Cybersecurity Central | Refining the Human Connection | 501c3 Nonprofit

BLOGS BY JAMES

Cybersecurity Central is excited to share Blog by CC.

Bookmark this page and visit regularly to learn what James Driscoll is discovering in his #infosec journey.


#cybersecuritycentral #diversityofthought #blogbycc


DEC 22, 2023

Wireless Security: Ditch the Dust, Go Modern!

by James Driscoll

December 22, 2023

Remember that creaky old swing set in your backyard? The one your parents told you was "safe" even though it looked like it might collapse any minute? Yeah, WEP encryption for your Wi-Fi is kind of like that. It's outdated, wobbly, and about as secure as a screen door on a submarine.

 

WEP was the first attempt at Wi-Fi security, but it's more like a historical artifact than a viable option. It's riddled with vulnerabilities, and cracking it is child's play with readily available software. Imagine leaving your front door wide open and expecting nobody to peek in – that's WEP for you.

 

But wait, there's TKIP! This "upgrade" isn't much better. It was meant as a temporary fix while they figured out something real, like a sturdy steel gate for your network. But just like that rickety swing set, TKIP has its own cracks, some known since its inception! It's time to retire this rusty relic and move on to something stronger.

 

So, what's the good stuff? Look no further than CCMP/AES. It's like a fortress compared to WEP and TKIP – imagine a vault with triple locks and laser beams. Even the most dedicated cyber-crooks would give up in frustration trying to crack this one. This is where your precious data should be living, not floating around in the open air like a forgotten kite.

 

But even Fort Knox has its chinks in the armor. Even with strong encryption, your passwords can be the weak link. Think of them as the keys to your digital kingdom. Using weak, predictable passwords like "password123" is like leaving the spare key under the doormat. Instead, go for something long, strong, and unique – a passphrase fit for a king (or queen) of the internet. Think 20 characters with a mix of letters, numbers, and even symbols. Make it something only you could come up with.

 

And now for the good news: WPA3, the latest and greatest in Wi-Fi security, takes things even further. It's like adding an alarm system and security cameras to your already-fortified castle. Even if someone finds a stray key, they'll be caught red-handed before they can do any damage.

 

So, ditch the dust-covered WEP and rusty TKIP. Upgrade to CCMP/AES and lock down your passwords with a passphrase fit for royalty. And if you're looking for the ultimate peace of mind, welcome WPA3 with open arms (just make sure they're protected by strong authentication!). Remember, your internet security is your responsibility, so choose wisely and stay safe out there in the digital jungle!
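To make the advice above concrete, here is an added example of my own (not code from the post): a small Python checker that reads a hostapd-style access-point configuration and flags the settings the post warns about, with a "creaky swing set" configuration and a hardened one beside it. Both configurations are constructed for the example; the option names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_key_mgmt`, `ieee80211w`, `wpa_passphrase`, `wep_key0`) are real hostapd options, and the 20-character passphrase floor is the post's recommendation rather than anything hostapd enforces (hostapd itself only requires 8 to 63 characters).

```python
from typing import Dict, List

# The post's recommendation; hostapd itself only enforces 8..63 characters.
MIN_PASSPHRASE_LEN = 20

# Constructed example: WPA (version 1) with TKIP and a short passphrase.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
# WPA version 1 only
wpa=1
wpa_key_mgmt=WPA-PSK
# the "temporary fix" cipher
wpa_pairwise=TKIP
wpa_passphrase=password123
"""

# Constructed example: WPA3-Personal (SAE) with CCMP, mandatory management
# frame protection, and a long passphrase that mixes character classes.
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
# RSN (WPA2 and later) only
wpa=2
# WPA3-Personal
wpa_key_mgmt=SAE
# AES-CCMP only, no TKIP fallback
rsn_pairwise=CCMP
# management frame protection required (SAE needs it)
ieee80211w=2
wpa_passphrase=correct horse battery staple 2023!
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and full-line '#' comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wifi_config(conf: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    uses_wep = any(k.startswith("wep_") for k in conf)
    wpa_mode = conf.get("wpa", "0")

    if uses_wep:
        findings.append("WEP keys configured: WEP is broken, remove wep_* options")
    if wpa_mode == "0" and not uses_wep:
        findings.append("open network: no WPA/WPA2/WPA3 configured")
    if wpa_mode in ("1", "3"):
        findings.append(f"wpa={wpa_mode} admits WPA (version 1) clients; use wpa=2")

    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP allowed as a pairwise cipher; allow CCMP only")
    if wpa_mode != "0" and "CCMP" not in ciphers:
        findings.append("CCMP (AES) is not enabled as a pairwise cipher")

    # hostapd defaults wpa_key_mgmt to WPA-PSK when the option is absent.
    key_mgmt = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    if "SAE" in key_mgmt and conf.get("ieee80211w", "0") != "2":
        findings.append("SAE (WPA3) configured without ieee80211w=2; SAE requires management frame protection")

    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None:
        if not 8 <= len(passphrase) <= 63:
            findings.append("wpa_passphrase must be 8 to 63 characters for hostapd")
        elif len(passphrase) < MIN_PASSPHRASE_LEN:
            findings.append(f"wpa_passphrase is {len(passphrase)} characters; use at least {MIN_PASSPHRASE_LEN}")
        classes = sum((
            any(c.isalpha() for c in passphrase),
            any(c.isdigit() for c in passphrase),
            any(not c.isalnum() for c in passphrase),
        ))
        if classes < 2:
            findings.append("wpa_passphrase uses a single character class; mix letters, digits and symbols")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a config file's text and audit it."""
    return audit_wifi_config(parse_hostapd(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_text(text) or ['no findings']}")
```

Run against the weak configuration the checker reports four problems (WPA version 1, TKIP, no CCMP, an 11-character passphrase); the hardened one comes back clean. The SAE check matters in practice because a WPA3 network without management frame protection is not a valid WPA3 deployment, so "upgrading" the key management alone is not enough.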



Connect with me on LinkedIn and let's continue the conversation: https://linkedin.com/in/jdriscoll-76 


NOV 29, 2023

IPv4 & IPv6 Internet Protocols

by James Driscoll

November 29, 2023

This week in my advanced networking class we reviewed the network layer of the IP model. Allow me to share more with you in this blog today.


The network layer consists of IPv4 and IPv6, which are two different versions of the Internet Protocol (IP), the fundamental protocol that enables communication on the internet. IPv4 is the older version of the protocol, and it is currently used by most devices on the internet. However, IPv4 is running out of addresses, and IPv6 was developed to provide a much larger address space.

 

IPv4

IPv4 addresses are 32 bits long, which means that there are only about 4.3 billion possible IPv4 addresses. This number of addresses is not enough to accommodate the growing number of devices on the internet, such as smartphones, tablets, and IoT devices.

 

IPv4 addresses are written in dotted-decimal notation, which consists of four decimal numbers separated by periods. For example, the IPv4 address 192.168.1.1 is written in dotted-decimal notation.

 

IPv4 is a mature protocol, and it is well-supported by most devices and networks. However, IPv4 is also a complex protocol, and it can be difficult to manage.

 

IPv6

IPv6 addresses are 128 bits long, which means there are 2^128 possible IPv6 addresses, a number so large it is effectively inexhaustible. This vast address space is enough to accommodate the growing number of devices on the internet for many years to come.

 

IPv6 addresses are written in hexadecimal notation, which consists of eight groups of four hexadecimal digits separated by colons. For example, the IPv6 address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 is written in hexadecimal notation.
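The two notations above, worked through as an added example (my code, not part of the original post): it parses dotted-decimal IPv4 into its 32-bit value and colon-hex IPv6 (including `::` zero compression) into its 128-bit value, prints both back in canonical form, and cross-checks the hand-written parsers against Python's standard `ipaddress` module. Embedded-IPv4 forms such as `::ffff:192.0.2.1` are deliberately left out. Rejecting octets with a leading zero is a defensive choice: some C libraries read `010` as octal, so accepting it would let one string name two different hosts in two different programs.

```python
import ipaddress

IPV4_BITS = 32
IPV6_BITS = 128
HEX_DIGITS = set("0123456789abcdefABCDEF")


def address_space(bits: int) -> int:
    """Number of distinct addresses an address width allows (2**bits)."""
    return 1 << bits


def parse_ipv4(text: str) -> int:
    """Dotted-decimal IPv4 ('192.168.1.1') -> 32-bit integer.

    Accepts exactly four decimal octets in 0..255. Octets with a leading zero
    ('010') are rejected: C's inet_aton() reads them as octal, so allowing them
    makes the same string mean different hosts in different programs.
    """
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for octet in octets:
        if not octet.isdigit() or (len(octet) > 1 and octet[0] == "0"):
            raise ValueError(f"bad octet {octet!r} in {text!r}")
        number = int(octet)
        if number > 255:
            raise ValueError(f"octet out of range: {octet!r}")
        value = (value << 8) | number
    return value


def parse_ipv6(text: str) -> int:
    """Colon-hex IPv6 -> 128-bit integer, expanding one '::' to zero groups.

    Embedded-IPv4 forms like '::ffff:192.0.2.1' are not handled here.
    """
    if text.count("::") > 1:
        raise ValueError(f"more than one '::' in {text!r}")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one group: {text!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected eight groups: {text!r}")
    value = 0
    for group in groups:
        if not 1 <= len(group) <= 4 or not set(group) <= HEX_DIGITS:
            raise ValueError(f"bad group {group!r} in {text!r}")
        value = (value << 16) | int(group, 16)
    return value


def format_ipv4(value: int) -> str:
    """32-bit integer -> dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def format_ipv6(value: int) -> str:
    """128-bit integer -> RFC 5952 text: lowercase hex, no leading zeros, and
    the first longest run of two or more zero groups collapsed to '::'."""
    groups = [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:                      # scan for the longest run of zero groups
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    words = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def matches_stdlib(text: str) -> bool:
    """Cross-check the hand-written parsers against the standard library."""
    ours = parse_ipv6(text) if ":" in text else parse_ipv4(text)
    return ours == int(ipaddress.ip_address(text))


if __name__ == "__main__":
    # The two addresses from the post, plus loopback as a '::' case.
    for sample in ("192.168.1.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "::1"):
        canonical = format_ipv6(parse_ipv6(sample)) if ":" in sample else format_ipv4(parse_ipv4(sample))
        print(f"{sample} -> {canonical} ({'ok' if matches_stdlib(sample) else 'MISMATCH'})")
    print("IPv4 address space:", address_space(IPV4_BITS))
    print("IPv6 address space:", address_space(IPV6_BITS))
```

The example address from the post comes back as `2001:db8:85a3::8a2e:370:7334`, which is the same canonical form the standard library produces. In real code you would normally just use `ipaddress`; the point of parsing by hand here is to see the 32 and 128 bits behind the two notations and where input validation has to happen.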

 

IPv6 is a newer protocol than IPv4, and it is not as well-supported by all devices and networks. However, IPv6 is a simpler protocol than IPv4, and it is easier to manage.

 

Comparison of IPv4 and IPv6

Transition to IPv6

The transition to IPv6 is a gradual process, and it is taking place over many years. Most devices and networks now support both IPv4 and IPv6, and internet service providers (ISPs) are offering IPv6 addresses to their customers.

 

Here are some of the benefits of switching to IPv6:

 

Conclusion

IPv6 is the future of the internet, and it is important for businesses and organizations to start planning for the transition to IPv6. By switching to IPv6, businesses can ensure that their networks are future-proof and that they can take advantage of the benefits of the new protocol.

 

Connect with me on LinkedIn: https://linkedin.com/in/jdriscoll-76 


References

NOV 16, 2023

The History of Computer Networking

by James Driscoll

November 16, 2023

Ah, it’s the start of another new term in my quest for a master’s degree in cybersecurity and the next class on my list for the next five weeks is Advanced Networking.  However, before we talk about advanced networking, let’s go back to the basics to have a solid foundation to build upon. This week is a history lesson in computer networking.

 

The Development of Packet Switching 1961-1972:

 

In the early 1960s, three research groups independently invented packet switching as an alternative to circuit switching for computer networks. Packet switching is more efficient and robust for bursty traffic, such as that generated by users of timeshared computers.


The first packet-switched computer network, the ARPANet, was built in the United States in the late 1960s. By 1972, ARPANet had grown to 15 nodes and had been given its first public demonstration. The first host-to-host protocol, the network-control protocol (NCP), was also completed in 1972, enabling the development of applications such as e-mail.


The Internet today is a direct descendant of the ARPANet. It is a packet-switched network that uses the Internet Protocol (IP) to route packets between devices. IP is a simple but effective protocol that has allowed the Internet to grow and evolve over the years.

 

Proprietary Networks and Internetworking 1972-1982:

 

The initial ARPAnet was a closed network, but in the early to mid-1970s, additional packet-switching networks came into being, such as ALOHANet, Telenet, Cyclades, and Tymnet.  Pioneering work on interconnecting networks (under the sponsorship of DARPA) was done by Vinton Cerf and Robert Kahn, who coined the term internetting.  The early versions of TCP combined reliable in-sequence delivery of data with forwarding functions. Later, forwarding functions were separated out of TCP and the UDP protocol was developed, resulting in the three key Internet protocols that we see today: TCP, UDP, and IP.  In addition to the DARPA Internet-related research, many other important networking activities were underway, such as the development of the ALOHA and Ethernet protocols.

 

A Proliferation of Networks 1980-1990:

 

By the end of the 1970s, the ARPAnet had approximately 200 hosts connected to it.  In the 1980s, the number of hosts connected to the public Internet grew tremendously, reaching 100,000 by the end of the decade.  Much of this growth was due to the creation of new computer networks linking universities together, such as BITNET, CSNET, and NSFNET.  In the ARPAnet community, many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS.  In the early 1980s, France launched the Minitel project, a successful attempt to bring data networking into everyone's home.

 

The 1980s was a time of tremendous growth for the Internet.  New computer networks were created linking universities together, such as BITNET, CSNET, and NSFNET.  Many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS.  France launched the Minitel project, a successful attempt to bring data networking into everyone's home.

 

The Internet Explosion 1990’s:

 

In the 1990s, the Internet evolved and commercialized. ARPAnet ceased to exist, NSFNET lifted its restrictions on commercial use, and NSFNET was decommissioned.  The World Wide Web was invented at CERN by Tim Berners-Lee and brought the Internet to millions of people.  The Web enabled many new applications, including search, e-commerce, and social networks.  The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing.

The 1990s was a time of rapid growth and innovation for the Internet.  The World Wide Web made the Internet accessible to a wider audience and enabled new applications.  The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing.  The Internet stock market bubble burst in 2000-2001, but several companies emerged as big winners in the Internet space.

 

The New Millennium:

 

In the first two decades of the 21st century, the Internet has transformed society more than any other technology, along with Internet-connected smartphones. Innovation in computer networking continues at a rapid pace, with advances in all areas, including faster routers and higher transmission speeds in both access networks and backbones.


Some of the most notable developments of this period include:

 





 

This completes today's history lesson on an overview of Computer Networking! See you again soon.


Connect with me on LinkedIn: https://linkedin.com/in/jdriscoll-76 


References


OCT 25, 2023

Compliance Standards

by James Driscoll

October 25, 2023

For week 4 of my Cloud Security course, we learned about privacy and security laws.  This is a bit of a review as these were part of the CompTIA CySA+ exam I took back in February.  So, I thought it would be a good idea to create a blog to briefly discuss each one. 


The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; the Family Educational Rights and Privacy Act (FERPA); and finally, the European Union General Data Protection Regulation (EU GDPR). We will review these six frameworks below:

 

1. HIPAA (Health Insurance Portability and Accountability Act): HIPAA became law back in 1996 and was designed to let employees who change jobs take their insurance with them.  It was also designed to make health care delivery more efficient (HIPAA History, n.d.).  The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

 

2. PCI DSS (Payment Card Industry Data Security Standard): The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017).  This agreement was established in 2004.  Now, even though it is not a law, non-compliance still has consequences.  These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

 

3. GLBA (Gramm-Leach-Bliley Act): This standard is applicable to the banking industry.  The basic premise is that all financial institutions must have a security program and someone to run it (Chapple & Seidl, 2017).  It became law back in 1999.  This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

 

4. SOX (Sarbanes-Oxley Act): This act applies to any organization that is publicly traded (Chapple & Seidl, 2017).  It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors.  It is named for the two members of Congress who sponsored it, Senator Paul S. Sarbanes and Representative Michael G. Oxley (Kenton, 2022).

 

5. FERPA (Family Educational Rights and Privacy Act): This act mandates that educational institutions protect student information (Chapple & Seidl, 2017).  FERPA became law back in 1974 and has a dual purpose: 1) it returns control of educational records to the parents or to adult students, and 2) it requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).

 

6. EU GDPR (European Union General Data Protection Regulation): The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It does this by replacing the Data Protection Directive (Directive 95/46/EC) of 1995. The regulation has been in effect since May 25, 2018 (Chapple & Seidl, 2022).



References


Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

OCT 11, 2023

Emerging Tech in Cloud Computing

by James Driscoll

October 11, 2023

This past week I started my third term in my quest for a master’s degree at ECPI.  In the next five weeks I will be learning about cloud security.  For the reading last week, I read about how blockchain technology can be used in cloud security.  This is interesting as I had only heard about it in terms of cryptocurrency.  So, I decided to do some more research, and this is what I found.


Blockchain technology is a distributed ledger technology that can be used to improve cloud security in several ways:


Below are some specific ways that blockchain technology can be used to improve cloud security:


Some examples of blockchain-based cloud security solutions include:


Below are some additional thoughts on the use of blockchain technology in cloud security:


Overall, blockchain technology has the potential to significantly improve cloud security. As blockchain-based security solutions continue to develop and mature, we can expect to see them adopted by more and more organizations (Gupta, Siddiqui, Alam, & Shuaib, 2019).

 

References


Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

SEP 28, 2023

Audit First Methodology

by James Driscoll

September 28, 2023

This week in my Security Architecture and Design course we discussed a concept called an Audit First Methodology.

 

The Audit First methodology is a risk-based approach to auditing that focuses on identifying and assessing risks early in the audit process. This allows auditors to focus their resources on the areas of highest risk and to develop a more tailored audit approach.  It is implemented via the following steps:

 





 

There are numerous benefits to utilizing this methodology, including:

 

 

The only challenge that I anticipate in using the Audit First Methodology is reluctance to focus more on the other controls versus the preventive controls.  As stated in the textbook, organizations typically put more stock in preventive controls (Donaldson, Siegel, Williams, & Aslam, 2015).  The way around this challenge is to explain the benefits of following the Audit First Methodology while emphasizing the downside of focusing only on preventive controls, in a language that the business side of the organization can understand.  Typically, this is done by translating the cybersecurity jargon into business jargon.


References

 

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

SEP 13, 2023

Enterprise Security Architecture

by James Driscoll

September 13, 2023

This week for Blog by CC Weekly, I am continuing with sharing my master’s degree cybersecurity course assignments with you. The class this term is Security Architecture and Design.  First, this blog will discuss some of the challenges and benefits of implementing an enterprise security architecture. Second, we will look at how organizations can overcome some of those challenges.  Third, it will analyze the importance of logical and physical security.  Finally, I give my thoughts and opinions on which are more important. Discover more below:


Challenges and benefits to implementing an enterprise security architecture:

Challenges:

Benefits:


The Importance of logical and physical security:


References

 

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

AUG 30, 2023

Technological Convergence

by James Driscoll

August 30, 2023

For the last week of my Ethical and Human Aspects in Cybersecurity class, we talked about Technological Convergence.  So, what is it?  Technological convergence is the process by which different technologies merge and evolve into new forms that can fulfill multiple functions. This means that devices and applications that were once separate and distinct are now becoming more integrated and interconnected (McGuigan, 2023).  The smartphone is a prime example of technological convergence. It combines the functions of a phone, a computer, a camera, a music player, and more into a single device. This makes it more convenient for users to access all their favorite content and services from one place.

There are numerous potential social and ethical concerns that can arise due to technological convergence.  They include:

 

Technological convergence can jeopardize a company's code of conduct in several ways, including:

It is important for companies to be aware of the potential ethical and legal implications of technological convergence and to take steps to mitigate these risks. This includes updating their codes of conduct to reflect the challenges posed by new technologies.

Here are some specific things that companies can do to mitigate the risks of technological convergence:

By taking these steps, companies can help to mitigate the risks of technological convergence and protect their employees, customers, and data (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).

References

AUG 16, 2023

Cybersecurity in the Global Economy

by James Driscoll

August 16, 2023

Last week in my Ethics and Human Aspects of Cybersecurity class, the topic of cybersecurity in the global economy came up. Specifically, whether it is even possible. Below is more of my take on this topic.

In 2023, the concept of an individual country's economy no longer exists. Anything that affects one country’s economy affects the economies of other countries. We truly have a global economy. Now, when I say anything, I mean absolutely anything. It could be something as innocent as weather or something more malicious such as a cyber-attack. An example of a cyber-attack that has the potential to affect the global economy is the Stuxnet Worm.

What is the Stuxnet Worm? This little piece of malware was created in 2010 with the purpose of attacking Industrial Control Systems (ICS) (Mueller & Yadegari, 2012). For anyone that does not know, an ICS is used in sectors such as “manufacturing, transportation, energy, and water treatment” (Industrial Control System, n.d.).

Now, since the sectors mentioned above are used all over the world, the potential impact on the global economy is going to be huge. Let us look at the energy sector as an example. Energy is not only a necessity, but changes in its supply also affect the global economy almost immediately, and right now we get that energy from oil. Just a simple change in production output by Saudi Arabia can cause energy prices to fluctuate, which causes the prices of other products to fluctuate around the world.

What can be done against countries that either actively engage in cyberespionage and cyber-attacks or sponsor people who do? Well, the main tactic used is financial sanctions. The theory is that limiting the amount of business they can conduct, hitting them in the wallet so to speak, should deter them from engaging in criminal activity. Based on events over the past three years, I am not a fan of it. Perhaps if it is done swiftly and comprehensively it may have the desired effect, but I am not so sure.

There is another tactic that can be used to deter cyber-attacks called “hacking back”, sometimes referred to as “active cyber defense.” However, these two terms mean completely different things. Techniques and tactics normally associated with active cyber defense include things like utilizing honeypots to study and gain information about cyber-attackers. It also includes scanning your network and looking through logs trying to find Indicators of Compromise (IoCs).

Hacking back is just as it sounds: a victim of a cyber-attack attacking the attacker. This is not recommended as it is illegal under 18 U.S. Code Section 1030, Fraud and Related Activity in Connection with Computers. This is also known as the Computer Fraud and Abuse Act (CFAA) (18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers, n.d.).

The Russian invasion of Ukraine has brought up an interesting dilemma: whether it is acceptable for countries engaged in a conventional war to also engage in cyberespionage. After reading the ACM Code of Ethics, my answer to that is a resounding no. The reason is that section 1, point 1.2 stipulates that practitioners should avoid causing harm (ACM Code of Ethics Booklet, 2018).

Finally, there is the question of cybersecurity being possible in a global economy. According to ISACA there are eight requirements that every country would need to adopt for cybersecurity. They include: 1) adopting a security by design model, 2) teaching cybersecurity awareness to everyone, 3) following applicable cyber laws, 4) participating in international cooperation, 5) establishing and maintaining an acceptable level of cybersecurity practitioners, 6) creating strong deterrence mechanisms, 7) following NIST frameworks, and 8) emphasizing internet freedom (Ramachandran, 2019). Until these eight requirements are met, true cybersecurity cannot be achieved in a global economy. The best we can hope for is cyber resiliency.

References

JUL 5, 2023

The Fourth Amendment in the Digital Age

by James Driscoll

July 5, 2023

Living in America comes with numerous rights as laid out in the Constitution. One of those rights is covered by the Fourth Amendment, which states: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (Constitution of the United States: Fourth Amendment, n.d.). This is basically our right to privacy. So, what do I suggest this means? The government is prohibited from searching us and taking our property without a good reason.

When the Constitution was written, the technology we have today did not exist. So, this begs the question as to how that technology impacts our right to privacy. Perhaps this is not the right question to be asking. Perhaps the question we should be asking is: is there a way to adapt the Fourth Amendment so that the technology we have today is included in its protections? The reason I say that is, as I said earlier, the technology we have today did not exist when the Fourth Amendment was written. Let’s look at what was around at that time: specifically houses, papers, and effects (property). That means the original meaning behind the Fourth Amendment is that the government cannot search a person’s house and take papers or property just because they want to (Brenner, 2005).

So, taking the original meaning into consideration, that would mean that the means of communications that we have today (telephone, email, instant messaging, online communications, etc.) would all be fair game to being searched and taken by the government for any reason. That is because the Fourth Amendment is the basis for property law and what is needed is additional legislation that covers the technology we have today. This is where legislation such as wiretapping laws come into play. What this basically does is provides the Fourth Amendment protections to the technology we have today (Kerr, 2003).

Now, I am all in favor of the Fourth Amendment and any legislation that is associated with it and as such I do not believe the government has an obligation to monitor all internet traffic.

I need to mention the Patriot Act, which was enacted after the attack on 11 September 2001. The basic premise of the Patriot Act was to expand the government’s ability to conduct searches on U.S. citizens with little to no evidence to warrant it. The problem is that some sections reduce the protections of the Fourth Amendment while other sections outright violate it (Surveillance Under the USA/Patriot Act, 2001).

Here is the thing, everyone: I understand why the Patriot Act was pushed through. It was pushed through to prevent another terrorist attack. The problem with it is we have lost our right to privacy for something that does not work. Let me explain my personal observation and opinion further. I don’t know about anyone else, but I would consider all the mass shootings we have had just in 2023 alone to be terrorist attacks.

With all of these attacks, the people committing them posted plans online beforehand and the government knew nothing about it. It was not until after the attack that their online presence was investigated, and the evidence found. Why are we losing our Fourth Amendment right to privacy when we are no more protected than before?

References


JUN 28, 2023

IoT Devices and Mirai Botnet

by James Driscoll

June 28, 2023

No matter where we look, we are bound to see an IoT device. So, what exactly is an IoT device? Basically, an IoT device is a device that has sensors, processors, software, and network capability embedded inside it. Some examples include smart home devices (smart thermostats and smart appliances), smart watches, and even self-driving vehicles and Industrial Control Systems (ICS) (Stair & Reynolds, 2020).


Now, while IoT devices were designed to make life easier, they are inherently vulnerable to attack. The reason lies in their design: they are built to be pulled out of the box and easily connected to a network via a default username and default password. The reason for this is ease of use, not security.


An example of just how vulnerable IoT devices are, and what a threat actor can accomplish with them, is the Mirai Botnet attack. The premise of this attack is that in late 2016 several high-profile targets were hit with a Distributed Denial-of-Service (DDoS) attack. The source of this attack was approximately 600,000 IoT devices that had been compromised and became a botnet called Mirai. This botnet initially started in August of 2016 and ran until late February 2017 when the threat actor was identified and arrested. The malware used to compromise these devices utilized rapid scanning to find a potential target and, once one was found, immediately started brute-forcing usernames and passwords via port 23 (telnet). Once compromised, the devices sat and waited for the threat actor to issue the commands to start the DDoS attack (Antonakakis, et al., 2017).
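As an added example from the defender's side (my code, not from the post or the Mirai paper it cites), here is a small Python detector for the two behaviours described above, run over a constructed connection log. Flagging a source that opens telnet (port 23) connections to many distinct hosts within a short window catches the rapid scanning; counting repeated telnet login failures against one device, and whether a success follows them, catches the credential brute force and the likely compromise. The log format, the addresses and the thresholds are all invented for the example; in practice the lines would come from a firewall, a NetFlow export or the device's own authentication log.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

TELNET_PORT = 23


def build_sample_log() -> List[str]:
    """Constructed log for the example (no real traffic). One event per line:
    '<ISO timestamp> <src ip> <dst ip> <dst port> <event>', where event is
    SYN (connection attempt), LOGIN_FAIL or LOGIN_OK (telnet auth result).
    """
    base = datetime(2016, 9, 20, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).isoformat()

    scanner = "198.51.100.7"
    lines = []
    # Rapid sweep: one telnet SYN per second to twelve different hosts.
    for i in range(1, 13):
        lines.append(f"{stamp(i)} {scanner} 192.0.2.{i} {TELNET_PORT} SYN")
    # Credential guessing against one responder: five failures, then a hit.
    for i in range(5):
        lines.append(f"{stamp(20 + i)} {scanner} 192.0.2.5 {TELNET_PORT} LOGIN_FAIL")
    lines.append(f"{stamp(26)} {scanner} 192.0.2.5 {TELNET_PORT} LOGIN_OK")
    # A benign administrator: one telnet session and one HTTPS connection.
    lines.append(f"{stamp(30)} 203.0.113.9 192.0.2.40 {TELNET_PORT} SYN")
    lines.append(f"{stamp(31)} 203.0.113.9 192.0.2.40 {TELNET_PORT} LOGIN_OK")
    lines.append(f"{stamp(32)} 203.0.113.9 192.0.2.41 443 SYN")
    return lines


Event = Tuple[datetime, str, str, int, str]


def parse_event(line: str) -> Event:
    """Split one log line into (timestamp, src, dst, dport, event)."""
    ts, src, dst, dport, event = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), event


def detect_telnet_sweeps(lines: List[str], window: timedelta = timedelta(seconds=60),
                         min_targets: int = 10) -> Dict[str, int]:
    """Map each source that reached >= min_targets distinct hosts on port 23
    within any `window` to the largest such count (a scanning signature)."""
    attempts: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, event = parse_event(line)
        if dport == TELNET_PORT and event == "SYN":
            attempts[src].append((ts, dst))
    flagged: Dict[str, int] = {}
    for src, events in attempts.items():
        events.sort()
        left, best = 0, 0
        for right in range(len(events)):          # sliding time window
            while events[right][0] - events[left][0] > window:
                left += 1
            best = max(best, len({dst for _, dst in events[left:right + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def detect_telnet_bruteforce(lines: List[str], min_failures: int = 3) -> List[Tuple[str, str, int, bool]]:
    """Return (src, dst, failures, compromised) for each src/dst pair with at
    least min_failures telnet login failures; compromised is True when a
    LOGIN_OK from the same source follows those failures."""
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    compromised: Dict[Tuple[str, str], bool] = defaultdict(bool)
    for ts, src, dst, dport, event in sorted(parse_event(line) for line in lines):
        if dport != TELNET_PORT:
            continue
        if event == "LOGIN_FAIL":
            failures[(src, dst)] += 1
        elif event == "LOGIN_OK" and failures.get((src, dst), 0) >= min_failures:
            compromised[(src, dst)] = True
    return [(s, d, n, compromised[(s, d)]) for (s, d), n in failures.items() if n >= min_failures]


if __name__ == "__main__":
    log = build_sample_log()
    print("telnet sweeps:", detect_telnet_sweeps(log))
    print("telnet brute force:", detect_telnet_bruteforce(log))
```

On the sample log the sweep detector flags only the scanner (twelve targets inside the window; the administrator's single telnet session stays under the threshold), and the brute-force detector reports the scanner against 192.0.2.5 with five failures followed by a success, which is exactly the pattern a default-credential compromise leaves behind. The two checks complement the CISA advice later in the post: a device on its own network segment with non-default credentials produces neither signal.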


What is interesting about this incident is how the threat actor was identified and subsequently arrested. The successful attribution was due to analysis of data gathered through honeypots and DNS data. In addition to that, the original source code was published online by the threat actor. So, while this was helpful in leading to attribution, it also paved the way for other threat actors to create their own botnets and add to the ongoing incident (Antonakakis, et al., 2017). The fact that the Mirai Botnet was shut down in five months speaks volumes about the amount of time and effort that went into fighting this attack.


So, the question that needs to be answered is how we prevent this type of attack in the future. The United States government takes securing IoT devices so seriously that they are included in the 2023 National Cybersecurity Strategy that was published in March 2023. The main strategy mentioned here is the use of labeling. It would be like the labels on food products but instead of providing the ingredients, these labels would provide what security controls an individual device is using. This would allow organizations and private citizens to easily compare multiple devices and choose the one that works best (Biden, 2023).


Also, the Cybersecurity and Infrastructure Security Agency (CISA) has some basic tips that everyone can follow. 1) Change default login credentials (username and password). 2) Keep devices patched and updated. 3) Adjust the device's security settings. The goal is to have enough security but still maintain usability. 4) Decide if the device needs a constant connection to the internet. If it does, then consider placing it on its own network segment (Securing the Internet of Things (IoT), 2021).

References


JUN 21, 2023

The CIA Triad and the Election

by James Driscoll

June 21, 2023

Out of all three elements of the CIA triad, two are questioned after every election. They are integrity and availability. Now, out of those two, integrity gets the most publicity. So, why the disparity between these three elements? Well, integrity is the most important as it is imperative that the American people perceive that the vote they cast has not been changed before it is counted (ELECTION INFRASTRUCTURE CYBER RISK ASSESSMENT, 2020). Now, availability comes in second because while it is important for all eligible citizens to vote, when there is a problem (usually mechanical), there are options that can be used to ensure everyone can vote. Finally, confidentiality is last.


So, how did we get to this point? Well, we need to look back at the Help America Vote Act that was signed into law in 2002. While this law came from the federal government, it leaves the decision making up to the individual states as it only set minimum guidelines for what the states could do. Because of this, many states have decided not to update their voting equipment. Specifically, “as of 2016 43 states were using equipment that was 10 years old or older” (King & Michael, 2016).


Why mention that? The reason is because the technology is always changing. First there were only paper ballots, now we can not only electronically vote, but we also can have our paper ballots scanned by a machine. Next on the horizon will be the ability to vote online.


Now, online voting, while convenient, only makes integrity more important, as with the current technology it would be ripe for cyber-attacks and other fraud-related issues. One question that gets raised during every Presidential election is that of foreign interference. This would be more prevalent with online voting, as virtually anyone anywhere could initiate an attack that could affect both the availability and integrity of the election. Multiple studies on this subject have been conducted by numerous groups of computer experts, and the consensus is that a lot of work needs to be done to ensure the availability and integrity of the system before it is implemented (Von Spakovsky, 2015).


JUN 7, 2023

Research and Documentation in Cybersecurity

by James Driscoll

June 7, 2023

Cybersecurity is a constantly evolving field, and it is important for organizations to stay up-to-date on the latest threats and trends. One way to do this is to conduct research and documentation.

Purpose of Academic Research

Academic research is the process of gathering information, analyzing it, and drawing conclusions. It can be used to gain new knowledge, improve understanding, and develop new solutions.

In the field of cybersecurity, academic research can be used to:

Relevance to Cybersecurity

Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.

Research and documentation can also help organizations to improve their incident response capabilities. By understanding how cyberattacks work, organizations can develop plans to respond to incidents more effectively.

Definition of "Scholarly" Articles

When conducting research, it is critical to use scholarly information. Information from sources like blog sites and Wikipedia is not scholarly information. A scholarly article is a research paper that has been published in a peer-reviewed journal. Peer review is a process in which experts in the field review the paper and provide feedback before it is published.

Scholarly articles are an important source of information for cybersecurity professionals. They provide up-to-date information on the latest threats and trends, and they can help professionals to develop and implement effective security measures.

Cybersecurity Example

A recent study by the Journal of Medicine found that hospitals are at high risk of cyberattacks. The study found that the complexity of hospital networks makes them easy targets for attackers. The study also found that two factors that correlate with a hospital's risk of being attacked are network complexity and internal stakeholders.

The study's findings highlight the importance of research and documentation in cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.

Conclusion

Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack. There are many resources available online and in libraries. You can also find a wealth of information by attending conferences and workshops. By staying up-to-date on the latest threats and trends, you can help to protect your organization from cyberattacks.


MAY 24, 2023

QR Code Safety

by James Driscoll

May 24, 2023

QR codes are everywhere, and they are here to stay. They show up on TV during daytime talk shows. They show up during televised sporting events. They are used in restaurants to access menus. They are used to pay for parking in some cities. They are even used to set up MFA. I recently had to use one to add ECPI to a Block Cert wallet so they can send me a digital copy of my degree. It is futile to attempt to avoid using them at some point. Now, there are risks associated with QR codes, as criminals can create fake malicious sites to get money or personal information. So, how do we stay safe when using them?

Great question! Here are some tips to help you stay safe when using QR codes:

By following these tips, you can help to protect yourself from the risks associated with using QR codes.

Additional tips:



MAY 17, 2023

Network Attached Storage

by James Driscoll

May 17, 2023

We all know that backing up our organization's data is critical to being able to recover from a disaster or incident. Now, there are numerous methods that can be used to accomplish data backup. They include external hard drives, USB drives, optical media (CDs or DVDs), cloud storage, and finally Network Attached Storage (NAS). Network Attached Storage (NAS) is going to be the focus of this blog.

So, what is a NAS? Basically, it is a dedicated file storage system that is attached to a network. One concept that is associated with a NAS is RAID (Redundant Array of Independent Disks). Some of you might be wondering what RAID is, and that is a good question. RAID is a data storage virtualization technology that combines multiple physical disks into one or more logical units. Now, the reason this is done is for redundancy.

When using RAID, there are several configurations that can be utilized. They all have pros and cons that need to be considered to ensure the most appropriate configuration is used. Those configurations are discussed below.

RAID 0 – With this configuration the data is split up and written (striped) across all the disks.

· Advantages – an increase in the number of drives equals better performance. Good for applications that need high throughput.

· Disadvantages – No redundancy

RAID 1 – With this configuration, an even number of disks is utilized, and the same data is written to all disks (mirroring).

· Advantages – provides redundancy.

· Disadvantages – costly

RAID 3 – With this configuration the data is striped (at the byte level) to every drive except one, and parity is used for error correction. The last drive is used for parity, which is a way to protect the data from a drive failure without the added cost of mirroring.

· Advantages – Good performance for applications that need large sequential data access.

· Disadvantages – Requires 1.25 times the size of the data disks. Rarely used.

RAID 4 – Same as RAID 3 except striping is done at the block level rather than the byte level (RAID 3).

· Advantages – can write to a single disk without rewriting an entire stripe.

· Disadvantages – Write performance suffers due to single parity drive.

RAID 5 – With this configuration, the drives utilize striping and can also be written to independently.

· Advantages – there is no dedicated parity drive; parity information is evenly distributed among all drives in the array. Error correction is available. Since all blocks of data are written at the same time, read/write times are improved. Can survive one disk failure.

· Disadvantages – none to speak of

RAID 6 – This configuration is like RAID 5 except for an additional parity element.

· Advantages – able to survive two drive failures.

· Disadvantages – Requires a minimum of four disks. Since there are two parity elements, rebuilding failed drives will take longer (Services, EMC E, 2005).
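To make the parity idea concrete, here is an added example (my own code, not from the blog or from the EMC textbook it cites) that simulates RAID 5-style striping with a rotating XOR parity block. The "disks" are plain Python lists of byte blocks constructed in memory, a failed disk is represented by None, and the block size and sample data are constructed values. It shows why the array survives exactly one disk failure: parity is the XOR of the data blocks in a stripe, so any single missing block, data or parity, is the XOR of the survivors.

```python
"""RAID 5-style striping with rotating XOR parity (added example; not the
blog's or the cited textbook's code). Disk contents are lists of byte blocks
held in memory; a failed disk is represented by None."""
from typing import List, Optional

BLOCK_SIZE = 4  # bytes per block; small, constructed value so stripes are easy to inspect


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together. XOR is its own inverse, which is what
    lets one missing block be recovered from the rest of its stripe."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Rotate the parity block from stripe to stripe so no single disk becomes
    the write bottleneck (this rotation is what separates RAID 5 from RAID 3/4)."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int, block_size: int = BLOCK_SIZE) -> List[List[bytes]]:
    """Stripe data across n_disks, one parity block per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_blocks_per_stripe = n_disks - 1
    padded = data + b"\x00" * (-len(data) % block_size)
    chunks = [padded[i:i + block_size] for i in range(0, len(padded), block_size)]
    while len(chunks) % data_blocks_per_stripe:  # fill the last stripe with empty blocks
        chunks.append(bytes(block_size))
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for stripe in range(len(chunks) // data_blocks_per_stripe):
        start = stripe * data_blocks_per_stripe
        stripe_data = chunks[start:start + data_blocks_per_stripe]
        parity_at = parity_disk_for(stripe, n_disks)
        next_data = iter(stripe_data)
        for disk in range(n_disks):
            disks[disk].append(xor_blocks(stripe_data) if disk == parity_at else next(next_data))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]]) -> List[bytes]:
    """Reconstruct the single failed disk (marked None) block by block: each
    missing block, data or parity, is the XOR of the surviving blocks in its stripe."""
    survivors = [d for d in disks if d is not None]
    if len(survivors) != len(disks) - 1:
        raise RuntimeError("single-parity RAID can rebuild exactly one failed disk")
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Read the original data back, transparently serving a degraded array."""
    if any(d is None for d in disks):
        failed = disks.index(None)
        disks = list(disks)
        disks[failed] = rebuild_disk(disks)
    n_disks = len(disks)
    out = b""
    for stripe in range(len(disks[0])):
        parity_at = parity_disk_for(stripe, n_disks)
        for disk in range(n_disks):
            if disk != parity_at:
                out += disks[disk][stripe]
    return out[:length]


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"  # constructed input
    array = raid5_write(sample, 4)
    degraded = list(array)
    degraded[2] = None  # simulate losing the third disk
    print(raid5_read(degraded, len(sample)) == sample)  # degraded read still returns the data
```

The same XOR trick cannot cover a second simultaneous failure, which is why RAID 6 adds a second, independently computed parity block (real implementations use Reed-Solomon coding for it, which this example does not attempt). Note also that parity protects against a dead disk, not against a bad write or deliberate corruption: the array will faithfully stripe and "protect" whatever it is given, so RAID is not a substitute for backups.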


References

Services, EMC E. Information Storage and Management: Storing, Managing, and Protecting Digital Information in Classic, Virtualized, and Cloud Environments. Available from: ECPI, (2nd Edition). Wiley Professional Development (P&T), 2005.


MAY 3, 2023

APT Naming Conventions

by James Driscoll

May 3, 2023

Ever since listening to CyberWire Daily podcast back in October 2020 and hearing about an Advanced Persistent Threat (APT) group named Fancy Bear, I have always wondered how these groups got their names. Then recently I found out that the same group can have multiple names which adds to the confusion. This topic has come up within the past couple weeks or so, so I thought it would be a good idea to try to reduce some of the confusion by breaking down how these groups get their names and why it is usually multiple names.


Let us start with the easiest question. Why are there multiple names for the same APT group? The short answer is that each research company (Microsoft, Mandiant, etc.) has its own naming convention. For example, Microsoft names APT groups using the periodic table; however, it was announced last week that they are changing their convention to a weather-themed naming convention. Now, some other companies like CrowdStrike use the word “Panda” for Chinese groups, “Bear” for Russian groups, “Kitten” for Iranian groups, and “Chollima” for North Korean groups. Symantec gives APT groups the names of insects, and finally Palo Alto names APT groups using constellations (Sabin, 2022).


So, with that out of the way, we need to address why the naming convention is not standardized. Basically, there are three reasons why the naming convention is not standardized. Those reasons are human, technical, and operational. Let us look at each one closer:


Human

· The operation conducted is used as the APT’s name.

· The name of the malware used is given as the APT’s name.

· The research companies do not relate their research to the research of other companies.

· Media refuses to correct wrong mappings in public articles.

Technical

· Different companies see different aspects of the same thing. For example, one company only sees the TTPs while another only sees the C2 infrastructure.

· Either an APT group splits up or multiple groups combine.

· Multiple APT groups share their tools with each other.

Operational

· Each company using its own naming convention gives it the ability to take its research in any direction it wants.

· Each company may feel that using another company’s naming convention signals that the other company’s research is more complete than its own (Roth, 2018).


So, while the reasons behind all the different names make sense, there is still the argument for a standard naming convention. I mean, communication between organizations alerting each other to IoCs that are being noticed is vital, so why can’t these security research companies communicate and collaborate with each other? I have said it before that no one organization can be successful on its own. Everyone must work together to defeat our adversaries.


References

· Roth, F. (2018, March 25). The Newcomer's Guide to Cyber Threat Actor Naming. Retrieved from Medium: https://cyb3rops.medium.com/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263

· Sabin, S. (2022, September 20). Cyber Firms Explain Their Ongoing Hacker Group Name Game. Retrieved from Axios: https://www.axios.com/2022/09/20/cyber-firms-hacker-group-name-game

 


APR 19, 2023

Business Continuity / Disaster Recovery Plans 

by James Driscoll

April 19, 2023

Disasters, whether natural or man-made, are inevitable. Every company, no matter the size or location, is going to experience one. How quickly they recover, if at all, depends on whether they have a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).


For a BC / DR plan to be successful the following five steps should be taken.


1. Be proactive with planning – Basically, what this is saying is to create a list of as many conceivable disasters as possible. The imagination is the only limiting factor here, as long as the disaster is conceivable. For example, a company in North Dakota planning for a hurricane is not conceivable.
2. Identify the organization's critical functions and infrastructure – This is the time a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses about the causes of disruptions and the repercussions of those disruptions.
3. Create emergency response policies and procedures – This is the meat and potatoes of the process: creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.
4. Document the backup and restoration process – This involves writing down the procedures for backing up the company's data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.
5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing comes in. Testing a plan makes the employees familiar with it, which results in them being able to respond quicker. This is paramount in a disaster, where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).

When creating the BC plan, one of the main things to consider is the backup location. This location may have its own risks from disasters that need to be anticipated. Six items that need to be considered when choosing a backup location include:


1. Natural Disaster – Depending on the location, especially if it is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The way to mitigate this is, if feasible, to pick a location further away.
2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or to find a location close to where employees live so they may be able to walk to the site.
3. Human Error – Humans are not psychic. We need to be given information. A company may have the best BC / DR plan ever created; however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.
4. Cyber Attack – While transferring the data to the backup site, companies need to ensure that their customers' information is safe and not going to be subject to a cyber-attack. This can be mitigated by ensuring devices at the backup location are constantly patched and updated, anti-virus is used, and data is encrypted.
5. Compliance – No matter where the company is operating from, whether it is the primary location or the backup site, it still needs to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location. That means whenever something is done to the primary location, it is also done to the backup location.
6. Physical Security – Physical security is just as important as securing the company's data. There are a couple of ways to achieve this. The company could invest in a security system, including cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).


References
An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal.

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies


APR 12, 2023

Honeypots

by James Driscoll

April 12, 2023

A honeypot is a security measure that creates a virtual trap to lure attackers into targeting a particular part of an organization's network. There are two classifications of honeypots, depending on how they are used. First is a production honeypot. These are used by large organizations and companies. Second is a research honeypot. These are used by educational institutions, governments, and militaries. No matter the classification, their purpose is to gain knowledge of threat actors’ tactics, techniques, and procedures (TTPs) (EC-Council 2020).


So, basically, honeypots fall into one of three categories: low-interaction, medium-interaction, or high-interaction. Now, low, medium, and high refer to the services the threat actor can see. A low-interaction honeypot offers a limited number of emulated services. A medium-interaction honeypot has more emulated services. Finally, a high-interaction honeypot has nothing emulated; it is basically a real-world vulnerable system (Mahmoud, 2019).
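To show what "a limited number of emulated services" looks like in practice, here is an added example of a minimal low-interaction honeypot (my own code, not from the blog or from the EC-Council or Mahmoud sources it cites). It emulates nothing more than a single login prompt, records whatever the connecting client sends as a structured event, and hangs up; nothing real is exposed, and the captured bytes are stored as escaped text, never interpreted. The listening address, port, prompt text and the sample payloads are constructed values. The event-building and counting logic is kept in pure functions so it can be tested without opening a socket.

```python
"""Minimal low-interaction honeypot (added example; not the blog's or its
sources' code). One emulated prompt, one captured line, one log event."""
import json
import socket
import socketserver
import time
from typing import Dict, List, Optional

PROMPT = b"login: "  # constructed prompt; deliberately imitates no specific product
MAX_BYTES = 256      # cap what is stored so a client cannot bloat the log


def record_attempt(src_ip: str, src_port: int, payload: bytes,
                   ts: Optional[float] = None) -> Dict[str, object]:
    """Turn one connection attempt into a JSON-serialisable event.
    The payload is kept as escaped text and is never executed or replayed."""
    kept = payload[:MAX_BYTES]
    return {
        "ts": time.time() if ts is None else ts,
        "src_ip": src_ip,
        "src_port": src_port,
        "bytes": len(payload),
        "payload": kept.decode("utf-8", "backslashreplace").rstrip("\r\n"),
        "truncated": len(payload) > MAX_BYTES,
        "sensor": "low-interaction",
    }


def attempts_by_source(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Count attempts per source address. Nothing legitimate ever connects to a
    honeypot, so a single hit is already worth an alert; repeated hits from one
    address usually indicate a scanner or a credential-guessing tool."""
    counts: Dict[str, int] = {}
    for event in events:
        ip = str(event["src_ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


class PromptHandler(socketserver.BaseRequestHandler):
    """Send the prompt, read one line (or time out), log it, and close."""

    def handle(self) -> None:
        self.request.settimeout(5)
        self.request.sendall(PROMPT)
        try:
            data = self.request.recv(MAX_BYTES + 1)
        except socket.timeout:
            data = b""
        event = record_attempt(self.client_address[0], self.client_address[1], data)
        print(json.dumps(event))  # in a real deployment, forward this to the SIEM


def serve(host: str = "127.0.0.1", port: int = 2323) -> None:
    """Run the listener on an otherwise unused port (constructed defaults)."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), PromptHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Because the honeypot has no legitimate users, every event it emits is a high-fidelity signal for the SOC, which is the detection value the blog's classification hints at: a low-interaction sensor like this one is cheap and safe to run but reveals little beyond the first probe, while a high-interaction system shows the full TTPs at the cost of hosting something genuinely exploitable that must be isolated and monitored.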


Are there any legal or ethical implications to using honeypots? The answer is maybe: depending on its purpose, there could be legal implications in using honeypots. The reason for that is what honeypots are designed to do. They are designed to lure threat actors into gaining access to and attacking those systems, thinking they are attacking an organization's actual system. Well, in legal terms, that is called entrapment. So, depending on the reason for the honeypot, for instance researching threat actors to better bolster network security, it will probably not trigger a law enforcement response. Now, if the purpose is to prosecute these threat actors, that is a whole other story, as it may trigger a response in the form of a claim from the threat actor. It may also leave the organization open to regulatory action, and it may even subject the organization to criminal prosecution for hacking (Overly, 2019).


The bottom line is that if an organization wants to set up a honeypot, it would be best to consult an attorney that specializes in information security and law enforcement to get some advice beforehand. This will ensure that the organization is in compliance with 18 U.S.C. Section 1030, which contains a statement that exempts lawfully authorized investigative, protective or intelligence activity of a law enforcement agency of the United States (Section 1030. Fraud and related activity in connection with computers, n.d.).



MAR 29, 2023

Failure

by James Driscoll

March 29, 2023

We have all “failed” at something. Whether it was a test in school, running a business, maybe even a marriage, etc. Now, let me ask: what does fail really mean? According to Google, fail as a verb has two meanings: 1) to be unsuccessful at something; 2) to neglect to do something. To me, both sound negative. My goal with this blog is to take the first definition and look at it from a different perspective, as it does not necessarily have to have a negative connotation.


Let us look at the first meaning, “to be unsuccessful at something”. Now, we have all been unsuccessful at something at some point in our lives. Whether it was a test in school, running a business, maybe even a marriage that ended in divorce, etc. All of these can be seen as things we may have “failed” at. Now personally, I have “failed” numerous tests in school, and I “failed” running a business, and I have felt bad about both, as I am sure everyone else has when we “fail” at something. So, why do we feel bad when we “fail” at something? The reason we feel bad is the negative connotation that surrounds that word.


What if we look at “fail” from a different perspective? The word “fail” can be looked at as an acronym: First Attempt In Learning. Let us look at the above examples in a different light. For example, a year ago, I took my first certification test. It was the CompTIA CySA+, and I missed passing it by 32 points. Essentially, I failed it because I did not get the minimum passing score; however, given that I learned the format of the exam and learned that I had studied old material, it was a success. Now, in terms of running a business, I had one when I first retired from the military. I had to shut it down after three months, so essentially it failed. Now, given that it was a learning experience in what not to do next time, it was a success. The point is that if lessons are learned, then whatever is seen as a “failure” is not unsuccessful, thus making the first definition inaccurate. If that makes sense?


So, do not be afraid to try something new, because when we do and “fail” at it, that is when we not only learn about the new thing we tried but also we learn more about ourselves. It is how we grow as human beings. 

MAR 22, 2023

Compliance Does Not Equal Security

by James Driscoll

March 22, 2023

There is a saying in the cybersecurity field. That saying is “compliance does not equal security”. Now, when I first heard about this, my first thought was, why doesn’t it? The reason I asked that is because of my 20-plus years of experience in non-IT regulatory compliance. In those cases, especially regarding safety, if we were compliant with the regulations, we were certain things were going to be safe. So, compliance not equaling security confused me for a bit.


After finally being able to do some research, it turns out to be a true statement. Compliance does not equal security for three reasons. 1) Regulatory updates are not keeping pace with technology advancements. 2) There are instances when multiple regulations that govern an organization contradict each other. 3) Organizations simply check the box, saying they are compliant because they are required to do so, not because they see value in the regulations.


Now, let me talk about each of these three points. 1) Regulatory updates are not keeping pace with technology advancements. This absolutely makes sense. My experience with the Air Force is that they update their regulations every few years as things change. The cybersecurity field seems not to have that mentality. Take, for example, the Computer Fraud and Abuse Act (CFAA). The CFAA was passed in 1986 and is not only still applicable 37 years later but also in serious need of an update. That is just one example of the numerous regulations that need to be updated. Updating outdated regulations is one of the goals of the 2023 National Cybersecurity Strategy.


Now, let us move on to point number 2. There are instances when multiple regulations that govern an organization contradict each other. It is highly probable that an organization can be governed by more than one regulation, and that complying with one means not complying with another. When I first started studying cybersecurity and saw that an organization can be governed by more than one regulation, I asked what they are supposed to do, which one takes precedence. The reply I got was that all applicable regulations get followed. Now, I realize that is not always possible. This is something that the 2023 National Cybersecurity Strategy wants to remediate. This is desperately needed.


Finally, let us look at point number 3. Organizations simply check the box, saying they are compliant because they are required to, not because they see value in the regulations. I do not understand how we got to this point. Is it because regulatory updates are not keeping pace with technology advances? Is it because there are instances when multiple regulations that govern an organization contradict each other? Is it possible that the current regulations are a bit ambiguous? Going back to my Air Force career, the regulations that I dealt with every day were specific in their requirements and non-compliance had consequences.


So, how do we as cybersecurity professionals rectify this? Like I said earlier, points 1 and 2 are basically covered by the 2023 National Cybersecurity Strategy. The problem is that the timeline for completion is unknown. Point 3 on the other hand, we have influence in. I think this is where being able to translate the technical verbiage into business verbiage and communicating how the regulations affect the business is critical. I would love to hear if you all have any thoughts or ideas on this. 

MAR 8, 2023

2023 National Cybersecurity Strategy

by James Driscoll

March 8, 2023

Disclaimer:  The thoughts and ideas below are that of my own and do not reflect that of my employer.  Also, this is done from the perspective of someone that is new to the cybersecurity industry.  All opinions are based off of what was learned through school and a career involving 20 years active-duty military and 8 years as a government contractor.


On 3 March 2023, the National Cybersecurity Strategy was published by the Biden-Harris Administration.  Believe it or not, this is only the third such strategy.  The other two were published in 2003 and 2018. 


The document starts out by touting the positives of the internet and mentioning some of the amazing things we have been able to accomplish since its inception. Now, to balance that, some of the not-so-favorable aspects are also mentioned. Also mentioned is the primary goal that the administration hopes to accomplish for the United States and its Allies. That goal is “to build a digital ecosystem that is easily and inherently defensible, resilient and aligned with our values” (2023 National Cybersecurity Strategy).


So, to reach the aforementioned goal, my impression is that all the Executive Orders (EOs) that have been issued in the past two years have been combined into this one document. I say that because a lot of the EOs are listed here. There is also a reference to the 2008 Comprehensive National Cybersecurity Initiative. The idea is to continue to evolve that initiative. One thing that I was happy to see is that while this current strategy replaces the one from 2018, it will not completely wipe it out. The plan is to press forward with a lot of the concepts established in the previous administration.


Let us move into basically the meat and potatoes of the National Cybersecurity Strategy. This part is separated into what the administration is calling the Five Pillars. The first thing I thought of when I saw the term Five Pillars was the Zero Trust Model. For anyone that is not familiar with Zero Trust, here is a picture of it. Simply replace the concepts of Zero Trust with the five concepts of the National Cybersecurity Strategy.

PILLAR 1 | DEFEND CRITICAL INFRASTRUCTURE


This section of the document is separated into five strategic objectives. 


Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety. Please correct me if I am wrong, but isn’t this something that should have been accomplished a long time ago? Anyway, the plan here is twofold. 1) Create new regulations. I can without hesitation tell everyone that I am not a fan. It does not make sense to create new regulations when there are current ones in place not being enforced. 2) Update current regulations. I am 100% on board with this idea. The reason is that there are regulations that have been around for decades that are still applicable and desperately need to be updated. An example of this is the Computer Fraud and Abuse Act (CFAA). This was written in 1986 and has had no real update.


Strategic Objective 1.2:  Scale Public-Private Collaboration.  There is a saying that has been attributed to several African cultures that is applicable here.  That saying is “it takes a village” and in the context of cybersecurity, it is true.  Neither the United States Government nor the Private Sector will be successful in securing critical infrastructure on their own. 


Now, for there to be greater collaboration between the United States Government and the Private Sector there is an obstacle that must be overcome.  Some people may be asking what that obstacle is.  That obstacle is that some people do not trust the government.  A good example of this is the recent train derailment in Palestine Ohio.  The citizens there do not trust what the EPA (government) is telling them.  President Reagan said there is a phrase that nobody wants to hear, and it is applicable in 2023 which is a problem.  That phrase is “I am from the government, and I am here to help”.  So, to accomplish this objective the Private Sector must be able to trust the government and that alone might take a while to accomplish.


Strategic Objective 1.3:  Integrate Federal Cybersecurity Centers.  What does this mean?  Taking an educated guess based on my 20-year military career and additional eight years as a government contractor, I would say this means improving communication between the various agencies.  If I am incorrect, please someone let me know.


Strategic Objective 1.4: Update Federal Incident Response Plans and Processes. This is one of those concepts that makes no sense. I say that because keeping incident response plans and processes up to date is something that should already be occurring on a regular basis. Perhaps it is the wording of the title that is the issue. I say that because the whole point of this is to define which of the many federal agencies the private sector needs to contact, depending on their industry.


Strategic Objective 1.5: Modernize Federal Defenses. This section talks about not only replacing obsolete systems but also implementing newer security controls such as Zero Trust. The goal here is to have a network that is “easily defended and more resilient which would be a model for the private sector to emulate” (2023 National Cybersecurity Strategy). Do not get me wrong, I think this is an awesome idea; however, I question why this was not thought of before 2023.


PILLAR 2 | DISRUPT AND DISMANTLE THREAT ACTORS


This pillar is also broken up into five Strategic Objectives.


Strategic Objective 2.1:  Integrate Federal Disruption Activities.  Like Strategic Objective 1.3, this sounds like not only improving communications between agencies but also making sure they are on the same page operationally.  Again, if I am incorrect in this please let me know.


Strategic Objective 2.2: Enhance Public-Private Operational Collaboration to Disrupt Adversaries. The concept of government and private sector collaboration is a recurring theme in this document. The government is encouraging the private sector to communicate through any of the organizations that serve as hubs for the government. Like I said in Strategic Objective 1.2, the government has a lot of work to do to reestablish trust with the private sector before it can think about improving collaboration.

 

Strategic Objective 2.3: Increase the Speed and Scale of Intelligence Sharing and Victim Notification. While I agree that the timeliness of intelligence sharing is crucial in disrupting a threat actor’s activities, there is a concept missing. That concept is information accuracy. Being able to share intelligence information quickly is useless if the information being shared is not accurate.


Strategic Objective 2.4: Prevent Abuse of U.S.-Based Infrastructure. Preventing adversaries from using U.S.-based infrastructure for nefarious reasons is the goal of this objective. There is no indication that there is a specific plan on how to accomplish that. It simply restates a concept that should not have to be restated. That concept is that “service providers must make attempts to secure the use of their infrastructure against abuse or other criminal behavior” (2023 National Cybersecurity Strategy).


Strategic Objective 2.5: Counter Cybercrime, Defeat Ransomware. The goal here is to reduce the instances of ransomware. There is a four-part plan on how to do that. 1) Work with international partners to limit the freedom of criminals. 2) Investigate instances of ransomware from a law enforcement perspective. 3) Increase infrastructure resilience. 4) Limit the ability of criminals to leverage cryptocurrency as a ransom payment.


There are two points in the following statement in this section that I do not agree with.  The statement is “the administration strongly discourages the payment of ransoms.  At the same time, victims of ransomware – whether they chose to pay a ransom – should report the incident to law enforcement and other appropriate agencies”.  The first point is “strongly discourages”.  The reason I disagree with this is because the language is not strong enough to deter organizations from just paying.  The second point is “whether or not they chose to pay a ransom”.  The reason I disagree with this is because there should be no choice.  There are established processes and procedures (BC / DR / IR plans and backups) that, if done correctly, would mean there is no need to pay to get information back.  Also, what is not mentioned is that paying certain ransomware groups may in fact be illegal.  The U.S. Treasury Department Office of Foreign Assets Control (OFAC) has a sanctions list of foreign entities, and conducting business with those listed entities, including paying ransoms, can bring legal action from the government.


PILLAR THREE | SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE


This pillar is separated into six strategic objectives. Strategic Objective 3.1: Hold the Stewards of Our Data Accountable.  While I agree with limiting the collection, use, sharing, and storage of personal information, as there is way too much of that, I question whether it is necessary to limit it through legislation.  As I said earlier, it makes no sense to create new legislation if current legislation is not enforced.  A better idea would be to update what is already on the books and enforce that.


Strategic Objective 3.2: Drive the Development of Secure IoT Devices.  There is one idea in this section that I cannot get on board with.  That idea is creating security labels for IoT devices.  For anyone that is not familiar with this idea, let me give you the Reader’s Digest version.  Think of security labels like nutrition labels on packaged food.  They are designed to give consumers the ability to compare the security of IoT devices.


The reason I am not on board with this is because it will not help anything.  I say that because our society is an instant gratification society.  By that I mean when we want something, we want it right now.  When people in general buy, in this case, an IoT device, they want to be able to take it out of the box, plug it in, turn it on, and have it running with minimal effort.  I think these labels are going to have the opposite effect that the administration is hoping for.


Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services.  The whole point of this section is to secure the software products that are created.  Basically, moving from the idea of push to production and fix later to securing the product before it goes to production.  Now, before I continue, something I learned about this section is that this is not the first time this has been brought up.  It turns out that this was first talked about in the 2003 National Cybersecurity Strategy.  Makes me wonder why this has not been brought to fruition in the last 20 years.


The problem here is like I said in the last objective.  It is that whole instant gratification idea.  In this case it is all about making money as quickly as possible.  That means pushing a product out as quickly as possible even if it has problems.  For this reason, I can almost guarantee that there will be push back.


Strategic Objective 3.4: Use Federal Grants and Other Incentives to Build in Security.  Money is going to be the primary factor in everything in this pillar being successful.  The government must find a way to fund it.  Now, there has been some progress with the passing of the Bipartisan Infrastructure Law, the Inflation Reduction Act, and the CHIPS and Science Act but there is a long way to go.


Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability.  This section is all about holding government contractors accountable when they fail to adhere to cybersecurity regulations.  It talks about using the Civil Cyber-Fraud Initiative (CCFI) and the False Claims Act to do that.  I question if that is necessary.  I say that because if the requirements are written in the contract, then it becomes a contract violation, which can not only cause them to lose the contract they are on but also affect the organization’s ability to be awarded government contracts in the future.


Strategic Objective 3.6: Explore a Federal Cyber Insurance Backstop.  This is an interesting section.  If there is a catastrophic cyber incident, it is not that the Federal Government COULD be called on; it should say the Federal Government WILL be called on.  So, I get the impression that they are not prepared for that.  If I am wrong in this, please let me know.


PILLAR 4 | INVEST IN A RESILIENT FUTURE


This pillar also has six strategic objectives. Strategic Objective 4.1: Secure the Technical Foundation of the Internet.  The impression I get is that this is an extension of Strategic Objective 1.5.  It just goes into more detail as to how to achieve it.  The two probably could have been combined.


Strategic Objective 4.2:  Reinvigorate Federal Research and Development for Cybersecurity.  This is actually a good idea.  For technology to keep advancing, we must invest in research and development (R&D).  The thing is, to be successful we need to invest in areas that are relevant, such as quantum computing and artificial intelligence just to name a few.


Strategic Objective 4.3:  Prepare for Our Post-Quantum Future.  The goal here is to ensure that our data remains secure.  Currently that is done through encryption; however, with advances in technology, we are quickly coming to a point where quantum computing will be capable of breaking that encryption.  This section simply talks about the need to protect our infrastructure from this emerging technology.


Strategic Objective 4.4: Secure Our Clean Energy Future.  While this is a good idea, it is worded poorly.  As written right now, the impression I get is that the government wants to focus all their energy on securing “clean” energy and ignoring what we already have.  That is a problem, as we need to not only secure our energy future, which should be clean, but we also need to secure the energy we currently have, which honestly should take priority.


Strategic Objective 4.5:  Support Development of a Digital Identity Ecosystem.  I had to read this section multiple times and the impression I get is that there is a lot of talk but really no substance.  It does mention how easy it is to commit fraud.  So, to make an educated guess, I would say the goal here is to work to prevent fraud in a digital ecosystem.  If anyone has other ideas, I would love to hear them.



Strategic Objective 4.6:  Develop a National Strategy to Strengthen Our Cyber Workforce.  We all know that there is a severe shortage of talent in the world of Cybersecurity, and it is only going to get worse.  As written, the plan to tackle this shortage is to expand on existing programs.  The government also wants to address the lack of diversity in this field, which is a good thing.


PILLAR 5 | FORGE INTERNATIONAL PARTNERSHIPS TO PURSUE SHARED GOALS


There are five strategic objectives here as well. Strategic Objective 5.1:  Build Coalitions to Counter Threats to Our Digital Ecosystem.  This section takes the goal of collaboration that we saw earlier with the private sector and expands it to include foreign partners.  Another good idea, as most of the attacks against the United States originate in foreign countries.  The document mentions numerous partnerships and coalitions that have been formed with various groups of countries.  Why can we not simply combine all these coalitions and partnerships into one, or better yet, work this through the intelligence groups the United States is a part of (5-Eyes, 9-Eyes, 14-Eyes)?  I do not see the need to complicate things more than they already are.

Strategic Objective 5.2:  Strengthen International Partner Capacity.  From what I gather in this section, the United States is going to continue to work with foreign partners to improve their ability to fight cyber criminals.  It seems the goal here is to ensure that everyone is on the same page in fighting cybercrime.

Strategic Objective 5.3:  Expand U.S. Ability to Assist Allies and Partners.  My impression of this section is that while the United States wants to assist our foreign partners in the event of a cyber-attack, we will only do so if it is in our national interest.  So, to make that decision, even more policies are going to be created.  This sounds like something that should have been created before 2023.


Strategic Objective 5.4:  Build Coalitions to Reinforce Global Norms of Responsible State Behavior.  While I completely agree that global norms need to be enforced, looking at where we are right now, a lot of work needs to be done.  The document talks about members of the United Nations committing to enforcing these norms.  All I have to say about this is that talk is cheap.  Making statements condemning actions does not enforce global norms.  Tiered sanctions do not work either, as evidenced by the Russian invasion of Ukraine.  Any action needs to be not only swift but also must cause the maximum amount of pain for the offender.


Strategic Objective 5.5:  Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services.  As we have seen numerous times recently, securing the supply chain is critically important.  So, it makes sense for it to be in here.  Something that comes to mind while reading this section is a term I read while studying for the CySA+.  That term is “Trusted Foundry”.  This is a program used by the Department of Defense to ensure the security of the manufacturing infrastructure for information technology vendors that create hardware for the military.  So, my question is why can’t the rest of the U.S. Government use that as a model, if not use it outright?  I said it earlier and will say it again, there is no need to reinvent the wheel.  A program already exists, simply expand on it.


IMPLEMENTATION

This section basically talks about working with private-sector and foreign partners to reach the objectives in this strategy.  I would have liked to see a little more substance, but it is a lot of ambiguous ideas just like the rest of the document. 

MY IMPRESSION

Overall, the 2023 National Cybersecurity Strategy has a lot of potential to be a game changer for the industry.  The issue I have is I think that it will be stuck at having potential.  As I have pointed out, there are some good points.  I also have pointed out that there are points in here that basically do not make sense to me.  As I have said multiple times here, if I am wrong in any way, please reach out to me and we can have that discussion, as I am new to this industry.


MAR 1, 2023

Continuing Education

by James Driscoll

March 1, 2023

The cybersecurity realm is constantly evolving as we know.  The constantly changing landscape is why a lot of the certification organizations (CompTIA for one) update their certification exams every three years.  It is also the reason why certifications themselves expire after three years.  So, does this mean that to renew a certification you have to retake the exam every three years?  Absolutely not.  The various certifications organizations realize that retaking an exam every three years is pretty much not practical.  So, they all have developed a way to keep the certifications current using Continuing Education Units (CEUs).  In the rest of this blog, I will be discussing how CompTIA handles CEUs as I only have a CySA+.  For anyone that has a certification from another organization, I recommend going to their site and reading up on their procedures.

CompTIA makes it easy to figure out what is needed to keep their certifications current.  The best part is that you do not need to log in.


Simply go to www.comptia.org.  When the page comes up, you will see at the top “Continuing Education”. Place the cursor on it and in the drop-down box that appears, click on Continuing Education Units (CEUs).

The next page that comes up will display the various CompTIA certifications in a bar graph style format along with a number.  This gives a clear depiction of the number of CEUs that are required in a three-year period to stay current:

Now just below the graph, CompTIA tells you how to earn CEUs.  Also on the right side of the page is a section called “Popular Renewal Options”.  The option that is particularly interesting is “Preapproved Training”:

The page that comes up when you click on “Preapproved Training” has a chart.  This chart breaks down the maximum number of CEUs a person can earn for each type of qualifying activity in that three-year period before the certification expires. As you can see below, there are a total of five qualifying activities on the left side of the chart.  The individual certifications are across the top of the chart.  The data in the middle are the maximum number of CEUs that can be earned for the activity, based on the certification:

The rest of the page breaks down each qualifying activity.

For those of us that have CompTIA certifications, I highly recommend reading through their continuing education pages.  From what I can see, they really put in a lot of time and effort to explain everything and take a lot of the guesswork out of deciding if an activity qualifies towards renewal.

Hope this helped in your CompTIA journey!


FEB 8, 2023

Types of Corporate Cybersecurity Documentation

by James Driscoll

February 8, 2023

One day till my CompTIA CySA+ exam. So, for this last blog before the exam, I thought I would talk about corporate cybersecurity documentation. Having clear and precise documentation is critical if an organization is to have a successful cybersecurity program. There are four types of documentation that I will cover below, 1) policies; 2) standards; 3) procedures; 4) guidelines:






I will post on LinkedIn my results. I want to thank everyone that has followed this journey and sincerely hope there was value from these posts. I will be on vacation for the next couple weeks so I will not have a blog until 1 March.

 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002


FEB 1, 2023

The Containment Phase

by James Driscoll

February 1, 2023

Alright everyone, just eight days 'til my CompTIA CySA+ exam. For this week’s blog, I thought I would talk about the various containment strategies once an incident has been discovered. If you remember from last week, I mentioned the different phases of incident response. Containment is one of those phases.


When we talk about containment, we are talking about restricting the movement of the threat actor to the systems or part of the network they already have access to. This also means not providing a path to the rest of the network. There are four ways in which to restrict that movement, noted below:


 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002


JAN 25, 2023

Phases of Incident Response

by James Driscoll

January 25, 2023

With only two weeks left until my CompTIA CySA+ exam, I am moving right along. This week I will be discussing the Phases of Incident Response, which is Chapter 11 of the CompTIA CySA+ Exam Study Guide CSO-002.


Before I get into the phases of incident response, we must define a couple of terms and determine what constitutes a security incident. Those terms are security event, adverse security event, and security incident:



Now that is out of the way, we can move on to the phases of incident response. There are four phases to incident response: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity. All of these will be discussed in detail below:



3. Containment, Eradication, and Recovery – After it has been determined an incident has occurred or is occurring, this is where we first limit the damage being caused by limiting the malware’s access to the rest of the network. Once this is accomplished, we move on to removing the malware from the infected systems. After the infected systems have been cleaned up, we can move on to recovery. This is where we get everything back to normal operations.


4. Post-Incident Activities – Once everything is back to normal, the incident response is not completely over. There is one final step that is important to accomplish. That step is a lessons learned review. In the military this is called a “Hot Wash”. Basically, this is a formal review where everyone involved gets together and goes back over the incident, noting what went well and what needs to be improved.


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

JAN 18, 2023

Software Testing

by James Driscoll

January 18, 2023

For week 7 of my journey to become CompTIA CySA+ certified I will be looking at software testing. When software is developed, no matter what it is, it should be done with security in mind.

One way to ensure that software is secure is through testing. This testing is broken down into two types: 1) static code analysis and 2) dynamic code analysis. Both will be discussed below.

Static code analysis – This is also known as source code analysis. The premise behind this is looking at the source code. So, as you all can guess by the name, with this type of analysis the code is not run. It is simply reviewed either manually or using automated tools. The purpose of it is to understand the logic behind how it is written.

Dynamic code analysis – In this type of analysis, the code is run to see how it responds to various input. It can also be completed either manually or through automated tools. There are six types of testing that can be used in this type of analysis.
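As an added example of the two approaches just described (this is illustrative code written for this page, not something from the study guide), the block below performs a tiny static analysis by walking the syntax tree of a constructed sample program without running it, and a tiny dynamic analysis by executing one of the sample's functions on a range of inputs and recording how it behaves. The sample source, the rule names and the helper functions are all assumptions made for the example.

```python
import ast
from typing import Callable, Iterable

# Constructed sample program under review (not from the post or the study guide).
SAMPLE_SOURCE = '''
API_KEY = "demo-key-not-real"   # hard-coded credential, constructed for the example

def parse_port(text):
    return int(text)

def run_tool(user_input):
    return eval(user_input)
'''

DANGEROUS_CALLS = {"eval", "exec"}
SECRET_NAMES = ("KEY", "PASSWORD", "SECRET", "TOKEN")


def static_scan(source: str) -> list[dict]:
    """Static analysis: inspect the AST without executing the code and report
    risky constructs. Each finding records the line, the rule, and a detail."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Rule 1: a call to eval/exec, regardless of what data reaches it.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DANGEROUS_CALLS:
                findings.append({"line": node.lineno, "rule": "dangerous-call",
                                 "detail": node.func.id})
        # Rule 2: a string literal assigned to a name that looks like a secret.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        word in target.id.upper() for word in SECRET_NAMES):
                    findings.append({"line": node.lineno, "rule": "hardcoded-secret",
                                     "detail": target.id})
    return sorted(findings, key=lambda f: f["line"])


def dynamic_probe(func: Callable, inputs: Iterable) -> dict:
    """Dynamic analysis: actually run the function on each input and record
    either its return value or the exception type it raised."""
    results = {}
    for value in inputs:
        try:
            results[repr(value)] = ("ok", func(value))
        except Exception as exc:
            results[repr(value)] = ("error", type(exc).__name__)
    return results


def load_sample() -> dict:
    """Execute the fixed sample source in its own namespace so its functions
    can be probed. The sample is a constant string, not untrusted input."""
    namespace = {}
    exec(compile(SAMPLE_SOURCE, "<sample>", "exec"), namespace)
    return namespace


def probe_parse_port() -> dict:
    """Probe parse_port with well-formed, malformed, empty, and wrong-type input."""
    return dynamic_probe(load_sample()["parse_port"], ["80", "abc", "", None])


if __name__ == "__main__":
    for finding in static_scan(SAMPLE_SOURCE):
        print(f"static  line {finding['line']}: {finding['rule']} ({finding['detail']})")
    for given, outcome in probe_parse_port().items():
        print(f"dynamic parse_port({given}) -> {outcome}")
```

The static pass finds the hard-coded key and the eval call from the text alone; the dynamic pass shows that parse_port has no input validation, since anything but a numeric string raises an unhandled exception. Neither pass finds everything on its own, which is the reason the study guide presents them as complementary.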


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

JAN 11, 2023

Authentication Protocols

by James Driscoll

January 11, 2023

Week 6 of my journey to become CompTIA CySA+ certified. For this post I will be covering the various authentication protocols. Authentication is the first part of AAA, which stands for Authentication, Authorization, and Accounting. When accessing a network, we must give the network credentials that it can use to prove that we are legitimate users of that system. These credentials are our identity to the network. This is what the network uses to prove, or authenticate, that we are legitimate users.


Now, there are various protocols that can be used in the authentication process. I will cover the three that are in the CompTIA CySA+ Exam Study Guide CSO-002. They include TACACS+, RADIUS, and Kerberos.


TACACS+ – The Terminal Access Controller Access Control System Plus (TACACS+) is an expanded service of the original TACACS. One thing to keep in mind about this protocol is that there are a couple of issues with it:


So, what is the compensating control that can be used when changing protocols is not possible? The best practice is to place devices using TACACS+ on its own administrative network that is isolated from everything else.


RADIUS – Remote Authentication Dial-In User Service (RADIUS) is the most widely used AAA service. This service is used in client-server networks and runs both TCP and UDP. Passwords are hashed using MD5 while in transit from client to server. So, it is more secure than TACACS+, but there is room for improvement.


Kerberos – This protocol is designed specifically for untrusted networks. All traffic is encrypted. There are three aspects associated with Kerberos:


Something to keep in mind is that Windows Active Directory utilizes Kerberos for authentication.

Until next week!


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002


JAN 4, 2023

Security Controls

by James Driscoll

January 4, 2023

Week five of my 10-week journey to becoming CompTIA CySA+ certified, I am halfway through. This week is all about Security Controls. What are security controls? Security controls are implemented to “prevent, detect, counteract, or limit the impact of security risks” (Chapple & Seidl, 2020). These controls are divided into two groups: 1) How they are applied and 2) what the control is designed to accomplish.


Let us look at each group, starting with controls based on how they are applied. Now, depending on who we talk to, there are three, maybe four, controls that fit in here. They include:



Now, we can move on to the controls based on what they are designed to accomplish. There are three in this group:



Finally, there is one more type of control that does not fit into either group. The reason for that is this control is designed to be an alternative when one of the others cannot be used for whatever reason. This control is called a compensating control.


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002


DEC 28, 2022

Cloud Responsibilities

by James Driscoll

December 28, 2022

During week four of my 10-week journey to becoming CompTIA CySA+ certified, I will be looking at the responsibilities of the Cloud Service Provider (CSP) and the customer.  So, operating on premises and in a cloud environment have both similarities and differences.  Considerations for Confidentiality, Integrity, and Availability (CIA) must be made in both instances.  Also, access management is an objective in both instances.


Now the difference between on premises and a cloud environment is where responsibilities lie.  You see, in on-premises operations the owner is responsible for everything.  In a cloud environment, those responsibilities are split between the CSP and the customer, and those responsibilities differ depending on the type of cloud service (IaaS, PaaS, and SaaS).  Luckily, the CySA+ study guide by CompTIA has a nice graphic that illustrates how those responsibilities are divided up.  I recreated the graphic below in Excel with the information reviewed in the CompTIA CySA+ Exam Study Guide CSO-002:


The above graphic is divided into three cloud services. Each of those services is divided into five different aspects where responsibilities lie.  One thing you will notice is that everything is color coded.  The white shading depicts what the customer is responsible for, the dark gray depicts what the CSP is responsible for, and the light orange depicts what responsibilities are shared by both the customer and the CSP.


So, what does this mean in terms of Cybersecurity?  Well, at the top of each service is the Data and according to their shading, the customer is responsible for it, even in the SaaS which is shared with the CSP.  That means the customer, aka the owner of the data is responsible for securing it. 


I bring that up because moving to the cloud, while not totally a new concept, is new to some organizations and may be misunderstood.  I think there may be the mindset that if an organization moves to the cloud, they are no longer responsible for anything, and that is simply not the case, as shown above.


The key takeaway is, no matter if your organization is considering moving to the cloud or has already moved, it is important to know where your responsibilities lie.  The inspiration behind this blog is that there have been news stories lately where data stored in the cloud has been breached due to misconfigurations, and I want to make sure that the cause is not a misunderstanding of responsibilities.



DEC 21, 2022

Common Vulnerability Scoring System (CVSS)

by James Driscoll

December 21, 2022

As we continue with week three of this 10-week trek to the CySA+ exam, I will discuss the Common Vulnerability Scoring System (CVSS).  As the name suggests, it is a scoring system for vulnerabilities.  Now, CVSS is part of a larger standardized security information communication platform called the Security Content Automation Protocol (SCAP). 


So, where are we most likely to see CVSS?  Well, when a vulnerability is discovered, it is submitted to the National Vulnerability Database and given a Common Vulnerabilities and Exposures (CVE) number.  This CVE is also part of SCAP and maintained by NIST.  Anyway, the CVSS is part of the CVE report, as you can see in the below screenshot.

Upon closer examination, we see that there are two versions of the CVSS.  Version 3 is the most recent version and is what is used for newer vulnerabilities.  Older vulnerabilities are scored based on version 2.0.  The next major item to notice is the Base Score, which is 7.8 High.  Now, what does this mean?  The CVSS scoring system works on a scale from 0-10 and is broken down into rating categories, shown in the visual below:


So, based on the scale, the 7.8 Base Score is the second highest rating a vulnerability can receive.  That means that any organization with this vulnerability should seriously look at remediating it.


Continuing with our examination of the above CVE, the next item we see is the “Vector”.  This is the actual CVSS and is what determines the base score.  As we can see, the CVSS is broken up into eight categories:



One thing you will notice is that in the above descriptions, I did not give numerical values for each of the criteria.  I left those out for a reason.  That reason is thanks to our friends at NIST, there is an online calculator that will calculate the score for us.  The URL is https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.  It is easy to use.  For each of the eight categories, click on the criteria that applies.  When checking out the site you will see two metrics: Temporal Score and Environmental Score.  I am not covering them currently as they appear to be outside the scope of the exam per the CompTIA CySA+ Study Guide.




DEC 14, 2022

Attack Frameworks

by James Driscoll

December 14, 2022

For week two of this 10-week excursion into CompTIA CySA+ I will be discussing the various attack frameworks.  These frameworks are utilized by organizations attempting to predict how an adversary will probably attack their organization.  This allows them to create defenses that are more likely to be effective in the event of an attack. 


According to the CompTIA CySA+ Study Guide, there are four attack frameworks that we should be familiar with.  They are 1) MITRE ATT&CK Framework, 2) The Diamond Model of Intrusion Analysis, 3) Lockheed Martin’s Cyber Kill Chain, and 4) The Unified Kill Chain.  I will go into further detail about each framework in the following paragraphs.


The first framework we will look at is the MITRE ATT&CK Framework.  The MITRE corporation created the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework as a way for organizations to have access to common descriptions, tactics, techniques, and procedures of known adversaries.  The good thing about this framework is that there is no cost to access it.  To access it, just go to https://attack.mitre.org.  On the first page is the ATT&CK matrix.  There is a plethora of information regarding adversary TTPs available.


The second framework is the Diamond Model of Intrusion Analysis.  The key thing to remember about this is that it is relationship-based.  All the vertical lines of the model are called events.  So, the way this works is that analysts try to find as much information as they can by tracing the relationships between the events.

As you can see in the image above, all the vertical lines are events.  Where those lines intersect are core features of the events.  Unfortunately, the study guide really does not go into further detail about this framework.  It is just a basic overview for the test.


The third framework is the Lockheed Martin Cyber Kill Chain.  As the name suggests this framework was created by Lockheed Martin and consists of 7 processes that form a chain:


The fourth and final framework is the Unified Kill Chain.  Now, according to the CompTIA CySA+ Study Guide, while this framework is not testable, it is information that is good to know.  In a nutshell, this framework is a combination of the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and other frameworks.  All together they make up an 18-process chain that describes how an attack can occur both inside and outside a network.




DEC 7, 2022

Risk - Topics from CompTIA CySA+ Studies

by James Driscoll

December 7, 2022

I am currently studying for the CompTIA CySA+ exam, which stands for the CompTIA Cybersecurity Analyst.  Over the next 10 weeks, I will be picking topics from the CompTIA CySA+ Study Guide.  This first blog in the series will cover risk.


The concept of risk is a major player in the world of cybersecurity.  As professionals we constantly talk about our organization’s risk acceptance, aka risk appetite, but how do we define what a risk is?  To define a risk, we need to discuss two other concepts.  The first concept is vulnerability, which is nothing more than a weakness.  The second concept is a threat, which is any outside force that can exploit a vulnerability.


Now, there are a couple of ways to look at risk.  1) We can look at it as a mathematical equation which looks like “Risk = Threat X Vulnerability”.  Keep in mind that with this type of representation, there are no numerical values to be entered.  It is merely a statement that to have a risk, an organization must have both a vulnerability and a threat that can exploit it.  2) Look at it through the lens of a Venn Diagram, below:

What this diagram shows is that risk is where a threat and a vulnerability meet. 


Let us look at each entity starting with threats.  There are four types of threats an organization may encounter.  To determine threats to an organization requires an assessment that focuses outside a particular organization.



Moving on to Vulnerability.  As stated earlier, a vulnerability is nothing more than a weakness that a threat can use to their advantage.  Unlike determining threats, when an organization determines their vulnerabilities, they focus on themselves.


This brings us to risk itself.  There are two concepts that are utilized when determining risk.  They are:


One way to calculate risk is to use a qualitative matrix that utilizes low, medium, and high ratings.  The diagram below is an example out of the CompTIA CySA+ Study Guide:

As you can see, the likelihood a threat will exploit a vulnerability is on the left with the impact on the bottom.  So, this is read just like a graph.  Low values are at the bottom and to the left, with higher values towards the top and to the right.

According to the CySA+ study guide, this matrix can also be used as a quantitative matrix.  That means instead of using Low, Medium, and High values, an organization assigns numerical values.  Now, I have not seen a quantitative matrix, so I do not know what the maximum numerical value is that represents a high value.  I would imagine that would be set by an individual organization.



NOV 23, 2022

Ways Organizations Can Recover From an Attack

by James Driscoll

November 23, 2022

In my last blog, I discussed the reasons why organizations should not pay adversaries when they are the victim of a ransomware attack. In this blog, I will discuss things organizations can do to facilitate recovery from an attack.


There are numerous things an organization can do to avoid paying a ransom in the event of an attack. The thing is that these need to be completed before an attack. That means organizations need to change their mindset of “we will not be attacked” to “we will be attacked at some point”. Only then will the following be effective.


One thing that is an absolute must is backups of your data. Now, in the case of backups, there is a generally accepted rule that should be followed. It is called the 3-2-1 backup rule. It breaks down like this: 3 total copies of the data (1 original, 2 copies). Now, the 2 copies need to be saved on two different types of media. The media could be anything, as long as they are different types. Finally, 1 of the copies needs to be stored off site. Cloud storage covers the last two (Elliot, n.d.).


Something else that is a necessity is an Incident Response Plan. A word of advice regarding this: make sure to print out a copy so it can be used in case of an attack. It is useless if it is saved on a workstation or server that is locked with ransomware. Luckily, our friends at NIST have a special publication that spells most of the elements out. NIST SP 800-61r2 states 8 elements that should be in any Incident Response Plan. Those elements are:



These next few steps are designed to make the organization a hard target. In case some of you are wondering what a hard target is, it is a term the military uses to describe an entity that has a low susceptibility to an attack. The reason I say low susceptibility is that there is no way to get the susceptibility level to zero. If an adversary wants to get onto a network, they will. So, the goal is to make it as difficult as possible, and make them waste so much time that they simply give up and try to attack another organization. This is accomplished by:



The good thing about taking the above steps is that they help protect against more than just ransomware.


The one thing that I want everyone to take away from this is that we need to ensure our organizations are prepared. I say that because it is 2022, almost 2023, and from what I can tell every organization is fair game to ransomware. It is no longer a matter of if an organization is going to become a victim, but rather when it will become a victim. So, by having an Incident Response Plan and testing it, training our users, updating software, and using anti-virus / anti-malware software, our organizations will hopefully not have to struggle with the decision of whether to pay a ransom and face a fine from the government because the ransomware group is on the sanctions list, or have their data released on the dark web.


References


NOV 16, 2022

Why Organizations Should Not Pay Ransomware

by James Driscoll

November 16, 2022

We may all remember back in September, the Los Angeles Unified School District becoming a victim of a ransomware attack. A month later, we heard about Medibank, the largest insurance company in Australia, also becoming a victim of a ransomware attack. So, besides both joining the club of ransomware victims, what else do they have in common? Well, both organizations decided not to pay the ransom. In this blog I will discuss some of the reasons why an organization may not want to pay a ransom.


There are three main reasons an organization may not want to pay a ransom:

1) There is no guarantee that the organization will regain access to its information.

2) It almost guarantees that the organization will be attacked again.

3) It may be illegal to pay the ransom.


Let's take a deeper dive into each:

So, how did OFAC obtain jurisdiction to provide policy on ransomware? Well, the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) delegates jurisdiction to OFAC. Now, as part of this jurisdiction, they are responsible not only for creating the lists of entities that U.S. citizens cannot conduct transactions with, but also for enforcing those embargoes.

In next week’s blog I will discuss some of the things that organizations can do to protect themselves from becoming a victim of a ransomware attack.

References


NOV 2, 2022

Insider Threat

by James Driscoll

November 2, 2022

There is one aspect of cybersecurity that gets very little fanfare. That aspect is the insider threat. An insider threat is in my opinion the most dangerous type of cybersecurity attack. I say that because most of the time it involves an employee of an organization, who obviously has inside knowledge of the organization and has easier access to the data than an outsider would. Below is a recent case of an insider threat.

This past September, an information security designer by the name of Jareh Sebastian Dalke received a visit from the FBI in Denver, Colorado. Mr. Dalke was arrested and charged with three counts of violating the Espionage Act. Apparently, he reached out to someone that he thought worked for a foreign government and told this individual that he had classified documents for sale. The two agreed to an $85,000 price. According to the story, in order to prove that what he had was legitimate, Mr. Dalke sent the foreign government official, who was actually an FBI agent, snippets of the documents which had the classification markings on them (Kelley, 2022).

This incident, which occurred only two months ago, is a perfect example of an insider threat, which is the subject of this blog. One disclaimer about this case: Mr. Dalke has only been charged with violating the Espionage Act. He is innocent until he is proven guilty by a jury of his peers (Kelley, 2022). I will discuss what an insider threat is, how to spot one, and what to do if you suspect there is an insider threat in your organization.

Before we can discuss what an insider threat is, we need to define what an insider is. Basically, an insider is anyone, whether an employee or a contractor, whom an organization trusts with access to its resources. It can also be a vendor, custodian, or even a repair person. The Cybersecurity and Infrastructure Security Agency (CISA) has an extensive list of who could be considered an insider (Defining Insider Threats, n.d.).

The essence of an insider threat is the potential that an insider, which was described above, will use their access or knowledge of their organization’s resources for nefarious reasons. According to CISA, those reasons include:

An insider threat can take one of three forms:

Other threats:

Let's take a look at what may be indicators of an insider threat. One thing to keep in mind regarding any indicators is that just because an employee (remember from above that most insider threat cases involve employees) shows any one of these signs does not necessarily mean they are an insider threat. What needs to be noted is when an employee shows multiple of the signs below. The takeaway? If something does not seem right, say something to your supervisor or manager:

An example of an employee showing multiple indicators is as follows: an employee is overly critical of a poor performance appraisal, which he got because he is distracted by financial issues that resulted in his wife filing for divorce. These things make this employee vulnerable. One day he starts showing up to work in fancy cars and wearing newer clothes he normally does not wear. A week later he puts in for a vacation to a country that he cannot normally afford to go to, nor does he have an official reason to go. So, as we can see, one indicator by itself is probably meaningless; however, when stacked together, it becomes something that needs to be reported.


References

OCT 26, 2022

SIM Swapping

by James Driscoll

October 26, 2022

This week the topic discussed is SIM swapping. The reason I chose this topic is a news story that came out early last week. On 18 October, Verizon revealed that their prepaid service was attacked because of SIM swapping (Gatlan, 2022). A few things discussed today will be: 1) what SIM swapping is, 2) how a SIM swap works, 3) indicators of an attack, and 4) how to defend against this attack.

So, let us look at what SIM swapping, also known as SIM hijacking, is. It is pretty much what it sounds like: moving the SIM card or eSIM from one device to another. The key here is that it is the criminal that is doing the swapping, not the victim (SIM Swapping, n.d.). There are two reasons that criminals engage in this type of attack: 1) to take advantage of the SMS messaging that some organizations use for their MFA, and 2) to take advantage of accounts where MFA is not set up (What is a SIM Swap, n.d.).

Now, let us move on and look at how this type of attack works. The typical SIM swapping attack starts with the victim giving the criminal their login credentials through a phishing email (SIM Swapping, n.d.). This gives the criminal access to the victim’s online account. A second part of this attack involves the criminal taking over the victim’s email account that is associated with the cell phone account (SIM Swapping, n.d.). The reason for this is that it allows the criminal to intercept any email correspondence from the phone company to the victim. Typical emails include confirmation that there was a change to the account, or One Time Passcodes (OTP), six digits used for authentication.

Once the criminal has control of the victim's email and has the login credentials for the account, they can conduct the SIM swapping attack. This can be done in a few ways: 1) online, using the login credentials obtained through the phishing email, or 2) in person, either by phone or by the criminal going inside the phone company’s physical location (Cryptopedia Staff, 2021). One thing to keep in mind is that no matter how this is done, there is going to be social engineering performed.

So, how can a person tell if they are a victim of a SIM swap? As it turns out, there are three indicators a person might be a victim of an attack: 1) the victim cannot access their online account, 2) there is no service despite being in an area with good reception, and 3) the victim receives a notification about account changes they did not make (Adamu, 2022).

Now that we have looked at what a SIM swap attack is and how to spot one, let us now move onto what can be done to protect ourselves from being a victim. Believe it or not, there is a lot we can do. Below are seven recommendations:









References

OCT 12, 2022

Securing IoT Devices

by James Driscoll

October 12, 2022

What exactly are IoT devices? IoT stands for “Internet of Things”. They are also known as smart devices. Now, let me ask what comes to mind when you hear the term “IoT device”? I would bet a lot of the answers are going to be the Amazon Echo or the Google Home, am I correct? Now, there are a lot more than just those two. The list includes smart refrigerators, smart watches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security systems, and the list goes on (18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products), 2022).

While IoT devices are great in that they make our lives a little bit easier, they do have one serious flaw. IoT devices are configured for ease of setup / use, not security or privacy. To prove my point, I looked for a story regarding baby monitors being hacked. Yes, certain models of baby monitors are IoT devices.

I do not know if you all remember, but a few years ago there were stories like this every couple of months; we do not hear much about it now.

So, the story I found is from 2018 and is about a mom in South Carolina who initially noticed unusual activity on her baby monitor. One morning she woke up and saw that the monitor was directly facing her. While she thought this was weird, she dismissed it, since her husband was known to move the monitor through the application on his smart phone so he could check on her while at work. Seems logical to me, as I have something similar, but not a baby monitor, that I can use to check on my wife while I am gone. However, the second incident has no logical explanation. It happened while the husband and wife were having dinner together. The wife got an alert on her phone that the camera was moving, but they were both at home in the same room and neither one had opened the app and moved the camera. What the wife did next was the best thing she could do: she not only disconnected the baby monitor, but also called law enforcement.

When an officer arrived, the wife described what happened and said she suspected the baby monitor had been hacked. So, the officer decided to do a little investigating and test that theory. The officer had her reconnect everything, and that is when she discovered she had been locked out of her own account (Domonoske, 2018). Pretty scary stuff.

Now, at this point some people may be wondering how this happened. Remember what I said earlier: IoT devices are configured for ease of setup / use, not security or privacy. Also keep in mind that these devices could have vulnerabilities that are not seen on computers. I am talking about vulnerabilities that could allow a device to reset back to default settings (including login credentials). I mention that because in the story, when the monitor was set up, the password was changed to something unique to the device and was not used anywhere else (Domonoske, 2018).

After reading this story, I am willing to bet that some of you are wondering if it is even possible to secure IoT devices, and my answer to that is yes, they can be secured. In fact, there are six steps that can be taken to secure IoT devices. One disclaimer: I know the site says seven tips and I am listing six. I did that because I combined changing the login ID and password into a single item.

1. Start with configuring the router correctly.

a. Do not use default credentials. Change both the login ID and password.

b. Use the highest level of encryption possible. You are looking for WPA2 or WPA3. If the router only supports less than that (WEP or WPA), you need a newer model.

2. Put IoT devices on their own network separate from everything else.

a. Basically, create a guest network for IoT devices. By doing this, you will prevent criminals from accessing the main network if an IoT device is hacked.

3. Another option is to turn off features you are not going to use.

4. Update the device's firmware. Keep in mind that this typically does not occur automatically, so it may have to be completed manually. That means setting a calendar reminder once a quarter or so and following the update directions, which should be included with the documentation for that device.

5. Implement MFA if available. Now, I know that this option is a little counterintuitive as it takes the ease of use out of the device, but it will add to the security.

6. Use a secondary Next Generation Firewall (NGFW). This is an option because while most routers built within the last few years probably have a firewall, it may not offer the protection you want. In that case, purchasing an NGFW and using it in conjunction with the router would do the trick (Goodreau, n.d.).

So, the bottom line here is that we as individual end users of these products are responsible for our security. We cannot rely on the product manufacturers to be security minded. As I have said a couple of times in this blog, manufacturers want people to have a product that is easy to set up and use. This is what makes them money. If a product is not easy to set up and use, people are not going to buy it and the company is not going to make money, which is what matters to them.

References

18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products). (2022, September 24). Retrieved from Software Testing Help: https://www.softwaretestinghelp.com/iot-devices/#:~:text=Smart%20Mobiles%2C%20smart%20refrigerators%2C%20smartwatches,few%20examples%20of%20IoT%20products


Domonoske, C. (2018, June 5). S.C. Mom Says Baby Monitor was Hacked; Experts Say Many Devices are Vulnerable. Retrieved from NPR: https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable 


Goodreau, T. (n.d.). 7 Actionable Tips to Secure Your Smart Home and IoT Devices. Retrieved from IEEE Computer Society: https://www.computer.org/publications/tech-news/trends/7-actionable-tips-to-secure-your-smart-home-and-iot-devices 




OCT 5, 2022

Cookie Policies & Privacy Pop-Ups

by James Driscoll

October 5, 2022

Imagine you are browsing the internet and come across a website that contains a popup screen, covering the entire page, like in the screenshot below. 


Note: MyFitnessPal.com is the website used as an example throughout this blog.

Basically, this popup screen is asking users to click “Accept” so that the screen will go away. The question I have is: do you grumble and begrudgingly click “Accept”, or do you review the options and read about how a site uses and stores your data? Have you noticed that some websites you visit have this popup and some do not? Does everyone know why we constantly see these popup screens? If you cannot answer these questions, do not worry, as I will talk about each one of them.


Each site that has a privacy policy with a pop-up screen provides links that users can click on to learn how their information is being used and stored.  On this site users can read about their data rights and options, the terms and conditions of use, and the privacy policy.  There is also a link for users to opt out of certain cookies.  Finally, users can click on the “Accept” button to agree to all cookies. 


Before diving deeper into these pop-ups, I think it helps to understand why pop-ups are here in the first place. About three years ago, privacy pop-ups came about with the California Consumer Privacy Act (CCPA) of 2018. The CCPA officially became law in January 2020 and mandates that websites advise their users what information they collect and how they intend to use it (Healey, 2021).


Another major reason for these pop-ups is the EU’s General Data Protection Regulation (GDPR), which mandates sites that collect the personal information of EU citizens comply with this new regulation. Companies globally had to adjust and ensure their websites were in compliance with GDPR in order to continue serving customers in these countries. 


Back to our example website, MyFitnessPal.com. What are the options available? The first option is to read exactly what the data rights and options are. The Reader's Digest version is that the site tells users they have the option to opt out of personalized and targeted advertising. It also gives users directions on limiting cookies and other tracking technologies. Next, they give directions on changing device settings for both iOS and Android. Finally, there are even steps on how users can access their data and export it to a file (Data Management, n.d.).


Next, let’s look at their Terms and Conditions of Use.  This page spells out what users can and cannot do with their site.  It is basically a legal disclaimer designed to protect them and their users (MyFitnessPal Terms and Conditions of Use, n.d.).  Every site you go to is going to have this page.  Some sites will make it easier to find than others.


The third and final policy that we have is the Privacy Policy.  This page talks about how the site collects and uses user information.  They also discuss how and to whom they share user information.  Reading further on, they discuss the legal reasons for collecting and sharing user information.  They also include situations where users are asked for consent to information sharing. 


Now, there is one more option available. If you review the above screenshot, there is an option to opt out of specific cookies. This means users can choose which cookies are accepted and which are not. The options may vary from site to site, and based on user region.


So, let’s take a further look, shall we? As you can see, the next screenshot tells users why cookies are used. Users can either agree to all of them and proceed, or click on more information and choose which cookies they want to accept.

If we click on “More Information," we find options that users can opt in or out of. As shown in the screenshot below, there are three sets of cookies: “Required Cookies”, “Functional Cookies”, and “Advertising Cookies”. Notice users can only opt in or out of the “Functional Cookies” and the “Advertising Cookies”. The reason is that “Required Cookies” are necessary for the site to function properly. The other two are completely optional.


UPDATE:  As I am writing this blog, new information has come out regarding these cookie consent notifications.


According to the Bleeping Computer news site, seeing these consent pop-ups may mean users are already being tracked.  The reason they say that is because in some cases, these pop-ups facilitate a “privacy breaching data exchange before the user can opt out” (Toulas, 2022).


Now, you may be asking what our options are. Well, one option is to completely stop using the internet. Before I am written off as insane, I understand this is impossible. Our lives are so intertwined with the internet that the actuality of this happening is next to zero. But, it is still an option. A second option is to continue with the status quo. A third option? Yes, ladies and gentlemen, there is a third option available: use the Brave browser. This is now an option because starting with the upgrade that comes out this month, which will be version 1.45, Brave will block users from seeing these consent pop-ups (Toulas, 2022).


Bottom line, when you get to a website with one of these privacy pop-ups, I highly recommend taking some time to read through the policies. I say that because I want everyone to be informed as to how their information is being collected and used. Keep in mind that the information these sites collect and use is your information, and you, as the owner of that information, get to dictate whether a website can not only collect but also use that information.


References:


SEP 28, 2022

MFA Fatigue

by James Driscoll

September 28, 2022

The data breach at Uber is just the latest in a long list of data breaches this year. While the tactic used to gain network access is not new, I do not believe it has gotten a lot of press until now. You all might be wondering which tactic that is. That would be Multi-Factor Authentication (MFA) fatigue. So, what is MFA fatigue? As we all know, there are different types of MFA. They include hardware keys, biometrics, authentication applications, SMS, and push notifications. MFA fatigue targets push notifications (Abrams, 2022).


The way this attack works is that the threat actor gets an employee’s credentials, either by phishing, by buying them off the dark web, or some other way. Then the threat actor tries to log in and the victim gets a push notification. Obviously, the victim, knowing they are not attempting to log in, is not going to accept the notification. Now, not having gained access to the network, the threat actor will continue to attempt to log in repeatedly in rapid succession until the victim gets so tired of the notifications that they finally accept one just to make the notifications stop (Abrams, 2022).


So, what can be done to safeguard against this type of attack? Arctic Wolf, a leading cybersecurity company, has three recommendations.


1. Educate all users on indicators of an attack:


a. Unexpected MFA push notifications

b. Unknown location of login attempt

c. Receiving communication supposedly from a person in the organization's IT department asking the user to accept the request

d. Continuous MFA requests in rapid succession over a short period of time


2. Restrict the number of MFA push notifications allowed


3. Disable MFA push notifications and use another form of MFA (Tatar, 2022)
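As an added example (not code from the blog or from Arctic Wolf), here is what indicator d and recommendation 2 look like on the defender's side in Python: a detector that scans authentication events for a burst of push prompts to one user inside a short window and notes whether an approval followed, plus a per-user cap that stops sending prompts once the burst threshold is hit. The event format, the user names, the IP addresses and the 3-prompts-in-5-minutes threshold are all constructed assumptions.

```python
"""Detecting MFA push-fatigue bursts and capping push prompts (constructed sample data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in an assumed "<timestamp> <user> <event> <source_ip>" format.
# Not real log data: alice is bombarded with push prompts and finally approves one;
# bob and carol show normal, spaced-out prompts.
SAMPLE_EVENTS = [
    "2022-09-15T22:01:03Z alice push_sent 203.0.113.7",
    "2022-09-15T22:01:21Z alice push_denied 203.0.113.7",
    "2022-09-15T22:01:40Z alice push_sent 203.0.113.7",
    "2022-09-15T22:02:05Z alice push_sent 203.0.113.7",
    "2022-09-15T22:02:31Z alice push_sent 203.0.113.7",
    "2022-09-15T22:02:58Z alice push_sent 203.0.113.7",
    "2022-09-15T22:03:10Z alice push_approved 203.0.113.7",
    "2022-09-15T09:14:02Z bob push_sent 198.51.100.20",
    "2022-09-15T09:14:30Z bob push_approved 198.51.100.20",
    "2022-09-15T22:40:00Z carol push_sent 192.0.2.9",
    "2022-09-15T23:30:00Z carol push_sent 192.0.2.9",
]


@dataclass
class PushEvent:
    ts: datetime
    user: str
    event: str      # push_sent | push_approved | push_denied
    src_ip: str


@dataclass
class FatigueAlert:
    user: str
    first_push: datetime
    last_push: datetime
    pushes: int                  # prompts counted since the burst began
    approved_after_burst: bool   # the dangerous outcome: the user gave in


def parse_event(line: str) -> PushEvent:
    ts, user, event, src_ip = line.split()
    return PushEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src_ip)


def find_fatigue_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag users who received >= threshold push prompts inside a sliding window
    (indicator d above), and record whether an approval followed the burst."""
    alerts = {}
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "push_sent":
            q = recent[ev.user]
            q.append(ev.ts)
            while ev.ts - q[0] > window:   # drop prompts that fell out of the window
                q.popleft()
            alert = alerts.get(ev.user)
            if alert is not None:          # burst already open: keep counting
                alert.pushes += 1
                alert.last_push = ev.ts
            elif len(q) >= threshold:      # threshold crossed: open an alert
                alerts[ev.user] = FatigueAlert(ev.user, q[0], ev.ts, len(q), False)
        elif ev.event == "push_approved" and ev.user in alerts:
            alerts[ev.user].approved_after_burst = True
    return alerts


class PushRateLimiter:
    """Recommendation 2: refuse to send more than max_pushes prompts per user per window,
    so stolen credentials alone cannot keep the user's phone buzzing."""

    def __init__(self, max_pushes=3, window=timedelta(minutes=5)):
        self.max_pushes = max_pushes
        self.window = window
        self._sent = defaultdict(deque)

    def allow(self, user: str, now: datetime) -> bool:
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False               # cap reached: no new notification is sent
        q.append(now)
        return True


def simulate_cap(events, limiter=None):
    """Replay push_sent events through the limiter; returns per-user allow/deny decisions."""
    limiter = limiter or PushRateLimiter()
    decisions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "push_sent":
            decisions[ev.user].append(limiter.allow(ev.user, ev.ts))
    return dict(decisions)


if __name__ == "__main__":
    evs = [parse_event(line) for line in SAMPLE_EVENTS]
    for a in find_fatigue_bursts(evs).values():
        print(f"{a.user}: {a.pushes} prompts {a.first_push:%H:%M:%S}-{a.last_push:%H:%M:%S},"
              f" approved after burst: {a.approved_after_burst}")
    print(simulate_cap(evs))
```

With the cap in place, alice's fourth and fifth prompts are never sent, so the approval the detector flags would not have had a chance to happen.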


One thing to keep in mind is that MFA is just another tool in the cybersecurity toolbox. It is subject to compromise just like any other tool we have. The reason I say that is because, from what I have seen, the expectation is for MFA to be the end-all, be-all of security, but it is not. I am pretty sure that is an unpopular opinion, and that is fine.


I am pretty sure that some people reading this are wondering, “if MFA can be compromised, then why use it?”. This is a valid question. The reason MFA still needs to be used is that it is part of a layered defense. By that I mean the first layer is a user’s login credentials (username and password). If those get compromised, that is when the second layer (MFA) comes into play and will generally prevent a threat actor from gaining access to an organization's network.


Like I alluded to earlier, MFA is not foolproof, as proven by the attack on Uber and numerous other organizations. I mean, let’s be honest: if a threat actor wants to gain access to a network, they are going to find a way in. The whole point of using MFA as part of a layered defense is to make gaining access to our networks so difficult and time consuming that they move on to another target. The military would consider this being a “hard target”. By being a “hard target”, your organization becomes a less desirable target, and a threat actor will normally move on to another one.


There are two important takeaways I want everyone to gain from this blog:



References

Abrams, L. (2022, September 20). MFA Fatigue: Hackers' New Favorite Tactic in High-Profile Breaches. Retrieved from Bleeping Computer.


Reupert, A., Straussner, S. L., Weimand, B., & Mayberry, D. (2022, March 11). It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the "Village". Retrieved from Frontiers.


Tatar, S. (2022, September 22). The Growing Risk of MFA Fatigue Attacks. Retrieved from Arctic Wolf.


SEP 21, 2022

Cybersecurity Workforce Framework - NIST & NICE

by James Driscoll

September 21, 2022

Let's begin with a typical conversation between someone in Cybersecurity and someone wanting to break into the industry. New person: “I want to get into Cybersecurity, but do not know where to start”. Cybersecurity professional: “What part of Cybersecurity do you want to get into?” New person: “I do not know.”


Does this sound familiar? It should because I am willing to bet that most if not all of us have either initiated or been a party to this very type of conversation. How do we respond when a new person says, “I do not know”, when asked what part of Cybersecurity they want to get into? Luckily, NIST has us covered. They created the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.


The NIST NICE Framework, also known as NIST SP 800-181, was created in 2017 to deconstruct the Cybersecurity realm into 52 roles. It also acts as a foundational reference that provides baseline information regarding the knowledge, skills, and abilities (KSAs) for these roles. It was updated to Rev. 1 in November 2020 (Newhouse, Keith, Scribner, & Witte, 2017).


One thing that I like about this framework is that it is easy to read. It is logically laid out. Now, as with any other framework, NIST 800-181 is full of acronyms; however, the first time one is used it is spelled out, which alleviates some confusion for people reading it. Another aspect of it I like is that it spells out not only who the audience is, but how it is going to support them. For example, NIST 800-181 is designed for everyone, but for employers, there are five aspects that will help them basically write a job description for a particular role. It also describes how it supports current and aspiring employees. Finally, it discusses support for educators, trainers, and technology providers (Newhouse, Keith, Scribner, & Witte, 2017).


So, everyone might be wondering what part of NIST 800-181 we refer a new person to when they answer that they do not know what part of Cybersecurity they want to get into. Well, there is a table in Attachment A3. Specifically, they want to look at the Work Role, which is in the middle of the table, and the Role Description, which is on the far right of the table (Newhouse, Keith, Scribner, & Witte, 2017). One thing to keep in mind is that while, as stated earlier, the NICE Framework identifies 52 roles, that does not mean that individual organizational positions are going to be identified the same way. This may cause some confusion. The best idea that I can think of to alleviate that confusion is to compare the role description in the NICE Framework with the job description in the job ad.


In addition to the identified roles, the NICE Framework also breaks down those roles and identifies the applicable tasks, knowledge, skills, and abilities (KSAs) required for each specific role. This is going to be in Appendix B. I must warn everyone, this table uses a lot of codes to identify the tasks and KSAs. The task and KSA codes and their definitions are in Appendix A. That means there is going to be a lot of going back and forth between the two Appendices.


Now, if you remember from earlier, I said that the NICE Framework is designed to be used by everyone, not just people trying to decide on what part of Cybersecurity to get into. For example, organizations can use Appendices A and B when they are creating job advertisements. Also, managers can use those same appendices when deciding on employee training.


So, if there is one NIST Framework that I think everyone must read, it would be NIST 800-181. It has information applicable to everyone. For new people wanting to break into the Cybersecurity industry, it breaks down the industry into 52 roles, which can assist them in deciding what part of Cybersecurity they want to get into. For HR, it has a listing of KSA’s for those specific roles, which will help them in creating accurate job listings for open positions. Finally, for trainers, NIST 800-181 can be used as a resource as they create training programs, courses, seminars, exercises, and challenges as they can be based on role specific tasks and associated KSA’s.


References

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017, August). NIST Special Publication 800-181. Retrieved from National Institute of Standards and Technology: https://doi.org/10.6028/NIST.SP.800-181


SEP 7, 2022

Compliance Frameworks

by James Driscoll

September 14, 2022

While studying for my CompTIA CySA+ examination I came across several regulatory frameworks. So, I thought it would be a good idea to create a blog to briefly discuss each one. The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; and finally, the Family Educational Rights and Privacy Act (FERPA).

The first framework I will cover is HIPAA. HIPAA became a law back in 1996 and was designed to allow employees changing jobs to take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

The second framework is PCI DSS. The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

The third framework is the GLBA. This standard applies to the banking industry. The basic premise is that all financial institutions must have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

The fourth framework is the SOX Act. This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to stop these same organizations from defrauding their investors. It is named for the two members of Congress who sponsored it, Senator Paul S. Sarbanes and Representative Michael G. Oxley (Kenton, 2022).

The last framework to be covered is FERPA. This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose: 1) it returns control of educational records to the parents or to adult students, and 2) it requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).

References:

Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex.

Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html

Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

HIPAA History. (n.d.). Retrieved from HIPAA Journal: https://www.hipaajournal.com/hipaa-history/

Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp

Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance

AUG 31, 2022

The Computer Fraud and Abuse Act (CFAA)

by James Driscoll

August 31, 2022

We see news stories almost daily of threat actors hacking into an organization's computer network and either taking the data or encrypting it unless said organization pays a ransom. Now, we all know that this is illegal, but do we know why it is illegal? The answer lies within 18 U.S. Code 1030, also known as the Computer Fraud and Abuse Act (CFAA), which became law in 1986. This blog will discuss the specifics of the CFAA, what led to its passing, and its most recent updates.


History of CFAA

The CFAA got its start as part of another statute called the Comprehensive Crime Act of 1984. There was a part of this act that made the following two activities related to computers illegal: 1) gaining unauthorized access to a computer, and 2) having access to a computer but accessing areas that are not authorized (CFAA Background, 2022). Basically, this second activity is privilege escalation.


Now, for someone to be charged under the Comprehensive Crime Act for hacking, the victims were limited to government interests. More specifically, the actions had to involve one of three scenarios: 1) accessing information vital to national security, 2) gaining access to personal financial records, or 3) gaining unauthorized access to government computers (CFAA Background, 2022).


Let's skip ahead to 1986. This is when the provisions of the Comprehensive Crime Act of 1984 related to computer crime officially became 18 U.S. Code 1030, the Computer Fraud and Abuse Act (CFAA). This separation facilitated the addition of three more prohibitions:


Now, in addition to what was mentioned above, let's see what else is in the CFAA. There are also punishments defined in this document. These punishments are defined by the type of offense. In addition, the CFAA dictates who (depending on the offense) will investigate. It will be either the Federal Bureau of Investigation (FBI) or the United States Secret Service. Finally, it defines certain terms at the end of the document (18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers, n.d.).


2022 Update

Over the years, the CFAA has been updated numerous times.  The most recent update was in May 2022.  Basically, what this update affirms is that “good-faith security research should not be charged” (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).  This update goes on to define good-faith security research, but essentially it means hacking into a network (with the owner’s permission) to test for vulnerabilities so they can be mitigated, thus protecting the CIA Triad of that network (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).


Conclusion

I highly recommend at least scanning over it. I think it is an interesting read; of course, I am a bit of a nerd, so I may be a little biased. Nonetheless, it is important to be at least familiar with applicable laws, especially for anyone wanting to get into penetration testing. This way you will have an idea of how far you can go without breaking the law, because I will tell you, as someone with a criminal justice degree, that claiming ignorance of the law is not a defense.


References:

18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from cornell.edu: https://www.law.cornell.edu/uscode/text/18/1030

CFAA Background. (2022, July 14). Retrieved from NACDL: https://www.nacdl.org/Content/CFAABackground

Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act. (2022, May 19). Retrieved from Justice.gov: https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act


AUG 24, 2022

Why Every Organization Needs a Disaster Recovery / Business Continuity Plan 

by James Driscoll

August 24, 2022

Disasters, whether natural or man-made, are inevitable. Every company, no matter the size or location, is going to experience one. How quickly they recover, if at all, depends on whether they have a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).


For a BC / DR plan to be successful the following five steps should be taken:


1. Be proactive with planning – Basically, what this is saying is to create a list of as many conceivable disasters as possible. Imagination is the only limiting factor here, as long as the disaster is actually conceivable for the company. For example, a hurricane is not a conceivable disaster for a company in North Dakota.

2. Identify the organization's critical functions and infrastructure – This is the time a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses about the causes of disruptions and the repercussions of those disruptions.

3. Create emergency response policies and procedures – This is the meat and potatoes of the process: creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.

4. Document backup and restoration process – This involves writing down the procedures for backing up the company's data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.

5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing comes in. Testing a plan makes the employees familiar with it, which results in them being able to respond more quickly. This is paramount in a disaster, where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).


When creating the BC plan, one of the main things to consider is the backup location. This location may have its own risks from disasters that need to be anticipated. Six items that need to be considered when choosing a backup location include:


1. Natural Disaster – Depending on the location, especially if it is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The way to mitigate this is, if feasible, to pick a location further away.

2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or to find a location close to where employees live so that they may be able to walk to the site.

3. Human Error – Humans are not psychic. We need to be passed information. A company may have the best BC / DR plan ever created; however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.

4. Cyber Attack – While transferring the data to the backup site, companies need to ensure that their customers' information is safe and not going to be subject to a cyber-attack. This can be mitigated by ensuring devices at the backup location are constantly patched and updated, anti-virus is used, and data is encrypted.

5. Compliance – No matter where the company is operating from, whether it is the primary location or the backup site, it still needs to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location. That means whenever something is done to the primary location, it is also done to the backup location.

6. Physical Security – Physical security is just as important as securing the company's data. There are a couple of ways to achieve this. The company could invest in a security system, including cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).


References:

An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: https://www.bizjournals.com/memphis/news/2020/03/09/5-steps-to-creating-a-backup-and-disaster-recovery.html

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies

AUG 17, 2022

DEF CON: The Beginning

by James Driscoll

August 17, 2022

DEF CON was this past weekend and I started wondering about how it started and when. So, I decided this would be an awesome topic, although I wish I had the idea before last week's blog went out.


Now, I do not know about anyone else, but I have always wondered not only how DEF CON originated but also how the name originated. As you will discover below, it is quite interesting.


It turns out that the name did not originate where I thought it did. With a 20-year career in the Air Force, it was my impression that DEF CON was taken from the term for Defense Readiness Condition. While this is accurate, the inspiration came by way of the 1980s movie "WarGames". The basic premise of this movie is that a young kid connects to a government system that controls the United States' nuclear arsenal. If I had to guess, I would say that it is probably the original hacking movie, but I digress a little bit. It turns out that in the current context, DEF derives from the number three key on a telephone and CON derives from the word conference. Interesting side note: the official spelling is DEF CON.


So, why was DEF CON started? It was not envisioned to be the exhibition that we have today. In fact, the origin is mundane. In 1993 a gentleman by the name of Jeff Moss had a friend who was moving away. Being a good friend, Jeff wanted to give his friend a good send-off, so he organized a going-away party. Well, in an unfortunate circumstance, the friend moved before this party. So, not wanting to cancel the party and wanting to honor his friend, he asked all his hacker friends to make a trip to Las Vegas to party. Thus, DEF CON was born. There were approximately 100 people in attendance.


As mentioned above, this was originally supposed to be a going-away party, so it would have been a one-time event. However, everyone had such a great time that they convinced Jeff to host it again in 1994. Reluctantly, he agreed, and at the second DEF CON there were at least 200 people in attendance. With each new DEF CON, the number of attendees consistently grew. For DEF CON 27, which was in 2019, there were approximately 30,000 attendees.


Another interesting bit of information that I did not know is that in 2018 there was a DEF CON event held in China. It was supposed to be an inaugural event, but due to the COVID-19 pandemic, it is still the only DEF CON event that has ever been held outside the United States. 

AUG 10, 2022

CompTIA Certification Exams

by James Driscoll

August 10, 2022

There seems to be some confusion when it comes to CompTIA certification exams.  I constantly see questions about exam expiration and what should be done.  These questions are primarily from people who are working to break into the Information Technology (IT) realm, so they cover A+, Network+, and Security+.  The purpose of this blog is to clear up some of that confusion.  For illustrative purposes I will use the CompTIA A+ exam details to highlight what I am talking about.

Regarding the expiration of the exams: all CompTIA exams are generally valid for three years, give or take a few months. Now, the reason they are valid for such a short time is that, as we all know, the IT realm is constantly changing. This means that the exams need to be constantly updated for them to stay relevant. For instance, the A+ version 1001/1002 officially launched on 15 January 2019 and will retire on 20 October 2022, so three months shy of three years. What this means is that on 20 October 2022, this exam is no longer available. It does not mean that the certification goes away forever. It simply means that version 1001 is replaced with a newer version.

That newer version is numbered 1101/1102 and was officially launched in April 2022. Some people have asked what this means. In a nutshell, this means that there is generally a six-month overlap between the retiring version and the newer version, and that a person can take either exam. One thing to keep in mind is that if a person wants to take the newer version, the study material associated with the newer exam may not be available right away. The below screenshots illustrate my points.

The same concept also applies to Network+, Security+, and every other CompTIA certification exam.

In addition to this, there seems to be some confusion as to when a person is ready to take an exam. I have seen people say that they took such and such practice test and have been scoring x% on each test, then ask if they are ready to take the exam. Here is an easy way to tell if you are ready. Again, I will use the CompTIA A+ exam as an example. Now, as shown below, to pass Core 1 and Core 2 of either version, a test taker needs to score 675 out of 900 (Core 1) and 700 out of 900 (Core 2).

Figuring out if you are ready for the exam is fairly simple. Just take 675 and divide it by 900. Then take that answer and multiply it by 100 to get the minimum percentage to pass. This is what it looks like: 675 / 900 = 0.75, and 0.75 × 100 = 75%. This means that for Core 1, the minimum passing score is 75%. The same formula applies to Core 2 and every other CompTIA exam. So, if someone is consistently scoring over that minimum percentage (in this case 75%), they are ready for the exam.

Hopefully, this information is helpful. I wish everyone good luck on whichever test you are all studying for.

AUG 3, 2022

DVWA - The Damn Vulnerable Web Application

by James Driscoll

August 3, 2022

In the world of ethical hacking, it is important to constantly practice your skills to maintain proficiency. Now, there are a multitude of ways to accomplish this. There are websites like TryHackMe and Hack The Box. Another option is to set up a home lab utilizing either physical or virtual machines.


Using virtual machines offers numerous options. Intentionally vulnerable operating systems can be downloaded and built to practice on. This is fine if you want to practice hacking into a machine. However, what are the options if you want to practice hacking a web application? Well, I found an answer while taking part in an ethical hacking class while working on my bachelor's degree in Cybersecurity: the Damn Vulnerable Web Application (DVWA).


DVWA can be downloaded and installed on a Virtual Machine (VM), offering the ability to practice concepts such as SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery, to name a few. 


Where can DVWA be downloaded from? Good question. There are many versions of DVWA floating around the internet, but the best place is to go to this GitHub page, https://github.com/digininja/DVWA, and download from there. This version is the most up-to-date and is the only one that has any type of support.


So, how is it accessed? Since it is a web application, it should really be accessed from a separate VM, just as you would access a normal web application during a penetration test. Simply put the IP address of the VM hosting DVWA into the browser, as shown below:


The login information should be provided:


After logging in, you will see the below screen:


What is interesting about DVWA is that it has adjustable security settings that range from Low to Impossible. If you look at the screenshot above, on the left side is DVWA Security. This is where the security level can be adjusted. This should be the first thing you do.


After the security level is adjusted, then any of the other options can be selected.  In this case I chose to go with SQL Injection.

This platform really makes it easy to practice these valuable skills.  I highly recommend giving this a try.  I hope you all have as much fun using this as I did. 


Check out this DVWA resource: a YouTube video from @CryptoCat on DVWA setup, first step. There is a series outlining all the steps. Another great find to walk you through the process, step by step: https://youtu.be/GmWQ1VIjd2U



JUL 27, 2022

Chase The Knowledge, Not the Certification

by James Driscoll

July 27, 2022

There is a question that I see all the time on the various social media platforms, “will {insert certification name here}, get me a job in Cybersecurity?”  Now I know that there are a million opinions as to whether certifications are even needed to enter this industry.  That is not what this is about.  This is about the apparent myth that simply getting a certification will land a person a job in cybersecurity.


The answer to the above question is no, {insert certification here} will not directly land someone a job. At most, the certification will help someone get an interview. From there it is up to you to land the job. So, does that mean not to worry about getting a certification? Not necessarily. What I am saying is, do not get a certification simply because it is a requirement for some jobs. Get the certification for the knowledge you will gain. It is one thing to pass the exam and receive the certification. That may help you get an interview by standing out over other applicants who may not have the specific certification. During the interview, the fact that you have {insert certification here} means nothing, unless you can apply some of those concepts in the interview and can talk to the interviewer about some of the knowledge you gained by studying for the exam.


The whole premise is to chase the knowledge, not the certification.


JUL 20, 2022

Veteran in Cybersecurity

by James Driscoll

July 20, 2022

My name is James.  I am a retired Air Force veteran and married to my wife of 22 years.


In the Air Force, my role was in Air Transportation. Basically, I worked at military airports loading passengers and cargo. The best way to picture it is to think of a combination of American Airlines and Federal Express. After I retired in 2014 I continued in the same career field, but as a military contractor. The job is interesting; however, it is no longer challenging.


One aspect of this job that I really enjoy is that of regulatory compliance: ensuring that all the passengers comply not only with applicable FAA/TSA regulations but also with applicable destination country entry regulations. On the cargo side, the job entailed ensuring the cargo was prepared and documented correctly. This is extremely important when hazardous cargo is being transported. The reason for this is the safety of the aircraft, crew, and any passengers. An example of a failure in procedure is ValuJet flight 592, which went down in the Everglades in 1999. The reason for this crash was that some oxygen generators were not properly packaged or documented.


In addition to loading airplanes, another job that I had was system administrator. I was responsible for creating accounts, setting permissions based on the duty position of the individual, and working with the help desk to update and patch the system. This is what initially got me interested in Information Technology. As a result, I tried numerous times to change career fields into Information Technology but was unsuccessful.


Why am I making the career change into Cybersecurity?  This is a good question.  It was June 2020, and I was working at a deployed location loading aircraft and suffering every day because of medical conditions created by my military career.  My wife suggested contacting the Veterans Affairs office and applying for something called Vocational Rehab.  Basically, this is a program where veterans with medical conditions can go back to school to get a degree in a field that will not aggravate the condition.  So, I applied.


After speaking with the counselor, I was approved!  Next, it was time to choose a program and school.  I thought to myself, this was the perfect chance to finally change careers and move into Information Technology.  After constantly seeing reports of data breaches and ransomware attacks, I decided to transition into cybersecurity.  The school I chose to attend is ECPI and I will be graduating the end of August 2022.


I am extremely grateful to Kimberly for this opportunity to work with Cybersecurity Central. It is exciting to be able to give back to such a welcoming community that I am breaking into. It will be an interesting journey, but I hope it will be a journey that everyone can learn and get inspiration from.


Feel free to connect or send me a message on LinkedIn: https://www.linkedin.com/in/jdriscoll-76
