The Brandeis GPS blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Tag: security

Security and the Internet of Things

By Joseph Dalessandro

October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.

Love it or despise it, the Internet of Things (IoT) has forever altered human thinking and interaction. Increased telemetry from our bodies through wearable tech and app analysis of data about our health and personal space has led to discovery, identification and interactions with others through apps and smart devices that are the new norm. How will this explosion of devices change our mission objective as security leaders and professionals?

The term IoT is generally applied to “endpoint” objects such as devices, wearables, cameras, chips, toys, and other objects that can be accessed through a connection such as WiFi or other carrier signals and interacted with via the internet. Examples that have become pervasive include FitBit wearables, iWatches, Alexa or Google Home devices, Nest thermostats, and medical devices such as insulin pumps. While these devices are limited in capability, often just one or two functions or a binary state of on/off, the number of devices and the absence of uniform minimum security standards from manufacturers present a problem (several, actually) for our IT departments, infrastructure management and security professionals.

We can easily find statistics about the number of devices that have emerged in earnest since 2008. The 2017 Cisco Visual Networking Index provides a comprehensive view of some of those numbers. Two of my favorite highlights from this report include:

  • There will be 3.5 networked devices per capita by 2021 (global population 7.875 times 3.5)
  • IP traffic in North America will reach 85 EB per month by 2021 (And North America will not be the highest trafficked global region)

While I am not sure where that bandwidth comes from (I cannot get great consistently streaming bandwidth for Netflix sometimes), what worries me more is patching, tracking and controlling devices. Now, I am not suggesting we control all devices, but I need to control the ones that are on my network because they will increase the potential surface of attack for our networks by orders of magnitude. The more devices you add, outside of implemented and effective controls, the quicker your organization will suffer a breach. Therefore, if you don’t get roles such as patching right you will be lost under the crushing weight of IoT adoption rates. We have to get the “basics” right to ensure we have a foundation capable of integrating IoT devices. We will also need to assess risk and device configuration and a number of other areas we will not venture into here.

In the world of cyber security, people and data are what we are most accustomed to thinking about protecting and defending. How do we wrap our heads around the potential problems of IoT where the numbers are so much higher? I would submit that we undertake the following approach:

1. Get the basics right. There will be a lot of debate about what “get the basics right” means but at a high level, I am referring to:
  • Have a comprehensive security program based on risk, with regular assessments
  • Identify where all your data is located and ensure it is appropriately categorized
  • User access, and privileged access, is controlled and re-certified (access for IoT devices as well)
  • Network traffic is premeditated and segmented and network information is logged and monitored (must also scale)
  • Systems management has KPIs and documented configuration baselines or employs a CMDB
  • Change Management and patching are religiously observed and followed
  • There is a formal incident management/response process (and adjust and augment IR for IoT)
  • There is a crisis and contingency management plan that is tested and updated annually

Yup, that was just step 1. Get all this right and you can start to think about being able to control IoT in your ecosystem.

2. Determine the level of increased risk, or changed risk, related to data loss or breach from #3.

3. Augment your information management or data governance policies and processes to encompass IoT increased data creation and interaction.

4. Determine the physical limits or extensions of IoT devices. Can users outside your physical location use devices or access devices inside your physical location? Do you need to limit (or attempt to limit) the carrier signal outside your four walls?

5. Hire a competent and qualified leader to bridge between security and IT. Brandeis Information Security Leadership graduates are great candidates.

IoT is a big problem that can seem overwhelming, where unpatched devices can increase your threat surface by orders of magnitude. Remember, getting the basics right will see you treating IoT with the same risk strategy that has allowed you to manage technology risk.

Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.

Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact gps@brandeis.edu, call 781-736-8787 or visit www.brandeis.edu/gps.

Image source: https://www.personneltoday.com/wp-content/uploads/sites/8/2015/06/wearable-tech-wearable-technology.jpg

Learn information technology management online at Brandeis

Did you know that Brandeis GPS offers courses for professional development? Enroll in an online course this fall and network with new colleagues in a 10-week, seminar-style online classroom capped at 20 students. Registration is now open and we’re celebrating by profiling our favorite fall courses.

Get an introduction to the “nuts and bolts” that span all areas of information technology. With this 10-week, graduate-level course, you’ll learn enough foundational information about each key area to assess and evaluate when and how each technology should be appropriately deployed to solve organizational challenges. Topics include:

  • An overview of the history of information technology
  • Telecommunications and networking
  • Data and transactional databases/enterprise systems (ERP)
  • Data warehousing and business intelligence
  • E-commerce and B2B systems
  • Security and compliance


Fall courses run Sept. 14-Nov. 22. Whether you’re looking to complete a full degree or advance your career through professional development, this course is designed to equip you with the necessary skills for making an impact in any industry or organization.

How it works:
Take a part-time, online course this fall without enrolling in one of our graduate programs. If you like what you learn and want to continue your education, you can apply your credits from this fall toward a future degree. Questions? Contact our enrollment team at gps@brandeis.edu or 781-736-8787 or fill out our first-time registration form and we’ll be in touch.

In Case You Missed It: Moshe Kai Cavalin our 17-year-old M.S. in Information Security Student

He’s 17, he can’t drive a car, he can’t vote and he can’t have a drink to celebrate his success. Moshe Kai Cavalin is just your typical teenager from San Gabriel, California.

Except he had two college degrees by 15, flies planes and interns at NASA. He graduated from community college at 11, and finished a bachelor’s in math from the University of California, Los Angeles at age 15. Now he is sending his talents to Brandeis Graduate Professional Studies.

Cavalin will be taking online courses in information security shortly after his bouts with NASA (where he is helping develop surveillance technology for airplanes and drones). We cannot wait to welcome such a talented individual into our program. Until then, learn more about Cavalin here.


Are you protected?

by: Scarlett Huck

Have more questions? Want to learn more? Don’t miss our #AskTheExpert event with Cyber Security Strategist and Evangelist at Intel Corporation, Matthew Rosenquist! You can RSVP here.

2015 has certainly not been deprived of threats and successful hackings into cyberspace. With big business companies such as Home Depot, Target, Staples,  and Sony under fire, it is hard to believe that anyone is safe.

Why does this continue to be a growing concern? Who are behind these attacks? Survey says that more than half of reported incidents were staff-related. These breaches included, but were not limited to: “unauthorized access to data, breach of data protection regulations, and misuse or loss of confidential information”. When dealing with staff-related issues, there are certain precautions that can be taken. The first is to make sure employers are informed of the risks and of the data protection laws and the consequences of breaking them. It is also important to make sure employers are not tricked into divulging secure information via over-the-phone scams.

But what about the other half of attacks that are not employee based? These are the attacks that tend to be more deliberate and malicious. For example, take the Impact Team. This is a group of hackers who are hacking for what they believe to be ‘good’. In a quote directly from the group they stated they plan to hack “[a]ny companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total.” The team is currently best known for their hack of the adultery-encouraging website Ashley Madison. The hackers demanded the site be taken down immediately or the personal information of Ashley Madison’s clients would be released in 30 days. When these terms were not met, a list of names and email addresses of the site’s users was released in order to expose them for their infidelity. Situations like this are becoming known as “hacktivism,” or the act of hacking for a politically or socially motivated purpose.

With attacks occurring every day, it is important to remember to protect yourself. The Department of Homeland Security offers many tips, including using proper passwords and privacy settings, thinking before you post on social media and being cautious of what you download. It is also important to be cautious if you run a small business; small businesses are commonly hacked due to lack of security. As far as big business is concerned, larger strides must be taken. Business Insider recommends the steps that must be taken to prevent future attacks, President Obama is currently requesting $14 billion in the 2016 budget proposal in order to tighten government cybersecurity, and laws regarding cybersecurity and data protection are becoming stricter. Within the near future, there is hope for a decrease in cyber attacks.


Creating the Total Package

Below is a post written by M.S. in Information Security graduate, Megan Olvera. She is an EMC employee who is continuing her quest for life-long learning. Below are her thoughts on her experience with Brandeis GPS.


“I am admittedly a lifelong learner. I have always loved school, and although I had just wrapped up my first Master’s Degree in 2010, by 2011, I was already missing the classroom. Unfortunately, I couldn’t justify the time and expense required to earn another degree “just because.”  What to do, what to do?  My career had taken a turn from a more liberal arts focus into the world of IT, and although my daily responsibilities didn’t require an IT background, having that level of knowledge certainly wouldn’t hurt.  When my employer (EMC) sent out information about their partnership with Brandeis, jumping into the Master of Science in Information Security program seemed a perfect next step.

My previous formal education was focused on the Humanities side of the house, so I worried that I’d struggle with the more technical concepts I knew would come with this program; working in IT and learning IT in theory are often two very different things.  I was happy to discover that the Brandeis instructors were not only patient in clarifying issues for me, but they seemed to appreciate the human-experience slant that my own background naturally brought to our class discussions.  More than once, professors offered feedback that they valued the perspectives I added to the conversations.


The online learning format of Brandeis GPS was ideal for me, as I lead a busy life between family, work, and all-consuming hobbies.  If I had a vacation planned or needed to travel for work, there were no worries about missing class, as class came with me!  I’d be sure to message my professors of any planned time away, just in case I ran into connectivity issues, and most professors were accommodating if I asked for a weekly assignment to be made available early, so that I could work ahead when needed.


As I progressed through the curriculum at Brandeis, my new found knowledge was noticed and appreciated at work. At times, it even caused exclamations of surprise from my manager at my ability to clearly understand and troubleshoot technical issues that had stumped other members of our team.  In addition to learning technical concepts, I also learned how to efficiently communicate with management; presenting the need-to-know information in a way that enables them to quickly grasp issues and impacts and then make decisions.  In my current role, I interact with clients who expect a certain level of technical expertise combined with graceful communication skills, and now, thanks to my experience at Brandeis, I can confidently step forward and claim that competence.  If any readers are on the fence about committing to (in my case, yet another) degree program, hesitate no longer – Brandeis is the way to go!”


The Opportunities in Big Data Still Ripe for Innovation

– Associate Editor, BostInno Tech

Big data is the “new currency” — an innovation that can boost or bust a business when not properly taken advantage of. Smart startups have been dipping into the deluge of data to draw out audience analytics, predict maintenance before costly breakdowns or better deliver targeted treatments to their consumers.

With innovation naturally comes a surge of yet-to-be explored opportunities other companies should have the foresight to capitalize on.

“More big data disruption is coming,” said Ryan Betts, CTO of Bedford-based VoltDB, in an email to BostInno. “And it will be around real-time, interactive experiences.”

The space is one VoltDB has been able to establish itself in, by providing an in-memory relational database that combines massive data ingest with real-time analytics and decisioning, so that organizations can act on data at its greatest point of value.

Betts pointed to big-name behemoths, such as Google, Amazon, IBM, Oracle and Microsoft, that are also establishing themselves in the space. He noted “unlimited Internet-attached storage space can be purchased at very cost competitive prices,” which, when combined with “ubiquitous computing,” are creating a network effect that’s become increasingly beneficial to consumers.

“In the same way that social networks become more powerful and offer greater utility as members join and build connections,” Betts explained, “these devices will connect to share data, to cooperate with one another and to interact with us in our environment.”

Betts mentioned Nest, a company reinventing the thermostat and smoke alarm by connecting to the Internet and syncing up to apps in a way that’s reinventing climate control. The collision Betts described is even more evident in individuals’ “smartphone on the coffee table” or “tablet a family member uses for Facebook.”

He added, “For the consumer, the automation and the disruptive potential of these devices communicating and interacting with one another will create relevant, micro-personalized experiences.”

To Atlas Venture Partner Chris Lynch, co-founder and board member of Kendall Square’s big data hackerspace hack/reduce, the future is, indeed, in “automation, simplification and integration.” Lynch broke each element down in an email to BostInno, saying:

Automation of the process of analyzing data, simplification of the user interface to allow non-data scientists to participate in the big data revolution and integration of next generation analytics into legacy applications people already know how to use.

Lynch acknowledged big data’s downfalls, adding, “Platform and tool companies are largely played out.”

His comment was reminiscent of that of Google Ventures’ Rich Miner, who, at Harvard Business School’s recent Cyberposium, argued, “Big data is a very overused word.” He added that big data is often “a layer, not a startup itself.” Yet, he had formerly singled out Nest for taking “mundane devices” and making it work on users’ behalf, noting there’s “a huge amount of innovation” in the connected devices space — which all circles back to big data.

“From a pure technology perspective, we need to deliver scale, security and simplicity,” Lynch said. “[We need to] make it easy for people to absorb the technology and increase the time to value.”

To Betts, the industry can see immense value from interconnections, as well. As he posited:

Interconnections will impact factory manufacturing plants; impact how predictive maintenance is scheduled and executed on high-end industrial equipment; create connected Internet services that must scale authorization and authentication, detect and prevent financial, telephone and even online-game fraud, and make construction sites better monitored, safer and more efficient. And that’s not all. It will also participate in building a smarter electric grid that is cheaper, less wasteful, more reliable and designed to supply power to electric vehicles while generating power through broadly distributed residential solar panels and other alternative sources.

Now it’s up to innovators to seize the opportunities.


Fuzzy Math: The Security Risk Model That’s Actually About Risk

By: Derek Brink

Reblogged from: https://blogs.rsa.com/fuzzy-math-security-risk-model-thats-actually-risk/

Sharpen your number two pencils everyone and use the following estimates to build a simple risk model:

  • Average number of incidents: 12.5 incidents per month (each incident affects 1 user)
  • Average loss of productivity: 3.0 hours per incident
  • Average fully loaded cost per user: $72 per hour

Based on this information, what can your risk model tell me about the security risk?

My guess is that your initial answer is something along the lines of “the average business impact is $2,700 per month,” which you obtained by the following calculation:

12.5 incidents/month * 3.0 hours/incident * $72/hour = $2,700/month

But in fact, this tells us almost nothing about the risk—remember that risk is defined as the likelihood of the incident, as well as the magnitude of the resulting business impact. If we aren’t talking about probabilities and magnitudes, we aren’t talking about risks! (We can’t even say that 50% of the time the business impact will be greater than $2,700, and 50% of the time it will be less—that would be the median, not the mean or average. Even if we could, how useful would that really be to the decision maker?)

Let’s stay with this simplistic example, and say that your subject matter experts actually provided you with the following estimates:

  • Number of incidents: between 11 and 14 per month
  • Loss of productivity: between 1 and 5 hours per incident
  • Fully loaded cost per user: between $24 and $120 per hour

This is much more realistic. As we have discussed in “What Are Security Professionals Afraid Of?,” the values we have to work with are generally not certain. If we knew with certainty what was going to happen and how big an impact it would have, it wouldn’t be a risk!

Based on these estimates, what would your risk model look like now?

For many of us, our first instinct would be to use the average for each of the three ranges to compute an “expected value”, which is of course exactly the result that we got before.

Some of us might try to be more ambitious, and compute an “expected case,” a “low case,” and a “high case”—by using the average and the two extremes of the three ranges:

  • Expected case = 12.5 * 3.0 * $72 = $2,700/month
  • Low case = 11 * 1.0 * $24 = $260/month
  • High case = 14 * 5.0 * $120 = $8,400/month

It would be tempting to say that the business impact could be “as low as $260/month or as high as $8,400/month, with an expected value of $2,700/month.” But again, this does not tell us about risk. What is the probability of the low case, or the high case? What is the likelihood that the business impact will be more than $3,000 per month, which happens to be our decision-maker’s appetite for risk?

Further, we would be ignoring the fact that the three ranges in our simple risk model actually move independently—i.e., it isn’t logical to assume that fewer incidents will always be of shorter duration and lower hourly cost, or the converse.

Unfortunately, this is the point at which so many security professionals throw up their hands at the difficulty of measuring security risks and either fall back into the trap of techie-talk or gravitate towards qualitative 5×5 “risk maps.”

The solution to this problem is to apply a proven, widely used approach to risk modeling called Monte Carlo simulation. In a nutshell, we can carry out the computations for many (say, a thousand, or ten thousand) scenarios, each of which uses a random value from our estimated ranges. The results of these computations are likewise not a single, static number; the output is also a range and distribution, from which we can readily describe both probabilities and magnitudes—exactly what we are looking for!

Staying with our same simplistic example, we can use those estimates provided by our subject matter experts plus the selection of a logical distribution for each range. Here are my choices:

  • Number of incidents: Between 11 and 14 incidents per month—I will use a uniform distribution, meaning that any value between 11 and 14 is equally likely.
  • Loss of productivity: Between 1 and 5 hours per incident—I will use a normal distribution (the familiar bell-shaped curve), meaning that the values are most likely to be around the midpoint of the range.
  • Fully loaded cost per user: Between $24 and $120 per hour—I will use a triangular distribution, to reflect the fact that the majority of users are at the lower end of the pay scale, while still accommodating the fact that incidents will sometimes happen to the most highly paid individuals.

The following graphic provides a visual representation of the three approaches.

Based on a Monte Carlo simulation with one thousand iterations—performed by using standard functions available in an Excel spreadsheet—we can advise our business decision makers with the following risk-based statements:

  • There is a 90% chance that the business impact will be between $500 and $4,500 per month.
  • There is an 80% likelihood that the business impact will be greater than $1,000 per month.
  • The mean (average) business impact is about $2,100 per month—note how this is significantly lower than the $2,700 figure computed earlier; the difference is in the use of the asymmetrical triangular distribution for one of the variables.
  • There is a 20% likelihood that the business impact will be greater than $3,000 per month.
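The simulation described above can be sketched in Python as follows; this is an added example, not the author's spreadsheet. The post gives the ranges and distribution families but not their parameters, so the normal's standard deviation (1 hour, redrawn when a value falls outside 1 to 5) and the triangular mode ($24) are assumptions, as are all function names.

```python
import bisect
import math
import random
import statistics

# Ranges are the subject-matter-expert estimates quoted in the post.
INCIDENTS = (11.0, 14.0)   # incidents per month, uniform
HOURS = (1.0, 5.0)         # hours lost per incident, normal
COST = (24.0, 120.0)       # fully loaded dollars per hour, triangular

# Assumptions (the post does not state these parameters):
HOURS_SD = 1.0             # treats the 1-5 hour range as midpoint +/- 2 sd
COST_MODE = 24.0           # most likely hourly cost sits at the low end


def draw_hours(rng):
    """Normal draw centred on the range midpoint, redrawn until in range."""
    mid = (HOURS[0] + HOURS[1]) / 2
    while True:
        hours = rng.gauss(mid, HOURS_SD)
        if HOURS[0] <= hours <= HOURS[1]:
            return hours


def simulate(iterations=1000, seed=None):
    """Return a sorted list of simulated monthly business impacts in dollars.

    Each scenario draws the three inputs independently, which is the point
    the post makes against the low/expected/high shortcut.
    """
    rng = random.Random(seed)
    impacts = []
    for _ in range(iterations):
        incidents = rng.uniform(*INCIDENTS)
        hours = draw_hours(rng)
        cost = rng.triangular(COST[0], COST[1], COST_MODE)
        impacts.append(incidents * hours * cost)
    impacts.sort()
    return impacts


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list (p in 0..100)."""
    rank = math.ceil(p / 100 * len(sorted_values)) - 1
    return sorted_values[max(0, min(len(sorted_values) - 1, rank))]


def prob_exceeds(sorted_values, threshold):
    """Fraction of scenarios whose impact is strictly above the threshold."""
    above = len(sorted_values) - bisect.bisect_right(sorted_values, threshold)
    return above / len(sorted_values)


def summarize(impacts, appetite=3000.0):
    """Probability-and-magnitude statements for a decision maker."""
    return {
        "mean": statistics.fmean(impacts),
        "p5": percentile(impacts, 5),
        "p95": percentile(impacts, 95),
        "p_over_1000": prob_exceeds(impacts, 1000.0),
        "p_over_appetite": prob_exceeds(impacts, appetite),
    }


if __name__ == "__main__":
    result = summarize(simulate(iterations=10_000, seed=2014))
    print(f"90% of scenarios fall between ${result['p5']:,.0f} "
          f"and ${result['p95']:,.0f} per month")
    print(f"Mean impact: ${result['mean']:,.0f} per month")
    print(f"P(impact > $1,000): {result['p_over_1000']:.0%}")
    print(f"P(impact > $3,000): {result['p_over_appetite']:.0%}")
```

With the mode assumed at $24 the triangular mean is $56 per hour, so the simulated mean settles near the $2,100 per month the post reports; other parameter choices shift the tail probabilities.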

If warranted, we can try to reduce the uncertainty of this analysis even further by improving the estimates in our risk model. (There will be more to come, in upcoming blogs, on that.)

What to do, of course, depends entirely on each organization’s appetite for risk. But as security professionals, we will have done our jobs, in a way that’s actually useful to the business decision maker.

About the Author:

Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also an adjunct faculty member with Brandeis University, Graduate Professional Studies, teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx


So What Is the Risk of Mobile Malware?

By: Derek Brink

Originally from: https://blogs.rsa.com/risk-mobile-malware/

Obvious, or oblivious? Short-term predictions eventually tend to make us look like one or the other—as Art Coviello astutely noted in making his own predictions for the security industry in 2014—depending on how they actually turn out. (Long-term predictions, however, which require an entirely different level of thinking, are evaluated against a different scale. For example, check out the many uncannily accurate predictions Isaac Asimov made for the 2014 World’s Fair, from his reflections on the just-concluded 1964 World’s Fair.)

Art’s short-term prediction about mobile malware:

2014 is the tipping point year of mobile malware: As businesses provide greater mobile access to critical business applications and sensitive data, and consumers increasingly adopt mobile banking, it is easy to see that mobile malware will rapidly grow in sophistication and ubiquity in 2014. We’ve already seen a strong uptick in both over the past few months and expect that this is just the beginning of a huge wave. We will see some high-profile mobile breaches before companies and consumers realize the risk and take appropriate steps to mitigate it. Interestingly, the Economist recently featured an article suggesting such fears were overblown. It is probably a good idea to be ready just the same.

The Economist article Art references (which is based on an earlier blog) asserts that “surprisingly little malware has found its way into handsets. . . smartphones have turned out to be much tougher to infect than laptops and desktop PCs.” (Ironically, the Economist also publishes vendor-sponsored content such as How Mobile Risks Are Pushing Companies Towards Better Security. I suppose that’s one way to beat the obvious or oblivious game: Place a bet on both sides.)

RSA’s Online Fraud Resource Center provides some terrific fact-based insights on the matter, including Behind the Scenes of a Fake Token Mobile App Operation.

But the legitimate question remains: What is the risk of malware on mobile? Let’s focus here on enterprise risks, and set aside the consumer risks that Art also raised as a topic for another blog.

Keep in mind the proper definition of “risk”—one of the root causes of miscommunication among security professionals today, as I have noted in a previous blog—which is “the likelihood that a vulnerability will be exploited, and the corresponding business impact.” If we’re not talking about probabilities and magnitudes, we’re not talking about risk.

Regarding the probability of malware infecting mobile devices:

  • The Economist‘s article builds on findings from an academic paper published by researchers from Georgia Tech, along with a recent PhD student who is now the Chief Scientist at spin-off security vendor Damballa. Their core hypothesis is that the activities of such malware—including propagation and update of malicious code, command and control communications with infected devices, and transmission of stolen data—will be discernible in network traffic.
  • From three months of analysis, they found that about 3,500 mobile devices (out of a population of 380 million) were infected—roughly 0.001%, or 1 in 100,000.
  • Compare this to the computers cleaned per mille (CCM) metric regularly reported by Microsoft: For every 1,000 computers scanned by the Microsoft Malicious Software Removal Tool, CCM is the number of computers that needed to be cleaned after they were scanned. For 1H2012, the infection rate per 1,000 computers with no endpoint protection was between 11.6 and 13.6 per month.

All of this nets out to say that currently, mobile endpoints are three orders of magnitude less likely to be infected by malware than traditional endpoints.

But doesn’t this conflict with other published research about mobile malware? For example, I’ve previously blogged about an analysis of 13,500 free applications for Android devices, published in October 2012 by university researchers in Germany:

  • Of 100 apps selected for manual audit and analysis, 41 were vulnerable to man-in-the-middle (MITM) attacks due to various forms of SSL misuse.
  • Of these 41 apps, the researchers captured credentials for American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.
  • Among the apps with confirmed vulnerabilities against MITM attacks, the cumulative installed base is up to 185 million users.

In another blog, I’ve noted that mobile applications have a more complex attack surface than traditional web applications—in addition to server-side code, they also deal with client-side code and (multiple) network channels. The impact of these threats is often multiplied, as in the common case of support for functions that were previously server-only (e.g., offline access). This makes security for mobile apps even more difficult for developers to address—mobile technology is not as well known, development teams are not as well educated, and testing teams are harder to keep current.

Meanwhile, malware on mobile is indeed becoming more prevalent: Currently over 350,000 instances from 300 malware families. It is also becoming more sophisticated—e.g., by obfuscating code to evade static and dynamic analysis, establishing device administration privileges to install additional code, and spreading code using Bluetooth, according to the IBM X-Force 2013 Mid-Year Trend and Risk Report.

But threats, vulnerabilities, and exploits are not risks. What would be obvious to predict is this: The likelihood of exploits based on mobile malware will increase dramatically in 2014—point Art.

The other half of the risk equation is the business impact of mobile exploits. From the enterprise perspective, we would have to estimate the cost of exploits such as compromise of sensitive corporate data, surveillance of key employees, and impersonation of key corporate identities—e.g., as part of attacks aimed at social networks or cloud platforms, where the mobile exploits are the means to a much bigger and more lucrative end. It seems quite reasonable to predict that we’ll see some high-profile, high-impact breaches along these lines in 2014—again, point Art.

Obvious or oblivious, you can put me down squarely with Art’s prediction for this one, with the exception that I would say the risk of mobile malware is much more concentrated and targeted than the all users/all devices scenario he seems to suggest.

About the Author:

Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also an adjunct faculty member with Brandeis University, Graduate Professional Studies, teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx
