Thursday, January 14, 2016

Get your Cyber-Security Freak On - What I Am Reading 1/14/2016

Udacity - Intro to Information Security -

This course provides a one-semester overview of information security. It is designed to help students with prior computer and programming knowledge — both undergraduate and graduate — understand this important priority in society today. The technical content of the course gives a broad overview of essential concepts and methods for providing and evaluating security in information processing systems (operating systems and applications, networks, protocols, and so on).
In addition to its technical content, the course touches on the importance of management and administration, the place information security holds in overall business risk, social issues such as individual privacy, and the role of public policy.
...
The course will be organized around a few broad themes:
• Foundations: security mindset, essential concepts (policy, CIA, etc.)
• Software security: vulnerabilities and protections, malware, program analysis
• Practical cryptography: encryption, authentication, hashing, symmetric and asymmetric crypto
• Networks: wired and wireless networks, protocols, attacks and countermeasures
• Applications and special topics: databases, web apps, privacy and anonymity, voting, public policy


For those who aren't aware, Udacity and Georgia Tech partnered a couple of years ago to offer an online Master's Degree in Computer Science. This course is part of that track. Looking at the syllabus, it appears to be a pretty comprehensive course, designed to last 6 months at 6 hours / week. Recommended prerequisites are undergrad courses in computer networking and operating systems (I assume they mean the theory courses and not something like how to use Windows), programming experience, and linear algebra and discrete mathematics. I haven't taken the course, but it appears it may be a cut above the usual Security+ / CISSP courses being repackaged and put out online. The textbook is definitely a serious academic-type book: Computer Security: Principles and Practice (3rd Edition).

So why, you (the imaginary voices in my head) ask, did I just spend so much time on this? Well, honestly, this course probably isn't for everyone - it probably isn't even for me, given that it requires literacy and some ability to use critical thought - but on the other hand it is exciting to see stuff like this out there, so I pointed it out.

Schneier on Security - IT Security and the Normalization of Deviance -

The point is that normalization of deviance is a gradual process that leads to a situation where unacceptable practices or standards become acceptable, and flagrant violations of procedure become normal -- despite the fact that everyone involved knows better.

Schneier points to several indicators of a developing culture of deviance. In my opinion the indicators are so general as to be useless. Basically any organization will display all of them to some degree.

My opinion - This type of situation is a problem, but it is entirely self-inflicted. If rules interfere with accomplishing needed work, the rules will be ignored. Once one is ignored it is a cascading effect - "Well, we aren't doing A, so we don't need to do B."

The two choices are to strictly enforce adherence to all the rules and suffer the consequences, or to tailor the rules to the work. The second option will be more successful, again in my opinion. It also requires some courage, as many rules are driven by regulatory regimes that aren't 100% applicable and are put in place solely as a wink and nod to auditors. Stopping that practice will be almost impossible as long as such regimes exist.
