Discussion Replies
Must be 150 words each, and contain actual content and not just filibuster or comments of how interesting something is.
1) Module 1: Protecting the User system
This module concludes on protecting things like laptop/desktop systems, which can be very broad and lends itself to many different ideas and approaches. Thinking about this with a defense in depth mindset, what do you think is the most important security control you can place in your network or on the machine to help protect data on your end user systems? If another student has selected your control, select the next best or state why you agree with them.
2) Module 1: Threats to your data from you
I think the best security control is ourselves. The chapter talks about how small personal details about our lives can lead to physical theft, physical attacks, or identity theft. If we are honest about the security measures that we take to safeguard our electronic devices, there are some apparent vulnerabilities to address. For example, creating stronger, more sophisticated passwords, adding two-step verification for critical apps, updating antivirus software and software in general, creating several locks on our mobile devices, refraining from posting personal information on social media, and setting security controls for each application we use. I believe that the most critical security controls start with our behaviors.
3) Module 1: Patching
Patching your systems and keeping them up to date is probably at the very top of the list of things to protect your systems and infrastructure and unfortunately something most companies fail at. I've worked as a penetration tester for many years and repeatedly found critical vulnerabilities that were years old on the servers. Even after finding the vulnerabilities, reporting the risks and recommending specific patches to the engineering teams, I still would find the same vulnerability in future scans and tests.
Patching seems like a simple thing, why do you think it's done so poorly?
4) Chapter 1: Gathering Security Requirements
Chapter 1 includes a section on drafting security requirements and this is typically one of the first things that need to be done when you build out your set of security controls to protect an application or environment. This is a very important step, which guides how you will select your controls and you have to be careful not to identify the solution yet, just the requirement. For example, Antivirus is a solution, not a requirement. As a discussion point for this week I'd like to dig into various requirements so, with that, what are some examples of one or two common security requirements you can think of?
5) Chapter 1: Prevent Unauthorized Use
You are exactly right about requirements and I'm glad you think about it that way. Something like preventing unauthorized usage on the machine is a perfect example of a requirement. It is broad, does not mention a solution, and clearly states what you need at a high level and is something management can understand. This particular one would be a common one and can include both keeping users off the machine, keeping them from doing things they are not allowed to do if they can log on, or limiting them when they use certain functions.
With all that, there are many solutions you can apply to different aspects of this requirement. One inexpensive method of supporting this requirement is to remove users from local administrator groups on their computers, but many companies do not do this. What do you think the pros and cons are and what would you recommend in your own company?
6) Chapter 1: 2 Factor identification
2 Factor, or multiple factor, authentication is a good example of a security requirement. This can be implemented with something like RSA SecurID tokens as you mentioned, but we have to be careful we don't specify that is the requirement because it is just one potential solution to meet the 2FA requirement. We can use other things such as digital certificates or smartcards or biometrics to also accomplish multiple factor authentication, so we have to be clear with that and leave ourselves open to all the options. 2FA can be complicated and expensive to deploy to an entire organization. With that, where do you think you would apply 2FA in a company if you had limited funds and could not do everything?
7) Chapter 14: Secure Communications
Secure communications is a critical part of protecting sensitive information and this really boils down to encryption. What are some methods you see to encrypt data over an untrusted network for different message formats and what are some best practices to look out for to ensure encryption is properly done?
8) Chapter 14 IPSEC
Great response. IPSec is an excellent example of a standard method of encrypting data across the Internet. It is most commonly used between 2 sites, either when both sides are owned by the same organization or each side is owned by a different organization. Before IPSec VPNs were in place, a company would typically establish a leased line between two points which only carried that organization's traffic. IPSec replaced much of this at a great savings without compromising security. Client to Site IPSec VPNs are also very popular and allow us to securely connect to our networks from home or hotels as needed. One of the problems of client IPSec VPNs is something called split tunneling and this can cause a security weakness in the IPSec tunnel. Can you explain the concept of split tunneling and why it could be a problem?