Remember that creaky old swing set in your backyard? The one your parents told you was "safe" even though it looked like it might collapse any minute? Yeah, WEP encryption for your Wi-Fi is kind of like that. It's outdated, wobbly, and about as secure as a screen door on a submarine.

WEP was the first attempt at Wi-Fi security, but it's more like a historical artifact than a viable option. It's riddled with vulnerabilities, and cracking it is child's play with readily available software. Imagine leaving your front door wide open and expecting nobody to peek in – that's WEP for you.

But wait, there's TKIP! This "upgrade" isn't much better. It was meant as a temporary fix while they figured out something real, like a sturdy steel gate for your network. But just like that rickety swing set, TKIP has its own cracks, some known since its inception! It's time to retire this rusty relic and move on to something stronger.

So, what's the good stuff? Look no further than CCMP/AES. It's like a fortress compared to WEP and TKIP – imagine a vault with triple locks and laser beams. Even the most dedicated cyber-crooks would give up in frustration trying to crack this one. This is where your precious data should be living, not floating around in the open air like a forgotten kite.

But even Fort Knox has its chinks in the armor. Even with strong encryption, your passwords can be the weak link. Think of them as the keys to your digital kingdom. Using weak, predictable passwords like "password123" is like leaving the spare key under the doormat. Instead, go for something long, strong, and unique – a passphrase fit for a king (or queen) of the internet. Think 20 characters with a mix of letters, numbers, and even symbols. Make it something only you could come up with.

And now for the good news: WPA3, the latest and greatest in Wi-Fi security, takes things even further. It's like adding an alarm system and security cameras to your already-fortified castle. Even if someone finds a stray key, they'll be caught red-handed before they can do any damage.

So, ditch the dust covered WEP and rusty TKIP. Upgrade to CCMP/AES and lock down your passwords with a passphrase fit for royalty. And if you're looking for the ultimate peace of mind, welcome WPA3 with open arms (just make sure they're protected by strong authentication!). Remember, your internet security is your responsibility, so choose wisely and stay safe out there in the digital jungle!

Connect with me on LinkedIn and let's continue the conversation: https://linkedin.com/in/jdriscoll-76 

This week in my advanced networking class we are looking at the network layer of the IP model.  This layer consists of IPv4 and IPv6 which are two different versions of the Internet Protocol (IP), the fundamental protocol that enables communication on the internet. IPv4 is the older version of the protocol, and it is currently used by most devices on the internet. However, IPv4 is running out of addresses, and IPv6 was developed to provide a much larger address space.

IPv4

IPv4 addresses are 32 bits long, which means that there are only about 4.3 billion possible IPv4 addresses. This number of addresses is not enough to accommodate the growing number of devices on the internet, such as smartphones, tablets, and IoT devices.

IPv4 addresses are written in dotted-decimal notation, which consists of four decimal numbers separated by periods. For example, the IPv4 address 192.168.1.1 is written in dotted-decimal notation.

IPv4 is a mature protocol, and it is well-supported by most devices and networks. However, IPv4 is also a complex protocol, and it can be difficult to manage.

IPv6

IPv6 addresses are 128 bits long, which means that there are an almost infinite number of possible IPv6 addresses. This vast address space is enough to accommodate the growing number of devices on the internet for many years to come.

IPv6 addresses are written in hexadecimal notation, which consists of eight groups of four hexadecimal digits separated by colons. For example, the IPv6 address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 is written in hexadecimal notation.

IPv6 is a newer protocol than IPv4, and it is not as well-supported by all devices and networks. However, IPv6 is a simpler protocol than IPv4, and it is easier to manage.

Comparison of IPv4 and IPv6

Ah, it’s the start of another new term in my quest for a master’s degree in cybersecurity and the next class on my list for the next five weeks is Advanced Networking.  However, before we talk about advanced networking, let’s go back to the basics to have a solid foundation to build upon. This week is a history lesson in computer networking.

The Development of Packet Switching 1961-1972:

In the early 1960s, three research groups independently invented packet switching as an alternative to circuit switching for computer networks. Packet switching is more efficient and robust for bursty traffic, such as that generated by users of timeshared computers.

The first packet-switched computer network, the ARPANet, was built in the United States in the late 1960s. By 1972, ARPANet had grown to 15 nodes and had been given its first public demonstration. The first host-to-host protocol, the network-control protocol (NCP), was also completed in 1972, enabling the development of applications such as e-mail.

The Internet today is a direct descendant of the ARPANet. It is a packet-switched network that uses the Internet Protocol (IP) to route packets between devices. IP is a simple but effective protocol that has allowed the Internet to grow and evolve over the years.

Proprietary Networks and Internetworking 1972-1982:

The initial ARPAnet was a closed network, but in the early to mid-1970s, additional packet-switching networks came into being, such as ALOHANet, Telenet, Cyclades, and Tymnet.  Pioneering work on interconnecting networks (under the sponsorship of DARPA) was done by Vinton Cerf and Robert Kahn, who coined the term internetting.  The early versions of TCP combined reliable in-sequence delivery of data with forwarding functions. Later, forwarding functions were separated out of TCP and the UDP protocol was developed, resulting in the three key Internet protocols that we see today: TCP, UDP, and IP.  In addition to the DARPA Internet-related research, many other important networking activities were underway, such as the development of the ALOHA and Ethernet protocols.

A Proliferation of Networks 1980-1990:

By the end of the 1970s, the ARPAnet had approximately 200 hosts connected to it.  In the 1980s, the number of hosts connected to the public Internet grew tremendously, reaching 100,000 by the end of the decade.  Much of this growth was due to the creation of new computer networks linking universities together, such as BITNET, CSNET, and NSFNET.  In the ARPAnet community, many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS.  In the early 1980s, France launched the Minitel project, a successful attempt to bring data networking into everyone's home.

The 1980s was a time of tremendous growth for the Internet.  New computer networks were created linking universities together, such as BITNET, CSNET, and NSFNET.  Many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS.  France launched the Minitel project, a successful attempt to bring data networking into everyone's home.

The Internet Explosion 1990’s:

In the 1990s, the Internet evolved and commercialized. ARPAnet ceased to exist, NSFNET lifted its restrictions on commercial use, and NSFNET was decommissioned.  The World Wide Web was invented at CERN by Tim Berners-Lee and brought the Internet to millions of people.  The Web enabled many new applications, including search, e-commerce, and social networks.  The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing.

The 1990s was a time of rapid growth and innovation for the Internet.  The World Wide Web made the Internet accessible to a wider audience and enabled new applications.  The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing.  The Internet stock market bubble burst in 2000-2001, but several companies emerged as big winners in the Internet space.

The New Millennium:

In the first two decades of the 21st century, the Internet has transformed society more than any other technology, along with Internet-connected smartphones. Innovation in computer networking continues at a rapid pace, with advances in all areas, including faster routers and higher transmission speeds in both access networks and backbones.

Some of the most notable developments of this period include:

• Aggressive deployment of broadband Internet access to homes, including cable modems, DSL, fiber to the home, and 5G fixed wireless. This has set the stage for a wealth of video applications, including user-generated video, on-demand streaming of movies and television shows, and multi-person video conferencing.

• Increasing ubiquity of high-speed wireless Internet access, enabling new location-specific applications such as Yelp, Tinder, and Waz. The number of wireless devices connecting to the Internet surpassed the number of wired devices in 2011. This high-speed wireless access has also set the stage for the rapid emergence of hand-held computers, such as iPhones, Androids, and iPads, which enjoy constant and untethered access to the Internet.

• Emergence of online social networks, such as Facebook, Instagram, Twitter, and WeChat, which have created massive people networks on top of the Internet. Many of these social networks are extensively used for messaging and photo sharing. Many Internet users today "live" primarily within one or more social networks, which also create platforms for new networked applications, including mobile payments and distributed games.

• Deployment of extensive private networks by online service providers, such as Google and Microsoft, which connect their globally distributed data centers and bypass the Internet as much as possible by peering directly with lower-tier ISPs. This allows Google to provide search results and e-mail access almost instantaneously.

• Migration of many Internet commerce and other applications to the cloud, such as Amazon's EC2, Microsoft's Azure, and the Alibaba Cloud. Cloud companies provide scalable computing and storage environments, as well as implicit access to their high-performance private networks.

This completes today's history lesson on an overview of Computer Networking! See you again soon. Connect with me on LinkedIn: https://linkedin.com/in/jdriscoll-76 

References

• Kurose, J. F., & Ross, K. (2020). Computer Networking (8th ed.). Pearson Education (US). https://ecpi.vitalsource.com/books/9780135928523

My time has been fully consumed with the transition from Day shift to night shift as a SOC Analyst, balancing time with the family, starting the CWCT program, attending CySA+ study group, and assisting with the Young Mogul Development Group. I have been contemplating on what it is I could talk about that isn’t going to make me sound like a broken record: Network, Study…. Rinse and repeat…. So I think that I will just touch on the things that anyone interested in becoming a Cybersecurity professional needs to know, based on my experience on my #CyberGrowthAndLearningGrind journey. 

For week 4 of my Cloud Security course, we learned about privacy and security laws.  This is a bit of a review as these were part of the CompTIA CySA+ exam I took back in February.  So, I thought it would be a good idea to create a blog to briefly discuss each one. 

The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; the Family Educational Rights and Privacy Act (FERPA); and finally, the European Union General Data Protection Regulation (EU GDPR). We will review these six frameworks below:

1.   HIPAA Health Insurance Portability and Accountability Act: HIPAA became a law back in 1996 and was designed to facilitate employees changing jobs to take their insurance with them.  It was also designed to make health care delivery more efficient (HIPAA History, n.d.).  The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

2.    PCI DSS Payment Card Industry Data Security Standard: The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017).  This agreement was established in 2004.  Now, even though it is not a law, non-compliance still has consequences.  These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

3.    GLBA Gramm-Leach Bliley Act: This standard is applicable to the banking industry.  The basic premise is that all financial institutions have a security program and someone to run it (Chapple & Seidl, 2017).  It became law back in 1999.  This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

4.   SOX Act Sarbanes-Oxley Act: This act applies to any organization that is publicly traded (Chapple & Seidl, 2017).  It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors.  It is named for the two members of Congress that sponsored it, Senator Paul S. Sarbanes, and Representative Michael G. Oxley (Kenton, 2022).

5.    FERPA Family Educational Rights and Privacy Act: This act mandates that educational institutions protect student information (Chapple & Seidl, 2017).  FERPA became law back in 1974 and has a dual purpose. 1) Returns control of educational records back to the parents or to adult students.  2) Requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.). 

