CIS 608 Information Security Blog

As you can clearly tell from my previous posts, I am a big fan of automated controls. This week I want to share with you a story of a recent computer upgrade. I had an old 2013  Macbook  Air. Our Desktop Engineering team was tasked with rolling out the new OS, Mojave, to all outdated Mac systems. Now my Air was a test Mac I got years ago and never really had much need to upgrade. Through automated controls, specifically a tool called Casper JAMF, our Desktop  Eng  team was able to tell that my Mac was outdated and needed an upgrade.   They reached out to me, set up a time to update, and realized that the hardware was simply too old for the new OS. To accommodate they initiated an update procedure. A new  MacbookPro  was imaged, updated, and given to me. They jumped the gun when they distributed it to me in production however and the disk encryption,  FileVault , was not completed before it left the secured image lab. Once again, the JAMF s...

Automated controls are a Godsend for Information Security departments. They can be universally applied, tracked, and easily accessible during an audit review. Today I am going to discuss one automated control specifically and that is our company’s external writable media policy.   Per policy, all non-approved writable media is prohibited from being read by any company device. This policy extends to servers too. Gone are the days where employees can put thumb drives or the occasional SD card into any laptop and transfer files. In recent times with the transition to Office 365 and cloud storage, such a policy is easily forgettable. 5 years  ago  however when the policy was put into place, it was a radical change that generated a lot of push back from our employees.   Here’s how it works: our antivirus software which is installed and configured on the base image of every laptop and desktop we use has a rule applied to it. When a writable device is detected...

Without a proper policy review process in place, companies can find themselves at a serious competitive disadvantage in the marketplace. In this post I will review how lacking to review and retire or update outdated policies can stifle innovation and slow productivity. I will focus mainly on one example that I’m certain many companies are behind the eight-ball on, and that is the move to the cloud.   The year is 2002. After a few years getting themselves established, building a modest customer-base, and looking to build out the technology infrastructure in their new office space, one of the founders decided it would be neat to name the company network drive after a cartoon character. Flash forward to 2019, and the year-long process of  retiring  the “ Tweety ” network drive is nearing its conclusion.    For nearly 20 years thousands of employees who have come and gone through the doors found themselves using the term “ Tweety ” in everyday context....

Security awareness is a critical aspect of any information security department. This often involves training, video modules, posters, email announcements, and various other communications.  Unfortunately  all this effort often falls on deaf ears. Employees represent the largest potential of risk to a company from an information security standpoint;  however,  it has been my experience that all the training in the world cannot make people disrupt their daily routine and make security a priority.   There is one technique that I have seen  work  however. Something that has always gotten people engaged, more recently upset, but always talking about information security. This technique involves sending fake spam emails from our Information Security Department to our end-users, and I would like to share how this process has evolved over the years.    Our InfoSec department has been using this technique for years now. They first starte...

I would like to build off last week’s post by sharing a real-world example of how no matter how many security controls you have in place, employee engagement and adherence to policy will inevitably determine their effectiveness.   The organization I work for have two separate departments, one for data security (think workstations, servers, etc.) and the other for physical security (think door/badge access, security cameras, etc.). Both departments are completely separated from each other and operate in their own silos. One day the security operations center who manages the physical security of our buildings decided to run a penetration test. They hired an outside contractor, gave him a “lost employee bade” with basic access, and told him to see what he can gain access to in a day before getting caught.    So  off this contractor went wearing a badge without his picture on it, no knowledge of the key combination to use with the badge, but simply followin...