Konkuk University Medical Center and its ... - Korea IT Times

More documents

Recommendations

Info

How to... Don't Look Now, But You Need a Pro How to Separate the Wheat From the Chaff When Looking for an Information Security Professional On the way to the office one morning, one of your company's employees sees a USB thumb drive digital media storage device laying on the ground near the front door of your company's office building. He picks it up and takes it to his office. He boots up his company computer and inserts the drive into a USB port, so that he can see what is on it. He thinks “Maybe that way I can figure out who it belongs to and return it to its rightful owner.” As he starts to browse the files on the thumb drive. He notices a folder that is called “company financials”. He clicks on the folder and inside sees a file called “company salaries”. His curiosity gets the better of him and he clicks on the file. At this point a Trojan horse application that is embedded in the document starts collecting all of the email addresses on the computer. Next, it sends a malicious program to all of the addresses that it finds. It harvests any passwords that are stored on the computer and sends them back to the bad guy who left the thumb drive on the ground outside the the front door of your company building. When the addressees that were found on the first victim's computer receive the malicious email that was send by the Trojan from your employee's email address, they open it to see what he has to say. The message says “click on this link to see pictures of the company Christmas party.” They click on the link and the malicious application starts harvesting their passwords and sending a copy of the malicious email to everyone in their address book. The flood of activity brings your corporate network to a screeching halt. Your IP phones stop working and your call center is out of business, not to mention the fact that the bad guy has received more passwords than he knows what to do with. Eventually the infected machines are taken off of the network and communication is restored. Later that day, an employee in HR sends a document that contains confidential company information regarding a problematic situation that has arisen, due to some derogatory terms that were use by an executive of the company, to an attorney who the company had retained for consultation. Because the email and the document are not encrypted by the corporate email system, the confidential data is sent in the clear. There is a disgruntled former employee who is using hacker tools to monitor all of the data that leaves your network bound for the Internet. He harvests the confidential data and posts it on a popular web site. The media picks the story up and the cat is out of the bag. Now you have a publicity nightmare on your hands. Calls start coming in from the board of directors. They say that they are going to recommend an audit to assess the state of the company's information handling practices. The bad day gets worse. About that time, a company analyst is updating the the enterprise database. She is copying and pasting data from a spreadsheet into fields in the database. She gets a call from her sister who is asking for their grandmother's recipe for Ukrainian borsch. The analyst digs around in her files and finds grandma's recipe. She copies and pastes it in to an email and sends it to her sister. When she goes back to work on the database, she accidentally pastes the recipe into one of the fields. The recipe is very long and has some Cyrillic characters in it. The database, because error checking is not enabled, becomes corrupt, due to the volume of data and Cyrillic characters that it doesn't know how to parse. It doesn't take long before the analyst's supervisor figures out that the database is corrupt and calls the server manager with a request to restore the database from a backup. After some time has passed, the backup is located and restored to the server. Users try to access the data to no avail. It turns out that the most recent back up is bad. The next available good back up is a month old. That means that all the data that was entered in the last month 94 KOREA IT TIMES | October 2010
How to... has to be reentered. You have to hire temps to come in and do the work, meanwhile no one has access to the data. Will this day ever end? If you had an Information Assurance (IA) or Information Security program, then user awareness training might have prevented the first guy from inserting the thumb drive into his computer. Awareness training and a good security architecture might have prevented the employee in HR form sending out unencrypted confidential data or the former employee from intercepting it. A robust back up strategy and routine vulnerability assessments for the database could have saved the inconvenience of manually updating the restored database. Did you say that auditors are coming to check on information handling policy compliance? Clearly you need an Information Assurance (IA) professional to establish your IA program and keep it up and running. But where do you find one and then how do you know if he or she is any good? If you run a job vacancy announcement, you are likely to receive the resumes of every hacker wannabe, reformed script-kiddie and junior James Bond within the commuting area. They will try to impress you with tales of their exploits in the underworld of computer hackery. Intermingled with the resumes of the these ill qualified aspiring cyber-warriors, will be a handful resumes from true IA professionals. But how can one tell them