6.    EU GDPR European Union General Data Protection Regulation:  The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It does this by replacing the data protection directive (Directive 95/46/EC) of 1995. The regulation has been in effect since May 25, 2018, (Chapple & Seidl, 2022)

References

• Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex. 

• Chapple, M., & Seidl, D. (2022). (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide. Wiley.

• Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html 

• Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act 

• HIPAA History. (n.d.). Retrieved from HIPAA JOurnal: https://www.hipaajournal.com/hipaa-history 

• Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp 

• Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20 

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

This past week I started my third term in my quest at a master’s degree at ECPI.  In the next five weeks I will be learning about cloud security.  For the reading last week, I read about how blockchain technology can be used in cloud security.  This is interesting as I had only heard about it in terms of cryptocurrency.  So, I decided to do some more research, and this is what I found.

Blockchain technology is a distributed ledger technology that can be used to improve cloud security in several ways:

• Decentralization: Blockchain is decentralized, meaning that it is not controlled by any single entity. This makes it more difficult for hackers to attack the system, as they would need to compromise most nodes in the network to succeed.

• Transparency: All transactions on a blockchain are publicly visible, which makes it difficult to commit fraud or tamper with data. This transparency can also be used to audit the security of the cloud system.

• Immutability: Once data is added to a blockchain, it cannot be changed without the consensus of the network. This makes blockchain ideal for storing sensitive data, such as customer records or financial data.

Below are some specific ways that blockchain technology can be used to improve cloud security:

• Data encryption: Blockchain can be used to encrypt data stored in the cloud, making it more difficult for hackers to access and steal.

• Access control: Blockchain can be used to implement access control policies for cloud resources, ensuring that only authorized users have access to sensitive data.

• Audit logging: Blockchain can be used to create audit logs of all activity on a cloud system. This can be used to detect and investigate security incidents.

• Key management: Blockchain can be used to manage cryptographic keys used to encrypt and authenticate data in the cloud. This can help to prevent unauthorized access to sensitive data (Gupta, Siddiqui, Alam, & Shuaib, 2019).

Some examples of blockchain-based cloud security solutions include:

• Siacoin: Siacoin is a decentralized cloud storage platform that uses blockchain technology to store data securely and efficiently (Siacoin, n.d.).

• Storj: Storj is another decentralized cloud storage platform that uses blockchain technology. Storj also offers encryption and access control features (Storj, n.d.).

• Keyless: Keyless is a blockchain-based key management platform that helps organizations to manage their cryptographic keys securely (Authenticate People, Not Just Devices, n.d.).Blockchain technology is still in its early stages of development, but it has the potential to revolutionize cloud security. As blockchain-based security solutions continue to mature, we can expect to see them adopted by more and more organizations.

Below are some additional thoughts on the use of blockchain technology in cloud security:

• Blockchain can help to reduce the risk of data breaches. By decentralizing data storage and access control, blockchain makes it more difficult for hackers to steal or tamper with data.

• Blockchain can help to improve compliance. By providing a transparent and auditable record of all activity, blockchain can help organizations to comply with regulations such as GDPR.

• Blockchain can help to reduce costs. By eliminating the need for intermediaries, blockchain can help organizations to save money on cloud security costs.

Overall, blockchain technology has the potential to significantly improve cloud security. As blockchain-based security solutions continue to develop and mature, we can expect to see them adopted by more and more organizations (Gupta, Siddiqui, Alam, & Shuaib, 2019).

References

• Authenticate People, Not Just Devices. (n.d.). Retrieved from Keyless: https://keyless.io/

• Gupta, A., Siddiqui, S. T., Alam, S., & Shuaib, M. (2019). Cloud Computing Security Using Blockchain. Journal of Emerging Technologies and Innovative Research (JETIR), 791-794.

• Siacoin. (n.d.). Retrieved from Coin market Ca[: https://coinmarketcap.com/currencies/siacoin/

• Storj. (n.d.). Retrieved from Storj: https://www.storj.io/

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

As you all know by now, my hunger to learn and immerse myself in all things cybersecurity has been a long and arduous journey. From multitasking doing my Application Support duties while also trying to learn and absorb as much in the security realm as possible was nigh impossible. So with my new position as a SOC Analyst, I am no longer having to split my time and attention, everything that I am, have been, and continue doing, is all working towards making me a more well-rounded cybersecurity professional. I still don’t know what my final form will be, but I will keep going down the rabbit hole and see where I come out.

One initiative that I am working on is becoming more familiar and comfortable with the idea of Threat Hunting. I had previously completed a Cyber Threat Intelligence course from arcX and now as a part of work I was able to attend and fully focus on Cyber Threat Hunting, presented by Chris Benton from Active Countermeasures. 

This week in my Security Architecture and Design course we discussed a concept called an Audit First Methodology.

The Audit First methodology is a risk-based approach to auditing that focuses on identifying and assessing risks early in the audit process. This allows auditors to focus their resources on the areas of highest risk and to develop a more tailored audit approach.  It is implemented via the following steps:

1. Threat Analysis.  The goal of this step is to focus on the threats that are most likely and most dangerous, or a combination of the two.  This allows the organization to prioritize its resources and address the greatest risk first.

2. Audit Controls.  The goal of this step is to create threat audit controls that search for threat activities (also known as threat hunting).  These controls should be tailored to the specific threats that the organization is facing.

3. Forensic Controls.  The goal of this step is to ensure that these controls are properly configured to log the data that is needed to investigate likely threat scenarios first.  Logs that are less likely to be needed in an investigation do not need to be as easily accessible as other logs.

4. Detective Controls.  The goal of this step is to create effective and efficient controls that alert on suspected attacker activity while minimizing false positives and maximizing the probability of detecting attacks.

5. Preventive Controls.  The goal here is to block undesired activities and prevent them from occurring.  While important, organizations should focus more on the other controls.  These controls can be disruptive to the business to implement and operate, and they may not be effective against determined attackers (Donaldson, Siegel, Williams, & Aslam, 2015).

There are numerous benefits to utilizing this methodology, including:

• It allows auditors to focus their resources on the areas of highest risk.

• It helps to ensure that the audit is tailored to the specific needs of the organization.

• It can help to identify and address risks early on before they cause problems.

• It can improve communications between auditors and management (Donaldson, Siegel, Williams, & Aslam, 2015).

The only challenge that I anticipate using the Audit First Methodology is the reluctance to focus more on the other controls versus the preventive controls.  As stated in the textbook, organizations typically put more stock in preventive controls (Donaldson, Siegel, Williams, & Aslam, 2015).  They way around this challenge is to explain the benefits of following the Audit First Methodology while emphasizing the downside of focusing on the preventive controls in a language that the business side of the organization can understand.  Typically, this is done by translating the cybersecurity jargon over to business jargon.

References

• Donaldson, S., Siegel, S., Williams, C. K., & Aslam, A. (2015). Enterprise Cybersecurity. Springer Nature.

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

My first full month is now in the books as a SOC Analyst and I am starting to establish my routine which includes:

• Simply Cyber Daily Threat Brief https://simplycyber.io/streams 

• CompTIA CySA+ study group on Monday, Wednesday, and Friday on the DRJJBMJ Discord server

• Self-guided study in TryHackMe

• CompTIA CySA+ study app https://play.google.com/store/apps/details?id=com.abc.comptiacysa 

• Working the different alerts that come into the queue for the SOC

This week for Blog by CC Weekly, I am continuing with sharing my master’s degree cybersecurity course assignments with you. The class this term is Security Architecture and Design.  First, this blog will discuss some of the challenges and benefits of implementing an enterprise security architecture. Second, we will look at how organizations can overcome some of those challenges.  Third, it will analyze the importance of logical and physical security.  Finally, I give my thoughts and opinions on which are more important. Discover more below:

Challenges and benefits to implementing an enterprise security architecture:

Challenges:

• Lack of communication and coordination: An enterprise security architecture (ESA) requires coordination and communication between different departments and teams within an organization. This can be difficult to achieve, especially in large or complex organizations.

• Lack of understanding of the need for security: Not everyone in an organization may understand the importance of security or may not be willing to take the necessary steps to protect information. This can make it difficult to implement and enforce security measures.

• Cost: Implementing an ESA can be expensive, especially for large organizations. This can be a barrier to adoption, especially in organizations with limited resources.

• Complexity: ESAs can be complex and difficult to implement. This can lead to problems such as implementation delays, errors, and security gaps.

• Change management: Implementing an ESA often requires changes to the way an organization does business. This can be disruptive and difficult to manage.

Benefits:

• Reduced risk: An ESA can help to reduce the risk of a security breach by providing a comprehensive framework for protecting information.

• Improved compliance: An ESA can help organizations to comply with industry regulations and standards.

• Increased efficiency: An ESA can help to improve the efficiency of security operations by providing a centralized view of the security landscape.

• Enhanced visibility: An ESA can help to improve visibility into the security posture of an organization, which can help to identify and address security risks more quickly.

• Improved decision-making: An ESA can provide decision-makers with the information they need to make informed decisions about security.

• Policies and business processes that may help companies overcome their challenges:

• Establish a security governance framework: This framework should define the roles and responsibilities of different stakeholders in the security program, as well as the processes and procedures for managing security risks.

• Develop security policies and procedures: These policies should be aligned with the security governance framework and should define the specific security controls that are required to protect the organization's information assets.

• Implement security controls: This includes deploying security technologies, such as firewalls and intrusion detection systems, as well as implementing security procedures, such as password management and user training.

• Monitor and enforce security controls: This includes regularly reviewing security logs and reports to identify potential security incidents, as well as taking steps to remediate any vulnerabilities that are identified.

• Continuously improve the security program: This includes regularly reviewing the security policies and procedures to ensure that they are still effective, as well as implementing new security controls as needed.

The Importance of logical and physical security:

• Logical security is the protection of digital information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.  Some of the methods used include: 1) user authentication, 2) access control, 3) encryption, 4) firewalls, and 5) intrusion detection systems.

• Physical security refers to the protection of physical assets including buildings, equipment, and data centers from unauthorized access, use, damage, or theft.  Some of the methods utilized include 1) access control, 2) security guards, 3) video surveillance. 4) intrusion detection systems, 5) fire protection.

• Defend why you feel logical or physical security is more important for an organization.

• Neither logical nor physical security are more important than the other.  Logical and physical security are complimentary and should be implemented together to provide a comprehensive security solution.  By protecting both digital and physical assets equally, organizations can reduce the risk of a security breach.

