The Brandeis GPS blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Tag: cyber security

Information Security Leadership at Brandeis GPS

With rising technology usage, there has been an inevitable rise in cybersecurity threats and an increased demand for information security professionals. There is a growing responsibility to protect information, as cybersecurity risks can be catastrophic for companies, customers, and careers.

With a Brandeis GPS Master’s in Information Security Leadership, you earn the confidence to attack any cybersecurity situation with leadership and technical savvy.

Brandeis University is ranked #35 among national universities by U.S. News and World Report, so you will have earned a master’s from one of the top universities in the country to lead you through any cybersecurity challenge, and to influence decisions for risk prevention.

Our cutting-edge, industry-relevant, 100% online curriculum for professionals will build your leadership abilities and your skill in leveraging technical know-how. Since you will learn alongside cybersecurity leaders from many industries in small seminar-style classes with no more than 12 students, your exposure to cybersecurity threats of all kinds will be significantly expanded.

The program will equip you to:

  • Develop a business case for investing in cybersecurity and risk management
  • Inform and influence senior executives to commit to obtaining and maintaining this investment
  • Oversee the planning, acquisition and evolution of secure infrastructures
  • Assess the impact of security policies and regulatory requirements on complex systems and organizational objectives

The 30-credit part-time, online program has six required courses and four electives.

The required courses are Foundations of Information Security, Information Security Management, Principles of Computer Incident Response and Investigation, Principles of Risk Management in Information Security, Information Security and Compliance, and Leading Security in Complex Organizations.

Options for electives include Identity Management and Access Control, Cloud Security, Secure Mobile Applications and Data, Network Security, and Managing Change and Innovation. View all courses offered in Information Security Leadership here.

Those applying to the Information Security Leadership program should have an undergraduate degree with work experience and/or coursework in introduction to networking, introduction to computer science and introduction to computer security.

We hope you enjoyed our cybersecurity series as part of National Cyber Awareness Month.

Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry-relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact gps@brandeis.edu, call 781-736-8787 or visit www.brandeis.edu/gps.

Governance and the case for bringing cybersecurity out of IT

By Joseph Dalessandro

October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.

Information security governance is perhaps the most challenging aspect of cybersecurity.

Governance, while not a four-letter word, is often discussed with the same grumble one uses when speaking about the dentist or aged fish. The basics of governance revolve around the premise that simple accountability and transparency deter calamity. One cannot predict and avoid all disasters — think volcano here — but at the same time, one cannot grade one’s own homework.

It works well until there is a real test and someone else has the red pen. I think it was the queen of corporate governance, Nell Minow, who said, “watched boards change.” I agree, and would say this observation can be applied all the way down the corporate chain into an organization: those that change are the ones who are watched as objectively as possible.

So what does this have to do with cybersecurity, and why is governance hard in the cybersecurity space? There are a number of reasons for this perception. First, boards have been bamboozled by jargon and by an IT executive tier that has been unclear and unsure of what and how to report on security. (For those of you on boards, when was the last time you had a security executive discuss the direct link between spend and the measured reduction of risk?) Indeed, in a Bay Dynamics/Osterman Research survey, “the majority (85%) of board members believe that IT and security executives need to improve the way they report to the board.”

While I am not a fan of standards for standards’ sake, the ISO/IEC 38500:2008 Corporate governance of information technology has the following useful definitions:

  • Corporate governance: The system by which organizations are directed and controlled.
  • Corporate governance of IT: The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.
  • Management: The system of controls and processes required to achieve the strategic objectives set by the organization’s governing body. Management is subject to the policy guidance and monitoring set through corporate governance.

Security leaders should tack these definitions to their wall.

When it comes to how security leaders can set the right direction for the board and make sure the board has the right information for strategic oversight, I think it is a “two-way street.” Boards need to come to the security business and ask questions, and security leaders need to come to the board with improved reporting. One improvement would be an approach that keeps the security report separate and distinct from that of technology. For organizations where information security, or cybersecurity, does not report to IT — bravo! You have taken a step toward greater transparency. The inherent mission of IT is accessibility and availability; the inherent mission of security is possession (control), protection and integrity. These missions are often in conflict, and managing them under the same leader (often a technology leader) can result in a Head of Security who has no chance to challenge or push back against the IT executive who writes their performance assessment and controls their compensation.

