what you have learned most from completing this course
Before I took this course, I thought studying information security systems was just something that tells me how to secure my own data on my computer; this is what most people think. Most people's knowledge of information security is about blocking hackers from getting into their computer and stopping virus attacks.
After learning what an information security system is, I learned that securing a computer database is not just about having an anti-virus program installed on the computer. It's about teamwork: a company needs to have an IT security team to monitor all the IT work, and it's also about management; the management team needs to train its employees before something worse happens. Learning about information security also taught me about a few specific types of viruses and what damage they do to a computer system.
Information security also taught me about the legal system. I learned the rules about information security, the ethical issues around acceptable behavior, and of course that understanding different cultures is important, since culture fixes the moral attitudes or customs of a particular group.
How what you've learned complements other areas of knowledge you have or hope to gain
Learning and understanding alone are not going to help me secure my system completely; planning and taking action will be the hardest part of information security.
Management’s responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
The hardest part will be maintenance, because IT is always changing, which will continually bring the company new problems and new threats. Managers must understand each new threat and come up with a new solution to defend against the risk the company faces, which means the manager has to go back to the first stage, develop a new plan, and direct employees to operate and monitor for this new threat.
what you consider to be the most important aspects of information security and why
I think risk management is the most important aspect of information security, because knowing the risks can reduce threats to the company. To be able to identify security risks, we have to examine and understand the information and systems currently in place, both for ourselves and for our adversaries. We also need to be able to control those risks, and we need to protect our classified database. People can steal our classified information both internally and externally; for external threats, we can develop a strong IT security team, but internal threats will be a lot harder to secure against.
We can develop security clearances, with each data user assigned a single level of authorization indicating a classification level. Before accessing a specific set of data, an employee must meet the need-to-know requirement, and an extra level of protection can be set up to ensure that the information's confidentiality is maintained.
Even though a company has security clearances, there are still a lot of holes in the system, because if an employee works long enough in the company, he will still have a way to break into the system; there isn't a 100% system for this problem.
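The two checks described above (a single clearance level per user, plus a need-to-know requirement before a specific set of data can be read) can be modelled in a few lines. The following is an added example written for this post, not code from the course or its textbook; the classification levels, compartment names, users and documents are all constructed for illustration.

```python
from dataclasses import dataclass

# Ordered classification levels: a higher index is more sensitive.
# Hypothetical scheme for this example; real organisations define their own.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass(frozen=True)
class Document:
    name: str
    level: str                 # classification level of the data
    compartments: frozenset    # need-to-know compartments required to read it


@dataclass(frozen=True)
class User:
    name: str
    clearance: str             # the single authorization level assigned to the user
    need_to_know: frozenset    # compartments this user has a documented need for


def level_rank(level):
    """Position of a level in the ordering; unknown levels are rejected, not guessed."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level}")
    return LEVELS.index(level)


def may_read(user, doc):
    """Return (allowed, reason). Both checks must pass: the user's clearance must be
    at or above the document's level AND the user must hold every compartment the
    document requires. Clearance alone is never enough (that is the need-to-know rule)."""
    if level_rank(user.clearance) < level_rank(doc.level):
        return False, f"clearance {user.clearance} is below {doc.level}"
    missing = doc.compartments - user.need_to_know
    if missing:
        return False, "missing need-to-know: " + ", ".join(sorted(missing))
    return True, "ok"


def access_log_line(user, doc):
    """One audit-log line per decision, so denied attempts are visible to reviewers."""
    allowed, reason = may_read(user, doc)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={user.name} doc={doc.name} level={doc.level} reason={reason}"


# Constructed sample data for the example.
PAYROLL = Document("payroll-2009.xls", "confidential", frozenset({"finance"}))
MERGER = Document("merger-plan.doc", "secret", frozenset({"finance", "executive"}))
HANDBOOK = Document("handbook.pdf", "internal", frozenset())

ALICE = User("alice", "secret", frozenset({"finance"}))                  # high clearance, finance only
BOB = User("bob", "confidential", frozenset({"finance", "executive"}))   # right compartments, lower clearance

if __name__ == "__main__":
    for user in (ALICE, BOB):
        for doc in (HANDBOOK, PAYROLL, MERGER):
            print(access_log_line(user, doc))
```

Alice is cleared to secret but is denied the merger plan because she lacks the "executive" compartment; Bob holds both compartments but is denied because his clearance is below secret. Logging the reason for each denial is what lets a reviewer later spot an insider probing for data outside their role.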
what you haven't learned but had hoped to
I was planning to have lessons about how to secure my own computer with programming, but this course is more about the theory of the information security system of an organization.
For example, if I want to stop hackers from getting into my computer and stealing my personal data, the only way to stop them is to understand computer programming, because having a firewall isn't good enough; to be able to stop them coming in the door, you need to understand how they come in.
what aspects of information security interested and/or bored you the most
Learning about security and personnel is more interesting than the other topics, because it makes me understand the qualifications and requirements to be a security manager.
For example, I would never have thought human resources would get into this subject: human resources must address positioning and naming; staffing; evaluating the impact of information security across every role in the IT function; and integrating solid information security concepts into personnel practices. At the same time, it should try not to make employees feel threatened.
There are different levels of qualifications and requirements for different positions; for example, upper management should learn about the budgetary needs of the information security function, and IT and management must learn more about the level of influence and prestige the information security function should be given to be effective.
These are the more involved things the head boss has to consider: what type of employee he needs to hire to be able to secure his company's data, and at the same time, who will monitor these security officers' work. Most smaller companies will choose to do the monitoring themselves.
what topics you found particularly easy or difficult to grasp
Learning about implementing information security took me the longest to understand, because there were too many strategies and models that I had a hard time understanding.
For example, the SecSDLC implementation phase is accomplished through changing the configuration and operation of the organization's information systems. To be able to find out the configuration, we need to start with the company's procedures, people, hardware, and software. We have to turn the blueprint for information security into a concrete project plan. The project plan also involves a WBS, which is another complicated structure to understand.
how the course could have been facilitated better to assist your understanding and knowledge.
I would recommend uploading some video clips of news, current situations, and graphics. It will help students understand more than just listening and watching PowerPoints.
There are a few video clips in each section, but because each section has many different structures, one or two videos cannot explain every point clearly.
Thursday, 19 November 2009
Wednesday, 18 November 2009
Week 12, Section 12
The definition of a hacker is someone who shares an anti-authoritarian approach to software development, now associated with the free software movement.
Ensuring that you have adequate network protection is vital, but protecting your system from hackers who use social engineering to get inside should also be a priority. Even the best employee may create system vulnerabilities if they aren't aware of the threat, and companies often overlook this hacking angle.
Hackers can be smooth operators. They may call looking for advice, offering flattery in the attempt to gain your employees' trust. They use this connection to talk their way into getting information about the security your company has in place and the programs you run. They may also prey on your employee's confidence in the network in order to gain specific details and shortcomings about your system operations. By using social engineering to obtain even small amounts of information about how your system operates and what programs you use, the hackers can run software on their end that will not only give them greater detail on your system, it can show them how to get inside.
Suavely manipulating an individual isn't the only social engineering method hackers use. Some hackers are far more direct. It's hard to believe, but they may directly call a business and impersonate an authority in the company. Employees can be easily swayed by a person issuing a direct request in an authoritative tone. Employees have been known to do what the hacker says because they believe they are being asked on behalf of the company. They may change passwords or issue new ones, allowing the hacker access to your system. The hacker may start small and simply ask for access to their email account, which is generally that of a system administrator. Once they have access to this account, they can issue credible commands to gain further access to and control over your business systems.
No one wants to think that getting access to their company's system could be so easy, but it can and does happen. Using these tricks to gain access to business networks is actually quite common. The key to limiting this risk is comprehensive training for your employees so they learn to see through the hackers' ploys.
(Guidance Consulting INC) http://www.guidance-consulting.com/articles/94-how-hackers-use-social-engineering-to-get-inside.html
Frederick Wood, of Seattle, has been convicted and sentenced to 39 months in prison this week for using the infamous P2P client Limewire to steal personal information from over 100 unsuspecting sharers. Kathryn Warma, assistant U.S. attorney in the Computer Hacking and Internet Crimes Unit of the U.S. Attorney's Office, says this kind of identity theft is very common, but not too many people know it exists. Wood, says Warma, would type keywords such as "tax return" or "bank account" into the Limewire search box, which allowed him to download files with that type of personal information from the shared folders of naive or unsuspecting Limewire users. The convicted felon also searched specifically for college financial aid forms, says PCWorld, which include "exhaustive personal and financial information about the family." Wood would then use the info to open accounts, receive credit cards, and make purchases in their names.
http://www.afterdawn.com/news/archive/18862.cfm
Limewire is the biggest P2P downloading software; you can get almost every movie, music, game, and more from it.
It is really hard for a user to be 100% sure their computer is secure, because Limewire has access to your hard drive to be able to download data, and hackers can use this to get into your computer and steal personal information.
Users can only choose not to use any P2P downloading software and limit their entertainment, or take the risk of using it.
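Between "never use P2P software" and "take the risk" there is a middle ground the news item points at: the victims were exposed because personal documents sat inside the folder the client shared. The script below is an added example written for this post (not part of the article or of Limewire) that audits a share folder from the owner's side before anything is shared: it flags files whose names look like tax, bank or financial-aid documents, and it warns when the share root is the whole home directory or contains a folder that should never be shared. The name patterns and the "never share" folder list are constructed for the example and should be tuned to your own machine.

```python
import os
import re
import tempfile

# Filename fragments that often mark personal or financial documents.
# Constructed list for this example; it is a starting point, not a complete one.
SENSITIVE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"tax[_ -]?return",
        r"bank[_ -]?(statement|account)",
        r"fafsa|financial[_ -]?aid",
        r"passport",
        r"\.(qif|ofx)$",          # personal-finance export formats
    )
]

# Folders that should never sit inside a share root (constructed examples).
NEVER_SHARE = ("documents", "desktop", ".ssh")


def find_sensitive_files(share_root):
    """Walk the share root and return the relative paths of files whose names
    match a sensitive pattern. Only names are inspected; contents are not read."""
    hits = []
    for dirpath, _dirs, files in os.walk(share_root):
        for fname in files:
            if any(p.search(fname) for p in SENSITIVE_PATTERNS):
                hits.append(os.path.relpath(os.path.join(dirpath, fname), share_root))
    return sorted(hits)


def share_root_is_too_broad(share_root, home_dir):
    """True if the share root is the home directory itself, contains it, or holds
    one of the folders in NEVER_SHARE. Either case exposes far more than media."""
    root = os.path.realpath(share_root)
    home = os.path.realpath(home_dir)
    if root == home or home.startswith(root + os.sep):
        return True
    return any(os.path.isdir(os.path.join(root, d)) for d in NEVER_SHARE)


def build_demo_share():
    """Create a throwaway share folder holding constructed sample files
    (media next to a few misplaced personal documents) and return its path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    for rel in ("music/track01.mp3",
                "video/clip.avi",
                "misc/Tax_Return_2008.pdf",
                "misc/bank statement march.pdf",
                "school/FAFSA form.doc"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample content\n")
    return root


if __name__ == "__main__":
    root = build_demo_share()
    print("share root too broad:", share_root_is_too_broad(root, os.path.expanduser("~")))
    for hit in find_sensitive_files(root):
        print("exposed:", hit)
```

On the constructed folder the audit reports the three personal documents and nothing else. Run against a real share root it gives the owner a concrete list to move out before the folder goes online, which addresses the exposure described in the news item without requiring anyone to give up the software.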