Was Edward Snowden Duped (Socially Engineered) By Russia?

I was recently talking to a high level executive who does a lot of work with the 3 letter agencies and he made some interesting comments. He said, and I paraphrase, "I feel sorry for Snowden." I asked why is that and he replied, "Because Russia tricked him into thinking he has done the right thing."

This got me to thinking about some other remarks I have heard, most recently in an NBC Meet the Press Interview..

Mike Rogers, The House Intelligence Chairman, said Snowden was “a thief whom we believe had some help”.

Mr. Rogers (not funny!) went on to say, "...the vast majority had nothing to do with privacy. Our Army, Navy, Air Force, Marines have been incredibly harmed by the data that he has taken with him and we believe now is in the hands of nation states.”

Key Features of U.K. approach to Cyber Security

    The U.K. internet economy accounts for 5.7% of the total U.K. GDP. Looking at the two major sectors of the U.K. internet economy, the value chain is 2.6% and e-commerce is 3.1% of the GDP. The monetary total is estimated to be at £82 billion. Every £1 spent on internet connectivity supports another £5 spent in other channels as part of the U.K. ecosystem (Page, 2012).  Given these factors it is clear the nation's overall economy is now reliant on the internet economy.

The U.K. Department of Business, Information and Skills (BIS) commissioned a survey in 2013 with PricewaterhouseCoopers to determine the impact cyber attacks may be having on businesses. The survey found 93% of large businesses (250+ employees) have had a breach in the last year. Of the Small businesses (1-49 employees) surveyed, 87% reported breaches. Even more frightening was the large businesses averaged 133 breaches and the small businesses 17. The worst breaches cost £450,000 - £850,000 per attack on large businesses and £35,000 to £65,000 per attack on small businesses. However, the survey also shows that 36% of breaches were human error related and lack of security training and awareness was often to be at fault (Charlton, 2013).

Key Features of U.S. approach to Cyber Security

Cyber Security has become a focal point of national economic and security concern. On February 12th, 2013 President Obama signed Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity. The EO sets the foundation for developing a framework in which private sector companies of critical infrastructures and the government share information and work together to prevent cyber attacks (White House, 2013). Even before this executive order there has been work done by various national agencies to help define and strengthen the nation’s cyber security, a few of which are discussed in this paper.

AMG Enterprise Security Plan - A Fictious Scenario for CYBR 620

My notes on this paper: Our group was assigned with developing a security plan for a fictitious company. We were not to worry about budget, but were asked to be as comprehensive as possible in the given maximum paper length. This is not a research paper so there are no citations/references except a few exceptions where we quotes ideas from our professor for this project. I'd love to hear feedback from you so please post a comment, email or tweet me. --Glenn Ford

AMG Enterprise Security Plan

Glenn M. Ford, Aaron S. Cameron, Michael J. Park

UMBC at Shady Grove

Executive Summary

AMG Enterprises is an American owned e-commerce company headquartered in Rockville, Maryland. As a company with sales in 22 countries, annual revenue of $61 million (U.S.) in 2012, 97 employees and patents and other intellectual property, AMG is under constant attack by criminals and other hackers. Protecting employees, facilities, equipment and data offers a myriad of challenges. The Confidentiality, Integrity and Availability (CIA) of AMG information is critical to the continuity of operations and to the trust placed in AMG by their customers and vendors. AMG has a comprehensive security plan and has implemented policies, procedures, countermeasures and the operational model of security to ensure the protection of all company assets, as it pertains to physical, network, operational, personal and wireless security. AMG’s headquarters was custom built with security as a top priority. AMG’s policies were drafted to ensure security throughout all aspects of operations. No expense has been spared in deploying countermeasures to meet all threats both now and in the foreseeable future.

Problem Overview

As an ecommerce online business, AMG has an online reputation and brand recognition to maintain. If this reputation is tarnished company growth can be severely degraded. Our customers have complete confidence and assurance that AMG is providing quality products, customer service, and security of all client information.

At the center of this problem is protecting the CIA of AMG Enterprises assets. These assets include: online reputation; brand recognition, client and company information, buildings, inventory, hardware, proprietary software, personnel and overall organizations information technology (see Information Technology Organizational Chart, Appendix G, Figure 1). The cybersecurity threats of data breach and/or threats, denial-of-service (DOS) attacks, insider theft of intellectual property, deliberate corruption of electronic files from hacker attack or malicious attacks including worms and other means are all security problems this document hopes to solve with security policies, procedures and standards and the Countermeasure Triangle (The People, Policy, Technology Triangle; see Appendix H, Figure 2).

BYOD Consumer Demand and Information Security - CYBR 620 Research Paper by Glenn Ford

My Notes on this paper: This is a MDM/BYOD paper I did for Cybersecurity Masters Program, CYBR 620 at UMBC Shady Grove campus.  The paper was to discuss problems and possible solutions with BYOD MDM. This paper was in APA format, with a few professor requested differences, but obviously posting to Blogger I lost some of the formatting. I'd love to hear feedback from any security people (or non-security for that matter).  I was very limited on the space allowed to write on this topic.  I know it could have been 100-200 pages and still not cover all the issues.  Please take that in mind when reading. In a related field?  Connect with me on LinkedIn --Glenn Ford

BYOD Demand and Information Security

Glenn Ford

UMBC at Shady Grove

Executive Summary

Having a BYOD policy without the proper security, device management and monitoring, and a positive user experience can put the enterprise at risk. Information can be monitored or leaked, devices and mobile infrastructure could enter into in an untrusted state, and users become frustrated and paranoid with the use of their device in the workplace. If the enterprise fails in their BYOD plan they will be at a competitive disadvantage for their current workers and ability to hire top talent.

Mobile security risks as well as threats by agents pose an ever growing and complicated problem to the information security of a mobile enterprise. Having the device compromised by authorized or unauthorized users or resources on the device, man in the middle, or end points compromised will lead to information being monitored or leaked. Other attacks such as DoS are at issue as well. Protecting the confidentiality, integrity and availability of the mobile device and infrastructure is at the core of mobile security. Mobile device management, monitoring, and user experience that can work across many platforms and be scalable also pose challenges. With BYOD users, privacy of the user’s personal assets is a great concern.

By providing security through defense in depth there is a known understanding that any single solution may have vulnerabilities but by applying layers of security there are levels of redundancy to increase security. Specific layered security solutions from the moment the device is turned on until the device is powered off are discussed. Solutions are discussed for the supply chain and physical security of the device. Combining the discussed critical solutions in a security policy such as transient authentication and FIPS 140-2 for data protection, dual layer FIPS 140-2 encryption for data in transit, and web based non-resident data only for sensitive information.

With 4 in 10 enterprise level organizations having had a BYOD related security breach, there needs to be fast response to solving the problems in the immediate future.