Cybersecurity Central | Refining the Human Connection | 501c3 Nonprofit

BLOG BY CC WEEKLY

Cybersecurity Central is excited to share Blog by CC.

Bookmark this page to discover what Team CC is learning in our #infosec journeys.


#cybersecuritycentral #diversityofthought #blogbycc

DEC 22, 2023

Wireless Security: Ditch the Dust, Go Modern!

by James Driscoll

December 22, 2023

Remember that creaky old swing set in your backyard? The one your parents told you was "safe" even though it looked like it might collapse any minute? Yeah, WEP encryption for your Wi-Fi is kind of like that. It's outdated, wobbly, and about as secure as a screen door on a submarine.

WEP was the first attempt at Wi-Fi security, but it's more like a historical artifact than a viable option. It's riddled with vulnerabilities, and cracking it is child's play with readily available software. Imagine leaving your front door wide open and expecting nobody to peek in – that's WEP for you.

But wait, there's TKIP! This "upgrade" isn't much better. It was meant as a temporary fix while they figured out something real, like a sturdy steel gate for your network. But just like that rickety swing set, TKIP has its own cracks, some known since its inception! It's time to retire this rusty relic and move on to something stronger.

So, what's the good stuff? Look no further than CCMP/AES. It's like a fortress compared to WEP and TKIP – imagine a vault with triple locks and laser beams. Even the most dedicated cyber-crooks would give up in frustration trying to crack this one. This is where your precious data should be living, not floating around in the open air like a forgotten kite.

But even Fort Knox has its chinks in the armor. Even with strong encryption, your passwords can be the weak link. Think of them as the keys to your digital kingdom. Using weak, predictable passwords like "password123" is like leaving the spare key under the doormat. Instead, go for something long, strong, and unique – a passphrase fit for a king (or queen) of the internet. Think 20 characters with a mix of letters, numbers, and even symbols. Make it something only you could come up with.

And now for the good news: WPA3, the latest and greatest in Wi-Fi security, takes things even further. It's like adding an alarm system and security cameras to your already-fortified castle. Even if someone finds a stray key, they'll be caught red-handed before they can do any damage.

So, ditch the dust-covered WEP and rusty TKIP. Upgrade to CCMP/AES and lock down your passwords with a passphrase fit for royalty. And if you're looking for the ultimate peace of mind, welcome WPA3 with open arms (just make sure they're protected by strong authentication!). Remember, your internet security is your responsibility, so choose wisely and stay safe out there in the digital jungle!
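As an added example (not part of the original post), here is a small Python audit of wpa_supplicant-style network blocks that flags the three things the post warns about: WEP, TKIP, and short or predictable passphrases. The sample configuration is constructed, and the checks assume the standard wpa_supplicant.conf keys (ssid, key_mgmt, proto, pairwise, group, psk, wep_key0); the weak-passphrase list is a tiny illustrative stand-in for a real wordlist.

```python
"""Audit wpa_supplicant-style Wi-Fi network blocks for the weaknesses the
post describes: WEP, TKIP, and short or low-variety passphrases.
Added example; the config below is constructed, not a real deployment."""
import re
import string

# Constructed sample in wpa_supplicant.conf syntax (assumed keys: ssid,
# key_mgmt, proto, pairwise, group, psk, wep_key0, ieee80211w).
SAMPLE_CONFIG = """
network={
    ssid="OldSwingSet"
    key_mgmt=NONE
    wep_key0=ABCDEF0123
    wep_tx_keyidx=0
}
network={
    ssid="RustyGate"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    group=TKIP
    psk="password123"
}
network={
    ssid="Fortress"
    key_mgmt=SAE
    proto=RSN
    pairwise=CCMP
    group=CCMP
    psk="correct-Horse-battery-staple-9"
    ieee80211w=2
}
"""

# Tiny illustrative stand-in for a real list of commonly guessed passphrases.
WEAK_LIST = {"password", "password123", "12345678", "qwertyuiop"}

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(text):
    """Return a list of dicts, one per network={...} block, quotes stripped."""
    return [{k: v for k, _, v in KV_RE.findall(body)}
            for body in BLOCK_RE.findall(text)]


def passphrase_issues(psk):
    """Apply the post's advice: about 20 characters with letters, numbers and symbols."""
    issues = []
    if len(psk) < 20:
        issues.append(f"passphrase is {len(psk)} chars; aim for 20 or more")
    classes = [any(c.isalpha() for c in psk),
               any(c.isdigit() for c in psk),
               any(c in string.punctuation for c in psk)]
    if sum(classes) < 3:
        issues.append("passphrase lacks a mix of letters, numbers and symbols")
    if psk.lower() in WEAK_LIST:
        issues.append("passphrase is a commonly guessed value")
    return issues


def audit(net):
    """Return (rating, issues) for one parsed network block."""
    issues = []
    cipher = f"{net.get('pairwise', '')} {net.get('group', '')}"
    key_mgmt = net.get("key_mgmt", "")
    if any(k.startswith("wep_key") for k in net):
        issues.append("WEP is in use; it is broken and must be replaced")
    elif key_mgmt == "NONE":
        issues.append("open network: no encryption at all")
    if "TKIP" in cipher:
        issues.append("TKIP is in use; move to CCMP/AES")
    if "psk" in net:
        issues.extend(passphrase_issues(net["psk"]))
    if issues:
        rating = "FIX"
    elif "SAE" in key_mgmt:          # WPA3-Personal authentication
        rating = "WPA3"
    elif "CCMP" in cipher:
        rating = "WPA2-CCMP"
    else:
        rating = "UNKNOWN"
    return rating, issues


def audit_config(text):
    """Map each SSID in the config to its (rating, issues)."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, (rating, issues) in audit_config(SAMPLE_CONFIG).items():
        print(f"{ssid}: {rating}")
        for issue in issues:
            print(f"  - {issue}")
```

Run against the sample, the first two networks come back rated FIX (WEP, and TKIP plus a weak passphrase) while the SAE/CCMP network passes; the same parser can be pointed at a real wpa_supplicant.conf to inventory legacy settings before a migration.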

Connect with me on LinkedIn and let's continue the conversation: https://linkedin.com/in/jdriscoll-76 

NOV 29, 2023

IPv4 & IPv6 Internet Protocols

by James Driscoll

November 29, 2023

This week in my advanced networking class we are looking at the network layer of the IP model. This layer consists of IPv4 and IPv6, which are two different versions of the Internet Protocol (IP), the fundamental protocol that enables communication on the internet. IPv4 is the older version of the protocol, and it is currently used by most devices on the internet. However, IPv4 is running out of addresses, and IPv6 was developed to provide a much larger address space.

IPv4

IPv4 addresses are 32 bits long, which means that there are only about 4.3 billion possible IPv4 addresses. This number of addresses is not enough to accommodate the growing number of devices on the internet, such as smartphones, tablets, and IoT devices.

IPv4 addresses are written in dotted-decimal notation, which consists of four decimal numbers separated by periods. For example, the IPv4 address 192.168.1.1 is written in dotted-decimal notation.

IPv4 is a mature protocol, and it is well-supported by most devices and networks. However, IPv4 is also a complex protocol, and it can be difficult to manage.

IPv6

IPv6 addresses are 128 bits long, which means that there are 2^128 possible IPv6 addresses, a number so large that it is effectively inexhaustible. This vast address space is enough to accommodate the growing number of devices on the internet for many years to come.

IPv6 addresses are written in hexadecimal notation, which consists of eight groups of four hexadecimal digits separated by colons. For example, the IPv6 address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 is written in hexadecimal notation.

IPv6 is a newer protocol than IPv4, and it is not as well-supported by all devices and networks. However, IPv6 is a simpler protocol than IPv4, and it is easier to manage.
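To make the two notations concrete, here is an added Python example (not from the original post) that parses the post's own sample addresses with the standard-library ipaddress module and reports their size, integer value, and alternative spellings. The IPv4-mapped helper and the prefix-count helper go slightly beyond the post to show how the 32-bit and 128-bit spaces relate.

```python
"""Work through the two address formats from the post with Python's standard
ipaddress module: dotted-decimal IPv4 (32 bits) and colon-hex IPv6 (128 bits).
Added example; the sample addresses are the ones the post uses."""
import ipaddress


def describe(text):
    """Parse an address string and return its size and alternative spellings."""
    addr = ipaddress.ip_address(text)
    info = {
        "version": addr.version,
        "bits": addr.max_prefixlen,           # 32 for IPv4, 128 for IPv6
        "integer": int(addr),                 # the address as one number
        "packed_bytes": len(addr.packed),     # 4 or 16 bytes on the wire
        "address_space": 2 ** addr.max_prefixlen,
    }
    if addr.version == 4:
        # Dotted-decimal is just the four bytes printed in base 10.
        info["octets"] = list(addr.packed)
        info["binary"] = format(int(addr), "032b")
    else:
        # Eight 16-bit groups in hex; RFC 5952 drops leading zeros and
        # collapses one run of all-zero groups into "::".
        info["exploded"] = addr.exploded
        info["compressed"] = addr.compressed
        info["groups"] = addr.exploded.split(":")
    return info


def ipv4_mapped(v4_text):
    """Embed an IPv4 address in IPv6 form (::ffff:a.b.c.d), as dual-stack
    sockets do: 80 zero bits, 16 one bits, then the 32-bit IPv4 address."""
    v4 = ipaddress.IPv4Address(v4_text)
    return ipaddress.IPv6Address(bytes(10) + b"\xff\xff" + v4.packed)


def prefix_count(cidr):
    """Number of addresses in a CIDR block, for comparing the two spaces."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    for sample in ("192.168.1.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"):
        for key, value in describe(sample).items():
            print(f"{sample:>40}  {key:<14} {value}")
    print("IPv4-mapped:", ipv4_mapped("192.168.1.1"))
    # A single IPv6 /64 holds 2^64 addresses, far more than all of IPv4 (2^32).
    print("/64 vs all IPv4:", prefix_count("2001:db8::/64"), prefix_count("0.0.0.0/0"))
```

The compressed form of the post's IPv6 example is 2001:db8:85a3::8a2e:370:7334; when matching addresses in logs or firewall rules, always normalise to one form first, since the same host can appear under several textual spellings.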

Comparison of IPv4 and IPv6

Transition to IPv6

The transition to IPv6 is a gradual process, and it is taking place over many years. Most devices and networks now support both IPv4 and IPv6, and internet service providers (ISPs) are offering IPv6 addresses to their customers.

Here are some of the benefits of switching to IPv6:

Conclusion

IPv6 is the future of the internet, and it is important for businesses and organizations to start planning for the transition to IPv6. By switching to IPv6, businesses can ensure that their networks are future-proof and that they can take advantage of the benefits of the new protocol.

Connect with me on LinkedIn: https://linkedin.com/in/jdriscoll-76 

References

NOV 15, 2023

The History of Computer Networking

by James Driscoll

November 16, 2023

Ah, it’s the start of another new term in my quest for a master’s degree in cybersecurity and the next class on my list for the next five weeks is Advanced Networking.  However, before we talk about advanced networking, let’s go back to the basics to have a solid foundation to build upon. This week is a history lesson in computer networking.

The Development of Packet Switching 1961-1972:

In the early 1960s, three research groups independently invented packet switching as an alternative to circuit switching for computer networks. Packet switching is more efficient and robust for bursty traffic, such as that generated by users of timeshared computers.

The first packet-switched computer network, the ARPANet, was built in the United States in the late 1960s. By 1972, ARPANet had grown to 15 nodes and had been given its first public demonstration. The first host-to-host protocol, the network-control protocol (NCP), was also completed in 1972, enabling the development of applications such as e-mail.

The Internet today is a direct descendant of the ARPANet. It is a packet-switched network that uses the Internet Protocol (IP) to route packets between devices. IP is a simple but effective protocol that has allowed the Internet to grow and evolve over the years.

Proprietary Networks and Internetworking 1972-1982:

The initial ARPAnet was a closed network, but in the early to mid-1970s, additional packet-switching networks came into being, such as ALOHANet, Telenet, Cyclades, and Tymnet.  Pioneering work on interconnecting networks (under the sponsorship of DARPA) was done by Vinton Cerf and Robert Kahn, who coined the term internetting.  The early versions of TCP combined reliable in-sequence delivery of data with forwarding functions. Later, forwarding functions were separated out of TCP and the UDP protocol was developed, resulting in the three key Internet protocols that we see today: TCP, UDP, and IP.  In addition to the DARPA Internet-related research, many other important networking activities were underway, such as the development of the ALOHA and Ethernet protocols.

A Proliferation of Networks 1980-1990:

By the end of the 1970s, the ARPAnet had approximately 200 hosts connected to it.  In the 1980s, the number of hosts connected to the public Internet grew tremendously, reaching 100,000 by the end of the decade.  Much of this growth was due to the creation of new computer networks linking universities together, such as BITNET, CSNET, and NSFNET.  In the ARPAnet community, many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS.  In the early 1980s, France launched the Minitel project, a successful attempt to bring data networking into everyone's home.

The 1980s was a time of tremendous growth for the Internet.  New computer networks were created linking universities together, such as BITNET, CSNET, and NSFNET.  Many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS.  France launched the Minitel project, a successful attempt to bring data networking into everyone's home.

The Internet Explosion 1990s:

In the 1990s, the Internet evolved and commercialized. ARPAnet ceased to exist, NSFNET lifted its restrictions on commercial use, and NSFNET was decommissioned.  The World Wide Web was invented at CERN by Tim Berners-Lee and brought the Internet to millions of people.  The Web enabled many new applications, including search, e-commerce, and social networks.  The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing.

The 1990s was a time of rapid growth and innovation for the Internet.  The World Wide Web made the Internet accessible to a wider audience and enabled new applications.  The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing.  The Internet stock market bubble burst in 2000-2001, but several companies emerged as big winners in the Internet space.

The New Millennium:

In the first two decades of the 21st century, the Internet has transformed society more than any other technology, along with Internet-connected smartphones. Innovation in computer networking continues at a rapid pace, with advances in all areas, including faster routers and higher transmission speeds in both access networks and backbones.

Some of the most notable developments of this period include:

This completes today's history lesson on an overview of Computer Networking! See you again soon. Connect with me on LinkedIn: https://linkedin.com/in/jdriscoll-76 

References

NOV 1, 2023

Need to Know: Lessons Learned

by Shaun Washington

November 1, 2023

My time has been fully consumed with the transition from day shift to night shift as a SOC Analyst, balancing time with the family, starting the CWCT program, attending the CySA+ study group, and assisting with the Young Mogul Development Group. I have been contemplating what it is I could talk about that isn’t going to make me sound like a broken record: Network, Study…. Rinse and repeat…. So I think that I will just touch on the things that anyone interested in becoming a Cybersecurity professional needs to know, based on my experience on my #CyberGrowthAndLearningGrind journey.

You need to know your limitations or your weaknesses. Focusing on your strengths is good and feels good, but we all need to become comfortable with being uncomfortable. I have learned and am still in the process of learning that I don’t and can’t know it all. The world of Cybersecurity is vast and is growing constantly; we can try our best to stay up to date on the newest exploits and latest technologies, but that shouldn’t be our only focus. For myself I know what my capabilities are, and I know where I struggle, so to be successful I try to stay away from my weaknesses and lean on my strengths. That isn’t always a possibility, so as uncomfortable as it may be, I also must try to lessen or mitigate any weak areas that I encounter. There are topics of Cyber that I have an affinity for and lean towards, which I have seen in myself through the learning process of trial and error and exposure to varying topics. During my Sec+ studies, encryption was the hardest for me to absorb. I understand the need for it and its usefulness, but trying to remember the differences between algorithms and how many bits and bytes are associated with them was not my “cup of tea.” I acknowledged that encryption wasn’t something that I had an interest in pursuing, but I made sure to focus on it when I was studying. Fast forward to CySA+ and I am now seeing that the SDLC (Software Development Life Cycle) is the newest hurdle that I need to attack.

The next thing you need to know is what your goals are. Starting out, my only goal was to be in cybersecurity and everything was focused on “breaking into cybersecurity.” I have reached the top of that hill and now face the mountain before me of finding my niche and developing my career in cybersecurity. I have written before about being introduced to DFIR (Digital Forensics Incident Response) through my degree in Cyber Crime Technology, and now that I have my “foot in the door” I am working on making it to the next level or floor. I didn’t always know that this would be where I wanted to focus, but through exposing myself to different topics I find that this area holds my interest the most. It isn’t always about what is the hottest topic but what brings you fulfillment. Ethical Hacking / Pentesting is “sexy” and has its place, but for me, I am reminded of how, when we were children, we were always asked what we wanted to be when we grew up; this was usually met with the stereotypical answers of Fireman, Policeman, Doctor, whatever it was that you were being exposed to. Having the base knowledge of a hacker is more important in my pursuits than the actual pursuit of being a hacker. The foundational knowledge will serve me in my pursuits in digital forensics and any certifications aligned with it (I’m coming for you, CHFI and SANS certs).

The last thing I believe you need to know is sometimes the hardest to come to grips with: getting help. We all want to be self-sufficient and dependent on only ourselves, but there is a need for help and we have to become comfortable asking for and receiving it. I have always been one to help others, but it isn’t the easiest task for me to ask for help when I need it. We all need to learn from not only our experiences but the accumulated experiences of those around us. Learning to lean on the strengths of others not only makes us strong but in turn can strengthen those in our spheres of influence. I have seen myself as a role model for youth through the experiences of adopting/fostering kids with my mom growing up due to my desire for family, and working with kids starting with babysitting and then transitioning to working with different organizations like the Boys & Girls Club. It has always been easier to do the helping, be the example, be a beacon or guiding light, but being vulnerable enough to be on the opposite end of those ideas is something I continually struggle with. There are plenty of opportunities that are available to you if only you would ask. If I hadn’t become a part of the Simply Cyber and Cybersecurity Central communities I would still be struggling to meet my goals or to even set new ones. Opening myself up to the possibility of rejection personally and professionally has afforded me the current position that I am in… Over 400 applications (and rejections), unanswered connection requests, and mountains of uncertainty were only overcome due to the opportunities that came through the network I was building and continue to nurture.

In summary, we need to:

Embrace the process, pain, and rejection, as well as the accomplishments, milestones, and successes. All these together will make you a more complete person and cybersecurity professional. As always, I want to continue to encourage everyone to continue seeking growth and improvement in whatever they desire. I am still striving for that 1% improvement every day, so if you need inspiration, advice, or a sounding board to bounce ideas off, start the conversation on LinkedIn (https://www.linkedin.com/in/shaun-washington-8a428240) or Discord (cybershinigami81).

OCT 25, 2023

Compliance Standards

by James Driscoll

October 25, 2023

For week 4 of my Cloud Security course, we learned about privacy and security laws.  This is a bit of a review as these were part of the CompTIA CySA+ exam I took back in February.  So, I thought it would be a good idea to create a blog to briefly discuss each one. 

The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; the Family Educational Rights and Privacy Act (FERPA); and finally, the European Union General Data Protection Regulation (EU GDPR). We will review these six frameworks below:

1. HIPAA (Health Insurance Portability and Accountability Act): HIPAA became law back in 1996 and was designed to allow employees changing jobs to take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

2. PCI DSS (Payment Card Industry Data Security Standard): The interesting aspect of this standard is that, unlike all the others, it is not a law but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

3. GLBA (Gramm-Leach-Bliley Act): This standard is applicable to the banking industry. The basic premise is that all financial institutions have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

4. SOX Act (Sarbanes-Oxley Act): This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors. It is named for the two members of Congress who sponsored it, Senator Paul S. Sarbanes and Representative Michael G. Oxley (Kenton, 2022).

5. FERPA (Family Educational Rights and Privacy Act): This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose: 1) it returns control of educational records to the parents or to adult students, and 2) it requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).

6. EU GDPR (European Union General Data Protection Regulation): The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It does this by replacing the data protection directive (Directive 95/46/EC) of 1995. The regulation has been in effect since May 25, 2018 (Chapple & Seidl, 2022).

References

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

OCT 11, 2023

Emerging Tech in Cloud Computing

by James Driscoll

October 11, 2023

This past week I started my third term in my quest for a master’s degree at ECPI. In the next five weeks I will be learning about cloud security. For the reading last week, I read about how blockchain technology can be used in cloud security. This is interesting as I had only heard about it in terms of cryptocurrency. So, I decided to do some more research, and this is what I found.

Blockchain technology is a distributed ledger technology that can be used to improve cloud security in several ways:

Below are some specific ways that blockchain technology can be used to improve cloud security:

Some examples of blockchain-based cloud security solutions include:

Below are some additional thoughts on the use of blockchain technology in cloud security:

Overall, blockchain technology has the potential to significantly improve cloud security. As blockchain-based security solutions continue to develop and mature, we can expect to see them adopted by more and more organizations (Gupta, Siddiqui, Alam, & Shuaib, 2019).

References

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

OCT 4, 2023

Cyber Threat Hunting

by Shaun Washington

October 4, 2023

As you all know by now, my hunger to learn and immerse myself in all things cybersecurity has been a long and arduous journey. Multitasking between my Application Support duties and trying to learn and absorb as much in the security realm as possible was nigh impossible. So with my new position as a SOC Analyst, I am no longer having to split my time and attention; everything that I am, have been, and continue doing is all working towards making me a more well-rounded cybersecurity professional. I still don’t know what my final form will be, but I will keep going down the rabbit hole and see where I come out.

One initiative that I am working on is becoming more familiar and comfortable with the idea of Threat Hunting. I had previously completed a Cyber Threat Intelligence course from arcX, and now as a part of work I was able to attend and fully focus on Cyber Threat Hunting, presented by Chris Benton from Active Countermeasures.

Let’s define Cyber Threat Hunting. It is the proactive process of searching for and identifying malicious activity within a network or system. It is a continuous process that involves using a variety of techniques to detect and respond to threats that may not be known or detected by traditional security solutions. Traditional security solutions are firewalls, SIEMs, Anti-Virus, etc. In this training, we were introduced to the AC-Hunter platform and shown its uses in threat hunting and how to go about changing the mindset that seems to be ingrained in security. If you attend the Simply Cyber Daily Threat Briefs or have conversations around GRC you have probably heard the phrase “Left and Right of Boom”, meaning before and after an incident, the Boom. Typically, the mindset of security is focused on taking some precautions and preventive steps to secure assets, but then that’s where it stops. Threat hunting takes the sensibilities of a Blue Teamer and marries them with the inquisitiveness of a Red Teamer. That means in order to protect something from harm you have to take an active stance and seek out what could/would do you (your data) harm.

Cyber threat hunting is important because it can help organizations to identify and respond to threats before they cause damage. It can also help organizations to improve their overall security posture by identifying vulnerabilities and weaknesses in their systems and networks. There are a variety of different cyber threat hunting techniques that can be used. Some common techniques include:

Here are some examples of cyber threats that cyber threat hunting can help to detect: 

I’m going to give you a summary of what the AC-Hunter platform is and what it can do. The training is very much worth your time, so I will not be giving away too much of the information from within it, but if you are interested in finding out more, here is the link to find/sign up for the next training on December 1st, 2023: https://www.activecountermeasures.com/hunt-training/.

AC-Hunter is a network threat hunting platform from Active Countermeasures. It is designed to help organizations identify and respond to threats that may not be detected by traditional security solutions. AC-Hunter works by continuously analyzing network traffic to identify patterns and anomalies that may be indicative of malicious activity.

AC-Hunter uses a variety of techniques to detect threats, including:

AC-Hunter is a powerful tool that can help organizations to improve their security posture and reduce the risk of cyber-attacks. It is easy to use and can be deployed on a variety of platforms, including on-premises, cloud, and hybrid environments. The team at AC has put in a lot of work to make this product pretty easy to use and remove some of the initial barriers of threat hunting. I will say that through the training I did learn something in Linux that I hadn’t known about before: I didn’t know you could highlight results while using the less command to make searching through results easier. Also, I knew that you could “pipe” the results of commands to each other but hadn’t done so with more than 2 commands, e.g. <command> | <command> | <command>.
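Added example, not from the post and not Active Countermeasures' code: a minimal beacon hunt in Python over a constructed connection log, to make the "patterns and anomalies in network traffic" idea concrete. It assumes a simple space-separated log format (epoch seconds, source, destination, port, bytes) and scores each source/destination pair by how regular its connection intervals are, which is one of the classic signs hunters look for.

```python
"""Beacon hunting over a constructed connection log. A host that contacts
the same destination at near-constant intervals is worth a closer look.
Added example; the log lines below are constructed, not captured traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "epoch_seconds src dst dst_port bytes".
# 10.0.0.5 calls 203.0.113.9 exactly every 60 s; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.9 443 512
1700000060 10.0.0.5 203.0.113.9 443 512
1700000120 10.0.0.5 203.0.113.9 443 512
1700000180 10.0.0.5 203.0.113.9 443 512
1700000240 10.0.0.5 203.0.113.9 443 512
1700000300 10.0.0.5 203.0.113.9 443 512
1700000013 10.0.0.7 198.51.100.20 443 30201
1700000101 10.0.0.7 198.51.100.20 443 12004
1700000410 10.0.0.7 198.51.100.20 443 99
1700000702 10.0.0.7 198.51.100.20 443 81123
1700000900 10.0.0.7 203.0.113.44 80 4096
"""


def parse_log(text):
    """Group the log into (src, dst, port) -> sorted list of timestamps."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _size = line.split()
        conns[(src, dst, int(port))].append(int(ts))
    for key in conns:
        conns[key].sort()
    return dict(conns)


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections.
    0.0 means perfectly regular timing; human-driven traffic is bursty and
    scores high. Returns None when there are too few gaps to judge."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def hunt_beacons(text, min_connections=5, max_cv=0.2):
    """Return candidate beacons: pairs with enough connections and
    near-constant spacing. Thresholds are illustrative starting points."""
    findings = []
    for (src, dst, port), ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(ts),
                             "interval_s": round(mean(gaps)),
                             "jitter_cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in hunt_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']}  "
              f"{hit['connections']} conns every ~{hit['interval_s']}s "
              f"(jitter cv {hit['jitter_cv']})")
```

Regular timing is also produced by legitimate software (update checks, monitoring agents, NTP), so a hit here is a lead to triage against asset inventory and destination reputation, not a verdict; the same structure extends naturally to Zeek conn.log or firewall exports by changing only parse_log.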


If you are interested in checking out the VMs, labs, or previous training recordings, visit https://www.activecountermeasures.com/hunt-training, and build up your threat hunting skills with the Malware of the Day blog (https://www.activecountermeasures.com/?s=malware+of+the+day). I know that I will be taking on that challenge.

As always, I want to continue to encourage everyone to continue seeking growth and improvement in whatever they desire. I am still striving for that 1% improvement everyday so if you need inspiration, advice, or a sounding board to bounce ideas off, start the conversation on LinkedIn (https://www.linkedin.com/in/shaun-washington-8a428240/) or Discord (cybershinigami81) 

SEP 28, 2023

Audit First Methodology

by James Driscoll

September 28, 2023

This week in my Security Architecture and Design course we discussed a concept called an Audit First Methodology.

The Audit First methodology is a risk-based approach to auditing that focuses on identifying and assessing risks early in the audit process. This allows auditors to focus their resources on the areas of highest risk and to develop a more tailored audit approach.  It is implemented via the following steps:


There are numerous benefits to utilizing this methodology, including:


The only challenge that I anticipate in using the Audit First Methodology is the reluctance to focus more on the other controls versus the preventive controls. As stated in the textbook, organizations typically put more stock in preventive controls (Donaldson, Siegel, Williams, & Aslam, 2015). The way around this challenge is to explain the benefits of following the Audit First Methodology while emphasizing the downside of focusing on the preventive controls in a language that the business side of the organization can understand. Typically, this is done by translating the cybersecurity jargon into business jargon.

References


Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

SEP 20, 2023

Maintaining My Hunger: Putting Things in Order

by Shaun Washington

September 20, 2023

My first full month is now in the books as a SOC Analyst and I am starting to establish my routine which includes:

As the date for registration for my CWCT classes approaches swiftly, I am now tasked with maintaining my motivation/hunger. With all the things I need and want to do starting to pile up, I need to manage my time better and also cut back where necessary.

With my work schedule getting ready to rotate into 3rd shifts and classes beginning soon after, I have to maintain a productive mindset so as not to burn myself out, lessen my desire, and also keep myself accountable. I will be using my “downtime” during my waking and working hours to read/study and complete assignments. This is a balancing act that I have had to do before when I was going to school full time, working full time plus overtime, and trying to be there with my family.

It is also imperative that I start/restart an exercise regimen. My job covers the cost of a gym membership, but knowing myself and how I’ve become more and more sedentary, I don’t see that as the best option for me to start out with. I think since I still have my Beachbody workouts P90X and T25, that will be the start to my physical health journey. I truly miss having a team to work out with to keep me motivated and push me during my workouts, but I will have to find alternative ways to keep myself moving toward my health goals without a gym buddy. Also, choosing the best time to do the workouts will need to be considered.

I am still working on my 2nd brain, or Obsidian Vault, and I want to focus on more of my CySA+ related notes as well as notes for the upcoming classes I will be taking based on digital forensics. My plan is to finish my first play-through of the Certify Breakfast playlist and on the second go-round start incorporating the information in the videos into my Obsidian Vault to help with my preparation and absorption of the materials.

I have noticed that I haven’t been posting to my LinkedIn as much due to my shifting focus. I have the career that I set out on this #CyberGrowthAndLearningGrind and now I need to maintain and expand on what I have started to build.

The TLDR is that I will continue to network and make posts (I probably need to just go ahead and schedule some posts ahead of time). That part of my grind is going to be put on the back burner while I am cooking up the main meal of gaining more cybersecurity knowledge, making meaningful connections, and contributing where I can in my sphere of influence.

Lastly, I want to continue to encourage everyone to continue seeking growth and improvement in whatever they desire. I am still striving for that 1% improvement everyday so if you need inspiration, advice, or a sounding board to bounce ideas off of start the conversation on LinkedIn https://www.linkedin.com/in/shaun-washington-8a428240 or Discord @cybershinigami81.

SEP 13, 2023

Enterprise Security Architecture

by James Driscoll

September 13, 2023

This week for Blog by CC Weekly, I am continuing with sharing my master’s degree cybersecurity course assignments with you. The class this term is Security Architecture and Design.  First, this blog will discuss some of the challenges and benefits of implementing an enterprise security architecture. Second, we will look at how organizations can overcome some of those challenges.  Third, it will analyze the importance of logical and physical security.  Finally, I give my thoughts and opinions on which are more important. Discover more below:

Challenges and benefits to implementing an enterprise security architecture:

Challenges:

Benefits:

The Importance of logical and physical security:

References

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

SEP 6, 2023

Target Acquired

by Shaun Washington

September 6, 2023

Almost a full month into my new Cybersecurity role as a SOC Analyst, and I feel it’s time to do some slight refocusing and reaffirming of what it is that I am working towards. Previously, the #CyberGrowthAndLearningGrind was 110% focused on gaining the requisite knowledge, experience, certifications, and networking to “break” into cybersecurity. Now that I have arrived, what is my new overall goal? Come along with me and check out what’s cooking….

First, let me give an update on my current study and training regimen/routine:

 

That list is constantly shifting, and I am working on maintaining my consistency in hitting all of them either daily or weekly. I know that I will be using THM a lot more since adding my premium subscription and supplementing my downtime with exposure to information and tools from rooms such as the RedLine and Phishing Email analysis rooms.

Second, I want to bring my “calendar” up to date:

All Things Open 2023, October 15th-17th (hoping to be able to attend): https://2023.allthingsopen.org.

Last, but definitely not least, volunteering and making myself available to others. Time is always at a premium, but I have made some wonderful connections through my journey and desire to give back as much as possible. What this will look like is unclear at this moment, but I do know that I will be making every effort to:


That sums up the work side of life, and even with this on my plate I will be available to my Friends and Family (Lord Willin and the creek don’t rise). Keep the conversation going by sending me a message and/or sharing your #CyberGrowthAndLearningGrind journey with your network; just make improvements every day, even if it’s only by 1.

AUG 30, 2023

Technological Convergence

by James Driscoll

August 30, 2023

For the last week of my Ethical and Human Aspects in Cybersecurity class, we talked about technological convergence. So, what is it? Technological convergence is the process by which different technologies merge and evolve into new forms that can fulfill multiple functions. This means that devices and applications that were once separate and distinct are now becoming more integrated and interconnected (McGuigan, 2023). The smartphone is a prime example of technological convergence. It combines the functions of a phone, a computer, a camera, a music player, and more into a single device. This makes it more convenient for users to access all their favorite content and services from one place.

There are numerous potential social and ethical concerns that can arise due to technological convergence.  They include:

 

Technological convergence can jeopardize a company's code of conduct in several ways, including:

It is important for companies to be aware of the potential ethical and legal implications of technological convergence and to take steps to mitigate these risks. This includes updating their codes of conduct to reflect the challenges posed by new technologies.

Here are some specific things that companies can do to mitigate the risks of technological convergence:

By taking these steps, companies can help to mitigate the risks of technological convergence and protect their employees, customers, and data (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).

References

AUG 23, 2023

New Frontier, Same Training Grind

by Shaun Washington

August 23, 2023

My first week of being in my new role as a SOC Analyst is officially in the books! What are my takeaways and areas I want to improve upon for the upcoming week? Let's start with the takeaways I am able to share with the community. There are a number of tools that are used within cybersecurity roles that are available to learn on or about. The broad picture is that as a SOC Analyst you need to familiarize yourself with:


First, SIEM, which stands for Security Information and Event Management, can be used to aggregate logs from various endpoints and systems. This gives you a macro view or "big picture" of the cybersecurity threat landscape. SIEMs are customizable and can be tailored to the needs of your business. There are several tools with varying features to select from; here is a list of some on the market:

Second, XQL, where the “X” can be filled in by any specific query language. The query languages are all used to work in databases. The majority of the syntax in the QLs is the same as SQL (Structured Query Language) but is further built upon to suit the needs of the database, so that could mean read and write capabilities or just read capabilities (SQL vs KQL). Each of the security platforms has its own flavor of QL; learn the fundamentals of how to build your query and just remember that white papers and Google are your friend.

Third, EDR (Endpoint Detection and Response) is used to detect anomalous behavior and can also include antivirus and ransomware solutions. There are a plethora of options from various vendors, but finding the right one for you is going to depend on your “stack” or compilation of security devices, or the offerings of the platform. Security in depth is a key concept to consider in building your infrastructure, but here are a few of the EDR options:

Fourth, I will combine the last three bullet points from my introduction into my #CyberGrowthAndLearningGrind mentality and procedures: studying for my overall knowledge and learning the aspects of my new job. The basics or fundamentals are the best place to start in any endeavor you pursue. Knowing basic networking is a prerequisite for Security Operations, since it is all tied into the analysis of traffic, emails, and network appliances. During my CySA+ study group I was shown a program that I felt would help me organize, build a knowledge repository, and also teach me about markdown languages; it is called Obsidian. Since then I have been sharing this program with my colleagues and building my 2nd Brain to reference what I am taking notes of. I have also been shown and/or shared several browser plug-ins that can make my role easier:

Last but not least is staying up-to-date on the latest stories/vulnerabilities in the industry. You should all know by now about the wonders of the Cybersecurity Central and Simply Cyber communities; these are my favorite spaces to network, learn, and share with others. I know that there are numerous other places/groups/communities, and we can and do learn from one another, so start the conversation in the DMs, join the community in Discord, and get your fix for actionable intel with the Daily Cyber Threat Brief.

Come and make yourself better each day and pay it forward to those around you.

AUG 16, 2023

Cybersecurity in the Global Economy

by James Driscoll

August 16, 2023

Last week in my Ethics and Human Aspects of Cybersecurity class, the topic of cybersecurity in the global economy came up. Specifically, if it is possible. Below is more of my take on this topic.

In 2023, the concept of an individual country's economy no longer exists. Anything that affects one country’s economy affects the economies of other countries. We truly have a global economy. Now, when I talk about anything, I mean absolutely anything. It could be something as innocent as weather or something more malicious such as a cyber-attack. An example of a cyber-attack that has the potential to affect the global economy is the Stuxnet worm.

What is the Stuxnet Worm? This little piece of malware was created in 2010 with the purpose of attacking Industrial Control Systems (ICS) (Mueller & Yadegari, 2012). For anyone that does not know, an ICS is used in sectors such as “manufacturing, transportation, energy, and water treatment” (Industrial Control System, n.d.).

Now, since those sectors mentioned above are used all over the world, the potential impact on the global economy is going to be huge. Let us look at the energy sector as an example. Energy is not only needed, but changes in its supply also have an almost immediate effect on the global economy, and right now we get that energy from oil. Just a simple change in production output by Saudi Arabia can cause energy prices to fluctuate, which causes the prices of other products to fluctuate around the world.

What can be done against countries that either actively engage in cyberespionage or sponsor people that engage in it and launch cyber-attacks? Well, the main tactic that is used is financial sanctions. The theory is that limiting the amount of business that can be conducted, thus hitting them in the wallet so to speak, should deter someone from engaging in criminal activity. Based on events over the past three years, I am not a fan of it. Perhaps if it is done swiftly and comprehensively it may have the desired effect, but I am not so sure.

There is another tactic that can be used to deter cyber-attacks called “hacking back”, sometimes referred to as “active cyber defense.” However, these two terms are completely different. Techniques and tactics normally associated with active cyber defense include things like utilizing honeypots to study and gain information about cyber-attackers. It also includes scanning your network and looking through logs trying to find Indicators of Compromise (IoCs).

Hacking back is just as it sounds. A victim of a cyber-attack, attacking the attacker. This is not recommended as it is illegal under 18 U.S. Code Section 1030 Fraud and Related Activity in Connection with computers. This is also known as the Computer Fraud and Abuse Act (CFAA) (18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers, n.d.).

The Russian invasion of Ukraine has brought up an interesting dilemma. That dilemma is whether it is acceptable for countries engaged in a conventional war to also engage in cyberespionage. After reading the ACM Code of Ethics, the answer to that is a resounding no. The reason for that is that section 1, point 1.2, stipulates that practitioners should avoid causing harm (ACM Code of Ethics Booklet, 2018).

Finally, there is the question of cybersecurity being possible in a global economy. According to ISACA there are eight requirements that every country would need to adopt for cybersecurity. They include: 1) adopt a security by design model, 2) teach cybersecurity awareness to everyone, 3) follow applicable cyber laws, 4) participate in international cooperation, 5) establish and maintain an acceptable level of cybersecurity practitioners, 6) create strong deterrence mechanisms, 7) follow NIST frameworks, and 8) emphasize internet freedom (Ramachandran, 2019). Until these eight requirements are completed, true cybersecurity cannot be achieved in a global economy. The best we can hope for is cyber resiliency.

References

AUG 9, 2023

Mental Recalibration

by Shaun Washington

August 9, 2023

Where to begin? This is my first time ever having time off when moving between jobs, and this time has afforded me some insight and an opportunity to do some mental recalibration. How do I identify or define this concept?


I first need to establish a baseline reading, as I have shared before in previous posts and blogs. My journey before IT and Cybersecurity was one fraught with long hours, no true stable shift, and a constant stream of stressors piling up. I never considered myself a workaholic, but looking back I can definitely see that I was leaning more towards that side of the spectrum. I have experienced a hard time separating that side of life from my growing family and the subsequent duties associated with it. I never “take a vacation,” especially without something planned and an obligation to show up and/or participate. This was made evident whenever I switched jobs. I would always lose “Sick Time,” and not just a little bit, months of it.

My time at the JDC began to accrue so fast that I couldn’t take enough time off (at least I thought I couldn’t) to not end up over the max vacation hours at the end of the year, which would then roll over into Sick Time. Rinse and repeat that for 12 years with compounding interest. I wish I could save money the way I saved PTO... Anyway, the major factor in me going back to school pursuing IT and Cybersecurity was my work/life balance, or lack thereof. I missed way too many holidays, weekend trips, family functions, you name it, all due to my mindset on work and being a good employee. My track record as an employee was impeccable, but my record as a family man was suffering to say the least.


Fast forward to my transition to multiple firsts:

The toll that was being exacted on my physical and mental health couldn’t truly be quantified, without me being introspective (never really had time to do that) and finding new ways to be accountable for my wellbeing.  I know how to keep my eye on the prize and power through to my goals, but it has been a long time since I have achieved a big milestone and had the opportunity to reflect and refocus. So to make myself accountable to the others on this #cybergrowthandlearninggrind I will lay it all out before you:



In closing, don’t take your life for granted, work is necessary but it isn’t the only thing that matters. I missed out on so many events and times to make memories that I have a huge amount of regret or FOWIHM (Fear Of What I Have Missed). I can’t let myself do that again, this doesn’t mean that I will be any less of a committed employee, I will just make sure to use all of what is provided to me to make sure that my family thrives as much as my career. I look forward to family trips and vacations, also to conventions and conferences. If any of you are in the same boat as me, please let me know how you made the change or how you plan to change. 


Connect with me on LinkedIn: https://www.linkedin.com/in/shaun-washington-8a428240 

AUG 2, 2023

Ethics

by James Driscoll

August 2, 2023

As I continue my journey of achieving my master’s degree in Cybersecurity at ECPI, I am now learning about ethics and the human aspects in cybersecurity. The topic of ethics comes up quite a bit in the cybersecurity industry. So, what exactly is ethics? According to the Merriam-Webster dictionary, ethics is a “set of moral principles” (Ethics, n.d.). Basically, this is what guides our behavior as human beings. Every industry has its own code of ethics that guides the behavior of that industry’s practitioners. Two that are important to cybersecurity are the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers Computer Society (IEEE-CS).


I will be looking at the ACM Code of Ethics in this blog. This is a guideline that encourages practitioners to act in an honest and responsible manner. It basically forms a foundation on how to act in pretty much any situation. The reason for that is the type of information that our organizations handle, which could be argued is more valuable than money.


Now, the ACM Code of Ethics is broken down into four categories. They are as follows:

1) General Ethical Principles, 2) Professional Responsibilities, 3) Professional Leadership Principles, 4) Compliance with the Code (ACM Code of Ethics and Professional Conduct, n.d.).


General Ethical Principles. This section is split up into seven subsections. Each subsection emphasizes a different trait that practitioners should strive to live up to both personally and professionally. A few of the subsections include 1) be a productive member of society, 2) avoid creating harm, 3) be honest and trustworthy, and so on (ACM Code of Ethics and Professional Conduct, n.d.).


Professional Responsibilities. This section is split up into nine subsections. Each of these subsections emphasizes a different trait that practitioners should strive to live up to on a professional level. A few of the subsections include 1) produce high quality work, 2) maintain high standards of professional competence, conduct, and ethical practice, 3) know and respect existing rules pertaining to professional work, and so on (ACM Code of Ethics and Professional Conduct, n.d.).


Professional Leadership Principles. This section is split up into seven subsections. Each of these subsections emphasizes a different trait that leaders should strive to live up to on a professional level. A few of the subsections include 1) put the public good first and foremost, 2) encourage fulfillment of social responsibilities by employees, 3) manage personnel and resources to enhance the quality of working life, and so on (ACM Code of Ethics and Professional Conduct, n.d.).


Compliance with the Code. There are only two subsections here. These subsections emphasize the importance of the Code of Ethics. The first subsection encourages practitioners to uphold, promote, and respect the principles of the code. The second subsection encourages practitioners to treat violations of the code as inconsistent with membership in the ACM (ACM Code of Ethics and Professional Conduct, n.d.).

References

JUL 26, 2023

Celebrating Wins

by Shaun Washington

July 26, 2023

This is a cathartic moment for me as I announce that the long journey to breaking into Cybersecurity has finally come to an end. I officially have accepted a job offer to be a SOC Analyst for One Source Communications. I just want to give them a shout out for taking the chance on me and also giving me the opportunity to start my cybersecurity career and continue blogging for Team CC and potentially them as well. This is a momentous occasion and I appreciate all the support I have received from the community.

My #CyberGrowthAndLearningGrind is still in full effect; the job is secured, but the hunt and pursuit of knowledge will never stop. I will take the time and savor this win, as there is a huge weight lifted from my shoulders; however, this is just the beginning of my cyber story. My goals are constantly being updated:

· Upon receiving my voucher I will set my exam date for the CySA+ exam

· Get CySA+ certified before the end of the year

· Start the CWCT Program in October

· Prepare for the CHFI

I’ve been participating in study groups and mentorship meetings with other members of the Simply Cyber community, and I am making a concerted effort to invite and introduce others to the people and resources that helped me get to where I am currently. The next win to celebrate will be when I can help the next person take their first or next steps in the industry.

Come join me and the community as we keep learning and growing together.

Connect with me on LinkedIn: https://www.linkedin.com/in/shaun-washington-8a428240 

JUL 12, 2023

Checking My Loadout

by Shaun Washington

July 12, 2023

It is time for a little videogame reference here. If you are familiar with FPS (First Person Shooters) or RPGs (Role Playing Games), you have probably heard the term/phrase “checking/changing my loadout.” As I am getting more experience with the interview process and the job market in general, I find this to be true IRL (In Real Life). Whether we are preparing for a quiz, test, interview, or a presentation, we need to take stock of what we are equipped with or carrying in our inventories; we will call it our “bag”. The hill that seems to be my biggest obstacle is specific knowledge based on... you guessed it, experience. I have always tried to make sure I am equipped to deal with most situations that I come across, whether that is dealing with personal matters, preparing for school, or preparing for interviews, but like many things in life, "Jack-of-all-trades but master of none" might only get us so far.

I have previously talked about my decision to “niche” down and focus on IAM currently, due to the crossover between that area of cybersecurity and my current work duties. I have been exposed to quite a few things due to my hunger for knowledge and volunteering, but without the practical on-the-job experience I felt as though I came up short when trying to get a System Administrator position. The final decision hasn’t been made yet, but after the research I did on Sys Admin interview questions turned out to be less successful than the research I had done on SOC Analyst questions, I saw and experienced the gap in my knowledge due to lack of exposure and opportunities. I truly hate not being prepared, but at the same time there was such a wide variety of topics covered that it would have been impossible to know what was going to be asked unless I had done a similar interview.

My only suggestion for myself and anyone who is reading this is to specialize, niche down, and focus on your specific areas. My CySA+ studies introduced me to Rumsfeld’s matrix of Knowns and Unknowns:

The Known Knowns are the cybersecurity principles I have been studying and the IAM and duties of my job; the Known Unknowns are the specifics of what hardware/software is in use and that I would be responsible for; the Unknown Knowns are the basic duties and processes of troubleshooting and maintaining a network; and lastly the Unknown Unknowns are the questions and topics that would be brought up during the interview/conversations. We cannot prepare for the Unknown Unknowns, but through proper “loadout” preparation I can make sure that the tools and skills I have can be used with the utmost effectiveness until new skills, experiences, and job duties are acquired and put into rotation.


It feels like a loss and a win at the same time, I will use this experience to make myself more prepared for whatever comes in the future. As always, let's continue the conversation on my LinkedIn and I will see you all on the #cybergrowthandlearninggrind.

JUL 5, 2023

Maintaining Transparency, Accountability, and Transferable Skills

by Shaun Washington

July 5, 2023

This has been a whirlwind of a past week or so and it all started from a setback that I shared about my “CAARRRLLL” moment getting scammed through Instacart. Just as a recap and not a downward spiral that I can sometimes find myself in:


I had quite a slump; I’m not completely out of the hole, but I’m not at the bottom of the pit of despair I was wallowing in. Again, I want to say thank you to all of those in my network that I have met through my participation with Simply Cyber and Cybersecurity Central. Without the constant encouragement I have been receiving in open conversations and DMs, I would not be able to continue on this path. I make the pledge to myself and anyone reading this that I will remain transparent in my interactions and conversations in my blog posts and my LinkedIn profile. I have been reminded that others draw strength from my experience and from my sharing of this experience in a public forum.

I am currently trying to make enough time to get in my posts while working, taking the CySA+ course, trying to find work full-time and/or part-time, and still being available to my family. I can say that the experience has made me cynical, or more cautious, in my interactions, and I passed on an opportunity for a part-time position that seemed just a little too good to be true after seeing the red flags (no interview, asking for account information before having any real interaction, and a slight hint of desperation to get me to fill out the Google Form with that information). I almost let my desperation for income set me further back, and I may never know if the position was truly legitimate, but I know that I can’t get ripped off if I don’t participate in the scam.

 

Last thing I want to talk about is the content that I see always being brought up in posts for people in my position who are trying to make the transition into a different field and don’t have “documented” experience. I would love to start a conversation about how to convey that on your resume, as I am still trying to figure this out myself. I know the skills that I can translate from my previous experience, but I don’t know how to bring this across without embellishment or creating metrics that I don’t have or know. I can explain/show my experience managing people and tough/difficult situations from dealing with parents, juveniles, and staff in crisis situations ranging from suicidal ideations/attempts to dealing with a riot. How do you quantify this and add it to a resume with the x, y, z format and also make it apply to cybersecurity/IT? Working in the justice system has made it evident that you can’t save everyone, you can only help those that want it, and you can only change things directly in your sphere of influence (especially with support from supervisors).

Let’s start the conversation so that this information can be shared to improve our community as a whole. Remember, try to improve every day, even if by just 1%, on your #cybergrowthandlearninggrind.

Connect with me on LinkedIn: https://www.linkedin.com/in/shaun-washington-8a428240 

The Fourth Amendment in the Digital Age

by James Driscoll

July 5, 2023

Living in America comes with numerous rights as laid out in the Constitution. One of those rights is covered by the Fourth Amendment and states “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (Constitution of the United States: Fourth Amendment, n.d.). This is basically our right to privacy. So, what do I suggest this means? The government is prohibited from searching us and taking our property without a good reason.

When the Constitution was written, the technology we have today did not exist. So, this begs the question as to how that technology impacts our right to privacy. Perhaps this is not the right question to be asking. Perhaps the question that we should be asking is: is there a way to adapt the Fourth Amendment so that the technology we have today is included in its protections? The reason I say that is because, as I said earlier, the technology we have today did not exist when the Fourth Amendment was written. Let’s look at what was around at that time. Specifically, houses, papers, and effects (property). That means the original meaning behind the Fourth Amendment is that the government cannot search a person’s house and take papers or property just because they want to (Brenner, 2005).

So, taking the original meaning into consideration, that would mean that the means of communication we have today (telephone, email, instant messaging, online communications, etc.) would all be fair game to be searched and taken by the government for any reason. That is because the Fourth Amendment is the basis for property law, and what is needed is additional legislation that covers the technology we have today. This is where legislation such as wiretapping laws comes into play. What this basically does is extend the Fourth Amendment protections to the technology we have today (Kerr, 2003).

Now, I am all in favor of the Fourth Amendment and any legislation that is associated with it and as such I do not believe the government has an obligation to monitor all internet traffic.

I need to mention the Patriot Act, which was enacted after the attack on 11 September 2001. The basic premise of the Patriot Act was to expand the government’s ability to conduct searches on U.S. citizens with little to no evidence to warrant it. The problem is that some sections reduce the protections of the Fourth Amendment while other sections outright violate it (Surveillance Under the USA/Patriot Act, 2001).

Here is the thing, everyone: I understand why the Patriot Act was pushed through. It was pushed through to prevent another terrorist attack. The problem with it is we have lost our right to privacy for something that does not work. Let me explain my personal observation and opinion further. I don’t know about anyone else, but I would consider all the mass shootings we have had just in 2023 alone to be terrorist attacks.

With all of these attacks, the people committing them posted plans online beforehand and the government knew nothing about it. It was not until after the attack that their online presence was investigated, and the evidence found. Why are we losing our Fourth Amendment right to privacy when we are no more protected than before?

References


JUN 28, 2023

IoT Devices and Mirai Botnet

by James Driscoll

June 28, 2023

No matter where we look, we are bound to see an IoT device. So, what exactly is an IoT device? Basically, an IoT device is a device that has sensors, processors, software, and network capability embedded in it. Some examples include smart home devices (smart thermostats and smart appliances), smart watches, and even self-driving vehicles and Industrial Control Systems (ICS) (Stair & Reynolds, 2020).


Now, while IoT devices were designed to make life easier, they are inherently vulnerable to attack. The reason lies in their design: they are built to be pulled out of the box and easily connected to a network with a default username and default password. That choice is made for ease of use, not security.


An example of just how vulnerable IoT devices are, and what a threat actor can accomplish with them, is the Mirai botnet attack. In late 2016 several high-profile targets were hit with a Distributed Denial-of-Service (DDoS) attack. The source of this attack was approximately 600,000 IoT devices that had been compromised and formed a botnet called Mirai. The botnet started in August of 2016 and ran until late February 2017, when the threat actor was identified and arrested. The malware used to compromise these devices rapidly scanned for potential targets and, once it found one, immediately started brute-forcing usernames and passwords over port 23 (telnet). Once compromised, the devices sat and waited for the threat actor to issue the commands to start the DDoS attack (Antonakakis, et al., 2017).


What is interesting about this incident is how the threat actor was identified and subsequently arrested. The successful attribution was due to analysis of data gathered through honeypots and DNS data. In addition to that, the original source code was published online by the threat actor. So, while this was helpful in leading to attribution, it also paved the way for other threat actors to create their own botnets and add to the ongoing incident (Antonakakis, et al., 2017). The fact that the Mirai botnet was shut down in five months speaks volumes about the amount of time and effort that went into fighting this attack.


So, the question that needs to be answered is how we prevent this type of attack in the future. The United States government takes securing IoT devices so seriously that they are included in the 2023 National Cybersecurity Strategy that was published in March 2023. The main strategy mentioned here is the use of labeling. It would be like the labels on food products but instead of providing the ingredients, these labels would provide what security controls an individual device is using. This would allow organizations and private citizens to easily compare multiple devices and choose the one that works best (Biden, 2023).


Also, the Cybersecurity and Infrastructure Security Agency (CISA) has some basic tips that everyone can follow: 1) change default login credentials (username and password); 2) keep devices patched and updated; 3) adjust the device's security settings, with the goal of having enough security while still maintaining usability; 4) decide whether the device needs a constant connection to the internet, and if it does, consider placing it on its own network segment (Securing the Internet of Things (IoT), 2021).
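As an added example (not code from the original post or from the Mirai analysis it cites), here is a small Python detector that reads telnet authentication log lines and flags the behaviour described above: a source that fails many logins within seconds across several devices, and any device that source then logged in to, which is the point where CISA's "change the default credentials" and "segment the device" advice should already have been applied. The log format, device names, addresses and thresholds are constructed assumptions for illustration.

```python
"""Detect Mirai-style telnet brute forcing in constructed device auth logs.

Added example, not code from the original post. The log format, device
names, addresses and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format (constructed for this example):
#   <ISO timestamp> <device> telnetd: <login|failed> user=<name> from=<ipv4>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) telnetd: (?P<result>login|failed) "
    r"user=(?P<user>\S+) from=(?P<src>(?:\d{1,3}\.){3}\d{1,3})$"
)

# Constructed sample: one source sweeps two devices with a handful of
# usernames within seconds and then gets in as root on dvr-02 (the pattern
# the post describes); a local admin mistypes once; a third host probes
# slowly enough to stay under the burst threshold.
SAMPLE_LOG = """\
2016-10-21T09:00:00 cam-01 telnetd: failed user=admin from=203.0.113.7
2016-10-21T09:00:02 cam-01 telnetd: failed user=root from=203.0.113.7
2016-10-21T09:00:03 dvr-02 telnetd: failed user=admin from=203.0.113.7
2016-10-21T09:00:05 dvr-02 telnetd: failed user=root from=203.0.113.7
2016-10-21T09:00:06 dvr-02 telnetd: failed user=support from=203.0.113.7
2016-10-21T09:00:08 dvr-02 telnetd: login user=root from=203.0.113.7
this line is deliberately malformed and must be skipped
2016-10-21T09:10:00 cam-01 telnetd: failed user=admin from=192.168.1.20
2016-10-21T09:10:30 cam-01 telnetd: login user=admin from=192.168.1.20
2016-10-21T09:20:00 cam-01 telnetd: failed user=admin from=198.51.100.9
2016-10-21T09:23:00 cam-01 telnetd: failed user=root from=198.51.100.9
2016-10-21T09:26:00 cam-01 telnetd: failed user=user from=198.51.100.9
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def max_failures_in_window(timestamps, window):
    """Largest number of failures falling inside any span of length `window`."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources that fail `threshold` logins within `window`, plus any
    device such a source afterwards logged in to successfully."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    brute_force = {}
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["result"] == "failed"]
        burst = max_failures_in_window(fails, window)
        if burst >= threshold:
            brute_force[src] = {
                "max_failures_in_window": burst,
                "devices": sorted({e["device"] for e in evs}),
                "users_tried": sorted(
                    {e["user"] for e in evs if e["result"] == "failed"}
                ),
            }

    # A successful login from a brute-forcing source is the "compromised and
    # waiting for commands" stage the post describes: isolate that device,
    # change its credentials and check its segment.
    likely_compromised = [
        (e["device"], e["user"], e["src"])
        for e in events
        if e["result"] == "login" and e["src"] in brute_force
    ]
    return {"brute_force_sources": brute_force,
            "likely_compromised": likely_compromised}


if __name__ == "__main__":
    findings = detect(SAMPLE_LOG)
    for src, info in findings["brute_force_sources"].items():
        print(f"brute force from {src}: {info}")
    for device, user, src in findings["likely_compromised"]:
        print(f"likely compromised: {device} (user {user}) from {src}")
```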

References


JUN 21, 2023

Am I Up For the Challenge of Mentorship?

by Shaun Washington

June 21, 2023

So, starting this week off was an opportunity for me to gain knowledge and a new certification upon completion with my acceptance of the GEER Scholarship, enrollment, and first day in the CompTIA CySA+ course being taught through Fayetteville Technical Community College. After finally getting access to my school email and eBooks, I participated in Alyson Van Stone’s Mentorship Monday group. Due to Monday being Juneteenth, and some other unforeseen circumstances, our numbers were quite cozy so just about everyone had a chance to speak, introduce themselves, and ask/answer questions. As part of the meeting there are several questions that are asked just so that participants can become familiar with each other and hopefully spark conversation. The question that I feel gives me the most problems is whether I am a mentor or mentee, depending on the moment I could be both, either, or none.


After making my post about starting class and updating my LinkedIn profile, there were the normal congratulatory messages, but then I had a few that were asking for my insight, opinion, and guidance. My imposter syndrome lizard brain automatically wanted to say, “you got the wrong guy…. I don’t know that much on {fill in the blank}” and you know the rest of the self-doubt conversation that is had by many. Then something made me stop typing and really think about what was happening and what I could and would be able to tell someone who reached out and saw me as a “mentor” or guide. I am usually introverted, but being on LinkedIn and writing my blogs for Cybersecurity Central have given me lots of practice not just being the stoic quiet type. I can’t even imagine that less than a year ago I would be having conversations with “strangers” about how the cybersecurity industry works, how to advance my knowledge, and a myriad of other conversations I have had.


What I did know was how to take advantage of teachable moments. Coming from my background in substance use education and many (many) years working in the Juvenile Detention Center helped me hone my skills in what I used to tell the “kids” were come-to-Jesus meetings, or just choppin’ it up. I found that once I took myself out of the position of being an “expert” or “authority,” I was able to have real and meaningful conversations with the juveniles, coworkers, or the occasional caregivers who would bring their young’uns to the door for me to scare straight.

I have heard from many other professionals on LinkedIn like @Henri Davis and @Kristi Kennebrew about transferable skills. I found myself preaching that gospel, while still on the path myself. Like everything else in life, perfection is not attainable, but we can constantly strive for it, so I gave my caveat that “I’m not where I want to be yet, but this is what has been taught to me” and then the conversation went from there. Being but a fledgling in cybersecurity, with no official title to call myself a “cybersecurity professional,” I gave the knowledge I did have and what I have learned from my experience so far. Does that make me a mentor? I feel that is debatable, but I know I am ahead of where some of my connections are, and I have to remind myself that even a mentee can and will be a mentor to someone else at any given moment. I will continue to do my best to show a path forward on my #CyberGrowthAndLearningGrind and will do my best to help someone the way that I would want someone to help me.


Keep striving for improvement; 1% better is enough. Don’t let yourself become stagnant in your victories or defeats. Feel free to shoot me a message on LinkedIn to continue the conversation or to start a new one.

The CIA Triad and the Election

by James Driscoll

June 21, 2023

Out of all three elements of the CIA triad, two are questioned after every election. They are integrity and availability. Now, out of those two, integrity gets the most publicity. So, why the disparity between these three elements? Well, integrity is the most important, as it is imperative that the American people perceive that the vote they cast has not been changed before it is counted (ELECTION INFRASTRUCTURE CYBER RISK ASSESSMENT, 2020). Now, availability comes in second because, while it is important for all eligible citizens to vote, when there is a problem (usually mechanical), there are options that can be used to ensure everyone can vote. Finally, confidentiality is last.


So, how did we get to this point? Well, we need to look back at the Help America Vote Act that was signed into law in 2002. While this law came from the federal government, it leaves the decision-making up to the individual states, as it only set minimum guidelines for what the states could do. Because of this, many states have decided not to update their voting equipment. Specifically, “as of 2016 43 states were using equipment that was 10 years old or older” (King & Michael, 2016).


Why mention that? Because the technology is always changing. First there were only paper ballots; now we can not only vote electronically, but also have our paper ballots scanned by a machine. Next on the horizon will be the ability to vote online.


Now, online voting, while convenient, only makes integrity more important, as with current technology it would be ripe for cyber-attacks and other fraud-related issues. One question that gets raised during every Presidential election is that of foreign interference. This would be more prevalent with online voting, as virtually anyone anywhere could initiate an attack that could affect both the availability and integrity of the election. Multiple studies on this subject have been conducted by numerous groups of computer experts, and the consensus is that a lot of work needs to be done to ensure the availability and integrity of the system before it is implemented (Von Spakovsky, 2015).

References


JUN 14, 2023

Taking Time

by Shaun Washington

June 14, 2023

As the days and weeks have been slipping by, I am reminded of how precious and fleeting time is. We all understand on the most basic of levels that time is: money, fast and slow moving, precious, in short supply when you need it, and overabundant when you need something expedited. I have gotten some not so subtle reminders in my life recently about usage of time and then fitting work and life into an allotted time slot.

 

I made the decision to work from home the beginning of this week due to a plethora of “life” happenings:


Having to balance my work schedule with also making sure that my kids aren’t at each other’s throats, not on a screen all day, and having to keep my supervisor updated on my “accomplishments” for the day have taken their toll on my mental state. Normally, I can get the drive home to decompress some or just let my thoughts drift away and not bring any stressors from work home, but removing that time was definitely felt the past few days.

I try to maintain positivity, but I also know my limits, and I wasn’t physically tired, but mentally I was “DONE” and the spiral of agitation, aggravation, and irritation was making its way into my interactions with the family. I haven’t been this close to this level of “anger” and frustration since I was a Supervisor at the Juvenile Detention Center, working overtime, still working as Youth Counselor Technician, giving up my holiday/vacation time, restraining juveniles on a near daily basis, all while putting on the face of strength for my coworkers and family. I had only been in a lower state once before, and that was dealing with my mother’s death and subsequent estate.


I say all of that to say this: we all need to learn to take time for ourselves on our #CyberGrowthAndLearningGrind. I found my energy reserves drained, and it was hard to focus on my daily enrichment and studies. I have an undertaking of the CompTIA CySA+ course and exam coming up shortly and need to remember that having moments of weakness is normal; what is not normal is ignoring our needs despite the signs and the writing on the wall.

We always have our responsibilities and obligations; just remember you can’t do for anyone if you are not able to do for yourself. Listen to some of your favorite jams, watch a TV show or movie, play a game, just do something that will allow you to recharge your battery before you burn yourself out completely. This is a never-ending battle and we all could use some support, so allow yourself the grace and time to get back to yourself.

JUN 7, 2023

Research and Documentation in Cybersecurity

by James Driscoll

June 7, 2023

Cybersecurity is a constantly evolving field, and it is important for organizations to stay up-to-date on the latest threats and trends. One way to do this is to conduct research and documentation.

Purpose of Academic Research

Academic research is the process of gathering information, analyzing it, and drawing conclusions. It can be used to gain new knowledge, improve understanding, and develop new solutions.

In the field of cybersecurity, academic research can be used to:

Relevance to Cybersecurity

Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.

Research and documentation can also help organizations to improve their incident response capabilities. By understanding how cyberattacks work, organizations can develop plans to respond to incidents more effectively.

Definition of "Scholarly" Articles

When conducting research, it is critical to use scholarly information. Information from sources like blog sites and Wikipedia is not scholarly information. A scholarly article is a research paper that has been published in a peer-reviewed journal. Peer review is a process in which experts in the field review the paper and provide feedback before it is published.

Scholarly articles are an important source of information for cybersecurity professionals. They provide up-to-date information on the latest threats and trends, and they can help professionals to develop and implement effective security measures.

Cybersecurity Example

A recent study by the Journal of Medicine found that hospitals are at high risk of cyberattacks. The study found that the complexity of hospital networks makes them easy targets for attackers. The study also found that two factors that correlate with a hospital's risk of being attacked are network complexity and internal stakeholders.

The study's findings highlight the importance of research and documentation in cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.

Conclusion

Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack. There are many resources available online and in libraries. You can also find a wealth of information by attending conferences and workshops. By staying up-to-date on the latest threats and trends, you can help to protect your organization from cyberattacks.

References


Easing In

by Eula Chua

August 7, 2023

I never thought 2023 would be such a fast and busy year for me. It has officially been 6 months since I entered the field of Information Technology! It has been such an endless learning experience on the job, and it makes me excited for what’s next.

Because it’s been such a huge change in routine for me, my mind was craving more professional development, but it was difficult to find time with how demanding personal and work responsibilities could be. I was glad, though, to have booked off one of the weekends in May to learn some Microsoft Azure Fundamentals, which is something I would love to share more about in a future post!

But for this week, I’m choosing to ease myself in and absorb everything I’ve learned in the past 6 months. I do apologize that I have been quite MIA for the past few weeks. Not only am I easing into a fairly new career path, I’ve also been planning and preparing for a new chapter in life that I may or may not share in another future post, we shall see!

Life has its ways of surprising you. And when it does, you take what you get and mold it into something beautiful. I’ll see you at the next post and hope to share more about what I’ve been learning (tech and non-tech related).



Let’s stay connected on socials: https://www.LinkedIn.com/in/eulac-lipro

MAY 31, 2023

Crossing the Ever-Moving Finish Line

by Shaun Washington

May 31, 2023

It feels like it’s been forever since I wrote my last blog post. I was inundated with studying, studying, worrying, posting for @Josh Mason’s #30daysjobchallenge, studying, and passing my Security+ exam. Just want to thank everyone for their support and positive energy that helped me push through.


Now that the Sec+ is under my belt, I am trying to plan out my next move(s). First was to get the certification to make myself more marketable for HR and the ATS; I’m still fighting that battle as we speak. I did my comparison on the different A.I. platforms (ChatGPT, Bard) to see which one made better changes/updates to my resume. I have had some help previously trying to fine-tune my resume, and so far 2 days into my poll the numbers look like this:

My pre A.I. resume is getting most of the votes, but I am unsure what the issue is with it that is keeping me from getting past ATS and making it to at least a 1st interview. I will keep seeking assistance with getting this formula right to try and make this transition into Cybersecurity. If you haven’t already voted there are a few days left and the comments/conversation has been nonexistent.

 

I have had quite a few new connections that have asked me for tips and ideas on making it into the field. My imposter syndrome is getting quite confused, because I know that I haven’t “made it” yet, but for some people I am ahead, and they want to catch up to where I am. I can only be authentic and real with them when I say that I have not arrived on the cybersecurity scene just yet, but here is what I have done so far to get where I am right now. Insert courses/resources that I have posted/shared, push Networking, Networking, Networking, and building your LinkedIn presence/profile/brand. I am not an expert in Canva or design, but I know how to express “my” interests/personality in what I do. I implore everyone that is reading this to take an introspective look at what is unique about you, and bring that and your experiences into how you display yourself. What I have learned about branding on LinkedIn was from 2 main sources that I have shared on multiple occasions: Gerald Auger’s Definitive GRC Masterclass and Ken Underhill’s Cybersecurity Personal Branding course. They are worth the money and time to complete and are available at SimplyCyber.io, TCM Security, and Udemy.com.

 

As I look toward the future, I will be seeking advice and implementing advice that I have come across to move my career forward and I will share what I learn with you, either through this blog, my LinkedIn posts, or DM. Please tear my resume to shreds if you know what is missing or what I could be doing better, I am always looking to improve on my #CyberGrowthAndLearningGrind. Keeping my eyes on the prize and not stopping until I have crossed the line and passed the baton to the next person.


Let’s continue the conversation on my LinkedIn, or feel free to message me.

MAY 24, 2023

QR Code Safety

by James Driscoll

May 24, 2023

QR codes are everywhere, and they are here to stay. They show up on TV during daytime talk shows. They show up during televised sporting events. They are used in restaurants to access menus. They are used to pay for parking in some cities. They are even used to set up MFA. I recently had to use one to add ECPI to a Block Cert wallet so they can send me a digital copy of my degree. It is futile to attempt to avoid using them at some point. Now, there are risks associated with QR codes, as criminals can create fake, malicious sites to steal money or personal information. So, how do we stay safe when using them?

Great question! Here are some tips to help you stay safe when using QR codes:

By following these tips, you can help to protect yourself from the risks associated with using QR codes.

Additional tips:



What's On My Cybersecurity Event Radar

by Kimberly McKnight

May 24, 2023

As you read this blog, I hope you are having a great day. I know many of us are consumed. At the very least, attempt to find some joy within your busy week, get outside, and remember to come up for air! 


Events can take up a lot of time, but they are important to help us stay in-the-know on what is developing in the cybersecurity industry. They also provide us with insights and learnings from professionals in our field who are tapping into what is working, and what is not. We learn about new technology and discover new trainings, programs, and resources. 


I feel attending events is SO important, I created #ThisWeekinCybersecurity to help others keep track of the exciting, engaging, and FREE virtual industry events. (Yes, I missed it this week... hence this blog). Why the focus on virtual?

 

Now, time for some upcoming #cybersecurity events:


I happen to work for this company, but that doesn't impact my decision to share! USCG is an amazing program I am happy to be a part of. PlayCyber by Katzcy is excited to present the US Cyber Games Season III Open Kick-Off Event on June 1, 2023 via live stream. Register here to be sure to save your space and check your emails for the details prior to the event. Help to Spread the Word on socials with your network: https://www.uscybergames.com/spread-the-word 


Another event I am ecstatic about is the SimplyCyberCon, coming November 8, 2023! It will be an extraordinary event, filled with tons of valuable information and knowledge sharing from the #SimplyCyber community. #SimplyCyberCon is in its inaugural year and we hope to "see" you there, virtually! With a new speaker track and another for seasoned infosec pros, plus workshops, this event will offer something for everyone. Plus, Simply Cyber and Gerald Auger, PhD are all about the community, anticipate there will be tons of fun sprinkled into this event. When registering for your virtual ticket, you may donate any amount to go towards the prizes and giveaways at the con. Learn more and sign up to receive notifications when updates are available! https://simplycybercon.org 


Well, there you have it! A few events you MUST make time for on your calendar. Plus, they are FREE and virtual, so you have no excuse. 


Take care and enjoy your week, everyone! And it would be AWESOME if you followed #BlogbyCC on LinkedIn! Thanks!


MAY 17, 2023

Mental Health Check

by Shaun Washington

May 17, 2023

This isn’t a very technical blog for this week, but some self-reflection based around the current job market and my journey into cybersecurity. So I have found myself being very pessimistic about the prospects of making the pivot into cybersecurity or a better paying job in general.

My #CyberGrowthAndLearningGrind has been ongoing and ramping up in intensity as I make the push to break into cybersecurity. I have been putting in a lot of work on myself to become well rounded and try to show potential employers that I am an asset worthy of the opportunity. I have spoken on my situation in previous blog posts, and it hasn’t gotten any better for me financially, and of course that takes a mental toll, not to mention the constant rejection emails from jobs that I have applied to. I have worked in and around the mental health field and know how I usually react to these types of situations, and, diagnosis aside, imposter syndrome keeps rearing its ugly head.

I know what I am capable of and what I bring to every workplace, and it baffles me that:

I have to say that the communities on LinkedIn that I am a participant in (Simply Cyber, Cybersecurity Central) and the rest of the Cybersecurity professionals I have connected with have been more than supportive in helping me focus on the end goal, listening to my rants, showing me new viewpoints, and so much more. I am truly amazed and grateful, and I will try to make myself available to support others in the same way I have been supported (Pay it Forward).

I have not done the best for myself recently with self-care, but I know my limits due to having hit just about rock bottom emotionally before, so fortunately and unfortunately, I know when I truly need to stop and step away. Jax Scott made a post about self-care, and consciously I felt guilty, because I know I should be doing better for myself, but at the same time I can’t afford to rest at this point until I get to the next step and put myself and my family in a better position.

The TLDR is make sure you take care of yourselves to the best of your ability and check on your friends and family as well. Everyone is struggling with something and could use a friendly ear or shoulder to lean on.

Let’s continue the conversation on my LinkedIn, or feel free to message me.

Network Attached Storage

by James Driscoll

May 17, 2023

We all know that backing up our organization's data is critical to being able to recover from a disaster or incident. Now, there are numerous methods that can be used to accomplish data backup. They include external hard drives, USB drives, optical media (CDs or DVDs), cloud storage, and finally Network Attached Storage (NAS). Network Attached Storage is going to be the focus of this blog.

So, what is a NAS? Basically, it is a dedicated file storage system that is attached to a network. One concept that is associated with a NAS is RAID (Redundant Array of Independent Disks). Some of you might be wondering what RAID is, and that is a good question. RAID is a data storage virtualization technology that combines multiple physical disks into one or more logical units. Now, the reason this is done is for redundancy.

When using RAID, there are several configurations that can be utilized. They all have pros and cons that need to be considered to ensure the most appropriate configuration is used. Those configurations are discussed below.

RAID 0 – With this configuration the data is split up and written (striped) across all the disks.

· Advantages – an increase in the number of drives means better performance. Good for applications that need high throughput.

· Disadvantages – no redundancy.

RAID 1 – With this configuration, an even number of disks is utilized, and the same data is written to all disks (mirroring).

· Advantages – provides redundancy.

· Disadvantages – costly.

RAID 3 – With this configuration, data is striped at the byte level across every drive except one, and parity is used for error correction. The last drive is dedicated to parity, which is a way to protect the data from a drive failure without the added cost of mirroring.

· Advantages – good performance for applications that need large sequential data access.

· Disadvantages – requires 1.25 times the size of the data disks. Rarely used.

RAID 4 – Same as RAID 3 except striping is done at the block level rather than at the byte level (RAID 3).

· Advantages – can write to a single disk without rewriting an entire stripe.

· Disadvantages – write performance suffers due to the single parity drive.

RAID 5 – With this configuration, the drives utilize striping and can also be written to independently.

· Advantages – there is no dedicated parity drive; parity information is evenly split among all drives in the array. Error correction is available. Since all blocks of data are written at the same time, read/write times are improved. Can survive one disk failure.

· Disadvantages – none to speak of.

RAID 6 – This configuration is like RAID 5 except for an additional parity element.

· Advantages – able to survive two drive failures.

· Disadvantages – requires a minimum of four disks. Since there are two parity elements, rebuilding the failed drives will take longer (Services, EMC E, 2005).
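The parity mechanism behind RAID 3, 4 and 5, worked through as an added example (not code from the post or from the EMC text it cites): data is striped over simulated disks with rotating parity as in RAID 5, one disk is lost, and its blocks are recovered by XOR of the survivors. SAMPLE, the four-disk layout and the block size are constructed assumptions; raw_to_data_ratio ties back to the 1.25 figure quoted for RAID 3, which corresponds to four data disks plus one parity disk.

```python
"""RAID 5 striping with rotating XOR parity, and the rebuild after one failed disk.

Added illustration for the RAID levels described above; not code from the post
or from the EMC text it cites. Each "disk" is a bytearray, SAMPLE is constructed
input, and block_size is the stripe unit in bytes.
"""
from functools import reduce

SAMPLE = b"the quick brown fox jumps over the lazy dog"  # constructed, 43 bytes


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks: the parity that RAID 3, 4 and 5 store."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def raw_to_data_ratio(n_disks):
    """Raw capacity needed per unit of data with one parity disk (5 disks -> 1.25)."""
    return n_disks / (n_disks - 1)


def raid5_write(data, n_disks, block_size):
    """Stripe data over n_disks. Each stripe holds n_disks-1 data blocks plus one
    parity block, and the parity block rotates so no drive is a dedicated parity drive."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % per_stripe)  # pad the last stripe
    disks = [bytearray() for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - s) % n_disks  # rotate parity one drive per stripe
        parity = xor_blocks(blocks)
        data_blocks = iter(blocks)
        for d in range(n_disks):
            disks[d] += parity if d == parity_disk else next(data_blocks)
    return disks


def raid5_read(disks, block_size, length):
    """Reassemble the data by skipping each stripe's parity block."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // block_size):
        parity_disk = (n - 1 - s) % n
        for d in range(n):
            if d != parity_disk:
                out += disks[d][s * block_size:(s + 1) * block_size]
    return bytes(out[:length])


def rebuild_disk(disks, failed):
    """Recover one failed disk (its slot may be None). In every stripe the XOR of all
    blocks, data and parity alike, is zero, so the missing block is the XOR of the
    survivors, whether the lost block held data or parity. With single parity this
    only works for one missing disk; a second loss is why RAID 6 adds a parity element."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("single XOR parity can rebuild exactly one missing disk")
    return bytearray(xor_blocks(survivors))


if __name__ == "__main__":
    array = raid5_write(SAMPLE, 4, 8)
    lost = bytes(array[1])
    array[1] = None                      # simulate a drive failure
    array[1] = rebuild_disk(array, 1)
    print("rebuilt disk matches original:", bytes(array[1]) == lost)
    print("data intact after rebuild:", raid5_read(array, 8, len(SAMPLE)) == SAMPLE)
```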


References

Services, EMC E. Information Storage and Management: Storing, Managing, and Protecting Digital Information in Classic, Virtualized, and Cloud Environments. Available from: ECPI, (2nd Edition). Wiley Professional Development (P&T), 2005.


MAY 10, 2023

Security at Work

by Eula Chua

May 10, 2023

Working in IT has been great these past few months. Every day, I get to learn different parts of the operation. From doing onboarding/offboarding tasks such as setting up laptops and managing mobile devices to diving deep into the administration side of IT, I’m fortunate to be exposed to all kinds of different issues that allow me to exercise my problem-solving skills. As I continue to ease into the environment and define my role, I also think about the improvements that we can implement into our environment.


You might not realize this. Every day you are practicing cybersecurity. It is not confined to one role. Whether you’re working in the cybersecurity sector or just starting out your IT career, everyone has a part in keeping their environment secured – leading by example, using a password manager, creating complex passwords, keeping a clean desk space, running Windows updates consistently, the list goes on. Most issues we encounter can be prevented through user education. Get your users on board with best security practices. Keep them informed on rising trends. Take every opportunity to implement security at your workplace, because the worst thing that can happen is a business being shut down by a click of a button that could have been prevented. A great place to start talking about security at work is through security awareness training.


Check out these resources to learn more about security awareness:


Let’s stay connected on socials: https://www.LinkedIn.com/in/eulac-lipro

I Am Team CC i.e Cryptographic Conundrum

by Shaun Washington

May 10, 2023

So, where to begin? As I have stated in recent LinkedIn posts and #BlogbyCC, I have been studying for the CompTIA Security+ exam and am scheduled to take it on May 25th. In general I feel prepared, but to help quiet my imposter syndrome, I scheduled the exam far enough out to get in some good “cramming” and polishing of my knowledge. I then came to the realization that certain areas on the exam I had more difficulty recalling (general disdain), and the main culprit and focus of my ire is the topic of cryptography.


I understand the purpose and the need for cryptography but aligning it with experience is proving difficult and I need to drill in some situational awareness about this section of the exam. I don’t want to put too much emphasis on this section but maybe my struggle will help the next person coming along this path. Hence, I will try to put my spin on this to make it memorable for me and whomever stumbles upon this.


To protect a system against attacks and malicious penetration attempts, cryptography has 2 factors:

1) Strength of the keys and effectiveness of mechanisms and protocols associated with the keys

2) Protection of the keys through key management (secure key generation, storage, distribution, use and destruction)


These 2 factors are interdependent and lose their effectiveness when not working in tandem. Based on NIST’s Special Publication 800-57 Part 1, Revision 4, there are guidelines for key management and some best practices associated with them. The aforementioned cryptographic keys are used in the 3 general classes of cryptographic algorithms. Cryptographic algorithms are broken into 3 classes approved by NIST, further defined by the amount or type of cryptographic keys used with them:


Hash functions:

o Source and integrity authentication through generating message authentication codes (MACs)

o Compressing messages for generating and verifying digital signatures

o Deriving keys in key-establishment algorithms

o Generating deterministic random numbers


Symmetric-key algorithms:

o Providing data confidentiality by using the same key for encrypting and decrypting data

o Providing MACs for source and integrity authentication services (keys used to create and validate the MAC)

o Establishing keys

o Generating deterministic random numbers


Asymmetric-key algorithms:

o Computing digital signatures

o Establishing cryptographic keying material

o Identity management
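As an added example (not from the post or from SP 800-57), the uses listed above for the hash-function class, each built from the single SHA-256 primitive in Python’s standard library: a MAC with constant-time verification, a fixed-size digest of the kind a signature scheme signs, HKDF key derivation (RFC 5869, extract-then-expand), and deterministic random bytes. The key, salt and message values are constructed; the byte generator is an illustrative HMAC-counter construction, not an SP 800-90A DRBG.

```python
"""One hash primitive, several of the uses NIST lists for the hash-function class.

Added example for this post; not code from the post or from NIST SP 800-57.
Everything below is built from SHA-256 via hashlib/hmac. Keys, salts and
messages are constructed sample values.
"""
import hashlib
import hmac

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size  # 32 bytes for SHA-256


# 1) Source and integrity authentication: an HMAC tag over the message.
def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, HASH).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading tag bytes matched.
    return hmac.compare_digest(mac(key, message), tag)


# 2) Compressing a message to a fixed-size digest (what a signature scheme signs).
def digest(message: bytes) -> bytes:
    return hashlib.new(HASH, message).digest()


# 3) Deriving keys: HKDF (RFC 5869). Both the extract and expand steps are HMAC.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # An absent salt is replaced by HASH_LEN zero bytes, as the RFC specifies.
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long for this hash")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """The info label separates keys for different purposes derived from one secret."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# 4) Deterministic random numbers: HMAC of a counter under a seed.
#    Illustrative HMAC-counter construction, not an SP 800-90A DRBG.
def deterministic_bytes(seed: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(seed, counter.to_bytes(8, "big"), HASH).digest()
        counter += 1
    return out[:n]


if __name__ == "__main__":
    master = b"constructed-master-secret"          # constructed sample secret
    enc_key = derive_key(master, b"salt", b"enc", 32)  # separate keys, one secret
    mac_key = derive_key(master, b"salt", b"mac", 32)
    msg = b"transfer 100 to account 42"
    tag = mac(mac_key, msg)
    print("keys differ:", enc_key != mac_key)
    print("tag verifies:", verify_mac(mac_key, msg, tag))
    print("tampered message rejected:", not verify_mac(mac_key, msg[:-1] + b"3", tag))
```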

 

For me, that is pretty easily understood and memorable, however here come the acronyms. Under symmetric-key algorithms we have:




The rabbit hole goes much deeper with those, but I am going to let my brain rest from all the bits and bytes for a second.

Let’s not forget block and streaming ciphers. I am going to enlist everyone’s favorite AI chat bot to give a simplified explanation (it’s hard to make this lighthearted).

“Block ciphers are like chocolate bars that you want to keep safe from sneaky snack thieves. You break the chocolate into equal-sized blocks, and then you wrap each block in a special secret foil that only you and your trusted friends can unwrap. That way, if a thief gets their hands on the chocolate, they can only steal one block at a time, and they can't read the message on the foil because it's encrypted.

 

On the other hand, streaming ciphers are like squirting a water gun at your annoying little sibling. You keep squirting water at them until they're soaked, and they can't figure out where the water is coming from. In the same way, streaming ciphers encrypt data one "stream" at a time, making it difficult for anyone trying to intercept the data to figure out where the data is coming from."


SOOO, yeah, the explanation was pretty good but I’m just going to set this to the side for now. If you have some way to help you remember this information, please feel free to message me or make a post on LinkedIn and add me to it. Still on this #CyberGrowthAndLearningGrind 16 days 'til it’s go time.

MAY 3, 2023

#CyberGrowthAndLearningGrind

by Shaun Washington

May 3, 2023

This week has been a blur from dealing with procrastinating end users who waited till the last minute to get off of Zoom to the Telehealth platform being used by my company, to me getting my CompTIA Security+ exam scheduled.


I just want to put some emphasis on the challenge I have posed for myself and whoever is willing to join me. I originally made the post on this on LinkedIn:

I am challenging myself to improve every day, a 1% improvement on a consistent basis is all it takes. So far I have been sharing any new training/learning opportunities that I am partaking in such as the ATTACKIQ Academy trainings mentioned in my previous blog post, the apps, books, and websites that I am using to study for my Security+ exam. I am looking to expand my network and further the community that #CybersecurityCentral and #SimplyCyber have been fostering and nurturing. The push to break into cybersecurity is in full swing, I will also be participating in the #30dayjobchallenge that Alyson Van Stone mentioned, and I encourage my network and anyone else who is up for it to take the next step and turn up the intensity. Network with others by participating in Gerald Auger, PhD - Simply Cyber Daily Cyber Threat Brief on YouTube and the #simplycybercommunitychallenge on LinkedIn, apply for positions (even if imposter syndrome tells you not to), use the resources available to you (there are a plethora of free & cheap resources available on Cybersecurity Central, Simply Cyber and other spaces).

 

I am not qualified to mentor anyone in cybersecurity job hunting, but I do know how to motivate others around me and I will be the push to move forward and the cheering section for when you succeed. The only thing I ask in return is that you do the same for the next person.

APT Naming Conventions

by James Driscoll

May 3, 2023

Ever since listening to CyberWire Daily podcast back in October 2020 and hearing about an Advanced Persistent Threat (APT) group named Fancy Bear, I have always wondered how these groups got their names. Then recently I found out that the same group can have multiple names which adds to the confusion. This topic has come up within the past couple weeks or so, so I thought it would be a good idea to try to reduce some of the confusion by breaking down how these groups get their names and why it is usually multiple names.


Let us start with the easiest question. Why are there multiple names for the same APT group? The short answer is that each research company (Microsoft, Mandiant, etc.) has its own naming convention. For example, Microsoft names APT groups using the periodic table; however, it was announced last week that they are changing to a weather-themed naming convention. Some other companies, like CrowdStrike, use the word “Panda” for Chinese groups, “Bear” for Russian groups, “Kitten” for Iranian groups, and “Chollima” for North Korean groups. Symantec gives APT groups the names of insects, and finally Palo Alto names APT groups using constellations (Sabin, 2022).


So, with that out of the way, we need to address why the naming convention is not standardized. Basically, there are three kinds of reasons: human, technical, and operational. Let us look at each one more closely:


Human

·         The operation conducted is used as the APT’s name.

·         The name of the malware used is given as the APT’s name.

·         The research companies do not relate their research to the research of other companies.

·         Media refuses to correct wrong mapping in public articles.

Technical

·         Different companies see different aspects of the same thing. For example, one company sees only the TTPs while another sees only the C2 infrastructure.

·         Either an APT group splits up or multiple groups combine.

·         Multiple APT groups share their tools with each other.

Operational

·         Each company using their own naming convention gives them the ability to take their research in any direction they want.

·         Each company may feel that using another company's naming convention signals that the other company's research is more complete than its own (Roth, 2018).


So, while the reasons behind all the different names make sense, there is still an argument for a standard naming convention. Communication between organizations alerting each other to IoCs that are being noticed is vital, so why can't these security research companies communicate and collaborate with each other? I have said it before: no one organization can be successful on its own. Everyone must work together to defeat our adversaries.
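Until a standard exists, the practical job of a CTI analyst is to map every vendor's name for a group onto one cluster of aliases so that reports about "the same actor" can be correlated. The following is an added example, not code from the original post: a small union-find resolver that merges names whenever a vendor write-up treats them as the same group. The reports are constructed sample data (the vendor labels are hypothetical), and any real alias mapping should be verified against the vendors' own published cross-references before it is relied on.

```python
"""Resolve vendor-specific threat actor names to one cluster of aliases.

Added example, not from the original post. The reports below are constructed
sample data: each lists the names a (hypothetical) vendor write-up treats as
the same group. Verify any real mapping against the vendors' own published
cross-references before relying on it.
"""
from collections import defaultdict


def normalize(name: str) -> str:
    """Vendors differ in case, spacing and punctuation (APT 28 / APT28 / apt-28)."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


class AliasResolver:
    """Union-find over normalized names: names reported together are merged into one actor."""

    def __init__(self):
        self._parent = {}                 # normalized name -> parent in the union-find forest
        self._display = {}                # normalized name -> first spelling seen, for output
        self._sources = defaultdict(set)  # normalized name -> vendors that used that spelling

    def _find(self, key):
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]  # path halving
            key = self._parent[key]
        return key

    def add_report(self, vendor, names):
        """One write-up from `vendor` that equates the aliases in `names`."""
        keys = []
        for n in names:
            k = normalize(n)
            self._parent.setdefault(k, k)
            self._display.setdefault(k, n)
            self._sources[k].add(vendor)
            keys.append(k)
        root = self._find(keys[0])
        for k in keys[1:]:
            other = self._find(k)
            if other != root:
                self._parent[other] = root

    def known(self, name):
        return normalize(name) in self._parent

    def same_actor(self, a, b):
        return self.known(a) and self.known(b) and \
            self._find(normalize(a)) == self._find(normalize(b))

    def aliases(self, name):
        """Every spelling merged with `name`; empty list if the name was never reported."""
        if not self.known(name):
            return []
        root = self._find(normalize(name))
        return sorted(self._display[k] for k in self._parent if self._find(k) == root)

    def vendors_for(self, name):
        """Which vendors use this particular spelling (useful when citing a report)."""
        return sorted(self._sources.get(normalize(name), ()))

    def clusters(self):
        groups = defaultdict(list)
        for k in self._parent:
            groups[self._find(k)].append(self._display[k])
        return sorted(sorted(g) for g in groups.values())


# Constructed sample reports: (hypothetical vendor label, names the report equates).
CONSTRUCTED_REPORTS = [
    ("vendor-A", ["Fancy Bear", "APT28"]),
    ("vendor-B", ["APT 28", "Sofacy"]),
    ("vendor-C", ["STRONTIUM", "Forest Blizzard"]),   # one vendor's old and new name
    ("vendor-D", ["Forest Blizzard", "Fancy Bear"]),  # the cross-vendor link that joins the clusters
    ("vendor-A", ["Cozy Bear", "APT29"]),
]


def build_resolver(reports=CONSTRUCTED_REPORTS):
    r = AliasResolver()
    for vendor, names in reports:
        r.add_report(vendor, names)
    return r


if __name__ == "__main__":
    for cluster in build_resolver().clusters():
        print(" = ".join(cluster))
```

A report that links two names is all it takes to merge two clusters, which is exactly why a wrong mapping in one public article (the "media refuses to correct wrong mapping" point above) propagates: keep the source of every link so a bad merge can be traced and undone.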


References

·         Roth, F. (2018, March 25). The Newcomer's Guide to Cyber Threat Actor Naming. Retrieved from Medium: https://cyb3rops.medium.com/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263

·         Sabin, S. (2022, September 20). Cyber Firms Explain Their Ongoing Hacker Group Name Game. Retrieved from Axios: https://www.axios.com/2022/09/20/cyber-firms-hacker-group-name-game

 


My First RSA Conference Experience #RSAC2023

by Kimberly McKnight

May 3, 2023

Last week was a whirlwind! There was so much happening at once with RSA Conference 2023, where should I begin?


A good starting point may be, how did I prepare for my first RSAC experience? 

 

With so much marketing leading up to RSA this year, many of us were bombarded with emails and social posts from cybersecurity companies. Since I went to RSA for work, my focus was more so around what to expect for my first visit to San Fran.


Since I already knew my time was primarily consumed with working during most hours, I decided the first thing to do was to schedule the most important work-related events. After blocking those times off, there was minimal time left, but some evenings were open. From talking to connections who had worked similar events before, I knew the evenings would be essential for catching up and getting rested for the next early morning! ☀️ I do wish I had made it to the Crowdstrike event! They had THE party to be at this year, with the theme Welcome to the Jungle. From the feedback of co-workers who went, it was completely over the top. So, I made a mental note: Crowdstrike RSAC Party 2024, check!

 

Next, I tuned in to a just-in-time episode of Hacker Valley Media's Hacker Valley Studio with Chris Cochran & Ron Eddings. It dropped about a week prior to RSAC and it came in clutch for helping to calm my nerves and realize it's a big event for everyone attending, not just me. 🤯 Hacker Valley had a get-together at RSAC, like so many others, and Chris was gracious enough to send an invite. Wish I could have gone! Looks like it was a great time. Follow them if you aren't already: https://hackervalley.com

 

Although RSAC has passed, their RSAC episode has golden takeaways for any networking event! Did I mention BlackHat is quickly approaching? Watch the episode, “RSA with a Purpose” https://youtu.be/sZLCkZG_zG4 or listen on your favorite podcast platform: https://hackervalley.com/e/rsa-with-purpose:-sealing-deals-getting-hired-and-networking-with-industry-leaders/

 

Finally, I checked the weather—all I noted was it was much colder than my always warm south Florida!!! 🥶 Since I was working the booth for one of our clients, all black was the attire. Usually all black is a no-go for me personally, especially living in Florida, but for this occasion, I made an exception and rocked all black. 

 

Of course, our team at PlayCyber by Katzcy had the #merch on deck! We’re super talented, not just saying that because I work here—the team is truly remarkable at the collaboration and work produced. We sported a mix of PlayCyber pullovers and US Cyber Games Season III jersey all around San Francisco! USCG hosted a table at RSAC College Day, too. Great turnouts. If you want to show your support, go grab your official gear here: https://shop.playcyber.com and follow us on socials!

 

While we are here talking about work, I want to add a few shameless plugs for #cybergames info from my current company’s brands:

 



 

To wrap up, I dropped a quick collage below with some pics from the week. Did I mention everything moved so fast?! By the time the first day came to an end, my anxiety was ending and the focus was all about #quantum, #cybersecurity, #marketing, and #networking, while trying to show up as my best self each day. I consider myself fairly extroverted, but events can stress out even the most extroverted personalities. I'm still adjusting from the west coast swing!

 

If you’re headed to your first big (or small) show, know you’re not the only one who is going for the first time! There are many others who feel exactly the same as you, no need to fear. The people in this industry are amongst some of the most friendly and kind I’ve ever met. That’s saying a lot with a tenured background in hospitality, where being kind is a requirement. 

 

Thanks to everyone who was a part of this experience. No way to include it all, I’m tired already and I feel like I just scratched the surface! Maybe I’ll share more another time, but wanted to be sure to put this out there and say it was an amazing experience. Would I do it again? Yep, for sure. Looking forward to do it all over again next year! ✨ 


And thanks to RSA Conference for putting on a great show! Until next time, San Francisco!

APR 26, 2023

Types of Personnel Policies to Mitigate Risks: Part III of III

by Eula Chua

April 26, 2023

As we reach the last stretch of how to mitigate security risks through the implementation of personnel policies, it is important to note that not all risks come from the online network; they come from offline as well. Otherwise, these policies would not exist. This week, we look deeper into the remaining four policies: Non-Disclosure Agreement (NDA), Third-Party Risk Management, Terms of Agreement, and Measurement Systems Analysis.

1. Non-Disclosure Agreement - This policy is implemented between two parties: data shared between them is not to be disclosed to unauthorized parties. Companies also use NDAs to prohibit employees from disclosing data that is strictly meant to be kept within the organization, both while employed and after offboarding. This category includes social media analysis, which is used to verify whether an employee is complying with the policies in place.

2. Third-Party Risk Management - This can be overlooked, especially when trust is involved. Many do not realize that being connected to entities outside the company poses a risk. Security policies help mitigate these risks. Third-party agreements include:

a. Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA), where two or more entities come to an understanding in terms of working towards a mutual goal

b. Business Partners Agreement (BPA), where a written agreement is established between business partners to indicate their responsibilities and obligations while working together

c. Service Level Agreement (SLA), where expectations are laid out between an entity and a vendor to ensure standards are met

3. Terms of Agreement - This is usually added as a clause in a legal document, indicating when an agreement comes into effect

4. Measurement Systems Analysis (MSA) - This determines the accuracy of data collected by evaluating the tools and processes used to measure. An example of this would be measuring data based on the type of equipment being used and how it is being used.

What policies do you notice that are heavily implemented in your current organization? Do you feel that it’s working to mitigate risk or create restrictions on the processes done at your organization?


References:
Gibson, D. (2020). CompTIA Security+ : Get Certified Get Ahead SY0-601 Study Guide. Ycda, Llc.


MITRE Attack

by Shaun Washington

April 26, 2023

The rabbit hole that I have gone down in my #CyberGrowthAndLearningGrind recently is the ATTACKIQ Academy and its learning paths. So far, I have completed about 75% of the Purple Team path. Before the end of this week I plan to have this learning path cleared; I just have to finish Threat Alignment & Emulation Planning for Purple Teams.

I suggest you take a look at the offerings available in the ATTACKIQ Academy but I will give a brief overview of what I have gone through so far. Like any other new concept that we are learning, let’s start with some definitions:

MITRE – a non-profit corporation that works in cybersecurity but also in defense, intelligence, aviation, civil systems, homeland security, judiciary, and healthcare.

CVE – Common Vulnerabilities and Exposures

ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge


MITRE is closely associated with the ATT&CK Framework and is known for providing a common vocabulary and creating flexible processes (frameworks) that help unite the cybersecurity industry. The ATT&CK Framework can be found at https://attack.mitre.org

Another concept covered within the MITRE ATT&CK training is Threat-Informed Defense. This is an approach to cybersecurity that proactively uses three elements, which together provide an evolving feedback loop for your security team. The three elements are:

·         Cyber threat intelligence analysis

·         Defensive engagement of the threat

·         Focused sharing and collaboration.

I covered the basics of CTI in one of my previous blog posts, but this formalizes it within the MITRE framework using a tool called CRITs (Collaborative Research Into Threats). It is a free open-source tool that is covered within the training from ATTACKIQ. I highly recommend visiting the site and taking some of these trainings (P.S. they have some sweet-looking badges, not that it should matter but you know…….).

The ATT&CK Framework covers TTPs (Tactics, Techniques, and Procedures), which are broken down as follows:

● Tactics are the adversary’s technical goals.

● Techniques are how those goals are achieved.

● Procedures are specific implementations of techniques.

MITRE has another tool named MITRE ATT&CK Navigator, which allows users to follow the TTPs and visualize the flow of techniques used by threat groups. This tool can be found at https://mitre-attack.github.io/attack-navigator/enterprise. Using this tool will be very beneficial to Red and Blue teams during any Purple teaming exercises or BAS (Breach & Attack Simulations). I want to draw attention to the teams, because before taking these courses I believed that the Purple Team was a separate team, but it is in fact a process/workflow achieved by Blue and Red teams working together, using their skills to make their organization safer.
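The Navigator consumes a JSON "layer" file, which makes it a natural place to record the outcome of a purple-team exercise: red lists the techniques it executed, blue lists the ones its detections fired on, and the layer colours each technique by whether it was caught. The following is an added example, not code from the original post and not MITRE's or AttackIQ's; the technique lists are constructed sample data, and the "versions" strings in the layer are assumptions that should be set to match the Navigator build the file is loaded into.

```python
"""Turn a purple-team exercise record into an ATT&CK Navigator layer.

Added example, not from the original post and not MITRE's or AttackIQ's code.
The executed/detected technique lists are constructed sample data; the
"versions" strings are assumptions and should match the Navigator build you
load the layer into.
"""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1059 or T1059.001
SCORE_DETECTED, SCORE_MISSED = 2, 1

# Constructed sample data: technique -> tactic executed by red; techniques blue's detections fired on.
EXECUTED = {
    "T1059.001": "execution",             # PowerShell
    "T1003.001": "credential-access",     # LSASS memory
    "T1021.002": "lateral-movement",      # SMB/Windows admin shares
    "T1071.001": "command-and-control",   # web protocols
}
DETECTED = {"T1059.001", "T1021.002"}


def validate_ids(ids):
    bad = [t for t in ids if not TECHNIQUE_ID.match(t)]
    if bad:
        raise ValueError(f"not ATT&CK technique IDs: {bad}")


def coverage(executed, detected):
    """Score every executed technique: 2 if a detection fired, 1 if it was missed."""
    validate_ids(list(executed) + list(detected))
    return {tid: (SCORE_DETECTED if tid in detected else SCORE_MISSED) for tid in executed}


def gaps(executed, detected):
    """Executed but not detected: the list the purple team works on next."""
    return sorted(t for t in executed if t not in detected)


def unexpected_detections(executed, detected):
    """Detections with no matching execution: noise, or red did something off-plan."""
    return sorted(t for t in detected if t not in executed)


def navigator_layer(name, executed, detected):
    scores = coverage(executed, detected)
    return {
        "name": name,
        # Assumption: version strings; set them to the ATT&CK/Navigator versions you run.
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Purple-team coverage: 2 = executed and detected, 1 = executed but not detected",
        "techniques": [
            {
                "techniqueID": tid,
                "tactic": executed[tid],
                "score": scores[tid],
                "comment": "detected" if scores[tid] == SCORE_DETECTED else "GAP: no detection fired",
                "enabled": True,
            }
            for tid in sorted(executed)
        ],
        "gradient": {"colors": ["#ff6666", "#66ff66"], "minValue": SCORE_MISSED, "maxValue": SCORE_DETECTED},
        "legendItems": [{"label": "detected", "color": "#66ff66"}, {"label": "gap", "color": "#ff6666"}],
    }


def layer_json(name, executed, detected):
    """The text to save as <name>.json and open with Navigator's 'Open Existing Layer'."""
    return json.dumps(navigator_layer(name, executed, detected), indent=2)


if __name__ == "__main__":
    print(layer_json("purple-team-demo", EXECUTED, DETECTED))
    print("gaps:", gaps(EXECUTED, DETECTED))
```

Running the same layer after each iteration of the exercise turns the Navigator into the progress record for the purple-team loop: the gap list shrinks as blue adds detections, and any unexpected detections are worth a conversation with red about what was actually run.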


There is so much more to go into but if this piqued your interest please do as Morpheus says:

APR 19, 2023

Business Continuity / Disaster Recovery Plans 

by James Driscoll

April 19, 2023

Disasters, whether natural or man-made, are inevitable. Every company, no matter its size or location, is going to experience one. How quickly it recovers, if at all, depends on whether it has a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that experience a disaster without a BC / DRP close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).


For a BC / DR plan to be successful the following five steps should be taken.


1. Be proactive with planning – Create a list of as many conceivable disasters as possible. Imagination is the only limiting factor, as long as the disaster is plausible for the location; for example, a company in North Dakota does not need to plan for a hurricane.
2. Identify the organization's critical functions and infrastructure – This is when a company conducts a business impact analysis (BIA). It serves two purposes. First, critical functions are identified. Second, the company can make educated guesses about the causes of disruptions and the repercussions of those disruptions.
3. Create emergency response policies and procedures – This is the meat and potatoes of the process: creating the BC / DR plan based on the information from steps one and two, while also considering any applicable government regulations.
4. Document the backup and restoration process – Write down the procedures for backing up the company's data before a disaster and for restoring it during the recovery phase afterwards.
5. Perform tests and exercises – A plan is worthless if employees are unfamiliar with it or do not even know it exists. Testing makes employees familiar with the plan, so they can respond more quickly; this is paramount in a disaster where time is critical. It also exposes holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).
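Steps four and five meet in one place: a backup that has never been restored and checked is a hope, not a plan. The following is an added example, not code from the original post, of the smallest useful version of that test: back a directory up to a tar archive alongside a SHA-256 manifest, restore it somewhere else, and compare every file's hash against the manifest. The files and paths are constructed inside a temporary directory; in practice the source is real data and the destination is off-site.

```python
"""Back up a directory with a SHA-256 manifest, restore it elsewhere, verify every file.

Added example, not from the original post. The sample files live in a
temporary directory and are constructed for the demo; a real run points
`backup()` at production data and stores the archive off-site.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> dict:
    """Write source into archive (tar.gz) and a manifest next to it; return the manifest."""
    manifest = manifest_for(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname="data")
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, target: Path) -> Path:
    """Extract the archive under target and return the directory that mirrors the source."""
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # Python 3.12+ (and backports): refuse absolute paths, '..' members and
            # links escaping the target, in case the archive itself was tampered with.
            tar.extractall(str(target), filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(str(target))
    return target / "data"


def verify(expected: dict, restored_root: Path) -> list:
    """Files that are missing or whose hash differs from the manifest; empty means good."""
    actual = manifest_for(restored_root)
    return sorted(p for p in expected if actual.get(p) != expected[p])


def run_demo() -> dict:
    """Full cycle on constructed data, including a deliberately corrupted restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,constructed sample\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")

        archive = tmp / "backup.tar.gz"
        manifest = backup(src, archive)
        restored = restore(archive, tmp / "restore")
        clean_result = verify(manifest, restored)

        # Simulate silent corruption of the restored copy, then re-verify.
        (restored / "config.ini").write_text("[app]\nmode=tampered\n")
        tampered_result = verify(manifest, restored)
        return {"files": len(manifest), "mismatches": clean_result,
                "mismatches_after_tamper": tampered_result}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what makes the restore test meaningful: without recorded hashes, a "successful" extraction only proves the archive was readable, not that its contents are what was backed up. Store the manifest separately from the archive so that tampering with one does not quietly hide tampering with the other.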

When creating the BC plan, one of the main things to consider is the backup location. This location has risks of its own that need to be anticipated. Six items to consider when choosing a backup location include:


1. Natural Disaster - If the backup location is close to the primary location, the company could face a disaster-within-the-disaster, with both locations taken offline. The mitigation, if feasible, is to pick a location further away.
2. Infrastructure Disruption – Damage to infrastructure, for example loss of power or road closures. The mitigation for loss of power is backup generators. The mitigation for road closures is a backup location reachable via multiple routes, or one close enough that employees can walk to it.
3. Human Error – Humans are not psychic; information has to be passed to them. A company may have the best BC / DR plan ever created, but if employees know nothing about it, it is worthless. The mitigation is communication.
4. Cyber Attack – While transferring data to the backup site, companies need to ensure that customer information stays safe and is not exposed to a cyber-attack. This is mitigated by keeping devices at the backup location patched and updated, running anti-virus, and encrypting the data, both while it is in transit and once it is stored at the backup site.
5. Compliance – Whether the company is operating from the primary location or the backup site, it still needs to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location: whatever is done to the primary location is also done to the backup location.
6. Physical Security – Physical security is just as important as securing the company's data. The company could invest in a security system including cameras, or hire security guards to monitor the building (Sampera, 2020).


References
An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal.

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from vXchnge: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies


APR 12, 2023

Honeypots

by James Driscoll

April 12, 2023

A honeypot is a security measure that creates a decoy to lure attackers into targeting a particular part of an organization's network. There are two classifications of honeypots, depending on how they are used. First is a production honeypot, used by large organizations and companies. Second is a research honeypot, used by educational institutions, governments, and militaries. Whatever the classification, their purpose is to gain knowledge of threat actors' tactics, techniques, and procedures (TTPs) (EC-Council, 2020).


Honeypots also fall into one of three categories: low-interaction, medium-interaction, or high-interaction. Low, medium, and high describe how much of a service the threat actor can see and interact with. A low-interaction honeypot emulates a limited number of services, typically only as far as a banner or a few canned responses. A medium-interaction honeypot emulates more services, in more depth. A high-interaction honeypot emulates nothing; it is essentially a real, vulnerable system (Mahmoud, 2019). The trade-off is that the more realistic the honeypot, the more an attacker can do with it once inside, so a high-interaction honeypot must be isolated from production systems.
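To make the "low-interaction" category concrete, the following is an added example, not code from the original post: a listener that emulates one service only as far as its banner, records every connection and the first bytes the client sends as a JSON event, and offers nothing further. The banner text and the scanner traffic in the demo are constructed; the listener binds to localhost so it runs offline, whereas a real deployment would sit on an otherwise unused address, forward the event log to the SIEM, and never run on a production host.

```python
"""Minimal low-interaction honeypot: one emulated service banner, every connection logged.

Added example, not from the original post. Banner and client traffic are
constructed; the listener binds to localhost for the demo.
"""
import json
import socket
import threading
from datetime import datetime, timezone


class LowInteractionHoneypot:
    """Emulates a service only as far as its banner; records who connected and what they sent."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.corp.example ESMTP Postfix\r\n",  # constructed decoy banner
                 max_bytes=512, client_timeout=2.0):
        self.host, self.port, self.banner = host, port, banner
        self.max_bytes, self.client_timeout = max_bytes, client_timeout
        self.events = []                 # in-memory log; ship each event as a JSON line in practice
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None
        self._handlers = []

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]   # port 0 -> OS-assigned, reported back
        self._sock.listen(5)
        self._sock.settimeout(0.2)                # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            t = threading.Thread(target=self._handle, args=(conn, addr), daemon=True)
            self._handlers.append(t)
            t.start()

    def _handle(self, conn, addr):
        event = {"ts": datetime.now(timezone.utc).isoformat(), "src_ip": addr[0],
                 "src_port": addr[1], "dst_port": self.port, "received": ""}
        try:
            conn.settimeout(self.client_timeout)
            conn.sendall(self.banner)
            data = conn.recv(self.max_bytes)       # first request only: nothing is answered
            event["received"] = data.decode("utf-8", errors="replace")
        except (socket.timeout, OSError):
            pass                                   # a bare connect with no data is still an event
        finally:
            conn.close()
        with self._lock:
            self.events.append(event)
        print(json.dumps(event))                   # one JSON line per event for the collector

    def stop(self):
        self._stop.set()
        if self._thread:
            self._thread.join(timeout=2)
        for t in list(self._handlers):
            t.join(timeout=3)
        if self._sock:
            self._sock.close()


def run_demo():
    """Start the honeypot, act as a scanner that grabs the banner and sends one command."""
    hp = LowInteractionHoneypot()
    port = hp.start()
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(b"EHLO scanner.example\r\n")     # constructed probe
    hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    run_demo()
```

Because only the banner is emulated, a client that issues a real SMTP command gets no reply, which is how attackers fingerprint low-interaction honeypots; that is the price of the category, and the reason a low-interaction decoy is valued for the first contact (who is scanning, from where, for what) rather than for watching an intrusion unfold.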


Are there any legal or ethical implications to using honeypots? The answer is maybe, depending on the honeypot's purpose. Honeypots are designed to lure threat actors into attacking a decoy that they believe is the organization's real system, and the objection most often raised is that this amounts to entrapment. Strictly, entrapment is a defense against being induced into a crime by law enforcement, so a private organization's decoy does not become unlawful on that basis alone; the practical risks lie elsewhere. Using a honeypot to research threat actors in order to bolster network security will probably not trigger a law enforcement response. If the purpose is to prosecute these threat actors, that is a whole other story: it may trigger a claim from the threat actor, it may leave the organization open to regulatory action, and it may even subject the organization to criminal prosecution for hacking (Overly, 2019).


The bottom line is that an organization that wants to set up a honeypot should consult an attorney who specializes in information security law to get advice beforehand. This will help ensure that the organization stays in compliance with 18 U.S.C. Section 1030, whose exemption covers only lawfully authorized investigative, protective or intelligence activity of a law enforcement agency of the United States, not a private organization's own operations (Section 1030. Fraud and related activity in connection with computers, n.d.).


References:


Types of Personnel Policies to Mitigate Risks: Part II of III

by Eula Chua

April 12, 2023

On the topic of security policies, here are the next 4 personnel policies that will help mitigate risks and data theft within an organization. Taking these preventative measures will also help the organization build reliability and trust with external parties and internal employees.

Take a moment to observe your current employer. Are some of these personnel policies mentioned being practiced within your workplace or are they non-existent? What can you do to improve information security within your workplace? What is something you can start doing today?

For more information regarding personnel policies, check out the reference below. This serves as a great study resource for the CompTIA Security+ and I highly recommend it.


References:
Gibson, D. (2020). CompTIA Security+ : Get Certified Get Ahead SY0-601 Study Guide. Ycda, Llc.


Using the Intelligence Lifecycle for Investigation (Part 2)

by Shaun Washington

April 12, 2023

It’s time to wrap this conversation on investigations, using intelligence, and how to address or triage incidents.


The first thing we need to do is define risk triage, and for that I will enlist our ever-so-helpful friendly neighborhood AI, ChatGPT. ChatGPT defines risk triage as "the process of evaluating and prioritizing potential threats or attacks based on their severity, likelihood, and potential impact on an organization's systems, data, or operations." The goal of risk triage is to help security teams focus their efforts and resources on the most critical threats, so that risks can be mitigated quickly and effectively.


The risk triage process typically involves analyzing threat intelligence data from various sources, such as network logs, endpoint detection and response (EDR) tools, and threat intelligence feeds, to identify potential threats. The threats are then categorized by risk level, with high-risk threats given top priority for further investigation and mitigation. These are all a part of the tool set and daily activities of a SOC/Cybersecurity Analyst.


From the perspective of a Fraud Analyst, risk triage refers to the process of prioritizing cases based on the potential for financial loss and the likelihood that the fraud will be successful. This process involves analyzing data from various sources, such as transaction logs, customer profiles, and fraud detection tools, to identify potential fraud cases. The cases are then categorized based on their risk level, with high-risk cases given top priority for investigation and prevention. The risk triage process helps fraud analysts focus their efforts and resources on the most critical fraud cases, so they can take proactive measures to prevent financial loss and protect their organization's reputation.


Fraud alerts are notifications, similar to Indicators of Compromise (IOCs), that indicate suspicious or unauthorized activity in a financial institution's systems, accounts, or transactions. Here are some examples of fraud alerts in the context of ACH/wires/digital banking/account openings:

 

In each case, the financial institution's fraud detection systems would generate alerts based on predefined rules and thresholds designed to detect suspicious or unusual activity. The alerts would then be reviewed by Fraud Analysts or investigators who would determine whether the activity is legitimate or fraudulent and take appropriate action to prevent or mitigate losses.
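Both definitions above reduce to the same mechanism: each alert gets a severity from the rule that fired, a likelihood that the activity is genuinely malicious or fraudulent, and an impact if it is, and the queue is worked highest risk first. The following is an added example, not code from the original post, that applies one scoring scheme to a mixed queue of SOC and fraud alerts; the alerts, the weights, the bucket thresholds and the acknowledgement deadlines are constructed for illustration and would come from the organization's own risk appetite in practice.

```python
"""Rank a mixed queue of SOC and fraud alerts by risk for triage.

Added example, not from the original post. Alerts, weights, thresholds and
deadlines are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    id: str
    source: str             # "soc" or "fraud"
    title: str
    severity: int           # 1 (low) .. 5 (critical), from the detection rule that fired
    likelihood: int         # 1..5: how likely the activity is genuinely malicious or fraudulent
    impact: int             # 1..5: damage if it is (data loss, dollars at risk, regulatory exposure)
    indicators: list = field(default_factory=list)   # IOCs or fraud signals that fired together


# Constructed scoring policy: product of the three ratings, bucketed, with an ack deadline per bucket.
BUCKETS = [(60, "HIGH"), (20, "MEDIUM"), (0, "LOW")]
ACK_DEADLINE_MINUTES = {"HIGH": 15, "MEDIUM": 240, "LOW": 1440}


def risk_score(a: Alert) -> int:
    for v in (a.severity, a.likelihood, a.impact):
        if not 1 <= v <= 5:
            raise ValueError(f"{a.id}: ratings must be 1..5")
    return a.severity * a.likelihood * a.impact        # 1..125


def bucket(score: int) -> str:
    for threshold, label in BUCKETS:
        if score >= threshold:
            return label
    return "LOW"


def triage(alerts):
    """Highest risk first; ties broken by how many independent indicators fired."""
    return sorted(alerts, key=lambda a: (risk_score(a), len(a.indicators)), reverse=True)


def worklist(alerts):
    """(id, score, bucket, ack deadline in minutes) in the order an analyst should work them."""
    out = []
    for a in triage(alerts):
        s = risk_score(a)
        b = bucket(s)
        out.append((a.id, s, b, ACK_DEADLINE_MINUTES[b]))
    return out


# Constructed sample queue mixing SOC and fraud alerts.
CONSTRUCTED_QUEUE = [
    Alert("F-1001", "fraud", "Wire $48,000 to beneficiary added 10 minutes ago, new device, new geo",
          severity=5, likelihood=4, impact=5, indicators=["new_beneficiary", "new_device", "geo_velocity"]),
    Alert("S-2001", "soc", "EDR: credential dumping attempt on domain controller",
          severity=5, likelihood=3, impact=5, indicators=["lsass_access", "known_tool_hash"]),
    Alert("F-1002", "fraud", "Three failed OTP challenges then successful login",
          severity=3, likelihood=3, impact=2, indicators=["otp_failures"]),
    Alert("S-2002", "soc", "Port scan from internal workstation",
          severity=2, likelihood=2, impact=2, indicators=["scan_pattern"]),
    Alert("F-1003", "fraud", "ACH batch 3x the customer's 90-day average, usual device",
          severity=3, likelihood=2, impact=4, indicators=["amount_anomaly"]),
]


if __name__ == "__main__":
    for row in worklist(CONSTRUCTED_QUEUE):
        print(row)
```

The multiplicative score is deliberate: a critical-severity rule with low likelihood (a noisy signature) should not outrank a medium-severity rule where three independent indicators agree, and the indicator count as a tie-breaker captures exactly that. The deadlines are what turn a ranking into an operational commitment that can be measured afterwards.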


Fraud analysts use various methods to document and track open cases related to fraud investigations. Here are some common practices / techniques:


Regardless of the method used, fraud analysts typically document and track open cases in a way that allows them to quickly access case information, track progress, and collaborate with other team members. This helps ensure that investigations are thorough and efficient, and that cases are resolved as quickly as possible.

APR 5, 2023

Using the Intelligence Lifecycle for Investigation (Part 1)

by Shaun Washington

April 5, 2023

It's time to put on our sleuth hats and delve into some investigations. After completing #arcX Foundation Level Threat Intelligence Analyst Training and stumbling across the Fraudology Masterclass, I have decided to dive into using Threat Intelligence in investigations. There is a lot of cross-over between cybersecurity work and fraud analysis, so let's take the intelligence life cycle into consideration, which includes: Direction, Collection, Analysis, Dissemination.


I hope Gerry likes the flowcharts:

The intelligence lifecycle has four main areas but can be broken into six if you separate steps 1 and 3 into individual steps. The first step is planning and direction, which gives the investigation purpose and a starting point. As part of this we start by identifying what risk/vulnerability/information we want to find. The stakeholders prompt the investigation and set the scope of the cycle through the feedback they give.


The next step is the collection of evidence/data based on your target or alert. This is also when an investigator would have identified risk and started their assessment. Typically, an investigation's risk assessment begins with employees, and also establishes the risk-tolerance limit (appetite) for the situation. That helps with prioritization of alerts or events.


This funnels into fraud risk governance, Fraud risk prevention, Fraud risk detection, and Monitoring & reporting. Fraud risk governance is the structure of rules, practices, and processes for fraud risk management in a company. A strong and transparent fraud risk governance policy discourages fraudsters because it emphasizes C-level commitment to reducing and controlling fraud risk. Having a good framework to follow will lead to prevention, detection, and eventually monitoring & reporting on evidence found.


Processing and analysis of the collected data is the next step in the process, where the intelligence is refined and turned into actionable intel. This is very important because it is the fruit of the labor put into the investigation, and that product fuels the second half of the cycle. Knowledge without action is wasted, and for action to be taken you must disseminate that intel back to the stakeholders who initiated the intelligence process. That in turn starts the next planning and direction phase, based on the insights gained.


Tune in next week for part 2 where I will take a look at what SOC or Fraud Analysts would look at in terms of Alerts and how they would go about addressing them (triage).

MAR 29, 2023

Types of Personnel Policies to Mitigate Risks: Part I of III

by Eula Chua

March 29, 2023

I'm beginning to witness how the material I studied during my CompTIA Security+ exam preparation is implemented in a corporate environment. As part of the administrative control category, maintaining personnel policies helps reduce and manage risk by preventing data theft, data loss, and incidents, when the policies are followed by employees. Although the policies pertain to personnel behaviour and expectations, they help keep security top of mind. There are 12 categories under personnel policies. In each blog, we'll go through 4 of them:

For more information regarding personnel policies, check out the reference below. This serves as a great study resource for the CompTIA Security+ and I highly recommend it.


References:
Gibson, D. (2020). CompTIA Security+ : Get Certified Get Ahead SY0-601 Study Guide. Ycda, Llc.


Let’s stay connected: https://www.LinkedIn.com/in/eulac-lipro


Digging Deep, Ready for Battle

by Shaun Washington

March 29, 2023

The focus for this week is digging deep, and not letting the setbacks in life hold you back. Life comes at us in many ways, some more vicious and brutal than others (yes, I'm talking about you, tax paperwork). Like many of you out there, I put on my armor and mask before getting out of bed and heading out of the door. What armor and mask do I speak of?


The armor is your countless experiences that you draw upon to give you strength in the midst of troubling times. Whether you believe in karma or not this world revolves around energy exchange, what you put out into the world comes back to you. I make it a point to not be the stick in the mud that I may feel like whenever I get around others. Everyone is dealing with something but it could be the positive energy I give them that makes the difference in their day.


When I speak about masks, I mean hiding the emotions or compartmentalizing them. I have a bad habit of bottling up my emotions, but this is not what I am referring to. Don't let others see you sweat; stoicism can go a long way in how others perceive you in tough situations. Years in the juvenile detention center getting slapped, spit at/on, called every name but the one that was given to me, and having to deal with everything from riots to touching 💩 with my hands (gloved, of course) have given me thicker skin and the ability to regulate my emotions in the hairiest of situations.


When I changed careers to IT, people would ask me if it is hard to deal with clients/customers. The slight annoyance of having to repeat myself (a lot), or of using what seems like basic problem-solving skills to realize that the webcam's privacy screen (red dot slider-thingamajig) is on, can in no way compare to having to physically restrain a juvenile who is trying to harm themselves.


Everything is not all doom and gloom; one of the major talking points for those looking to break into cybersecurity is finding transferable skills. If I have learned anything from my 12 years working for the Department of Public Safety, it is how to be flexible in my thinking and planning, be aware of body language and other cues of heightened stress or anxiety, build rapport with juveniles and their families, and hit the reset button on my emotions or put on my mask.


I say all of that to say this: every trial and tribulation happened for a reason or purpose, and I learned and grew from each experience. There is a saying that people come into your life for a reason or a season, and I can equate that to job history as well. I have always worked with children, usually ones that had behavioral issues, and this led me into working at the detention center. The detention center is where I gained my respect for safety and security, gained insight into the processes of law, and learned it's better to be proactive than reactive.


I want to challenge any readers to take an introspective look at jobs/skills you have amassed and how they can translate into a cybersecurity role.


Please send me a message on LinkedIn to continue this conversation or brainstorm what transferable skills you possess and how to put them to work for your future in cybersecurity.

Failure

by James Driscoll

March 29, 2023

We have all "failed" at something. Whether it was a test in school, running a business, maybe even a marriage, etc. Now, let me ask: what does fail really mean? According to Google, fail as a verb has two meanings: 1) to be unsuccessful at something; 2) to neglect to do something. To me both sound negative. My goal with this blog is to take the first definition and look at it from a different perspective, as it does not necessarily have to have a negative connotation.

Let us look at the first meaning, "to be unsuccessful at something". Now, we have all been unsuccessful at something at some point in our lives. Whether it was a test in school, running a business, maybe even a marriage that ended in divorce, etc. All of these can be seen as things we may have "failed" at. Now personally, I have "failed" numerous tests in school, and I "failed" running a business, and I have felt bad about both, as I am sure everyone else has when we "fail" at something. So, why do we feel bad when we "fail" at something? The reason we feel bad is the negative connotation that surrounds that word.


What if we look at "fail" from a different perspective? The word "fail" can be looked at as an acronym: First Attempt In Learning. Let us look at the above examples in a different light. For example, a year ago I took my first certification test. It was the CompTIA CySA+ and I missed passing it by 32 points. Essentially, I failed it because I did not get the minimum passing score; however, because I learned the format of the exam and learned that I had studied old material, it was a success. Now, in terms of running a business, I had one when I first retired from the military. I had to shut it down after three months, so essentially it failed. But given that it was a learning experience in what not to do next time, it was a success. The point is that if lessons are learned, then whatever is seen as a "failure" is not unsuccessful, thus making the first definition inaccurate. If that makes sense?


So, do not be afraid to try something new, because when we do and “fail” at it, that is when we not only learn about the new thing we tried but also learn more about ourselves. It is how we grow as human beings.

MAR 22, 2023

Compliance Does Not Equal Security

by James Driscoll

March 22, 2023

There is a saying in the cybersecurity field. That saying is “compliance does not equal security”. Now, when I first heard about this, my first thought was, why doesn’t it? The reason I asked that is because of my 20-plus years of experience in non-IT regulatory compliance. In those cases, especially regarding safety, if we were compliant with the regulations, we were certain things were going to be safe. So, compliance not equaling security confused me for a bit.


After finally being able to do some research, it turns out to be a true statement. Compliance does not equal security for three reasons: 1) Regulatory updates are not keeping pace with technology advancements. 2) There are instances when multiple regulations that govern an organization contradict each other. 3) Organizations simply check the box, saying they are compliant because they are required to do so, not because they see value in the regulations.


Let's talk about each of these three points: 


1) Regulatory updates are not keeping pace with technology advancements. This absolutely makes sense. My experience with the Air Force is that they update their regulations every few years as things change. The cybersecurity field seems not to have that mentality. Take for example the Computer Fraud and Abuse Act (CFAA). The CFAA was passed in 1986 and is not only still applicable 37 years later, but also in serious need of an update. That is just one example of the numerous regulations that need to be updated. Updating outdated regulations is one of the goals of the 2023 National Cybersecurity Strategy.


Point number 2: There are instances when multiple regulations that govern an organization contradict each other. It is highly probable that an organization can be governed by more than one regulation, and that complying with one means not complying with another. When I first started studying cybersecurity and saw that an organization can be governed by more than one regulation, I asked what they are supposed to do and which one takes precedence. The reply I got was that all applicable regulations get followed. Now, I realize that is not always possible. This is something that the 2023 National Cybersecurity Strategy wants to remediate. This is desperately needed.


Finally, let us look at point number 3. Organizations simply check the box, saying they are compliant because they are required to, not because they see value in the regulations. I do not understand how we got to this point. Is it because regulatory updates are not keeping pace with technology advances? Is it because there are instances when multiple regulations that govern an organization contradict each other? Is it possible that the current regulations are a bit ambiguous? Going back to my Air Force career, the regulations that I dealt with every day were specific in their requirements and non-compliance had consequences.


So, how do we as cybersecurity professionals rectify this? Like I said earlier, points 1 and 2 are basically covered by the 2023 National Cybersecurity Strategy. The problem is that the timeline for completion is unknown. Point 3, on the other hand, we have influence over. I think this is where being able to translate the technical verbiage into business verbiage and communicating how the regulations affect the business is critical. I would love to hear if you all have any thoughts or ideas on this.

ATM’s, APT’s, TTP’s, BSA/AML PSA 

by Shaun Washington

March 22, 2023

The Simply Cyber Daily Cyber Threat Report for March 21, 2023 had a plethora of incidents involving banking and made me do some thinking: what can/would I say to someone in the banking industry (ATM) about cyber crime, TTPs (Tactics, Techniques, and Procedures), and APTs (Advanced Persistent Threats)? Cybersecurity as a whole has a lot of acronyms that we need to familiarize ourselves with, including GDPR, PCI-DSS, HIPAA, SOX, SOC, APT, TTP, and many more. There are several that are applicable to the financial sector, but one that I ran across recently is BSA (Bank Secrecy Act).

 

The Currency and Foreign Transactions Reporting Act of 1970—which legislative framework is commonly referred to as the "Bank Secrecy Act" (BSA)—requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. AML (Anti Money Laundering) is the second piece of the bank's infrastructure to deal with fraudulent activities and transactions. When I look at this through a cybersecurity lens, I immediately equate it to GRC (Governance, Risk, and Compliance) auditing. The similarities begin with the internal controls associated with the BSA/AML compliance program, which are right in line with the frameworks used in GRC such as ISO 27001 or the NIST Cybersecurity Framework. The NIST Cybersecurity Framework covers reducing risk, vendor monitoring, compliance, and vendor assessments. The cybersecurity risk is considered as part of the organization's risk, and all must be taken into account for the holistic health and safety of the organization's assets ($$$).


A Cybersecurity Analyst / GRC Analyst / SOC Analyst all have some crossover with the position that handles BSA/AML in the bank, the Fraud Analyst. For example, a Fraud Analyst is responsible for reviewing system-generated alerts to identify fraudulent activity; they then determine the action required to protect the bank's assets and work with management on handling complex cases as required. That role is almost identical to the duties of a SOC Analyst; both roles are “watching glass”, i.e., checking logs/alerts and making determinations of steps to triage or escalate the alert/ticket as required. Cross-training in cybersecurity almost seems necessary to stay abreast of the current trends APTs are using to compromise end users, their accounts, or third-party suppliers.


There are specific TTPs that TAs (Threat Actors) are using to take advantage of vulnerabilities found in all assets that are internet facing, as well as social engineering to manipulate the users. The banking trojan “Mispadu” made the news for targeting banks in Latin America. The tactics that they are using to accomplish this involve compromising WordPress sites to act as C2 (Command and Control) servers. They are also using phishing emails and invoice scam attachments as their technique on this attack vector. Ransomware incidents are widespread and affect any and everyone, from bank to hospital to school. It is no holds barred, and cybersecurity professionals, fraud analysts, and law enforcement all work together, sometimes unknowingly, to remediate and correct these crimes.


The grind of staying up to date through training, networking, research, and collaboration is a daunting task for anyone in any anti-crime job. My takeaway from this is to use all the resources available and share intel whenever possible for the advancement of the field. I am going to list but a few sources for any cybersecurity professional or fraud analyst to use:

 

They say bad things come in 3s: death and Cybersecurity acronyms. Study up to learn and grow with the community members.


Glossary of 3’s:

MAR 15, 2023

Staying Focused

by Shaun Washington

March 15, 2023

As many of you know from either interacting with me or from living the grind that is being a cybersecurity professional, the need to stay up to date and learn new skills is paramount. I have shared my Not So Secret Recipe for prepping for a SOC Analyst interview, and since then I have continued to add more “Protein” and “Seasoning.” Since then, I have applied for scholarships, grants, and other free training; the universe seems to be on my side, because I was accepted into the March cohort of the VTFoundation Security Analyst Bootcamp (Splunk), GRC Professional Certification training, and Cybersecurity Workforce Certification Training through Ivy Tech Community College.


I am almost overwhelmed at my luck in this regard, but on the other hand I am looking forward to the challenge. I am trying to be a sponge and become as well rounded as I can; then I should find my niche (if I can ever narrow it down: IAM, GRC, DFIR, SOC,……… )

 

My daily grind is going to have to be revamped with all that is currently on my plate. My current responsibilities with Project Management seem to be growing exponentially, with my regular duties not going anywhere. I have 3 app/program integrations that I am “leading” or running point on. I continue to be #TeamLive on the Simply Cyber Daily Cyber Threat Brief, studying for CompTIA Security+, and putting in some time on World of Haiku (I will pick up the ZTM Ethical Hacking Bootcamp in the future).

 

This is a shorter blog than my previous ones, but I am burning the candle at both ends, and now that I have finished the GRC Analyst Master Class I believe I will start my write-up/review shortly.


Stay tuned...

Cybersecurity on YouTube

by Eula Chua

March 15, 2023

Everyone has their own way of absorbing and learning new information. Today’s technology has enabled us to learn via different avenues—through books, articles, podcasts, and videos.

Having a 9-5 schedule can be difficult, especially when you’re using a lot of brain power at work. Making time for learning and development after work is a commitment and sometimes it’s just not doable for everyone. If you’re in this position, don’t worry. You are not alone.

A few weeks ago, I recommended a few resources and articles on how to keep up with the latest IT/Cybersecurity news via articles.

If you are currently following us on LinkedIn, you’ll notice that every Monday, we post about what’s happening #ThisWeekInCybersecurity where we share shows, segments, and learning opportunities from Cybersecurity industry experts.

Some can be long format, others short. If you’re on the road or commuting to work, YouTube is a great platform to stay up-to-date. Though Cybersecurity communities are ever present on LinkedIn, here are some channel recommendations on YouTube where you can also engage and be a part of the community. From giving guidance on how to grow a career in cybersecurity to sharing what it’s like to work in the industry, these are some of the experts I have been following and learning from:


Most of these are located on Cybersecurity Central's Resources by CC page. Check it out, then let us know if you have a channel to recommend. If so, send us a message on LinkedIn!


Let’s stay connected: https://www.LinkedIn.com/in/eulac-lipro


MAR 8, 2023

My (almost) 3 Month Journey in a Gist

by Eula Chua

March 8, 2023

It was once a thought, let alone a dream, to be able to work in IT. I’m almost three months in and I cannot even emphasise how rewarding it is to be in this field. I love that I get to assist users with simple or complex issues and be able to resolve them together.


At my workplace, every day is different. There are days where I would be working on the ticket queues, supporting users within the office, online, on construction sites, or past the border with all kinds of issues — printers, networks, hardware, e-mail, software, and more. There are days where I would be setting up new IT equipment for on-boarding employees and days where I would be moving an entire department onto a new floor. As someone who usually performs well with routine, I did not expect to enjoy a schedule with so much flexibility.


I found that being in IT is not just about fixing things. A big part of being in IT is building relationships, especially if you’re working in an internal IT team for a company. Not only am I learning and building my technical and communication skills, I am also building resilience and growing in humility. “You don’t know what you don’t know.” When it comes to encountering a problem you’ve never dealt with before, it’s important to be honest with yourself and with the user. If you’re not sure how to solve something, communicate the truth with them, but most importantly, reassure them that you will find a way to get the issue solved. Most of the time, the user will understand, depending on the level of issue that you are dealing with. I found that putting myself in the other person’s shoes is what helps me understand what the user might be going through and how I can better assist them.


Overall, my experience in IT and in my new workplace has been amazing so far. There’s definitely a lot of learning, growth, and opportunity in the position that I am in. Although I have been having trouble balancing my time with work, leisure (and LinkedIn), I hope that in the next couple of months, I’ll be able to find time to further my studies, build up my skills within IT and Cyber Security, and continue sharing my journey with you.


Let’s stay connected: https://www.LinkedIn.com/in/eulac-lipro


2023 National Cybersecurity Strategy

by James Driscoll

March 8, 2023

Disclaimer:  The thoughts and ideas below are that of my own and do not reflect that of my employer.  Also, this is done from the perspective of someone that is new to the cybersecurity industry.  All opinions are based off of what was learned through school and a career involving 20 years active-duty military and 8 years as a government contractor.


On 3 March 2023, the National Cybersecurity Strategy was published by the Biden-Harris Administration.  Believe it or not, this is only the third such strategy.  The other two were published in 2003 and 2018. 


The document starts out by touting the positives of the internet and mentioning some of the amazing things we have been able to accomplish resulting from its inception.  Now, to balance that, some of the not so favorable aspects are also mentioned.  Also mentioned is the primary goal that the administration hopes to accomplish for the United States and its Allies.  That goal is “to build a digital ecosystem that is easily and inherently defensible, resilient and aligned with our values” (2023 National Cybersecurity Strategy).


So, to reach the aforementioned goal, my impression is that all the Executive Orders (EOs) that have been issued in the past two years have been combined into this one document.  I say that because a lot of the EOs are listed here.  There is also a reference to the 2008 Comprehensive National Cybersecurity Initiative.  The idea is to not only continue but also evolve that initiative.  One thing that I was happy to see is that while this current strategy replaces the one from 2018, it will not completely wipe it out.  The plan is to press forward with a lot of the concepts established in the previous administration.


Let us move into basically the meat and potatoes of the National Cybersecurity Strategy.  This part is separated into what the administration is calling Five Pillars.  The first thing I thought of when I saw the term Five Pillars is that of the Zero Trust Model.  For anyone that is not familiar with Zero Trust, here is a picture of it.  Simply replace the concepts of Zero Trust with the five concepts of the National Cybersecurity Strategy.

PILLAR 1 | DEFEND CRITICAL INFRASTRUCTURE


This section of the document is separated into five strategic objectives. 


Strategic Objective 1.1:  Establish Cybersecurity Requirements to Support National Security and Public Safety.  Please correct me if I am wrong, but isn’t this something that should have been accomplished a long time ago?  Anyway, the plan here is twofold.  1) Create new regulations.  I can without hesitation tell everyone that I am not a fan.  It does not make sense to create new regulations when there are current ones in place not being enforced.  2) Update current regulations.  I am 100% on board with this idea.  The reason is that there are regulations that have been around for decades that are still applicable and desperately need to be updated.  An example of this is the Computer Fraud and Abuse Act (CFAA).  This was written in 1986 and has had no real update.


Strategic Objective 1.2:  Scale Public-Private Collaboration.  There is a saying that has been attributed to several African cultures that is applicable here.  That saying is “it takes a village” and in the context of cybersecurity, it is true.  Neither the United States Government nor the Private Sector will be successful in securing critical infrastructure on their own. 


Now, for there to be greater collaboration between the United States Government and the Private Sector, there is an obstacle that must be overcome.  Some people may be asking what that obstacle is.  That obstacle is that some people do not trust the government.  A good example of this is the recent train derailment in Palestine, Ohio.  The citizens there do not trust what the EPA (government) is telling them.  President Reagan said there is a phrase that nobody wants to hear, and it is applicable in 2023, which is a problem.  That phrase is “I am from the government, and I am here to help”.  So, to accomplish this objective the Private Sector must be able to trust the government, and that alone might take a while to accomplish.


Strategic Objective 1.3:  Integrate Federal Cybersecurity Centers.  What does this mean?  Taking an educated guess based on my 20-year military career and additional eight years as a government contractor, I would say this means improving communication between the various agencies.  If I am incorrect, please someone let me know.


Strategic Objective 1.4:  Update Federal Incident Response Plans and Processes.  This is one of those concepts that makes no sense.  I say that because keeping incident response plans and processes up to date is something that should already be occurring on a regular basis.  Perhaps it is the wording of the title that is the issue.  I say that because the whole point of this is to define which of the many federal agencies the private sector needs to contact depending on their industry. 


Strategic Objective 1.5:  Modernize Federal Defenses.  This section talks about not only replacing obsolete systems but also implementing newer security controls such as Zero Trust.  The goal here is to have a network that is “easily defended and more resilient which would be a model for the private sector to emulate” (2023 National Cybersecurity Strategy).  Do not get me wrong, I think this is an awesome idea; however, I question why this was not thought of before 2023.


PILLAR 2 | DISRUPT AND DISMANTLE THREAT ACTORS


This pillar is also broken up into five Strategic Objectives.


Strategic Objective 2.1:  Integrate Federal Disruption Activities.  Like Strategic Objective 1.3, this sounds like not only improving communications between agencies but also making sure they are on the same page operationally.  Again, if I am incorrect in this please let me know.


Strategic Objective 2.2:  Enhance Public-Private Operational Collaboration to Disrupt Adversaries.  The concept of government and private sector collaboration is a recurring theme in this document.  The government is encouraging the private sector to communicate through any of the organizations that serve as hubs for the government.  Like I said in Strategic Objective 1.2, the government has a lot of work to do to reestablish that trust with the private sector before they can think about improving collaboration.

 

Strategic Objective 2.3:  Increase the Speed and Scale of Intelligence Sharing and Victim Notification.  While I agree that the timeliness of intelligence sharing is crucial in disrupting a threat actor’s activities, there is a concept missing.  That concept is information accuracy.  Being able to share intelligence information quickly is useless if the information being shared is not accurate.


Strategic Objective 2.4:  Prevent Abuse of U.S. Based Infrastructure.  Preventing adversaries from using U.S. based infrastructure for nefarious reasons is the goal of this objective.  There is no indication that there is a specific plan on how to accomplish that.  It simply restates a concept that should not have to be restated.  That concept is that “service providers must make attempts to secure the use of their infrastructure against abuse or other criminal behavior” (2023 National Cybersecurity Strategy).


Strategic Objective 2.5:  Counter Cybercrime, Defeat Ransomware.  The goal here is to reduce the instances of ransomware.  There is a four-part plan on how to do that.  1) Work with international partners to limit the freedom of criminals.  2) Investigate instances of ransomware from a law enforcement perspective.  3) Increase infrastructure resilience.  4) Limit the ability of criminals to leverage cryptocurrency as a ransom payment.


There are two points in the following statement in this section that I do not agree with.  The statement is “the administration strongly discourages the payment of ransoms.  At the same time, victims of ransomware – whether they chose to pay a ransom – should report the incident to law enforcement and other appropriate agencies”.  The first point is “strongly discourages”.  The reason I disagree with this is because the language is not strong enough to deter organizations from just paying.  The second point is “whether or not they chose to pay a ransom”.  The reason I disagree with this is because there should be no choice.  There are established processes and procedures (BC / DR / IR plans and backups) that, if done correctly, would mean there is no need to pay to get information back.  Also, what is not mentioned is that paying certain ransomware groups may in fact be illegal.  The U.S. Treasury Department Office of Foreign Assets Control (OFAC) has a sanctions list of foreign entities, and conducting business with those listed entities, to include paying ransoms, can bring legal action from the government.


PILLAR THREE | SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE


This pillar is separated into six strategic objectives. Strategic Objective 3.1: Hold the Stewards of Our Data Accountable.  While I think that the collection, use, sharing, and storing of personal information should be limited, as there is way too much of that, I question if it is necessary to limit it through legislation.  I have said it earlier: it makes no sense to create new legislation if current legislation is not enforced.  A better idea would be to update what is already on the books and enforce that.


Strategic Objective 3.2: Drive the Development of Secure IoT Devices.  There is one idea in this section that I cannot get on board with.  That idea is creating security labels for IoT devices.  For anyone that is not familiar with this idea, let me give you the Reader’s Digest version.  Think of security labels like nutrition labels on packaged food.  They are designed to give consumers the ability to compare the security of IoT devices.


The reason I am not on board with this is because it will not help anything.  I say that because our society is an instant gratification society.  By that I mean when we want something, we want it right now.  When society in general buys, in this case, an IoT device, they want to be able to take it out of the box, plug it in, turn it on, and have it running with minimal effort.  I think these labels are going to have the opposite effect that the administration is hoping for.


Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services.  The whole point of this section is to secure the software products that are created.  Basically, moving from the idea of push to production and fix later to securing the product before it goes to production.  Now, before I continue, something I learned about this section is that this is not the first time this has been brought up.  It turns out that this was first talked about in the 2003 National Cybersecurity Strategy.  Makes me wonder why this has not been brought to fruition in the last 20 years.


The problem here is like I said in the last objective.  It is that whole instant gratification idea.  In this case it is all about making money as quickly as possible.  That means pushing a product out as quickly as possible even if it has problems.  For this reason, I can almost guarantee that there will be push back.


Strategic Objective 3.4: Use Federal Grants and Other Incentives to Build in Security.  Money is going to be the primary factor in everything in this pillar being successful.  The government must find a way to fund it.  Now, there has been some progress with the passing of the Bipartisan Infrastructure Law, the Inflation Reduction Act, and the CHIPS and Science Act but there is a long way to go.


Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability.  This section is all about holding government contractors accountable when they fail to adhere to cybersecurity regulations.  It talks about using the Civil Cyber-Fraud Initiative (CCFI) and the False Claims Act to do that.  I question if that is necessary.  I say that because if the requirements are written in the contract, then it becomes a contract violation, which can not only cause them to lose the contract they are on but also affect the organizations’ ability to be awarded government contracts in the future.


Strategic Objective 3.6: Explore a Federal Cyber Insurance Backstop.  This is an interesting section.  If there is a catastrophic cyber incident, it is not that the Federal Government COULD be called; it should say the Federal Government WILL be called.  So, I get the impression that they are not prepared for that.  If I am wrong in this, please let me know.


PILLAR 4 | INVEST IN A RESILIENT FUTURE


This pillar also has six strategic objectives. Strategic Objective 4.1: Secure the Technical Foundation of the Internet.  The impression I get is that this is an extension of Strategic Objective 1.5.  It just goes into more detail as to how to achieve it.  The two probably could have been combined.


Strategic Objective 4.2:  Reinvigorate Federal Research and Development for Cybersecurity.  This is actually a good idea.  For technology to keep advancing, we must invest in research and development (R&D).  The thing is, to be successful we need to invest in areas that are relevant, such as quantum computing and artificial intelligence, just to name a few.


Strategic Objective 4.3:  Prepare for Our Post-Quantum Future.  The goal here is to ensure that our data remains secure.  Currently that is done through encryption; however, with advances in technology, we are quickly coming to a point where quantum computing will be capable of breaking that encryption.  This section simply talks about the need to protect our infrastructure from this emerging technology.


Strategic Objective 4.4: Secure Our Clean Energy Future.  While this is a good idea, it is worded poorly.  As written right now, the impression I get is that the government wants to focus all their energy on securing “clean” energy and ignoring what we already have.  That is a problem, as we need to not only secure our energy future, which should be clean, but we also need to secure the energy we currently have, which honestly should take priority.


Strategic Objective 4.5:  Support Development of a Digital Identity Ecosystem.  I had to read this section multiple times and the impression I get is that there is a lot of talk but really no substance.  It does mention how easy it is to commit fraud.  So, to make an educated guess, I would say the goal here is to work to prevent fraud in a digital ecosystem.  If anyone has other ideas, I would love to hear them.



Strategic Objective 4.6:  Develop a National Strategy to Strengthen Our Cyber Workforce.  We all know that there is a severe shortage of talent in the world of Cybersecurity, and it is only going to get worse.  As written, the plan to tackle this shortage is to expand on existing programs.  The government also wants to address the lack of diversity in this field, which is a good thing.


PILLAR 5 | FORGE INTERNATIONAL PARTNERSHIPS TO PURSUE SHARED GOALS


There are five strategic objectives here as well. Strategic Objective 5.1:  Build Coalitions to Counter Threats to Our Digital Ecosystem.  This section takes the goal of collaboration that we saw earlier with the private sector and expands it to include foreign partners.  Another good idea, as most of the attacks against the United States originate in foreign countries.  The document mentions numerous partnerships and coalitions that have been formed with various groups of countries.  Why can we not simply combine all these coalitions and partnerships into one, or better yet, work this through the intelligence groups the United States is a part of (5-Eyes, 9-Eyes, 14-Eyes)?  I do not see the need to complicate things more than they already are.

Strategic Objective 5.2:  Strengthen International Partner Capacity.  What I gather from this section is that the United States is going to continue to work with foreign partners to improve their ability to fight cyber criminals.  It seems the goal here is to ensure that everyone is on the same page in fighting cybercrime.

Strategic Objective 5.3:  Expand U.S. Ability to Assist Allies and Partners.  My impression of this section is that while the United States wants to assist our foreign partners in the event of a cyber-attack, we will only do so if it is in our national interest.  So, to make that decision, even more policies are going to be created.  This sounds like something that should have been created before 2023.


Strategic Objective 5.4:  Build Coalitions to Reinforce Global Norms of Responsible State Behavior.  While I completely agree that global norms need to be enforced, looking at where we are right now, a lot of work needs to be done.  The document talks about members of the United Nations committing to enforcing these norms.  All I have to say about this is that talk is cheap.  Making statements condemning actions does not enforce global norms.  Tiered sanctions do not work either, as evidenced by the Russian invasion of Ukraine.  Any action needs to be not only swift but also must cause the maximum amount of pain for the offender.


Strategic Objective 5.5:  Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services.  As we have seen numerous times recently, securing the supply chain is critically important.  So, it makes sense to be in here.  Something that comes to mind while reading this section is a term I had read while studying for the CySA+.  That term is “Trusted Foundry”.  This is a program used by the Department of Defense to ensure the security of the manufacturing infrastructure for information technology vendors that create hardware for the military.  So, my question is, why can’t the rest of the U.S. Government use that as a model, if not use it outright?  I said it earlier and will say it again: there is no need to reinvent the wheel.  A program already exists; simply expand on it.


IMPLEMENTATION

This section basically talks about working with private-sector and foreign partners to reach the objectives in this strategy.  I would have liked to see a little more substance, but it is a lot of ambiguous ideas, just like the rest of the document.

MY IMPRESSION

Overall, the 2023 National Cybersecurity Strategy has a lot of potential to be a game changer for the industry.  The issue I have is I think that it will be stuck at having potential.  As I have pointed out, there are some good points.  I also have pointed out that there are points in here that basically do not make sense to me.  As I have said multiple times here, if I am wrong in any way, please reach out to me and we can have that discussion, as I am new to this industry.


Practical experience 

by Shaun Washington

March 8, 2023

This week I had a reply to a comment I made about completing a Udemy course on CrowdStrike Falcon, and it has made me think. Employers want us to have experience, but in the case of CrowdStrike, Henri Davis reminded me that getting hands-on access to the platform was going to be extremely difficult if my current company didn’t already have it.

 

I may not be able to practice on CrowdStrike, but it was suggested that I look into Windows Defender. This brought me back to thinking about what trainings/platforms someone interested in learning could access without the need for an enterprise account.

 

The first platform that I use to enrich myself is Security Blue Team's eLearning site; I am currently working through the Blue Team Junior Analyst pathway. The pathway consists of courses on Network Analysis, OSINT, Digital Forensics, Dark Web Operations, Threat Hunting, and Vulnerability Management. Each section shows you several tools that are open source or not locked behind a paywall for personal usage.

 

The second platform that I am using is a new purchase I made, World of Haiku. This is a gamified learning platform that introduces and lets you practice Linux and other tools used in cybersecurity such as Nmap and John the Ripper. There is a free demo, but I decided to invest the money to give myself full access and use my time in the “game” as downtime from the constant barrage of video and text that I have been ingesting during this grind to enter the cybersecurity field. There are plenty of other similar platforms, such as HTB (Hack The Box), LetsDefend, and TryHackMe, but I feel like using gaming to learn will help drill information and some situational awareness into me while also being a break from the norm.

 

There are several certifications that are less about memorizing material and more about using the knowledge you have in practical, real-life situations. I have not taken any of them, but I may delve deeper into them in a future blog. The top ones that come to mind are TCM Security's PNPT and Security Blue Team's Blue Team Level 1. I know that for myself I like to read something, then see it done, and lastly do it myself. Everyone's learning style is different, and you should make it a point to know yours so that you can excel at your future endeavors.


I can't stress enough the importance of networking, building up your brand, and trying to skill up. Looking at my LinkedIn metrics, I can see the exact time that I got involved with the cybersecurity community on LinkedIn, which then introduced me to the team at Cybersecurity Central and Simply Cyber. Continue grinding, make new connections, try to learn something new each day, and try to help those around you. You will be surprised at what you have to offer; even if it's just encouragement, it is all beneficial.


MAR 1, 2023

Adding Fuel To The Fire

by Shaun Washington

March 1, 2023

I don’t want to jump the gun, but I will be transparent on the blog the same way that I am with anyone I choose to deal with. I am currently working in IT at a company that I can say cares about my and the staff’s wellbeing, and I have long-standing relationships with C-level staff from my first stint there working on the ropes course, doing experiential education, and teaching substance abuse prevention classes for all age groups. The first time that I left this company was for stable employment that was not going to be affected by grant funding (non-profit problems); now I am back, full circle, after a 12-year stint working at the local Juvenile Detention Center. Fast forward to not even a year into my first IT role, and I have had to seek alternative sources of income, which includes driving for Uber, and job searching.


In a perfect world I would keep doing this position for a few more years, because I am truly grateful to have coworkers that I get along with and who support each other in learning and everything else. I have had to “turn it up to 11” in terms of my networking and job searching to try to pivot to another IT position or break into cybersecurity, because the little bit of cushion I had built up has long been eaten away by ridiculous gas prices and by losing around 15k in income making the career change (looking to play the long game). I know that I just need an opportunity to prove myself and to learn and grow in cybersecurity.


Well, thanks to all the resources and knowledge I have gained from Cybersecurity Central, numerous cybersecurity professionals in my LinkedIn network (Henri Davis, Kevin Apolinario, Gerald Auger just to name a few), free resources and training and countless inspiring posts and conversations, I have gotten to interview for a SOC Analyst 1 position. I feel confident in my preparation due to the grind I have been on studying for Security +, GRC Analyst Masterclass, and ZTM Ethical Hacking Bootcamp. I am currently waiting to see if I am offered the position (fingers crossed).


I just want to share the resources that I used to get myself to this point, even if I don’t get the position I have definitely grown, and I will be ready for the next interview when/if that comes to fruition.


Here is my not so Secret Sauce (in no particular order):

- Security Blue Team – Blue Team Junior Analyst Pathway Bundle – elearning.securityblue.team

- Dr. Gerald Auger’s GRC Analyst Masterclass, SOC Analyst Interview Questions - YT

- Zero To Mastery Ethical Hacking Bootcamp 2023 on Udemy

- Let’s Defend SOC Analyst Interview Questions

- Henri Davis - TechTual Chatter Podcast and SOC Analyst Interview Questions - YT

- Day “Cyberwox” Johnson – Cybersecurity & Detection Lab Playlist – YT

- Mike Chapple, Jason Dion, Ian Neil, and Professor Messer - Security+ Book, Videos, and Practice Exams


This is not an exhaustive list, but this was my bread-and-butter combo to gaining confidence, knowledge, and skills. Please share with others in your network. Knowledge without action is wasted.


Disclaimer: Results may vary. What energy and effort you put in will be returned to you.

Continuing Education

by James Driscoll

March 1, 2023

The cybersecurity realm is constantly evolving, as we know.  The constantly changing landscape is why a lot of the certification organizations (CompTIA for one) update their certification exams every three years.  It is also the reason why the certifications themselves expire after three years.  So, does this mean that to renew a certification you have to retake the exam every three years?  Absolutely not.  The various certification organizations realize that retaking an exam every three years is simply not practical, so they have all developed a way to keep certifications current using Continuing Education Units (CEUs).  In the rest of this blog, I will be discussing how CompTIA handles CEUs, as I only have a CySA+.  For anyone that has a certification from another organization, I recommend going to their site and reading up on their procedures.

CompTIA makes it easy to figure out what is needed to keep their certifications current.  The best part is that you do not need to log in.


Simply go to www.comptia.org.  When the page comes up, you will see “Continuing Education” at the top. Hover over it and, in the drop-down box that appears, click on Continuing Education Units (CEUs).

The next page that comes up will display the various CompTIA certifications in a bar graph style format along with a number.  This gives a clear depiction of the number of CEUs that are required in a three-year period to stay current:

Now, just below the graph, CompTIA tells you how to earn CEUs.  Also on the right side of the page is a section called “Popular Renewal Options”.  The option that is particularly interesting is “Preapproved Training”:

The page that comes up when you click on “Preapproved Training” has a chart.  This chart breaks down the maximum number of CEUs a person can earn for each type of qualifying activity in that three-year period before the certification expires. As you can see below, there are a total of five qualifying activities on the left side of the chart.  The individual certifications are across the top of the chart.  The data in the middle are the maximum number of CEUs that can be earned for the activity, based on the certification:

The rest of the page breaks down each qualifying activity.

For those of us that have CompTIA certifications, I highly recommend reading through their continuing education pages.  From what I can see, they really put in a lot of time and effort to explain everything and take a lot of the guesswork out of deciding if an activity qualifies towards renewal.

Hope this helped in your CompTIA journey!


FEB 22, 2023

Finding My Space

by Shaun Washington

February 22, 2023

As I have been doing research on how to improve my chances of landing a role in cybersecurity, there has been a constantly recurring point: you must focus on an area of cybersecurity, niche down, and not be too broad, because being too broad makes you harder for recruiters to find. At first, due to the exposure and experience I received from CFCC’s Cyber Crime Technology program, I was leaning heavily towards Ethical Hacking and Red Team, and also DFIR; those were the most interesting subjects that I had the opportunity to learn.


My LinkedIn journey has broadened my horizons and exposed me to even more positions such as SOC Analyst, GRC Analyst, and IAM (Identity Access Management). After making connections with Henri Davis, Gerald Auger, and quite a few others in the IT and Cybersecurity field, I am trying to leverage my transferable skills and trainings to focus primarily on IAM, DFIR, and GRC.


My current role as an Application Support Specialist has given me experience working with Active Directory, Office365, Athena Practice, and several other platforms that have different Access Controls such as RBAC (Role Based Access Control), and DAC (Discretionary Access Control). This experience has given me the basic premise of what an IAM Analyst would do.


My degree has given me experience with doing DFIR (Digital Forensics and Incident Response). In several of my classes and my Capstone, I had to leverage tools such as FTK Imager, The Sleuth Kit, Autopsy, and SANS SIFT to create forensic images of drives and find artifacts and evidence on those drives and in slack space. After the investigations I had to create reports that documented my process and findings.


Last but not least, my interactions on LinkedIn helped me cross paths with Cybersecurity Central and the GRC Analyst Master Class by Gerald Auger. I am about 50% through the training and have been presented with the opportunity to put this knowledge to use by helping a friend become compliant with DD-2345 and NIST 800-171. So far I have gathered the documentation and created an audit guideline that I will use to get some practice auditing and to help my friend with his SSP (System Security Plan).


All 3 of those areas are battling for my attention and it is hard for me to narrow down to just one area I want to  pursue. I have posed the question to my network on LinkedIn as to whether or not there is a role in the Cybersecurity world that encompasses all those areas but I think the consensus is in the words of the late DMX, “Stop being greedy.” At this point I will continue the grind to skill up and gain practical experience and “patiently” wait for the opportunity to get into Cybersecurity. As always, until that time presents itself, I will do my best to support those around me and to learn from those that are where I want to be.


Follow Shaun on LinkedIn at: https://www.linkedin.com/in/shaun-washington-8a428240


Keeping Up-to-Date with Cybersecurity News


by Eula Chua

February 22, 2023

With all the personal responsibilities, professional development, and other daily tasks we have on our plates, it can be hard to find time to keep up with what’s new within the IT/Cyber Security industry.


New technologies and trends continue to move forward drastically. It’s essential to stay up-to-date to ensure we don’t miss out on what could help or break our systems, let alone, our overall workflows.


Whether you listen during a workout or read on your commute, here are some of the top news resources you should check out:



Take a look at our tab above for more resources recommended by Cybersecurity Central and follow us on our Cybersecurity Central LinkedIn page for new updates every week!


Follow Eula on LinkedIn at: https://www.linkedin.com/in/eulac-lipro 


FEB 15, 2023

What Is Entry-Level?

by Shaun Washington

February 15, 2023

What is entry-level? Oxford defines entry-level as “at the lowest level in an employment hierarchy.” That doesn’t sound quite right, Hey ChatGPT define entry-level, “Entry-level refers to a job, position, or task that is designed for individuals who are new to a particular field or industry, typically requiring little or no previous experience. It is often the starting point for a person's career in a particular profession or job category. Entry-level roles may have lower pay and fewer responsibilities compared to higher-level roles within the same organization.” Hmm, let me see what that job description said again, “minimum of 7+ years exp.......”

 

Does this look familiar? I am greeted by similar, if not more outrageous, “qualifications” for entry-level positions in IT and Cybersecurity. I fully understand the need for experience when dealing with the safety and security of people and information. My background before making the transition to IT was in Substance Abuse Prevention and then I did 12 years working for the Department of Public Safety as a Juvenile Justice Officer. On the job training was expected, I shadowed coworkers who had experience and then was given projects and tasks with varying difficulties and responsibilities. There was even a “bootcamp” to learn policy and procedure and the necessary skills for people in my position.

 

That doesn’t seem like a lot to ask: look at a potential candidate in a holistic manner.


I could go on ad nauseam, but I’m preaching to the choir. Why must we “break” into IT / cybersecurity? Those who came before us didn’t all have to break in; someone took a chance or gave them an opportunity to prove themselves. The job market has a lot of parallels to the school system: what was taught in years past as what you should strive to become is now expected of those who haven’t even begun. Things I learned in late middle school and early high school, children are now learning in elementary school. The focus is on metrics and achieving, but at the cost of the development of the one coming up through the system.


We live in a flawed world with flawed people, we have to change the system; but for that to happen, we have to BE the change that we want to see. I am on my daily grind trying to learn as much as possible to make my move from IT to Cybersecurity. I used my network and former coworkers to help me pivot my career from being a Supervisor at a Juvenile Detention Center to Application Support Specialist.


I will be that bridge for those behind me, I will celebrate the victories of my peers and coworkers because when the time comes I want others to celebrate my victories and to be the help that I need to grow. Okay I’m jumping off my soapbox, Rant done.

“Helping other people is the best way to make up for your mistakes.” - Kenshin Himura



References:




FEB 8, 2023

Asymmetric Key Encryption Algorithms

by Eula Chua

February 8, 2023

Hope you had time to reflect as we began the month of February. If you haven’t yet, check out my previous blog post, “Time for Reflection”.


Two weeks ago, we looked into what a symmetric key encryption algorithm is and the key differences between each one that fall under that category. This week, we’re going back to our regular programming on encryption algorithms and dive deeper into asymmetric key encryption.


In asymmetric encryption, two mathematically linked keys are used: a public key, which can be handed to anyone, and a private key, which never leaves its owner. To send a confidential message, the sender encrypts with the recipient's public key, and only the matching private key can decrypt it; the public key alone cannot reverse the operation, so it is not true that both keys are needed to read a message. Run the other way round, the private key produces a digital signature that anyone can verify with the public key, and that is what gives authenticity and non-repudiation. The math is far slower than a symmetric cipher, so in practice asymmetric encryption is used for small amounts of data, typically a symmetric session key that then protects the bulk traffic (a hybrid scheme). Asymmetric encryption is not "more secure" than symmetric encryption per se; its advantage is that it solves the key-distribution problem, because no secret key has to be shared in advance. A few examples are: Diffie-Hellman, ElGamal, ECC (Elliptic-Curve Cryptography), RSA (Rivest Shamir Adleman), and DSS (Digital Signature Standard). Let’s look at the key points of each one.


Diffie-Hellman:


ElGamal:

- Published by Taher Elgamal in 1985

- Built on the Diffie-Hellman exchange: the recipient's public key is g^x mod p, and every encryption uses a fresh ephemeral exponent k, so the same plaintext produces a different ciphertext each time

- Security rests on the difficulty of the discrete logarithm problem in the chosen group: an attacker who knows g, p, the public key g^x and the ciphertext still cannot recover x or the message


ECC (Elliptic Curve Cryptography):

- Achieves the same security level as RSA or Diffie-Hellman with much shorter keys (a 256-bit ECC key is roughly comparable to a 3072-bit RSA key)

- Faster and lighter on CPU, memory, and bandwidth, which is why it dominates mobile, IoT, and modern TLS (ECDHE key exchange, ECDSA signatures)

- Security comes from the elliptic-curve discrete logarithm problem, which is harder per key bit than factoring or ordinary discrete logarithms

- Normally used in a hybrid scheme with a symmetric cipher (ECDH to agree on a key, AES to encrypt the data), so fewer and smaller key bits do the job


RSA (Rivest Shamir Adleman):

- Published by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977

- The most widely deployed asymmetric algorithm, used both to encrypt data (usually session keys) sent over insecure networks and to sign it

- RSA encryption provides confidentiality; RSA signatures provide integrity and authenticity. The textbook operation is not safe on its own; the padding schemes (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) are what make it secure in practice

- Security rests on the difficulty of factoring the modulus: 1024-bit keys are deprecated, 2048 bits is the current minimum, and 3072 or 4096 bits is recommended where data must stay protected for many years


DSS (Digital Signature Standard):

- FIPS 186, the U.S. federal Digital Signature Standard, specifies the approved signature algorithms: originally DSA, with RSA and ECDSA signatures added in later revisions (FIPS 186-5 adds EdDSA and retires DSA for generating new signatures)

- A signature is computed over a hash of the data with the signer's private key and verified with the public key, so it authenticates the signer and detects any tampering or modification in transit, whether or not the data itself is encrypted

- U.S. federal agencies (and their vendors) use DSS algorithms to sign and validate documents, software, and certificates
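Here is an added worked example (my own illustration, not code from the original post or from any library) showing two of the algorithms above working together using only Python's standard library: Diffie-Hellman key agreement and ElGamal encryption over the same group. It uses a small 128-bit safe prime generated at run time and textbook constructions without padding, both assumptions made for readability; the function names and the sample session key are constructed for this example. It makes the two points from the text concrete: the two sides of a DH exchange arrive at the same secret without ever sending it, and an ElGamal ciphertext made with Bob's public key decrypts only with Bob's private key.

```python
"""Diffie-Hellman key agreement and ElGamal encryption over one shared group.

Textbook constructions for illustration only: no padding, no authentication
of the exchanged public keys, and a 128-bit safe prime generated at import
time so the script runs instantly. Real systems use standardised 2048-bit+
groups (RFC 3526 / RFC 7919) or elliptic curves through a vetted library.
"""
import secrets
from typing import Tuple


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definitely composite
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with both p and q prime (a 'safe prime')."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = generate_safe_prime(128)   # public modulus (assumption: tiny, demo only)
Q = (P - 1) // 2               # prime order of the subgroup we work in
G = 4                          # 2^2 is a quadratic residue, so <G> has order Q


def keygen() -> Tuple[int, int]:
    """Private key x in [1, Q-1]; public key y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dh_shared_secret(my_private: int, their_public: int) -> int:
    """Diffie-Hellman: (G^b)^a == (G^a)^b mod P, so both sides agree on a
    value that never crosses the wire."""
    return pow(their_public, my_private, P)


def elgamal_encrypt(recipient_public: int, m: int) -> Tuple[int, int]:
    """Anyone holding the recipient's PUBLIC key can encrypt 0 < m < P.
    A fresh ephemeral k randomises the ciphertext (same m, new output)."""
    if not 0 < m < P:
        raise ValueError("message must be an integer in (0, P)")
    k = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, k, P)                              # ephemeral DH share G^k
    c2 = (m * pow(recipient_public, k, P)) % P     # m masked with y^k = G^(xk)
    return c1, c2


def elgamal_decrypt(private: int, ciphertext: Tuple[int, int]) -> int:
    """Only the matching PRIVATE key recovers m: s = c1^x = G^(kx) = y^k."""
    c1, c2 = ciphertext
    s = pow(c1, private, P)
    return (c2 * pow(s, -1, P)) % P                # multiply by s^-1 mod P


# Constructed sample: a 96-bit symmetric session key, the kind of small
# payload asymmetric encryption is actually used to carry.
SAMPLE_SESSION_KEY = bytes.fromhex("00112233445566778899aabb")


def wrap_session_key(recipient_public: int, key: bytes) -> Tuple[int, int]:
    return elgamal_encrypt(recipient_public, int.from_bytes(key, "big"))


def unwrap_session_key(private: int, ct: Tuple[int, int], length: int) -> bytes:
    return elgamal_decrypt(private, ct).to_bytes(length, "big")


if __name__ == "__main__":
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    assert dh_shared_secret(alice_priv, bob_pub) == dh_shared_secret(bob_priv, alice_pub)
    ct = wrap_session_key(bob_pub, SAMPLE_SESSION_KEY)      # Alice uses Bob's public key
    assert unwrap_session_key(bob_priv, ct, 12) == SAMPLE_SESSION_KEY
    print("DH agreed and ElGamal round-trip OK; P =", P)
```

Run it directly to see the agreement and the round-trip. Note what is missing for real use: the public keys are not authenticated (a man-in-the-middle can substitute their own), the plaintext is not padded, and the group is far too small; use a vetted library with standardised groups or curves.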


References:

https://review42.com/resources/types-of-encryption/







Types of Corporate Cybersecurity Documentation

by James Driscoll

February 8, 2023

One day till my CompTIA CySA+ exam. So, for this last blog before the exam, I thought I would talk about corporate cybersecurity documentation. Having clear and precise documentation is critical if an organization is to have a successful cybersecurity program. There are four types of documentation that I will cover below, 1) policies; 2) standards; 3) procedures; 4) guidelines:






I will post my results on LinkedIn. I want to thank everyone that has followed this journey and sincerely hope there was value in these posts. I will be on vacation for the next couple of weeks, so I will not have a blog until 1 March.

 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CS0-002 (2nd ed.). Indianapolis: John Wiley & Sons.


FEB 1, 2023

The Containment Phase

by James Driscoll

February 1, 2023

Alright everyone, just eight days 'til my CompTIA CySA+ exam. For this week’s blog, I thought I would talk about the various containment strategies once an incident has been discovered. If you remember from last week, I mentioned the different phases of incident response. Containment is one of those phases.


When we talk about containment, we are talking about restricting the movement of the threat actor to the systems or part of the network they already have access to. This also means not providing a path to the rest of the network. There are four ways in which to restrict that movement, noted below:


 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CS0-002 (2nd ed.). Indianapolis: John Wiley & Sons.


Time for Reflection

by Eula Chua

February 1, 2023

Hello February!

=====

Originally I planned to continue on the topic of encryption algorithms but today’s #BlogByCC happened to fall perfectly on a new start to the month, and to do things differently, I want to take this opportunity to encourage and promote more self-reflection. I noticed throughout the years, I would go months on just zooming through life and end up feeling a little bit lost in between. Just as with studying, if you don’t go back to review what you learned, you’ll end up forgetting it. Similarly with life, if you don’t take the time to reflect on how things are going, how would you know where you’re heading towards is the direction you want to be going?


First of all, happy 1st of February! I can’t believe January flew by just like that. I remember starting off the month feeling a mixture of excitement and nervousness. I started my new IT career at a new workplace, which has been by far amazing and exceeds my expectations. There are moments where I felt a little bit of impostor syndrome but that gets trumped when I realize that I’m in a positive environment surrounded with people who genuinely care for your well-being, growth, and development. I get to say that I am a part of a growing and collaborative team that teaches and supports users on how to effectively use technology to help streamline their workflow. You know you’re making it when work doesn’t feel like work and that everyday is an opportunity to learn new things.


Enough about me and more about you! As we start a new month, new goals, and new aspirations, take a break to sit down and look back on how your January went. Here are some questions that may help you reflect on the past and upcoming month:



On behalf of Cybersecurity Central, we hope you have a wonderful month of February! Let us know how we can support you in your personal development and career growth in the IT/Cybersecurity sector by connecting with us through the Cybersecurity Central LinkedIn Page: https://www.linkedin.com/company/cybersecuritycentralorg


JAN 25, 2023

Symmetric Key Encryption Algorithm

by Eula Chua

January 25, 2023

Last week, we looked into the key differences between symmetric and asymmetric key encryption algorithms. The differences were in how fast they process and secure data, the kind of protection each provides, the number of keys used to encrypt and decrypt, the relative sizes of ciphertext and plaintext, and what each is used for.


This week, we’ll dive deeper into symmetric key encryption and its different types. Symmetric encryption uses the same key to encrypt and decrypt, so only parties holding that key can read the data. It is fast and cheap, which makes it the right tool for handling and transferring large amounts of data. Its weakness is not the ciphers themselves (AES is not "less secure" than RSA) but key distribution: every party must first obtain the same secret key over some protected channel. The common symmetric algorithms are 3DES, DES, AES, RC4, Twofish, and Blowfish; of these, AES is the one to use for new designs, while DES, 3DES, and RC4 are deprecated. Let’s look at the key points in each one.


3DES (Triple Data Encryption Standard):


DES (Data Encryption Standard):


AES (Advanced Encryption Standard):


RC4 (Rivest Cipher 4):


Twofish:


Blowfish:



References


Phases of Incident Response

by James Driscoll

January 25, 2023

With only two weeks left until my CompTIA CySA+ exam, I am moving right along. This week I will be discussing the phases of incident response, which is Chapter 11 of the CompTIA CySA+ Study Guide: Exam CS0-002.


Before I get into the phases of incident response, we must define a couple terms and determine what constitutes a security incident. Those terms are security event, an adverse security event, and a security incident:



Now that is out of the way, we can move onto the phases of incident response. There are four phases to incident response. Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity. All of these will be discussed in detail below:



3. Containment, Eradication, and Recovery – After it has been determined that an incident has occurred or is occurring, we first limit the damage by cutting off the attacker's (or the malware's) access to the rest of the network. Once this is accomplished, we move on to removing the malware and any other attacker footholds from the affected systems. After the affected systems have been cleaned up, we can move on to recovery, which is where we get everything back to normal operations.


4. Post-Incident Activity – Once everything is back to normal, the incident response is not completely over. There is one final step that is important to accomplish: a lessons-learned review. In the military this is called a “hot wash”. Basically, it is a formal review where everyone involved gets together and goes back over the incident, noting what went well and what needs to be improved.


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CS0-002 (2nd ed.). Indianapolis: John Wiley & Sons.

JAN 18, 2023

Software Testing

by James Driscoll

January 18 2023

For week 7 of my journey to become CompTIA CySA+ certified I will be looking at software testing. Whatever the software is, it should be developed with security in mind.

One way to check that software is secure is through testing. This testing is broken down into two types: 1) static code analysis and 2) dynamic code analysis. Both are discussed below.

Static code analysis – This is also known as source code analysis. The premise is to examine the source code itself, so, as the name suggests, the code is not run. It is reviewed either manually or with automated tools, with the aim of understanding the logic and spotting defects such as unsafe calls, missing input validation, or hard-coded secrets before the program ever executes.

Dynamic code analysis – In this type of analysis, the code is run to see how it responds to various inputs, including malformed and boundary values. It can also be done either manually or with automated tools. There are six types of testing that can be used in this type of analysis.
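As an added illustration (my own example, not from the study guide), the Python block below runs both kinds of analysis against the same constructed snippet of code under test. The static pass parses the source into an abstract syntax tree and flags dangerous call patterns without ever executing it; the dynamic pass loads the code and feeds a port-parsing function normal, boundary, and malformed inputs to observe how it behaves. The target code, the rule set, and the test inputs are all constructed for this example.

```python
"""Static and dynamic analysis of the same constructed target, side by side.

Static: parse the source with `ast` and flag dangerous call patterns without
running anything. Dynamic: load the code and observe how it behaves on chosen
inputs, including malformed and boundary values.
"""
import ast
import textwrap
from typing import Any, Dict, List, Tuple

# Constructed code under test (not from any real project). It has two defects:
# a shell command built from input, and a port parser that never range-checks
# or handles bad input.
TARGET_SOURCE = textwrap.dedent('''
    import os

    def ping(host):
        return os.system("ping -c 1 " + host)     # shell injection via host

    def parse_port(value):
        return int(value)                         # no range check, no error handling
    ''')


def _qualified_name(node: ast.AST) -> str:
    """'os.system' for os.system(...), 'eval' for eval(...), '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def static_analysis(source: str) -> List[Tuple[int, str]]:
    """Walk the syntax tree and report (line, finding); the code never runs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        non_literal_args = any(not isinstance(a, ast.Constant) for a in node.args)
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        if name in ("eval", "exec"):
            findings.append((node.lineno, f"{name}() executes data as code"))
        elif name == "os.system" and non_literal_args:
            findings.append((node.lineno, "os.system() with a command built at runtime (shell injection)"))
        elif name.startswith("subprocess.") and shell_true and non_literal_args:
            findings.append((node.lineno, f"{name}(shell=True) with a runtime-built command"))
    return findings


def dynamic_analysis(source: str, func_name: str, inputs: List[Any]) -> Dict[Any, Tuple[str, Any]]:
    """Load the module under test and record what each input makes it do."""
    namespace: Dict[str, Any] = {}
    exec(compile(source, "<target>", "exec"), namespace)   # defines the functions; calls nothing
    fn = namespace[func_name]
    observed: Dict[Any, Tuple[str, Any]] = {}
    for value in inputs:
        try:
            observed[value] = ("returned", fn(value))
        except Exception as exc:                  # record every failure mode, not just the expected one
            observed[value] = ("raised", type(exc).__name__)
    return observed


def port_findings(observed: Dict[Any, Tuple[str, Any]]) -> List[str]:
    """Turn raw observations into findings a reviewer can act on."""
    findings = []
    for value, (kind, result) in observed.items():
        if kind == "returned" and not 1 <= result <= 65535:
            findings.append(f"accepts out-of-range port {result!r} from input {value!r}")
        elif kind == "raised":
            findings.append(f"unhandled {result} on input {value!r}")
    return findings


if __name__ == "__main__":
    for line, msg in static_analysis(TARGET_SOURCE):
        print(f"static  line {line}: {msg}")
    obs = dynamic_analysis(TARGET_SOURCE, "parse_port", ["80", "70000", "-1", "abc"])
    for msg in port_findings(obs):
        print("dynamic:", msg)
```

The two passes find different things: the static rules catch the shell-injection sink without ever calling ping, while the dynamic run exposes the behavioural bugs in parse_port that no pattern match would see. Real tooling (Bandit or Semgrep for static, fuzzers and unit tests for dynamic) works the same way at much larger scale.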


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CS0-002 (2nd ed.). Indianapolis: John Wiley & Sons.

Symmetric vs. Asymmetric Encryption: Key Differences

by Eula Chua

January 18, 2023

I remember studying for CompTIA Security+ certification a couple of months ago and the topic I had trouble grasping was the difference between symmetric and asymmetric encryption.


First, let’s look at encryption. Encryption is the process of scrambling readable text (plaintext) into a code (ciphertext) to prevent unauthorized parties from accessing it. The only way it can be converted back to plaintext is if the authorized party possesses the decryption key. This is a method of securing sensitive information that gets passed online.


The two main types of encryption are symmetric and asymmetric. The main difference would be the use of keys, which are used to decrypt/unscramble a secret code.


Symmetric key encryption uses one key to encrypt and decrypt a message or data. Having a single key keeps the process fast and simple, but the receiving party must already hold the same key as the sender, and getting that key to them over a network without exposing it is the hard part (the key-distribution problem).


Asymmetric key encryption requires two keys, a public key and a private key, to encrypt and decrypt a message or data. Compared to symmetric key encryption it is a much slower process, so it is used for small payloads such as session keys; what it buys is that only the public key ever has to be shared. The downside is that if the private key gets lost, there is no other way to decrypt the data, and if it leaks, everything encrypted to it is exposed. Geeks for Geeks created a table of comparison that best describes the differences between the two:


Symmetric Key Encryption


P = D(K, E(K, P))

where K –> the single key used for both encryption and decryption

P –> plain text

E(K, P) –> encryption of the plain text under key K

D –> decryption


Asymmetric Key Encryption


P = D(Kd, E(Ke, P))

where Ke –> encryption (public) key

Kd –> decryption (private) key

E(Ke, P) –> encryption of the plain text under encryption key Ke

D –> decryption

P –> plain text


References:


JAN 11, 2023

Authentication Protocols

by James Driscoll

January 11, 2023

Week 6 of my journey to become CompTIA CySA+ certified. For this post I will be covering the various authentication protocols. Authentication is the first part of AAA, which stands for Authentication, Authorization, and Accounting. When accessing a network, we must present credentials that it can use to prove that we are legitimate users of that system. These credentials are our identity to the network, and they are what the network uses to authenticate us.


Now, there are various protocols that can be used in the authentication process. I will cover the three that are in the CompTIA CySA+ Study Guide: Exam CS0-002. They are TACACS+, RADIUS, and Kerberos.


TACACS+ - Terminal Access Controller Access-Control System Plus (TACACS+) is Cisco's successor to the original TACACS. It separates authentication, authorization, and accounting into distinct functions and encrypts the entire packet body, which is why it is the usual choice for administering network devices. One thing to keep in mind is that the protocol has a couple of issues:


So, what is the compensating control when changing protocols is not possible? The best practice is to place devices using TACACS+ on their own administrative network, isolated from everything else.


RADIUS – Remote Authentication Dial-In User Service (RADIUS) is the most widely used AAA service. It is a client-server protocol that traditionally runs over UDP (ports 1812 and 1813); RADIUS over TCP and RADIUS over TLS (RadSec) were added later. The only field it protects is the User-Password attribute, and even that is not encrypted or hashed in the usual sense: the password is XORed with an MD5 digest of the shared secret and the request authenticator, which anyone holding (or guessing) the shared secret can reverse. Every other attribute (usernames, NAS identifiers, accounting data) travels in cleartext. So RADIUS is not a step up from TACACS+ in terms of on-the-wire protection, and there is plenty of room for improvement: strong shared secrets, an isolated management network, or RadSec.
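To see what the MD5-based password hiding actually means on the wire, here is an added Python example (mine, not from the post or from any RADIUS implementation) of the RFC 2865 section 5.2 User-Password algorithm: the password is padded to 16-octet blocks and XORed with MD5(shared secret || Request Authenticator), with each further block keyed by the previous ciphertext block. The shared secret, Request Authenticator, and password below are constructed values, not a capture. The last function shows why this is obfuscation rather than encryption: anyone with one captured request whose password they already know can test guesses for the shared secret offline, at one MD5 per block per guess.

```python
"""RFC 2865 section 5.2 User-Password hiding, the only protection RADIUS gives
the password on the wire. It is MD5-keyed XOR with the shared secret, not a
hash and not packet encryption; every other attribute is cleartext.
"""
import hashlib
from typing import Iterable, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Client side. b1 = MD5(S + RA), c1 = p1 XOR b1; then b_i = MD5(S + c_(i-1))."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-octet blocks
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                 # chaining: next key depends on previous ciphertext block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side, or anyone else who has the secret. Trailing NUL padding is
    stripped, so a password that really ends in NUL bytes cannot be carried."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def recover_shared_secret(hidden: bytes, request_authenticator: bytes,
                          known_password: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guessing: with one captured Access-Request whose password the
    attacker knows (their own account), each candidate secret costs one MD5
    per block. This is why the secret must be long and random, and why RADIUS
    belongs inside TLS (RadSec) or on an isolated management network."""
    for candidate in candidates:
        if reveal_user_password(hidden, candidate, request_authenticator) == known_password:
            return candidate
    return None


# Constructed sample values (not a real capture).
SAMPLE_RA = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_SECRET = b"testing123"      # the well-known vendor default, for illustration only
SAMPLE_PASSWORD = b"correct horse battery"

if __name__ == "__main__":
    hidden = hide_user_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_RA)
    print("on the wire   :", hidden.hex())
    print("recovered     :", reveal_user_password(hidden, SAMPLE_SECRET, SAMPLE_RA))
    print("guessed secret:", recover_shared_secret(hidden, SAMPLE_RA, SAMPLE_PASSWORD,
                                                   [b"radius", b"secret", b"testing123"]))
```

Because the scheme is reversible by design, the practical defences are a long random shared secret per client, keeping RADIUS traffic off segments an attacker can sniff, and wrapping it in TLS (RadSec, RFC 6614) where the infrastructure supports it.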


Kerberos – This protocol is designed for use over untrusted networks. The password itself never crosses the wire: the client proves knowledge of it by decrypting a ticket-granting ticket that the Key Distribution Center encrypted with a key derived from the password, and the service tickets and authenticators that follow are encrypted with session keys. There are three aspects associated with Kerberos:


Something to keep in mind is that Windows Active Directory utilizes Kerberos for authentication.

Until next week!


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CS0-002 (2nd ed.). Indianapolis: John Wiley & Sons.


JAN 4, 2023

Happy New Year from Team CC!

by Eula Chua

January 4, 2023

We hope that you have an amazing start of the year. Last year was a year full of discoveries and learning. I took some time to evaluate where I was in my current state and where I wanted to be in my career. There were moments that felt painfully slow, in terms of my personal progress, and moments where I felt like things were moving rapidly. There were moments I took risks, and there were others where I wished I had taken the leap of faith. Nevertheless, I’m grateful to be where I am at this moment and how much I have grown since the start of 2022. Most of my goals came to fruition because of self-reflection. Writing things down and keeping reminders on my calendar kept me away from distractions as best as possible.


This year, I have taken my reflection up a notch and although this is not related to cybersecurity, I wanted to share this resource to everyone because it’s free! This is not a sponsored post, although I vouch for this as many journal prompts included in this resource can either only be found in physical journals and planners, (planners can be costly), or you would have to search up questions on google or formulate your own.


Year Compass provides you all the questions that can help you reflect on your past year and re-evaluate what things and habits you need to keep or leave in the past. This also includes writing prompts to help you plan out your 2023 and make it a memorable one. They give you the option of printing a physical copy or downloading a digital copy that you can upload on your digital notes app. Check out the Year Compass here: https://yearcompass.com


What are your goals for the year of 2023? What certifications are you aiming to achieve? What courses will you be taking? What online communities will you be participating in?


Let’s keep one another accountable! Follow Cybersecurity Central on socials below to stay up-to-date with all the livestream events, online courses, and conferences happening every week!


Security Controls

by James Driscoll

January 4, 2023

It is week five of my 10-week journey to becoming CompTIA CySA+ certified, so I am halfway through. This week is all about Security Controls. What are security controls? Security controls are implemented to “prevent, detect, counteract, or limit the impact of security risks” (Chapple & Seidl, 2020). These controls are divided into two groups: 1) how they are applied and 2) what the control is designed to accomplish.


Let us look at each group, starting with controls based on how they are applied. Now, depending on who you talk to, there are three, maybe four, controls that fit in here. They include:



Now, we can move on to the controls based on what they are designed to accomplish. There are three in this group:



Finally, there is one more type of control that does not fit into either group. The reason is that this control is designed to be an alternative when one of the others cannot be used for whatever reason. This control is called a compensating control.


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons.


DEC 28, 2022

Steganography

by Eula Chua

December 28, 2022

Upon using TryHackMe as a learning platform, I remember learning about steganography for one of the lessons I started with and have not forgotten about it since. So what is steganography?

According to the Merriam-Webster dictionary, steganography is the “art or practice of concealing a message, image, or file within another message, image or file” that is not itself secret. The Greek word “steganos” or “stegos” means “covered”, while “graph” means “to write.” In practice this could look like a secret message or plain text embedded in a picture. The point of hiding a sensitive message within a seemingly “ordinary” file is to avoid detection or suspicion. To elaborate, let’s look at the 5 different types of steganography.


Text Steganography


This method involves storing secret information and encoding it within a text document. Other techniques are called line-shift coding, word-shift coding, feature coding, and syntactic method. Check out Tutorials Point to learn more about these techniques: What are the Techniques of Text Steganography in Information Security?


Audio Steganography


This method conceals messages within audio clips, either to hide data or to watermark the audio, protecting it from unauthorized reproduction.


Image Steganography


This method is used to embed data within an image. This can involve altering the intensity values of the image pixels. Other forms of image steganography are as follows:



Video Steganography


This method involves concealing data by embedding it within a video file, which acts as the “carrier”. Discrete Cosine Transform (DCT) is often used as the method. This is done by inserting values in each image within the video file to conceal data.


Network/Protocol Steganography


This method uses network protocols such as TCP, UDP, and others to hide data. Covert channels may be utilized: channels that are not intended for transferring information but are instead used to store it.


The main purpose of steganography is to provide some form of hidden communication among those who know how to uncover it. This can be used as an avenue to protect sensitive data from potential malicious attacks. With the constant development of technology, steganography can also be used as a method to deliver attacks. One way is using PowerShell or Bash scripting to automate an attack, which can look like embedding scripts within a Word or Excel file that activate once it is opened, with the purpose of corruption. It all depends on the motive.
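The image technique mentioned above, altering pixel intensity values, is usually done on the least significant bit (LSB) of each pixel. The following is an added example, not code from the original post: it embeds bytes in the LSBs of a constructed grayscale pixel list, extracts them back, and runs a naive detector of the kind an analyst might use to flag a suspicious LSB plane. The cover "image", the message, and the function names are all my own assumptions; it runs without Pillow or NumPy.

```python
"""LSB image steganography round trip plus a naive LSB-plane detector.

Added example for the Image Steganography section; this is not code from
the original post. The cover "image" is a constructed list of 8-bit
grayscale pixel values, so it runs without Pillow or NumPy.
"""


def make_cover(n: int = 1024) -> list[int]:
    """Constructed cover: a gradient whose LSB is 1 on every 10th pixel only.

    A real photo also has an uneven LSB plane, just less regular; this keeps
    the detector's result deterministic for the example.
    """
    return [((i * 37) % 256 & 0xFE) | (1 if i % 10 == 0 else 0) for i in range(n)]


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels: list[int], message: bytes) -> list[int]:
    """Return a copy of pixels with message written into the least significant bits.

    A 4-byte big-endian length prefix lets the extractor know where to stop.
    Changing only bit 0 alters each pixel's intensity by at most 1, which is
    why the change is invisible to the eye.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    stego = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def _read_bytes(pixels: list[int], start_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of pixels beginning at start_bit."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[start_bit + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: list[int]) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("declared length exceeds image size; not a valid payload")
    return _read_bytes(pixels, 32, length)


def lsb_ones_fraction(pixels: list[int], n: int) -> float:
    """Fraction of the first n pixels whose LSB is 1.

    Embedding a message drives this toward the bit balance of the payload
    (roughly 0.4 to 0.5 for text), so a region that differs sharply from the
    rest of the image is a simple red flag. Real stego detectors use
    chi-square or RS analysis built on the same idea.
    """
    return sum(p & 1 for p in pixels[:n]) / n


def looks_modified(pixels: list[int], n: int, threshold: float = 0.3) -> bool:
    """Flag the first n pixels when their LSB plane is far more balanced than the cover."""
    return lsb_ones_fraction(pixels, n) > threshold


if __name__ == "__main__":
    cover = make_cover()
    secret = b"steganos"
    stego = embed_lsb(cover, secret)
    print(extract_lsb(stego))                                # b'steganos'
    region = 8 * (4 + len(secret))                           # 96 pixels carry the payload
    print(looks_modified(cover, region), looks_modified(stego, region))  # False True
```

The detector is deliberately crude: it only knows that text-like payloads have roughly 40 percent ones while this cover has about 10 percent, so a threshold of 0.3 separates the two regions. On real images the baseline is not known in advance, which is why practical tools compare statistics across regions of the same image rather than against a fixed number.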



Cloud Responsibilities

by James Driscoll

December 28, 2022

During week four of my 10-week journey to becoming CompTIA CySA+ certified, I will be looking at the responsibilities of the Cloud Service Provider (CSP) and the customer. Operating on-premises and in a cloud environment have both similarities and differences. Considerations for Confidentiality, Integrity, and Availability (CIA) must be made in both instances. Also, access management is an objective in both instances.


Now, the difference between on-premises and a cloud environment is where responsibilities lie. In on-premises operations, the owner is responsible for everything. In a cloud environment, those responsibilities are split between the CSP and the customer, and they differ depending on the type of cloud service (IaaS, PaaS, and SaaS). Luckily, the CySA+ study guide by CompTIA has a nice graphic that illustrates how those responsibilities are divided up. I recreated the graphic below in Excel with the information reviewed in the CompTIA CySA+ Exam Study Guide CSO-002:


The above graphic is divided into three cloud services. Each of those services is divided into five different aspects where responsibilities lie.  One thing you will notice is that everything is color coded.  The white shading depicts what the customer is responsible for, the dark gray depicts what the CSP is responsible for, and the light orange depicts what responsibilities are shared by both the customer and the CSP.


So, what does this mean in terms of Cybersecurity?  Well, at the top of each service is the Data and according to their shading, the customer is responsible for it, even in the SaaS which is shared with the CSP.  That means the customer, aka the owner of the data is responsible for securing it. 


I bring that up because moving to the cloud, while not a totally new concept, is new to some organizations and may be misunderstood. I think there may be a mindset that if an organization moves to the cloud, they are no longer responsible for anything, and that is simply not the case, as shown above.


The key takeaway is, no matter whether your organization is considering moving to the cloud or has already moved, it is important to know where your responsibilities lie. The inspiration behind this blog is that there have been news stories lately about data stored in the cloud being breached due to misconfigurations, and I want to make sure that the cause is not a misunderstanding of responsibilities.



DEC 21, 2022

Common Vulnerability Scoring System (CVSS)

by James Driscoll

December 21, 2022

As we continue with week three of this 10-week trek to the CySA+ exam, I will discuss the Common Vulnerability Scoring System (CVSS).  As the name suggests, it is a scoring system for vulnerabilities.  Now, CVSS is part of a larger standardized security information communication platform called the Security Content Automation Protocol (SCAP). 


So, where are we most likely to see CVSS? Well, when a vulnerability is discovered, it is submitted to the National Vulnerability Database and given a Common Vulnerabilities and Exposures (CVE) number. This CVE is also part of SCAP and maintained by NIST. Anyway, the CVSS is part of the CVE report, as you can see in the below screenshot.

Upon closer examination, we see that there are two versions of the CVSS.  Version 3 is the most recent version and what is used for newer vulnerabilities.  Older vulnerabilities are scored based on version 2.0.  The next major item to notice is the Base Score which is 7.8 High.  Now, what does this mean?  The CVSS scoring system works on a scale from 0-10 and is broken down into rating categories, shown in the visual below:


So, based on the scale, the 7.8 Base Score is the second highest rating a vulnerability can receive.  That means that any organization with this vulnerability should seriously look at remediating it.


Continuing with our examination of the above CVE, the next item we see is the “Vector”. This is the actual CVSS vector and is what determines the base score. As we can see, the CVSS vector is broken up into eight categories:



One thing you will notice is that in the above descriptions, I did not give numerical values for each of the criteria. I left those out for a reason: thanks to our friends at NIST, there is an online calculator that will calculate the score for us. The URL is https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. It is easy to use: for each of the eight categories, click on the criterion that applies. When checking out the site you will see two more metrics, Temporal Score and Environmental Score. I am not covering them currently as they appear to be outside the scope of the exam per the CompTIA CySA+ Study Guide.




DEC 14, 2022

Starting In IT first? Check Out These Free Resources!

by Eula Chua

December 14, 2022

I have heard this question repeated multiple times (or a similar question just like this), “How can you protect something if you don’t know how it works?”

In a way, this holds true. How do you know what systems to protect? What parts of the networks or systems are vulnerable or at risk if something were to happen?

As someone in pursuit of a career in cybersecurity, I first made the goal to start in an IT role before I continue down the path. As a hands-on learner, I want to learn and understand the ins and outs, the network infrastructures, the vendors used, hardware, software, the issues that end-users may encounter on a daily basis, literally everything within a company. Surely, there are ways to transition into cybersecurity from a completely different industry or right out of graduation and there are wonderful and reputable industry professionals on LinkedIn who speak on this.

However, if you’re someone like me looking to start in IT or review the fundamentals, here are some great free resources I highly recommend:

KevTech IT Support: Kevtech IT Support

Kevin from KevTech IT Support shares valuable information that will help those transitioning into IT prepare for their first job. He shares about how to build your resume, IT FAQs, common IT interview questions, how to build up your own virtual home lab, and many more. He also has a community on Discord.

East Charmer: East Charmer

If you want to know what a day in the life looks like as an IT professional, Marie from East Charmer creates videos to show you on-the-job responsibilities. Not only that, she also creates videos to help those seeking an IT support role and also show a glimpse of what it’s like to work in the office vs working from home, what challenges and difficulties are faced within the role, and best IT practices.

RunCMD (formerly: IT Career Questions): RUN CMD

Zach from RunCMD gives you all the insights into IT, such as knowing which certifications and roadmap to take, which trending skills and topics to dive into, home labs you can start building, and basically everything you need to know to get into IT.

Cobuman: Cobuman

If you want to get super technical, Cobuman is your go-to. Ranging from teaching you how to prepare for your next IT interview or certification to providing tips on help desk issues you may encounter on the job, Cobuman is ready to help you get a head start into your IT career.

NetworkChuck: NetworkChuck

If you want to learn scripting, hacking, and everything tech related, check out Chuck from NetworkChuck on YouTube. He provides fun and informational videos on a lot of different topics like Linux, CCNA, Docker, Raspberry Pi, Cloud, certifications, and more.

CBT Nuggets: CBT Nuggets

CBT Nuggets is a free IT on-demand training platform. They include courses from industry experts to help you study for your next IT certification or gain real-world IT skills.

Have I missed anything else that should be on this list?

Follow us on Cybersecurity Central on LinkedIn and let us know what else we can add!

Attack Frameworks

by James Driscoll

December 14, 2022

For week two of this 10-week excursion into CompTIA CySA+ I will be discussing the various attack frameworks.  These frameworks are utilized by organizations attempting to predict how an adversary will probably attack their organization.  This allows them to create defenses that are more likely to be effective in the event of an attack. 


According to the CompTIA CySA+ Study Guide, there are four attack frameworks that we should be familiar with.  They are 1) MITRE ATT&CK Framework, 2) The Diamond Model of Intrusion Analysis, 3) Lockheed Martin’s Cyber Kill Chain, and 4) The Unified Kill Chain.  I will go into further detail about each framework in the following paragraphs.


The first framework we will look at is the MITRE ATT&CK Framework. The MITRE Corporation created the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework as a way for organizations to have access to common descriptions, tactics, techniques, and procedures of known adversaries. The good thing about this framework is that there is no cost to access it. To access it, just go to https://attack.mitre.org. On the first page is the ATT&CK matrix. There is a plethora of information regarding adversary TTPs available.


The second framework is the Diamond Model of Intrusion Analysis.  The key thing to remember about this is that it is relationship based.  All the vertical lines of the model are called events.  So, the way this works is that analysts try to find as much information as they can by tracing the relationships between the events.

As you can see in the image above, all the vertical lines are events.  Where those lines intersect are core features of the events.  Unfortunately, the study guide really does not go into further detail about this framework.  It is just a basic overview for the test.


The third framework is the Lockheed Martin Cyber Kill Chain.  As the name suggests this framework was created by Lockheed Martin and consists of 7 processes that form a chain:


The fourth and final framework is the Unified Kill Chain.  Now, according to the CompTIA CySA+ Study Guide, while this framework is not testable, it is information that is good to know.  In a nutshell, this framework is a combination of the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and other frameworks.  All together they make up an 18-process chain that describes how an attack can occur both inside and outside a network.




DEC 7, 2022

Risk - Topics from CompTIA CySA+ Studies

by James Driscoll

December 7, 2022

I am currently studying for the CompTIA CySA+ exam, which stands for the CompTIA Cybersecurity Analyst.  Over the next 10 weeks, I will be picking topics from the CompTIA CySA+ Study Guide.  This first blog in the series will cover risk.


The concept of risk is a major player in the world of cybersecurity. As professionals we constantly talk about our organizations’ risk acceptance, aka risk appetite, but how do we define what a risk is? To define a risk, we need to discuss two other concepts. The first concept is vulnerability, which is nothing more than a weakness. The second concept is a threat, which is any outside force that can exploit a vulnerability.


Now, there are a couple of ways to look at risk. 1) We can look at it as a mathematical equation which looks like “Risk = Threat X Vulnerability”. Keep in mind that with this type of representation, there are no numerical values to be entered. It is merely a statement that to have a risk, an organization must have both a vulnerability and a threat that can exploit it. 2) Look at it through the lens of a Venn diagram, below:

What this diagram shows is that risk is where a threat and a vulnerability meet. 


Let us look at each entity starting with threats.  There are four types of threats an organization may encounter.  To determine threats to an organization requires an assessment that focuses outside a particular organization.



Moving on to Vulnerability.  As stated earlier, a vulnerability is nothing more than a weakness that a threat can use to their advantage.  Unlike determining threats, when an organization determines their vulnerabilities, they focus on themselves.


This brings us to risk itself.  There are two concepts that are utilized when determining risk.  They are:


One way to calculate risk is to use a qualitative matrix that utilizes low, medium, and high ratings.  The diagram below is an example out of the CompTIA CySA+ Study Guide:

As you can see, the likelihood a threat will exploit a vulnerability is on the left with the impact on the bottom.  So, this is read just like a graph.  Low values are at the bottom and to the left, with higher values towards the top and to the right.

According to the CySA+ study guide this matrix can also be used as a quantitative matrix. That means instead of using Low, Medium, and High values, an organization assigns numerical values. Now, I have not seen a quantitative matrix, so I do not know what the maximum numerical value representing a high value is. I would imagine that would be set by the individual organization.



CompTIA Network+ vs CCNA?: A Quick Learning Update

by Eula Chua

December 7, 2022

The past few months have been so focused on studying for Security+ that it’s been a while since I reviewed the fundamentals of networking. This month, I have decided to study and relearn some of the IT networking concepts in order to fully understand what those entering the IT field (or already in the field) will be protecting in the future. I haven’t decided if I want to pursue taking a certification exam, or which certification exam to take, but I do have the study materials to continue my independent learning. The 2 network certificates that are highly sought after (industry standard) are CompTIA Network+ and the Cisco Certified Network Associate (CCNA), which will be the focus for today’s blog.


If you are someone who may be thinking about getting a Network certificate (or just studying for it) and can’t decide which one to take, to get you started, I’ll be sharing a few of the main differences and resources that may help you determine which certificate is right for you and meets your needs.


CompTIA Network+:



CCNA:



Resources:



NOV 30, 2022

2022 Reflections

by Eula Chua

November 30, 2022

This blog post will be a bit different than usual.

As you read this, December is literally a day away.

It’s easy to get into the loop of thinking that we haven’t done everything we wanted to do on our list for this year or maybe, we didn’t even have an exact plan to begin with and feel a bit all over the place. That is okay. Things happen and sometimes, the pivots we made may have been necessary.

This year, I took a step forward to dive into the world of cybersecurity. I can tell you for a fact that I had no exact direction to begin with but went in anyway. I took my time researching most of the resources I found and fixed up my LinkedIn profile, which led me to connect with many wonderful cybersecurity communities online.

As long as you take action one step at a time, one thing leads to another and before you know it, you’ve done more than many others who are stuck overthinking which moves to make. If you need somewhere to start, I recommend checking out our Resources page here in Cybersecurity Central.

I invite you to reflect with me and look back on our own journey this year. This way, we can get a sense of where we are, how we got here, and what we are looking forward to in 2023.

Feel free to take some notes and answer the following reflection questions:


For more thought-provoking questions, check out this article by Indeed: 

100 Student Reflection Questions You Can Ask Yourself

I hope these questions help you discover new and amazing things about yourself!

NOV 23, 2022

Ways Organizations Can Recover From an Attack

by James Driscoll

November 23, 2022

In my last blog, I discussed the reasons why organizations should not pay adversaries when they are the victim of a ransomware attack. In this blog, I will discuss things organizations can do to facilitate recovery from an attack.


There are numerous things an organization can do to avoid paying a ransom in the event of an attack. The thing is that these need to be completed before an attack. That means organizations need to change their mindset of “we will not be attacked” to “we will be attacked at some point”. Only then will the following be effective.


One thing that is an absolute must is backups of your data. Now, in the case of backups, there is a generally accepted rule that should be followed. It is called the 3-2-1 backup rule. It breaks down like this: 3 total copies of the data (1 original, 2 copies). The 2 copies need to be saved on two different types of media. The media could be anything, as long as they are different types. Finally, 1 of the copies needs to be stored off site. Cloud storage covers the last two (Elliot, n.d.).
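The rule above turned into an auditable check, added here as an example and not code from the post or from the Elliot source: it walks a constructed backup inventory and reports, per dataset, which of the three conditions fails, counting the original as one of the three copies and requiring the two backup copies to differ in media type. Dataset names, media labels and function names are all made up for the example.

```python
"""Audit a backup inventory against the 3-2-1 rule.

Added example for the backup paragraph above; not code from the original
post. The inventory is constructed to show one dataset that satisfies the
rule and one that does not.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    label: str
    media: str             # media type, e.g. "san-disk", "nas-disk", "tape", "cloud-object"
    offsite: bool          # stored at a different physical site from the original
    is_original: bool = False


def check_321(copies: list[BackupCopy]) -> list[str]:
    """Return the rule violations for one dataset (an empty list means compliant).

    3: the original plus at least two further copies
    2: those backup copies sit on at least two different media types
    1: at least one copy is stored off site
    """
    findings = []
    backups = [c for c in copies if not c.is_original]
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies in total, need original + 2")
    media = {c.media for c in backups}
    if len(media) < 2:
        findings.append(f"2: backup copies use a single media type {sorted(media)}, need 2")
    if not any(c.offsite for c in copies):
        findings.append("1: no copy is stored off site")
    return findings


def audit(inventory: list[BackupCopy]) -> dict[str, list[str]]:
    """Group the inventory by dataset and run the check on each one."""
    by_dataset: dict[str, list[BackupCopy]] = {}
    for c in inventory:
        by_dataset.setdefault(c.dataset, []).append(c)
    return {name: check_321(copies) for name, copies in sorted(by_dataset.items())}


# Constructed inventory (not real systems). A cloud copy satisfies both the
# "different media" and the "off site" conditions at once, as the post notes.
INVENTORY = [
    BackupCopy("finance-share", "primary volume", "san-disk", False, is_original=True),
    BackupCopy("finance-share", "nightly snapshot", "nas-disk", False),
    BackupCopy("finance-share", "weekly cloud copy", "cloud-object", True),
    BackupCopy("hr-db", "primary volume", "san-disk", False, is_original=True),
    BackupCopy("hr-db", "nightly dump", "nas-disk", False),
    BackupCopy("hr-db", "weekly dump", "nas-disk", False),
]

if __name__ == "__main__":
    for dataset, findings in audit(INVENTORY).items():
        print(dataset, "OK" if not findings else findings)
```

The second dataset has three copies, so a simple count would pass it, yet both backups live on the same NAS in the same building: exactly the setup that ransomware encrypting the file server takes out along with the originals. Separating the three conditions in the report makes that gap visible instead of hiding it behind a pass/fail flag.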


Something else that is a necessity is an Incident Response Plan. A word of advice regarding this, make sure to print out a copy so it can be used in case of an attack. It is useless if it is saved on either a workstation or server that is locked with ransomware. Luckily, our friends at NIST have a special publication that spells most of the elements out. NIST SP 800-61r2 states 8 elements that should be in any Incident Response Plan. Those elements are:



These next few steps are designed to make the organization a hard target. In case some of you are wondering what a hard target is, it is a term the military uses to describe an entity that has a low susceptibility to an attack. The reason I say low susceptibility is that there is no way to get the susceptibility level to zero. If an adversary wants to get onto a network, they will. So, the goal is to make it as difficult as possible and make them waste so much time that they simply give up and try to attack another organization. This is accomplished by:



The good thing about taking the above steps is that they help protect against more than just ransomware.


The one thing that I want everyone to take away from this is that we need to ensure our organizations are prepared. I say that because it is 2022, almost 2023, and from what I can tell, every organization is fair game to ransomware. It is no longer a matter of if an organization is going to become a victim, but rather when it will become a victim. So, by having an Incident Response Plan and testing it, training our users, updating software, and using anti-virus / anti-malware software, our organizations will hopefully not have to struggle with the decision whether to pay a ransom and face a fine from the government because the ransomware group is on the sanctions list, or have their data released on the dark web.




Thankful for the Tech & InfoSec Community

by Kimberly McKnight

November 23, 2022

It's that time of the year again!  The holidays are approaching.  This week of Thanksgiving, we give thanks  for the people and things that make us feel grateful. 


I felt this was the perfect time to let the entire tech and infosec community know what an important role they have played in not only my life, but also in the lives of many others I have met and grown to know over the past couple of years transitioning into the industry. 


You may hear it all the time, but the community is where it's at. There are so many communities available within tech and infosec, and that's important. Each of us comes from different backgrounds and experiences, and these communities offer us a place to meet, connect, engage, help, support, and learn from each other.


The important part is to find one, or several, that you feel comfortable in and start showing up.  The more you get intertwined in the community, the more support you will find.  Whether you are employed already, or seeking a new role, being involved in a supportive community is the key to success. Without the connections and relationships you will make, it is a lot harder to network and find a new role. 


Why? The majority of roles are in the "hidden" job market, meaning, they will never be posted.  Those hiring go to the people they know and trust and ask them for recommendations for upcoming (unposted) roles.  If you are not networking or involved in a community, the hidden job market is nearly impossible to tap into. 


Take myself for an example.  I wasn't even applying for roles yet, but I was so involved in one of my favorite infosec communities, simplycyber.io.  My current boss went to Gerald Auger, PhD, and asked him if he knew anyone to recommend for an upcoming role.  Because I was a regular in the community and my skills aligned with the potential role, I was recommended for the role, interviewed, and was hired. 


It can be scary, intimidating, and feel unknown at first, but stick with it, find a community you enjoy being a part of and engage with others within the community.  All of us have something to offer, even if it's support and an encouraging word.  You don't need to be technical to be a part of these communities. 


I may be a little biased, but Simply Cyber is absolutely hands down my favorite community out there.  Thanks to my friend, Stefan Waldvogel for sharing it with me.  Truly a community anyone new, or already in the industry, will appreciate and benefit from being a part of.  If you are into Discord, check out the Simply Cyber Discord, another great place to meet and connect if you can't make the livestreams, or want to connect anytime with the community. 


Again, I truly want to thank everyone who has been a part of my network, and the overarching community.  This journey would not have been possible without you.  I would love to hear, what are some of your favorite communities? 


Let us know on our LinkedIn page, where you can find our posts for these blogs each week: https://www.linkedin.com/company/cybersecuritycentralorg


Happy Thanksgiving! 

NOV 16, 2022

Why Organizations Should Not Pay Ransomware

by James Driscoll

November 16, 2022

We may all remember back in September, the Los Angeles Unified School District becoming a victim of a ransomware attack. A month later, we heard about Medibank, the largest insurance company in Australia, also becoming a victim of a ransomware attack. So, besides both joining the club of ransomware victims, what else do they have in common? Well, both organizations decided not to pay the ransom. In this blog I will discuss some of the reasons why an organization may not want to pay a ransom.


There are three main reasons an organization may not want to pay a ransom:

1) There is no guarantee that the organization will regain access to its information.

2) It almost guarantees that the organization will be attacked again.

3) It may be illegal to pay the ransom.


Let's take a deeper dive into each:

So, how did OFAC obtain jurisdiction to provide policy on ransomware? Well, the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) delegates jurisdiction to OFAC. Now, as part of this jurisdiction, they are responsible not only for creating the lists of entities that U.S. citizens cannot conduct transactions with, but also for enforcing those embargoes.

In next week’s blog I will discuss some of the things that organizations can do to protect themselves from becoming a victim of a ransomware attack.



Get Ready for the Holidays and Potential Cyber Attacks

by Eula Chua

November 16, 2022

We’re heading into the most wonderful time of the year. While some of us are getting ready for our upcoming Thanksgiving dinners, others are already preparing Christmas presents. Either everything goes smoothly or it doesn’t.


You may ask, “what do the holidays even have to do with cybersecurity?”


Everything.


Think about it. All the retail shops are busy getting ready to stock up for all the holiday sales. We’re busy thinking about what gifts to buy for each of our family members or panicking about what to cook for our upcoming dinner gatherings. Others are getting ready to fly out for vacation. These are some honourable mentions.


While we’re occupied with a million things to do during this season, adversaries are also doing the same.


Have you heard of the Log4J vulnerability, Log4Shell?


Log4J is a built-in software library within Java that was created by an open-source project maintained by the Apache Software Foundation. It logs activities within a web server by tracking and monitoring system calls. The Log4Shell vulnerability was discovered in December 2021, involving arbitrary code execution (ACE). Depending on the Log4J version being used on the application, Log4Shell enables an attacker to remotely control a device on the Internet. This was being done before IT/Cyber professionals discovered it, hence called a zero-day vulnerability.


How about the Cadbury Easter Egg Scam?


Around April 2022, a message with a phishing link was circulating all over WhatsApp, advertising that consumers would receive a free Easter chocolate basket from Cadbury. Clicking on the link would take you to a web page where you could fill in your personal data. Eventually, Cadbury found out and issued a public alert.


If you noticed, both situations occurred near or during a holiday. Attackers very well know that people have a lot on their plates during busier seasons like these. By adding more on top of that, they would hope we’d fall into their traps.


How can we prepare for what’s to come? The best way to prevent this is awareness.


We don’t know what we don’t know. Awareness will help lead us to our solution.


Stay on top of the cyber attacks and learn about what occurs during holidays. Here are some great resources (but not limited to) that you can look into (some of these also include examples from the past):


Learn about the social engineering tactics and how attackers use this against us:

Learn how to prevent scams from happening:

Check out the rest of our Blog By CC page below for more cybersecurity topics!



NOV 9, 2022

Resources and Tips to Help You Study for Your CompTIA Security+ Exam

by Eula Chua

November 9, 2022

Leading up to it, I had doubted myself. I didn’t think I was going to pass because my study habits weren’t perfect. But I remembered that I had made a commitment to myself from the beginning of this cybersecurity journey, to pass this exam even if it takes me multiple times to do it.

Last month, I’m happy to share that I finally earned my very first cybersecurity certificate: CompTIA Security+ SY0-601. Passing this exam truly affirmed my decision to begin a career in this field. The learning never stops.

Although everyone has their own way of studying, I want to share with you the resources and tips that have helped me successfully pass this exam. I cannot guarantee that you will pass the exam as what I’m sharing is based on my own experience, however, with the amount of time and work you put in, your success and efforts will show in the results. I hope that what I share helps you in any way.

Resources

The first thing I did was research and find the appropriate study material for Security+ that worked for me. This took some time until I finally decided which courses and practice exams to stick to. There are a lot of free/affordable resources available out there, especially on YouTube and Udemy. It can get overwhelming. Know your learning style and choose accordingly. Check out this page to learn about different learning styles: VAK

For myself, I learn best by doing all three: learning by seeing/writing, listening, and doing. I made sure to use resources that would aid me in my learning. I chose multiple resources to ensure each topic is fully covered in-depth and explained in different ways to help me understand the concepts. Most of the courses listed include additional hands-on labs that are not a part of the exam but are there to reinforce your learning.

Here are the resources that have helped me:

For visual/auditory learning (learning by seeing/writing and listening):

For kinesthetic learning (learn by doing):

Here are other highly recommended resources that you may also prefer:

Tips

Are you thinking of taking the CompTIA Security+ certification? Let us know how you do on our LinkedIn post: https://www.linkedin.com/company/cybersecuritycentralorg/


Good luck with all your studies!


Check out Resources by CC for even more learning tech and infosec resources!

NOV 2, 2022

Insider Threat

by James Driscoll

November 2, 2022

There is one aspect of cybersecurity that gets very little fanfare: the insider threat. An insider threat is, in my opinion, the most dangerous type of cybersecurity attack. I say that because most of the time it involves an employee of the organization, who obviously has inside knowledge of the organization and easier access to its data than an outsider would. Below is a recent case of an insider threat.

This past September, an information security designer by the name of Jareh Sebastian Dalke received a visit from the FBI in Denver, Colorado. Mr. Dalke was arrested and charged with three counts of violating the Espionage Act. Apparently, he reached out to someone that he thought worked for a foreign government and told this individual that he had classified documents for sale. The two agreed to an $85,000 price. According to the story, in order to prove that what he had was legit, Mr. Dalke sent the foreign government official, who was actually an FBI agent, snippets of the documents which had the classification markings on them (Kelley, 2022).

This incident which occurred only two months ago is a perfect example of an insider threat, which is the subject of this blog. One disclaimer about this case. Mr. Dalke has only been charged with violating the Espionage Act. He is innocent until he is proven guilty by a jury of his peers (Kelley, 2022). I will discuss what an insider threat is, how to spot one, and what to do if you suspect there is an insider threat in your organization.

Before we can discuss what an insider threat is, we need to define what an insider is. Basically, an insider is anyone, whether an employee or a contractor, whom an organization trusts with access to its resources. It can also be a vendor, custodian, or even a repair person. The Cybersecurity and Infrastructure Security Agency (CISA) has an extensive list of who could be considered an insider (Defining Insider Threats, n.d.).

The essence of an insider threat is the potential that an insider, which was described above, will use their access or knowledge of their organization’s resources for nefarious reasons. According to CISA, those reasons include:

An insider threat can take one of three forms:

Other threats:

Let's take a look at what may be indicators of an insider threat. One thing to keep in mind is that an employee (remember from above that most insider threat cases involve employees) who shows any one of these signs is not necessarily an insider threat. What needs to be noted is when an employee shows several of the signs below at once. The takeaway? If something does not seem right, say something to your supervisor or manager:

An example of an employee showing multiple indicators is as follows: an employee is overly critical of a poor performance appraisal, which he got because he is distracted due to financial issues resulting in his wife filing for divorce. These things make this employee vulnerable. One day he starts showing up to work in fancy cars and wearing newer clothes he normally does not wear. A week later he puts in for a vacation to a country that he cannot normally afford to go to, nor does he have an official reason to go. So, as we can see, one indicator by itself is probably meaningless; however, when stacked together, they become something that needs to be reported.


References

Credit Card Fraud: Tips For Prevention

by Eula Chua

November 2, 2022

Black Friday, Cyber Monday, and Boxing Day are coming before we know it. As we head into the holiday shopping season, I want to bring some awareness to credit card fraud.

As reported in the 2020 Federal Trade Commission Report, credit card fraud is ranked as one of the main types of identity theft reported and continues to rise.

Credit card fraud is the act of obtaining another individual’s credit card information without their authorization or knowledge and using it to make random, unusual purchases, withdraw funds, or open new accounts. The fraudster’s main motive here is financial gain.

Credit card fraud happens more often than we think. To get a grasp of how it’s looking, check out CardRates.com: 15 Disturbing Credit Card Fraud Statistics

Credit card fraud can occur in multiple ways, not limited to:

Although large-scale companies have fraud investigation and data loss prevention teams that work endlessly in the back end, doing our part as users and credit card owners, in combination with those back-end teams, will help effectively prevent credit card fraud from happening to us.

What can we do right now?

Here are some practical tips we can do to prevent or to stop credit card fraud:


Resources:

OCT 26, 2022

Vishing Attacks in Depth

by Eula Chua

October 26, 2022

Once upon a time, we lived in a world without caller ID. Every time the phone rang, all we could do was answer it, hoping it wouldn’t be a random stranger trying to impersonate a service provider. It was highly likely that an adversary would pull this scam tactic.


You might ask, what is vishing?

Vishing is a form of phishing — a portmanteau of “voice phishing”. This occurs when an attacker utilizes a phone system to lure their targets into providing their personal information or credentials, mainly for financial gain. As caller ID became a necessity in the telecom world, it helped filter out which phone numbers should be trusted based on what we know. But even then, attackers still found ways to overcome this challenge, which is why it still happens occasionally. Today, VoIP (Voice over IP) technology is often used for these attacks because it makes it easier for the attacker to pretend to be from an actual known company, by spoofing their caller ID and setting up fake phone numbers that are difficult to trace.


In vishing attacks, the adversary falsifies their identity by pretending to be a person of authority. The common vishing attacks that many hear about relate to tech support scams and automated scare-tactic voice messages. To be effective, most attacks similar to this are combined with other types of attacks such as identity fraud or ransomware attacks.


So, do they still happen?


The answer is yes.


Although phishing scams are more popular, according to Kroll (2022), vishing attacks have been on the rise, especially in 2022, and have been “occurring more than 1-in-4 times out of all types of response-based threats.” The more that technology develops, the more sophisticated and motivated these adversaries are to find ways to create these cyber attacks.


Below are some key patterns we all need to be aware of when encountering potential vishing attacks. For some extra context, here is a list of vishing attack principles compiled by the experts of Kroll (The Rise of Vishing and Smishing Attacks – The Monitor, Issue 21 | Kroll) for reference:







To avoid falling for vishing attacks, it is important to be aware of the characteristics and traits. Knowing how an attack works gives users the advantage to prevent future cyber incidents.


A few key points to remember:



As we are in the last week of Cybersecurity Awareness Month, let’s continue to strive to stay safe online. Continue to protect your information and always stay vigilant. As mentioned earlier, the more technology develops, the more threat actors discover ways to trick users.


Remember, cybersecurity criminals never sleep! #Becybersafe all year round and keep an eye out for more related content here at Cybersecurity Central!

SIM Swapping

by James Driscoll

October 26, 2022

This week the topic discussed is SIM swapping. The reason I chose this topic is a news story that came out early last week. On 18 October, Verizon revealed that their prepaid service was attacked via SIM swapping (Gatlan, 2022). A few things discussed today will be: 1) what SIM swapping is, 2) how a SIM swap works, 3) indicators of an attack, and 4) how to defend against this attack.

So, let us look at what SIM swapping, also known as SIM hijacking, is. It is pretty much as it sounds: moving the SIM card or eSIM from one device to another. The key here is that it is the criminal doing the swapping, not the victim (SIM Swapping, n.d.). There are two reasons criminals engage in this type of attack: 1) to take advantage of the SMS messaging that some organizations use for their MFA, and 2) to take advantage of accounts where MFA is not set up at all (What is a SIM Swap, n.d.).

Now, let us move on and look at how this type of attack works. The typical SIM swapping attack starts with the victim giving the criminal their login credentials through a phishing email (SIM Swapping, n.d.). This gives the criminal access to the victim’s online account. A second part of this attack involves the criminal taking over the victim’s email account that is associated with the cell phone account (SIM Swapping, n.d.). This allows the criminal to intercept any email correspondence from the phone company to the victim. Typical emails include confirmation that there was a change to the account or One Time Passcodes (OTP), six digits used for authentication.

Once the criminal has control of the victim’s email and has the login credentials for the account, they can conduct the SIM swapping attack. This can be done in a few ways: 1) online, using the login credentials received through the phishing email, or 2) in person, either by phone or by the criminal walking into the phone company’s physical location (Cryptopedia Staff, 2021). One thing to keep in mind is that no matter how this is done, there is going to be social engineering involved.

So, how can a person tell if they are a victim of a SIM swap? As it turns out, there are three indicators that a person might be a victim of an attack: 1) the victim cannot access their online account; 2) there is no service despite being in an area with good reception; 3) the victim receives a notification about account changes they did not make (Adamu, 2022).

Now that we have looked at what a SIM swap attack is and how to spot one, let us now move onto what can be done to protect ourselves from being a victim. Believe it or not, there is a lot we can do. Below are seven recommendations:









References

OCT 19, 2022

Five Eyes Alliance and Privacy 

by James Driscoll

October 19, 2022

Over the past couple of weeks, a few news stories I have seen and a few podcasts I listen to have started to talk about a group that I have not heard about in a long time. That group is called the Five Eyes. I remember the first time I heard of them a couple of years ago. So, for those people that are not familiar with them, this blog is specifically designed for you, as I will talk about who they are, what their purpose is, other interesting tidbits of information that may be relevant, and how all of this relates to privacy.

So, what exactly is Five Eyes? Five Eyes is an alliance between the United States, the United Kingdom, Australia, Canada, and New Zealand. This alliance was formed in 1946 with the purpose of making it easy for the countries in the alliance to share surveillance and intelligence information with each other (Five Eyes, n.d.). The types of intelligence this alliance focuses on are human intelligence, signals intelligence, geo intelligence, and finally defense intelligence (Taylor, 2022).

Would it surprise anyone that, in addition to the Five Eyes Alliance, there is also a Nine Eyes Alliance? This alliance is made up of the Five Eyes countries plus the following: Denmark, France, the Netherlands, and Norway. The goal of this alliance is the same as the Five Eyes Alliance. Now, I would imagine some people are thinking that nine countries sharing intelligence information is not too bad. Just wait a minute, I have one more alliance to go over. The final alliance is called 14 Eyes. It is made up of the Nine Eyes countries plus Germany, Belgium, Italy, Sweden, and Spain (Taylor, 2022).

So, what do these alliances have to do with our privacy? Well, remember that the goal of these alliances (more specifically the Five Eyes Alliance) is to share surveillance and intelligence information. What everyone needs to pay attention to is the surveillance portion of that goal. The reason I say specifically the Five Eyes Alliance is that the United Kingdom and the United States are considered the biggest violators in terms of privacy.

For example, the United Kingdom passed a law in 2016 that basically tells both Internet Service Providers and phone companies to record things like browsing history, connection times and text messages for a period of two years. Also, that information must be made available to authorities whenever they ask for it. A warrant is not required (Taylor, 2022).

The reason the United States made the list of the biggest privacy violators is that not only does it conduct mass surveillance similar to the United Kingdom, under a program called PRISM, but in 2017 Internet Service Providers became authorized not only to collect users’ information but also to sell it to other organizations (Taylor, 2022).

So, let’s pivot and discuss what we as individuals can do to protect our privacy. First, we can get away from email providers like Yahoo and Gmail. The reason is that Yahoo has been caught scanning users’ emails on behalf of the US Government. The reason for getting rid of Gmail is that it has been caught letting users’ emails be accessed by third parties. Now, I would bet some people are asking what email providers we are supposed to use that are more secure. You’re in luck, as I have you covered with nine options:

I know what you are thinking reading this list and you are correct in that some of them are in one of the other alliances. Keep in mind that we are focusing on avoiding the Five Eyes Alliance specifically. That is not to say that the other alliances do not violate privacy, I would imagine they do, but to a lesser extent (Taylor, 2022).

Another option available to all of us to protect our privacy is a Virtual Private Network (VPN). For those that do not know what a VPN does, it encrypts the traffic between a user’s device and the VPN server. This makes it impossible for an ISP not only to read the traffic being sent, but also to determine a user’s IP address and location. One thing to look for when choosing a VPN is to ensure that the company does not keep logs. The reason is that if there are logs, then authorities in the country the VPN is located in can request access to them, which defeats the whole point of using a VPN to ensure privacy.

The digital privacy advocacy group Restore Privacy has a list of nine VPN providers they recommend; however, of those nine, only three have been certified as not collecting logs. The nine that are recommended include:


Below are the three VPN providers that are certified to not collect logs.


There is one final thing that we all can do to protect our privacy. That is to stop using insecure search engines such as Google and Bing, just to name the main ones and move to more secure search engines. There are four that are outside the Five Eyes Alliance, which include:

There are also three that while they are located within the Five Eyes Alliance, are still recommended due to their privacy policies. They are:

One thing to remember is that the above recommendations are not an all-inclusive list of what we can do to ensure our privacy. One thing missing is web browsers. There are more secure browsers than Chrome and Edge.

Basically, what this comes down to is trust. With the information that has been provided, do you trust that your privacy is ensured with what you are currently using? Before we as individuals can answer that question, we all need to look at our own situation and threat model, and whether an adversary would have a reason to target us. We also need to determine if we are comfortable with our governments basically having unrestricted access to our information.

References

Analyzing a Smishing Attack

by Eula Chua

October 19, 2022

Phishing attacks have become more sophisticated and found their way to other avenues. This week, I will be helping you analyze a Smishing attack.

A Smishing attack is part of the phishing family. It’s a cyber attack where text messages are sent by an attacker to trick victims into clicking a malicious link, sharing sensitive information, or sending money to a “trusted” organization. The characteristics and motives are almost identical except for the fact that it’s sent via SMS. Smishing can also be used to obtain verification codes if the target’s phone is used for multi-factor authentication for their credentials.

Since text messages do not have a dedicated spam folder, we cannot filter them out. They come through easier and are more likely to be opened by users who are unaware whether they are spam or not.

The following image is an example of a text message I received from someone claiming to be “Canada Revenue Agency” or CRA. In America, the equivalent would be the IRS (Internal Revenue Service). From the perspective of a user, it may be hard to identify whether this is coming from the actual agency.

In regards to this example, here are some questions to ask:

Smishing schemes are made to create doubt in our thought process. This is one of the main tactics of conducting a successful attack. To help combat this, the questions you ask yourself will lead you to make the right judgement, especially if you’re not sure when you encounter a text message like this. I recommend approaching text messages like these with a curious mind. Think critically and ask yourself questions. If you feel like something is fishy, then you’re probably right.

Instead of me listing out what may be suspicious about this, I want you to try figuring out this one. Take out a pen and paper or your digital notes. What are some of the red flags you see in this text message? 

Share it with us by snapping a photo or a screenshot and send it in our LinkedIn comments section of this week’s #BlogByCC post!

OCT 12, 2022

Trust Your Gut - Analyzing a Phishing Email

by Eula Chua

October 12, 2022

Phishing is one of the most common cyber attacks used in today’s world. It uses a combination of social engineering techniques to lead a target into sending sensitive information for financial gain or to gain access to critical resources. To read more about phishing, click here for my previous post.

As we celebrate #CybersecurityAwarenessMonth, this week we will look into analyzing a phishing email that I received in my spam/junk folder. We will be using Phishing.org’s Common Features of Phishing Emails as a tool to help us learn how to distinguish an illegitimate email by its writing style, the sender’s address, the links attached to it, and many more indicators. This demonstration is done for educational purposes only. I do not recommend anyone sifting through their spam inbox, as the attached links may be infected or lead to malicious websites (unless an email you were expecting from a reliable source somehow landed there. Don’t worry, it happens.) Some emails get past the filter and land in your inbox. In case you come across a spam email, here’s what to watch out for.

Exhibit A: Money Transfers:


Many of the phishing emails I’ve seen almost always involve money in it. This email in particular mentions that I will be sent an incredible amount of money but what for? Why would the “FBI Headquarters” contact me through a random test email (test@rapidsms.net) from someone I don’t recognize (I personally don’t know anyone named Christopher A. Wray)?

If you read the email, you will notice that the opening sentence lists actual organizations to get you to think that this is legitimate, even though you may not have used any of their services. You will also notice that the grammar and punctuation are not done properly. The person they ask you to contact doesn’t actually have an official Western Union email address.

To reference some common features of phishing emails with all that we have listed, we can come to the conclusion that this email is too good to be true and that it came from an unusual sender. There’s a sense of urgency in the email where we are notified about the deadline to lodge the claim but it’s not as emphasized compared to other emails that heavily use that trait.
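The traits walked through above (a display name that claims one organization while the address belongs to another, a sum of money, a deadline, and a "Western Union" contact with no Western Union address) can be checked mechanically. The following is an added Python example, not code from the original post or from Phishing.org: it parses a constructed message modelled on Exhibit A and reports each red flag it finds. The organization-to-domain allowlist, the keyword patterns and both sample messages are assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed allowlist: organizations a sender might claim to be, mapped to the
# domains they are actually expected to mail from. Extend it for your own use.
CLAIMED_ORG_DOMAINS = {
    "fbi": {"fbi.gov"},
    "western union": {"westernunion.com"},
}

# Heuristic phrase patterns (assumed); tune them to the mail you actually see.
MONEY = re.compile(r"(\$\s?\d[\d,]*(\.\d+)?|\b\d[\d,]*\s?(usd|dollars)\b|\bmillion\b)", re.I)
URGENCY = re.compile(r"\b(deadline|immediately|urgent|final notice|within \d+ (hours|days))\b", re.I)
TOO_GOOD = re.compile(r"\b(compensation|you have been selected|lottery|inheritance|beneficiary)\b", re.I)
EMAIL_ADDR = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def analyze_email(raw):
    """Return the list of red flags found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Unusual sender: the display name claims an org the domain does not belong to.
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    for org, domains in CLAIMED_ORG_DOMAINS.items():
        if org in display.lower() and from_domain not in domains:
            flags.append(f"From claims '{org}' but the sender domain is {from_domain}")

    # 2. Replies are steered to a different domain than the one that sent the mail.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # 3. Content traits: money, urgency, too good to be true.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if MONEY.search(text):
        flags.append("mentions a sum of money")
    if URGENCY.search(text):
        flags.append("uses urgency language")
    if TOO_GOOD.search(text):
        flags.append("too-good-to-be-true offer")

    # 4. Contact addresses in the body that invoke an org but use another domain.
    for m in EMAIL_ADDR.finditer(text):
        context = text[max(0, m.start() - 60):m.start()].lower()
        for org, domains in CLAIMED_ORG_DOMAINS.items():
            if org in context and _domain(m.group(0)) not in domains:
                flags.append(f"asks you to contact '{org}' at a non-{org} address: {m.group(0)}")
    return flags


# Constructed sample modelled on Exhibit A (not the actual email).
SUSPICIOUS_EMAIL = """\
From: "FBI Headquarters" <test@rapidsms.net>
Reply-To: wu-agent@example.net
Subject: Release of your compensation funds ($10,500,000.00 USD)
Content-Type: text/plain; charset="utf-8"

Attention beneficiary,
We have been mandated by the IMF and World Bank to release your funds.
Contact the Western Union agent at wu-agent@example.net before the
deadline to lodge your claim.
Christopher A. Wray
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: "Alice Example" <alice@example.com>
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Hi, are you free for lunch on Friday at noon?
Alice
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", analyze_email(raw) or ["no red flags"])
```

Checks like these support, rather than replace, the judgment the post asks for: a clean result only means none of the listed patterns matched.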

Can you find any more noticeable traits about this email that we haven’t mentioned yet? Let us know! Remember to review the common features of phishing emails and if you’re unsure whether an email you received came from the right source, use your best judgment. Next week, we will continue to practice analyzing other phishing emails, this time involving “order transactions” from a "legitimate” company. Until then, trust your gut and don’t open that suspicious email!

Securing IoT Devices

by James Driscoll

October 12, 2022

What exactly are IoT devices? IoT stands for “Internet of Things”. They are also known as smart devices. Now, let me ask what comes to mind when you hear the term “IoT device”? I would bet a lot of the answers are going to be the Amazon Echo or the Google Home, am I correct? Now, there are a lot more than just those two. The list includes smart refrigerators, smart watches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security systems, and the list goes on (18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products), 2022).

While IoT devices are great in that they make our lives a little bit easier, they do have one serious flaw. IoT devices are configured for ease of setup / use, not security or privacy. To prove my point, I looked for a story regarding baby monitors being hacked. Yes, certain models of baby monitors are IoT devices.

I do not know if you all remember but there were stories every couple of months a few years ago, but we do not hear much about it now.

So, the story I found is from 2018, about a mom in South Carolina who initially noticed unusual activity on her baby monitor. One morning she woke up and saw that the monitor was directly facing her. While she thought this was weird, she dismissed it, since her husband was known to move the monitor through the application on his smartphone so he could check on her while at work. Seems logical to me, as I have something similar, but not a baby monitor, that I can use to check on my wife while I am gone. However, the second incident has no logical explanation. It happened while the husband and wife were having dinner together. The wife got an alert on her phone that the camera was moving, but they were both at home in the same room and neither one had opened the app and moved the camera. What the wife did next was the best thing she could do: she not only disconnected the baby monitor but also called law enforcement.

When an officer arrived, the wife described what happened and said she suspected the baby monitor had been hacked. So, the officer decided to do a little investigating and test that theory. The officer had her reconnect everything, and that is when she discovered she had been locked out of her own account (Domonoske, 2018). Pretty scary stuff.

Now, at this point some people may be wondering how this happened. Remember what I said earlier: IoT devices are configured for ease of setup / use, not security or privacy. Also keep in mind that these devices could have vulnerabilities that are not seen on computers. I am talking about vulnerabilities that could allow a device to reset back to default settings (including login credentials). I mention that because in the story, when the monitor was set up, the password was changed to something unique to the device and was not used anywhere else (Domonoske, 2018).

After reading this story, I am willing to bet that some of you are wondering if it is even possible to secure IoT devices, and my answer is yes, they can be secured. In fact, there are six steps that can be taken to secure IoT devices. One disclaimer: I know the site says seven tips and I am listing six. I did that because I combined changing the login ID and password into a single item.

1. Start with configuring the router correctly.

a. Do not use default credentials. Change both the login ID and password.

b. Use the highest level of encryption possible. You are looking for WPA2 or WPA3. If your router only offers less than that (WEP or WPA), you need a newer model.

2. Put IoT devices on their own network separate from everything else.

a. Basically, create a guest network for IoT devices. By doing this, you will prevent criminals from accessing the main network if an IoT device is hacked.

3. Another option is to turn off features you are not going to use.

4. Update the device’s firmware. Keep in mind that this typically does not occur automatically, so it may have to be done manually. That means setting a calendar reminder once a quarter or so and following the update directions that should be included with the documentation for that device.

5. Implement MFA if available. Now, I know that this option is a little counterintuitive as it takes the ease of use out of the device, but it will add to the security.

6. Use a secondary Next Generation Firewall (NGFW). This is an option because while most routers built within the last few years probably have a firewall, they may not offer the protection you want. In that case, purchasing an NGFW and using it in conjunction with the router would do the trick (Goodreau, n.d.).
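The six steps above map directly onto a checklist you can run against an inventory of your own home network. Below is an added Python example, not code from the original post or from the IEEE article it cites: it audits a constructed description of a router and its IoT devices against the six steps and shows a weak configuration beside the corrected one. The inventory schema, the default-credential list and the 90-day firmware window (the post's "once a quarter") are assumptions.

```python
from datetime import date

# Assumed list of factory credential pairs worth rejecting outright (step 1a).
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("user", "user")}
# Step 1b: WPA2 or WPA3 only; WEP and the original WPA mean the router is too old.
ACCEPTABLE_WIFI_SECURITY = {"WPA2", "WPA3", "WPA2/WPA3"}
# Step 4: the post suggests a quarterly firmware reminder (assumed as 90 days).
FIRMWARE_MAX_AGE_DAYS = 90


def audit_home_network(cfg, today):
    """Check a network inventory against the six steps; return a list of findings."""
    findings = []
    router = cfg["router"]

    # Step 1a: default router credentials.
    if (router["admin_user"], router["admin_password"]) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("router: default admin credentials still in use")

    # Step 1b: encryption level on every SSID.
    for net in cfg["networks"]:
        if net["security"] not in ACCEPTABLE_WIFI_SECURITY:
            findings.append(f"network {net['ssid']}: {net['security']} is too weak, need WPA2 or WPA3")

    # Step 2: IoT devices belong on their own (guest) network, not the main one.
    main_ssids = {n["ssid"] for n in cfg["networks"] if n["purpose"] == "main"}
    iot_ssids = {n["ssid"] for n in cfg["networks"] if n["purpose"] == "iot"}
    if not iot_ssids:
        findings.append("no separate IoT/guest network is defined")

    for dev in cfg["devices"]:
        name = dev["name"]
        if dev["ssid"] in main_ssids:
            findings.append(f"{name}: joined to main network {dev['ssid']}, move it to an IoT network")

        # Step 3: features enabled but not actually used.
        for feature in sorted(set(dev["enabled_features"]) - set(dev["used_features"])):
            findings.append(f"{name}: unused feature enabled: {feature}")

        # Step 4: stale firmware.
        age = (today - dev["firmware_updated"]).days
        if age > FIRMWARE_MAX_AGE_DAYS:
            findings.append(f"{name}: firmware last updated {age} days ago")

        # Step 5: MFA offered by the vendor app but switched off.
        if dev["mfa_supported"] and not dev["mfa_enabled"]:
            findings.append(f"{name}: MFA is available but not enabled")

    # Step 6: a secondary NGFW is optional in the post, so report it as informational.
    if not cfg.get("ngfw_present", False):
        findings.append("info: no secondary NGFW in front of the IoT network")
    return findings


# Constructed inventory of a home network as typically shipped (not a real one).
WEAK_CONFIG = {
    "router": {"admin_user": "admin", "admin_password": "admin"},
    "networks": [{"ssid": "HomeNet", "security": "WPA", "purpose": "main"}],
    "devices": [{
        "name": "baby monitor", "ssid": "HomeNet",
        "firmware_updated": date(2022, 1, 15),
        "enabled_features": ["remote_view", "cloud_recording", "upnp"],
        "used_features": ["remote_view"],
        "mfa_supported": True, "mfa_enabled": False,
    }],
    "ngfw_present": False,
}

# The same household after applying the six steps.
HARDENED_CONFIG = {
    "router": {"admin_user": "homeadmin", "admin_password": "long-unique-passphrase-set-by-owner"},
    "networks": [
        {"ssid": "HomeNet", "security": "WPA3", "purpose": "main"},
        {"ssid": "HomeNet-IoT", "security": "WPA2", "purpose": "iot"},
    ],
    "devices": [{
        "name": "baby monitor", "ssid": "HomeNet-IoT",
        "firmware_updated": date(2022, 9, 20),
        "enabled_features": ["remote_view"],
        "used_features": ["remote_view"],
        "mfa_supported": True, "mfa_enabled": True,
    }],
    "ngfw_present": True,
}

AUDIT_DATE = date(2022, 10, 12)  # the post's publication date, used as "today"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_home_network(cfg, AUDIT_DATE)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```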

So, the bottom line here is that we as individual end users of these products are responsible for our security. We cannot rely on the product manufacturers to be security minded. As I have said a couple times in this blog, manufacturers want people to have a product that is easy to setup/use. This is what makes them money. If a product is not easy to setup/use, people are not going to buy it and the company is not going to make money, which is what matters to them.

References

18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products). (2022, September 24). Retrieved from Software Testing Help: https://www.softwaretestinghelp.com/iot-devices/#:~:text=Smart%20Mobiles%2C%20smart%20refrigerators%2C%20smartwatches,few%20examples%20of%20IoT%20products


Domonoske, C. (2018, June 5). S.C. Mom Says Baby Monitor was Hacked; Experts Say Many Devices are Vulnerable. Retrieved from NPR: https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable 


Goodreau, T. (n.d.). 7 Actionable Tips to Secure Your Smart Home and IoT Devices. Retrieved from IEEE Computer Society: https://www.computer.org/publications/tech-news/trends/7-actionable-tips-to-secure-your-smart-home-and-iot-devices 




OCT 5, 2022

Mindfulness is a Must

by Kimberly McKnight

October 5, 2022

One of the main reasons for naming my nonprofit Cybersecurity Central was to be a resource for those who desire to constantly learn more about tech, infosec, cybersecurity, and preparation for career development and reaching our human potential.


This particular blog post, and many of the topics I discuss personally, are around the human side of careers. I heard of mindfulness training and CBT, (cognitive behavioral therapy), but had no personal experiences using these resources myself, until recently. 


Mindfulness allows us to relocate confidence we may have lost, or never built within ourselves, it helps to focus on what is important and relates to our mission in our journey, and it is a complete gamechanger when discovered and tapped into.


For many reasons, things have been out of line for quite some time in my life, and the discovery of learning to change my mindset has been a true help in allowing me to realign and restructure plans and next steps in my tech and infosec career.


Below are some #mindset resources I use personally and want to share with you. If you have mastered this art and already possess a positive and confident mindset, share the resources with your network. It's mind-blowing to learn how many others are waiting to discover how to influence their own mindset and become the best versions of themselves they are capable of being. Leaders and influencers included! It's not just the n00bs full of insecurities. 


Aligned in Tech was the first podcast still sticking to the tech theme, but it started to lean into mindset, and how to rethink my value as a career changer and what I bring to the table. The shows consist of several things I heard before, but captured so simply and delivered with support, from experience, allowing you to absorb and make the mind shifts necessary to excel in our lives.


Brave to Be Multipassionate by Kate Kim was the next podcast I found, after seeing a post from Kate on LinkedIn. Wow! What a gem of a podcast! I have found more resources and individuals to follow from listening to her podcast than I can count! She hosts amazing guests who are more than research worthy, each with great initiatives and platforms themselves. Do yourself a favor and make this a must listen, (or watch now on YouTube), especially if you're anything like me and have passions in many places throughout your life. 


The next resource is Positively Living podcast from Lisa Zawrotny, whom I discovered while listening to Kate's Brave to Be Multipassionate podcast! Talk about hitting all the areas... Lisa covers everything from how to organize your LIFE, and how to have a positive and productive mindset while doing so. If you want to get organized, and learn various methods from multiple expert sources, this is a show for you. Add it to your list of favorites!


Last up, a self-help and self-therapy book, "The CBT Deck: 101 Practices to Improve Thoughts, Be in the Moment & Take Action in Your Life." This is something I found on Amazon covering Cognitive Behavioral Therapy, CBT, specifically. Although the podcasts above may not mention CBT directly, I found much of the mindset talks, insights, and help provided go right back to CBT. Instead of opting for the physical deck of cards (the "paperback" option on Amazon), I decided to go with the Audible version where I can listen to the cards, anywhere from 5-15 minutes per day. It will depend on your style of intake as to which method you may prefer. A Kindle version is also available. I can tell you for the few weeks I've been using this, I have noted a big difference in my overall outlook and confidence in my abilities and BHAG goals.


Now that you have these resources for mindfulness, connect on social and let us know what you think! Feel free to tag @cybersecuritycentral in your posts! We would love to highlight and share your post!


If you haven't already, please be sure to check out Cybersecurity Central’s YouTube channel and subscribe to follow the latest! Follow us on LinkedIn at Cybersecurity Central


I greatly appreciate your support of Cybersecurity Central and can't thank you enough for tuning in each week to hang out with us!


Now go check out some of these insightful and inspiring mindfulness resources. You will not be disappointed!  


Cookie Policies & Privacy Pop-Ups

by James Driscoll

October 5, 2022

Imagine you are browsing the internet and come across a website that contains a popup screen, covering the entire page, like in the screenshot below. 


Note: MyFitnessPal.com is the website used as an example throughout this blog.

Basically, this popup screen is asking users to click “Accept” so the screen will go away. The question I have is: do you grumble and begrudgingly click “Accept”, or do you explore the options and read about how a site uses and stores your data? Have you noticed that some websites you visit have this popup and some do not? Does everyone know why we constantly see these popup screens? If you cannot answer these questions, do not worry, as I will talk about each one of them.


Each site that has a privacy policy with a pop-up screen provides links that users can click on to learn how their information is being used and stored.  On this site users can read about their data rights and options, the terms and conditions of use, and the privacy policy.  There is also a link for users to opt out of certain cookies.  Finally, users can click on the “Accept” button to agree to all cookies. 


Before diving deeper into these pop-ups, I think it helps to understand why pop-ups are here in the first place. About three years ago, privacy pop-ups came about with the California Consumer Privacy Act (CCPA) of 2018. The CCPA officially became law in Jan 2020 and mandates that websites advise their users what information they collect and how they intend to use it (Healey, 2021).


Another major reason for these pop-ups is the EU’s General Data Protection Regulation (GDPR), which mandates sites that collect the personal information of EU citizens comply with this new regulation. Companies globally had to adjust and ensure their websites were in compliance with GDPR in order to continue serving customers in these countries. 


Back to our example website, MyFitnessPal.com. What are the options available? The first option is to read exactly what the data rights and options are. The Reader's Digest version is that the site tells users they have the option to opt out of personalized and targeted advertising. It also gives users directions on limiting cookies and other tracking technologies. Next, they give directions on changing device settings for both iOS and Android. Finally, there are even steps on how users can access their data and export it to a file (Data Management, n.d.).


Next, let’s look at their Terms and Conditions of Use.  This page spells out what users can and cannot do with their site.  It is basically a legal disclaimer designed to protect them and their users (MyFitnessPal Terms and Conditions of Use, n.d.).  Every site you go to is going to have this page.  Some sites will make it easier to find than others.


The third and final policy that we have is the Privacy Policy.  This page talks about how the site collects and uses user information.  They also discuss how and to whom they share user information.  Reading further on, they discuss the legal reasons for collecting and sharing user information.  They also include situations where users are asked for consent to information sharing. 


Now, there is one more option available. If you review the above screenshot, there is an option to opt out of specific cookies. This means users can choose which cookies are accepted, or not. The options may vary from site to site, and based on user region.


So, let’s take a further look, shall we? As you can see, the next screenshot tells users why cookies are used. Users can either agree to all of them and proceed, or click on more information and choose which cookies they want to accept.

If we click on “More Information,” we find a couple of options that users can opt in or out of. As shown in the screenshot below, there are three sets of cookies: “Required Cookies”, “Functional Cookies”, and “Advertising Cookies”. Notice users can only opt in or out of the “Functional Cookies” and the “Advertising Cookies”. The reason is that “Required Cookies” are necessary for the site to function properly. The other two are completely optional.


UPDATE:  As I am writing this blog, new information has come out regarding these cookie consent notifications.


According to the Bleeping Computer news site, seeing these consent pop-ups may mean users are already being tracked.  The reason they say that is because in some cases, these pop-ups facilitate a “privacy breaching data exchange before the user can opt out” (Toulas, 2022).


Now, you may be asking what are our options?  Well, one option is to completely stop using the internet.  Before I am written off as insane, I understand this is impossible.  Our lives are so intertwined with the internet that the actuality of this happening is next to zero.  But, it is still an option.  A second option is to continue with the status quo.  A third option?  Yes, ladies and gentlemen, there is a third option available: Use the Brave browser.  This is now an option because starting with the upgrade that comes out this month, which will be version 1.45, Brave will block users from seeing these consent pop-ups (Toulas, 2022).


Bottom line, when you get to a website with one of these privacy pop-ups, I highly recommend taking some time to read through the policies. I say that because I want everyone to be informed as to how their information is being collected and used. Keep in mind that the information these sites collect and use is your information, and you, as the owner of that information, get to dictate whether a website can not only collect but also use that information.


References:


SEP 28, 2022

MFA Fatigue

by James Driscoll

September 28, 2022

The data breach at Uber is just the latest in a long list of data breaches this year. While the tactic used to gain network access is not new, I do not believe it has gotten a lot of press till now. You all might be wondering which tactic that is. That would be Multi-Factor Authentication (MFA) fatigue. So, what is MFA fatigue? As we all know, there are different types of MFA. They include hardware keys, biometrics, authentication applications, SMS, and push notifications. MFA fatigue targets push notifications (Abrams, 2022).


The way this attack works is that the threat actor gets an employee’s credentials, either by phishing, by buying them off the dark web, or some other way. Then the threat actor tries to log in and the victim gets a push notification. Obviously, the victim, knowing they are not attempting to log in, is not going to accept the notification. Now, not having gained access to the network, the threat actor will continue to attempt to log in repeatedly in rapid succession until the victim gets so tired of the notifications that they finally accept one just to make the notifications stop (Abrams, 2022).


So, what can be done to safeguard against this type of attack? Arctic Wolf, a leading cybersecurity company, has three recommendations.


1. Educate all users on indicators of an attack:


a. Unexpected MFA push notifications

b. Unknown location of login attempt

c. Receiving communication supposedly from a person in the organization's IT department asking the user to accept the request

d. Continuous MFA requests in rapid succession over a short period of time


2. Restrict the number of MFA push notifications allowed


3. Disable MFA push notifications and use another form of MFA (Tatar, 2022)
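Indicator (d) and recommendation 2 above can be turned into detection and enforcement logic. The Python below is an added example, not code from the original post or from Arctic Wolf: it scans constructed authentication log lines for rapid-fire push prompts that end in an approval, and caps the number of push prompts a user can receive per window. The log format, event names and thresholds are assumptions.

```python
"""Detect MFA push fatigue in auth logs and cap push prompts per user.
Added example; log format and event names are assumed, not from any vendor."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: one user is push-bombed (3 rejections, then an
# approval), the other has a single normal login.
SAMPLE_LOG = """\
2022-09-20T02:11:03Z user=alice event=push_sent src=203.0.113.9
2022-09-20T02:11:05Z user=alice event=push_denied src=203.0.113.9
2022-09-20T02:11:20Z user=alice event=push_sent src=203.0.113.9
2022-09-20T02:11:24Z user=alice event=push_denied src=203.0.113.9
2022-09-20T02:11:41Z user=alice event=push_sent src=203.0.113.9
2022-09-20T02:11:44Z user=alice event=push_timeout src=203.0.113.9
2022-09-20T02:12:02Z user=alice event=push_sent src=203.0.113.9
2022-09-20T02:12:30Z user=alice event=push_sent src=203.0.113.9
2022-09-20T02:12:35Z user=alice event=push_approved src=203.0.113.9
2022-09-20T09:00:00Z user=bob event=push_sent src=198.51.100.7
2022-09-20T09:00:04Z user=bob event=push_approved src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one assumed-format log line into an Event (UTC timestamps)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["event"], m["src"])


def detect_push_fatigue(log_text: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on users who receive >= threshold push prompts inside `window`
    (indicator d). Each alert also records how many denials/timeouts preceded
    an eventual approval, the signal that the user finally gave in."""
    recent = defaultdict(deque)    # user -> push_sent timestamps in window
    rejections = defaultdict(int)  # user -> denials/timeouts since last approval
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.event == "push_sent":
            q = recent[ev.user]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ev.user, {
                    "user": ev.user, "src": ev.src, "pushes": 0,
                    "first": q[0], "last": ev.ts, "approved_after_rejections": 0})
                a["pushes"] = max(a["pushes"], len(q))
                a["last"] = ev.ts
        elif ev.event in ("push_denied", "push_timeout"):
            rejections[ev.user] += 1
        elif ev.event == "push_approved":
            if ev.user in alerts:  # approval after a burst: likely fatigue success
                alerts[ev.user]["approved_after_rejections"] = rejections[ev.user]
            rejections[ev.user] = 0
    return list(alerts.values())


class PushRateLimiter:
    """Recommendation 2: allow at most `max_pushes` prompts per user per window.
    When the cap is hit, the login flow should fall back to a stronger factor
    (e.g. a hardware key) instead of prompting the user again."""

    def __init__(self, max_pushes: int = 3, window: timedelta = timedelta(minutes=10)):
        self.max_pushes = max_pushes
        self.window = window
        self._sent = defaultdict(deque)

    def allow_push(self, user: str, now: datetime) -> bool:
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False
        q.append(now)
        return True


def limiter_decisions(offsets_seconds: list, max_pushes: int = 3,
                      window_seconds: int = 600) -> list:
    """Replay push requests for one user at the given second offsets and
    return the allow/deny decision for each (used to exercise the limiter)."""
    lim = PushRateLimiter(max_pushes, timedelta(seconds=window_seconds))
    t0 = datetime(2022, 9, 20, 2, 0, tzinfo=timezone.utc)
    return [lim.allow_push("alice", t0 + timedelta(seconds=s)) for s in offsets_seconds]


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT {alert['user']}: {alert['pushes']} pushes from {alert['src']} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}, "
              f"approved after {alert['approved_after_rejections']} rejections")
    print(limiter_decisions([0, 1, 2, 3, 660]))
```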


One thing to keep in mind is that MFA is just another tool in the cybersecurity toolbox. It is subject to compromise just like any other tool we have. The reason I say that is because, from what I have seen, the expectation is for MFA to be the end-all, be-all of security, but it is not. I am pretty sure that is an unpopular opinion, and that is fine.


I am pretty sure that some people reading this are wondering, “if MFA can be compromised, then why use it?” This is a valid question. The reason MFA still needs to be used is because it is part of a layered defense. By that I mean the first layer is a user’s login credentials (username and password). If those get compromised, that is when the second layer (MFA) comes into play and will generally prevent a threat actor from gaining access to an organization's network.


Like I alluded to earlier, MFA is not foolproof, as proven by the attack on Uber and numerous other organizations. I mean, let’s be honest, if a threat actor wants to gain access to a network, they are going to find a way in. The whole point of using MFA as part of a layered defense is to make gaining access to our networks so difficult and time consuming that they move on to another target. The military would consider this being a “hard target”. By being a “hard target”, your organization becomes less desirable to attack, and a threat actor will normally move on to another target.


There are two important takeaways I want everyone to gain from this blog:



References

Abrams, L. (2022, September 20). MFA Fatigue: Hackers' New Favorite Tactic in High-Profile Breaches. Retrieved from Bleeping Computer: MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches


Reupert, A., Straussner, S. L., Weimand, B., & Mayberry, D. (2022, March 11). It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the "Village". Retrieved from Frontiers: It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the “Village”


Tatar, S. (2022, September 22). The Growing Risk of MFA Fatigue Attacks. Retrieved from Arctic Wolf: What is MFA Fatigue? | Arctic Wolf


Cybersecurity Awareness All Year Round

by Eula Chua

September 28, 2022

We have a lot coming for you this October for Cybersecurity Awareness Month. To get you prepared for what’s to come, here’s a quick background of what Cybersecurity Awareness Month is about.


In October 2004, Cybersecurity Awareness Month was established as a joint initiative by the National Cybersecurity Alliance and the U.S. Department of Homeland Security.


With the continuous rise of confidential data being uploaded online and the rise of current and upcoming cyber threats, this month is about creating awareness to help all types of users stay safe and protected online.


This year's campaign theme is “See Yourself in Cyber.” Technology continues to adapt and improve every single day. This year’s main focus will be on putting people first when it comes to cybersecurity. As developers, administrators, or end users, we all play a part in technology. It’s important to highlight preventive measures we can take to protect our online privacy and data, in the hope of building a safer cyber space together. For more information, check out:

Cybersecurity Awareness Month | CISA


Although we have a whole month dedicated to Cybersecurity Awareness, did you know that there are other days where we can celebrate it all year round? Here are more days that you can add to your calendar:



Are you participating in this year’s Cybersecurity Awareness Month? 


Connect with us on Cybersecurity Central's socials and tell us about it!



SEP 21, 2022

Cybersecurity Workforce Framework - NIST & NICE

by James Driscoll

September 21, 2022

Let's begin with a typical conversation between someone in Cybersecurity and someone wanting to break into the industry. New person: “I want to get into Cybersecurity, but do not know where to start.” Cybersecurity professional: “What part of Cybersecurity do you want to get into?” New person: “I do not know.”


Does this sound familiar? It should because I am willing to bet that most if not all of us have either initiated or been a party to this very type of conversation. How do we respond when a new person says, “I do not know”, when asked what part of Cybersecurity they want to get into? Luckily, NIST has us covered. They created the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.


The NIST NICE Framework, also known as NIST SP 800-181, was created in 2017 to deconstruct the Cybersecurity realm into 52 roles. It also acts as a foundational reference that provides baseline information regarding the knowledge, skills, and abilities (KSAs) for these roles. It was updated to Rev. 1 in November 2020 (Newhouse, Keith, Scribner, & Witte, 2017).


One thing that I like about this framework is that it is easy to read. It is logically laid out. Now, as with any other framework, NIST 800-181 is full of acronyms; however, the first time one is used it is spelled out, which alleviates some confusion for people reading it. Another aspect of it I like is that it spells out not only who the audience is, but how it is going to support them. For example, NIST 800-181 is designed for everyone, but for employers there are five aspects that will help them basically write a job description for a particular role. It also describes how it supports current and aspiring employees. Finally, it discusses support for educators, trainers, and technology providers (Newhouse, Keith, Scribner, & Witte, 2017).


So, everyone might be wondering what part of NIST 800-181 we refer a new person to when they say they do not know what part of Cybersecurity they want to get into. Well, there is a table in Attachment A3. Specifically, they want to look at the Work Role, which is in the middle of the table, and the Role Description, which is on the far right of the table (Newhouse, Keith, Scribner, & Witte, 2017). One thing to keep in mind is that while, as stated earlier, the NICE Framework identifies 52 roles, that does not mean that individual organizational positions are going to be identified the same way. This may cause some confusion. The best idea that I can think of to alleviate that confusion is to compare the role description in the NICE Framework with the job description in the job ad.


In addition to the identified roles, the NICE Framework also breaks down those roles and identifies the applicable tasks, knowledge, skills, and abilities (KSAs) required for each specific role. This is in Appendix B. I must warn everyone, this table uses a lot of codes to identify the tasks and KSAs. The task and KSA codes and their definitions are in Appendix A. That means there is going to be a lot of going back and forth between the two Appendices.


Now, if you remember from earlier, I said that the NICE Framework is designed to be used by everyone, not just people trying to decide on what part of Cybersecurity to get into. For example, organizations can use Appendix A and B when they are creating job advertisements. Also, managers can use those same appendices when deciding on employee training.


So, if there is one NIST Framework that I think everyone must read, it would be NIST 800-181. It has information applicable to everyone. For new people wanting to break into the Cybersecurity industry, it breaks down the industry into 52 roles, which can assist them in deciding what part of Cybersecurity they want to get into. For HR, it has a listing of KSAs for those specific roles, which will help them create accurate job listings for open positions. Finally, for trainers, NIST 800-181 can be used as a resource as they create training programs, courses, seminars, exercises, and challenges, since these can be based on role-specific tasks and associated KSAs.


References

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017, August). NIST Special Publication 800-181. Retrieved from National Institute of Standards and Technology: https://doi.org/10.6028/NIST.SP.800-181


Staying Safe in the Digital World

by Eula Chua

September 21, 2022

Not many realize it, but the need for cybersecurity has increased in today’s time and will continue to increase as technology progresses.


Earlier this week, I encountered an elderly client who told me that he did not want to give out his email address unless it was absolutely necessary. This led him to share a deepfake AI incident he heard about, where another elderly person was lured into believing that the service provider she was communicating with was the “actual” service provider, when in fact it was a scam. She lost thousands of dollars and had a lack of support. It was devastating to hear, but even more devastating to know that incidents like this happen daily without us even knowing.


I decided to pursue the path of cybersecurity early Spring of this year. It has become more and more evident to me how important it is to implement it on every level, from your personal devices and home networks to small-medium sized businesses, large corporations, and industrial control systems, and to create awareness designed differently for each age group.


The quote “Your internal reality becomes your external reality.” (Unknown) applies everywhere, even in the cyber world. If the internal systems are flawed or compromised, it might show as a data breach, a business closure, or financial loss.


If you haven't been keeping up with Simply Cyber’s Daily Cyber News Brief every weekday, you are missing out! First of all, the community never has a dull moment; second, there is always something happening in the digital world that we don’t hear about on mainstream news. Technology changes every day. Being informed about what is happening is an effective way to learn how to prevent ourselves from getting compromised.


As we approach Cybersecurity Awareness Month in October, below are some great resources to better prepare ourselves and help protect one another from online incidents:

Cybersecurity Central is proud to be an official 2022 Cybersecurity Awareness Month Champion organization with National Cybersecurity Alliance.


There’s no better time to start than now. Stay safe, stay aware, and stay secure.


SEP 7, 2022

Offline vs. Online Identities

by Eula Chua

September 14, 2022

Did you know you have two identities? Well, technically, it’s two parts of your identity. Don’t worry, I didn’t either, but it turns out that the identity we normally refer to is only one half of what we have. Many forget that our digital identity counts and is as important as our real-life identity.

Let’s call them: offline and online. So, what’s the difference?

Our offline identity is what we mostly refer to. It is who we are, our real-life personas, and how others know us. This is the identity we use at home, at work, or at school. The offline identity includes personal details of our life that even our friends and family might know, such as our full name, date of birth, age, address, and even our favourite colours.

Our online identity is the digital identity that we carry, which indicates who we are and how we present ourselves. This is our online persona. It can include our usernames, emails, or aliases for our accounts. The moment we are active on the web is the moment our online identity is established, regardless of whether we create an account online or not.

It’s important to keep in mind that both identities should be secured as each one comes with different risks. Even if one is more secure, this could still pose a risk to the other as both offline and online identities can be entryways or an attack surface.

What preventive measures can we take to protect our offline and online identities?

Awareness is key. Let’s first look into social engineering.

Social engineering attacks are a common way to gain information using social tactics. We will look into the specifics of social engineering attacks in the future; for this topic, we will focus on shoulder surfing.

Shoulder surfing is a type of social engineering attack where someone casually observes over the shoulder of another person to gain unauthorized information. This is a simple technique that is used for gathering sensitive information, such as credentials, or monetary gains and is often committed in office environments.

Check out some practical ways to prevent shoulder surfing:


Additional steps we can take are to avoid using the things in the list below, to help protect our identity:



Now that we know that our identity is split into two parts, let’s make sure we protect both identities as best as we can. Help us spread awareness by sharing our blog with your network!

To learn more about your digital identity, check out the references below.

References:

Digital identity for individuals. (2017). NIST. https://www.nist.gov/itl/applied-cybersecurity/tig/digital-identity-individuals

Gibson, D. (2020). CompTIA Security+: Get Certified Get Ahead SY0-601 Study Guide. YCDA, LLC.

Introduction to Cybersecurity. (2018, January 22). Networking Academy. https://www.netacad.com/courses/cybersecurity/introduction-cybersecurity

Compliance Frameworks

by James Driscoll

September 14, 2022

While studying for my CompTIA CySA+ examination I came across several regulatory frameworks. So, I thought it would be a good idea to create a blog to briefly discuss each one. The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; and finally, the Family Educational Rights and Privacy Act (FERPA).

The first framework I will cover is HIPAA. HIPAA became law back in 1996 and was designed to let employees who change jobs take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

The second framework is PCI DSS. The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

The third framework is the GLBA. This standard is applicable to the banking industry. The basic premise is that all financial institutions must have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

The fourth framework is the SOX Act. This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors. It is named for the two members of Congress who sponsored it, Senator Paul S. Sarbanes and Representative Michael G. Oxley (Kenton, 2022).

The last framework to be covered is FERPA. This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose: 1) it returns control of educational records to the parents or to adult students, and 2) it requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).

References:

Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex.

Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html

Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

HIPAA History. (n.d.). Retrieved from HIPAA Journal: https://www.hipaajournal.com/hipaa-history/

Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp

Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20

SEP 7, 2022

What's Happening in Tech & InfoSec? How To Stay (Somewhat) Up-to-Date with Podcasts

by Kimberly McKnight

September 9, 2022

One of the reasons I've made so many connections is tuning into livestreams, attending webinars, and listening to podcasts, then reaching out to those who inspire me and making a personal connection.  It's also how I am able to (somewhat) stay up-to-date on infosec news and events. 


For today's blog, I wanted to cover podcasts. This is the next section to be built out on the CC Resources page, and one topic that isn't highlighted there yet. To align with the resources already on our site, I want to provide you with the foundations. Podcasts are critical to staying current on what's happening in the worlds of tech and cyber.


Below are some of what I feel are must listen podcasts.  Some are daily, others weekly, or even monthly.  How do I find time to listen and keep up?  Full transparency, I don't get to keep up with all of them all the time, but I definitely find time to listen in the morning, a little during the day, a lot at night, and even small doses on the weekends.  I enjoy mixing podcasts that aren't all technical and also include the human side of things:   



Please note: The podcast list above is only a quick snapshot. There are many more I've listened to and recommend, and will include in the CC Resources page in the future as well.


One of the primary reasons I named this nonprofit foundation Cybersecurity Central was because I want it to be a resource for those who want to learn more about where to find resources on all things cybersecurity. Cybersecurity Central has a newly released resources page, but there are many topics still to be added from the lists I've accumulated over the past 2 years, researching and discovering where some of the most applicable, engaging, and trustworthy resources are. Feel free to check out the CC Resources page for a flavor of the absolute essentials everyone should check out. Be sure to bookmark it and check back regularly for new resources. I have TONS of resources still to share, but building it out one by one is super tedious, so bear with me. ;)

 

If you haven't already, be sure to check out Cybersecurity Central’s YouTube channel.

 

And while you are there, please subscribe, like, and share with your network if you found some value. Take care and thanks as always for the continued support for Cybersecurity Central!


Common Attacks on Public Wi-Fi

by Eula Chua

September 7, 2022

From an end user’s perspective, it can be exciting when we find free Wi-Fi is available. Unfortunately, “free” does not always mean it’s safe to use. In today’s blog, we will bridge from last week’s blog topic, Public Wi-Fi is Not Your Friend, and highlight some of the risks of using public Wi-Fi.


Although there are many risks that can occur, we will focus on the following three common attacks:



Identity Theft

We often use our identity to verify who we truly are in order to open or access important accounts like our bank accounts. It is crucial that we keep our personal information safe and protected to prevent others from stealing it. This is what identity theft is – when someone steals your personal information such as your name, address, credit card information, social security number, health insurance number and more. Those who attempt to steal this sensitive information often use it to commit identity fraud for financial gain. To prevent identity theft from occurring, especially on public Wi-Fi, avoid visiting websites where you’re required to fill in your personal information or bank login credentials.


On-Path Attack/Man-In-The-Middle Attack

With an open connection, there can be an influx of network packets traveling within that network, all coming from different devices. This is susceptible to an on-path attack, where a different, and possibly malicious, computer intercepts the connection between two other computers within the same network. This is a form of active eavesdropping. Be aware that any unusual activity, such as large amounts of data transfer occurring over public Wi-Fi, may possibly indicate an on-path attack. For prevention, devices are recommended to be equipped with anti-malware software, firewalls, and intrusion detection systems. As with any device, ensure that strong passwords are always used and that software is regularly patched and updated.


Session Hijacking

Session hijacking is similar to the on-path attack. The goal is to either steal personal information, execute a denial-of-service attack, or infect a system with malware. Rather than intercepting between two computers, the malicious hacker intercepts the connection between your computer and a website's server by recording your session ID. Session IDs may be attached to links or requests that are sent to the websites you visit. Active, passive, and hybrid are the three different types of session hijacking attacks, each conducted with different techniques. To prevent this, avoid clicking links you’re unsure about, make sure to log out of your accounts in each session to terminate it, install a firewall and anti-virus software on your device, ensure that the websites you visit are secured, with URLs beginning with “HTTPS”, and last but not least, use a VPN (virtual private network). Using a VPN will make it more difficult for hackers to intercept traffic.


In Conclusion


There are many other threats out there that need to be covered, but we will need to take things one step at a time. The more devices we hold, the more points of entry we have open. Cybersecurity attacks and breaches happen quite frequently, and the scary part is that we might not even know it’s happening until it reaches the news. Prevention is one of the best ways to protect ourselves and our systems from any attack. We cannot know how to prevent an attack unless we know what we are preventing. This is why cybersecurity awareness is crucial for all users. We hope that we can continue to bring you more cybersecurity awareness content here at Cybersecurity Central to help you stay protected online.


AUG 31, 2022

The Computer Fraud and Abuse Act (CFAA)

by James Driscoll

August 31, 2022

We see news stories almost daily of threat actors hacking into an organization's computer network and either taking the data or encrypting it unless said organization pays a ransom. Now, we all know that this is illegal, but do we know why it is illegal? The answer lies within 18 U.S. Code 1030, also known as the Computer Fraud and Abuse Act (CFAA), which became law in 1986. This blog will discuss the specifics of the CFAA, what led to its passing, and the most recent updates.


History of CFAA

The CFAA got its start as part of another statute called the Comprehensive Crime Act of 1984.  There was a part of this act that made the following two activities related to computers illegal.  1) Gaining unauthorized access to a computer.  2) Having access to a computer but accessing areas that are not authorized (CFAA Background, 2022).  Basically, this is privilege escalation.  


Now for someone to be charged under the Comprehensive Crime Act because of hacking, the victims were limited to government interests.  More specifically the actions had to involve one of three scenarios.  1) Accessing information vital to national security.  2) Gaining access to personal financial records.  3) Gaining unauthorized access to government computers (CFAA Background, 2022).  


Let's skip ahead to 1986.  This is when the provisions of the Comprehensive Crime Act of 1984 related to computer crime officially became 18 U.S. Code 1030, the Computer Fraud and Abuse Act (CFAA).  This separation facilitated the addition of three more prohibitions:


Now, in addition to what was mentioned above, let's see what else is in the CFAA.  The statute also defines punishments, which depend on the type of offense.  In addition, the CFAA dictates who (depending on the offense) will investigate: either the Federal Bureau of Investigation (FBI) or the United States Secret Service.  Finally, certain terms are defined at the end of the document (18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers, n.d.).


2022 Update

Over the years, the CFAA has been updated numerous times.  The most recent update was in May 2022.  Basically, what this update affirms is that “good-faith security research should not be charged” (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).  This update goes on to define good-faith security research, but essentially it means hacking into a network (with the owner’s permission) to test for vulnerabilities so they can be mitigated, thus protecting the CIA Triad of that network (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).


Conclusion

I highly recommend at least scanning over it.  I think it is an interesting read; of course, I am a bit of a nerd, so I may be a little biased.  Nonetheless, it is important to be at least familiar with applicable laws, especially for anyone wanting to get into penetration testing.  This way you will have an idea of how far you can go without breaking the law, because I will tell you, as someone with a criminal justice degree, that claiming ignorance of the law is not a defense.


References:

18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from cornell.edu: https://www.law.cornell.edu/uscode/text/18/1030 

CFAA Background. (2022, July 14). Retrieved from NACDL: https://www.nacdl.org/Content/CFAABackground 

Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act. (2022, May 19). Retrieved from Justice.gov: https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act


Public Wi-Fi is Not Your Friend

by Eula Chua

August 31, 2022

I have been deceived and probably, so have you.

There was a time in life when my friends and I would get excited when Wi-Fi became publicly accessible in certain coffee shops, restaurants, airports, and libraries. This meant that we didn’t have to spend extra money to pay for cellular data overages.

We would instantly connect wherever public Wi-Fi was available, as if we had hit the jackpot. Okay, maybe that's a little exaggerated. But it fit the quote, "the best things in life are free."

That quote does not exactly hold true, though. It should have been, "the free things in life come with consequences." Here is where convenience versus security comes to mind.

Public Wi-Fi is not our friend. Connecting to it puts us at risk. At your discretion, you can use it in desperate situations, but if at all possible, avoid it at all costs.

I’ll tell you why.

There are probably hundreds of people passing through the same location as you. Any one of them can connect to the same hotspot, and any one of them may be a cybercriminal.

Another point to think about is how the public Wi-Fi was configured. Was it properly secured? Could anyone gain access to the network as an admin? Maybe the default settings on the router were never changed.

Here are a few risks that may be encountered through using public Wi-Fi:



We will go over each one of these in a future post. But for now, what can we do to protect ourselves and mitigate the risks that we can control?


Here is a list compiled by Get Cyber Safe, a Canadian national public awareness campaign:



Do you have other recommendations, tips, or tricks on how to protect ourselves online? Visit us on social and let us know!


Below are some great resources and studies to check out regarding public Wi-Fi:


(PDF) Why do people use unsecure public Wi-Fi? An investigation of behaviour and factors driving decisions

Public Wi-Fi - Get Cyber Safe


https://irjhis.com/paper/IRJHISIC2203054.pdf


Until next time, stay safe out there… and online!


AUG 24, 2022

Let’s Talk About Phishing

by Eula Chua

August 24, 2022

Did you know there are different kinds of phishing attacks that exist? First, let’s define what phishing means.

According to Phishing.org, phishing is “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”

Phishing is one of the most common ways for cyber attackers to target people online via email. Many times, this type of attack is used on specific groups of people or high-profile individuals to gain personal information and most of the time, for financial gains.

As phishing continues to adapt, cyber attackers have found other communication channels to trick users into providing information. Some examples are voice messages, SMS text messages, and phishing through search engines. There are many ways phishing is carried out; in today's blog, however, we will be focusing on the different types: email phishing, vishing, smishing, spearphishing, and whaling.


Email phishing

When we hear phishing, we automatically think of email phishing, because it is the most common technique used to conduct a phishing attack. If you check the spam/junk folder of your inbox right now, you might notice emails from unknown addresses with odd subject lines. There could also be emails that appear to come from people you know. Remember that the purpose of phishing is to trick users into believing that the sender or organization is legitimate so that they reveal personal information. How is this done? Phishing emails often contain links that lead to a malicious website designed to look legitimate. Such a site may either install a trojan or present a login form that captures your credentials. Other emails carry malicious attachments.
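Two of the tricks described above, a link whose visible text names one site while the real destination is another, and a domain that merely resembles a well-known one, can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it parses an HTML message body with the Python standard library and flags both indicators. The trusted-domain list and the sample message are constructed for illustration.

```python
"""Spot two common indicators of a phishing link in an HTML email body.

Added example for the email-phishing section; it is not code from the
original post. It flags (1) anchors whose visible text names one host while
the real href points to another, and (2) href hosts that are a one- or
two-character edit away from a trusted domain (a lookalike). The trusted
domain list and the sample message are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the domains this hypothetical organisation trusts.
TRUSTED_DOMAINS = {"example-bank.com", "example.org"}

# Constructed sample message body (not a real email).
SAMPLE_EMAIL = """
<p>Your account is locked. Sign in at
<a href="http://example-bank.com.verify-login.co/reset">example-bank.com</a></p>
<p>Or visit <a href="https://examp1e-bank.com/">https://example-bank.com</a></p>
<p>Questions? See <a href="https://example.org/help">our help page</a>.</p>
<p><a href="https://examp1e-bank.com/login">Reset password</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels of the host.
    Good enough for .com/.org; production code would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalikes such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_in_text(text):
    """If the visible link text looks like a URL or bare domain, return its host."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname


def analyse_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return findings as dicts with the href, a kind and a detail string."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        href_dom = registrable_domain(href_host)
        shown_host = host_in_text(text)
        # Indicator 1: the text says one site, the link goes to another.
        if shown_host and registrable_domain(shown_host) != href_dom:
            findings.append({"href": href, "kind": "mismatch",
                             "detail": f"text shows {shown_host} but link goes to {href_host}"})
            continue
        # Indicator 2: an untrusted domain that is almost a trusted one.
        if href_dom not in trusted and any(0 < edit_distance(href_dom, t) <= 2 for t in trusted):
            findings.append({"href": href, "kind": "lookalike",
                             "detail": f"{href_dom} resembles a trusted domain"})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL):
        print(f["kind"].upper(), f["href"], "-", f["detail"])
```

On the constructed message this reports the first two links as mismatches (the subdomain trick and the digit-for-letter swap hidden behind honest-looking text) and the last as a lookalike, while the genuine help link passes. The registrable-domain comparison, not the full host, is what catches `example-bank.com.verify-login.co`.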


Vishing aka. Voice phishing

Vishing is a combination of “voice” and “phishing”. This occurs when a “phisher” utilizes a phone system to lure their targets into providing their personal information or credentials, mainly for financial gain. VoIP (Voice over IP) technology is often used for these attacks because it’s easier for the attacker to pretend that they are from an actual known company, by spoofing their caller ID.


Smishing aka. SMS phishing

“SMS” and “phishing” make up the term “Smishing”. Rather than it being done through email, phishing is done via text message. With the same purpose of gaining personal or financial information from a target, malicious links and attachments can also be sent through text. Smishing can also be used to obtain verification codes if the target’s phone is used for multi-factor authentication for their credentials.


Spearphishing vs. Whaling

If you get these two terms mixed up, you are not alone. Let’s go over the main differences.

Spearphishing is a specific type of phishing in which an attack is conducted on a particular person or specific groups of users, most often within an organization.

Whaling is a specific type of spearphishing, where a high-level executive is either the victim or the one being impersonated.

There are so many different ways a phishing attack can be carried out. End-user security awareness is crucial to our online safety and privacy, as phishing attempts occur every minute of every day.


As end-users, how can we do our part to prevent these phishing attacks from progressing?



If you would like to learn more about phishing, here are some great resources to visit:

- https://www.getcybersafe.gc.ca/en/blogs/phishing-introduction

- https://phishing.org

- https://www.microsoft.com/en-ca/security/business/security-101/what-is-phishing

- https://cybersecurityguide.org/resources/phishing/

- https://www.phishprotection.com/resources/what-is-phishing/

Why Every Organization Needs a Disaster Recovery / Business Continuity Plan 

by James Driscoll

August 24, 2022

Disasters, whether natural or man-made, are inevitable. Every company, no matter its size or location, is going to experience one. How quickly it recovers, if at all, depends on whether it has a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).


For a BC / DR plan to be successful the following five steps should be taken:


1. Be proactive with planning – Create a list of as many conceivable disasters as possible. Imagination is the only limiting factor, as long as the disaster is actually conceivable; for example, a company in North Dakota planning for a hurricane is not.

2. Identify the organization's critical functions and infrastructure – This is when a company would conduct a business impact analysis, which serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses about the causes of disruptions and the repercussions of those disruptions.

3. Create emergency response policies and procedures – This is the meat and potatoes of the process: creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.

4. Document the backup and restoration process – This involves writing down the procedures for backing up the company's data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.

5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing comes in. Testing a plan makes the employees familiar with it, which lets them respond more quickly; this is paramount in a disaster where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).


When creating the BC plan, one of the main things to consider is the backup location, which may have its own disaster risks that need to be anticipated. Six items to consider when choosing a backup location are:


1. Natural Disaster – If the backup location is close to the primary location, the company could face a disaster within the disaster, with both locations taken offline. The mitigation, where feasible, is to pick a location further away.

2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is a backup location that can be reached via multiple routes, or one close enough that nearby employees could walk to the site.

3. Human Error – Humans are not psychic; information needs to be passed to us. A company may have the best BC / DR plan ever created, but if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.

4. Cyber Attack – While transferring data to the backup site, companies need to ensure that their customers' information is safe and not exposed to a cyber attack. This can be mitigated by ensuring devices at the backup location are kept patched and updated, anti-virus is used, and data is encrypted.

5. Compliance – No matter where the company is operating from, whether the primary location or the backup site, it still needs to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location: whenever something is done to the primary location, it is also done to the backup location.

6. Physical Security – Physical security is just as important as securing the company's data. There are a couple of ways to achieve this. The company could invest in a security system including cameras, or it could hire security guards to monitor the building (Sampera, 2020).


References:

An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: https://www.bizjournals.com/memphis/news/2020/03/09/5-steps-to-creating-a-backup-and-disaster-recovery.html

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies

AUG 17, 2022

DEF CON: The Beginning

by James Driscoll

August 17, 2022

DEF CON was this past weekend, and I started wondering about how and when it started. So I decided this would be an awesome topic, although I wish I had the idea before last week's blog went out.


Now, I do not know about anyone else, but I have always wondered not only how DEF CON originated, but also how the name originated. As you will discover below, it is quite interesting.


It turns out that the name did not originate where I thought it did. With a 20-year career in the Air Force, it was my impression that DEF CON was taken from the term Defense Readiness Condition. While this is accurate, and was the inspiration by way of the 1980s movie "WarGames", the derivation is more specific. The basic premise of this movie is that a young kid connects to a government system that controls the United States' nuclear arsenal. If I had to guess, I would say that it is probably the original hacking movie, but I digress a little bit. It turns out that in the current context, DEF derives from the number three key on a telephone and CON derives from the word conference. Interesting side note: the official spelling is DEF CON.


So, why was DEF CON started? It was not envisioned as the exhibition we have today; in fact, the origin is mundane. In 1993, a gentleman by the name of Jeff Moss had a friend who was moving away. Being a good friend, Jeff wanted to give him a good send-off, so he organized a going-away party. Unfortunately, the friend moved before the party. Not wanting to cancel it, and wanting to honor his friend, Jeff asked all his hacker friends to make a trip to Las Vegas to party. Thus, DEF CON was born, with approximately 100 people in attendance.


As mentioned above, this was originally supposed to be a going-away party, so it would have been a one-time event. However, everyone had such a great time that they convinced Jeff to host it again in 1994. Reluctantly he agreed, and at least 200 people attended the 2nd DEF CON. With each new DEF CON, the number of attendees consistently grew. DEF CON 27, held in 2019, had approximately 30,000 attendees.


Another interesting bit of information that I did not know is that in 2018 there was a DEF CON event held in China. It was supposed to be an inaugural event but, due to the COVID-19 pandemic, it is still the only DEF CON event ever held outside the United States.

Password Management 101 

by Eula Chua

August 17, 2022

We're exposed to an ocean of information, to the point where I can't even track how many times I've seen a post or meme about passwords on paper notes. It's second nature to many of us in the technical field to know that's something that should always be avoided. It only really hits us when we see another person commit the forbidden act. Then it leaves us in shock.


This happened to me the other day. While helping one of the most patient customers I have ever served, I couldn't help but notice that her passwords were stored on a piece of paper tucked in her wallet. I hadn't realized.


You may ask why I’m bringing up this story.

It’s always been a battle between convenience and security.


We’re in a day and age where we have to create multiple accounts for multiple online services and platforms. When it comes to passwords/passphrases, it’s easier for us to write them down on a piece of paper or create a password we can easily memorize. When it comes to convenience, time is valuable and although we want things quick and ready to use, security is on the line. When it comes to security, there are so many steps we need to comply with. How can we find the balance between convenience and security?


Although it may take time before we get to that point, let’s take charge of what we have control of today. As end-users, we are the first line of defense. A big focus we can work on is practicing proper password hygiene.


Before we go and start changing passwords right away, let’s take a moment to reflect on these questions:



Have these questions got you thinking about your current passwords? If so, don’t worry. You are not alone. It may seem overwhelming to have to change every password for every single account. Know that it will take time. Something that has worked for me is utilizing a password manager to keep track of all my accounts and passwords. Whenever I come across an account I have to log in to, I would add it to the password manager, reset my password, and store it.


Before I continue, you may ask, “How does a password manager work?”


Essentially, a password manager uses a secure encryption process to ensure that any password data that is stored or transmitted online is protected and difficult to crack. While many passwords are stored, the main way to access them is with a single master password. This makes it easier for us to remember one password rather than hundreds. Combining this with multi-factor authentication makes it even more secure. Password managers are one of the safest and most secure tools to use. Nonetheless, complex password requirements should not be neglected.


“What are the complex password requirements we should follow to ensure that they are harder to figure out?”


Some common ones, which you may have also read when creating passwords for new accounts are:



Now that we have gone over password complexity requirements and a brief introduction to password managers, here are some notable ones you can start with:


Bitwarden (Bitwarden Open Source Password Manager)



LastPass (#1 Password Manager & Vault App with Single-Sign On & MFA Solutions)



1Password (Password Manager for Families, Businesses, Teams | 1Password)



There are lots of options out there so make sure to do more research and find one that suits your needs.


Changing passwords from multiple logins can take up lots of time and can be overwhelming. Remember to start small and change what you can. Over time, you’ll be able to meet the complexity requirements for every password. The most important part to note here is that practicing password hygiene prevents future compromises. Let’s continue to do our part and stay safe online.

AUG 10, 2022

Multi-Factor Authentication: Factors In-depth

by Eula Chua

August 10, 2022

Almost everything on the Internet requires us to sign up for an account, whether it’s creating an email, a social media profile, or even an account for an e-commerce website. Yet so many data breaches and phishing attacks occur often without our knowledge. Check out this article by Nasdaq on skyrocketing data breaches: 

Data Breaches Continue to Skyrocket in 2022

What can we do to protect ourselves on our end?

Multi-Factor Authentication (MFA).

Multi-Factor Authentication is an authentication method that helps verify the identity of the user logging in to their account. Although a username and password is a method on its own, having only one way to authenticate an account does not fully prevent unauthorized users from accessing it. MFA adds extra layers of protection to keep potential attackers from progressing their attack.

There are 7 Factors/Attributes of Authentication that we will delve into:

3 Factors:

- Something you are

- Something you have

- Something you know

4 Attributes:

- Something you do

- Something you exhibit

- Somewhere you are

- Someone you know


1. Something you are

This factor requires information that is you and only “you”. By this, we mean biometrics. This mainly comes in the form of scanning physical traits, such as your face, retina, fingerprint, thumbprint, voice identification, palm, and more. Do you own any Apple devices? If so, biometric scanning is something you might already be familiar with. Think of Face ID and Touch ID.


2. Something you have

This type of authentication factor asks for something a person physically carries, such as a token key. A token key is a physical device that generates numbers to help verify that the person logging in is (hopefully) authorized. Other examples are ID smart badges, a physical key, an authenticator app on your phone, and common access cards (CACs).

One-time passwords (OTPs) are one of the common security methods used for MFA and are self-explanatory: use the password once and it's done. The app using the OTP method automatically generates a new password for the next time a login is required. Two types of OTP are the time-based one-time password (TOTP) and the HMAC-based one-time password (HOTP). Here's a quick comparison.

TOTP

- Time-based/timestep: the temporary password is only valid within a certain amount of time (usually 30-60 seconds)

- Examples: Google Authenticator App, Microsoft Authenticator App, SecureAuth App

HOTP

- Counter-based: a shared counter increments by one each time a password is generated and validated, so the next password depends on the counter rather than on the clock

- HMAC stands for Hash-based Message Authentication Code, which is an event-based one-time password method that relies on a counter

- Example: Yubico's YubiKey
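The comparison above is easier to see in code. The block below is an added example, not code from the original post or from any of the apps it names: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library and shows the two server-side checks a practitioner cares about, a small clock-drift window for TOTP and a look-ahead counter window for HOTP that never re-accepts a counter that has already been used. The secret is the published RFC test-vector secret, not a real credential.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with nothing but the standard library.

Added example for the TOTP/HOTP comparison; it is not code from the
original post. TOTP is simply HOTP whose counter is derived from the clock,
which is why both share one generator function.
"""
import hashlib
import hmac
import struct
import time

# 20-byte shared secret from the RFC 4226 / RFC 6238 test vectors (not a real key).
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """Counter-based OTP: HMAC the 8-byte big-endian counter, then truncate
    to `digits` decimal digits using the dynamic offset in the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """Time-based OTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret, code, unix_time=None, step=30, window=1):
    """Accept the code for the current step or +/- `window` steps, to
    tolerate clock drift between the phone and the server."""
    if unix_time is None:
        unix_time = int(time.time())
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - window, current + window + 1))


def verify_hotp(secret, code, last_counter, look_ahead=5):
    """Server-side HOTP check. The token may have generated codes that never
    reached the server, so try the next `look_ahead` counters; on a match
    return the new counter to store. Counters at or below `last_counter`
    are never tried, so a replayed (already used) code fails."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, "->", hotp(TEST_SECRET, c))
    print("TOTP at t=59 ->", totp(TEST_SECRET, 59))
    print("Current TOTP  ->", totp(TEST_SECRET, int(time.time())))
```

Note that `hmac.compare_digest` is used for the comparison so that the check takes the same time whether the guess is right or wrong, and that the HOTP verifier returns the counter the server must persist; without that step the same code would be accepted twice.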


3. Something you know

This factor refers to a specific piece of information committed to memory and retrieved when required. Examples include personal security questions, a passphrase, or a personal identification number (PIN). The most common example is a password. Passwords are restricted pieces of information that most of us need to remember and retrieve when logging into an account. Using a password as the sole method of authentication is not secure and leaves the account susceptible to compromise. This is where password managers come in. Many people still question the use of password managers, but for the most part they are one of the safest ways to store all your passwords in one place. We'll talk more about proper password hygiene and password management in our future blog posts.


4. Something you do

This is one of the four attributes, where a physical action is observed: something is done, a gesture or a touch, in order to gain access or to unlock. A common example is a signature, which can be challenging to reproduce because of the pen movement behind its two-dimensional output.


5. Something you exhibit

In most cases, this isn’t commonly included as a factor of authentication but we’ll include it here. This is a specific trigger and response type, similar to “something you are”, to determine whether a response is true or false. An example of this would be a lie detector test.


6. Somewhere you are

This attribute uses a person's location to authenticate a login. It uses Internet Protocol (IP) and Media Access Control (MAC) addressing to indicate where the login attempt is occurring. Some apps and social media platforms (Instagram or Facebook, for example) use this feature to alert the user if a suspicious sign-in attempt was made from an unfamiliar location. This way, the user can decide whether or not to reset their password.


7. Someone you know

Similar to "something you know", this human authentication attribute is an old practice that involves another individual and a whole lot of trust. An example would be the Chain of Trust model, which requires people to vouch for one another. Here's a study if you would like to read more about this authentication factor: https://people.csail.mit.edu/rivest/BrainardJuelsRivestSzydloYung-FourthFactorAuthenticationSomebodyYouKnow.pdf


After going through this, you might think that implementing MFA is intimidating, but in reality it's the opposite. Most companies already have it implemented on their platform; all that is needed is your approval. Next time you log in to any of your accounts, check the privacy and security settings to see if MFA is offered, which can come in the form of an authenticator app (recommended), SMS text message, voice call, or e-mail verification. If you notice that one of your accounts does not offer MFA, consider suggesting it to that platform's customer support or connect with the IT team of your organization. As end-users, we have a big responsibility when it comes to protecting ourselves online. Starting with multi-factor authentication is a big step in preventing compromised accounts. Let's keep security at the top of everyone's minds.


If you’re not sure how to use a multi-factor authentication app, check out this video by Microsoft: 

Set up multi-factor authentication with a mobile device in Microsoft 365 Business

Most Authenticator apps work similarly so make sure you use one that works for you. Thank you for reading!


Additional sources:


CompTIA Certification Exams

by James Driscoll

August 10, 2022

There seems to be some confusion when it comes to CompTIA certification exams.  I constantly see questions about exam expiration and what should be done.  These questions are primarily from people who are working to break into the Information Technology (IT) realm, so they cover A+, Network+, and Security+.  The purpose of this blog is to clear up some of that confusion.  For illustrative purposes I will use the CompTIA A+ exam details to highlight what I am talking about.

Regarding the expiration of the exams: all CompTIA exams are generally valid for three years, give or take a few months.  The reason they are valid for such a short time is that, as we all know, the IT realm is constantly changing, so the exams need to be updated regularly to stay relevant.  For instance, the A+ version 1001/1002 officially launched on 15 January 2019 and will retire 20 October 2022, three months shy of three years.  What this means is that on 20 October 2022 this exam is no longer available.  It does not mean that the certification goes away forever.  It simply means that version 1001 is replaced with a newer version.

That newer version is numbered 1101/1102 and was officially launched in April 2022.  Some people have asked what this means.  In a nutshell, there is generally a six-month overlap between the retiring version and the newer version, during which a person can take either exam.  One thing to keep in mind is that if a person wants to take the newer version, the study material associated with the newer exam may not be available right away.  The screenshots below illustrate my points.

The same concept also applies to Network+, Security+, and every other CompTIA certification exam.

In addition to this, there seems to be some confusion as to when a person is ready to take an exam.  I have seen people say that they took such and such practice test and have been scoring x% on each test, then ask if they are ready to take the exam.  Here is an easy way to tell if you are ready.  Again, I will use the CompTIA A+ exam as an example.  As shown below, to pass either version of Core 1 and Core 2, a test taker needs to score 675 out of 900 (Core 1) and 700 out of 900 (Core 2).

Figuring out if you are ready for the exam is fairly simple.  Take 675 and divide it by 900, then multiply that answer by 100 to get the minimum percentage to pass.  This is what it looks like: 675/900 = 0.75, and 0.75 * 100 = 75%.  This means that for Core 1, the minimum passing score is 75%.  The same formula applies to Core 2 and every other CompTIA exam.  So, if someone is consistently scoring over that minimum percentage (in this case 75%) on practice tests, they are ready for the exam.

Hopefully, this information is helpful.  I wish everyone good luck on whichever test you are studying for.

AUG 3, 2022

DVWA - The Damn Vulnerable Web Application

by James Driscoll

August 3, 2022

In the world of ethical hacking, it is important to practice your skills constantly to maintain proficiency.  There are a multitude of ways to accomplish this.  There are websites like TryHackMe and Hack The Box.  Another option is to set up a home lab utilizing either physical or virtual machines.


Using virtual machines offers numerous options.  Operating Systems that are intentionally vulnerable can be downloaded and created to practice on.  This is fine if you want to practice hacking into a machine.  However, what are the options if you want to practice hacking a web application?  Well, I found an answer while taking part in an ethical hacking class while working on my bachelor’s degree in Cybersecurity, the Damn Vulnerable Web Application (DVWA).


DVWA can be downloaded and installed on a Virtual Machine (VM), offering the ability to practice concepts such as SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery, to name a few. 


Where can the DVWA be downloaded from?  Good question.  There are many versions of the DVWA floating around the internet, but the best place to get it is this GitHub page, https://github.com/digininja/DVWA.  This version is the most up-to-date and is the only one that has any type of support.


So, how is it accessed?  Since it is a web application, it should really be accessed from a separate VM, just as you would access a normal web application during a penetration test.  Simply enter the IP address of the VM hosting the DVWA, as shown below:


The login information should be provided:


After logging in, you will see the below screen:


What is interesting about the DVWA is that it has adjustable security settings that range from Low to impossible.  If you look at the screenshot above, on the left side is DVWA Security.  This is where the security level can be adjusted.  This should be the first thing you do.


After the security level is adjusted, then any of the other options can be selected.  In this case I chose to go with SQL Injection.

This platform really makes it easy to practice these valuable skills.  I highly recommend giving this a try.  I hope you all have as much fun using this as I did. 



Check out this DVWA resource: a YouTube video from @CryptoCat on DVWA setup, the first step in a series outlining all the steps. Another great find to walk you through the process, step by step: https://youtu.be/GmWQ1VIjd2U



End-user Security Awareness Overview

by Eula Chua

August 3, 2022

The online space has no bounds. We are all connected in some way. From our smart TVs and Wi-Fi-enabled home appliances to computers and mobile devices, we are surrounded by technology everywhere we go and probably didn't think we would get as far as becoming dependent on it. Yet we hear about data security breaches happening all over the world and to all types of organizations, and sometimes we don't realize how close we are to being part of one. All it takes is one account to open the gates to getting compromised.


Unfortunately, we ourselves have become the primary attack vector for threat actors, as mentioned in the SANS 2022 Security Awareness Report (https://www.sans.org/blog/sans-2022-security-awareness-report/). Companies and vendors can only do so much on their own before the people using their systems become the deciding factor. How can we improve from here? Security Awareness.


To specify, we will be focusing on information security and end-users in particular. We’ll do a quick overview.


According to Infosec Institute (https://resources.infosecinstitute.com/topic/security-awareness-definition-history-types/), “Security Awareness is a formal process for training and educating employees about IT protection.” Because most of us these days are working online, whether it’s for work, education, or personal purposes, security awareness is no longer limited to employees but to everyone.


What are some of the topics security awareness covers?

Topics may include, but are not limited to:


- Email usage

- Social engineering/Phishing

- Online Safety

- Privacy

- Proper password hygiene

- Common errors and how we can prevent them

- Mobile Device usage

- Encryption

- Social Networking

- AUP (Acceptable Use Policies)


Who does it involve or affect?

It involves all end-users, which may include:


- Executives

- Employees

- Students/Educators

- Grandparents/Parents

- Teenagers/Children

- You


Overall, it would be any target that a threat actor chooses to attack.


Where is security awareness needed/Where can it be found?

It is needed everywhere and anywhere we have Internet access. Nowadays, we’re seeing educational facilities bring up online end-user awareness campaigns, especially with the rise of hybrid learning. Most commonly, businesses and large organizations implement security awareness as formal training. One small mistake can do anything from little harm to completely damaging the business, whether that means a financial loss or closing the business altogether. Because their budgets may be limited, small businesses that need training are often not able to implement it. This gap is now being recognized, and thankfully, online resources are being made available to help small businesses get started. Here’s an article by Infosec Institute (https://resources.infosecinstitute.com/topic/security-awareness-training-can-protect-small-businesses/). For end-users in general, most well-known vendors and service providers offer free online security awareness training programs. Amazon offers a free cybersecurity awareness training course that anyone can take on their learning website: https://learnsecurity.amazon.com/.


When would security awareness training take place?

For organizations, it should ideally be an ongoing program; however, there may be factors that keep it from being constant, such as time, budget, and resources. Most businesses opt for monthly, bi-monthly, quarterly, or bi-annual employee training depending on the factors previously mentioned. Others may do it annually, but that may be a stretch.


How can we prevent ourselves from being attacked?

The key to prevention is being aware. Creating awareness of what type of cyber attacks have been committed allows an individual or an entity to be prepared for what may possibly occur. Then we can move on to taking action.

A few actionable topics to start with, that can be included and taught during security awareness training are:

- Setting up MFA (multi-factor authentication)

- Importance of password managers

- Strong password requirements (e.g., include uppercase, lowercase, numbers, and symbols)

- Wi-Fi and VPN usage

- Tips on identifying phishing emails

- Keeping workstations and devices updated and patched

- Online privacy


Why is security awareness important?

Since the start of the pandemic in 2020, there has been a surge of employees working from home or hybrid. Many of the websites we visit nowadays require our information, for example, e-commerce, email lists, social media, and more. Because of this, so much of our personally identifiable information (PII) is being made available online in some way. With more network and website traffic happening online, users are more vulnerable to encountering an attack and sometimes might not even know it. Many tools can be implemented to prevent attacks to a certain extent. Raising awareness of common cybersecurity threats and risks can help users protect themselves and their assets, reduce anxiety, become less vulnerable, and be more prepared.

As mentioned earlier in this post, the online space has no bounds. Remember that behind every technology there is a human.

Security starts with you.


Resources to help you get started:

JUL 27, 2022

How I Hacked Into Cybersecurity

by Kimberly McKnight

July 27, 2022

It was almost Q3 2020 and felt like the world was falling out of place.  In some new awkward reality, attempting to decode what was happening.  We were in the early phases of a global pandemic.  At that time, no one really understood what that meant, or what it was going to look like.  A company trip to D.C., corporate headquarters, was cancelled last minute.  The company scrambled to put together a travel policy and guidelines.   For now, it was deemed no travel, companywide, until more was known.

 

Next, another major bombshell announcement: no more hiring. Period. Like zero, globally.  What?  Wait, no one had ever heard of such a thing.  We just finished interviewing and offering positions to candidates last week.  Our Fortune 100, Best Company to Work For, is no longer hiring, globally?  Even the most seasoned recruiters who were in the industry for years were in complete shock.

 

When you work in recruiting and hear no more hiring, you understand the writing on the wall. Instantly I knew what was going to happen next.  Hours were decreased and then the furlough news came down.  If anyone didn’t know what was next, they had their heads buried in the ground.  The layoff email was sent the last day of furlough, informing myself and 200+ corporate team members, our positions with the company were no longer.

 

At first, I wasn't sure what to think.  Looking back on it now, I believe I was traumatized.  When you envision yourself with a company and the ride ends early, it is a sinking feeling.  Even though there were people who had been with the company much longer, many right around retirement and had 20+ years invested, I still couldn't help but feel it was due to my own actions.  I ultimately knew it wasn't true, but it didn’t make the feelings any less real.  After a while, you can start to believe those feelings... don't. 

 

While on furlough pending the inevitable layoff news, I began thinking about what I really wanted in a career.  What did I want to do with the time I had left?  After all, I’ve been working for over 20 years already.  I had to find something that continues to drive my curiosity and allows me to constantly grow and learn.  Hospitality was amazing in providing endless opportunities to work in so many areas of business, but after the pandemic experience, I wanted to be sure I picked something that wasn’t tied to worldwide travel.  The way things were looking, it was going to take a long time to recover from and could come back around at any time.  

 

What happens next?  Check out my video on “How To Get Into Cybersecurity | How I Hacked Into Cyber,” posted on Cybersecurity Central’s YouTube channel.

 

And while you are there, please subscribe, like, and share with your network if you found some value in it.  Take care and thanks for supporting Cybersecurity Central!


Chase The Knowledge, Not the Certification

by James Driscoll

July 27, 2022

There is a question that I see all the time on the various social media platforms, “will {insert certification name here}, get me a job in Cybersecurity?”  Now I know that there are a million opinions as to whether certifications are even needed to enter this industry.  That is not what this is about.  This is about the apparent myth that simply getting a certification will land a person a job in cybersecurity.


The answer to the above question is no, {insert certification here} will not directly land someone a job.  At most, the certification will help someone get an interview.  From there it is up to you to land the job.  So, does that mean not to worry about getting a certification?  Not necessarily.  What I am saying is, do not get a certification simply because it is a requirement for some jobs.  Get the certification for the knowledge you will gain.  It is one thing to pass the exam and receive the certification.  That may help you get an interview by standing out over other applicants that may not have the specific certification.  During the interview, the fact that you have {insert certification here} means nothing, unless you can apply some of those concepts in the interview and can talk to the interviewer about some of the knowledge you gained by studying for the exam. 


The whole premise is to chase the knowledge, not the certification.


JUL 20, 2022

It Takes A Lot Of Courage

by Eula Chua

July 20, 2022

My name is Eula. As a Cybersecurity Content Creator for Cybersecurity Central, I wanted to provide you with a glimpse of how I made it here.


It takes a lot of courage for someone to make a career switch or let alone, begin an entirely new career. If you’re one of these people, thank you for being a great example to those around you, for showing that where we are is not the “end-all-be-all” and that there is more for us out there.

 

A few years ago, I was transitioning out of a career in the Beauty industry, not exactly thinking about what was next for me but rather choosing to “go with the flow”.  A friend offered me an interview in tech retail, and I got the job. It was something I would leverage until I made my next move.  I thought of pursuing careers in the environmental, medical, behavioral, and educational routes, but every time, something would prevent me from continuing.  One day, I sat in my Communications class (in a Medical program I was in at the time) and heard my professor say this to the entire class, “You’re in this program because you love it.  You’re passionate about it.  You want to be here.” Everything she was saying did not translate to how I was feeling.  In fact, it was the opposite.  I stuck to my commitment, finished Level 1 of that program, and left it.  It was difficult to leave, but it was freeing.

 

During my discernment, I remembered someone telling me to reflect on my childhood and recall everything that sparked a light in me.  A few of those moments were playing video games with my friends, hosting group chats, researching new technology, learning basic web development to create websites, creating backgrounds and video editing using Adobe tools.  All of that had to do with being on the computer.  Everything else clicked to me – working on the computer, being surrounded by devices at work, seeing how much of our world has shifted into the digital age.  Having a strong Community Outreach background with a desire to help people, being introduced to this side of tech by one of my good friends, and amongst other factors that aligned, I found myself on the path of Cybersecurity.  It took a while to get here but I’m here and we’re just getting started. 

 

I hope that our content brings value to you, whether it be something you implement personally or professionally or something you can relate to or learn from.  If you have suggestions on topics you would like us to cover, feel free to send me a message on LinkedIn: https://linkedin.com/in/eulac-lipro


Veteran in Cybersecurity

by James Driscoll

July 20, 2022

My name is James.  I am a retired Air Force veteran and married to my wife of 22 years.


In the Air Force, my role was in Air Transportation.  Basically, I worked at military airports loading passengers and cargo.  The best way to picture it is to think of a combination of American Airlines and Federal Express.  After I retired in 2014, I continued in the same career field but as a military contractor.  The job is interesting; however, it is no longer challenging.


One aspect of this job that I really enjoy is that of regulatory compliance.  Ensuring that all the passengers comply with not only applicable FAA/TSA regulations but also applicable destination country entry regulations.  On the cargo side, the job entailed ensuring the cargo was prepared and documented correctly.  This is extremely important when hazardous cargo is being transported.  The reason for this is for the safety of the aircraft, crew, and any passengers.  An example of a failure in procedure is ValuJet flight 592 that went down in the Everglades in 1999.  The reason for this crash was that some oxygen generators were not properly packaged or documented.  


In addition to loading airplanes, I also served as a system administrator.  I was responsible for creating accounts, setting permissions based on the duty position of the individual, and working with the help desk to update and patch the system.  This is what initially got me interested in Information Technology.  As a result, I tried numerous times to change career fields into Information Technology but was unsuccessful. 


Why am I making the career change into Cybersecurity?  This is a good question.  It was June 2020, and I was working at a deployed location loading aircraft and suffering every day because of medical conditions created by my military career.  My wife suggested contacting the Veterans Affairs office and applying for something called Vocational Rehab.  Basically, this is a program where veterans with medical conditions can go back to school to get a degree in a field that will not aggravate the condition.  So, I applied.


After speaking with the counselor, I was approved!  Next, it was time to choose a program and school.  I thought to myself, this was the perfect chance to finally change careers and move into Information Technology.  After constantly seeing reports of data breaches and ransomware attacks, I decided to transition into cybersecurity.  The school I chose to attend is ECPI and I will be graduating the end of August 2022.


I am extremely grateful to Kimberly for this opportunity to work with Cybersecurity Central.  It is exciting to be able to give back to such a welcoming community that I am breaking into.  It will be an interesting journey but I hope it will be a journey that everyone can learn and get inspiration from.


Feel free to connect or send me a message on LinkedIn: https://www.linkedin.com/in/jdriscoll-76

