Tomorrow morning I am definitely going to pay attention and see if that pop-up appears when I log on.

The information security department is also sending out periodic newsletters with interesting relevant topics that include things that I can do at home as well as at work to protect my information.  I always read those and always get a lot from doing so.

So, next time you are annoyed by having to do that training at work, realize that it is to protect you and the company from security risks. 


Information security is everyone’s business!