References

• Ghaznavi-Zadeh, R. (2017, July 28). Enterprise Security Architecture - A Top-down Approach. Retrieved from ISACA: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecturea-top-down-approach

• Joint Task Force. (2020, September). Security and Privacy Controls for Information Systems and Organizations. Retrieved from NIST: https://doi.org/10.6028/NIST.SP.800-53r5 

• Melendez, J. C., Luse, A., Townsend, A. M., & Mennecke, B. (2008). Convergence of Physical and Logical Security: A Pre-implementation Checklist. MWAIS 2008 Proceedings, (p. 10).

• Ramani, G. (2015, December 1). Challenges in IMplementing Enterprise-Wide CyberSecurity Strategy. Retrieved from LinkedIn: https://www.linkedin.com/pulse/challenges-implementing-enterprise-wide-cyber-security-ganesan-ramani/ 

• What is Security Architecture, and What do You Need to Know. (2022, February 9). Retrieved from Dig8ital: https://www.dig8ital.com/post/what-is-security-architecture-and-what-do-you-need-to-know 

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

Almost a full month into my new Cybersecurity role as a SOC Analyst and I feel its time to do some slight refocusing and reaffirming of what it is that I am working towards. Previously, the #CyberGrowthAndLearningGrind was 110% focused on gaining the requisite knowledge, experience, certifications, and networking to “break” into cybersecurity. Now that I have arrived what is my new overall goal. Come along with me and check out what’s cooking…. 

For the last week of my Ethical and Human Aspects in Cybersecurity we talked about Technological Convergence.  So, what is it?   Technological convergence is the process by which different technologies merge and evolve into new forms that can fulfill multiple functions. This means that devices and applications that were once separate and distinct are now becoming more integrated and interconnected (McGuigan, 2023).  For example, the smartphone is a prime example of technological convergence. It combines the functions of a phone, a computer, a camera, a music player, and more into a single device. This makes it more convenient for users to access all their favorite content and services from one place.

There are numerous potential social and ethical concerns that can arise due to technological convergence.  They include:

• Privacy: As more and more devices become interconnected, they collect and store more and more data about us. This data can be used to track our movements, monitor our activities, and even predict our behavior. This raises concerns about our privacy and the potential for this data to be used for malicious purposes.

• Security: The interconnectedness of devices also makes them more vulnerable to cyberattacks. If one device is hacked, it could potentially compromise the security of all the devices that are connected to it. This could lead to the theft of personal data, financial information, or even intellectual property.

• Employment: Technological convergence is leading to the automation of many jobs. This could lead to widespread unemployment, as machines take over the tasks that are currently performed by humans. This could have a significant impact on the economy and society.

• Inequality: The benefits of technological convergence are not being evenly distributed. Those who have access to the latest technologies are likely to benefit the most, while those who do not have access may be left behind. This could lead to increased inequality and social unrest.

• Bias: Technological systems are often biased, reflecting the biases of the people who create them. This could lead to discrimination against certain groups of people, such as those based on race, gender, or sexual orientation.

• Environmental impact: The production and use of technology has a significant environmental impact. This includes the emission of greenhouse gases, the depletion of natural resources, and the generation of waste. Technological convergence could exacerbate these problems (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).

Technological convergence can jeopardize a company's code of conduct in several ways, including:

• Data collection and privacy: As more and more devices become interconnected, they collect and store more and more data about us. This data can be used to track our movements, monitor our activities, and even predict our behavior. This raises concerns about our privacy and the potential for this data to be used for malicious purposes. For example, a company might use data collected from its employees' smartwatches to track their movements and productivity. This could violate the company's code of conduct, which might promise to respect employee privacy.

• Security: The interconnectedness of devices also makes them more vulnerable to cyberattacks. If one device is hacked, it could potentially compromise the security of all the devices that are connected to it. This could lead to the theft of personal data, financial information, or even intellectual property. For example, a company might be hacked if its employees' laptops are infected with malware. This could lead to the theft of confidential company information.

• Ethical use of technology: Technological convergence can also raise ethical concerns about the use of technology. For example, a company might use facial recognition technology to track its employees' movements. This could be seen as an invasion of privacy and a violation of the company's code of conduct.

• Discrimination: Technological systems are often biased, reflecting the biases of the people who create them. This could lead to discrimination against certain groups of people, such as those based on race, gender, or sexual orientation. For example, a company might use a facial recognition system that is biased against people of color. This could lead to the company discriminating against these people in its hiring practices (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).

It is important for companies to be aware of the potential ethical and legal implications of technological convergence and to take steps to mitigate these risks. This includes updating their codes of conduct to reflect the challenges posed by new technologies.

Here are some specific things that companies can do to mitigate the risks of technological convergence:

• Be transparent about data collection and use: Companies should be transparent about the data they collect from their employees and customers, and how they use this data. This can help to build trust and avoid violating privacy expectations.

• Implement strong security measures: Companies should implement strong security measures to protect their data from unauthorized access. This includes using encryption, firewalls, and other security technologies.

• Educate employees about ethical use of technology: Companies should educate their employees about the ethical use of technology. This includes training them on how to use technology responsibly and how to avoid violating company policies.

• Monitor for bias: Companies should monitor their technology systems for bias. This can help to identify and address any potential discrimination issues.

By taking these steps, companies can help to mitigate the risks of technological convergence and protect their employees, customers, and data (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).

References

• McGuigan, B. (2023, August 10). What is Technological Convergence. Retrieved from Easy Tech Junkie: https://www.easytechjunkie.com/what-is-technological-convergence.htm#google_vignette 

• Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues. (2019, May 30). Retrieved from Every CRS Report: https://www.everycrsreport.com/reports/R45746.html#:~:text=Technological%20convergence%20poses%20three%20potential,security%2C%20and%20theft%20of%20data 

My first week of being in my new role as a SOC Analyst is officially in the books! What are my takeaways and areas I want to improve upon for the upcoming week? Let's start with the takeaways I am able to share with the community. There are a number of tools that are used within cybersecurity roles that are available to learn on or about. The broad picture is that as a SOC Analyst you need to familiarize yourself with:

• SIEM’s

• XQL (Various Query Languages)

• EDR (what does it do, capabilities, options from vendors)

• Email Analysis (know the basics of TCP/IP communication and packet structure)

• Resources that can make your job more effective/work more efficiently

• Staying up-to-date on the latest stories/vulnerabilities in the industry

First, SIEM which stands for Security Information and Event Management, can be used to aggregate logs from various endpoints and systems, this give you a Macro view or "Big Picture" of the cybersecurity threat landscape. They are customizable and can be tailored to the needs of your business. There are several tools with varying features to select from, here is a list of some in the market:

• SolarWinds Security Event Manager

• Micro Focus ArcSight ESM

• Splunk Enterprise Security

• LogRhythm NextGen SIEM

• IBM QRadar

• AlienVault Unified Security Management

• Sumo Logic

• Lima Charlie

• Elk Stack

• Wazuh 

Last week in my Ethics and Human Aspects of Cybersecurity class, the topic of cybersecurity in the global economy came up. Specifically, if it is possible. Below is more of my take on this topic.

In 2023, the concept of an individual country's economy is no longer. Anything that affects one country’s economy affects the economies of other countries. We truly have a global economy. Now, when I talk about anything, I mean absolutely anything. It could be something as innocent as weather to something more malicious such as a cyber-attack. An example of a cyber-attack that has the potential to affect the global economy is the Stuxnet Worm.

What is the Stuxnet Worm? This little piece of malware was created in 2010 with the purpose of attacking Industrial Control Systems (ICS) (Mueller & Yadegari, 2012). For anyone that does not know, an ICS is used in sectors such as “manufacturing, transportation, energy, and water treatment” (Industrial Control System, n.d.).

Now, since those sectors mentioned above are used all over the world the potential impact on the global economy is going to be huge. Let us look at the energy sector as an example. Energy is one thing that is not only needed, but also has an almost immediately affects the global economy when there are changes and right now, we get that energy from oil. Just a simple change in production output by Saudi Arabia can cause energy prices to fluctuate, which causes the prices of other products to fluctuate around the world.

What can be done against countries that either actively engage or sponsor people that engage in cyberespionage and launch cyber-attacks? Well, the main tactic that is used are financial sanctions. The theory is that limiting the amount of business that can be conducted thus hitting them in the wallet so to speak should deter someone from engaging in criminal activity. Based on events over the past three years, I am not a fan of it. Perhaps if it is done swiftly and comprehensively it may have the desired effect, but I am not so sure.

There is another tactic that can be used to deter cyber-attacks called “hacking back”, sometimes referred to as “active cyber defense.” However, these two terms are completely different. Techniques and tactics normally associated with active cyber defense include things like utilizing honeypots to study and gain information about cyber-attackers. It also includes scanning your network / looking through logs trying to find Indicators of Compromise (IoC’s).

Hacking back is just as it sounds. A victim of a cyber-attack, attacking the attacker. This is not recommended as it is illegal under 18 U.S. Code Section 1030 Fraud and Related Activity in Connection with computers. This is also known as the Computer Fraud and Abuse Act (CFAA) (18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers, n.d.).

The Russian invasion of Ukraine has brought up an interesting dilemma. That dilemma is if it is acceptable for countries engaged in a conventional war to also engage in cyberespionage. After reading the ACM, the answer to that is a resounding no. The reason for that is in section 1, point 1.2 stipulates that practitioners should avoid causing harm (ACM Code of Ethics Booklet, 2018).

Finally, there is the question of cybersecurity being possible in a global economy. According to ISACA there are eight requirements that every country would need to adopt for cybersecurity. They include: 1) adopting a security by design model, 2) teach cybersecurity awareness to everyone, 3) follow applicable cyber laws, 4) participate in international cooperation, 5) establish and maintain an acceptable level of cybersecurity practitioners, 6) create strong deterrence mechanisms, 7) follow NIST frameworks, and 8) emphasize internet freedom (Ramachandran, 2019). Until these eight requirements are completed, true cybersecurity cannot be achieved in a global economy. The best we can hope for is cyber resiliency.

References

• 18 U.S. Code § 1030 - Fraud and related activity in connection with computers https://www.law.cornell.edu/uscode/text/18/1030 0

• ACM Code of Ethics Booklet. (2018). Retrieved from ACM: https://www.acm.org/binaries/content/assets/about/acm-code-of-ethics-booklet.pdf 

• Mueller, P., & Yadegari, B. (2012). The Stuxnet Worm. Retrieved from University of Arizona: https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/topic9-final/report.pdf 

• Ramachandran, R. (2019, January 23). Cybersecurity and its Critical Role in Global Economy. Retrieved from ISACA:  https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2019/cybersecurity-and-its-critical-role-in-global-economy 

Where to begin? This is my first time ever having time off when moving between jobs, and this time has afforded me some insight and an opportunity to do some mental recalibration. How do I identify or define this concept?