We can better coordinate, manage and govern our complete security capabilities by bringing cybersecurity out of IT and taking a more holistic approach: incorporating physical and facility security, fraud and loss mitigation, and the other components of a converged security function, including data collection, management, and ultimately governance.

An organization’s board and business management must be in alignment where spend and the use of emerging technology are converging for the business. Security leaders should consider the following approach to champion governance:

  1. Above all, be transparent and accountable. Don’t tell the board what they want to hear or what you think they want to hear (they know when they are being managed). Represent the security program objectively. Characterize how security investments support the delivery of value for the business and support organizational objectives.
  2. Do the hard work to consistently measure, monitor and report on security risk, and to provide the analysis linking security investments to the execution that mitigates or manages risk and reduces or limits potential impact.
  3. Share the performance and achievements of security resources — they drive the execution of a program and are where the rubber meets the road for the security program. Just like any other business function, people are what drive success for a security program.
  4. Demonstrate how cybersecurity is aligned with and supports the strategic planning and objectives of the business and the expected business outcomes. The IT mantra of constant access and availability will often conflict with cybersecurity’s mission of possession, protection and integrity, but the two do not have to be contentious; IT needs a peer who can hold it accountable if needed, not a lackey who does what they are told.

Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.


Security and the Internet of Things

By Joseph Dalessandro

October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.

Love it or despise it, the Internet of Things (IoT) has forever altered human thinking and interaction. Increased telemetry from our bodies through wearable tech, and app analysis of data about our health and personal space, have led to discovery, identification and interaction with others through apps and smart devices that are the new norm. How will this explosion of devices change our mission objective as security leaders and professionals?

The term IoT is generally applied to “endpoint” objects such as devices, wearables, cameras, chips, toys, and other objects that can be accessed through a connection such as WiFi or other carrier signals and interacted with via the internet. Examples that have become pervasive include Fitbit wearables, iWatches, Alexa or Google Home devices, Nest thermostats, and medical devices such as insulin pumps. While these devices are limited in capability, often just one or two functions or a binary on/off state, the number of devices and the absence of uniform minimum security standards from manufacturers present a problem (several, actually) for our IT departments, infrastructure management and security professionals.

We can easily find statistics about the number of devices that have emerged in earnest since 2008. The 2017 Cisco Visual Networking Index provides a comprehensive view of some of those numbers. Two of my favorite highlights from this report include:

  • There will be 3.5 networked devices per capita by 2021 (global population 7.875 times 3.5)
  • IP traffic in North America will reach 85 EB per month by 2021 (And North America will not be the highest trafficked global region)

While I am not sure where that bandwidth comes from (I cannot get consistently great streaming bandwidth for Netflix sometimes), what worries me more is patching, tracking and controlling devices. Now, I am not suggesting we control all devices, but I need to control the ones that are on my network, because they will increase the potential attack surface of our networks by orders of magnitude. The more devices you add outside of implemented and effective controls, the sooner your organization will suffer a breach. Therefore, if you don’t get roles such as patching right, you will be lost under the crushing weight of IoT adoption rates. We have to get the “basics” right to ensure we have a foundation capable of integrating IoT devices. We will also need to assess risk and device configuration, and a number of other areas we will not venture into here.

In the world of cyber security, people and data are what we are most accustomed to thinking about protecting and defending. How do we wrap our heads around the potential problems of IoT, where the numbers are so much higher? I would submit that we undertake the following approach:

  1. Get the basics right. There will be a lot of debate about what “get the basics right” means, but at a high level I am referring to:
     • Have a comprehensive security program based on risk, with regular assessments
     • Identify where all your data is located and ensure it is appropriately categorized
     • User access, and privileged access, is controlled and re-certified (access for IoT devices as well)
     • Network traffic is premeditated and segmented, and network information is logged and monitored (this must also scale)
     • Systems management has KPIs and documented configuration baselines, or employs a CMDB
     • Change management and patching are religiously observed and followed
     • There is a formal incident management/response process (adjusted and augmented for IoT)
     • There is a crisis and contingency management plan that is tested and updated annually

Yup, that was just step 1. Get all this right and you can start to think about being able to control IoT in your ecosystem.

  2. Determine the level of increased risk, or changed risk, related to data loss or breach from #3.
  3. Augment your information management or data governance policies and processes to encompass the increased data creation and interaction that IoT brings.
  4. Determine the physical limits or extensions of IoT devices. Can users outside your physical location use or access devices inside your physical location? Do you need to limit (or attempt to limit) the carrier signal outside your four walls?
  5. Hire a competent and qualified leader to bridge between security and IT. Brandeis Information Security Leadership graduates are great candidates.

