2. Response to Marvin in 100 words. User training is the weakest link within an organization, because organizations often fail to train their end users on the dos and don'ts of their network security policy. Most organizations typically draft ambiguous policies, which often result in knee-jerk reactions. An organization can strengthen its policies if it consults with end users during the drafting procedure. If an organization provides training and consults with end users during the policy drafting period, an effective policy would be the end result. The policy should be drafted around the end users; if not, the end users will continue to incur policy violations, because they were probably unaware of certain policy restrictions. The same collaborative principles are used by manufacturing and pharmaceutical companies prior to releasing a new product. The company works diligently with its research and development department before releasing a new product. Prior to a full release, they often release sample products to a small group of consumers. These consumers will perform rigorous tests on the product and report any deficiencies. Similarly, pharmaceutical companies look for volunteers to ensure their product is safe even after approval from the F.D.A. This same procedure should be used when drafting a network security policy. Input should be obtained from the end users and training should be provided during the drafting process to ensure that the work environment and policy complement each other instead of inhibiting work productivity.
3. Response to Aretha in 100 words. User training is considered the weakest link in a network security policy because the user or users lack the depth and understanding of the numerous intricacies designed to protect the end user and the network. Also, they may not understand the severity of the threat or the resulting impact. Inadequate training, human error, or deliberate action taken by the user for one reason or another contribute to this weakness. Inadequate training may be defined in several ways. Examples include: when the user does not receive the training he or she needs to properly do his or her job, failing to ask for additional training when one does not understand or failure to be recognized for additional training, and/or insufficient refresher training after the initial robust training after accepting a position. Human error may be accidental and due to carelessness, complacency, fatigue, poor planning, stress, etc. Whatever the reason may be, the IT and security team must be prepared to take corrective action to fix the problem when it occurs. The deliberate action of an individual to cause an organization harm by an insider or outsider threat is real and is becoming more frequent. Organizations can combat the user training dilemma by conducting timely mandatory training that is easily understood by its audience (avoid using technical language or jargon), utilizing user-friendly equipment and devices, executing immediate corrective action or actions when an incident occurs, remaining vigilant, and understanding the motivations of people and why they do what they do. Finally, emphasizing that IT and security policies are created to ensure safety by mitigating or eliminating threats rather than for convenience purposes.
4. Response to Joseph in 100 words. User training is one of the most difficult things to train employees on based on several factors including but not limited to age, familiarity with systems, and the ability of the group to grasp concepts. Age diversity is always a largely difficult thing to account for when teaching employees in a group setting. Older people, based on their unfamiliarity with a computer, will need the pace of the teaching much slower than the pace of a younger group dynamic. The younger group, based on their knowledge and greater usage of computer-based systems, will become bored and lose interest in the material if they feel disengaged or the teaching seems remedial. If the pace is too quick, the elder crowd will feel left behind and have a defeated attitude toward the teachings. Utilization of certain programs will cause further issues based on the learning group's understanding of them. For example, someone who has only used a Windows operating system may have difficulty understanding a Mac-based operating system, just as some people will not understand portions of the Microsoft Office Suite if they have never used them, while others will grasp the usage and intricacies of programs. The individual will determine how quickly they can grasp the concepts and programs and therefore may require further training and assistance. In the case of my place of business, we have a very diverse group of individuals. The training department utilizes a pretest for anyone who is attending training so they can be grouped into like groups so the pace and depth of the learning is on a similar level. The test consists of a 10-question sheet which asks about familiarity and understanding of systems. Based on the score, the individual is placed in a group with those who are on a similar level.
5. In 250-300 words, please provide a substantive response to the following question.
What is a service set identifier (SSID), and what does it do? From an IS professional’s perspective, why is SSID vulnerable?
6. Response to Justin in 100 words. A service set identifier is normally used in conjunction with a wireless network in personal and hot spot Wi-Fi areas. It clearly identifies the name of the Wi-Fi that you are attempting to connect to. It also provides information like if it has security properties or if it is open to the public. There are options to change the SSID number if it is a personally owned router, and the only variable this changes is the quick access to find the needed Wi-Fi. This doesn't change the security, unless you put your name on it or some PII that someone in proximity could find and then know your whereabouts. In regards to SSIDs, they are visible by all personnel, including IT technicians. If someone has a Wi-Fi router at work, it can often disrupt the channel if that company is running on wireless. This can cause the speed to decrease or even kick people off the Wi-Fi. Also, if they are not allowed in the workplace, then you can see them because they will pop up on any wireless transmitter within range. If for some reason an SSID is left unsecured, then anyone can tap into the local network and begin to phish or sniff for data, such as passwords and files. Not only can they access your Wi-Fi, but they then can also lock it so you can't access it. Also, unless WPA is activated, accessing your Internet is much easier. Having it on doesn't mean it's not accessible; it's just that it will take them longer, and might just be enough for them to disregard the attempt.
7. Response to Leamon. A service set identifier (SSID) is a sequence of characters (32 alphanumeric) that uniquely names a wireless local area network (WLAN). The WLAN acts as a password when a mobile device that uses high-frequency radio waves tries to connect to the desired network or the basic service set (BSS) when multiple independent networks operate in the same area. It has been stated that a WLAN allows users to move around the coverage area at either your home or office maintaining a network connection. However, the BSS is a wireless network that contains a single access point which is connected to a set of all stations that can communicate with each other. From a personal standpoint, I have no idea what BSS I am currently attached to because I have read that if you move your laptop to another room in your house you are covered by another access point. There are two types of BSSs, which are called independent and infrastructure. "Independent BSSs exist when two clients communicate without using APs, but cannot connect to any other BSS. Infrastructure BSSs can communicate with other stations but only in other BSSs and it must use APs." SSID vulnerabilities from an IT professional's perspective are a major risk because "The SSID is advertised in plain text in the access point beacon messages." The access point beacon messages relate to wireless communication of messages between a wireless access point and one or more mobile stations. Although beacon messages are transparent to users, an eavesdropper can easily determine the SSID with the use of an 802.11 WLAN packet analyzer such as Sniffer Pro, NetStumbler, and Kismet." SSID wireless networks with open authentication create major network vulnerabilities because there is no way to verify or control access points to know if a client is valid.
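The plain-text SSID in beacon messages, and the "security properties" indication mentioned in the earlier response, can be seen by decoding a beacon's fields directly. The following is an added example, not part of the original responses; the frame is constructed in the code rather than captured, and the BSSID and the "Office" network name are sample values.

```python
import struct

def build_beacon(ssid: bytes, privacy: bool) -> bytes:
    """Constructed sample beacon (not a capture), without radiotap header or FCS."""
    header = b"\x80\x00" + b"\x00\x00"            # frame control: mgmt/beacon; duration
    header += b"\xff" * 6                          # addr1: broadcast destination
    header += bytes.fromhex("020000000001") * 2    # addr2 source, addr3 BSSID (made up)
    header += b"\x00\x00"                          # sequence control
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS bit, optional Privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)    # timestamp, interval, capability
    elements = bytes([0, len(ssid)]) + ssid + bytes([3, 1, 6])  # SSID, then channel 6
    return header + fixed + elements

def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID and the Privacy flag exactly as they appear on the air."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon frame")
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype != 8:
        raise ValueError("not a beacon frame")
    capability = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": frame[16:22].hex(":"), "privacy": bool(capability & 0x0010),
            "ssid": None, "empty_ssid": False}
    pos = 36                                       # tagged elements follow the fixed fields
    while pos + 2 <= len(frame):
        element_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element")
        if element_id == 0:                        # SSID element: 0 to 32 octets, unencrypted
            if length > 32:
                raise ValueError("SSID longer than 32 octets")
            info["ssid"] = body.decode("utf-8", errors="replace")
            info["empty_ssid"] = not any(body)
            break
        pos += 2 + length
    return info

if __name__ == "__main__":
    for name, protected in ((b"Office", False), (b"", True)):
        print(parse_beacon(build_beacon(name, protected)))
```

The Privacy bit only says that the network requires encryption; the SSID element itself is readable in either case, which is why the name should carry no sensitive information.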
8. Response to Marvin in 100 words. The SSID is different than the name that is assigned to a wireless router. For example, the administrator of a wireless network may set the name of the router, or base station, to "Office." This will be the name that users see when browsing available wireless networks, but the SSID is a different 32-character string that ensures the network's name is different from other nearby networks. This makes it easier for users to identify and connect to the appropriate network. Each packet sent over a wireless network includes the SSID, which ensures that the data being sent over the air arrives at the correct location. Without service set identifiers, sending and receiving data in a location with multiple wireless networks would be chaotic and unpredictable (Christensson, P. (2006). SSID Definition. Retrieved 2016, May 26, from http://techterms.com). From an IS professional's perspective, why is an SSID vulnerable? An SSID is vulnerable when it is not protected by a password or an assigned user name. An unprotected SSID is vulnerable because access controls such as a password are not being utilized. Furthermore, an open SSID can easily receive malware due to its open public access. Additionally, when an SSID is not assigned a user name such as Office, an employee may connect to the wrong router and download valuable information on a foreign network. Thus, passwords protect the SSID from unauthorized access and a user name ensures employees are connected to the correct network.