I first need to establish a baseline reading, as I have shared before in previous posts and blogs. My journey before IT and Cybersecurity was one fraught with long hours, no true stable shift, and a constant stream of stressors piling up. I never considered myself a workaholic, but looking back I can definitely see that I was leaning more towards that side of the spectrum. I have experienced a hard time separating that side of life from my growing family and the subsequent duties associated with it.  I never “take a vacation”- especially without something planned and an obligation to show up and/or participate. This was made evident whenever I switched jobs. I would always lose “Sick Time,” and not just a little bit, months of it. 

As I continue my journey of achieving my master’s degree in Cybersecurity at ECPI, I am now learning about ethics and the human aspects in cybersecurity. The topic of ethics comes up quite a bit in the cybersecurity industry. So, what exactly is ethics. According to the Merriam-Webster dictionary, ethics is a “set of moral principals” (Ethics, n.d.). Basically, this is what guides our behavior as human beings. Every industry has their own code of ethics that guides the behavior of that industry’s practitioners. Two that are important to cybersecurity are the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers Computer Society (IEEE-CS).

I will be looking at the ACM Code of Ethics in this blog. This is a guideline that encourages practitioners to act in an honest and responsible manner. It basically forms a foundation on how to how to act in pretty much any situation. The reason for that is the type of information that our organizations handle, which could be argued is more valuable than money.

Now, the ACM Code of Ethics is broken down into four categories. They are as follows:

1) General Ethical Principles,2) Professional Responsibilities, 3) Professional Leadership Principles, 4) Compliance with the Code (ACM Code of Ethics and Professional conduct, n.d.).

General Ethical Principles. This section is split up into seven7 subsections. Each subsection emphasizes a different trait that practitioners should strive to live up to both personally and professionally. A few of the subsections include 1) be a productive member of society, 2) avoid creating harm, 3) be honest and trustworthy and so on (ACM Code of Ethics and Professional conduct, n.d.).

Professional Responsibilities. This section is split up into nine subsections. Each of these subsections emphasizes a different trait that practitioners should strive to live up to on a professional level. A few of the subsections include 1) produce high quality work, 2) Maintain high standards of professional competence, conduct and ethical practice, 3) know and respect existing rules pertaining to professional work and so on (ACM Code of Ethics and Professional conduct, n.d.).

Professional Leadership Responsibilities. This section is split up into seven subsections. Each of these subsections emphasizes a different trait that leaders should strive to live up to on a professional level. A few of the subsections include 1) Put the public good first and foremost, 2) encourage fulfillment of social responsibilities by employees, 3) Manage personnel and resources to enhance the quality of working life and so on (ACM Code of Ethics and Professional conduct, n.d.).

Compliance with the Code. There are only two subsections here. These subsections emphasize the importance of the Code of Ethics. The first subsection encourages practitioners to uphold, promote, and respect the principles of the code. The second subsection encourages practitioners to treat violations of the code as inconsistent with membership in the ACM (ACM Code of Ethics and Professional conduct, n.d.)

References

• 18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from Cornell Law School:  https://www.law.cornell.edu/uscode/text/18/1030 

• The Code affirms an obligation of computing professionals to use their skills for the benefit of society. https://www.acm.org/code-of-ethics

• Ethics. (n.d.). Retrieved from Merrian-Webster: Definition of ETHIC: https://www.merriam-webster.com/dictionary/ethic 

This is a cathartic moment for me as I announce that the long journey to breaking into Cybersecurity has finally come to an end. I officially have accepted a job offer to be a SOC Analyst for One Source Communications. I just want to give them a shout out for taking the chance on me and also giving me the opportunity to start my cybersecurity career and continue blogging for Team CC and potentially them as well. This is a momentous occasion and I appreciate all the support I have received from the community.

It is time for a little videogame reference here, If you are familiar with FPS (First Person Shooters) or RPG’s (Role Playing Games) you have probably heard the term/phrase, “checking/changing my loadout.” As I am getting more experience with the interview process and the job market in general, I find this to be true IRL (In Real Life). Whether we are preparing for a quiz, test, interview, or a presentation we need to take stock of what we are equipped with or carrying in our inventories, we will call it our “bag”. The hill that seems to be my biggest obstacle is specific knowledge based on… you guessed it experience. I have always tried to make sure I am equipped to deal with most situations that I come across whether that is dealing with personal matters, preparing for school, or preparing for interviews but like many things in life, "Jack-of-all-trades but master of none" might only get us so far.

This has been a whirlwind of a past week or so and it all started from a setback that I shared about my “CAARRRLLL” moment getting scammed through Instacart. Just as a recap and not a downward spiral that I can sometimes find myself in:

• Still applying (getting rejected) to positions in Cybersecurity

• Had me account compromised in Instacart

• Trying to make ends meet, working in the gig economy while offsetting cost to participate in these apps (Uber, Instacart)

• Had to sell my videogame collection (my stress outlet for many years) to make some ends meet

• Take responsibility for the actions that led to this point, whether they were in my control or not

Living in America comes with numerous rights as laid out in the Constitution. One of those rights is covered by the Fourth Amendment and states “the right of the people" to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” (Constitution of the United States: Fourth Amendment, n.d.). This is basically our right to privacy. So, what do I suggest this means? The government is prohibited from searching us and taking our property without a good reason.

When the constitution was written, the technology we have today did not exist. So, this begs the question as to how that technology impacts our right to privacy. Perhaps this is not the right question to be asking. Perhaps the question that we should be asking is, is there a way to adapt the Fourth Amendment so that the technology we have today is included in its protections. The reason I say that is because as I said earlier, the technology we have today did not exist when the Fourth Amendment was written. Let’s look at what was around at that time. Specifically houses, papers, and effects (property). That means the original meaning behind the Fourth Amendment is that the government cannot search a person’s house and take papers or property just because they want to (Brenner, 2005).

So, taking the original meaning into consideration, that would mean that the means of communications that we have today (telephone, email, instant messaging, online communications, etc.) would all be fair game to being searched and taken by the government for any reason. That is because the Fourth Amendment is the basis for property law and what is needed is additional legislation that covers the technology we have today. This is where legislation such as wiretapping laws come into play. What this basically does is provides the Fourth Amendment protections to the technology we have today (Kerr, 2003).

Now, I am all in favor of the Fourth Amendment and any legislation that is associated with it and as such I do not believe the government has an obligation to monitor all internet traffic.

I need to mention the Patriot Act which was enacted after the attack on 11 September 2001. The basic premise of the Patriot Act was to expand the governments’ ability to conduct searches on U.S. citizens with little to no evidence to warrant it. The problem is that some sections reduce the protections of the Fourth Amendment while other sections outright violate it (Surveillance Under the USA/Patriot Act, 2001).

Here is the thing, everyone-I understand why the Patriot Act was pushed through. It was pushed through to prevent another terrorist attack. The problem with it is we have lost our right to privacy for something that does not work. Let me explain my personal observation and opinion further. I don’t know about anyone else, but I would consider all the mass shootings we have had just in 2023 alone to be terrorist attacks.

With all of these attacks, the people committing them posted plans online beforehand and the government knew nothing about it. It was not until after the attack that their online presence was investigated, and the evidence found. Why are we losing our Fourth Amendment right to privacy when we are no more protected than before?

References

• Brenner, S. W. (2005). The Fourth Amendment in an Era of Ubiquitous Technology. Mississippi Law Journal, 75.

• Constitution of the United States: Fourth Amendment. (n.d.). Retrieved from Congress: https://constitution.congress.gov/constitution/amendment-4/

• Kerr, O. S. (2003). The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution. Michigan Law Journal, 801-839.

• Surveillance Under the USA/Patriot Act. (2001, October 23). Retrieved from ACLU https://www.aclu.org/documents/surveillance-under-usapatriot-act 

No matter where we look, we are bound to see an IoT device. So, what exactly is an IoT device? Basically, an IoT device is a device that has sensors, processors, software, and network capability implanted inside them. Some examples include smart home devices (smart thermostats and smart appliances), smart watches, and even self-driving vehicles and Industrial Control Systems (ICS) (Stair & Reynolds, 2020).

Now, while IoT devices were designed to make life easier, they are inherently vulnerable to attack. The reason for that is in their design as they are designed to be pulled out of the box and easily connected to a network via a default username and default password. The reason for this is ease of use, not security.

An example of just how vulnerable IoT devices is and what a threat actor can accomplish with them is the Mirai Botnet attack. The premise of this attack is that in late 2016 several high-profile targets were hit with a Distributed Denial-Denial-of-Service (DDoS) attack. The source of this attack was approximately 600,000 of IoT devices that had been compromised and became a botnet called Mirai. This botnet initially started in August of 2016 and ran until late February 2017 when the threat actor was identified and arrested. The malware used to compromise these devices utilized rapid scanning to find a potential target and once found it immediately started brute-forcing the username and passwords via port 23 (telnet). Once compromised, they sat and waited for the threat actor to issue the commands to start the DDoS attack (Antonakakis, et al., 2017).

What is interesting about this incident is how the threat actor was identified and subsequently arrested. The successful attribution was due to analysis of data gathered through honeypots and DNS data. In addition to that the original source code was published online by the threat actor. So, while this was helpful in leading to attribution, it also paved the way for other threat actors to create their own botnets and add to the ongoing incident (Antonakakis, et al., 2017). The fact that the Mirai Botnet was shut down in five months speaks volumes of the amount of time and effort that went in to fighting this attack.

So, the question that needs to be answered is how we prevent this type of attack in the future. The United States government takes securing IoT devices so seriously that they are included in the 2023 National Cybersecurity Strategy that was published in March 2023. The main strategy mentioned here is the use of labeling. It would be like the labels on food products but instead of providing the ingredients, these labels would provide what security controls an individual device is using. This would allow organizations and private citizens to easily compare multiple devices and choose the one that works best (Biden, 2023).

Also, The Cybersecurity and Infrastructure Security Agency (CISA) has some basic tips that everyone can follow. 1) Change default login credentials (username and password). 2) Keep devices patched and updated. 3) Adjust the devices security settings. The goal is to have enough security but still maintain usability. 4) Decide if the device needs a constant connection to the internet. If it does, then consider placing it on its own network segment (Securing the Internet of Things (IoT), 2021).

References

• Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., & Zhou, Y. (2017). Understanding the Mirai Botnet. Security Symposium, pp. 1093-1110.

• Biden, P. (2023). National Cybersecurity Strategy. p. 20.