IoT is a big problem that can seem overwhelming, where unpatched devices can increase your threat surface by orders of magnitude. Remember, getting the basics right will see you treating IoT with the same risk strategy that has allowed you to manage technology risk.

Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.


Image source: https://www.personneltoday.com/wp-content/uploads/sites/8/2015/06/wearable-tech-wearable-technology.jpg

Are you protected?

by: Scarlett Huck

Have more questions? Want to learn more? Don’t miss our #AskTheExpert event with Cyber Security Strategist and Evangelist at Intel Corporation, Matthew Rosenquist! You can RSVP here.

2015 has certainly not been short of threats and successful hacks. With big companies such as Home Depot, Target, Staples, and Sony under fire, it is hard to believe that anyone is safe.

Why does this continue to be a growing concern? Who is behind these attacks? A survey reports that more than half of reported incidents were staff-related. These breaches included, but were not limited to, “unauthorized access to data, breach of data protection regulations, and misuse or loss of confidential information”. When dealing with staff-related issues, there are certain precautions that can be taken. The first is to make sure employers are informed of the risks, of the data protection laws, and of the consequences of breaking them. It is also important to make sure employers are not tricked into divulging secure information via over-the-phone scams.

But what about the other half of attacks that are not employee based? These are the attacks that tend to be more deliberate and malicious. For example, take the Impact Team. This is a group of hackers who are hacking for what they believe to be ‘good’. In a quote directly from the group they stated they plan to hack “[a]ny companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total.” The team is currently best known for their hack of the adultery-encouraging website Ashley Madison. The hackers demanded the site be taken down immediately or the personal information of Ashley Madison’s clients would be released in 30 days. When these terms were not met, a list of names and email addresses of the site’s users was released in order to expose them for their infidelity. Situations like this are becoming known as “hacktivism,” or the act of hacking for a politically or socially motivated purpose.

With attacks occurring every day, it is important to remember to protect yourself. The Department of Homeland Security offers many tips, including using proper passwords and privacy settings, thinking before you post on social media, and being cautious about what you download. It is also important to be cautious if you run a small business, which is commonly hacked due to a lack of security. As far as big business is concerned, larger strides must be taken. Business Insider recommends the steps that must be taken to prevent future attacks. President Obama is currently requesting $14 billion in the 2016 budget proposal in order to tighten government cybersecurity, and laws regarding cybersecurity and data protection are becoming stricter. In the near future, there is hope for a decrease in cyber attacks.


“Ask the Expert” Special Event Webinar


“Ask the Expert: Cyber Security” 

Led by Matthew Rosenquist, Cybersecurity Strategist and Evangelist at Intel Corporation

Wednesday, October 21st at 7pm via Adobe Connect

Matt’s areas of expertise include:
  • Security industry advocacy
  • Security strategy and planning
  • Security operations management
  • Platform security product/service development and sustaining operations
  • Emergency/Crisis response command, control, and communications
  • Security policy development, training, and compliance oversight
  • M&A information security strategy and management
  • Security product strategic planning
  • Technical and behavioral risk assessment and threat analysis
  • Determination of security business value and ROI
  • Threat Agent Risk Assessment (TARA) methodology
  • Internal and external investigations
  • Corporate consulting for risk management and strategic alignment
  • Security industry outreach, evangelism, speaker, and champion

RSVP here

Matthew Rosenquist joined Intel Corp in 1996 and benefits from over 20 years in the field of security. Mr. Rosenquist specializes in security strategy, measuring value, and developing cost-effective capabilities and organizations which deliver the optimal level of security. Currently a cyber-security strategist for the Intel Security Group, he helped in the formation of this industry-leading organization, which brings together security across hardware, firmware, software and services.

The community can connect with Matthew via Twitter @Matt_Rosenquist, Intel Blog and LinkedIn.


Increasing Interest in Cybersecurity Education and Careers

Written by: Matthew Rosenquist, Cybersecurity Strategist and Evangelist at Intel Corporation

The world is facing a growing problem: as people’s everyday lives become more digital, our reliance on cybersecurity to protect our interests increases, yet there are not enough security professionals to fulfill the rising demand. This leaves gaps in the security of the companies and organizations we share information with. There is hope on the horizon. Academia is adjusting to increase the training of graduates, and there is rising interest among students in studying the variety of cybersecurity domains. But more students are needed, as demand is far outpacing the expected rise in available talent.

