Mile2 Cybersecurity Certifications

Aaron Elliott

Forum Replies Created

Viewing 15 posts - 61 through 75 (of 75 total)
  • in reply to: OCU C)SP D Week 03 Lesson 06 Discussion #83805
    Aaron Elliott
    Participant

    You are right, I forgot to mention cloud storage. I am also not sure how commonly businesses use cloud storage; at least from my experience, I have not seen it. I use direct attached storage as well.

    in reply to: OCU C)SP D Week 03 Lesson 07 Discussion #83761
    Aaron Elliott
    Participant

    A company needs to understand and research the threats and vulnerabilities their network has first of all. Both physical and software solutions need attention to secure a network. Physically, the location of the facility is important, as natural disasters can compromise data availability. The facility’s markings on the outside can cause security risks if bad actors have an interest in physical break-ins. Mantrap entrances to data centers prevent bad actors from shadowing employees to gain entrance.

    A company will want to implement regular security updates and patches to keep up to date, along with closing ports that are not in use. Limiting end users’ access to only the files they need and training the end users on file management and security practice will help in keeping a network secure.

    in reply to: OCU C)SP D Week 03 Lesson 06 Discussion #83753
    Aaron Elliott
    Participant

    Direct Attached Storage is a hard drive that is physically attached to a single server. This type of storage does not allow for file sharing between different servers; however, this type is cheaper and easier to install. This option usually has slower data access, so it is recommended for smaller organizations.

    Network Attached Storage is a storage option that can be accessed through a server, allowing cross-server access. This option uses a certain file format like NFS. Compared to direct attached storage, network attached storage is more expensive, but still relatively cheap. Usually used for smaller businesses.

    Storage Area Network is an option that is also accessed through a network but is seen on the network as its own hard drive without the need for a file format like NAS. This option is easy to expand with the data all in one place. This option requires more skill to set up and has fast access times, making this option more expensive and used commercially.

    RAID is multiple hard drives together with information spread throughout them all, giving the storage parity, disk mirroring, and fault tolerance. This option helps prevent data loss: when a hard drive fails, the extra devices will have the same data, which can be used to remake it on the replacement devices.

    in reply to: OCU C)SP D Week 02 Devotion #83677
    Aaron Elliott
    Participant

    I believe in the prophecies of the Gospel, as there are so many examples of the prophecies coming true. Among the birth of Jesus being an extraordinary foretelling, the betrayal of Jesus being foretold before his birth, and Jesus himself telling his disciples that they will renounce knowing him at the time of His death, and that even Judas sold Jesus out for silver came true.

    in reply to: OCU C)SP D Week 02 Lesson 05 Discussion #83675
    Aaron Elliott
    Participant

    The tactics used in phishing are clever at times; just this week I have received text messages regarding my PayPal account and Amazon account being locked. Obviously, the link they provide has no indicator of being associated with those websites, so I knew it was a phishing attack. Now in the work environment, loaded with the stress and the need to meet deadlines, the chances to get phished are way higher.

    in reply to: OCU C)SP D Week 02 Lesson 04 Discussion #83674
    Aaron Elliott
    Participant

    I remember at my last employer I was only in the quality department, and I eventually gained access to other departments that I worked with, which could cause integrity issues along with security. I had access to probably three other departments’ data that I really didn’t need; it was just more convenient for management to give me access rather than have all departments communicate and work together. Really drives home the fact that management needs to be behind security issues to fix the problem.

    in reply to: OCU C)SP D Week 02 Lesson 05 Discussion #83617
    Aaron Elliott
    Participant

    Businesses face security threats from constant malware risks and phishing attacks. Most of these attacks are enabled and successful through employee carelessness, by phishing emails that may look official, or having weak passwords. These threats can be reduced by requiring good employee security understanding and training, along with data backups for any breaches in security that might ransom data or encrypt data.