• Securing the Internet of Things (IoT). (2021, February 01). Retrieved from CISA: https://www.cisa.gov/news-events/news/securing-internet-things-iot 

• Stair, R., & Reynolds, G. (2020). Principle of Information Systems (14th ed.). Cengage Learning US.

So, starting this week off was an opportunity for me to gain knowledge and a new certification upon completion with my acceptance of the GEER Scholarship, enrollment, and first day in the CompTIA CySA+ course being taught through Fayetteville Technical Community College. After finally getting access to my school email and eBooks, I participated in Alyson Van Stone’s Mentorship Monday group. Due to Monday being Juneteenth, and some other unforeseen circumstances, our numbers were quite cozy so just about everyone had a chance to speak, introduce themselves, and ask/answer questions. As part of the meeting there are several questions that are asked just so that participants can become familiar with each other and hopefully spark conversation. The question that I feel gives me the most problems is whether I am a mentor or mentee, depending on the moment I could be both, either, or none.

After making my post about starting class and updating my LinkedIn profile, there were the normal congratulatory messages but then I had a few that were asking for my insight, opinion, and guidance. My Imposter syndrome lizard brain automatically wanted  to say, “you got the wrong guy…. I don’t know that much on {fill in the blank}” and you know the rest of the self doubt conversation that is had by many. Then something made me stop typing and really think about what was happening and what I could and would be able to tell someone who reached out and saw me as a “mentor” or guide. I am usually introverted but being on LinkedIn and writing my blogs for Cybersecurity Central have given me lots of practice not just being the stoic quiet type. I cant even imagine less than a year ago that I would be having conversations with “strangers” about how the cybersecurity industry works, how to advance my knowledge, and a myriad of other conversations I have had.

What I did know was how to take advantage of teachable moments, coming from my background with substance use education and many (many) years working in the Juvenile Detention Center helped me hone my skills on what I used to tell the “kids” were come to Jesus meetings, or just choppin it up. I found that once I took myself out of the position of being an “expert” or “authority” I was able to have real and meaningful conversations with the juveniles, coworkers, or the occasional care givers who would bring their youngins to the door for me to scare straight. 

Out of all three elements of the CIA triad, two are questioned after every election. They are integrity and availability. Now, out of those two, integrity gets the most publicity. So, why the disparity between these three elements. Well, integrity is the most important as it is imperative that the American people perceive that the vote they cast has not changed before it is counted (ELECTION INFRASTRUCTURE CYBER RISK ASSESSMENT, 2020). Now, availability comes in second because while it is important for all eligible citizens to vote, when there is a problem (usually mechanical), there are options that can be used to ensure everyone can vote. Finally, confidentiality is last.

So, how did we get to this point? Well, we need to look back at the Help America Vote Act that was signed into law in 2002. While this law came from the federal government, it leaves the decision making up to the individual states as it only set minimum guidelines for what the states could do. Because of this, many states have decided not to update their voting equipment. Specifically, “as of 2016 43 states were using equipment that was 10 years old or older” (King & Michael, 2016).

Why mention that? The reason is because the technology is always changing. First there were only paper ballots, now we can not only electronically vote, but we also can have our paper ballots scanned by a machine. Next on the horizon will be the ability to vote online.

Now, online voting while convenient only makes the integrity more important as with the current technology it would be ripe for cyber-attacks and other fraud related issues. One question that get raised during every Presidential election is that of foreign interference. This would be more prevalent with online voting as virtually anyone anywhere could initiate an attack that could affect both the availability and integrity of the election. Multiple studies on this subject have been conducted by numerous groups of computer experts and the consensus is that a lot of work needs to be done to ensure the availability and integrity of the system before it is implemented (Von Spakovsky, 2015).

References

• ELECTION INFRASTRUCTURE CYBER RISK ASSESSMENT. (2020, July 28). Retrieved from http://CISA.gov : https://www.cisa.gov/sites/default/files/publications/cisa-election-infrastructure-cyber-risk-assessment_508.pdf 

• King, C., & Michael, T. (2016). Security of Electronic Voting in the United States. The CIP Report.

• Von Spakovsky, H. (2015). The Dangers of Internet Voting. The Heritage Foundation.

On my “accomplishments” for the day have taken their toll on my mental state. Normally, I can get the drive home to decompress some or just let my thoughts drift away andAs the days and weeks have been slipping by, I am reminded of how precious and fleeting time is.  We all understand on the most basic of levels that time is: Money, Fast & Slow moving, Precious, In Short Supply when you need it, and over abundant when you need something expedited. I have gotten some not so subtle reminders in my life recently about usage of time and then fitting work and life into an allotted time slot.

I made the decision to work from home the beginning of this week due to a plethora of “life” happenings:

• Kids are out of school, but my wife and I are not, she will be finishing up administrative duties at her school this week but I don’t work on a school schedule so you know how that goes.

• Kids started coughing, sniffling, complaining of sore throats, spiking fevers; all the joys of getting sick. Luckily its not Strep and likely just a virus (Yay!?!)

Having to balance my work schedule with also making sure that my kids aren’t at each other’s throats, not on a screen all day, and having to keep my supervisor updated on my “accomplishments” for the day have taken their toll on my mental state. Normally, I can get the drive home to decompress some or just let my thoughts drift away and not bring any stressors from work home but removing that time was definitely felt the past few days  not bring any stressors from work home but removing that time was definitely felt the past few days. 

Cybersecurity is a constantly evolving field, and it is important for organizations to stay up-to-date on the latest threats and trends. One way to do this is to conduct research and documentation.

Purpose of Academic Research

Academic research is the process of gathering information, analyzing it, and drawing conclusions. It can be used to gain new knowledge, improve understanding, and develop new solutions.

In the field of cybersecurity, academic research can be used to:

• Identify new threats and vulnerabilities

• Develop new security measures

• Improve understanding of how cyberattacks work

• Test the effectiveness of security solutions

Relevance to Cybersecurity

Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.

Research and documentation can also help organizations to improve their incident response capabilities. By understanding how cyberattacks work, organizations can develop plans to respond to incidents more effectively.

Definition of "Scholarly" Articles

When conducting research it is critical to use scholarly information. Information from things like blog sites and Wikipedia scholarly information. A scholarly article is a research paper that has been published in a peer-reviewed journal. Peer-review is a process in which experts in the field review the paper and provide feedback before it is published.

Scholarly articles are an important source of information for cybersecurity professionals. They provide up-to-date information on the latest threats and trends, and they can help professionals to develop and implement effective security measures.

Cybersecurity Example

A recent study by the Journal of Medicine found that hospitals are at high risk of cyberattacks. The study found that the complexity of hospital networks makes them easy targets for attackers. The study also found that two factors that correlate to the amount of risk a hospital has to being attacked are network complexity and internal stakeholders.

The study's findings highlight the importance of research and documentation in cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.

Conclusion

Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack. There are many resources available online and in libraries. You can also find a wealth of information by attending conferences and workshops. By staying up-to-date on the latest threats and trends, you can help to protect your organization from cyberattacks.

References

• Carcary, M. (2021, February 23). The Research Audit Trail: Methodological Guidance for Application in Practice. Electronic Journal of Business Research Methods.

• Jalali, M. S., & Kaiser, J. P. (2018, May 28). Cybersecurity in Hospitals: A Systemic, Organizational Perspective. Journal of Medicine.

• Morganelli, M. (2023, April 10). What is a Scholarly Source. Retrieved from SNHU: What is a Scholarly Source?

• Scholar. (n.d.). Retrieved from Merriam Webster: Definition of SCHOLAR

I never thought 2023 would be such a fast and busy year for me. It has officially been 6 months since I entered the field of Information Technology! it has been such an endless learning experience on the job and it makes me excited for what’s next.

Because it’s been such a huge change in routine for me, my mind was craving for more professional development but it was difficult to find time with how demanding personal and work responsibilities could be. Although, I was glad to have booked off one of the weekends in May to learn some Microsoft Azure Fundamentals, which is something I would love to share more about in a future post!

But for this week, I’m choosing to ease myself in and absorb everything I’ve learned in the past 6 months. I do apologize that I have been quite MIA for the past few weeks. Not only am I easing into a fairly new career path, I’ve also been planning and preparing for a new chapter in life that I may or may not share in another future post, we shall see!

Life has its ways of surprising you. And when it does, you take what you get and mold it into something beautiful. I’ll see you at the next post and hope to share more about what I’ve been learning (tech and non-tech related).

Let’s stay connected on socials: https://www.LinkedIn.com/in/eulac-lipro

It feels like its been forever since I wrote my last blog post, I was inundated with studying, studying, worrying, posting for @Josh Mason’s #30daysjobchallenge, studying and passing my Security + exam. Just want to thank everyone for their support and positive energy that helped me push through.

Now that the Sec+ is under my belt, I am trying to plan out my next move(s). First was to get the certification to make myself more marketable for HR and the ATS, Im still fighting that battle as we speak. I did my comparison on the different A.I. platforms (ChatGPT, Bard) to see which one made better changes/updates to my resume. I have had some help previously trying to fine tune my resume, and so far 2 days into my poll the numbers look like this:

QR codes are everywhere, and they are here to stay. They show up on TV during daytime talk shows. They show up during televised sporting events. They are used in restaurants to access menus. They are used to pay for parking in some cities. They are even used to set up MFA. I recently had to use one to Add ECPI to a Block Cert wallet so they can send me a digital copy of my degree. It is futile to attempt to avoid using them at some point. Now, there are risks associated with QR codes as criminals can create fake malicious sites to get money, or personal information. So, how do we stay safe when using them?

Great question! Here are some tips to help you stay safe when using QR codes:

1. Only scan QR codes from trusted sources. If you see a QR code in a public place, such as on a poster or flyer, be careful before scanning it. It could be linked to a malicious website or app. Only scan QR codes from sources that you trust, such as businesses or organizations that you know.

2. Check the URL before scanning. When you scan a QR code, your phone will show you the URL of the website or app that it is linked to. Take a moment to check the URL before you click on it. If the URL looks suspicious, don't click on it.

3. Use a security app. There are numerous security apps available that can help you scan QR codes safely. These apps can scan QR codes for malicious content and warn you if they find anything suspicious. One of those is the “QR Scanner” from Trend Micro. It not only blocks dangerous sites that are associated with the QR code, but it also alerts the user of the danger.

4. Be aware of phishing scams. Phishing scams are a common way for hackers to steal personal information. In a phishing scam, the hacker will send you a message that looks like it is from a legitimate company. The message will ask you to click on a link or enter your personal information. If you receive a message from a company that you do business with, don't click on any links in the message. Instead, go to the company's website directly and log in there.

