Month: March 2014

MY REFLECTION ON THE BLOCK TEACHING


I enjoyed every bit of the lecture sessions as the lectures were very engaging. We learnt about CLOUD COMPUTING and the class was divided into groups for further discussions on the topic, after which each group gave a presentation of their reflections. One brainstorming question that got the class in an uproar was WHO GOVERNS THE CLOUD? A lot of responses were generated from this question, ranging from individuals to organizations, the government, etc.
A touching part of the block is the reflection on how to make the internet more accessible for Paraplegic Olympians. We worked in groups also and each group discussed different factors like political, Economic, Technological, and so on. My group discussed the Customer needs and we responded actively.
Another interesting session was the LEGO session introduced by Dr. Marie. We were to construct different innovative ideas we have. The whole essence of this is to show how IT-innovative we can be and the potential that exists in our subconscious.


WEBINAR BY KEN KLIKA- INFORMATION SECURITY IN SMEs


This webinar teaches how to improve the efficiency and availability of IT resources and applications through virtualization and discover how you can leverage technologies used in enterprise-class data centers, and reap the benefits of virtualization and cloud computing at an affordable price.

INFORMATION SECURITY BEST PRACTICES FOR SMALL BUSINESSES BY WARD BUCHANAN- Part 1


This video by Ward Buchanan stresses the need for effective Information Security in SMEs. He said many small business owners think they do not need to invest in Information Security because it is expensive, does not reduce their operating cost and does not generate revenue in any way, but his response is that not being Information Security conscious has the potential to ruin the whole business, so it is left to business owners to decide wisely.
He further said “in this age where cyber crime has grown at an enormous rate, it is not an option not to have protection in place”, adding that the level of IS in any SME should be commensurate with the level of business they are doing, because different types of business collect and store different types of data; e.g. health care businesses are expected to store patient information and therefore need to protect and ensure patients’ privacy or risk facing legal battles for leaking patient health information. He listed possible threats, which include:
• Computer Viruses
• Identity theft,
• Data loss,
• Employee fraud and theft
• Loss of physical equipment
The impacts these threats can have on the business, amongst others, are listed below:
• Loss of Proprietary Information
• Loss of Financial Information
• Loss of customer information and confidence
• Litigation
• Penalties- Government penalties for not taking efficient pre-emptive measures.
Listed below are the requirements to be considered for determining the security model that should be adopted by the businesses
• Describe the business and what it does
• Define activities that support business
• Identify information required by the above activities
• Classify information sensitivity
• Identify those who need access to the information
• Identify impact for applicable laws
• Identify and evaluate risks and actions to be taken
Everyone needs to be involved and know the need for security; hence these steps are to be followed in implementing Information Security:
• Designate who is responsible for managing security
• Secure your physical location
• Set up secure storage space
• Get employees to sign non-disclosure agreements
• Install network security components
REFERENCE:
Ward B, (2010). Available on youtube, Retrieved on 07 March, 2014 from

CLOUD COMPUTING & SMEs IN UK- A REPORT FROM THE CLOUD STEWARDSHIP ECONOMIC GROUP PROJECT


Iffatt Gheyas and Bruce Hallas, the authors of this report, state their findings from a survey carried out among SMEs in the UK, exploring fresh insights about the adoption and use of cloud computing. These SMEs, of which only 93 responded to the survey, were categorized based on their annual turnover rate, years of operation, staff strength, and number of operating locations within the UK and without.

Key findings from this research include the following:

  • SMEs with a relatively low annual turnover of under £100k are relying more heavily on IT & cloud computing to sustain and grow than any other organizations.
  • Priority areas for IT investment (a key strategic resource) are Operations, Marketing and Sales.
  • All respondents hold, access or process personal and commercially sensitive information about their clients or clients’ customers.
  • In most SMEs, Director/ Chief Executive/Business Owner is responsible for information security and for identifying threats. It means that SMEs are fully aware of the importance of cyber security and understand the concerns of various governments and customers about security.
  • Our brief survey suggests that, in spite of their awareness of the prevalence of information security risks and its impact on the business, most of them are not following the IT security best practices.
  • Almost half of the small local businesses with annual turnover less than £100k do not have an information security policy.
  • A significant majority of the SMEs surveyed do not have a business continuity policy plan and have never assessed the impact that a breach of confidentiality and/or availability would have on their business’s cash flow, profitability and reputation.
  • Most SMEs choose price over security.
  • The majority of SMEs see ‘Data Retention Policy’ and ‘Terms & Conditions of Supply’ as the most important criteria for the BPO vendor selection process.
  • An overwhelming majority of respondents, regardless of class characteristics, view “Legal system which governs SME’s relationship with their supplier” as the most critical success factor for IT outsourcing.
  • Companies with higher earnings prefer single vendor solutions, while companies with lower earnings prefer multi-vendor outsourcing.

MY REFLECTION

From this report it is obvious that SMEs with relatively low annual turnover are using cloud computing more intensively than SMEs with a higher level of turnover which negates the postulation of Kelly L, (2014) that “SMEs face the same information security threat as larger enterprises but without their budgets”. Many authors are of the opinion that financial Incapacitation is the main reason why SMEs do not invest in Information Security which may be right. Nevertheless, this report based on a valid survey shows that SMEs are aware of Information Security and beyond lack of finances they just decide not to invest in it because they feel it is not cost-effective.

 

REFERENCES:

Gheyas, I. and Hallas, B. (2011). Cloud computing and SMEs in UK. Retrieved on 05 March 2014, from <https://www.iisp.org/imis15/CMDownload.aspx?ContentKey=c0d6c3b7-81db-4c64-b9ec-a5e028aea4fd&ContentItemKey=f5a4ded3-937e-4f60-8933-cf1ed948640b>.

Kelly, L. (2014). ComputerWeekly.com. The Top 5 SME Security Challenges. Retrieved 05 March, 2014 from < http://www.computerweekly.com/feature/The-top-five-SME-security-challenges>

 

 

EU SMES IN 2012: AT THE CROSSROADS. ANNUAL REPORT ON SMALL AND MEDIUM-SIZED ENTERPRISES IN THE EU, 2011/12


The European Union faced challenging economic conditions in 2011/12, with an intensifying sovereign debt crisis in the euro zone, the spectre of double-dip recession for several countries and weakening growth in even the better performing nations. Throughout the downturn, however, SMEs have retained their position as the backbone of the European economy, with some 20.7 million firms accounting for more than 98 per cent of all enterprises, of which the lion’s share (92.2 per cent) are firms with fewer than ten employees. For 2012 it is estimated that SMEs accounted for 67 per cent of total employment and 58 per cent of gross value added (GVA). These figures point to a virtual standstill as compared to the preceding year, 2011. With more than 87 million persons employed, the EU’s SMEs continue to be the backbone of the EU economy. However, the difficult economic environment continues to pose severe challenges to them. This is also reflected in the key findings of the report:

1. With the EU economy threatening to dip into recession again, SMEs in the EU as a whole continue to struggle to recover to pre-crisis levels of value added and employment. Yet, SME performance varies considerably among Member States.

2. SMEs in Austria and Germany have exceeded their 2008 levels of gross value added (GVA) and employment in 2011. SMEs in Belgium, Finland, France and Luxembourg have, on average, experienced an anaemic performance since 2008. In the other 20 Member States, SMEs have been so far unable to bounce back to their pre-crisis levels of either GVA or employment.

 

3. A number of factors explain why in very few countries SMEs have recovered well. First, it appears to help if an economy, such as Germany’s, is strong in high-tech and medium high-tech manufacturing and knowledge-intensive services. Second, sectoral labour productivity levels are higher when the sector shows higher investment rates, higher export rates, and when the sector belongs to high-tech and medium high-tech manufacturing and knowledge-intensive services. Again, Austria and Germany have generally met these conditions. Third, the real value added growth in these best performing Member States is a result of both employment growth (boosting aggregate demand) and real productivity growth, with the contribution of the former being clearly the dominant one.

4. As regards the industrial picture, most sectors experienced a recovery in GVA growth for SMEs in the EU combined with declining or flat SME employment (overall remaining at much lower than the pre-crisis levels of 2008). The sole exceptions were trade, transportation and services. SMEs operating in mining & quarrying performed least well.

5. Notwithstanding some positive effects on labour productivity, the main result of these trends is a ‘jobless growth’ for the EU’s SMEs.

 

REFERENCE:

Wymenga P., Spanikova V., Barker A., Konings J., and Canton Erik (2012). EU SMEs in 2012: at the crossroads. Annual Report on Small and Medium-sized Enterprises in the EU, 2011/12. Retrieved on 5 March, 2014 from <http://ec.europa.eu/enterprise/policies/sme/facts-figures-analysis/performance-review/files/supporting-documents/2012/annual-report_en.pdf>

 

THE TOP FIVE SME SECURITY CHALLENGES


SMEs encounter the same data security danger as bigger ventures yet without their budgets. The article offers insights on how to make SMEs more secure without using unmanageable and old-fashioned systems. According to the article, the five significant challenges confronting SMEs are:

THE CLOUD SECURITY RISK FOR SMEs

The cloud is a technology many SMEs are interested in because of the benefits of flexibility, pay-for-use and reduced hardware investment. But there remain questions over its security.

David Lacey, director of research at the Information Systems Security Association (ISSA-UK) said the cloud is a good solution for SMEs if they choose professional, reliable service providers. Who’s responsible for security in the cloud? It is a personal decision, but all should be very wary of putting personal information into the cloud.

SECURITY REGULATION COMPLIANCE FOR SMEs

Compliance is a painful process for many SMEs. However, there is no avoiding compliance, even if it does not necessarily lead to better security. Compliance is about covering yourself, passing on the problems and ticking all the boxes.

The tick-box culture large companies perpetuate and wrap up in corporate speak is meaningless for SMEs but they should work with trusted advisors on compliance. SMEs should try to understand where their assets are and focus security controls there.

However, the main benefit of compliance is to get the attention of the board, because the CEO must sign a top-level policy document to ensure confidentiality and integrity to comply with standards such as ISO 27000.

THE CHANGING SME THREAT LANDSCAPE

Like many IT security firms, Dell SecureWorks is constantly surveying the changing threat landscape. Coburn said SMEs are increasingly being targeted, but many believe they are under the radar and not in the sights of cyber criminals.

Malware is becoming more sophisticated. Aurora and Stuxnet are very sophisticated, all targeted at siphoning financial information.

It was put forward that a very good method to create awareness for SMEs is through:

SECURITY EDUCATION AND TRAINING FOR SMES

Constant education and training around IT security is necessary to help reduce human error.

There’s nothing the industry can do to solve the problem. Human error lets security down. Most secure organizations spend time and money on staff and until SMEs begin to train awareness, they are not secured. Common sense only becomes common sense when you know the right thing to do.

ISSA5173 SECURITY STANDARD TARGETS SME NEEDS

To combat some of the issues SMEs face, the Information Systems Security Association (ISSA-UK), where Lacey is director of research, is creating a new security standard for small businesses, called ISSA5173.

SMEs are different from large organisations, not in security threats which are the same, but more in the way they operate. SMEs don’t need paper and labour-intensive controls that big companies like. The new standard suggests looking at policies, procedure and education. The pressure on SMEs is to grow their business and security is often low on the to-do list.

Meanwhile, the security landscape has changed out of all recognition with the impact of the internet and an increasingly mobile workforce, which has transformed the way people communicate. The future of security is complex as we are facing a data Tsunami with a 60% growth in mobile data. The threats are more sophisticated, data breaches more damaging, users have left the buildings and the applications have followed. There has been an increase in data legislation around the world because it is citizen-friendly and cheap, but reliance on standards and a herd-mentality towards security is leading to a world of compliance and policies, which does not necessarily improve security, said Lacey.

REFERENCES:

Computerweekly.com (2014). The Top Five SME Security Challenges. Retrieved on 5 March, 2014 from < http://www.computerweekly.com/feature/The-top-five-SME-security-challenges>

THE CLOUD DIVIDEND: ECONOMIC BENEFITS OF CC TO BUSINESS AND THE WIDER EMEA ECONOMY


This is a summary of the report on and results of an independent study to quantify the economic benefits of cloud computing to business and to Europe’s five largest economies (in alphabetical order, France, Germany, Italy, Spain and the UK). The study was undertaken by the Centre for Economics and Business Research Ltd (Cebr) on behalf of EMC, a global commercial technology company providing systems, software and services to its business clients, and the following were discovered:

  • Widespread adoption of cloud computing has the potential to generate over €763 billion worth of collective financial benefits in the years 2010 – 2015, across the five economies.
  • A forecasted yearly economic benefit in excess of €177 billion by 2015, which involves a 23.2% share of collective benefits over a six year period and this would cause a high amount of workload to Cloud service providers  and customers.
  • An excess of 2.3 million net jobs (direct and indirect) created between 2010 – 2015 on a collective basis and CC adoption could yield 446 thousands new jobs annually by 2015 across the five economies.

What this study shows is that, not only is cloud computing an important issue from the micro perspective of boosting the efficiency of individual companies’ IT investment and, hence, general corporate productivity, but also that, especially in the present uncertain economic climate, it will also be a critical macroeconomic factor that is crucial for boosting Europe’s economic growth. As such, the study is an important contribution outlining one of the most important ways that European economies can revive and emerge from the economic crisis.

From the above it is evident that the benefit of cloud computing is changing the turnover for organizations, with more to come in the next few years, which means CC has come to stay, and not just that, but to improve the operations/activities of organizations that adopt it, whether SMEs or large.

REFERENCE:

UK. Centre for Economic and Business Research (2010). The Cloud Dividend: Part One. The economic benefits of cloud computing to business and the wider EMEA economy. France, Germany, Italy, Spain and the UK. Retrieved on 04 March, 2014 from < http://uk.emc.com/collateral/microsites/2010/cloud-dividend/cloud-dividend-report.pdf>

MY REFLECTION ON ADVANCED PERSISTENT CYBER THREATS IN ORGANIZATIONS


No matter the size of an organization, whether large or SME, advanced cyber-attacks such as Advanced Persistent Threats represent a credible threat and risk to the organization, and Information Security officers must address the risk these adversaries pose to their organization.

A four-step process for countering advanced cyber-attacks, which are a big Information Security challenge, is provided below by The CISO’s Guide to Advanced Attackers (2012).

  • Gather intelligence
  • Mine for cyber threat indicators
  • Respond to information security alerts
  • Break the “kill chain” or cyber-attack process

 I posit that beyond the Financial Incapacitation challenge that has been identified as a major reason for SMEs not being able to tackle IS issues, corrective measures like the above listed should be adopted instead of focusing on the assumed complexities. 

REFERENCE:

The CISO’s Guide to Advanced Attackers (2012). Retrieved on 05 March, 2014 from < http://go.secureworks.com/lp-ciso-guide-advanced-attackers>.

IT SECURITY STRATEGIES FOR SMEs


Small and medium enterprises are depending more on their information technology infrastructure but do not have the means to secure it properly due to financial restrictions like limited resources, and adequate know-how. Many SME managers believe that IT security in their company can be compared to having a firewall and updating the antivirus software regularly. Strategic policies, information theft, business continuity, access controls, and many other aspects are only dealt with in case of security incidents. To improve security in a company holistically, four levels (organizational level, workflow level, information level, and technical level) need to be addressed. Parts of existing standards are useful to address issues on the organizational level; Pipkin’s approach is especially useful for SMEs.

 SME’S AND LARGE COMPANIES

In highly competitive global markets, SMEs usually are only successful if they provide highly customized solutions for their customers. The knowledge of their customers is also emphasized by the management style of many SMEs. Many SMEs are operated as family businesses managed by their founders or their descendants. Even though the management usually knows a lot about their customers and their core business, they often lack a systematic approach of organizing their business processes. In many cases, the management of SMEs does not see their company as a likely target for hacker attacks or intruders. Therefore, they deem IT security low priority. This is a very dangerous misconception of the evolving threats to modern IT infrastructure. Another aspect, which is often underestimated, is industrial espionage. Since know-how is the most important asset of SMEs, proper safeguards have to be taken to protect this asset from intruders as well as from malicious or disgruntled employees or former employees. This fact becomes even more evident as the IT infrastructure used by many SMEs offers services similar to large companies, such as Internet access on every work desk, remote access for home workers or traveling salesmen, distributed databases, or simple ERP and CRM systems. However, as SMEs usually spend less money —both in absolute and relative figures — on IT management and information security; they are much less prepared for potential attacks from outside or inside.

IT SECURITY STANDARDS FOR SMES

Established Standards: Most Information Security Frameworks were originally developed either for large corporations or governmental institutions to establish or keep a certain level of service quality and security. Therefore, a more pragmatic approach is needed that covers all areas that need to be addressed, but which is still feasible for companies with low IT budgets.

A Pragmatic Approach for SMEs: Donald Pipkin (2000) developed an interesting approach that is very suitable for smaller companies with a few modifications even though it was originally developed for large corporations. Pipkin suggests an Information Security process model consisting of five aspects: (1) inspection, (2) protection, (3) detection.

CONCLUSION

Security needs to be addressed at four levels (organizational level, workflow level, information level, and technical level). SMEs differ from large companies in many aspects. These differences explain why IT security is usually not that well addressed in SMEs, even though SMEs increasingly depend on their IT systems as much as large companies do. Additionally, SMEs may be more often attacked in the future, as large companies become increasingly difficult to hack.

REFERENCES:

Ji-Yeu P., Rosslin R., Chang-Hwa H., Sang-Soo Y., and Tai-hoon K., (2008). IT Security Strategies for SMEs. International Journal of Software Engineering and Its Application. Retrieved on 05 March, 2013 from < http://www.sersc.org/journals/IJSEIA/vol2_no3_2008/7.pdf>

Pipkin, D. L. (2000). Information security. Upper Saddle River, NJ: Prentice Hall

WHITEPAPER- TOP 10 THREATS TO SME DATA SECURITY


Although it is difficult to find reality-based, accurate reporting on what the network security threat really is today, Scott Pinzon has identified the 10 most common vectors of data compromise that could affect SMEs and has also proposed practical techniques and defences to counter them. These vectors are:

INSIDER ATTACKS: Verizon’s Intrusion Response Team investigated 500 intrusions in 4 years and could attribute 18% of the breaches to corrupt insiders. Of that 18%, about half arose from the IT staff itself.

MITIGATION

Implement the principle of dual control. Implementing dual control means that for every key resource, you have a fall-back.

 

LACK OF CONTINGENCY: Many SMEs have found that a merely bad data failure or compromise turns disastrous when there is no Business Continuity Plan, Disaster Recovery Plan, Intrusion Response Policy, up-to-date backup system from which you can actually restore, or off-site storage.

MITIGATION

Certainly if you have budget for it, hire an expert to help you develop sound information assurance methodologies. If you don’t have much money to work with, leverage the good work others have done and modify it to fit your organization.

POOR CONFIGURATION LEADING TO COMPROMISE: Inexperienced or underfunded SMEs often install routers, switches, and other networking gear without involving anyone who understands the security ramifications of each device.

MITIGATION

Perform an automated vulnerability audit scan. If you can’t afford to hire consultants, you probably can afford a one-time, automated scan of your network.

RECKLESS USE OF HOTEL NETWORKS AND KIOSKS: Hotel networks are notoriously lousy with viruses, worms, spyware, and malware, and are often run with poor security practices overall.

MITIGATION

Set and enforce a policy forbidding employees from turning off defences.

RECKLESS USE OF WI-FI HOT SPOTS: Public wireless hot spots carry all the same risks as hotel networks and then some. Attackers commonly put up an unsecured wireless access point which broadcasts itself as “Free Public WiFi.” Then they wait for a connection-starved road warrior to connect.

MITIGATION

Teach users to always choose encrypted connections. Have them connect via a Virtual Private Network (VPN).

DATA LOST ON A PORTABLE DEVICE: Much sensitive data is compromised every year when workers accidentally leave their smart phone in a taxi, their USB stick in a hotel room, or their laptop on a commuter train. When data is stored on small devices, it’s wiser for administrators to stop thinking about what they’ll do “if that device ever gets lost…” and instead, think, “when it gets lost…”

MITIGATION

Manage mobile devices centrally. Consider investing in servers and software that centrally manage mobile devices.

WEB SERVER COMPROMISE: The most common botnet attack today is against web sites; and the fatal flaw in most web sites is poorly-written custom application code.

MITIGATION

Audit your web app code. If (for instance) a Web form has a field for a visitor to supply a phone number, the web application should discard excess characters.
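An added example, not part of the whitepaper or of this post, showing two server-side treatments of the phone-number field described above: discarding unexpected characters, as the whitepaper suggests, and rejecting the submission outright. The length limits, function names and sample inputs are assumptions constructed for illustration.

```python
import re

# Assumed limits for this illustration (not taken from the whitepaper).
MAX_RAW_LEN = 64   # longest raw field value the server will look at
MIN_DIGITS = 7     # shortest number accepted
MAX_DIGITS = 15    # E.164 caps international numbers at 15 digits

# Compare against ASCII digits explicitly: str.isdigit() and \d also accept
# other Unicode digits, which most back-end systems do not expect.
ASCII_DIGITS = "0123456789"

# Allow-list for strict mode: optional leading '+', then digits and the
# separators people normally type in a phone number.
_STRICT = re.compile(r"\+?[0-9 ().\-]+")


def discard_excess(raw):
    """Lenient handling: keep an optional leading '+' and ASCII digits,
    drop every other character, and cut the result to MAX_DIGITS.
    Returns the cleaned number, or None if too few digits remain."""
    stripped = raw[:MAX_RAW_LEN].strip()   # bound the work before parsing
    plus = "+" if stripped.startswith("+") else ""
    digits = "".join(ch for ch in stripped if ch in ASCII_DIGITS)[:MAX_DIGITS]
    return plus + digits if len(digits) >= MIN_DIGITS else None


def validate_strict(raw):
    """Strict handling: reject the whole value if it is too long or contains
    anything outside the allow-list. Returns the normalised number or None."""
    if len(raw) > MAX_RAW_LEN:
        return None
    stripped = raw.strip()
    if not _STRICT.fullmatch(stripped):
        return None
    digits = "".join(ch for ch in stripped if ch in ASCII_DIGITS)
    if not MIN_DIGITS <= len(digits) <= MAX_DIGITS:
        return None
    return ("+" if stripped.startswith("+") else "") + digits


if __name__ == "__main__":
    # Constructed sample submissions.
    samples = [
        "+44 20 7946 0958",              # well-formed
        "020 7946 0958<b>1</b>",         # markup appended to the number
        "\uff10\uff12\uff10\uff17\uff19\uff14\uff16\uff10\uff19\uff15\uff18",  # full-width digits
        "1" * 500,                       # oversized value
    ]
    for s in samples:
        shown = s if len(s) <= 30 else s[:27] + "..."
        print(f"{shown!r:34} discard={discard_excess(s)!r:18} "
              f"strict={validate_strict(s)!r}")
```

The second sample shows why silent discarding needs care: the stray digit inside the markup survives and changes the stored number, whereas strict validation refuses the value and lets the form ask the visitor to correct it.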

 RECKLESS WEB SURFING BY EMPLOYEES : A 2006 study by the University of Washington found that the sites that spread the most spyware were (in order)

1. Celebrity fan sites (such as the type that give updates on the follies of Paris Hilton and Britney Spears);

2. Casual gaming sites (where you can play checkers against a stranger)

3. Porn sites (coming in at a surprising third place)  

Social networking sites such as MySpace and Facebook have taken the lead as virtual cesspools of spam, trojans, and spyware.

MITIGATION

Implement web content filtering. Use web filtering software such as WatchGuard’s WebBlocker. Web filtering solutions maintain databases (updated daily) of blocked URLs in scores of categories.

 MALICIOUS HTML EMAIL : The most common email attack now arrives as an HTML email that links to a malicious, booby-trapped site. One wrong click can trigger a drive-by download.

MITIGATION

Implement an outbound web proxy. You can set up your LAN so that all HTTP requests and responses redirect to a web proxy server, which provides a single choke-point where all Web traffic can be monitored for appropriateness.

 AUTOMATED EXPLOIT OF A KNOWN VULNERABILITY

Negligent SMEs get victimized if they don’t install Windows patches during the same month the patch is published.

MITIGATION

Invest in patch management or build an inexpensive test network.

 CONCLUSION

The suggested measures can go a long way in mitigating risks in SMEs and protecting their network but these are only examples of the procedures that a diligent IT administrator could implement to increase network security.

 

REFERENCE

 Scott P., (2008). WatchGuard Technologies -Top 10 Threats to SME Data Security. Retrieved on 05 March, 2014 from < https://www.watchguard.com/docs/whitepaper/wg_top10-summary_wp.pdf>