    in reply to: OCU C)SP D Week 02 Lesson 04 Discussion #83584
    Aaron Elliott
    Participant

    A critical control of OWASP would be authorization and access control. Access creep can raise the risk of data breaches if not monitored and managed, as it is recommended that associates are given the minimum access as required. Since it is common that an associate will move departments in a company, if their access to sensitive data is not managed, one employee can access a majority of the data, which poses an increased security risk, due to carelessness from the associate or possibly sabotage from a disgruntled associate. Managing user accounts by auditing their permissions periodically to ensure users are granted the correct permissions, while disabling old unused accounts to prevent unauthorized access by previous employees or possible breaches.

    in reply to: OCU C)SP D Week 01 Devotion #83524
    Aaron Elliott
    Participant

    I believe Jesus to be my savior from sin. I shy away from preaching the teachings or speaking of my religion on a regular basis, as currently I do not feel I can do Jesus’ teachings justice as I do not know them well enough to lead others to Jesus. I continue learning, however, to one day spread the teachings of Jesus.

    in reply to: OCU C)SP D Week 01 Lesson 03 Discussion #83465
    Aaron Elliott
    Participant

    This is a main reason why I do not use a cell phone for anything sensitive, like paying bills or logging into any personal account. Countless apps have access to your data, and personal data is a commodity now for advertisers; who knows who has your data and how secure their networks are?

    in reply to: OCU C)SP D Week 01 Lesson 02 Discussion #83463
    Aaron Elliott
    Participant

    Policy enforcement is something I have seen not always kept up with once management and supporting departments get overloaded with tasks, which is especially common in smaller companies. Unfortunately, it leads to a critical failure for the policy to be enforced as the policy demanded in the first place.

    in reply to: OCU C)SP D Week 01 Lesson 01 Discussion #83462
    Aaron Elliott
    Participant

    I agree third-party audits are important, and most regulation committees like ISO require them. Internal audits cause some friction between departments, that’s for sure, as I witnessed a fair amount of it when I worked in the quality department and audited production lines, but it all helps to communicate the importance of the audits, and that the reason is not to get people in trouble. Also, the internal audits need to be given to the third-party auditors to prove the company also checks for non-compliance.

    in reply to: OCU C)SP D Week 01 Lesson 03 Discussion #83436
    Aaron Elliott
    Participant

    The risk that comes with mobile devices is the potential increase in security failures. Users of mobile devices can fail to make passwords strong enough to prevent the device from being cracked; this could be the password to unlock the device itself or any applications installed. The danger of a weak password to unlock the device is the risk of losing the device, leaving sensitive devices for anyone to find. Users may fail to update their devices on a regular basis, allowing for easier breaches. Managing mobile devices would be more of a challenge to not lose track of devices that have been assigned to associates, as well as making sure all devices are updated and free of malware, as access to the device may not be possible at any moment.

    in reply to: OCU C)SP D Week 01 Lesson 02 Discussion #83418
    Aaron Elliott
    Participant

    An organization should be prepared for an incident by finding the value of what is at risk, be that a monetary value or production capabilities. Once the risk is valued, the risk should be ranked on severity and the likelihood that an event would occur. These findings need to be documented and reported to those responsible in management. The organization should then follow a plan to address these vulnerabilities, such as the “Plan, Do, Check, Act” method. Changes made during a PDCA process would also be better reinforced with automated security that can check server logs for events and patches, followed by auditing of the changes made.

    in reply to: OCU C)SP D Week 01 Lesson 01 Discussion #83394
    Aaron Elliott
    Participant

    While I have not been in the IT field professionally, my past work experience always had a mandatory audit from internal and third-party groups. These third-party audits provide the company with a list of improvements and non-compliant issues that need to be addressed in order to stay compliant with industry and legal standards. Once all non-compliances have been addressed and corrected, a passing audit is useful in proving the company meets industry standards that are commonly needed for companies to even do business or acquire new business.
