Wednesday, February 12, 2014

AMG Enterprise Security Plan - A Fictious Scenario for CYBR 620

My notes on this paper: Our group was assigned with developing a security plan for a fictitious company. We were not to worry about budget, but were asked to be as comprehensive as possible in the given maximum paper length. This is not a research paper so there are no citations/references except a few exceptions where we quotes ideas from our professor for this project. I'd love to hear feedback from you so please post a comment, email or tweet me. --Glenn Ford

AMG Enterprise Security Plan
Glenn M. Ford, Aaron S. Cameron, Michael J. Park
UMBC at Shady Grove

Executive Summary

AMG Enterprises is an American owned e-commerce company headquartered in Rockville, Maryland. As a company with sales in 22 countries, annual revenue of $61 million (U.S.) in 2012, 97 employees and patents and other intellectual property, AMG is under constant attack by criminals and other hackers. Protecting employees, facilities, equipment and data offers a myriad of challenges. The Confidentiality, Integrity and Availability (CIA) of AMG information is critical to the continuity of operations and to the trust placed in AMG by their customers and vendors. AMG has a comprehensive security plan and has implemented policies, procedures, countermeasures and the operational model of security to ensure the protection of all company assets, as it pertains to physical, network, operational, personal and wireless security. AMG’s headquarters was custom built with security as a top priority. AMG’s policies were drafted to ensure security throughout all aspects of operations. No expense has been spared in deploying countermeasures to meet all threats both now and in the foreseeable future.

Problem Overview

As an ecommerce online business, AMG has an online reputation and brand recognition to maintain. If this reputation is tarnished company growth can be severely degraded. Our customers have complete confidence and assurance that AMG is providing quality products, customer service, and security of all client information.
At the center of this problem is protecting the CIA of AMG Enterprises assets. These assets include: online reputation; brand recognition, client and company information, buildings, inventory, hardware, proprietary software, personnel and overall organizations information technology (see Information Technology Organizational Chart, Appendix G, Figure 1). The cybersecurity threats of data breach and/or threats, denial-of-service (DOS) attacks, insider theft of intellectual property, deliberate corruption of electronic files from hacker attack or malicious attacks including worms and other means are all security problems this document hopes to solve with security policies, procedures and standards and the Countermeasure Triangle (The People, Policy, Technology Triangle; see Appendix H, Figure 2).

Wednesday, February 5, 2014

BYOD Consumer Demand and Information Security - CYBR 620 Research Paper by Glenn Ford

My Notes on this paper: This is a MDM/BYOD paper I did for Cybersecurity Masters Program, CYBR 620 at UMBC Shady Grove campus.  The paper was to discuss problems and possible solutions with BYOD MDM. This paper was in APA format, with a few professor requested differences, but obviously posting to Blogger I lost some of the formatting. I'd love to hear feedback from any security people (or non-security for that matter).  I was very limited on the space allowed to write on this topic.  I know it could have been 100-200 pages and still not cover all the issues.  Please take that in mind when reading. In a related field?  Connect with me on LinkedIn --Glenn Ford

BYOD Demand and Information Security
Glenn Ford
UMBC at Shady Grove

Executive Summary

Having a BYOD policy without the proper security, device management and monitoring, and a positive user experience can put the enterprise at risk. Information can be monitored or leaked, devices and mobile infrastructure could enter into in an untrusted state, and users become frustrated and paranoid with the use of their device in the workplace. If the enterprise fails in their BYOD plan they will be at a competitive disadvantage for their current workers and ability to hire top talent.
Mobile security risks as well as threats by agents pose an ever growing and complicated problem to the information security of a mobile enterprise. Having the device compromised by authorized or unauthorized users or resources on the device, man in the middle, or end points compromised will lead to information being monitored or leaked. Other attacks such as DoS are at issue as well. Protecting the confidentiality, integrity and availability of the mobile device and infrastructure is at the core of mobile security. Mobile device management, monitoring, and user experience that can work across many platforms and be scalable also pose challenges. With BYOD users, privacy of the user’s personal assets is a great concern.
By providing security through defense in depth there is a known understanding that any single solution may have vulnerabilities but by applying layers of security there are levels of redundancy to increase security. Specific layered security solutions from the moment the device is turned on until the device is powered off are discussed. Solutions are discussed for the supply chain and physical security of the device. Combining the discussed critical solutions in a security policy such as transient authentication and FIPS 140-2 for data protection, dual layer FIPS 140-2 encryption for data in transit, and web based non-resident data only for sensitive information.
With 4 in 10 enterprise level organizations having had a BYOD related security breach, there needs to be fast response to solving the problems in the immediate future.