Cyber / Information Security can’t be that hard, can it? The guidelines are available, the principles are available, the regulations exist, and if you’re in the government, the NIST documents and FISMA exist, too. I teach my students in our Cyber Security I (Fundamentals of Information Security) course that if you need to secure your business, there’s no better place to start than the NIST 800-series documents as a guideline. And yet, as described in the New York Times article on the Chinese hack of the Office of Personnel Management, a lot of the basic principles were violated. Among them:
- Failure to maintain an inventory of computers, especially laptops holding sensitive information (and even those that didn’t hold that kind of information)
- Failure to require strong passwords and to change them on a regular schedule
- Failure to install necessary security patches and updates
- No firewall and no Intrusion Detection and Prevention Systems (IDPSs) in place
- Failure to encrypt data
- Failure to monitor the network (again, IDPSs would be one component of doing this)
Not only are all of these precautions in the textbook we use for our first Cyber Security course, they’re also in the NIST documents the government requires its personnel to use as guidelines for managing information security. It’s astounding that the very principles the federal government set forth for its own agencies to follow, sound principles, were not followed by one of those agencies.
Perhaps the students we graduate from our program at Armstrong will go into government service and help straighten them out.