By following these tips, you can help to protect yourself from the risks associated with using QR codes.

Additional tips:

• If you are using a public Wi-Fi network, be especially careful when scanning QR codes. Hackers can use public Wi-Fi networks to intercept your traffic and steal your personal information.

• Keep your phone's operating system and security software up to date. This will help to protect your phone from known vulnerabilities.

• Be aware of the risks associated with scanning QR codes from unknown sources. If you are not sure whether a QR code is safe, do not click on it.

As you read this blog, I hope you are having a great day. I know many of us are consumed. At the very least, attempt to find some joy within your busy week, get outside, and remember to come up for air! 

Events can take up a lot of time, but they are important to help us stay in-the-know on what is developing in the cybersecurity industry. They also provide us with insights and learnings from professionals in our field who are tapping into what is working, and what is not. We learn about new technology and discover new trainings, programs, and resources. 

I feel attending events is SO important, I created #ThisWeekinCybersecurity to help others keep track of the exciting, engaging, and FREE virtual industry events. (Yes, I missed it this week... hence this blog). Why the focus on virtual?

1. Virtual makes events available to attend regardless of your location

2. Most virtual events can be consumed at any time, making them convenient for your schedule. 

Now, time for some upcoming #cybersecurity events:

I happen to work for this company, but that doesn't impact my decision to share! USCG is an amazing program I am happy to be a part of. PlayCyber by Katzcy is excited to present the US Cyber Games Season III Open Kick-Off Event on June 1, 2023 via live stream. Register here to be sure to save your space and check your emails for the details prior to the event. Help to Spread the Word on socials with your network: https://www.uscybergames.com/spread-the-word 

Another event I am ecstatic about is the SimplyCyberCon, coming November 8, 2023! It will be an extraordinary event, filled with tons of valuable information and knowledge sharing from the #SimplyCyber community. #SimplyCyberCon is in its inaugural year and we hope to "see" you there, virtually! With a new speaker track and another for seasoned infosec pros, plus workshops, this event will offer something for everyone. Plus, Simply Cyber and Gerald Auger, PhD are all about the community, anticipate there will be tons of fun sprinkled into this event. When registering for your virtual ticket, you may donate any amount to go towards the prizes and giveaways at the con. Learn more and sign up to receive notifications when updates are available! https://simplycybercon.org 

• Bonus: If you don't know the Simply Cyber community yet, come join us every weekday morning at https://simplycyber.io/streams for the Daily Cyber Threat Brief. Promise, it is not only fun and engaging, but it is jam-packed with headlines and advice on how to tackle some of the biggest issues facing the #InfoSec community today. 

Well, there you have it! A few events you MUST make time for on your calendar. Plus, they are FREE and virtual, so you have no excuse. 

Take care and enjoy your week, everyone! And it would be AWESOME if you followed #BlogbyCC on LinkedIn! Thanks!

This isn’t a very technical blog for this week, but some self-reflection based around the current job market and my journey into cybersecurity. So I have found myself being very pessimistic about the prospects of making the pivot into cybersecurity or a better paying job in general.

My #CyberGrowthAndLearningGrind has been on going and ramping up in intensity as I make the push to break into cybersecurity, I have been putting in a lot of work on myself to become well rounded and try to show that I am an asset worthy of the opportunity to potential employers. I have spoken on my situation in previous blog posts and it hasn’t gotten any better for me financially and of course that takes a mental toll not to mention the constant rejection emails from jobs that I have applied to. I have worked in and around the mental health field and know how I usually react to these types of situations and diagnosis aside imposter syndrome keeps rearing its ugly head.

I know what I am capable of and what I bring to every workplace, and it baffles me that:

1. Entry-level IT positions pay the amount that they do especially considering what they end up entailing.

2. Working in a similar position doesn’t necessarily “make you a fit” for another company asking you to do the same thing.

3. The job market is filled with so much new and proven talent and layoffs keep adding to this pool, but there is still a shortage of “talent” in the field

4. I feel guilty pushing for a job for myself knowing that there are others in worse situations seeking positions as well. 

Ever We all know that backing up our organizations data is critical to being able to recover from a disaster or incident. Now, there are numerous methods that can be used to accomplish data backup. They include external hard drives, USB drives, optical media (cd’s or dvd’s, cloud storage, and finally Network Attached Storage (NAS). The Network Attached Storage (NAS) is going to be the focus of this blog.

So, what is a NAS? Basically, it is a dedicated file storage system that is attached to a network. One concept that is associated with a NAS is RAID (Redundant Array of Independent Disks). Some of you might be wondering what RAID and that is a good question. A RAID is a data storage virtualization technology that combines multiple physical disks into one or more logical units. Now, the reason this is done is for redundancy.

When using RAID, there are several configurations that can be utilized. They all have pros and cons that need to be considered to ensure the most appropriate configuration is used. Those configurations are discussed below.

Raid 0 – With this configuration the data is split up and written (striped) among all the disks.

· Advantages – an increase in the number of drives equals better performance. Good for applications that need high throughput.

· Disadvantages – No redundancy

Raid 1 – With this configuration, even number of disks are utilized, and the same data is written to all disks (mirroring).

· Advantages – provides redundancy.

· Disadvantages – costly

Raid 3 – With this configuration the written to every drive except one and uses parity for error correction. The last drive is used for parity, which is a way to protect the data from a drive failure without the added cost of mirroring.

· Advantages – Good performance for applications that need large sequential data access.

· Disadvantages – Requires 1.25 times the size of the data disks. Rarely used.

Raid 4 – Same as Raid 3 except striping is done at block level versus at the byte level (Raid 3).

· Advantages – can write to a single disk without rewriting an entire stripe.

· Disadvantages – Write performance suffers due to single parity drive.

Raid 5 – With this configuration, the drives utilize striping and are also able to be independently written to.

· Advantages – there is no dedicated parity drive. Parity info is evenly split among all drives in the array. Error correction is available. Since all blocks of data are written at the same time there is improved read/write times. Can survive one disk failure.

· Disadvantages – none to speak of

Raid 6 – This configuration is like Raid 5 except for an additional parity element.

· Advantages – able to survive two drive failures.

· Disadvantages – Requires a minimum of four disks. Since there are two parity elements, rebuilding the failed drives will take longer (Services, EMC E, 2005)

References

Services, EMC E. Information Storage and Management: Storing, Managing, and Protecting Digital Information in Classic, Virtualized, and Cloud Environments. Available from: ECPI, (2nd Edition). Wiley Professional Development (P&T), 2005.

Working in IT has been great these past few months. Everyday, I get to learn different parts of the operation. From doing onboarding/offboarding tasks such as setting up laptops and managing mobile devices to diving deep into the administration side of IT, I’m fortunate to be exposed to all kinds of different issues that allows me to exercise my problem solving skills. As I continue to ease into the environment and defining my role, I also think about the improvements that we can implement into our environment.

You might not realize this. Everyday you are practicing Cybersecurity. It is not confined to one role. Whether you’re working in the cybersecurity sector or just starting out your IT career, everyone has a part in keeping their environment secured – leading by example, using a password manager, creating complex passwords, keeping a clean desk space, running Windows updates consistently, the list goes on. Most issues we encounter can be prevented through user education. Get your users on board with best security practices. Keep them informed on rising trends. Take every opportunity to implement security at your work place because the worst thing that can happen is shutting down a business by a click of a button that can be prevented. A great place to start talking about security at work is through security awareness training.

Check out these resources to learn more about security awareness:

• Infosec: Security Awareness -- Definition, History, and Types | Infosec Resources https://resources.infosecinstitute.com/topic/security-awareness-definition-history-types/

• Amazon Security Awareness Training: https://learnsecurity.amazon.com/en/index.html

• BC Government: https://www2.gov.bc.ca/gov/content/governments/services-for-government/information-management-technology/information-security/defensible-security/security-embedding-dna-controls/security-awareness-program

• Mimecast: What is Security Awareness Training &  Why is it Important? 

• SANS: Security Awareness Training | SANS Security Awareness 

• CybSafe: 7 reasons why security awareness training is important in 2023

• Microsoft: Cybersecurity Awareness – Microsoft Security

Let’s stay connected on socials: https://www.LinkedIn.com/in/eulac-lipro

So, where to begin? As I have stated in recent LinkedIn posts and #BlogbyCC, I have been studying for the CompTIA Security + exam and scheduled to take it on May 25th. In general I feel prepared but to help quiet my imposter syndrome, I scheduled the exam far enough out to get in some good “cramming” and polishing of my knowledge. I then came to the realization that certain areas on the exam I had more difficulty recalling (general disdain) and the main culprit and focus of my ire is the topic of cryptography.

I understand the purpose and the need for cryptography but aligning it with experience is proving difficult and I need to drill in some situational awareness about this section of the exam. I don’t want to put too much emphasis on this section but maybe my struggle will help the next person coming along this path. Hence, I will try to put my spin on this to make it memorable for me and whomever stumbles upon this.

To protect a system against attacks and malicious penetration attempts cryptography has 2 factors:

1)      Strength of the keys and effectiveness of mechanisms and protocols associated with the keys

2)     Protection of the keys through key management (secure key generation, storage, distribution, use and destruction)

These 2 factors are interdependent and lose their effectiveness when not working in tandem. Based on NIST’s special publication 800-57 Part 1, Revision 4 – there are guidelines for key management and some best practices associated with them. The aforementioned cryptographic keys are used in the 3 general classes of cryptographic algorithms. Cryptographic algorithms are broken into 3 classes approved by NIST, further defined by amount or type of cryptographic keys used with them:

• Hash functions – are the building blocks used in key management and provide services like

o   Source and integrity authentication through generating message authentication codes (MACs)

o   Compressing messages for generating and verifying digital signatures

o   Deriving keys in key-establishment algorithms

o   Generating deterministic random numbers

• Symmetric-key algorithms – aka secret key algorithms are “symmetric” due to being used for both encrypting and decrypting. These keys are used for:

o   Providing data confidentiality by using the same key for encrypting and decrypting data

o   Providing MACs for source and integrity authentication services (keys used to create and validate the MAC)

o   Establishing keys

o   Generating deterministic random numbers

• Asymmetric-key algorithms – aka public-key algorithms use paired keys (public and private) to perform their functions. The public key is known to all (that’s why its public) but the private key is controlled by only the owner of the key pair (shhhhhh it’s a secret). Uses for asymmetric algorithms are:

o   Computing digital signatures

o   Establishing cryptographic keying material

o   Identity management

For me, that is pretty easily understood and memorable, however here come the acronyms. Under symmetric-key algorithms we have:

• Advanced Encryption Standard (AES) – based on Rijndael algorithm (yeesh) encrypts and decrypts data using 128/192/256-bit keys into 128-bit blocks.