All the right elements are in place. Pay for cybersecurity is on the rise, the need for an estimated 1.5 million jobs is already growing, and higher education institutions are working collaboratively to establish the training infrastructure necessary for the next generation of security professionals to be prepared for success. What is missing is the necessary number of students. There simply are not enough.

The good news is millennials are interested, but they need more information in order to commit. Survey results from the Raytheon-NCSA Millennial report show that the most prevalent factor in increasing prospective students’ interest is being provided with data and expertise that explain what the jobs entail.

Providing basic career information is absolutely possible, but not as simple as it may seem. Job roles morph very rapidly. Some data suggests that as often as every nine months, security professionals see their role, expectations, and focus shifted into new areas or varied radically. With such a rapid rate of change, cybersecurity is truly a dynamic domain where responsibilities are fluid. This is not likely to turn off prospective millennials, as they are a generation which embraces diversity. It may, in fact, contribute to the attractiveness of these careers. Combined with strong employability and excellent pay, the industry should have no problem filling desk seats in universities.

What is needed right now is for experienced professionals to step up and work with educational institutions to explain the roles and responsibilities to the pool of prospective students. Open forums, virtual meetings, presentations, in-class instruction, and even simple question-and-answer sessions can go a long way in painting a vivid picture of our industry and of the opportunities and challenges which await. The community should work together to attract applicants to the cyber sciences, especially women and underrepresented minorities, who can bring in fresh ideas and perspectives. I urge higher education institutions to reach out to security community professionals and ask for help. Many are willing to share their perspectives and industry knowledge to help inform students and encourage those who might be interested in a career in cybersecurity. Only together can the private sector and academia fulfill the need for the next generation of security professionals.

Follow Matt on Twitter: @Matt_Rosenquist

Interested in Cyber Security? Join our #AskTheExpert session with Matthew Rosenquist! RSVP here


Webinar: Non-Traditional Ways to Fund Your Tech Startup

Elizabeth Mwanga: Non-Traditional Ways to Fund Your Tech Start-up

Thursday, February 26, 2015, 12-1pm EST Webinar via Adobe Connect

According to Bloomberg, 80% of startups fail within 18 months. However, this should NOT be a deterrent to aspiring entrepreneurs. 29% of second-, third- and up to 10th-time startup entrepreneurs achieve success and longevity. Paradoxically, their success rate increased with their number of past failures.

Elizabeth Mwanga, a successful serial entrepreneur, will teach aspiring and current startup entrepreneurs how to practically fund their startups via non-traditional means, with a main focus on ‘prompt profitability’ and a zero debt ratio, through no-risk funding methods including United States government grants and United States government contracts, coupled with other savvy tips to keep startup entrepreneurs free and clear of debt and focused on immediate profitability.

Elizabeth Mwanga is an accomplished entrepreneur who has sold two profitable media companies and has pivoted her new endeavors to include technology companies in the fields of disruptive closed-source solutions for businesses and government agencies, including cyber-security, biometrics, real-time embedded systems, robotics, sensor design, etc. Additionally, Miss Mwanga is a diabetes advocate; as a Type 1.5 diabetic, her diagnosis in 2007 inspired her to take back control of her health. Over 19 months, she lost 105 lbs. (down from 210 lbs.) and in 2014 established HCode (SAM Registered), a boutique startup firm focused on mhealth technologies for people with chronic health conditions, specializing in sensors and nanotechnology. In September 2014, Miss Mwanga won the INNOCENTIVE “Identifying Best-in-Class Support Services for Patients with Diabetes” Ideation Challenge.

Miss Mwanga has been featured in Ebony, Woman’s Day, Redbook, MORE, and Diabetes Health Monitor Magazine (cover story). Additionally, she’s been a guest on the Dr. Oz Show, a commentator on KSA2-TV Saudi Arabia, and in various online publications such as The Huffington Post and Everyday Health.

How to Register:

To register for this event, please complete this brief form by February 25th, 2015, providing your name & email address: Register Here

We will send you further log-in instructions the day of the event. If you encounter any problems registering, please email gps@brandeis.edu.

*Note that space is limited to the first 100 registrants.