apart? That's where the (ISC)² comes in. The International Information Systems Security Certification Consortium, Inc., or (ISC)² , headquartered in the United States and with offices in London, Hong Kong and Tokyo, is the global, not-for-profit leader in educating and certifying information assurance professionals throughout their careers. They are recognized for Gold Standard certifications and world class education programs. In November of 1988, “The Consortium” was formed among several professional organizations to create a global information security certification process for professionals and address the need for a standardized curriculum for the burgeoning profession. A series of strategy and planning meetings were held at Idaho State University and in Salt Lake City, Utah in the US. By 1992 the consortium had finalized creation of what is known as the Common Body of Knowledge, or the CBK for Information Security Professionals. The CBK refers to the ten “domains” of information assurance, which include Access Control, Application Development Security, Business Continuity and Disaster Recovery Planning, Cryptography, Information Security Governance and Risk Management, Legal, Regulations, Investigations and Compliance, Operations Security, Physical (Environmental) Security, Security Architecture and Design, and Telecommunications and Network Security. The (ISC)² has a number of certification programs where candidates are qualified at various stages in the development of their Information Assurance careers. At the end of the bad day described above, the cert holder that you are looking for is the Certified Information Systems Security Professional, or CISSP. The (ISC)² has established criteria for becoming a candidate for the certification, which includes completion of at least five full years of experience in information security / assurance and sponsorship by someone who is already a CIS- SP. Once accepted as a candidate, certification requires successful completion of a 250 question written test of the candidates knowledge of the CBK, which must be completed within six hours. Most professionals prepare for approximately six months prior to taking the exam. The pass / fail rate is about 70 percent. Today, there are approximately 60,000 CISSPs worldwide. Just because a person has the CIS- SP certification doesn't mean that they are an expert in all ten domains, or any of them for that matter. In fact, that is one of the knocks on the program. They say that the certification requires understand these topics in a way in which a river might be described – a mile wide and a foot deep. In other words, in order to pass the exam a person has to have a broad knowledge of the concepts, but it does not require deep knowledge in any in order to pass. It's this writers experience that the person you select to implement your IA program should at least be an expert in one of the domains and the more the better. Obviously, there are a great many factors that one must consider when hiring an employee. The CISSP certification isn't perfect, but with all things being equal, pick the person who has those initials after their name, as opposed to the one that doesn't. Robert E. Weimer / bob@koreaittimes.com www.koreaittimes.com 95
Page 1:
October 2010 | Vol. 76 Konkuk Unive
Page 7 and 8:
u-Finance 42 Different is Better KE
Page 9 and 10:
Analysis LG U+ XOXO When Eject butt
Page 11 and 12:
Analysis X-Box 360 comes with an 8G
Page 13 and 14:
Editorial ty of k-pop music or the
Page 15 and 16:
Conference SaKong Il, Chairman of t
Page 17 and 18:
Conference Special meeting for the
Page 19 and 20:
Conference 2009 Global assessment r
Page 21 and 22:
Conference gram is designed to esta
Page 23 and 24:
Open Daejeon Daejeon EXPO science p
Page 25 and 26:
Conference Gyung-Su Lee, Chairperso
Page 28 and 29:
u-hospital Konkuk University Medica
Page 30 and 31:
u-hospital tumor during the surgery
Page 32 and 33:
Open Korea Chungcheongbuk-do Sets t
Page 34 and 35:
Open Korea 3rd-Generation Industria
Page 36 and 37:
Open Korea Gwangju City Stresses 6
Page 38 and 39:
e-government Seoul City Pushes for
Page 40 and 41:
e-government e-Government, here WeG
Page 42 and 43:
u-Finance Different is Better Citib
Page 44 and 45: KES2010 KES 2010, Buckle Up, Early
Page 46 and 47: KES2010 ful cases of green IT appli
Page 48 and 49: KES2010 Cho Seok, the Deputy Minist
Page 50 and 51: KES2010 François Barlinckhoff from
Page 52 and 53: KES2010 From South America to South
Page 54 and 55: KES2010 satisfied with the exhibiti
Page 56 and 57: KES2010 World 3D Expo Came to Life
Page 58 and 59: KES2010 App World Expo Shows that t
Page 60 and 61: KES2010 Medical-grade Full-body Sca
Page 62 and 63: KES2010 We Look at The World! It is
Page 64 and 65: KES2010 Creative Futures Forum The
Page 66 and 67: IMID2010 The Beginning of the Inter
Page 68 and 69: iSEDEX2010 “No Power” Green Mem
Page 70 and 71: iSEDEX2010 Cutting-Edge Internation
Page 72 and 73: iSEDEX2010 Samsung Electronics unve
Page 74: Events Global Gateway, G-FAIR 2010
Page 77 and 78: Events industry to create high valu
Page 79 and 80: Events 'Robot World' is one of the
Page 81 and 82: Event ing research papers that will
Page 83 and 84: Electronics Special further in the
Page 85 and 86: Country Report Royal Highness Crown
Page 87 and 88: Investment Guide However, the colle
Page 89 and 90: Toys, Whatyourkidsneed World Class
Page 91 and 92: Column E-learning progress Electron
Page 93: Festival Eve fri, Art Fireworks Sho
show all

Konkuk University Medical Center and its ... - Korea IT Times

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?