• 3DES / Triple DEA (Data Encryption Algorithm) – applies the DES cipher 3 times to each block (Triple… duh) encrypts and decrypts data using 56-bit keys into 64-bit blocks.

The rabbit whole goes much deeper with those but I am going to let my brain rest from all the bits and bytes for a second.

This week has been a blur from dealing with procrastinating end users who waited till the last minute to get off of Zoom to the Telehealth platform being used by my company, to me getting my CompTIA Security+ exam scheduled.

I just want to put some emphasis on the challenge I have posed for myself and whoever is willing to join me. I originally made the post on this on LinkedIn:

Ever since listening to CyberWire Daily podcast back in October 2020 and hearing about an Advanced Persistent Threat (APT) group named Fancy Bear, I have always wondered how these groups got their names. Then recently I found out that the same group can have multiple names which adds to the confusion. This topic has come up within the past couple weeks or so, so I thought it would be a good idea to try to reduce some of the confusion by breaking down how these groups get their names and why it is usually multiple names.

Let us start with the easiest question. Why are there multiple names for the same APT group? The short answer is because each research company (Microsoft, Mandiant, etc.) has their own naming convention. For example, Microsoft names APT groups utilizing the periodic table however, it was announced last week that they are changing their convention to a weather-themed naming convention. Now, some other companies like CrowdStrike utilizes the word “Panda” for Chinese groups, “Bear” for Russian groups, “Kitten” for Iranian groups, and “Chollima” for North Korean Groups. Symantec gives APT groups names of insects and finally Palo Alto names APT groups using constellations (Sabin, 2022).

So, with that out of the way, we need to address why the naming convention is not standardized. Basically, there are three reasons why the naming convention is not standardized. Those reasons are human, technical, and operational. Let us look at each one closer:

Human

·         The operation conducted is used as the APT’s name.

·         The name of the malware used is given as the APT’s name.

·         The research companies do not relate their research to the research of other companies.

·         Media refuses to correct wrong mapping in public articles.

Technical

·         Different companies see different aspect of the same thing. For example, one company only sees the TTP’s while another only sees the C2 infrastructure.

·         Either an APT group splits up or multiple groups combine.

·         Multiple APT groups share their tools with each other.

Operational

·         Each company using their own naming convention gives them the ability to take their research in any direction they want.

·         Each company may feel that by using another company naming convention signals that the other companies research is more complete than their own (Roth, 2018).

So, while the reasons behind all the different names makes sense, there is still the argument for a standard naming convention. I mean communication between organizations alerting each other to IoC’s that are being noticed is vital, so why can’t these security research companies communicate and collaborate with each other. I have said it before that no one organization can be successful on its own. Everyone must work together to defeat our adversaries.

References

·         Roth, F. (2018, March 25). The Newcomer's Guide to Cyber Threat Actor Naming. Retrieved from Medium: https://cyb3rops.medium.com/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263

·         Sabin, S. (2022, September 20). Cyber Firms Explain Their Ongoing Hacker Group Name Game. Retrieved from Axios: https://www.axios.com/2022/09/20/cyber-firms-hacker-group-name-game

Last week was a whirlwind! There was so much happening at once with RSA Conference 2023, where should I begin?

A good starting point may be, how did I prepare for my first RSAC experience? 

With so much marketing leading up to RSA this year, many of us were bombarded with emails and social posts from cybersecurity companies. Since I went to RSA for work, my focus was more so around what to expect for my first visit to San Fran.

Since I already knew my time was primarily consumed with working during most hours, I decided the first thing to do was to schedule the most important work-related events. After blocking those times off, there was minimal time left, but included some evenings open. From talking to connections who worked similar events prior, I knew the evenings would be essential for catching up and getting rested for the next early morning! ☀️ Although I wish I would have made it to the Crowdstrike event! They had THE party to be at this year with the theme, Welcome to the Jungle. It was completely over the top from hearing feedback from co-workers that went. So, I made a mental note: Crowdstrike RSAC Party 2024, check!

Next, I tuned in to a just-in-time episode of Hacker Valley Media’s Hacker Valley Studio with Chris Cochran & Ron Eddings. It dropped about a week prior to RSAC and it came in clutch for helping to calm my nerves and realize it’s a big event for everyone attending, not just me. 🤯 Hacker Valley had a get-together at RSAC, like so many others, and Chris was gracious enough to send an invite. Wish I could have went! Looks like it was a great time. Follow them if you aren’t already: https://hackervalley.com. 

Although RSAC has passed, their RSAC episode has golden takeaways for any networking event! Did I mention BlackHat is quickly approaching? Watch the episode, “RSA with a Purpose” https://youtu.be/sZLCkZG_zG4 or listen on your favorite podcast platform: https://hackervalley.com/e/rsa-with-purpose:-sealing-deals-getting-hired-and-networking-with-industry-leaders/

Finally, I checked the weather—all I noted was it was much colder than my always warm south Florida!!! 🥶 Since I was working the booth for one of our clients, all black was the attire. Usually all black is a no-go for me personally, especially living in Florida, but for this occasion, I made an exception and rocked all black. 

Of course, our team at PlayCyber by Katzcy had the #merch on deck! We’re super talented, not just saying that because I work here—the team is truly remarkable at the collaboration and work produced. We sported a mix of PlayCyber pullovers and US Cyber Games Season III jersey all around San Francisco! USCG hosted a table at RSAC College Day, too. Great turnouts. If you want to show your support, go grab your official gear here: https://shop.playcyber.com and follow us on socials!

While we are here talking about work, I want to add a few shameless plugs for #cybergames info from my current company’s brands:

• Have you joined PlayCyber Global League yet? It’s free, for now… Check it out and join today: https://PlayCyber.com/League

• Interested in #cybersecurity and supporting the industry professionals of tomorrow from the USA? Learn more about the US Cyber Games and register to attend the US Cyber Open Kick-Off, register to play in the US Cyber Open, follow on socials, and stay up to date with the latest in Season III events by joining the fandom! https://uscybergames.com 

• Seeking a place exclusively for women to network, game, and share the latest in #cybersecurity? Head over to Wicked6.com, follow us on socials, and watch the replays from past W6 events when you join PCGL! 

To wrap up, I dropped a quick collage below with some pics from the week. Did I mention everything moved so fast?! By the time the first day came to an end, my anxiety was ending and the focus was all about #quantum, #cybersecurity, #marketing, and #networking, while trying to show up as my best self each day. I consider myself fairly extroverted, but events can stress out even the most extroverted personalities. I'm still adjusting from the west coast swing!

If you’re headed to your first big (or small) show, know you’re not the only one who is going for the first time! There are many others who feel exactly the same as you, no need to fear. The people in this industry are amongst some of the most friendly and kind I’ve ever met. That’s saying a lot with a tenured background in hospitality, where being kind is a requirement. 

Thanks to everyone who was a part of this experience. No way to include it all, I’m tired already and I feel like I just scratched the surface! Maybe I’ll share more another time, but wanted to be sure to put this out there and say it was an amazing experience. Would I do it again? Yep, for sure. Looking forward to do it all over again next year! ✨ 

And thanks to RSA Conference for putting on a great show! Until next time, San Francisco!

As we are on the last stretch of how to mitigate security risks through the implementation of personnel policies, it’s important to note that not all risks come from the online network but offline as well. Otherwise, these policies wouldn’t exist. This week, we’re looking deeper into the remaining four policies, which are Non-Disclosure Agreement (NDA), Third-Party Risk Management, Terms of Agreement, and Measurement Systems Analysis.

1. Non-Disclosure Agreement - This policy is implemented within two parties in which data that is shared between them is not to be disclosed to unauthorized parties. This is also used in companies to prohibit employees from disclosing data that is strictly meant to be kept within the organization. This includes not sharing with unauthorized entities while being employed or when offboarding the company. This category includes social media analysis, which is used to verify whether an employee is compliant with the policies in place.

2. Third-Party Risk Management - This can be overlooked, especially when trust is involved. Many do not realize that being connected to other entities outside of the company can pose a risk. This is where having security policies can help with mitigating these risks. Third-Party Agreements include:

a. Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA), where two or more entities come to an understanding in terms of working towards a mutual goal

b. Business Partners Agreement (BPA), where a written agreement is established between business partners to indicate their responsibilities and obligations while working together

c. Service Level Agreement (SLA), where expectations are laid out between an entity and a vendor to ensure standards are met

3. Terms of Agreement - This is usually added as a clause in a legal document, indicating when an agreement comes into effect

4. Measurement Systems Analysis (MSA) - This determines the accuracy of data collected by evaluating the tools and processes used to measure. An example of this would be measuring data based on the type of equipment being used and how it is being used.

What policies do you notice that are heavily implemented in your current organization? Do you feel that it’s working to mitigate risk or create restrictions on the processes done at your organization?

References:
Gibson, D. (2020). CompTIA Security+ : Get Certified Get Ahead SY0-601 Study Guide. Ycda, Llc.

Disasters whether natural or man-made are inevitable. Every company no matter the size or location is going to experience one. How quickly they recover, if at all, depends on whether they have a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster, close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).

For a BC / DR plan to be successful the following five steps should be taken.

1. Be proactive with planning – Basically what this is saying is to create a list of as many conceivable disasters as possible. The imagination is the only limiting factor here if the disaster is conceivable. For example, a company in North Dakota planning for a hurricane is not conceivable.
2. Identify the organizations critical functions and infrastructure – This is the time a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses causes of disruptions and the repercussions of those disruptions.
3. Create emergency response policies and procedures – This is the meat and potatoes of the process. Creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.
4. Document backup and restoration process – This involves writing down the procedures for backing up the companies’ data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.
5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing it comes in. Testing a plan makes the employees familiar with it which results in them being able to respond quicker. This is paramount in a disaster where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).

When creating the BC plan, one of the main things to consider is the backup location. This location may have its own risks from disasters that need to be anticipated. Six items that need to be considered when choosing a backup location include:

1. Natural Disaster - Depending on the location, especially if it is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The way to mitigate this is if feasible to pick a location further away.
2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power, or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or find a location where employees are close by that may be able to walk to get to the site.
3. Human Error – Humans are not psychic. We need to be passed information. A company may have the best BC /DR plan ever created however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.
4. Cyber Attack – While transferring the data to the backup site, companies need to ensure that their customers information is safe and not going to be subject to a cyber-attack. This can be mitigated by ensuring devices at the backup location are constantly patched and updated, anti-virus is used, and data is encrypted.
5. Compliance – No matter where the company is operating of, whether it is the primary location or the backup site, they still need to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location. That means whenever something is done to the primary location, it is also done to the backup location.
6. Physical Security – Physical security is just as important as securing the companies data. There are a couple ways to achieve this. The company could invest in a security system to include cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).

