Professor Jaric’s Assignment
For this assignment, put yourself in the role of an executive at a small to medium-sized corporation… Let’s say it’s a gourmet food retailer with three stores and an online e-commerce marketplace. You sell approximately $1 million in goods each year; you have more than 35,000 customers, 100 retail employees and 35 corporate employees.
You are the CIO or the IT supervisor, and you’ve been tasked with helping your organization prevent and manage cyber threats. These threats can come from a variety of sources, and they can impact many aspects of your business. Your job in this assignment is to identify potential threats, assess your organization’s vulnerabilities, and provide advice on how to minimize digitally-induced disaster.
In a 500+ word blog post, address the following:
1. Know your enemy: As of Summer 2020, what are 5 sources/types of potential digital threats to your organization? Examples include external malicious actors or internal human error. Provide a thorough description and examples; be specific.
2. Know yourself: Identify at least 5 digital processes, systems, and/or functions your company has in place. Importantly, address how those could be exploited or manipulated in order to gain access to valuable corporate or customer data.
3. Develop your strategy: As the chief technology executive, make 5 recommendations that your company should adopt to be safer, more secure, and more reliable. Again, consider hardware, software, networks, and human policies and procedures (e.g., appropriate use policy on corporate computers; firewall; SSL/web encryption; backup/retention).
My Answers
Question 1: The number one security threat to my company is lazy, stupid, and horny employees. They check their personal email, surf the web starting at Reddit, and even use the company Wi-Fi to watch porn on their phones in the restroom. Of course, phishing and other forms of social engineering are a perennial threat, and the higher up you go on the food chain, the more sophisticated the social engineering becomes. I’ve had social engineers arrange fake dates with VPs. But not every social engineering threat has to be sophisticated to work; some employees will click on that link from “paypal” and fill in their details without any due diligence at all 🙄. Then there are the idiots who put passwords on a post-it note on their monitor. I don’t require super-sophisticated passwords no human can remember, and I don’t require periodic password changes, so everyone should be able to have their password memorized. Of course, data breaches can happen because of disgruntled employees leaving the company. And finally, with COVID-19, I’ve had to think a lot about our VPN, and how to keep it secure.
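An added example (my code as editor, not part of the original answer): the kind of check a mail gateway or awareness tool runs against the “paypal” link problem described above. It parses the anchors in an HTML email and flags links whose visible text names one domain while the href goes somewhere else, and links whose target merely looks like a trusted brand (paypal.com.something.example.net, paypa1.com). The trusted-domain list, the crude last-two-labels rule for the registrable domain, and the sample message are all assumptions constructed for the example; a production filter would use the public suffix list and a real brand list.

```python
"""Flag phishing-style links in an HTML email body.

Two checks are applied to every <a> tag:
  1. the visible link text names a domain that differs from the href's domain
     (the classic "https://www.paypal.com/" text pointing elsewhere), and
  2. the href's host imitates a trusted brand (paypal.com.evil.example,
     paypa1.com) without actually being that domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the business legitimately deals with (assumption for this example).
TRUSTED_DOMAINS = {"paypal.com", "shopify.com"}

# Constructed sample message for the example; not a real phishing email.
SAMPLE_EMAIL = """
<p>Your PayPal account has been limited. Verify your details now.</p>
<a href="http://paypal.com.account-verify.example.net/login">https://www.paypal.com/</a>
<a href="https://www.paypal.com/signin">Sign in to PayPal</a>
<a href="https://paypa1.com/login">paypal.com</a>
<a href="https://www.shopify.com/admin">Manage store</a>
"""

# Visible text that is itself a URL or bare domain, e.g. "https://www.paypal.com/".
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:]|$)")


def registrable_domain(host):
    """Last two labels of a host name. A crude stand-in (assumption) for the
    public suffix list, which a real gateway would use to handle co.uk etc."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hamming_one(a, b):
    """True when two equal-length strings differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def looks_like_trusted(host):
    """True when host mentions or nearly spells a trusted brand but is not it."""
    rd = registrable_domain(host)
    if not host or rd in TRUSTED_DOMAINS:
        return False
    first_label = rd.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host.lower() or hamming_one(first_label, brand):
            return True
    return False


def check_link(href, text):
    """Return a reason string if the link is suspicious, otherwise None."""
    href_host = urlparse(href).hostname or ""
    reasons = []
    m = DOMAIN_TEXT.match(text.strip())
    if m and registrable_domain(m.group(1)) != registrable_domain(href_host):
        reasons.append(f"text shows {m.group(1)} but target is {href_host}")
    if looks_like_trusted(href_host):
        reasons.append(f"{href_host} imitates a trusted domain")
    return "; ".join(reasons) or None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_email(html):
    """Return [(href, reason)] for every suspicious link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reason = check_link(href, text)
        if reason:
            flagged.append((href, reason))
    return flagged


if __name__ == "__main__":
    for href, reason in scan_email(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}\n    {reason}")
```

Run as a script it flags the first and third links in the sample and leaves the genuine PayPal and Shopify links alone. The brand-substring check deliberately fires on any host that contains "paypal" outside paypal.com, because attackers put the brand in a subdomain precisely so that the visible part of a long URL looks right.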
Question 2: The things we have in place are:
- Our website. It’s attractive and well maintained, and it has our e-commerce operations on it. This has become particularly vital, because our brick and mortar locations were shut down for two months and are still only allowing one family of customers in at a time. Naturally this could be hacked, either to put graffiti on the site, or, more seriously, to steal customer data.
- Our VPN, which has been vital to our office operations during COVID-19. If a bad actor has access to an employee’s VPN key, they have access to everything the employee does. This is why we try to keep the VPN secure. Before COVID-19, only company-issued devices could access the VPN, but now we’ve had to allow BYOD because we couldn’t afford universal issue of company laptops and tablets.
- Our server holds the website and a bunch of other data. It’s a big rack in our main office, with all the usual accessories. Physical access to it is strictly controlled, but the office has been deserted for days during the COVID crisis. In April I only went in once a week.
- Our brick and mortar point of sale system. This is not a huge security concern, since when it’s up a cashier is always there, and the machines are on Ethernet cable, not Wi-Fi, and only have access to our intranet, not the internet.
- Our corporate intranet does a lot of things. It’s where everyone with a white collar job stores files that multiple people need to access, for instance. It’s where the sales figures from our POS system and eCommerce meet, too.
Question 3: Of course we use SSL for anything networked. It is 2020 and I am not an idiot. Likewise, we have a firewall; we’ve implemented an enterprise solution from Norton. The guest Wi-Fi for employees’ personal devices in our offices is siloed and separate from the company Wi-Fi used by company-issued devices, which have a corporate certificate installed on them and are subject to man-in-the-middle inspection by our office. The open customer Wi-Fi for our brick and mortar stores is even more strictly separate. As I said, we used to require company-issued devices for work from home. That’s not practical anymore, but we do require the use of a virtual machine to keep our data separate from employees’ personal data. The company certificate is on the VM but not on our employees’ personal profiles. The VMs and company-issued devices are backed up to our server; once again, this is an off-the-shelf solution we purchased from Norton.
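As an added example of the “memorable password, no forced rotation” policy stated in the answer to Question 1 (my code as editor, not part of the original answer), here is the check a login or password-change page would run in place of composition rules, in the style of NIST SP 800-63B: length bounds, a breached-password lookup using the k-anonymity range technique, and a few context checks. The thresholds, the context words and the local stand-in for the breach list are assumptions constructed for the example; a real deployment would load the published Pwned Passwords list or query its range API with the same five-character prefix.

```python
"""Memorable-password policy check, NIST SP 800-63B style: a minimum length, a
breached-password lookup and a few context checks, but no composition rules
and no scheduled rotation (passwords change only on evidence of compromise).
"""
import hashlib

MIN_LENGTH = 12      # assumption; 800-63B requires at least 8
MAX_LENGTH = 128     # allow long passphrases, but bound the hashing cost

# Constructed stand-in for a breached-password corpus, stored as uppercase
# SHA-1 hex the way the Pwned Passwords list is distributed (assumption).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty123456", "letmein", "gourmetfood2020")
}

# Company-specific words that make a password guessable (assumption).
CONTEXT_WORDS = ("gourmet", "ourstore")


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the key format used by the breach list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def local_range_lookup(prefix):
    """Offline stand-in for the range API (constructed from BREACHED_SHA1):
    returns "SUFFIX:COUNT" lines for every stored hash with this 5-char prefix."""
    hashes = sorted(h for h in BREACHED_SHA1 if h[:5] == prefix)
    return "\n".join(f"{h[5:]}:{i + 1}" for i, h in enumerate(hashes))


def pwned_count(password, range_lookup=local_range_lookup):
    """k-anonymity check: only the first 5 hex characters of the SHA-1 leave
    the client; the remaining 35 are matched locally against the returned
    range. range_lookup(prefix) must return "SUFFIX:COUNT" lines (assumption;
    the real API is https://api.pwnedpasswords.com/range/<prefix>)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def check_password(password, username="", range_lookup=local_range_lookup):
    """Return a list of policy violations; an empty list means accepted.
    No character-class rules: a long, unbreached, non-obvious passphrase passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    elif pwned_count(password, range_lookup) > 0:
        problems.append("appears in a breach corpus")
    lowered = password.lower()
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    for word in CONTEXT_WORDS:
        if word in lowered:
            problems.append(f"contains the context word '{word}'")
    if len(set(lowered)) <= 3:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("letmein", "gourmetfood2020", "three red parsnips in March"):
        verdict = check_password(candidate, username="jsmith") or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The point of the range lookup is that the server never sees the password or its full hash, so the breach check can be done against a third-party service without creating a new place for passwords to leak. Rotation is deliberately absent from the check: under this policy a password is changed when a breach lookup starts matching or an incident says so, not on a calendar.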