References
An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: 

5 steps to creating a backup and disaster recovery plan

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies

A honeypot is a security measure that creates a virtual trap to lure attackers into targeting a particular part of an organizations network. There are two classifications of honeypots depending on how they are used. First, is a production honeypot. These are used by large organizations and companies. Second, is a research honeypot. These are used by educational institutions, governments, and militaries. No matter the classification their purpose is to gain knowledge of threat actors’ tactics, techniques, and procedures (TTP’s) (EC-Council 2020).

So, basically honeypots can fall into one of three categories: Low-interaction honeypot, medium-interaction honeypot, or high-interaction honeypot. Now, the low, medium, and high represent the services the threat actor can see. For the low-interaction honeypot, there is a limited number of emulated services. The medium-interaction honeypot has more emulated services. Finally, the High-interaction honeypot has nothing emulated. It is basically a real-world vulnerable system (Mahmoud, 2019).

Are there any legal or ethical implications to using honeypots? The answer is maybe, depending on its purpose, there could be legal implications in using honeypots. Reason for that is, what are honeypots designed to do. They are designed to lure threat actors into gaining access and attacking those systems thinking they are attacking an organizations actual system. Well, in legal terms, that is called entrapment. So, depending on the reason for the honeypot, for instance, researching threat actors to better bolster network security will probably not trigger a law enforcement response. Now if the purpose is to prosecute these threat actors, that is a whole other story as it may trigger a response in the form of a claim from the threat actor. It may also leave the organization open to regulatory action and it may even subject the organization to criminal prosecution for hacking (Overly, 2019).

The bottom line is that if an organization wants to setup a honeypot, it would be best to consult an attorney and that specializes in information security and law enforcement to get some advice beforehand. This will ensure that the organization is in compliance with 18 U.S.C Section 1030 which has a statement in it that exempts lawfully authorized investigative, protective or intelligence activity of a law enforcement agency of the United States (Section 1030. Fraud and related activity in connection with computers, n.d.)

References:

• EC-Council (2020). Certified Ethical Hacker (CEH) Version 11 eBook w/ iLabs (Volume 3: Web Attacks and Defense). International Council of E-Commerce Consultants (EC Council). VitalSource Bookshelf Online

• Mahmoud, R. V. (2019). Deploying a University Honeypot: A Case Study. Retrieved from ceut-ws: http://ceur-ws.org/Vol-2443/paper03.pdf 

• Overly, M. R. (2019, November 25). Avoiding the Pitfalls of Operating a Honeypot. Retrieved from CSO Online: Avoiding the pitfalls of operating a honeypot

• Section 1030. Fraud and related activity in connection with computers. (n.d.). Retrieved from House.gov: 18 USC 1030: Fraud and related activity in connection with computers

I’m In the topic of security policies, here are the next 4 personnel policies that will help mitigate risks and data theft within an organization. Taking these preventative measures will also help the organization build reliability and trust with external parties and internal employees.

1. Job Rotations - This policy can be temporary or permanent. Not only does this concept require employees to switch different job roles for exposure and learning opportunities, but this also prevents or exposes fraudulent activity. This is similar to the separation of duties concept, which prevents giving full control to an individual.

2. Clean Desk Space - As self-explanatory as it can be, having a clean desk space ensures that an area is kept organized and reduces the chance of leaving any sensitive information out in the open. Keeping a desk space free of paper prevents possible data theft or potential leaks of confidential information.

3. Background Check - Usually performed during an onboarding process, an employee undergoing a background check would help build trust and identify any piece of the employee’s history that may pose a risk to the company. Background checks vary within each organization, depending on what type of roles and responsibilities an employee will be performing. Background checks may include criminal record checks, financial credit checks, and social media/online activities.

4. Onboarding & Offboarding - Onboarding is the start of the hiring process where an employee is given any IT equipment to perform their job and access to the appropriate resources within the organization using a work account. Offboarding is a process done when an employee is exiting the company. In these situations, everything that was issued to the employee, in the beginning, is collected. This process includes disabling all related work accounts, IT equipment collections, collection of keys/key card accesses, laptops, phones, and other devices.

Take a moment to observe your current employer. Are some of these personnel policies mentioned being practiced within your workplace or are they non-existent? What can you do to improve information security within your workplace? What is something you can start doing today?

For more information regarding personnel policies, check out the reference below. This serves as a great study resource for the CompTIA Security+ and I highly recommend it.

References:
Gibson, D. (2020). CompTIA Security+ : Get Certified Get Ahead SY0-601 Study Guide. Ycda, Llc.

I’m beginning to witness how the material I have studied for during my CompTIA Security+ exam preparation is being implemented in a corporate environment. As part of the administrative control category, maintaining personnel policies can help reduce and manage risk by preventing data theft and loss, as well as incidents, when followed by employees. Although the policies pertain to personnel behaviour and expectations, these help with keeping security on top of mind. There are 12 categories under personnel policies. In each blog, we’ll go through 4 of them:

1. Acceptable Use Policy - This policy mainly introduces computer systems and networks but also describes the responsibilities of users when accessing the systems and how they can be accessed. Organizations may include AUPs in their contracts upon hiring. Users are informed that they can be monitored based on their web and email activity. The purpose of this is to help prevent users from accessing data from external sources that may potentially introduce a breach into the network of the organization.

2. Mandatory Vacations - This policy requires employees to take time off from work. By doing so, this can help detect any malicious activities occurring that may involve employees. This also helps to deter fraud, but not necessarily prevent it.

3. Separation of Duties - This is a principle prevents fraud, errors, and theft by dividing tasks between multiple employees. Delegating different tasks to other employees prevents a single employee or entity from completing an entire process on their own or having full control of a process that may be deemed sensitive, lessening the chances of committing fraud.

4. Least Privilege - This policy enables specific rights and permissions to be assigned to an individual, but nothing more. In order to reduce risk and potential losses, a user is to be given access to a limited amount of data, enough to perform their assigned tasks but not overly restricting them.

For more information regarding personnel policies, check out the reference below. This serves as a great study resource for the CompTIA Security+ and I highly recommend it.

References:
Gibson, D. (2020). CompTIA security + : get certified get ahead SY0-601 study guide. Ycda, Llc.

Let’s stay connected: https://www.LinkedIn.com/in/eulac-lipro

We have all “failed” at something. Whether it was a test in school, running a business, maybe even a marriage, etc. Now, let me ask what does fail really mean? According to Google, fail as a verb has two meanings 1) to be unsuccessful at something. 2) To neglect to do something. To me both sound negative. My goal with this blog is to take the first definition and look at it from a different perspective as it does not necessarily have to have a negative connotation.

Let us look with the first meaning “to be unsuccessful at something”. Now, we have all been unsuccessful at something at some point in our lives. Whether it was a test in school, running a business, maybe even a marriage that ended in divorce, etc. All of these can be seen as things we may have “failed” at. Now personally, I have “failed” numerous tests in school, and I “failed” running a business and I have felt bad about both as I am sure everyone else has when we “fail” at something. So, why do we feel bad when we “fail” at something? The reason we feel bad is due to the negative connotation that surrounds that word.

What if we look at “fail” from a different perspective. The word “fail” can be looked at as an acronym. That acronym is First Attempt in Learning. Let us look at the above examples in a different light. For example, a year ago, I took my first certification test. It was the CompTIA CySA+ and I missed passing it by 32 points. Essentially, I failed it because I did not get the minimum passing score however, the fact that I learned the format of the exam and learned that I had studied old material, it was a success. Now in terms of running a business, I had one when I first retired from the military. I had to shut it down after three months, so essentially it failed. Now, given that it was a learning experience in what not to do next time, it was a success. The point is that if lessons are learned, then whatever is seen as a “failure” is not unsuccessful, thus making the first definition inaccurate. If that makes sense?

So, do not be afraid to try something new, because when we do and “fail” at it, that is when we not only learn about the new thing we tried but also we learn more about ourselves. It is how we grow as human beings. 

There is a saying in the cybersecurity field. That saying is “compliance does not equal security”. Now, when I first heard about this, my first thought was why doesn’t it. The reason I asked that is because of my 20 plus year experience in non-IT regulatory compliance. In these cases, especially regarding safety, if we were compliant with the regulations, we were certain things were going to be safe. So, compliance not equaling security confused me for a bit.

After finally being able to do some research, it turns out to be a true statement. Compliance does not equal security for three reasons. 1) Regulatory updates are not keeping pace with technology advancements. 2) There are instances when multiple regulations that govern an organization contradict each other. 3) Organizations simply check the box, saying they are compliant because they are required to do so, not because they see value in the regulations.

Let's talk about each of these three points: 

1) Regulatory updates are not keeping pace with technology advancements. This absolutely makes sense. My experience with the Air Force is that they update their regulations every few years as things change. The cybersecurity field seems to not have that mentality. Take for example the Computer Fraud and Abuse Act (CFAA). The CFAA was passed in 1986 and is not only still applicable 37 years later, but also in serious need of an update. That is just one example of the numerous regulations that need to be updated. Updating outdated regulations is one of the goals of the 2023 National Cybersecurity Strategy.

Point number 2: There are instances when multiple regulations that govern an organization contradict each other. It is highly probably that on organization can be governed by more than one regulation and by complying with one means not complying with another one. When I first started studying cybersecurity and saw that an organization can be governed by more than one regulation, I asked what they are supposed do, which one takes precedence. The reply I got was that all applicable regulations get followed. Now, I realize that is not always possible. This is something that the 2023 National Cybersecurity Strategy wants to remediate. This is desperately needed.

Finally, let us look at point number 3. Organizations simply check the box, saying they are compliant because they are required to, not because they see value in the regulations. I do not understand how we got to this point. Is it because regulatory updates are not keeping pace with technology advances? Is it because there are instances when multiple regulations that govern an organization contradict each other? Is it possible that the current regulations are a bit ambiguous? Going back to my Air Force career, the regulations that I dealt with every day were specific in their requirements and non-compliance had consequences.

So, how do we as cybersecurity professionals rectify this? Like I said earlier, points 1 and 2 are basically covered by the 2023 National Cybersecurity Strategy. The problem is that the timeline for completion is unknown. Point 3 on the other hand, we have influence in. I think this is where being able to translate the technical verbiage into business verbiage and communicating how the regulations affect the business is critical. I would love to hear if you all have any thoughts or ideas on this.