BLOGS BY JAMES
Cybersecurity Central is excited to share Blog by CC.
Bookmark this page and visit regularly to learn what James Driscoll is discovering in his #infosec journey.
#cybersecuritycentral #diversityofthought #blogbycc
DEC 22, 2023
Wireless Security: Ditch the Dust, Go Modern!
by James Driscoll
December 22, 2023
Remember that creaky old swing set in your backyard? The one your parents told you was "safe" even though it looked like it might collapse any minute? Yeah, WEP encryption for your Wi-Fi is kind of like that. It's outdated, wobbly, and about as secure as a screen door on a submarine.
WEP was the first attempt at Wi-Fi security, but it's more like a historical artifact than a viable option. It's riddled with vulnerabilities, and cracking it is child's play with readily available software. Imagine leaving your front door wide open and expecting nobody to peek in – that's WEP for you.
But wait, there's TKIP! This "upgrade" isn't much better. It was meant as a temporary fix while they figured out something real, like a sturdy steel gate for your network. But just like that rickety swing set, TKIP has its own cracks, some known since its inception! It's time to retire this rusty relic and move on to something stronger.
So, what's the good stuff? Look no further than CCMP/AES. It's like a fortress compared to WEP and TKIP – imagine a vault with triple locks and laser beams. Even the most dedicated cyber-crooks would give up in frustration trying to crack this one. This is where your precious data should be living, not floating around in the open air like a forgotten kite.
But even Fort Knox has its chinks in the armor. Even with strong encryption, your passwords can be the weak link. Think of them as the keys to your digital kingdom. Using weak, predictable passwords like "password123" is like leaving the spare key under the doormat. Instead, go for something long, strong, and unique – a passphrase fit for a king (or queen) of the internet. Think 20 characters with a mix of letters, numbers, and even symbols. Make it something only you could come up with.
And now for the good news: WPA3, the latest and greatest in Wi-Fi security, takes things even further. It's like adding an alarm system and security cameras to your already-fortified castle. Even if someone finds a stray key, they'll be caught red-handed before they can do any damage.
So, ditch the dust-covered WEP and rusty TKIP. Upgrade to CCMP/AES and lock down your passwords with a passphrase fit for royalty. And if you're looking for the ultimate peace of mind, welcome WPA3 with open arms (just make sure they're protected by strong authentication!). Remember, your internet security is your responsibility, so choose wisely and stay safe out there in the digital jungle!
Connect with me on LinkedIn and let's continue the conversation: https://linkedin.com/in/jdriscoll-76
NOV 29, 2023
IPv4 & IPv6 Internet Protocols
by James Driscoll
November 29, 2023
This week in my advanced networking class we reviewed the network layer of the IP model. Allow me to share more with you in this blog today.
The network layer consists of IPv4 and IPv6, which are two different versions of the Internet Protocol (IP), the fundamental protocol that enables communication on the internet. IPv4 is the older version of the protocol, and it is currently used by most devices on the internet. However, IPv4 is running out of addresses, and IPv6 was developed to provide a much larger address space.
IPv4
IPv4 addresses are 32 bits long, which means that there are only about 4.3 billion possible IPv4 addresses. This number of addresses is not enough to accommodate the growing number of devices on the internet, such as smartphones, tablets, and IoT devices.
IPv4 addresses are written in dotted-decimal notation, which consists of four decimal numbers separated by periods. For example, the IPv4 address 192.168.1.1 is written in dotted-decimal notation.
IPv4 is a mature protocol, and it is well-supported by most devices and networks. However, IPv4 is also a complex protocol, and it can be difficult to manage.
IPv6
IPv6 addresses are 128 bits long, which means that there are 2^128 possible IPv6 addresses, an almost unimaginably large number. This vast address space is enough to accommodate the growing number of devices on the internet for many years to come.
IPv6 addresses are written in hexadecimal notation, which consists of eight groups of four hexadecimal digits separated by colons. For example, the IPv6 address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 is written in hexadecimal notation.
IPv6 is a newer protocol than IPv4, and it is not as well-supported by all devices and networks. However, IPv6 is a simpler protocol than IPv4, and it is easier to manage.
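To make the two notations concrete, here is an added example in Python (not code from the original post or from the textbook it draws on): hand-written parsers for dotted-decimal IPv4 and colon-hexadecimal IPv6, a formatter for the compressed IPv6 form, and a cross-check against the standard library's ipaddress module. The address strings in it are constructed, two of them copied from the post.

```python
"""Parsers for the two address notations described above: IPv4
dotted-decimal (four decimal octets) and IPv6 colon-hexadecimal (eight
16-bit groups, leading zeros optional, one '::' run of zero groups).
Added example, not code from the original post; the sample addresses
at the bottom are constructed (two are the ones quoted in the post)."""
import ipaddress
from typing import Optional

IPV4_BITS = 32
IPV6_BITS = 128
HEX_DIGITS = set("0123456789abcdefABCDEF")


def address_space(bits: int) -> int:
    """Number of distinct addresses an n-bit address field can express."""
    return 1 << bits


def parse_ipv4(text: str) -> int:
    """Return the 32-bit integer value of a dotted-decimal IPv4 address.

    Exactly four decimal octets in 0..255 are required. Leading zeros are
    rejected: some libraries read '010' as octal and others as decimal, and
    such parser disagreements are a known source of filter bypasses."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets in {text!r}")
    value = 0
    for part in parts:
        is_decimal = part.isascii() and part.isdigit()
        if not is_decimal or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet {octet} out of range in {text!r}")
        value = (value << 8) | octet
    return value


def parse_ipv6(text: str) -> int:
    """Return the 128-bit integer value of a colon-hexadecimal IPv6 address.

    Each group is 1-4 hex digits. A single '::' stands for as many zero
    groups as are needed to reach eight. Mixed notation with an embedded
    dotted-decimal IPv4 tail (::ffff:192.0.2.1) is out of scope here."""
    if text.count("::") > 1:
        raise ValueError(f"more than one '::' in {text!r}")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one group in {text!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups in {text!r}")
    value = 0
    for group in groups:
        if not 1 <= len(group) <= 4 or not set(group) <= HEX_DIGITS:
            raise ValueError(f"bad group {group!r} in {text!r}")
        value = (value << 16) | int(group, 16)
    return value


def format_ipv6(value: int) -> str:
    """Render a 128-bit value in compressed form (RFC 5952): lowercase hex,
    leading zeros dropped, the first longest run of 2+ zero groups as '::'."""
    groups = [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len >= 2:
        head = ":".join(hexs[:best_start])
        tail = ":".join(hexs[best_start + best_len:])
        return f"{head}::{tail}"
    return ":".join(hexs)


def classify(text: str) -> Optional[str]:
    """Return 'ipv4', 'ipv6', or None if the string is neither notation."""
    for name, parser in (("ipv4", parse_ipv4), ("ipv6", parse_ipv6)):
        try:
            parser(text)
            return name
        except ValueError:
            continue
    return None


def matches_stdlib(text: str) -> bool:
    """Cross-check our parsers against the standard library's ipaddress module."""
    kind = classify(text)
    if kind == "ipv4":
        return parse_ipv4(text) == int(ipaddress.IPv4Address(text))
    if kind == "ipv6":
        return parse_ipv6(text) == int(ipaddress.IPv6Address(text))
    return False


if __name__ == "__main__":
    # Constructed sample inputs; the first two are the addresses quoted in the post.
    samples = ["192.168.1.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
               "::1", "192.168.1.256", "2001:db8::1::2"]
    for s in samples:
        kind = classify(s)
        shown = format_ipv6(parse_ipv6(s)) if kind == "ipv6" else (s if kind else "invalid")
        print(f"{s:42} -> {kind} {shown}")
    print(f"IPv4 space: {address_space(IPV4_BITS):,}  IPv6 space: {address_space(IPV6_BITS):.3e}")
```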
Comparison of IPv4 and IPv6
Transition to IPv6
The transition to IPv6 is a gradual process, and it is taking place over many years. Most devices and networks now support both IPv4 and IPv6, and internet service providers (ISPs) are offering IPv6 addresses to their customers.
Here are some of the benefits of switching to IPv6:
A larger address space: IPv6 has a much larger address space than IPv4, which means that there will be enough addresses for all the devices on the internet.
Improved security: IPv6 has some built-in security features that are not available in IPv4.
Simplified routing: IPv6 simplifies the routing of traffic on the internet, which can improve network performance.
Conclusion
IPv6 is the future of the internet, and it is important for businesses and organizations to start planning for the transition to IPv6. By switching to IPv6, businesses can ensure that their networks are future-proof and that they can take advantage of the benefits of the new protocol.
Connect with me on LinkedIn: https://linkedin.com/in/jdriscoll-76
References
Kurose, J. F., & Ross, K. (2020). Computer Networking (8th ed.). Pearson Education (US). https://ecpi.vitalsource.com/books/9780135928523
NOV 16, 2023
The History of Computer Networking
by James Driscoll
November 16, 2023
Ah, it’s the start of another new term in my quest for a master’s degree in cybersecurity, and the class on my list for the next five weeks is Advanced Networking. However, before we talk about advanced networking, let’s go back to the basics to have a solid foundation to build upon. This week is a history lesson in computer networking.
The Development of Packet Switching 1961-1972:
In the early 1960s, three research groups independently invented packet switching as an alternative to circuit switching for computer networks. Packet switching is more efficient and robust for bursty traffic, such as that generated by users of timeshared computers.
The first packet-switched computer network, the ARPAnet, was built in the United States in the late 1960s. By 1972, ARPAnet had grown to 15 nodes and had been given its first public demonstration. The first host-to-host protocol, the network-control protocol (NCP), was also completed in 1972, enabling the development of applications such as e-mail.
The Internet today is a direct descendant of the ARPAnet. It is a packet-switched network that uses the Internet Protocol (IP) to route packets between devices. IP is a simple but effective protocol that has allowed the Internet to grow and evolve over the years.
Proprietary Networks and Internetworking 1972-1982:
The initial ARPAnet was a closed network, but in the early to mid-1970s, additional packet-switching networks came into being, such as ALOHANet, Telenet, Cyclades, and Tymnet. Pioneering work on interconnecting networks (under the sponsorship of DARPA) was done by Vinton Cerf and Robert Kahn, who coined the term internetting. The early versions of TCP combined reliable in-sequence delivery of data with forwarding functions. Later, forwarding functions were separated out of TCP and the UDP protocol was developed, resulting in the three key Internet protocols that we see today: TCP, UDP, and IP. In addition to the DARPA Internet-related research, many other important networking activities were underway, such as the development of the ALOHA and Ethernet protocols.
A Proliferation of Networks 1980-1990:
By the end of the 1970s, the ARPAnet had approximately 200 hosts connected to it. The 1980s was a time of tremendous growth: the number of hosts connected to the public Internet reached 100,000 by the end of the decade. Much of this growth was due to the creation of new computer networks linking universities together, such as BITNET, CSNET, and NSFNET. In the ARPAnet community, many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS. In the early 1980s, France launched the Minitel project, a successful attempt to bring data networking into everyone's home.
The Internet Explosion 1990’s:
In the 1990s, the Internet evolved and commercialized. ARPAnet ceased to exist, NSFNET lifted its restrictions on commercial use, and NSFNET was then decommissioned. The World Wide Web, invented at CERN by Tim Berners-Lee, made the Internet accessible to a wider audience and enabled many new applications, including search, e-commerce, and social networks. The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing. The Internet stock market bubble burst in 2000-2001, but several companies emerged as big winners in the Internet space.
The New Millennium:
In the first two decades of the 21st century, the Internet has transformed society more than any other technology, along with Internet-connected smartphones. Innovation in computer networking continues at a rapid pace, with advances in all areas, including faster routers and higher transmission speeds in both access networks and backbones.
Some of the most notable developments of this period include:
Aggressive deployment of broadband Internet access to homes, including cable modems, DSL, fiber to the home, and 5G fixed wireless. This has set the stage for a wealth of video applications, including user-generated video, on-demand streaming of movies and television shows, and multi-person video conferencing.
Increasing ubiquity of high-speed wireless Internet access, enabling new location-specific applications such as Yelp, Tinder, and Waze. The number of wireless devices connecting to the Internet surpassed the number of wired devices in 2011. This high-speed wireless access has also set the stage for the rapid emergence of hand-held computers, such as iPhones, Androids, and iPads, which enjoy constant and untethered access to the Internet.
Emergence of online social networks, such as Facebook, Instagram, Twitter, and WeChat, which have created massive people networks on top of the Internet. Many of these social networks are extensively used for messaging and photo sharing. Many Internet users today "live" primarily within one or more social networks, which also create platforms for new networked applications, including mobile payments and distributed games.
Deployment of extensive private networks by online service providers, such as Google and Microsoft, which connect their globally distributed data centers and bypass the Internet as much as possible by peering directly with lower-tier ISPs. This allows Google to provide search results and e-mail access almost instantaneously.
Migration of many Internet commerce and other applications to the cloud, such as Amazon's EC2, Microsoft's Azure, and the Alibaba Cloud. Cloud companies provide scalable computing and storage environments, as well as implicit access to their high-performance private networks.
This completes today's history lesson on an overview of Computer Networking! See you again soon.
Connect with me on LinkedIn: https://linkedin.com/in/jdriscoll-76
References
Kurose, J. F., & Ross, K. (2020). Computer Networking (8th ed.). Pearson Education (US). https://ecpi.vitalsource.com/books/9780135928523
OCT 25, 2023
Compliance Standards
by James Driscoll
October 25, 2023
For week 4 of my Cloud Security course, we learned about privacy and security laws. This is a bit of a review as these were part of the CompTIA CySA+ exam I took back in February. So, I thought it would be a good idea to create a blog to briefly discuss each one.
The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; the Family Educational Rights and Privacy Act (FERPA); and finally, the European Union General Data Protection Regulation (EU GDPR). We will review these six frameworks below:
1. HIPAA Health Insurance Portability and Accountability Act: HIPAA became a law back in 1996 and was designed to facilitate employees changing jobs to take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).
2. PCI DSS Payment Card Industry Data Security Standard: The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).
3. GLBA Gramm-Leach-Bliley Act: This standard is applicable to the banking industry. The basic premise is that all financial institutions have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).
4. SOX Act Sarbanes-Oxley Act: This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors. It is named for the two members of Congress that sponsored it, Senator Paul S. Sarbanes, and Representative Michael G. Oxley (Kenton, 2022).
5. FERPA Family Educational Rights and Privacy Act: This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose. 1) Returns control of educational records back to the parents or to adult students. 2) Requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).
6. EU GDPR European Union General Data Protection Regulation: The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It does this by replacing the data protection directive (Directive 95/46/EC) of 1995. The regulation has been in effect since May 25, 2018 (Chapple & Seidl, 2022).
References
Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex.
Chapple, M., & Seidl, D. (2022). (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide. Wiley.
Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html
Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
HIPAA History. (n.d.). Retrieved from HIPAA Journal: https://www.hipaajournal.com/hipaa-history
Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp
Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20
Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76
OCT 11, 2023
Emerging Tech in Cloud Computing
by James Driscoll
October 11, 2023
This past week I started my third term in my quest for a master’s degree at ECPI. In the next five weeks I will be learning about cloud security. For the reading last week, I read about how blockchain technology can be used in cloud security. This is interesting as I had only heard about it in terms of cryptocurrency. So, I decided to do some more research, and this is what I found.
Blockchain technology is a distributed ledger technology that can be used to improve cloud security in several ways:
Decentralization: Blockchain is decentralized, meaning that it is not controlled by any single entity. This makes it more difficult for hackers to attack the system, as they would need to compromise most nodes in the network to succeed.
Transparency: All transactions on a blockchain are publicly visible, which makes it difficult to commit fraud or tamper with data. This transparency can also be used to audit the security of the cloud system.
Immutability: Once data is added to a blockchain, it cannot be changed without the consensus of the network. This makes blockchain ideal for storing sensitive data, such as customer records or financial data.
Below are some specific ways that blockchain technology can be used to improve cloud security:
Data encryption: Blockchain can be used to encrypt data stored in the cloud, making it more difficult for hackers to access and steal.
Access control: Blockchain can be used to implement access control policies for cloud resources, ensuring that only authorized users have access to sensitive data.
Audit logging: Blockchain can be used to create audit logs of all activity on a cloud system. This can be used to detect and investigate security incidents.
Key management: Blockchain can be used to manage cryptographic keys used to encrypt and authenticate data in the cloud. This can help to prevent unauthorized access to sensitive data (Gupta, Siddiqui, Alam, & Shuaib, 2019).
Some examples of blockchain-based cloud security solutions include:
Siacoin: Siacoin is a decentralized cloud storage platform that uses blockchain technology to store data securely and efficiently (Siacoin, n.d.).
Storj: Storj is another decentralized cloud storage platform that uses blockchain technology. Storj also offers encryption and access control features (Storj, n.d.).
Keyless: Keyless is a blockchain-based key management platform that helps organizations to manage their cryptographic keys securely (Authenticate People, Not Just Devices, n.d.).
Blockchain technology is still in its early stages of development, but it has the potential to revolutionize cloud security. As blockchain-based security solutions continue to mature, we can expect to see them adopted by more and more organizations.
Below are some additional thoughts on the use of blockchain technology in cloud security:
Blockchain can help to reduce the risk of data breaches. By decentralizing data storage and access control, blockchain makes it more difficult for hackers to steal or tamper with data.
Blockchain can help to improve compliance. By providing a transparent and auditable record of all activity, blockchain can help organizations to comply with regulations such as GDPR.
Blockchain can help to reduce costs. By eliminating the need for intermediaries, blockchain can help organizations to save money on cloud security costs.
Overall, blockchain technology has the potential to significantly improve cloud security. As blockchain-based security solutions continue to develop and mature, we can expect to see them adopted by more and more organizations (Gupta, Siddiqui, Alam, & Shuaib, 2019).
References
Authenticate People, Not Just Devices. (n.d.). Retrieved from Keyless: https://keyless.io/
Gupta, A., Siddiqui, S. T., Alam, S., & Shuaib, M. (2019). Cloud Computing Security Using Blockchain. Journal of Emerging Technologies and Innovative Research (JETIR), 791-794.
Siacoin. (n.d.). Retrieved from CoinMarketCap: https://coinmarketcap.com/currencies/siacoin/
Storj. (n.d.). Retrieved from Storj: https://www.storj.io/
Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76
SEP 28, 2023
Audit First Methodology
by James Driscoll
September 28, 2023
This week in my Security Architecture and Design course we discussed a concept called an Audit First Methodology.
The Audit First methodology is a risk-based approach to auditing that focuses on identifying and assessing risks early in the audit process. This allows auditors to focus their resources on the areas of highest risk and to develop a more tailored audit approach. It is implemented via the following steps:
Threat Analysis. The goal of this step is to focus on the threats that are most likely and most dangerous, or a combination of the two. This allows the organization to prioritize its resources and address the greatest risk first.
Audit Controls. The goal of this step is to create threat audit controls that search for threat activities (also known as threat hunting). These controls should be tailored to the specific threats that the organization is facing.
Forensic Controls. The goal of this step is to ensure that these controls are properly configured to log the data that is needed to investigate likely threat scenarios first. Logs that are less likely to be needed in an investigation do not need to be as easily accessible as other logs.
Detective Controls. The goal of this step is to create effective and efficient controls that alert on suspected attacker activity while minimizing false positives and maximizing the probability of detecting attacks.
Preventive Controls. The goal here is to block undesired activities and prevent them from occurring. While important, organizations should focus more on the other controls. These controls can be disruptive to the business to implement and operate, and they may not be effective against determined attackers (Donaldson, Siegel, Williams, & Aslam, 2015).
There are numerous benefits to utilizing this methodology, including:
It allows auditors to focus their resources on the areas of highest risk.
It helps to ensure that the audit is tailored to the specific needs of the organization.
It can help to identify and address risks early on before they cause problems.
It can improve communications between auditors and management (Donaldson, Siegel, Williams, & Aslam, 2015).
The only challenge that I anticipate in using the Audit First Methodology is the reluctance to focus more on the other controls versus the preventive controls. As stated in the textbook, organizations typically put more stock in preventive controls (Donaldson, Siegel, Williams, & Aslam, 2015). The way around this challenge is to explain the benefits of following the Audit First Methodology while emphasizing the downside of focusing on the preventive controls, in a language that the business side of the organization can understand. Typically, this is done by translating the cybersecurity jargon over to business jargon.
References
Donaldson, S., Siegel, S., Williams, C. K., & Aslam, A. (2015). Enterprise Cybersecurity. Springer Nature.
Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76
SEP 13, 2023
Enterprise Security Architecture
by James Driscoll
September 13, 2023
This week for Blog by CC Weekly, I am continuing with sharing my master’s degree cybersecurity course assignments with you. The class this term is Security Architecture and Design. First, this blog will discuss some of the challenges and benefits of implementing an enterprise security architecture. Second, we will look at how organizations can overcome some of those challenges. Third, it will analyze the importance of logical and physical security. Finally, I give my thoughts and opinions on which are more important. Discover more below:
Challenges and benefits to implementing an enterprise security architecture:
Challenges:
Lack of communication and coordination: An enterprise security architecture (ESA) requires coordination and communication between different departments and teams within an organization. This can be difficult to achieve, especially in large or complex organizations.
Lack of understanding of the need for security: Not everyone in an organization may understand the importance of security or may not be willing to take the necessary steps to protect information. This can make it difficult to implement and enforce security measures.
Cost: Implementing an ESA can be expensive, especially for large organizations. This can be a barrier to adoption, especially in organizations with limited resources.
Complexity: ESAs can be complex and difficult to implement. This can lead to problems such as implementation delays, errors, and security gaps.
Change management: Implementing an ESA often requires changes to the way an organization does business. This can be disruptive and difficult to manage.
Benefits:
Reduced risk: An ESA can help to reduce the risk of a security breach by providing a comprehensive framework for protecting information.
Improved compliance: An ESA can help organizations to comply with industry regulations and standards.
Increased efficiency: An ESA can help to improve the efficiency of security operations by providing a centralized view of the security landscape.
Enhanced visibility: An ESA can help to improve visibility into the security posture of an organization, which can help to identify and address security risks more quickly.
Improved decision-making: An ESA can provide decision-makers with the information they need to make informed decisions about security.
Policies and business processes that may help companies overcome their challenges:
Establish a security governance framework: This framework should define the roles and responsibilities of different stakeholders in the security program, as well as the processes and procedures for managing security risks.
Develop security policies and procedures: These policies should be aligned with the security governance framework and should define the specific security controls that are required to protect the organization's information assets.
Implement security controls: This includes deploying security technologies, such as firewalls and intrusion detection systems, as well as implementing security procedures, such as password management and user training.
Monitor and enforce security controls: This includes regularly reviewing security logs and reports to identify potential security incidents, as well as taking steps to remediate any vulnerabilities that are identified.
Continuously improve the security program: This includes regularly reviewing the security policies and procedures to ensure that they are still effective, as well as implementing new security controls as needed.
The Importance of logical and physical security:
Logical security is the protection of digital information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Some of the methods used include: 1) user authentication, 2) access control, 3) encryption, 4) firewalls, and 5) intrusion detection systems.
Physical security refers to the protection of physical assets, including buildings, equipment, and data centers, from unauthorized access, use, damage, or theft. Some of the methods utilized include: 1) access control, 2) security guards, 3) video surveillance, 4) intrusion detection systems, and 5) fire protection.
Defend why you feel logical or physical security is more important for an organization.
Neither logical nor physical security is more important than the other. Logical and physical security are complementary and should be implemented together to provide a comprehensive security solution. By protecting both digital and physical assets equally, organizations can reduce the risk of a security breach.
References
Ghaznavi-Zadeh, R. (2017, July 28). Enterprise Security Architecture - A Top-down Approach. Retrieved from ISACA: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecturea-top-down-approach
Joint Task Force. (2020, September). Security and Privacy Controls for Information Systems and Organizations. Retrieved from NIST: https://doi.org/10.6028/NIST.SP.800-53r5
Melendez, J. C., Luse, A., Townsend, A. M., & Mennecke, B. (2008). Convergence of Physical and Logical Security: A Pre-implementation Checklist. MWAIS 2008 Proceedings, (p. 10).
Ramani, G. (2015, December 1). Challenges in Implementing Enterprise-Wide CyberSecurity Strategy. Retrieved from LinkedIn: https://www.linkedin.com/pulse/challenges-implementing-enterprise-wide-cyber-security-ganesan-ramani/
What is Security Architecture, and What do You Need to Know. (2022, February 9). Retrieved from Dig8ital: https://www.dig8ital.com/post/what-is-security-architecture-and-what-do-you-need-to-know
Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76
AUG 30, 2023
Technological Convergence
by James Driscoll
August 30, 2023
For the last week of my Ethical and Human Aspects in Cybersecurity course, we talked about Technological Convergence. So, what is it? Technological convergence is the process by which different technologies merge and evolve into new forms that can fulfill multiple functions. This means that devices and applications that were once separate and distinct are now becoming more integrated and interconnected (McGuigan, 2023). The smartphone is a prime example of technological convergence. It combines the functions of a phone, a computer, a camera, a music player, and more into a single device. This makes it more convenient for users to access all their favorite content and services from one place.
There are numerous potential social and ethical concerns that can arise due to technological convergence. They include:
Privacy: As more and more devices become interconnected, they collect and store more and more data about us. This data can be used to track our movements, monitor our activities, and even predict our behavior. This raises concerns about our privacy and the potential for this data to be used for malicious purposes.
Security: The interconnectedness of devices also makes them more vulnerable to cyberattacks. If one device is hacked, it could potentially compromise the security of all the devices that are connected to it. This could lead to the theft of personal data, financial information, or even intellectual property.
Employment: Technological convergence is leading to the automation of many jobs. This could lead to widespread unemployment, as machines take over the tasks that are currently performed by humans. This could have a significant impact on the economy and society.
Inequality: The benefits of technological convergence are not being evenly distributed. Those who have access to the latest technologies are likely to benefit the most, while those who do not have access may be left behind. This could lead to increased inequality and social unrest.
Bias: Technological systems are often biased, reflecting the biases of the people who create them. This could lead to discrimination against certain groups of people on the basis of race, gender, or sexual orientation.
Environmental impact: The production and use of technology have a significant environmental impact. This includes the emission of greenhouse gases, the depletion of natural resources, and the generation of waste. Technological convergence could exacerbate these problems (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).
Technological convergence can jeopardize a company's code of conduct in several ways, including:
Data collection and privacy: As more and more devices become interconnected, they collect and store more and more data about us. This data can be used to track our movements, monitor our activities, and even predict our behavior. This raises concerns about our privacy and the potential for this data to be used for malicious purposes. For example, a company might use data collected from its employees' smartwatches to track their movements and productivity. This could violate the company's code of conduct, which might promise to respect employee privacy.
Security: The interconnectedness of devices also makes them more vulnerable to cyberattacks. If one device is hacked, it could potentially compromise the security of all the devices that are connected to it. This could lead to the theft of personal data, financial information, or even intellectual property. For example, a company might be hacked if its employees' laptops are infected with malware. This could lead to the theft of confidential company information.
Ethical use of technology: Technological convergence can also raise ethical concerns about the use of technology. For example, a company might use facial recognition technology to track its employees' movements. This could be seen as an invasion of privacy and a violation of the company's code of conduct.
Discrimination: Technological systems are often biased, reflecting the biases of the people who create them. This could lead to discrimination against certain groups of people on the basis of race, gender, or sexual orientation. For example, a company might use a facial recognition system that is biased against people of color. This could lead to the company discriminating against these people in its hiring practices (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).
It is important for companies to be aware of the potential ethical and legal implications of technological convergence and to take steps to mitigate these risks. This includes updating their codes of conduct to reflect the challenges posed by new technologies.
Here are some specific things that companies can do to mitigate the risks of technological convergence:
Be transparent about data collection and use: Companies should be transparent about the data they collect from their employees and customers, and how they use this data. This can help to build trust and avoid violating privacy expectations.
Implement strong security measures: Companies should implement strong security measures to protect their data from unauthorized access. This includes using encryption, firewalls, and other security technologies.
Educate employees about ethical use of technology: Companies should educate their employees about the ethical use of technology. This includes training them on how to use technology responsibly and how to avoid violating company policies.
Monitor for bias: Companies should monitor their technology systems for bias. This can help to identify and address any potential discrimination issues.
By taking these steps, companies can help to mitigate the risks of technological convergence and protect their employees, customers, and data (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).
References
McGuigan, B. (2023, August 10). What is Technological Convergence. Retrieved from Easy Tech Junkie: https://www.easytechjunkie.com/what-is-technological-convergence.htm#google_vignette
Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues. (2019, May 30). Retrieved from Every CRS Report: https://www.everycrsreport.com/reports/R45746.html#:~:text=Technological%20convergence%20poses%20three%20potential,security%2C%20and%20theft%20of%20data
AUG 16, 2023
Cybersecurity in the Global Economy
by James Driscoll
August 16, 2023
Last week in my Ethics and Human Aspects of Cybersecurity class, the topic of cybersecurity in the global economy came up; specifically, whether it is possible. Below is my take on this topic.
In 2023, the concept of an individual country's economy no longer exists. Anything that affects one country’s economy affects the economies of other countries. We truly have a global economy. Now, when I talk about anything, I mean absolutely anything. It could be something as innocent as the weather or something more malicious, such as a cyber-attack. An example of a cyber-attack with the potential to affect the global economy is the Stuxnet worm.
What is the Stuxnet worm? This piece of malware was created in 2010 with the purpose of attacking Industrial Control Systems (ICS) (Mueller & Yadegari, 2012). For anyone who does not know, an ICS is used in sectors such as “manufacturing, transportation, energy, and water treatment” (Industrial Control System, n.d.).
Now, since the sectors mentioned above exist all over the world, the potential impact on the global economy is huge. Let us look at the energy sector as an example. Energy is not only a necessity, but changes in its supply almost immediately affect the global economy, and right now we get that energy from oil. A simple change in production output by Saudi Arabia can cause energy prices to fluctuate, which in turn causes the prices of other products to fluctuate around the world.
What can be done against countries that either actively engage in cyberespionage and cyber-attacks or sponsor people who do? Well, the main tactic used is financial sanctions. The theory is that limiting the amount of business they can conduct, hitting them in the wallet so to speak, should deter them from engaging in criminal activity. Based on events over the past three years, I am not a fan of it. Perhaps if it is done swiftly and comprehensively it may have the desired effect, but I am not so sure.
There is another tactic that can be used to deter cyber-attacks called “hacking back,” sometimes referred to as “active cyber defense.” However, these two terms are completely different. Techniques and tactics normally associated with active cyber defense include utilizing honeypots to study and gain information about cyber-attackers. It also includes scanning your network and looking through logs to find Indicators of Compromise (IoCs).
Hacking back is just what it sounds like: the victim of a cyber-attack attacking the attacker. This is not recommended, as it is illegal under 18 U.S. Code Section 1030, Fraud and Related Activity in Connection with Computers, also known as the Computer Fraud and Abuse Act (CFAA) (18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers, n.d.).
The Russian invasion of Ukraine has brought up an interesting dilemma: whether it is acceptable for countries engaged in a conventional war to also engage in cyberespionage. After reading the ACM Code of Ethics, the answer to that is a resounding no. The reason is that Section 1, point 1.2, stipulates that practitioners should avoid causing harm (ACM Code of Ethics Booklet, 2018).
Finally, there is the question of whether cybersecurity is possible in a global economy. According to ISACA, there are eight requirements that every country would need to adopt: 1) adopt a security-by-design model, 2) teach cybersecurity awareness to everyone, 3) follow applicable cyber laws, 4) participate in international cooperation, 5) establish and maintain an acceptable number of cybersecurity practitioners, 6) create strong deterrence mechanisms, 7) follow NIST frameworks, and 8) emphasize internet freedom (Ramachandran, 2019). Until these eight requirements are met, true cybersecurity cannot be achieved in a global economy. The best we can hope for is cyber resiliency.
References
18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from Cornell Law School, Legal Information Institute: https://www.law.cornell.edu/uscode/text/18/1030
ACM Code of Ethics Booklet. (2018). Retrieved from ACM: https://www.acm.org/binaries/content/assets/about/acm-code-of-ethics-booklet.pdf
Mueller, P., & Yadegari, B. (2012). The Stuxnet Worm. Retrieved from University of Arizona: https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/topic9-final/report.pdf
Ramachandran, R. (2019, January 23). Cybersecurity and its Critical Role in Global Economy. Retrieved from ISACA: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2019/cybersecurity-and-its-critical-role-in-global-economy
JUL 5, 2023
The Fourth Amendment in the Digital Age
by James Driscoll
July 5, 2023
Living in America comes with numerous rights as laid out in the Constitution. One of those rights is covered by the Fourth Amendment, which states: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (Constitution of the United States: Fourth Amendment, n.d.). This is basically our right to privacy. So, what do I suggest this means? The government is prohibited from searching us and taking our property without a good reason.
When the Constitution was written, the technology we have today did not exist. So, this begs the question of how that technology impacts our right to privacy. Perhaps this is not the right question to be asking. Perhaps the question we should be asking is whether there is a way to adapt the Fourth Amendment so that the technology we have today is included in its protections. The reason I say that is because, as I said earlier, the technology we have today did not exist when the Fourth Amendment was written. Let’s look at what was around at that time: specifically, houses, papers, and effects (property). That means the original meaning behind the Fourth Amendment is that the government cannot search a person’s house and take papers or property just because it wants to (Brenner, 2005).
So, taking the original meaning into consideration, the means of communication we have today (telephone, email, instant messaging, online communications, etc.) would all be fair game for being searched and seized by the government for any reason. That is because the Fourth Amendment is the basis for property law, and what is needed is additional legislation that covers the technology we have today. This is where legislation such as wiretapping laws comes into play. What this basically does is extend Fourth Amendment protections to the technology we have today (Kerr, 2003).
Now, I am all in favor of the Fourth Amendment and any legislation associated with it, and as such I do not believe the government has an obligation to monitor all internet traffic.
I need to mention the Patriot Act, which was enacted after the attacks of 11 September 2001. The basic premise of the Patriot Act was to expand the government’s ability to conduct searches on U.S. citizens with little to no evidence to warrant them. The problem is that some sections reduce the protections of the Fourth Amendment while other sections outright violate it (Surveillance Under the USA/Patriot Act, 2001).
Here is the thing, everyone: I understand why the Patriot Act was pushed through. It was pushed through to prevent another terrorist attack. The problem with it is that we have lost our right to privacy for something that does not work. Let me explain my personal observation and opinion further. I don’t know about anyone else, but I would consider all the mass shootings we have had in 2023 alone to be terrorist attacks.
With all of these attacks, the people committing them posted their plans online beforehand and the government knew nothing about it. It was not until after the attack that their online presence was investigated and the evidence found. Why are we losing our Fourth Amendment right to privacy when we are no more protected than before?
References
Brenner, S. W. (2005). The Fourth Amendment in an Era of Ubiquitous Technology. Mississippi Law Journal, 75.
Constitution of the United States: Fourth Amendment. (n.d.). Retrieved from Congress: https://constitution.congress.gov/constitution/amendment-4/
Kerr, O. S. (2003). The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution. Michigan Law Journal, 801-839.
Surveillance Under the USA/Patriot Act. (2001, October 23). Retrieved from ACLU: https://www.aclu.org/documents/surveillance-under-usapatriot-act
JUN 28, 2023
IoT Devices and Mirai Botnet
by James Driscoll
June 28, 2023
No matter where we look, we are bound to see an IoT device. So, what exactly is an IoT device? Basically, an IoT device is a device with sensors, processors, software, and network capability embedded inside it. Some examples include smart home devices (smart thermostats and smart appliances), smart watches, and even self-driving vehicles and Industrial Control Systems (ICS) (Stair & Reynolds, 2020).
Now, while IoT devices were designed to make life easier, they are inherently vulnerable to attack. The reason lies in their design: they are meant to be pulled out of the box and easily connected to a network using a default username and default password. This is done for ease of use, not security.
An example of just how vulnerable IoT devices are, and what a threat actor can accomplish with them, is the Mirai botnet attack. In late 2016, several high-profile targets were hit with a Distributed Denial-of-Service (DDoS) attack. The source of this attack was approximately 600,000 compromised IoT devices that had become a botnet called Mirai. The botnet started in August 2016 and ran until late February 2017, when the threat actor was identified and arrested. The malware used to compromise these devices used rapid scanning to find a potential target and, once one was found, immediately started brute-forcing the username and password via port 23 (Telnet). Once compromised, the devices sat and waited for the threat actor to issue the commands to start the DDoS attack (Antonakakis, et al., 2017).
What is interesting about this incident is how the threat actor was identified and subsequently arrested. The successful attribution was due to analysis of data gathered through honeypots and DNS data. In addition, the original source code was published online by the threat actor. While this was helpful in leading to attribution, it also paved the way for other threat actors to create their own botnets and add to the ongoing incident (Antonakakis, et al., 2017). The fact that the Mirai botnet was shut down in five months speaks volumes about the amount of time and effort that went into fighting this attack.
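The two behaviours described above, rapid probing of port 23 followed by a burst of failed Telnet logins, are what a defender watching firewall and honeypot logs can alert on. The following Python detection logic is an added example, not code from the original post or from the Mirai paper; the two log formats (a netfilter-style firewall line and a honeypot telnetd line), the thresholds and the addresses are assumptions constructed for the illustration.

```python
"""Mirai-style Telnet scan / brute-force detection over log lines.

Added example, not from the original post or the Mirai paper.  The two log
formats below (a netfilter-style firewall line and a honeypot telnetd line)
are constructed for this illustration; real sources need their own regexes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses only).  One source
# probes port 23 on six hosts in three seconds, then fails six logins on a
# honeypot in six seconds.  A second source fails once every 30 minutes,
# which is noisy but not a brute-force burst.  A third logs in normally.
SAMPLE_LOG = """\
2016-09-20T03:14:07Z fw: SRC=198.51.100.23 DST=192.0.2.10 DPT=23 PROTO=TCP SYN
2016-09-20T03:14:07Z fw: SRC=198.51.100.23 DST=192.0.2.11 DPT=23 PROTO=TCP SYN
2016-09-20T03:14:08Z fw: SRC=198.51.100.23 DST=192.0.2.12 DPT=23 PROTO=TCP SYN
2016-09-20T03:14:08Z fw: SRC=198.51.100.23 DST=192.0.2.13 DPT=23 PROTO=TCP SYN
2016-09-20T03:14:09Z fw: SRC=198.51.100.23 DST=192.0.2.14 DPT=23 PROTO=TCP SYN
2016-09-20T03:14:09Z fw: SRC=198.51.100.23 DST=192.0.2.15 DPT=23 PROTO=TCP SYN
2016-09-20T03:14:10Z telnetd: login failed user=root src=198.51.100.23
2016-09-20T03:14:11Z telnetd: login failed user=admin src=198.51.100.23
2016-09-20T03:14:12Z telnetd: login failed user=root src=198.51.100.23
2016-09-20T03:14:13Z telnetd: login failed user=admin src=198.51.100.23
2016-09-20T03:14:14Z telnetd: login failed user=root src=198.51.100.23
2016-09-20T03:14:15Z telnetd: login failed user=support src=198.51.100.23
2016-09-20T03:20:00Z fw: SRC=203.0.113.5 DST=192.0.2.10 DPT=22 PROTO=TCP SYN
2016-09-20T03:20:05Z telnetd: login failed user=admin src=203.0.113.5
2016-09-20T03:50:05Z telnetd: login failed user=admin src=203.0.113.5
2016-09-20T04:20:05Z telnetd: login failed user=admin src=203.0.113.5
2016-09-20T04:50:05Z telnetd: login failed user=admin src=203.0.113.5
2016-09-20T05:20:05Z telnetd: login failed user=admin src=203.0.113.5
2016-09-20T05:21:00Z telnetd: login ok user=admin src=192.0.2.50
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) fw: SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) user=\S+ src=(?P<src>\S+)$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def max_distinct_in_window(events, window: timedelta) -> int:
    """Largest number of distinct keys among (timestamp, key) events that fall
    inside any interval of length `window` (sliding two-pointer scan)."""
    events = sorted(events)
    counts = {}
    best = start = 0
    for ts, key in events:
        counts[key] = counts.get(key, 0) + 1
        while ts - events[start][0] > window:       # evict events that fell out of the window
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect(lines, window=timedelta(seconds=60), scan_hosts=5, fail_count=5):
    """Return sorted (alert_kind, source, count) tuples for sources that probe
    port 23 on >= scan_hosts distinct destinations, or fail >= fail_count
    Telnet logins, within `window`."""
    syn_events = defaultdict(list)   # src -> [(ts, dst)]
    fail_events = defaultdict(list)  # src -> [(ts, line_no)]; line_no keeps each failure distinct
    for n, line in enumerate(lines):
        m = FW_RE.match(line)
        if m:
            if m["dpt"] == "23":
                syn_events[m["src"]].append((parse_ts(m["ts"]), m["dst"]))
            continue
        m = LOGIN_RE.match(line)
        if m and m["result"] == "failed":
            fail_events[m["src"]].append((parse_ts(m["ts"]), n))
    alerts = []
    for src, evs in syn_events.items():
        hosts = max_distinct_in_window(evs, window)
        if hosts >= scan_hosts:
            alerts.append(("telnet_scan", src, hosts))
    for src, evs in fail_events.items():
        fails = max_distinct_in_window(evs, window)
        if fails >= fail_count:
            alerts.append(("telnet_bruteforce", src, fails))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Widening the window (for example to two hours) turns the slow, spread-out failures from the second source into an alert as well, which is the trade-off between catching low-and-slow guessing and drowning in false positives on devices still using default credentials.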
So, the question that needs to be answered is how we prevent this type of attack in the future. The United States government takes securing IoT devices so seriously that they are included in the National Cybersecurity Strategy published in March 2023. The main strategy mentioned there is the use of labeling. It would be like the labels on food products, but instead of listing ingredients, these labels would state which security controls an individual device uses. This would allow organizations and private citizens to easily compare multiple devices and choose the one that works best for them (Biden, 2023).
Also, the Cybersecurity and Infrastructure Security Agency (CISA) has some basic tips that everyone can follow: 1) change default login credentials (username and password); 2) keep devices patched and updated; 3) adjust the device's security settings, with the goal of having enough security while still maintaining usability; and 4) decide whether the device needs a constant connection to the internet and, if it does, consider placing it on its own network segment (Securing the Internet of Things (IoT), 2021).
References
Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., & Zhou, Y. (2017). Understanding the Mirai Botnet. 26th USENIX Security Symposium, pp. 1093-1110.
Biden, P. (2023). National Cybersecurity Strategy. p. 20.
Securing the Internet of Things (IoT). (2021, February 01). Retrieved from CISA: https://www.cisa.gov/news-events/news/securing-internet-things-iot
Stair, R., & Reynolds, G. (2020). Principles of Information Systems (14th ed.). Cengage Learning US.
JUN 21, 2023
The CIA Triad and the Election
by James Driscoll
June 21, 2023
Of the three elements of the CIA triad, two are questioned after every election: integrity and availability. Of those two, integrity gets the most publicity. So, why the disparity between these three elements? Well, integrity is the most important, as it is imperative that the American people perceive that the vote they cast has not been changed before it is counted (ELECTION INFRASTRUCTURE CYBER RISK ASSESSMENT, 2020). Availability comes in second because, while it is important for all eligible citizens to be able to vote, when there is a problem (usually mechanical) there are options that can be used to ensure everyone can vote. Finally, confidentiality is last.
So, how did we get to this point? Well, we need to look back at the Help America Vote Act, which was signed into law in 2002. While this law came from the federal government, it leaves the decision-making up to the individual states, as it only set minimum guidelines for what the states could do. Because of this, many states have decided not to update their voting equipment. Specifically, “as of 2016 43 states were using equipment that was 10 years old or older” (King & Michael, 2016).
Why mention that? Because the technology is always changing. First there were only paper ballots; now we can not only vote electronically, but also have our paper ballots scanned by a machine. Next on the horizon will be the ability to vote online.
Now, online voting, while convenient, only makes integrity more important, as with current technology it would be ripe for cyber-attacks and other fraud-related issues. One question that gets raised during every Presidential election is that of foreign interference. This would be more prevalent with online voting, as virtually anyone anywhere could initiate an attack affecting both the availability and the integrity of the election. Multiple studies on this subject have been conducted by numerous groups of computer experts, and the consensus is that a lot of work needs to be done to ensure the availability and integrity of the system before it is implemented (Von Spakovsky, 2015).
References
ELECTION INFRASTRUCTURE CYBER RISK ASSESSMENT. (2020, July 28). Retrieved from CISA: https://www.cisa.gov/sites/default/files/publications/cisa-election-infrastructure-cyber-risk-assessment_508.pdf
King, C., & Michael, T. (2016). Security of Electronic Voting in the United States. The CIP Report.
Von Spakovsky, H. (2015). The Dangers of Internet Voting. The Heritage Foundation.
JUN 7, 2023
Research and Documentation in Cybersecurity
by James Driscoll
June 7, 2023
Cybersecurity is a constantly evolving field, and it is important for organizations to stay up-to-date on the latest threats and trends. One way to do this is to conduct research and documentation.
Purpose of Academic Research
Academic research is the process of gathering information, analyzing it, and drawing conclusions. It can be used to gain new knowledge, improve understanding, and develop new solutions.
In the field of cybersecurity, academic research can be used to:
Identify new threats and vulnerabilities
Develop new security measures
Improve understanding of how cyberattacks work
Test the effectiveness of security solutions
Relevance to Cybersecurity
Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.
Research and documentation can also help organizations to improve their incident response capabilities. By understanding how cyberattacks work, organizations can develop plans to respond to incidents more effectively.
Definition of "Scholarly" Articles
When conducting research, it is critical to use scholarly information. Information from sources like blog sites and Wikipedia is not scholarly information. A scholarly article is a research paper that has been published in a peer-reviewed journal. Peer review is a process in which experts in the field review the paper and provide feedback before it is published.
Scholarly articles are an important source of information for cybersecurity professionals. They provide up-to-date information on the latest threats and trends, and they can help professionals to develop and implement effective security measures.
Cybersecurity Example
A recent study in the Journal of Medicine found that hospitals are at high risk of cyberattacks. The study found that the complexity of hospital networks makes them easy targets for attackers. It also found that two factors correlate with a hospital's risk of being attacked: network complexity and internal stakeholders.
The study's findings highlight the importance of research and documentation in cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.
Conclusion
Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack. There are many resources available online and in libraries. You can also find a wealth of information by attending conferences and workshops. By staying up-to-date on the latest threats and trends, you can help to protect your organization from cyberattacks.
References
Carcary, M. (2021, February 23). The Research Audit Trail: Methodological Guidance for Application in Practice. Electronic Journal of Business Research Methods.
Jalali, M. S., & Kaiser, J. P. (2018, May 28). Cybersecurity in Hospitals: A Systemic, Organizational Perspective. Journal of Medicine.
Morganelli, M. (2023, April 10). What is a Scholarly Source. Retrieved from SNHU.
Scholar. (n.d.). Retrieved from Merriam-Webster.
MAY 24, 2023
QR Code Safety
by James Driscoll
May 24, 2023
QR codes are everywhere, and they are here to stay. They show up on TV during daytime talk shows and during televised sporting events. They are used in restaurants to access menus and to pay for parking in some cities. They are even used to set up MFA. I recently had to use one to add ECPI to a Block Cert wallet so they can send me a digital copy of my degree. It is futile to try to avoid using them entirely. Now, there are risks associated with QR codes, as criminals can create fake malicious sites to steal money or personal information. So, how do we stay safe when using them?
Great question! Here are some tips to help you stay safe when using QR codes:
Only scan QR codes from trusted sources. If you see a QR code in a public place, such as on a poster or flyer, be careful before scanning it. It could be linked to a malicious website or app. Only scan QR codes from sources that you trust, such as businesses or organizations that you know.
Check the URL before scanning. When you scan a QR code, your phone will show you the URL of the website or app that it is linked to. Take a moment to check the URL before you click on it. If the URL looks suspicious, don't click on it.
Use a security app. There are numerous security apps available that can help you scan QR codes safely. These apps can scan QR codes for malicious content and warn you if they find anything suspicious. One of those is the “QR Scanner” from Trend Micro. It not only blocks dangerous sites associated with the QR code, but also alerts the user to the danger.
Be aware of phishing scams. Phishing scams are a common way for hackers to steal personal information. In a phishing scam, the hacker will send you a message that looks like it is from a legitimate company. The message will ask you to click on a link or enter your personal information. If you receive a message from a company that you do business with, don't click on any links in the message. Instead, go to the company's website directly and log in there.
By following these tips, you can help to protect yourself from the risks associated with using QR codes.
Additional tips:
If you are using a public Wi-Fi network, be especially careful when scanning QR codes. Hackers can use public Wi-Fi networks to intercept your traffic and steal your personal information.
Keep your phone's operating system and security software up to date. This will help to protect your phone from known vulnerabilities.
Be aware of the risks associated with scanning QR codes from unknown sources. If you are not sure whether a QR code is safe, do not click on it.
MAY 17, 2023
Network Attached Storage
by James Driscoll
May 17, 2023
We all know that backing up our organization's data is critical to being able to recover from a disaster or incident. Now, there are numerous methods that can be used to accomplish data backup. They include external hard drives, USB drives, optical media (CDs or DVDs), cloud storage, and finally Network Attached Storage (NAS). NAS is going to be the focus of this blog.
So, what is a NAS? Basically, it is a dedicated file storage system that is attached to a network. One concept associated with a NAS is RAID (Redundant Array of Independent Disks). Some of you might be wondering what RAID is, and that is a good question. RAID is a data storage virtualization technology that combines multiple physical disks into one or more logical units. The reason this is done is usually redundancy, although some configurations trade redundancy for performance.
When using RAID, there are several configurations that can be utilized. They all have pros and cons that need to be considered to ensure the most appropriate configuration is used. Those configurations are discussed below.
RAID 0 – With this configuration the data is split up and written (striped) across all the disks.
· Advantages – more drives means better performance. Good for applications that need high throughput.
· Disadvantages – no redundancy.
RAID 1 – With this configuration, an even number of disks is utilized, and the same data is written to all disks (mirroring).
· Advantages – provides redundancy.
· Disadvantages – costly.
RAID 3 – With this configuration, data is striped at the byte level across every drive except one, and parity is used for error correction. The last drive is dedicated to parity, which is a way to protect the data from a drive failure without the added cost of mirroring.
· Advantages – good performance for applications that need large sequential data access.
· Disadvantages – requires 1.25 times the size of the data disks. Rarely used.
RAID 4 – Same as RAID 3 except striping is done at the block level rather than the byte level.
· Advantages – can write to a single disk without rewriting an entire stripe.
· Disadvantages – write performance suffers due to the single parity drive.
RAID 5 – With this configuration, the drives utilize striping and can also be written to independently.
· Advantages – there is no dedicated parity drive; parity information is evenly distributed across all drives in the array. Error correction is available. Since all blocks of data are written at the same time, read/write times are improved. Can survive one disk failure.
· Disadvantages – none to speak of.
RAID 6 – This configuration is like RAID 5 except for an additional parity element.
· Advantages – able to survive two drive failures.
· Disadvantages – requires a minimum of four disks. Since there are two parity elements, rebuilding failed drives takes longer (EMC Education Services, 2005).
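To make the parity idea behind RAID 3 through RAID 6 concrete, here is an added Python simulation (not code from the original post or from the EMC text) of RAID 5: data is striped across the disks with an XOR parity block whose position rotates from stripe to stripe, one failed disk is rebuilt from the survivors, and a second simultaneous failure is shown to be unrecoverable with single parity, which is exactly what RAID 6's extra parity element addresses. The block size and sample data are assumptions for the illustration.

```python
"""RAID 5 striping with rotating XOR parity, and single-disk rebuild.

Added illustration, not from the original post or the cited EMC text.  Disk
contents are Python byte strings; the block size is tiny so layouts are
easy to inspect.
"""
from functools import reduce

BLOCK = 4  # bytes per block (assumption for the illustration)


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk_for(stripe: int, disks: int) -> int:
    """RAID 5 rotates the parity block: stripe 0 puts it on the last disk,
    stripe 1 on the one before, and so on (no dedicated parity drive)."""
    return (disks - 1 - stripe) % disks


def raid5_write(data: bytes, disks: int):
    """Stripe `data` across `disks` drives.  Returns one list of blocks per
    disk.  Every stripe holds disks-1 data blocks plus one parity block equal
    to the XOR of those data blocks."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    stripe_bytes = BLOCK * (disks - 1)
    data = data + b"\x00" * ((-len(data)) % stripe_bytes)   # pad the last stripe
    layout = [[] for _ in range(disks)]
    for s in range(len(data) // stripe_bytes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i:i + BLOCK] for i in range(0, stripe_bytes, BLOCK)]
        parity_disk = parity_disk_for(s, disks)
        data_blocks = iter(blocks)
        for d in range(disks):
            layout[d].append(xor_blocks(blocks) if d == parity_disk else next(data_blocks))
    return layout


def raid5_read(layout, length: int) -> bytes:
    """Read the data back, skipping each stripe's parity block."""
    disks = len(layout)
    out = bytearray()
    for s in range(len(layout[0])):
        parity_disk = parity_disk_for(s, disks)
        for d in range(disks):
            if d != parity_disk:
                out += layout[d][s]
    return bytes(out[:length])


def rebuild(layout):
    """Reconstruct the failed disk (the entry that is None).  Each stripe gives
    one XOR equation, so exactly one missing block per stripe can be solved
    for, whether it held data or parity.  Two missing disks means two unknowns
    per equation: the case that needs RAID 6's second, independent parity."""
    failed = [d for d, disk in enumerate(layout) if disk is None]
    if len(failed) > 1:
        raise ValueError("single parity cannot rebuild %d failed disks" % len(failed))
    if not failed:
        return layout
    f = failed[0]
    survivors = [d for d in range(len(layout)) if d != f]
    stripes = len(layout[survivors[0]])
    layout[f] = [xor_blocks([layout[d][s] for d in survivors]) for s in range(stripes)]
    return layout


def capacity_overhead(data_disks: int, parity_disks: int) -> float:
    """Raw capacity per unit of usable data, e.g. RAID 3 with four data disks
    and one parity disk needs 5/4 = 1.25 times the data size."""
    return (data_disks + parity_disks) / data_disks


def lose_and_recover(data: bytes, disks: int, failed: int) -> bytes:
    """Write the data, lose one disk, rebuild it, and return what reads back."""
    layout = raid5_write(data, disks)
    layout[failed] = None                      # the drive is gone
    return raid5_read(rebuild(layout), len(data))


if __name__ == "__main__":
    sample = b"NAS backups need redundancy, not just capacity."  # constructed
    print(lose_and_recover(sample, 4, 0) == sample)
    print(capacity_overhead(4, 1))
```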
References
EMC Education Services. (2005). Information Storage and Management: Storing, Managing, and Protecting Digital Information in Classic, Virtualized, and Cloud Environments (2nd ed.). Wiley Professional Development (P&T). Available from: ECPI.
MAY 3, 2023
APT Naming Conventions
by James Driscoll
May 3, 2023
Ever since listening to the CyberWire Daily podcast back in October 2020 and hearing about an Advanced Persistent Threat (APT) group named Fancy Bear, I have always wondered how these groups got their names. Then recently I found out that the same group can have multiple names, which adds to the confusion. This topic has come up within the past couple of weeks, so I thought it would be a good idea to try to reduce some of the confusion by breaking down how these groups get their names and why there are usually multiple names.
Let us start with the easiest question. Why are there multiple names for the same APT group? The short answer is that each research company (Microsoft, Mandiant, etc.) has its own naming convention. For example, Microsoft names APT groups using the periodic table; however, it was announced last week that they are changing to a weather-themed naming convention. Other companies, like CrowdStrike, use “Panda” for Chinese groups, “Bear” for Russian groups, “Kitten” for Iranian groups, and “Chollima” for North Korean groups. Symantec names APT groups after insects, and Palo Alto names them after constellations (Sabin, 2022).
So, with that out of the way, we need to address why the naming convention is not standardized. Basically, there are three reasons why the naming convention is not standardized. Those reasons are human, technical, and operational. Let us look at each one closer:
Human
· The operation conducted is used as the APT’s name.
· The name of the malware used is given as the APT’s name.
· The research companies do not relate their research to the research of other companies.
· Media refuses to correct wrong mapping in public articles.
Technical
· Different companies see different aspects of the same thing. For example, one company only sees the TTPs while another only sees the C2 infrastructure.
· Either an APT group splits up or multiple groups combine.
· Multiple APT groups share their tools with each other.
Operational
· Each company using their own naming convention gives them the ability to take their research in any direction they want.
· Each company may feel that by using another company naming convention signals that the other companies research is more complete than their own (Roth, 2018).
So, while the reasons behind all the different names make sense, there is still an argument for a standard naming convention. Communication between organizations alerting each other to IoCs they are noticing is vital, so why can’t these security research companies communicate and collaborate with each other? I have said it before that no one organization can be successful on its own. Everyone must work together to defeat our adversaries.
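The confusion described above is something an analyst ends up handling in code: normalizing vendor names, recognizing the CrowdStrike animal convention the post lists, and keeping a cross-reference that refuses to silently merge an alias two clusters both claim (the split/merge and shared-tooling cases). The following Python is an added example written for this post, not code from the post or from any of the vendors named in it. The animal-to-country table is taken from the post; the alias data in `build_sample_xref()` (cluster ids, vendor labels, names such as “Sample Bear” and “APT-0001”) is constructed and fictional, not a real attribution mapping.

```python
"""Cross-referencing vendor names for the same APT group.

Added example for this post (not code from the post or its sources). The animal
suffix table follows the CrowdStrike convention the post describes; the alias
data in build_sample_xref() is constructed and fictional, not real attribution.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Optional

# CrowdStrike-style animal -> attributed country, as stated in the post.
CROWDSTRIKE_ANIMALS = {
    "panda": "China",
    "bear": "Russia",
    "kitten": "Iran",
    "chollima": "North Korea",
}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that
    'Fancy  Bear.' and 'fancy bear' compare equal."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", name.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def infer_country(name: str) -> Optional[str]:
    """Country implied by a CrowdStrike-style '<Adjective> <Animal>' name.
    Names that do not follow that convention yield None."""
    parts = normalize(name).split()
    if len(parts) < 2:
        return None
    return CROWDSTRIKE_ANIMALS.get(parts[-1])


class ActorCrossRef:
    """Maps every vendor's name for a group to one internal cluster id.

    An alias claimed by two clusters is kept as a conflict instead of being
    resolved silently: that is the split/merge and shared-tooling situation
    from the post, and it needs an analyst's review."""

    def __init__(self) -> None:
        self.clusters: dict[str, dict[str, str]] = defaultdict(dict)  # cluster -> {vendor: name}
        self._alias_owners: dict[str, set[str]] = defaultdict(set)  # normalized alias -> cluster ids

    def add(self, cluster_id: str, vendor: str, name: str) -> None:
        self.clusters[cluster_id][vendor] = name
        self._alias_owners[normalize(name)].add(cluster_id)

    def resolve(self, name: str) -> Optional[str]:
        """Cluster id for a vendor name; None when unknown or ambiguous."""
        owners = self._alias_owners.get(normalize(name), set())
        return next(iter(owners)) if len(owners) == 1 else None

    def conflicts(self) -> dict[str, set[str]]:
        """Aliases that point at more than one cluster."""
        return {a: set(o) for a, o in self._alias_owners.items() if len(o) > 1}

    def aliases_of(self, name: str) -> dict[str, str]:
        """All vendor names for the cluster that `name` resolves to."""
        cluster = self.resolve(name)
        return dict(self.clusters[cluster]) if cluster else {}


def build_sample_xref() -> ActorCrossRef:
    """Constructed, fictional alias data for demonstration only."""
    xref = ActorCrossRef()
    xref.add("CLUSTER-A", "vendor-animals", "Sample Bear")
    xref.add("CLUSTER-A", "vendor-numbers", "APT-0001")
    xref.add("CLUSTER-B", "vendor-animals", "Sample Kitten")
    xref.add("CLUSTER-B", "vendor-numbers", "APT-0002")
    # Two vendors each used a shared malware family's name as the group name and
    # attached it to different clusters: the post's "malware name as APT name" case.
    xref.add("CLUSTER-A", "vendor-malware", "SharedToolkit")
    xref.add("CLUSTER-B", "vendor-malware", "SharedToolkit")
    return xref


if __name__ == "__main__":
    x = build_sample_xref()
    print(infer_country("Fancy Bear"), x.resolve("sample bear"), x.conflicts())
```

The design choice worth noting is that `resolve()` returns `None` for an ambiguous alias rather than picking one owner; `conflicts()` then surfaces exactly the names that need a human to decide whether two vendors are tracking one group or two.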
References
· Roth, F. (2018, March 25). The Newcomer's Guide to Cyber Threat Actor Naming. Retrieved from Medium: https://cyb3rops.medium.com/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263
· Sabin, S. (2022, September 20). Cyber Firms Explain Their Ongoing Hacker Group Name Game. Retrieved from Axios: https://www.axios.com/2022/09/20/cyber-firms-hacker-group-name-game
APR 19, 2023
Business Continuity / Disaster Recovery Plans
by James Driscoll
April 19, 2023
Disasters, whether natural or man-made, are inevitable. Every company, no matter its size or location, is going to experience one. How quickly it recovers, if at all, depends on whether it has a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).
For a BC / DR plan to be successful, the following five steps should be taken.
1. Be proactive with planning – Create a list of as many conceivable disasters as possible. Imagination is the only limiting factor here, as long as the disaster is actually conceivable. For example, a company in North Dakota planning for a hurricane is not conceivable.
2. Identify the organization’s critical functions and infrastructure – This is when a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses about the causes of disruptions and the repercussions of those disruptions.
3. Create emergency response policies and procedures – This is the meat and potatoes of the process: creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.
4. Document the backup and restoration process – This involves writing down the procedures for backing up the company’s data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.
5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing comes in. Testing a plan makes the employees familiar with it, which results in them being able to respond more quickly. This is paramount in a disaster where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).
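Steps 4 and 5 meet in the restore test: a documented backup procedure is only proven when a restore is checked against what was actually backed up. The Python below is an added example for this post, not code from the post or from the sources it cites. It records a manifest of SHA-256 hashes at backup time and compares a restored tree against it, reporting files that are missing, corrupted, or unexpected. The directory layout, file names and contents in `demo()` are constructed for the demonstration.

```python
"""Backup manifest and restore verification.

Added example (not from the post or the sources it cites). It backs steps 4
and 5: a manifest of SHA-256 hashes is written when the backup is taken and
checked after a test restore, so a restore that silently lost or corrupted a
file is caught in an exercise rather than in a real disaster. All file names
and contents below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(root: Path, manifest_path: Path) -> None:
    """Record the manifest at backup time; keep it apart from the backup media."""
    manifest_path.write_text(json.dumps(build_manifest(root), indent=2, sort_keys=True))


def verify_restore(restored_root: Path, manifest_path: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the recorded manifest."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored_root)
    common = expected.keys() & actual.keys()
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(p for p in common if expected[p] != actual[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def restore_is_clean(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: an exact restore and a damaged one."""
    tmp = Path(tempfile.mkdtemp(prefix="bcdr-demo-"))
    primary = tmp / "primary"
    (primary / "config").mkdir(parents=True)
    (primary / "customers.csv").write_text("id,name\n1,Example Customer\n")
    (primary / "config" / "app.ini").write_text("[app]\nmode=prod\n")

    manifest = tmp / "backup-manifest.json"
    write_manifest(primary, manifest)

    # Exercise 1: a restore that reproduced the primary exactly (the primary
    # tree itself stands in for it here) -> clean report.
    good = verify_restore(primary, manifest)

    # Exercise 2: one file corrupted, one never restored, one stray file.
    restored = tmp / "restored"
    (restored / "config").mkdir(parents=True)
    (restored / "customers.csv").write_text("id,name\n1,Example Custmer\n")  # single-byte damage
    (restored / "stale.tmp").write_text("leftover")  # not in the manifest
    damaged = verify_restore(restored, manifest)
    return good, damaged


if __name__ == "__main__":
    good, damaged = demo()
    print("clean restore:", restore_is_clean(good))
    print("damaged restore:", json.dumps(damaged, indent=2))
```

The report is deliberately three lists rather than a single pass/fail: a missing file points at the backup job, a corrupted file at the media or transfer, and an unexpected file at the restore procedure, which is the detail a post-exercise review of the written plan needs.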
When creating the BC plan, one of the main things to consider is the backup location. This location may have its own disaster risks that need to be anticipated. Six items to consider when choosing a backup location are:
1. Natural Disaster – Depending on the location, especially if it is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The way to mitigate this, if feasible, is to pick a location farther away.
2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or to find a location where employees live close by and may be able to walk to the site.
3. Human Error – Humans are not psychic. We need to be passed information. A company may have the best BC / DR plan ever created; however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.
4. Cyber Attack – While transferring the data to the backup site, companies need to ensure that their customers’ information is safe and not going to be subject to a cyber-attack. This can be mitigated by ensuring devices at the backup location are constantly patched and updated, anti-virus is used, and data is encrypted.
5. Compliance – No matter where the company is operating from, whether it is the primary location or the backup site, it still needs to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location. That means whenever something is done to the primary location, it is also done to the backup location.
6. Physical Security – Physical security is just as important as securing the company’s data. There are a couple of ways to achieve this. The company could invest in a security system including cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).
References
An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf
Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal.
Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies
APR 12, 2023
Honeypots
by James Driscoll
April 12, 2023
A honeypot is a security measure that creates a virtual trap to lure attackers into targeting a particular part of an organization’s network. There are two classifications of honeypots depending on how they are used. First is a production honeypot. These are used by large organizations and companies. Second is a research honeypot. These are used by educational institutions, governments, and militaries. No matter the classification, their purpose is to gain knowledge of threat actors’ tactics, techniques, and procedures (TTPs) (EC-Council, 2020).
Honeypots also fall into one of three categories: low-interaction, medium-interaction, or high-interaction. Low, medium, and high describe the services the threat actor can see. A low-interaction honeypot has a limited number of emulated services. A medium-interaction honeypot has more emulated services. Finally, a high-interaction honeypot has nothing emulated; it is basically a real-world vulnerable system (Mahmoud, 2019).
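To make the low-interaction end of that scale concrete, here is an added example written for this post (not code from the post or from the sources it cites): a single emulated service that sends a fake banner, captures the first message a peer sends, and turns the connection into a structured record a defender can log. The banner string, port number, record fields and the documentation-range peer addresses are my own constructed choices.

```python
"""Minimal low-interaction honeypot: one emulated service and a structured
record of every connection.

Added example (not from the post or its sources). The fake banner, port and
record layout are my own choices; the peer addresses used in testing are from
documentation ranges and are constructed.
"""
from __future__ import annotations

import json
import socket
import socketserver
from datetime import datetime, timezone
from typing import Optional

FAKE_BANNER = b"SSH-2.0-OpenSSH_0.0-honeypot-example\r\n"  # emulated; nothing behind it
MAX_CAPTURE = 512  # bytes of the peer's first message to keep


def build_record(peer: tuple[str, int], received: bytes,
                 when: Optional[datetime] = None) -> dict:
    """Turn one connection into the observation a defender wants to keep:
    who connected, when, to which emulated service, and what they sent first."""
    when = when or datetime.now(timezone.utc)
    return {
        "time": when.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "emulated_service": FAKE_BANNER.decode().strip(),
        "bytes_received": len(received),
        "payload_preview": received[:MAX_CAPTURE].decode("utf-8", errors="replace"),
        # A real SSH client answers the banner with its own; a plain port scan usually sends nothing.
        "looks_like_ssh_client": received.startswith(b"SSH-"),
    }


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Low interaction: send the banner, capture the first message, close."""

    def handle(self) -> None:
        self.request.settimeout(5)
        try:
            self.request.sendall(FAKE_BANNER)
            data = self.request.recv(MAX_CAPTURE)
        except (socket.timeout, OSError):
            data = b""
        record = build_record(self.client_address, data)
        print(json.dumps(record))  # in practice: append to a log that is shipped off-host


def serve(host: str = "127.0.0.1", port: int = 2222) -> None:
    """Listen until interrupted. Use a non-privileged port on an isolated host."""
    with socketserver.ThreadingTCPServer((host, port), HoneypotHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Because only the banner is emulated, the record is all the honeypot can learn: the source, the timing, and whether the peer behaved like a real client or a scanner. That limit is exactly what the post means by a low-interaction honeypot, and it is also why the host running it should have nothing else of value on it.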
Are there any legal or ethical implications to using honeypots? The answer is maybe; depending on its purpose, there could be legal implications in using a honeypot. The reason for that is what honeypots are designed to do. They are designed to lure threat actors into gaining access and attacking those systems, thinking they are attacking an organization’s actual system. Well, in legal terms, that is called entrapment. So, it depends on the reason for the honeypot: for instance, researching threat actors to better bolster network security will probably not trigger a law enforcement response. If the purpose is to prosecute these threat actors, that is a whole other story, as it may trigger a response in the form of a claim from the threat actor. It may also leave the organization open to regulatory action and may even subject the organization to criminal prosecution for hacking (Overly, 2019).
The bottom line is that if an organization wants to set up a honeypot, it would be best to consult an attorney that specializes in information security and law enforcement to get some advice beforehand. This will ensure that the organization is in compliance with 18 U.S.C. Section 1030, which contains a statement exempting lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States (Section 1030. Fraud and related activity in connection with computers, n.d.).
References:
EC-Council (2020). Certified Ethical Hacker (CEH) Version 11 eBook w/ iLabs (Volume 3: Web Attacks and Defense). International Council of E-Commerce Consultants (EC Council). VitalSource Bookshelf Online
Mahmoud, R. V. (2019). Deploying a University Honeypot: A Case Study. Retrieved from CEUR-WS: http://ceur-ws.org/Vol-2443/paper03.pdf
Overly, M. R. (2019, November 25). Avoiding the Pitfalls of Operating a Honeypot. Retrieved from CSO Online.
Section 1030. Fraud and related activity in connection with computers. (n.d.). Retrieved from House.gov.
MAR 29, 2023
Failure
by James Driscoll
March 29, 2023
We have all “failed” at something. Whether it was a test in school, running a business, maybe even a marriage, etc. Now, let me ask: what does fail really mean? According to Google, fail as a verb has two meanings: 1) to be unsuccessful at something; 2) to neglect to do something. To me, both sound negative. My goal with this blog is to take the first definition and look at it from a different perspective, as it does not necessarily have to have a negative connotation.
Let us look at the first meaning, “to be unsuccessful at something”. Now, we have all been unsuccessful at something at some point in our lives. Whether it was a test in school, running a business, maybe even a marriage that ended in divorce, etc. All of these can be seen as things we may have “failed” at. Now personally, I have “failed” numerous tests in school, and I “failed” running a business, and I have felt bad about both, as I am sure everyone else has when we “fail” at something. So, why do we feel bad when we “fail” at something? The reason we feel bad is the negative connotation that surrounds that word.
What if we look at “fail” from a different perspective? The word “fail” can be looked at as an acronym: First Attempt In Learning. Let us look at the above examples in a different light. For example, a year ago, I took my first certification test. It was the CompTIA CySA+ and I missed passing it by 32 points. Essentially, I failed it because I did not get the minimum passing score; however, given that I learned the format of the exam and learned that I had studied old material, it was a success. Now in terms of running a business, I had one when I first retired from the military. I had to shut it down after three months, so essentially it failed. Now, given that it was a learning experience in what not to do next time, it was a success. The point is that if lessons are learned, then whatever is seen as a “failure” is not unsuccessful, thus making the first definition inaccurate, if that makes sense.
So, do not be afraid to try something new, because when we do and “fail” at it, that is when we not only learn about the new thing we tried but also learn more about ourselves. It is how we grow as human beings.
MAR 22, 2023
Compliance Does Not Equal Security
by James Driscoll
March 22, 2023
There is a saying in the cybersecurity field: “compliance does not equal security”. Now, when I first heard this, my first thought was, why doesn’t it? The reason I asked that is my 20-plus years of experience in non-IT regulatory compliance. In those cases, especially regarding safety, if we were compliant with the regulations, we were certain things were going to be safe. So, compliance not equaling security confused me for a bit.
After finally being able to do some research, it turns out to be a true statement. Compliance does not equal security for three reasons. 1) Regulatory updates are not keeping pace with technology advancements. 2) There are instances when multiple regulations that govern an organization contradict each other. 3) Organizations simply check the box, saying they are compliant because they are required to do so, not because they see value in the regulations.
Now, let me talk about each of these three points. 1) Regulatory updates are not keeping pace with technology advancements. This absolutely makes sense. My experience with the Air Force is that they update their regulations every few years as things change. The cybersecurity field does not seem to have that mentality. Take, for example, the Computer Fraud and Abuse Act (CFAA). The CFAA was passed in 1986 and is not only still applicable 37 years later but also in serious need of an update. That is just one example of the numerous regulations that need to be updated. Updating outdated regulations is one of the goals of the 2023 National Cybersecurity Strategy.
Now, let us move on to point number 2: there are instances when multiple regulations that govern an organization contradict each other. It is highly probable that an organization can be governed by more than one regulation, and complying with one may mean not complying with another. When I first started studying cybersecurity and saw that an organization can be governed by more than one regulation, I asked what they are supposed to do, which one takes precedence. The reply I got was that all applicable regulations get followed. Now, I realize that is not always possible. This is something that the 2023 National Cybersecurity Strategy wants to remediate. This is desperately needed.
Finally, let us look at point number 3: organizations simply check the box, saying they are compliant because they are required to, not because they see value in the regulations. I do not understand how we got to this point. Is it because regulatory updates are not keeping pace with technology advances? Is it because there are instances when multiple regulations that govern an organization contradict each other? Is it possible that the current regulations are a bit ambiguous? Going back to my Air Force career, the regulations that I dealt with every day were specific in their requirements, and non-compliance had consequences.
So, how do we as cybersecurity professionals rectify this? Like I said earlier, points 1 and 2 are basically covered by the 2023 National Cybersecurity Strategy. The problem is that the timeline for completion is unknown. Point 3, on the other hand, we have influence over. I think this is where being able to translate the technical verbiage into business verbiage and communicating how the regulations affect the business is critical. I would love to hear if you all have any thoughts or ideas on this.
MAR 8, 2023
2023 National Cybersecurity Strategy
by James Driscoll
March 8, 2023
Disclaimer: The thoughts and ideas below are my own and do not reflect those of my employer. Also, this is done from the perspective of someone who is new to the cybersecurity industry. All opinions are based on what was learned through school and a career involving 20 years of active-duty military service and 8 years as a government contractor.
On 3 March 2023, the National Cybersecurity Strategy was published by the Biden-Harris Administration. Believe it or not, this is only the third such strategy. The other two were published in 2003 and 2018.
The document starts out by touting the positives of the internet and mentioning some of the amazing things we have been able to accomplish since its inception. To balance that, some of the not-so-favorable aspects are also mentioned. Also mentioned is the primary goal that the administration hopes to accomplish for the United States and its Allies. That goal is “to build a digital ecosystem that is easily and inherently defensible, resilient and aligned with our values” (2023 National Cybersecurity Strategy).
So, to reach the aforementioned goal, my impression is that all the Executive Orders (EOs) that have been issued in the past two years have been combined into this one document. I say that because a lot of the EOs are listed here. There is also a reference to the 2008 Comprehensive National Cybersecurity Initiative; the idea is to continue and evolve that initiative. One thing that I was happy to see is that while this current strategy replaces the one from 2018, it will not completely wipe it out. The plan is to press forward with a lot of the concepts established in the previous administration.
Let us move into basically the meat and potatoes of the National Cybersecurity Strategy. This part is separated into what the administration is calling Five-Pillars. The first thing I thought of when I saw the term Five-Pillars is that of the Zero Trust Model. For anyone that is not familiar with Zero Trust, here is a picture of it. Simply, replace the concepts of Zero Trust with the five concepts of the National Cybersecurity Strategy.
PILLAR 1 | DEFEND CRITICAL INFRASTRUCTURE
This section of the document is separated into five strategic objectives.
Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety. Please correct me if I am wrong, but isn’t this something that should have been accomplished a long time ago? Anyway, the plan here is twofold. 1) Create new regulations. I can without hesitation tell everyone that I am not a fan. It does not make sense to create new regulations when there are current ones in place not being enforced. 2) Update current regulations. I am 100% on board with this idea. The reason is that there are regulations that have been around for decades that are still applicable and desperately need updating. An example of this is the Computer Fraud and Abuse Act (CFAA). This was written in 1986 and has had no real update.
Strategic Objective 1.2: Scale Public-Private Collaboration. There is a saying that has been attributed to several African cultures that is applicable here. That saying is “it takes a village” and in the context of cybersecurity, it is true. Neither the United States Government nor the Private Sector will be successful in securing critical infrastructure on their own.
Now, for there to be greater collaboration between the United States Government and the Private Sector, there is an obstacle that must be overcome. Some people may be asking what that obstacle is. That obstacle is that some people do not trust the government. A good example of this is the recent train derailment in Palestine, Ohio. The citizens there do not trust what the EPA (government) is telling them. President Reagan said there is a phrase that nobody wants to hear, and it is still applicable in 2023, which is a problem. That phrase is “I am from the government, and I am here to help”. So, to accomplish this objective, the Private Sector must be able to trust the government, and that alone might take a while to accomplish.
Strategic Objective 1.3: Integrate Federal Cybersecurity Centers. What does this mean? Taking an educated guess based on my 20-year military career and additional eight years as a government contractor, I would say this means improving communication between the various agencies. If I am incorrect, please someone let me know.
Strategic Objective 1.4: Update Federal Incident Response Plans and Processes. This is one of those concepts that makes no sense. I say that because keeping incident response plans and processes up to date is something that should already be occurring on a regular basis. Perhaps it is the wording of the title that is the issue. I say that because the whole point of this is to define which of the many federal agencies the private sector needs to contact depending on their industry.
Strategic Objective 1.5: Modernize Federal Defenses. This section talks about not only replacing obsolete systems but also implementing newer security controls such as Zero Trust. The goal here is to have a network that is “easily defended and more resilient which would be a model for the private sector to emulate” (2023 National Cybersecurity Strategy). Do not get me wrong, I think this is an awesome idea; however, I question why this was not thought of before 2023.
PILLAR 2 | DISRUPT AND DISMANTLE THREAT ACTORS
This pillar is also broken up into five Strategic Objectives.
Strategic Objective 2.1: Integrate Federal Disruption Activities. Like Strategic Objective 1.3, this sounds like not only improving communications between agencies but also making sure they are on the same page operationally. Again, if I am incorrect in this please let me know.
Strategic Objective 2.2: Enhance Public-Private Operational Collaboration to Disrupt Adversaries. The concept of government and private sector collaboration is a recurring theme in this document. The government is encouraging the private sector to communicate through any of the organizations that serve as hubs for the government. Like I said in Strategic Objective 1.2, the government has a lot of work to do to reestablish trust with the private sector before it can think about improving collaboration.
Strategic Objective 2.3: Increase the Speed and Scale of Intelligence Sharing and Victim Notification. While I agree that the timeliness of intelligence sharing is crucial in disrupting a threat actor’s activities, there is a concept missing: information accuracy. Being able to share intelligence quickly is useless if the information being shared is not accurate.
Strategic Objective 2.4: Prevent Abuse of U.S.-Based Infrastructure. Preventing adversaries from using U.S.-based infrastructure for nefarious reasons is the goal of this objective. There is no indication that there is a specific plan on how to accomplish that. It simply restates a concept that should not have to be restated. That concept is that “service providers must make attempts to secure the use of their infrastructure against abuse or other criminal behavior” (2023 National Cybersecurity Strategy).
Strategic Objective 2.5: Counter Cybercrime, Defeat Ransomware. The goal here is to reduce the instances of ransomware. There is a four-part plan on how to do that. 1) Work with international partners to limit the freedom of criminals. 2) Investigate instances of ransomware from a law enforcement perspective. 3) Increase infrastructure resilience. 4) Limit the ability of criminals to leverage cryptocurrency as a ransom payment.
There are two points in the following statement in this section that I do not agree with. The statement is “the administration strongly discourages the payment of ransoms. At the same time, victims of ransomware – whether they chose to pay a ransom – should report the incident to law enforcement and other appropriate agencies”. The first point is “strongly discourages”. The reason I disagree with this is because the language is not strong enough to deter organizations from just paying. The second point is “whether or not they chose to pay a ransom”. The reason I disagree with this is because there should be no choice. There are established processes and procedures (BC / DR / IR plans and backups) that, if done correctly, would mean there is no need to pay to get information back. Also, what is not mentioned is that paying certain ransomware groups may in fact be illegal. The U.S. Treasury Department Office of Foreign Assets Control (OFAC) maintains a sanctions list of foreign entities, and conducting business with those listed entities, including paying ransoms, can bring legal action from the government.
PILLAR THREE | SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE
This pillar is separated into six strategic objectives. Strategic Objective 3.1: Hold the Stewards of Our Data Accountable. While I think the collection, use, sharing, and storing of personal information should be limited, as there is way too much of it, I question whether it is necessary to limit it through legislation. I have said it earlier: it makes no sense to create new legislation if current legislation is not enforced. A better idea would be to update what is already on the books and enforce that.
Strategic Objective 3.2: Drive the Development of Secure IoT Devices. There is one idea in this section that I cannot get on board with. That idea is creating security labels for IoT devices. For anyone that is not familiar with this idea, let me give you the Reader’s Digest version. Think of security labels like nutrition labels on packaged food. They are designed to give consumers the ability to compare the security of IoT devices.
The reason I am not on board with this is because it will not help anything. I say that because our society is an instant-gratification society. By that I mean when we want something, we want it right now. When people buy, in this case, an IoT device, they want to be able to take it out of the box, plug it in, turn it on, and have it running with minimal effort. I think these labels are going to have the opposite effect from what the administration is hoping for.
Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services. The whole point of this section is to secure the software products that are created. Basically, moving from the idea of push to production and fix later to securing the product before it goes to production. Now, before I continue, something I learned about this section is that this is not the first time this has been brought up. It turns out that this was first talked about in the 2003 National Cybersecurity Strategy. Makes me wonder why this has not been brought to fruition in the last 20 years.
The problem here is like I said in the last objective. It is that whole instant gratification idea. In this case it is all about making money as quickly as possible. That means pushing a product out as quickly as possible even if it has problems. For this reason, I can almost guarantee that there will be push back.
Strategic Objective 3.4: Use Federal Grants and Other Incentives to Build in Security. Money is going to be the primary factor in everything in this pillar being successful. The government must find a way to fund it. Now, there has been some progress with the passing of the Bipartisan Infrastructure Law, the Inflation Reduction Act, and the CHIPS and Science Act but there is a long way to go.
Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability. This section is all about holding government contractors accountable when they fail to adhere to cybersecurity regulations. It talks about using the Civil Cyber-Fraud Initiative (CCFI) and the False Claims Act to do that. I question if that is necessary. I say that because if the requirements are written in the contract, then it becomes a contract violation, which can not only cause them to lose the contract they are on but also affect the organization’s ability to be awarded government contracts in the future.
Strategic Objective 3.6: Explore a Federal Cyber Insurance Backstop. This is an interesting section. If there is a catastrophic cyber incident, it is not that the Federal Government COULD be called on; it should say the Federal Government WILL be called on. So, I get the impression that they are not prepared for that. If I am wrong in this, please let me know.
PILLAR 4 | INVEST IN A RESILIENT FUTURE
This pillar also has six strategic objectives. Strategic Objective 4.1: Secure the Technical Foundation of the Internet. The impression I get is that this is an extension of Strategic Objective 1.5. It just goes into more detail as to how to achieve it. The two probably could have been combined.
Strategic Objective 4.2: Reinvigorate Federal Research and Development for Cybersecurity. This is actually a good idea. For technology to keep advancing, we must invest in research and development (R&D). The thing is, to be successful we need to invest in areas that are relevant, such as quantum computing and artificial intelligence, just to name a few.
Strategic Objective 4.3: Prepare for Our Post-Quantum Future. The goal here is to ensure that our data remains secure. Currently that is done through encryption; however, with advances in technology, we are quickly coming to a point where quantum computing will be capable of breaking that encryption. This section simply talks about the need to protect our infrastructure from this emerging technology.
Strategic Objective 4.4: Secure Our Clean Energy Future. While this is a good idea, it is worded poorly. As written right now, the impression I get is that the government wants to focus all its energy on securing “clean” energy and ignoring what we already have. That is a problem, as we need to not only secure our energy future, which should be clean, but also secure the energy we currently have, which honestly should take priority.
Strategic Objective 4.5: Support Development of a Digital Identity Ecosystem. I had to read this section multiple times and the impression I get is that there is a lot of talk but really no substance. It does mention how easy it is to commit fraud. So, to make an educated guess, I would say the goal here is to work to prevent fraud in a digital ecosystem. If anyone has other ideas, I would love to hear them.
Strategic Objective 4.6: Develop a National Strategy to Strengthen Our Cyber Workforce. We all know that there is a severe shortage of talent in the world of Cybersecurity, and it is only going to get worse. As written, the plan to tackle this shortage is to expand on existing programs. The government also wants to address the lack of diversity in this field, which is a good thing.
PILLAR 5 | FORGE INTERNATIONAL PARTNERSHIPS TO PURSUE SHARED GOALS
There are five strategic objectives here as well. Strategic Objective 5.1: Build Coalitions to Counter Threats to Our Digital Ecosystem. This section takes the goal of collaboration that we saw earlier with the private sector and expands it to include foreign partners. Another good idea, as most of the attacks against the United States originate in foreign countries. The document mentions numerous partnerships and coalitions that have been formed with various groups of countries. Why can we not simply combine all these coalitions and partnerships into one, or better yet, work this through the intelligence groups the United States is a part of (5-Eyes, 9-Eyes, 14-Eyes)? I do not see the need to complicate things more than they already are.
Strategic Objective 5.2: Strengthen International Partner Capacity. From what I gather in this section, the United States is going to continue to work with foreign partners to improve their ability to fight cyber criminals. It seems the goal here is to ensure that everyone is on the same page in fighting cybercrime.
Strategic Objective 5.3: Expand U.S. Ability to Assist Allies and Partners. My impression of this section is that while the United States wants to assist our foreign partners in the event of a cyber-attack, we will only do so if it is in our national interest. So, to make that decision, even more policies are going to be created. This sounds like something that should have been created before 2023.
Strategic Objective 5.4: Build Coalitions to Reinforce Global Norms of Responsible State Behavior. While I completely agree that global norms need to be enforced, looking at where we are right now, a lot of work needs to be done. The document talks about members of the United Nations committing to enforcing these norms. All I have to say about this is that talk is cheap. Making statements condemning actions does not enforce global norms. Tiered sanctions do not work either, as evidenced by the Russian invasion of Ukraine. Any action needs to be not only swift but also must cause the maximum amount of pain for the offender.
Strategic Objective 5.5: Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services. As we have seen numerous times recently, securing the supply chain is critically important. So, it makes sense to be in here. Something that comes to mind while reading this section is a term I had read while studying for the CySA+. That term is “Trusted Foundry”. This is a program used by the Department of Defense to ensure the security of the manufacturing infrastructure for information technology vendors that create hardware for the military. So, my question is, why can’t the rest of the U.S. Government use that as a model, if not use it outright? I said it earlier and will say it again: there is no need to reinvent the wheel. A program already exists; simply expand on it.
IMPLEMENTATION
This section basically talks about working with private-sector and foreign partners to reach the objectives in this strategy. I would have liked to see a little more substance, but it is a lot of ambiguous ideas, just like the rest of the document.
MY IMPRESSION
Overall, the 2023 National Cybersecurity Strategy has a lot of potential to be a game changer for the industry. The issue I have is that I think it will be stuck at having potential. As I have pointed out, there are some good points. I have also pointed out that there are points in here that basically do not make sense to me. As I have said multiple times here, if I am wrong in any way, please reach out to me and we can have that discussion, as I am new to this industry.
MAR 1, 2023
Continuing Education
by James Driscoll
March 1, 2023
The cybersecurity realm is constantly evolving, as we know. The constantly changing landscape is why a lot of the certification organizations (CompTIA, for one) update their certification exams every three years. It is also the reason why certifications themselves expire after three years. So, does this mean that to renew a certification you have to retake the exam every three years? Absolutely not. The various certification organizations realize that retaking an exam every three years is simply not practical. So, they have all developed a way to keep certifications current using Continuing Education Units (CEUs). In the rest of this blog, I will be discussing how CompTIA handles CEUs, as I only have a CySA+. For anyone that has a certification from another organization, I recommend going to their site and reading up on their procedures.
CompTIA makes it easy to figure out what is needed to keep their certifications current. The best part is that you do not need to log in.
Simply go to www.comptia.org. When the page comes up, you will see at the top “Continuing Education”. Place the cursor on it and in the drop-down box that appears, click on Continuing Education Units (CEUs).
The next page that comes up will display the various CompTIA certifications in a bar graph style format along with a number. This gives a clear depiction of the number of CEUs that are required in a three-year period to stay current:
Now, just below the graph, CompTIA tells you how to earn CEUs. Also, on the right side of the page is a section called “Popular Renewal Options”. The option that is particularly interesting is “Preapproved Training”:
The page that comes up when you click on “Preapproved Training” has a chart. This chart breaks down the maximum number of CEUs a person can earn for each type of qualifying activity in that three-year period before the certification expires. As you can see below, there are a total of five qualifying activities on the left side of the chart. The individual certifications are across the top of the chart. The data in the middle are the maximum number of CEUs that can be earned for the activity, based on the certification:
The rest of the page breaks down each qualifying activity.
For those of us that have CompTIA certifications, I highly recommend reading through their continuing education pages. From what I can see, they really put in a lot of time and effort to explain everything and take a lot of the guesswork out of deciding if an activity qualifies towards renewal.
Hope this helped in your CompTIA journey!
FEB 8, 2023
Types of Corporate Cybersecurity Documentation
by James Driscoll
February 8, 2023
One day till my CompTIA CySA+ exam. So, for this last blog before the exam, I thought I would talk about corporate cybersecurity documentation. Having clear and precise documentation is critical if an organization is to have a successful cybersecurity program. There are four types of documentation that I will cover below: 1) policies; 2) standards; 3) procedures; 4) guidelines:
Policies – This type of documentation describes the organization's intent regarding a particular subject. As such, they are typically signed by the CEO. There is no set length for a policy; it just needs to completely cover the intent of the organization. The biggest takeaway here is that compliance is mandatory.
Standards – This type of documentation tells how the organization will implement the policy. Compliance here is also mandatory. Standards do not have to be signed by the CEO. Someone at a lower level can approve these.
Procedures – This type of documentation provides a step-by-step process for completing a specific task. Just like policies and standards, compliance with procedures is also mandatory. This could also be considered a checklist or even a playbook.
Guidelines – Compliance with this type of documentation is not mandatory; however, it is highly recommended. The reason is that guidelines consist of best practices and recommendations. They are simply meant to be helpful advice.
I will post my results on LinkedIn. I want to thank everyone that has followed this journey and sincerely hope there was value in these posts. I will be on vacation for the next couple of weeks, so I will not have a blog until 1 March.
References
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons.
FEB 1, 2023
The Containment Phase
by James Driscoll
February 1, 2023
Alright everyone, just eight days 'til my CompTIA CySA+ exam. For this week’s blog, I thought I would talk about the various containment strategies once an incident has been discovered. If you remember from last week, I mentioned the different phases of incident response. Containment is one of those phases.
When we talk about containment, we are talking about restricting the movement of the threat actor to the systems or part of the network they already have access to. This also means not providing a path to the rest of the network. There are four ways in which to restrict that movement, noted below:
Proactive Segmentation – This is typically accomplished during the preparation stage with the goal of reducing the organization's attack surface. It is also used as part of a defense-in-depth strategy. When configured correctly, it will prevent a threat actor from moving from one segment of the network to another.
Segmentation in response to an incident – This strategy takes segmentation one step further. Let’s say for example that only a couple of computers on a segment have been compromised. What would happen is that those computers would be placed in their own separate segment. This would restrict the threat actor’s ability to compromise the rest of the segment and prevent movement through the rest of the network.
Isolation – This is a third option that takes segmentation even further by completely disconnecting the compromised systems from the rest of the network yet retaining their internet connection. The goal is to ensure that the threat actor has no way to move through the network. The threat actor does however maintain access to the compromised systems.
Removal – As the name suggests, with this strategy compromised systems are completely removed from the network and the internet. This absolutely ensures that movement through the network is impossible. It also cuts off the threat actor's access to those compromised systems. Now, there is one critical aspect that we all need to be mindful of when deciding to remove compromised systems from the network and internet. That is, it may still be possible to lose all the data stored on those systems. There is a chance that the threat actor installed a script designed to delete all data when access is lost. The way the script would know is by using a separate script designed to reach out to an external host. Think of it as a ping request. When there is no response, the second script runs, deleting all the data.
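The four strategies above as a small reachability model, added here as an example that is not from the post or the study guide: the hosts, addresses and the rules for what each strategy permits are constructed assumptions, chosen so that the difference between segmentation, isolation and removal shows up in what a compromised workstation can still reach.

```python
"""Reachability model of the four containment strategies (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Private ranges stand in for "the rest of the network"; anything else is "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET_IP = "203.0.113.7"  # TEST-NET-3 address used as the stand-in external host


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    segment: str


# Constructed network: two workstation segments and a server segment (assumption).
HOSTS = [
    Host("ws1", "10.0.1.10", "users-a"),
    Host("ws2", "10.0.1.11", "users-a"),
    Host("ws3", "10.0.2.10", "users-b"),
    Host("db1", "10.0.10.5", "servers"),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def effective_segment(host, strategy, compromised):
    """Responsive segmentation moves compromised hosts into their own quarantine segment."""
    if strategy == "responsive-segmentation" and host.name in compromised:
        return "quarantine"
    return host.segment


def allowed(strategy, src, dst_ip, compromised, hosts=HOSTS):
    """True if src may initiate a connection to dst_ip under the chosen strategy."""
    src_hit = src.name in compromised
    if strategy == "removal" and src_hit:
        return False  # off the network and off the internet
    if not is_internal(dst_ip):
        return True  # the internet stays reachable under every other strategy
    if strategy == "isolation" and src_hit:
        return False  # cut from every internal host, internet connection kept
    dst = next((h for h in hosts if h.ip == dst_ip), None)
    if dst is None:
        return False  # unknown internal address: deny by default
    if strategy in ("isolation", "removal") and dst.name in compromised:
        return False  # nobody inside reaches an isolated or removed host either
    # Proactive and responsive segmentation: traffic may not cross segment boundaries.
    return effective_segment(src, strategy, compromised) == effective_segment(dst, strategy, compromised)


def reachable_from(strategy, src_name, compromised, hosts=HOSTS):
    """Sorted list of destinations src can still reach; used to compare the strategies."""
    src = next(h for h in hosts if h.name == src_name)
    targets = [h.ip for h in hosts if h is not src] + [INTERNET_IP]
    return sorted(ip for ip in targets if allowed(strategy, src, ip, compromised, hosts))


if __name__ == "__main__":
    for strategy in ("proactive-segmentation", "responsive-segmentation", "isolation", "removal"):
        print(f"{strategy:24} compromised ws1 can reach: {reachable_from(strategy, 'ws1', {'ws1'})}")
```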
References
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons.
JAN 25, 2023
Phases of Incident Response
by James Driscoll
January 25, 2023
With only two weeks left until my CompTIA CySA+ exam, I am moving right along. This week I will be discussing the Phases of Incident Response, which is Chapter 11 of the CompTIA CySA+ Exam Study Guide CS0-002.
Before I get into the phases of incident response, we must define a couple of terms and determine what constitutes a security incident. Those terms are security event, adverse security event, and security incident:
Security event – Literally anything that typically occurs on a network. These are things such as accessing a file, changing permissions on a folder, or a port scan by a threat actor.
Adverse security event – These are things that have a negative impact on a network. Think of this in terms of an action that affects the CIA triad. Examples are the introduction of malware, a server crashing, or even a person accessing a file they do not have permission to access.
Security incident – This is either a direct violation or a threat of violation of policies or standards. Some examples of an incident include a DoS/DDoS of a website, a threat actor installing a keylogger to capture login credentials, or the accidental loss of sensitive information.
Now that that is out of the way, we can move on to the phases of incident response. There are four phases to incident response: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. All of these will be discussed in detail below:
1. Preparation – This is the time when an incident response team is established, policies and procedures are created, required equipment is purchased, and applicable training is conducted. Other actions to reduce the attack surface of an organization are also conducted.
2. Detection and Analysis – As the name suggests, this is where incidents are detected and analyzed. There are basically four ways that incidents are detected.
a. Alerts – These come from things like IDS/IPS, SIEMs, antivirus software, file checking software, or other monitoring services.
b. Logs – Logs can come from anywhere to include the operating system, network devices, various services, applications, and even network flows.
c. Publicly Available Information – These are notifications resulting from vulnerabilities / exploits published by other organizations.
d. People – This is employees noticing and reporting abnormalities that may indicate an incident has occurred or is occurring.
3. Containment, Eradication, and Recovery – After it has been determined an incident has occurred or is occurring, this is where we first limit the damage being caused by limiting the malware’s access to the rest of the network. Once this is accomplished, we move on to removing the malware from the infected systems. After the infected systems have been cleaned up, we can move on to recovery. This is where we get everything back to normal operations.
4. Post-Incident Activities – Once everything is back to normal, the incident response is not completely over. There is one final step that is important to accomplish. That step is a lessons learned review. In the military this is called a “Hot Wash”. Basically, this is a formal review where everyone involved gets together and goes back over the incident, noting what went well and what needs to be improved.
References
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons.
JAN 18, 2023
Software Testing
by James Driscoll
January 18, 2023
For week 7 of my journey to become CompTIA CySA+ certified, I will be looking at software testing. When software is developed, no matter what it is, it should be done with security in mind.
One way to ensure that software is secure is through testing. This testing is broken down into two types: 1) static code analysis and 2) dynamic code analysis. Both will be discussed below.
Static code analysis – This is also known as source code analysis. The premise behind this is looking at the source code. So, as you can all guess by the name, with this type of analysis the code is not run. It is simply reviewed, either manually or using automated tools. The purpose is to understand the logic behind how it is written.
Dynamic code analysis – In this type of analysis, the code is run to see how it responds to various input. It can also be completed either manually or through automated tools. There are six types of testing that can be used in this type of analysis.
Fuzzing – Also known as Fuzz testing. This type of dynamic code analysis uses invalid or random data entered by the user to see how an application responds. What analysts are looking for are if the application crashes, fails, or responds incorrectly. This is most useful for finding simple problems.
Fault Injection – While this type of analysis sounds like Fuzzing, there is a difference. That difference is that random data is entered into the error handling paths to see how the application responds. Due to the propensity for human error, this test is best completed by using automated tools.
Mutation Testing – This type of analysis is like Fuzzing and Fault Injection. The only difference here is that the program itself is modified slightly. These modified versions are then tested and if they fail, they are discarded. This information is just what is in the CompTIA CySA+ study guide. I do not completely understand the whole point behind it.
Stress / Load Testing – In this type of analysis, an application is subjected to actual use. The purpose is basically to see the maximum number of users the application can handle before issues arise. Fault Injection testing can also be implemented during this type of test, again to see how the application reacts.
Security Regression Testing – This type of test is completed when changes are made to an application, more specifically when a patch is applied. This test ensures that there are no new issues, such as vulnerabilities, misconfigurations, etc. This testing is conducted by using standard automated tools.
User Acceptance Testing – While all the other five tests are important, this one is probably the most important. I say that because this test allows the user to validate that the application meets or exceeds their usability expectations. If an application fails this test, then the other five do not matter because the application will most likely be scrapped or sent back to be redone. That means all six tests would have to be redone as the application would have changed.
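Mutation testing in miniature, added as an example that is not from the post or the study guide: the function under test, the two mutation operators and both test suites are constructed. Each mutant is a slightly modified copy of the program; a mutant that survives the suite shows a blind spot in the tests (here the weak suite never checks the boundary, so the off-by-one mutant passes), which is the point of the technique.

```python
"""Minimal mutation-testing harness (constructed example)."""
import ast

# Function under test: a bounds check of the kind a parser applies before copying input.
SOURCE = '''
def within_limit(length, limit):
    """Accept a payload only when its length is strictly below the limit."""
    if length < limit:
        return True
    return False
'''

# Each mutation operator swaps one comparison operator for another.
MUTATIONS = {
    "lt_to_lte": (ast.Lt, ast.LtE),  # off-by-one: also accepts length == limit
    "lt_to_gt": (ast.Lt, ast.Gt),    # inverted check
}


class CompareMutator(ast.NodeTransformer):
    """Rewrites every comparison that uses `old` so that it uses `new` instead."""

    def __init__(self, old, new):
        self.old, self.new = old, new

    def visit_Compare(self, node):
        self.generic_visit(node)
        node.ops = [self.new() if isinstance(op, self.old) else op for op in node.ops]
        return node


def build(source, mutation=None):
    """Compile the original program, or a mutant with one operator applied, and return the function."""
    tree = ast.parse(source)
    if mutation is not None:
        old, new = MUTATIONS[mutation]
        tree = CompareMutator(old, new).visit(tree)
        ast.fix_missing_locations(tree)
    namespace = {}
    exec(compile(tree, "<mutant>", "exec"), namespace)
    return namespace["within_limit"]


# Test suites as (arguments, expected result). The weak suite never probes the boundary.
WEAK_SUITE = [((1, 10), True), ((20, 10), False)]
STRONG_SUITE = WEAK_SUITE + [((10, 10), False)]  # boundary case: length == limit must be rejected


def suite_passes(fn, suite):
    return all(fn(*args) == expected for args, expected in suite)


def run_mutation_testing(source, suite):
    """Return {mutation: 'killed' | 'survived'}; a survivor is indistinguishable from the original."""
    if not suite_passes(build(source), suite):
        raise ValueError("the test suite must pass against the original program first")
    return {
        name: "killed" if not suite_passes(build(source, name), suite) else "survived"
        for name in MUTATIONS
    }


def mutation_score(results):
    """Fraction of mutants the suite detected; 1.0 means every mutant was killed."""
    return sum(r == "killed" for r in results.values()) / len(results)


if __name__ == "__main__":
    for label, suite in (("weak", WEAK_SUITE), ("strong", STRONG_SUITE)):
        results = run_mutation_testing(SOURCE, suite)
        print(f"{label} suite: {results} score={mutation_score(results):.2f}")
```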
References
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons.
JAN 11, 2023
Authentication Protocols
by James Driscoll
January 11, 2023
Week 6 of my journey to become CompTIA CySA+ certified. For this post I will be covering the various authentication protocols. Authentication is the first part of AAA, which stands for Authentication, Authorization, and Accounting. When accessing a network, we must give the network credentials that it can use to prove that we are legitimate users of that system. These credentials are our identity to the network. This is what the network uses to prove, or authenticate, that we are legitimate users.
Now, there are various protocols that can be used in the authentication process. I will cover the three that are in the CompTIA CySA+ Exam Study Guide CS0-002. They include TACACS+, RADIUS, and Kerberos.
TACACS+ – The Terminal Access Controller Access Control System Plus (TACACS+) is an expanded service of the original TACACS. One thing to keep in mind about this protocol is that there are a couple of issues with it:
The traffic it sends is not checked for integrity. That means that a threat actor can make changes to the traffic sent, or they can utilize a replay attack.
TACACS+ also utilizes an insecure encryption algorithm. This means that the threat actor can discover the encryption key.
So, what is the compensating control that can be used when changing protocols is not possible? The best practice is to place devices using TACACS+ on their own administrative network that is isolated from everything else.
RADIUS – Remote Authentication Dial-In User Service (RADIUS) is the most widely used AAA service. This service is used in client-server networks and runs over both TCP and UDP. Passwords are hashed using MD5 while in transit from client to server. So, it is more secure than TACACS+, but there is room for improvement.
Kerberos – This protocol is designed specifically for untrusted networks. All traffic is encrypted. There are three aspects associated with Kerberos:
Principals, which are users.
Instance, used to differentiate similar primaries.
Realms, which are groups of principals. These are based on trust boundaries.
Something to keep in mind is that Windows Active Directory utilizes Kerberos for authentication.
Until next week!
References
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons.
JAN 4, 2023
Security Controls
by James Driscoll
January 4, 2023
Week five of my 10-week journey to becoming CompTIA CySA+ certified; I am halfway through. This week is all about Security Controls. What are security controls? Security controls are implemented to “prevent, detect, counteract, or limit the impact of security risks” (Chapple & Seidl, 2020). These controls are divided into two groups: 1) how they are applied and 2) what the control is designed to accomplish.
Let us look at each group, starting with controls based on how they are applied. Now, depending on who you talk to, there are three, maybe four, controls that fit in here. They include:
Technical controls – These are things like “firewalls, IDS / IPS, network segmentation, authentication / authorization systems”, etc. (Chapple & Seidl, 2020).
Administrative controls – These are nothing more than policies and procedures.
Physical controls – Think items used in the physical security of property.
Legal controls – A possible fourth control. As the name suggests, these are controls that are required to be implemented by law. They could also be lumped in with administrative controls.
Now, we can move on to the controls based on what they are designed to accomplish. There are three in this group:
Preventive controls – As you can guess by the name, these controls are designed to prevent an incident. We are talking about things like “firewalls, awareness training, security guards” (Chapple & Seidl, 2020).
Detective controls – These are designed to discover an incident and report it.
Corrective controls – These controls are designed to either clean the network and/or reduce the impact of the incident. These include things like applying software updates / patches, using antivirus / antimalware, and utilizing backups.
Finally, there is one more type of control that does not fit into either group. The reason is that this control is designed to be an alternative when one of the others cannot be used for whatever reason. This control is called a compensating control.
References
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons.
DEC 28, 2022
Cloud Responsibilities
by James Driscoll
December 28, 2022
During week four of my 10-week journey to becoming CompTIA CySA+ certified, I will be looking at the responsibilities of the Cloud Service Provider (CSP) and the customer. Operating on premises and in a cloud environment has both similarities and differences. Considerations for Confidentiality, Integrity, and Availability (CIA) must be made in both instances. Also, access management is an objective in both instances.
Now, the difference between on-premises and cloud environments is where responsibilities lie. You see, in on-premises operations the owner is responsible for everything. In a cloud environment, those responsibilities are split between the CSP and the customer, and they differ depending on the type of cloud service (IaaS, PaaS, or SaaS). Luckily, the CySA+ study guide has a nice graphic that illustrates how those responsibilities are divided up. I recreated the graphic below in Excel with the information reviewed in the CompTIA CySA+ Exam Study Guide CS0-002:
The above graphic is divided into three cloud services. Each of those services is divided into five different aspects where responsibilities lie. One thing you will notice is that everything is color coded. The white shading depicts what the customer is responsible for, the dark gray depicts what the CSP is responsible for, and the light orange depicts what responsibilities are shared by both the customer and the CSP.
So, what does this mean in terms of cybersecurity? Well, at the top of each service is the Data, and according to its shading, the customer is responsible for it, even in SaaS, where it is shared with the CSP. That means the customer, aka the owner of the data, is responsible for securing it.
I bring that up because moving to the cloud, while not totally a new concept, is new to some organizations and may be misunderstood. I think there may be the mindset that if an organization moves to the cloud, they are no longer responsible for anything, and that is simply not the case, as shown above.
The key takeaway is, no matter whether your organization is considering moving to the cloud or has already moved, it is important to know where your responsibilities lie. The inspiration behind this blog is that there have been news stories lately about data stored in the cloud being breached due to misconfigurations, and I want to make sure that the cause is not a misunderstanding of responsibilities.
References:
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons. https://www.amazon.com/CompTIA-CySA-Study-Guide-CS0-002/dp/1119684056
CompTIA CySA+ Certification Exam https://www.comptia.org/certifications/cybersecurity-analyst
DEC 21, 2022
Common Vulnerability Scoring System (CVSS)
by James Driscoll
December 21, 2022
As we continue with week three of this 10-week trek to the CySA+ exam, I will discuss the Common Vulnerability Scoring System (CVSS). As the name suggests, it is a scoring system for vulnerabilities. Now, CVSS is part of a larger standardized security information communication platform called the Security Content Automation Protocol (SCAP).
So, where are we most likely to see CVSS? Well, when a vulnerability is discovered, it is submitted to the National Vulnerability Database and given a Common Vulnerabilities and Exposures (CVE) number. CVE is also part of SCAP and maintained by NIST. Anyway, the CVSS score is part of the CVE report, as you can see in the screenshot below.
Upon closer examination, we see that there are two versions of CVSS. Version 3 is the most recent version and is what is used for newer vulnerabilities. Older vulnerabilities are scored based on version 2.0. The next major item to notice is the Base Score, which is 7.8 High. Now, what does this mean? The CVSS scoring system works on a scale from 0 to 10 and is broken down into rating categories, shown in the visual below:
So, based on the scale, the 7.8 Base Score is the second highest rating a vulnerability can receive. That means that any organization with this vulnerability should seriously look at remediating it.
Continuing with our examination of the above CVE, the next item we see is the “Vector”. This is the actual CVSS vector and is what determines the base score. As we can see, the vector is broken up into eight categories:
Attack Vector (AV) – This is how the adversary exploits the vulnerability. It has four criteria: physical access, local access, adjacent network, and network. The more remote, the higher the score.
Attack Complexity (AC) – This is how difficult the vulnerability is to exploit. It has two criteria: high and low. A low difficulty equals a higher score.
Privileges Required (PR) – This is the type of account access needed to exploit the vulnerability. It has three criteria: high, low, and none. A rating of none equals a higher score.
User Interaction (UI) – Is another end user needed by the adversary? It has two criteria: none and required. A rating of none equals a higher score.
Confidentiality (C) – This describes whether the confidentiality of the data will be affected. It has three criteria: none, low, and high. A rating of high means all the information is compromised and equals a higher score.
Integrity (I) – This describes the impact to the integrity of the data. It also has three criteria: none, low, and high. A rating of high means all data integrity is lost and equals a higher score.
Availability (A) – This describes the impact to data availability. It has three criteria as well: none, low, and high. A rating of high means the availability of the data is completely gone and equals a higher score.
Scope (S) – This describes whether the vulnerability can affect other system components. It has two criteria: unchanged and changed. It is not scored.
One thing you will notice is that in the above descriptions, I did not give numerical values for each of the criteria. I left those out for a reason. That reason is that, thanks to our friends at NIST, there is an online calculator that will calculate the score for us. The URL is https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. It is easy to use. For each of the eight categories, click on the criterion that applies. When checking out the site you will see two more metrics: Temporal Score and Environmental Score. I am not covering them currently as they appear to be outside the scope of the exam per the CompTIA CySA+ Study Guide.
References:
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons. https://www.amazon.com/CompTIA-CySA-Study-Guide-CS0-002/dp/1119684056
CompTIA CySA+ Certification Exam https://www.comptia.org/certifications/cybersecurity-analyst
DEC 14, 2022
Attack Frameworks
by James Driscoll
December 14, 2022
For week two of this 10-week excursion into CompTIA CySA+, I will be discussing the various attack frameworks. These frameworks are utilized by organizations attempting to predict how an adversary will probably attack them. This allows them to create defenses that are more likely to be effective in the event of an attack.
According to the CompTIA CySA+ Study Guide, there are four attack frameworks that we should be familiar with. They are 1) MITRE ATT&CK Framework, 2) The Diamond Model of Intrusion Analysis, 3) Lockheed Martin’s Cyber Kill Chain, and 4) The Unified Kill Chain. I will go into further detail about each framework in the following paragraphs.
The first framework we will look at is the MITRE ATT&CK Framework. The MITRE Corporation created the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework as a way for organizations to have access to common descriptions of the tactics, techniques, and procedures (TTPs) of known adversaries. The good thing about this framework is that there is no cost to access it. To access it, just go to https://attack.mitre.org. On the first page is the ATT&CK matrix. There is a plethora of information regarding adversary TTPs available.
The second framework is the Diamond Model of Intrusion Analysis. The key thing to remember about this is that it is relationship based. All the vertical lines of the model are called events. So, the way this works is that analysts try to find as much information as they can by tracing the relationships between the events.
As you can see in the image above, all the vertical lines are events. Where those lines intersect are core features of the events. Unfortunately, the study guide really does not go into further detail about this framework. It is just a basic overview for the test.
The third framework is the Lockheed Martin Cyber Kill Chain. As the name suggests, this framework was created by Lockheed Martin and consists of seven processes that form a chain:
Reconnaissance – Gathering information about the target
Weaponization – This is when an adversary creates the tools to exploit the target's vulnerability
Delivery – This is when an adversary deploys the tools created
Exploitation – This is when an adversary utilizes the tools to gain access to the target network
Installation – This is when persistence is created using a backdoor
Command and Control (C2) – Facilitates remote control of the compromised system
Actions on Objectives – This is when an adversary collects and exfiltrates information such as credentials. They are also able to escalate their privileges and move throughout the network
The fourth and final framework is the Unified Kill Chain. Now, according to the CompTIA CySA+ Study Guide, while this framework is not testable, it is information that is good to know. In a nutshell, this framework is a combination of the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and other frameworks. All together they make up an 18-process chain that describes how an attack can occur both inside and outside a network.
References:
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CS0-002. Indianapolis: John Wiley and Sons. https://www.amazon.com/CompTIA-CySA-Study-Guide-CS0-002/dp/1119684056
CompTIA CySA+ Certification Exam https://www.comptia.org/certifications/cybersecurity-analyst
DEC 7, 2022
Risk - Topics from CompTIA CySA+ Studies
by James Driscoll
December 7, 2022
I am currently studying for the CompTIA CySA+ exam, which stands for CompTIA Cybersecurity Analyst. Over the next 10 weeks, I will be picking topics from the CompTIA CySA+ Study Guide. This first blog in the series will cover risk.
The concept of risk is a major player in the world of cybersecurity. As professionals we constantly talk about our organization's risk acceptance, aka risk appetite, but how do we define what a risk is? To define a risk, we need to discuss two other concepts. The first concept is vulnerability, which is nothing more than a weakness. The second concept is a threat, which is any outside force that can exploit a vulnerability.
Now, there are a couple of ways to look at risk. 1) We can look at it as a mathematical equation, which looks like “Risk = Threat X Vulnerability”. Keep in mind that with this type of representation, there are no numerical values to be entered. It is merely a statement that to have a risk, an organization must have both a vulnerability and a threat that can exploit it. 2) We can look at it through the lens of a Venn diagram, below:
What this diagram shows is that risk is where a threat and a vulnerability meet.
Let us look at each entity, starting with threats. There are four types of threats an organization may encounter. Determining threats to an organization requires an assessment that focuses outside the organization.
Adversarial threats – These threats can take many forms and include people, groups, or even other organizations. Their goal is to compromise an organization's security.
Accidental threats – These threats are merely employees making a mistake such as a misconfiguration.
Structural threats – These threats are when network infrastructure fails. Failures can happen for any reason, such as equipment being too old, network traffic exceeding equipment capability, excessive heat due to an HVAC system going out, etc.
Environmental threats – These threats are either natural or man-made.
Moving on to vulnerability. As stated earlier, a vulnerability is nothing more than a weakness that a threat can use to its advantage. Unlike determining threats, when an organization determines its vulnerabilities, it focuses on itself.
This brings us to risk itself. There are two concepts that are utilized when determining risk. They are:
The likelihood a threat is going to exploit a particular vulnerability, and
How much of an impact that exploitation is going to have on the organization
One way to calculate risk is to use a qualitative matrix that utilizes low, medium, and high ratings. The diagram below is an example out of the CompTIA CySA+ Study Guide:
As you can see, the likelihood a threat will exploit a vulnerability is on the left with the impact on the bottom. So, this is read just like a graph. Low values are at the bottom and to the left, with higher values towards the top and to the right.
According to the CySA+ study guide this matrix can also be used as a quantitative matrix. That means instead of using Low, Medium, and High values, an organization assigns numerical values. Now, I have not seen a quantitative matrix, so I do not know what maximum numerical value represents a high rating. I would imagine that is set by each individual organization.
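As an added example (not from the study guide or the original post), the Python below encodes the 3x3 qualitative matrix described above, the quantitative variant obtained by assigning 1, 2 and 3 to low, medium and high and multiplying them (the scale and the band thresholds are my assumptions), a check that the two views agree cell for cell, and a small constructed risk register ranked by score. Entries that lack either a threat or a vulnerability are excluded, since by the definition above they are not yet a risk.

```python
from dataclasses import dataclass

# Ordinal scale shared by likelihood and impact. The 1..3 values are an
# assumption for illustration; the study guide's matrix uses only the words.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Qualitative 3x3 matrix as a lookup keyed by (likelihood, impact).
# Read like a graph: likelihood on the left, impact along the bottom, so the
# low/low cell is bottom-left and high/high is top-right.
QUALITATIVE_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def qualitative_rating(likelihood, impact):
    """Rating read straight off the word-based matrix."""
    return QUALITATIVE_MATRIX[(likelihood, impact)]


def quantitative_score(likelihood, impact):
    """Numeric version of the same matrix: likelihood value times impact value (1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def band(score):
    """Fold a 1..9 score back into low/medium/high. Thresholds are an assumption."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def matrices_agree():
    """True if every cell of the qualitative matrix equals the banded numeric score."""
    return all(band(quantitative_score(l, i)) == rating
               for (l, i), rating in QUALITATIVE_MATRIX.items())


@dataclass
class Risk:
    name: str
    threat: str          # what could exploit the weakness; empty string = none identified
    vulnerability: str   # the weakness itself; empty string = none identified
    likelihood: str
    impact: str

    def exists(self):
        # Risk = Threat x Vulnerability: an entry missing either factor is not a risk yet.
        return bool(self.threat) and bool(self.vulnerability)


def rank_register(risks):
    """Score each real risk and return (name, score, rating) tuples, highest first."""
    scored = [(r.name, quantitative_score(r.likelihood, r.impact),
               qualitative_rating(r.likelihood, r.impact))
              for r in risks if r.exists()]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register covering the four threat types from the post.
SAMPLE_REGISTER = [
    Risk("Internet-facing VPN missing vendor patch", "adversarial: external attacker",
         "unpatched remote-code-execution flaw", "high", "high"),
    Risk("Admin pastes config into wrong device", "accidental: operator error",
         "no change review before commit", "medium", "high"),
    Risk("End-of-life core switch", "structural: hardware failure",
         "single switch, no spare", "medium", "medium"),
    Risk("Server room below grade", "environmental: flooding",
         "no water detection or raised flooring", "low", "high"),
    # A weakness with no identified threat: excluded from the ranking.
    Risk("Legacy app uses MD5 internally", "", "weak hash in non-exposed module", "low", "low"),
]

if __name__ == "__main__":
    for name, score, rating in rank_register(SAMPLE_REGISTER):
        print(f"{score}  {rating:6}  {name}")
```

The point of `matrices_agree()` is the one the study guide makes: the quantitative matrix is the same grid with numbers in the cells, so a sensible choice of scale and bands reproduces the word-based ratings exactly. Only the ranking between entries inside one band is new information.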
References:
Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CS0-002. Indianapolis: John Wiley & Sons. https://www.amazon.com/CompTIA-CySA-Study-Guide-CS0-002/dp/1119684056
CompTIA CySA+ Certification Exam https://www.comptia.org/certifications/cybersecurity-analyst
NOV 23, 2022
Ways Organizations Can Recover From an Attack
by James Driscoll
November 23, 2022
In my last blog, I discussed the reasons why organizations should not pay adversaries when they are the victim of a ransomware attack. In this blog, I will discuss things organizations can do to facilitate recovery from an attack.
There are numerous things an organization can do to avoid paying a ransom in the event of an attack. The thing is that these need to be completed before an attack. That means organizations need to change their mindset of “we will not be attacked” to “we will be attacked at some point”. Only then will the following be effective.
One thing that is an absolute must is backups of your data. In the case of backups, there is a generally accepted rule that should be followed, called the 3-2-1 backup rule. It breaks down like this: 3 total copies of the data (1 original, 2 copies); the 2 copies saved on two different types of media, which can be anything as long as the types differ; and 1 of the copies stored off site. Cloud storage can cover the last two (Elliot, n.d.). One caveat a practitioner would add: at least one copy should be offline or otherwise unreachable with the credentials used on the production network, because ransomware that can reach a mounted backup share encrypts it along with everything else.
Something else that is a necessity is an Incident Response Plan. A word of advice: print out a copy so it can be used in case of an attack. It is useless if the only copy is saved on a workstation or server that is locked with ransomware. Luckily, our friends at NIST have a special publication that spells most of the elements out. NIST SP 800-61r2 lists eight elements that belong in an organization's incident response policy, the document the plan is built on. Those elements are:
Statement of management commitment
Purpose of the policy
Scope of the policy
List of definitions
Organizational structure
Prioritization or severity ratings of incidents
Performance measures
Reporting and contact forms (Computer Security Incident Handling Guide, 2012)
These next few steps are designed to make the organization a hard target. In case some of you are wondering what a hard target is, it is a term the military uses to describe an entity that has a low susceptibility to attack. I say low susceptibility because there is no way to get the susceptibility to zero. If an adversary wants to get onto a network badly enough, they will. So, the goal is to make it as difficult as possible, to make them waste so much time that they simply give up and try another organization. This is accomplished by:
Consistent user training
Keeping Operating Systems, software and applications up to date
Using anti-virus and anti-malware software (Ransomware, n.d.)
The good thing about taking the above steps is that they help protect against more than just ransomware.
The one thing I want everyone to take away from this is that we need to ensure our organizations are prepared. It is 2022, almost 2023, and from what I can tell every organization is fair game for ransomware. It is no longer a matter of if an organization is going to become a victim, but when. So, by having an Incident Response Plan and testing it, training our users, updating software, and using anti-virus / anti-malware software, our organizations will hopefully not have to struggle with the decision of whether to pay a ransom and face a fine from the government because the ransomware group is on the sanctions list, or have their data released on the dark web.
References
Computer Security Incident Handling Guide. (2012). Retrieved from NIST
Elliot, J. (n.d.). What is the 3-2-1 Backup Rule?. Retrieved from US Chamber
NOV 16, 2022
Why Organizations Should Not Pay Ransomware
by James Driscoll
November 16, 2022
We may all remember that back in September the Los Angeles Unified School District became a victim of a ransomware attack. A month later, we heard about Medibank, the largest health insurer in Australia, also becoming a victim of a ransomware attack. So, besides both joining the club of ransomware victims, what else do they have in common? Both organizations decided not to pay the ransom. In this blog I will discuss some of the reasons why an organization may not want to pay a ransom.
There are three main reasons an organization may not want to pay a ransom:
1) There is no guarantee that the organization will regain access to its information.
2) It almost guarantees that the organization will be attacked again.
3) It may be illegal to pay the ransom.
Let's take a deeper dive into each:
There is no guarantee that the organization will regain access to its information. Even though the ransomware group promised to provide a decryption key once the ransom was paid, it is possible that they will simply take the money and run and never provide that key (Fruhlinger, 2020). The main thing to remember is that the organization is dealing with criminals, and ethics or integrity are not necessarily in their vocabulary. Even a key that is delivered does not guarantee a clean, complete restore, so recovery from backups is still needed.
It almost guarantees that the organization will be attacked again. According to a report that came out earlier this year, 80% of the organizations that were victims of a ransomware attack and paid the ransom were attacked a second time (Townsend, 2022). The reason for this is that by paying the ransom, the organization is telling the group they are willing to pay to get their information back. So, naturally the group is going to see them as an easy way to make money.
It may be illegal to pay the ransom. I would say that this is the primary reason not to pay. There is an office within the U.S. Treasury Department called the Office of Foreign Assets Control (OFAC). This office is responsible for sanctioning not only the ransomware gangs, but also any other entity that sponsors or provides any type of support for their activities, and it has warned that facilitating a payment to a sanctioned party may itself violate sanctions law (Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, 2020).
So, how did OFAC obtain jurisdiction over ransomware payments? The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) delegate that authority to OFAC. As part of this jurisdiction, OFAC is responsible not only for creating the lists of entities that U.S. persons cannot conduct transactions with, but also for enforcing those embargoes.
In next week’s blog I will discuss some of the things that organizations can do to protect themselves from becoming a victim of a ransomware attack.
References
Advisory on Potential Sanctions Risks For Facilitating Ransomware Payments. (2020, October 1). Retrieved from Treasury Department: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
Fruhlinger, J. (2020, June 19). Ransomware Explained: How it Works and How to Remove it. Retrieved from CSO Online.
Townsend, K. (2022, June 08). It Doesn't Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again. Retrieved from SecurityWeek.
NOV 2, 2022
Insider Threat
by James Driscoll
November 2, 2022
There is one aspect of cybersecurity that gets very little fanfare: the insider threat. An insider threat is in my opinion the most dangerous type of cybersecurity attack. I say that because most of the time it involves an employee of the organization, who obviously has inside knowledge of the organization and easier access to the data than an outsider would. Below is a recent case of an insider threat.
This past September, an information security designer by the name of Jareh Sebastian Dalke received a visit from the FBI in Denver, Colorado. Mr. Dalke was arrested and charged with three counts of violating the Espionage Act. According to the charges, he reached out to someone he thought worked for a foreign government and told this individual that he had classified documents for sale. The two agreed on an $85,000 price. According to the story, to prove that what he had was legitimate, Mr. Dalke sent the supposed foreign government official, who was actually an FBI agent, excerpts of the documents with the classification markings still on them (Kelley, 2022).
This incident which occurred only two months ago is a perfect example of an insider threat, which is the subject of this blog. One disclaimer about this case. Mr. Dalke has only been charged with violating the Espionage Act. He is innocent until he is proven guilty by a jury of his peers (Kelley, 2022). I will discuss what an insider threat is, how to spot one, and what to do if you suspect there is an insider threat in your organization.
Before we can discuss what an insider threat is, we need to define what an insider is. Basically, an insider is anyone, whether an employee or a contractor, whom an organization trusts with access to its resources. It can also be a vendor, a custodian, or even a repair person. The Cybersecurity and Infrastructure Security Agency (CISA) has an extensive list of who could be considered an insider (Defining Insider Threats, n.d.).
The essence of an insider threat is the potential that an insider, which was described above, will use their access or knowledge of their organization’s resources for nefarious reasons. According to CISA, those reasons include:
Espionage
Terrorism
Unauthorized disclosure of information
Corruption
Sabotage
Workplace violence
Intentional or unintentional loss or degradation of organizational resources or capabilities (Defining Insider Threats, n.d.).
An insider threat can take one of three forms:
Unintentional threat
Negligence – This type of threat occurs when someone inside the organization that has been trained on the IT or security policies knowingly does not follow them.
Accidental – This type of threat occurs when someone inside the organization knows what the IT and security policies are, but simply makes a mistake or forgets to follow them.
Intentional threat – This type of threat occurs when someone inside the organization takes actions to intentionally circumvent IT and security policies to cause harm to the organization. These threats are considered malicious in nature.
Other threats:
Collusive threats – This type of threat occurs when two or more people inside the organization work together to circumvent IT and security policies resulting in harm to the organization.
Third-Party threats – These threats originate from people that are not part of the organization. They could be contractors, vendors, or even outside visitors (Defining Insider Threats, n.d.).
Let's take a look at what may be indicators of an insider threat. Keep in mind that an employee (remember from above that most insider threat cases involve employees) showing any one of these signs does not necessarily mean they are an insider threat. What needs to be noted is an employee showing several of the signs below at the same time. The takeaway? If something does not seem right, say something to your supervisor or manager:
Poor Performance Appraisals – No one likes to get a poor appraisal from their supervisor/manager. While a poor appraisal is not an indicator in and of itself, the thing to watch for is an employee who is overly vocal about it. That may mean they are disgruntled and willing to cause harm to the company.
Voicing Disagreements with Policies – Not everyone is going to like organization policies and that is fine. As with the first indicator, the thing to watch for is employees that are overly critical and vocal about their dislike for the policies.
Disagreements with Coworkers – It is not the disagreement itself that can be an indicator, but rather how the employees handle themselves after the disagreement is over.
Financial Distress / Family Issues – Employees that are having financial problems or family issues might try to find a way to make a lot of money quickly, and what better way to do that than selling their organization's data.
Unexplained Financial Gain – The indicator here is an employee that starts living above their annual income.
Odd Working Hours – This boils down to employees coming to work on weekends or staying late with no official reason to do so.
Unusual Overseas Travel – This would look like an employee traveling to a country that they normally would not be interested in visiting, with no official reason to go.
Leaving the company – The employee may be leaving for a benign reason, but it may warrant looking into their activity for the past three or six months as it may be an indicator (The Early Indicators of an Insider Threat, n.d.).
An example of an employee showing multiple indicators is as follows: an employee is overly critical of a poor performance appraisal, which he got because he is distracted due to financial issues resulting in his wife filing for divorce. These things make this employee vulnerable. One day he starts showing up to work in fancy cars and wearing newer clothes he normally does not wear. A week later he puts in for a vacation to a country that he cannot normally afford to go to, nor does he have an official reason to go. So, as we can see one indicator by itself is probably meaningless however, when stacked together, it becomes something that needs to be reported.
References
Defining Insider Threats. (n.d.). Retrieved from CISA.
Kelley, A. (2022, September 29). NSA Employee Leaked Classified Cyber Intel, Charged with Espionage (Former NSA InfoSec Designer Jareh Sebastian Dalke was Arrested by the FBI in Denver, Colorado on Wednesday as Part of a Sting Operation). Retrieved from Nextgov.
The Early Indicators of an Insider Threat. (n.d.). Retrieved from Digital Guardian.
OCT 26, 2022
SIM Swapping
by James Driscoll
October 26, 2022
This week the topic is SIM swapping. The reason I chose this topic is a news story that came out early last week. On 18 October, Verizon revealed that prepaid customer accounts had been breached in an attack linked to SIM swapping (Gatlan, 2022). A few things discussed today will be: 1) what is SIM swapping? 2) how does a SIM swap work? 3) indicators of an attack, and 4) how to defend against this attack.
So, let us look at what SIM swapping, also known as SIM hijacking, is. It is pretty much what it sounds like: moving the SIM card or eSIM, or rather the phone number tied to it, from one device to another. The key here is that it is the criminal doing the swapping, not the victim (SIM Swapping, n.d.). There are two reasons criminals engage in this type of attack: 1) to take advantage of the SMS messaging that some organizations use for their MFA, and 2) to take advantage of accounts where MFA is not set up at all (What is a SIM Swap, n.d.).
Now, let us move on and look at how this type of attack works. The typical SIM swapping attack starts with the victim giving the criminal their login credentials through a phishing email (SIM Swapping, n.d.). This gives the criminal access to the victim's online account with the phone company. A second part of this attack involves the criminal taking over the victim's email account that is associated with the cell phone account (SIM Swapping, n.d.). The reason for this is that it gives the criminal the ability to intercept any email correspondence from the phone company to the victim. Typical emails include confirmation that there was a change to the account, or one-time passcodes (OTPs), typically six digits, used for authentication.
Once the criminal controls the victim's email and has the login credentials for the account, they can conduct the SIM swapping attack. This can be done in a few ways: 1) online, using the login credentials received through the phishing email, or 2) in person, either by phone or by the criminal walking into one of the phone company's physical locations (Cryptopedia Staff, 2021). One thing to keep in mind is that no matter how it is done, some social engineering is going to be performed.
So, how can a person tell if they are a victim of a SIM swap? As it turns out there are three indicators. 1) The victim cannot access their online account. 2) There is no service despite being in an area with good reception. 3) The victim receives a notification about account changes they did not make (Adamu, 2022).
Now that we have looked at what a SIM swap attack is and how to spot one, let us now move onto what can be done to protect ourselves from being a victim. Believe it or not, there is a lot we can do. Below are seven recommendations:
Protect both the phone and the SIM card or eSIM. That means setting up and turning on whatever form of protection they offer. That could be a PIN, a password, or a pattern to unlock the device. Newer devices can use either a fingerprint or facial recognition to unlock. If able, lock the SIM. What that does is force the user to enter a PIN every time the device is started. If you lock your SIM, use a PIN that is different from the one used to unlock the device, and do not use something that is easily figured out or guessed, such as your own or a family member's birthday (Adamu, 2022).
Lock the phone number with the service provider. The reason that this is recommended is because it prevents changes to the account, in this case moving the SIM from one device to another unless a customer provides an authentication PIN or by going to the store and authenticating that way (Adamu, 2022).
Utilize strong/complex passwords and security questions. That means the password used to access the online account should have at least 12 characters consisting of lowercase letters, uppercase letters, numbers, and special characters. The same is true for any other accounts, keeping in mind not to reuse passwords. This would be a good time to invest in a password manager, because it is impractical to remember multiple unique passwords that are 12 characters or longer (Adamu, 2022).
Set up Two-Factor Authentication (2FA). The best thing to do is to use an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy. Do not use SMS-based or email-based authentication if another option is available, since a successful SIM swap hands the SMS codes to the criminal (Adamu, 2022).
Utilize biometric authentication on the device. Using this type of authentication is dependent on the device, as newer models support it while older models do not. If that functionality is available it is recommended, because it is much harder for a criminal who gets hold of the device to bypass than a PIN (Adamu, 2022).
Keep personal information shared online to a bare minimum. Any information that is posted online can be used by a criminal to impersonate their victim. I know that is easier said than done. I say that because our society is addicted to posting every part of our lives to social media. I understand why, it is a way to keep friends and family that are geographically separated up to date with what is going on and that is fine. The problem is posting too much information that criminals can use. I am talking about things like the name of a pet, best friends name, favorite food, etc. (Adamu, 2022). Do those examples look familiar? Well, they should since they are typical security questions that we are all asked to provide answers for to authenticate ourselves when we have forgotten our password to an online account.
Know how to spot phishing emails, texts, and phone calls. One resource I recommend is some of our other blogs; specifically, look at the August 24th blog as well as the blogs on October 12th and 19th, in which Miss Eula Chua discusses what phishing is and what to look for in emails and texts.
References
Adamu, H. (2022, March 13). How to Protect Yourself From a SIM-Swap Attack. Retrieved from Android Police.
Cryptopedia Staff. (2021, October 6). What is a Cell Phone SIM Swap Attack. Retrieved from Gemini.
Gatlan, S. (2022, October 18). Verizon Notifies Prepaid Customers Their Accounts Were Breached. Retrieved from Bleeping Computer.
SIM Swapping. (n.d.). What is a SIM Swapping Scam? Protect Your Device Against SIM Hackers. Retrieved from Verizon.
What is a SIM Swap. (n.d.). Retrieved from Yubico.
OCT 12, 2022
Securing IoT Devices
by James Driscoll
October 12, 2022
What exactly are IoT devices? IoT stands for "Internet of Things". They are also known as smart devices. Now, let me ask what comes to mind when you hear the term "IoT device"? I would bet a lot of the answers are going to be the Amazon Echo or the Google Home, am I correct? There are a lot more than just those two. The list includes smart refrigerators, smart watches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security systems, and so on (18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products), 2022).
While IoT devices are great in that they make our lives a little bit easier, they do have one serious flaw. IoT devices are configured for ease of setup / use, not security or privacy. To prove my point, I looked for a story regarding baby monitors being hacked. Yes, certain models of baby monitors are IoT devices.
I do not know if you all remember but there were stories every couple of months a few years ago, but we do not hear much about it now.
So, the story I found is from 2018, about a mom in South Carolina who noticed unusual activity on her baby monitor. One morning she woke up and saw that the monitor was pointed directly at her. While she thought this was weird, she dismissed it, since her husband was known to move the monitor through the application on his smart phone so he could check in while at work. Seems logical to me, as I have something similar, though not a baby monitor, that I can use to check on my wife while I am gone. However, the second incident has no logical explanation. It happened while the husband and wife were having dinner together. The wife got an alert on her phone that the camera was moving, but they were both at home in the same room and neither one had opened the app. What the wife did next was the best thing she could do: she not only disconnected the baby monitor, but also called law enforcement.
When an officer arrived, the wife described what happened and said she suspected the baby monitor had been hacked. So, the officer decided to do a little investigating and test that theory. The officer had her reconnect everything, and that is when she discovered she had been locked out of her own account (Domonoske, 2018). Pretty scary stuff.
Now at this point some people may be thinking how this happened. Remember what I said earlier. IoT devices are configured for ease of setup / use, not security or privacy. Also keep in mind that these devices could have vulnerabilities that are not seen on computers. I am talking about vulnerabilities that could allow a device to reset back to default settings (to include login credentials). I mention that because in the story when the monitor was setup the password was changed to something unique to the device and was not used anywhere else (Domonoske, 2018).
After reading this story, I am willing to bet that some of you are wondering if it is even possible to secure IoT devices, and my answer to that is yes, they can be secured. In fact, there are six steps that can be taken to secure IoT devices. One disclaimer: I know the site says seven tips and I am listing six. I did that because I combined changing the login ID and the password into a single item.
1. Start with configuring the router correctly.
a. Do not use default credentials. Change both the login ID and password.
b. Use the highest level of encryption available. You are looking for WPA2 or WPA3. If the router offers nothing better than WEP or WPA, you need a newer model.
2. Put IoT devices on their own network separate from everything else.
a. Basically, create a guest network for IoT devices. By doing this, you will prevent criminals from accessing the main network if an IoT device is hacked.
3. Another option is to turn off features you are not going to use.
4. Update the devices firmware. Keep in mind that this typically does not occur automatically. So, it may have to be completed manually. That means setting a calendar reminder once a quarter or so and following the directions to update, that should be included with the documentation for that device.
5. Implement MFA if available. Now, I know that this option is a little counterintuitive as it takes the ease of use out of the device, but it will add to the security.
6. Use a secondary Next Generation Firewall (NGFW). This is an option because while most routers built within the last few years probably have a firewall, it may not offer the protection you want. In that case, purchasing an NGFW and using it in conjunction with the router would do the trick (Goodreau, n.d.).
So, the bottom line here is that we as individual end users of these products are responsible for our security. We cannot rely on the product manufacturers to be security minded. As I have said a couple times in this blog, manufacturers want people to have a product that is easy to setup/use. This is what makes them money. If a product is not easy to setup/use, people are not going to buy it and the company is not going to make money, which is what matters to them.
References
18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products). (2022, September 24). Retrieved from Software Testing Help: https://www.softwaretestinghelp.com/iot-devices/#:~:text=Smart%20Mobiles%2C%20smart%20refrigerators%2C%20smartwatches,few%20examples%20of%20IoT%20products
Domonoske, C. (2018, June 5). S.C. Mom Says Baby Monitor was Hacked; Experts Say Many Devices are Vulnerable. Retrieved from NPR: https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable
Goodreau, T. (n.d.). 7 Actionable Tips to Secure Your Smart Home and IoT Devices. Retrieved from IEEE Computer Society: https://www.computer.org/publications/tech-news/trends/7-actionable-tips-to-secure-your-smart-home-and-iot-devices
OCT 5, 2022
Cookie Policies & Privacy Pop-Ups
by James Driscoll
October 5, 2022
Imagine you are browsing the internet and come across a website that contains a popup screen, covering the entire page, like in the screenshot below.
Note: MyFitnessPal.com is the website used as an example throughout this blog.
Basically, this popup screen is asking users to click "Accept" so the screen will go away. The question I have is: do you grumble and begrudgingly click "Accept", or do you review the options and read about how a site uses and stores your data? Have you noticed that some websites you visit have this popup and some do not? Do you know why we constantly see these popup screens? If you cannot answer these questions, do not worry, as I will talk about each one of them.
Each site that has a privacy policy with a pop-up screen provides links that users can click on to learn how their information is being used and stored. On this site users can read about their data rights and options, the terms and conditions of use, and the privacy policy. There is also a link for users to opt out of certain cookies. Finally, users can click on the “Accept” button to agree to all cookies.
Before diving deeper into these pop-ups, I think it helps to understand why they are here in the first place. About three years ago, privacy pop-ups came about because of the California Consumer Privacy Act (CCPA) of 2018. The CCPA took effect in January 2020 and mandates that websites advise their users what information they collect and how they intend to use it (Healey, 2021).
Another major reason for these pop-ups is the EU's General Data Protection Regulation (GDPR), which mandates that sites collecting the personal information of people in the EU comply with the regulation, wherever the site itself is based. Companies globally had to adjust and ensure their websites were in compliance with GDPR in order to continue serving customers in these countries.
Back to our example website, MyFitnessPal.com. What are the options available? The first option is to read exactly what the data rights and options are. The Reader's Digest version is that the site tells users they have the option to opt out of personalized and targeted advertising. It also gives users directions on limiting cookies and other tracking technologies. Next, it gives directions on changing device settings for both iOS and Android. Finally, there are even steps on how users can access their data and export it to a file (Data Management, n.d.).
Next, let’s look at their Terms and Conditions of Use. This page spells out what users can and cannot do with their site. It is basically a legal disclaimer designed to protect them and their users (MyFitnessPal Terms and Conditions of Use, n.d.). Every site you go to is going to have this page. Some sites will make it easier to find than others.
The third and final policy that we have is the Privacy Policy. This page talks about how the site collects and uses user information. They also discuss how and to whom they share user information. Reading further on, they discuss the legal reasons for collecting and sharing user information. They also include situations where users are asked for consent to information sharing.
Now, there is one more option available. If you review the above screen shot, there is an option to opt out of specific cookies. This means users can choose which cookies are accepted, or not. The options may vary from site to site, and based on user region.
So, let's take a further look, shall we? As you can see, the next screenshot tells users why cookies are used. Users can agree to all of them and proceed, or they can click on "More Information" and choose which cookies they want to accept.
If we click on "More Information", we find a couple of options that users can opt in or out of. As shown in the screenshot below, there are three sets of cookies: "Required Cookies", "Functional Cookies", and "Advertising Cookies". Notice users can only opt in or out of the "Functional Cookies" and the "Advertising Cookies". The reason is that "Required Cookies" are necessary for the site to function properly. The other two are completely optional.
UPDATE: As I am writing this blog, new information has come out regarding these cookie consent notifications.
According to the Bleeping Computer news site, seeing these consent pop-ups may mean users are already being tracked. The reason they say that is because in some cases, these pop-ups facilitate a “privacy breaching data exchange before the user can opt out” (Toulas, 2022).
Now, you may be asking what are our options? Well, one option is to completely stop using the internet. Before I am written off as insane, I understand this is impossible. Our lives are so intertwined with the internet that the actuality of this happening is next to zero. But, it is still an option. A second option is to continue with the status quo. A third option? Yes, ladies and gentlemen, there is a third option available: Use the Brave browser. This is now an option because starting with the upgrade that comes out this month, which will be version 1.45, Brave will block users from seeing these consent pop-ups (Toulas, 2022).
Bottom line, when you get to a website with one of these privacy pop-ups, I highly recommend taking some time to read through the policies. I say that because I want everyone to be informed as to how their information is being collected and used. Keep in mind that the information these sites collect and use is your information, and you, as the owner of that information, get to dictate whether a website can not only collect but also use it.
References:
Data Management. (n.d.). Retrieved from MyfitnessPal: https://www.myfitnesspal.com/data-usage
Healey, J. (2021, September 1). What are Those Annoying Website Popups About Cookies? And What Should You do About Them. Retrieved from LA Times: https://www.latimes.com/business/technology/story/2021-09-01/what-are-website-cookies-how-do-they-impact-internet-data
MyFitnessPal Terms and Conditions of Use. (n.d.). Retrieved from MyFitnessPal.com: https://www.myfitnesspal.com/terms-of-service
Toulas, B. (2022, September 29). Brave Browser to Start Blocking Annoying Cookie Consent Banners. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/security/brave-browser-to-start-blocking-annoying-cookie-consent-banners
SEP 28, 2022
MFA Fatigue
by James Driscoll
September 28, 2022

The data breach at Uber is just the latest in a long list of data breaches this year. While the tactic used to gain network access is not new, I do not believe it had gotten a lot of press until now. You might be wondering which tactic that is: Multi-Factor Authentication (MFA) fatigue. So, what is MFA fatigue? As we all know, there are different types of MFA. They include hardware keys, biometrics, authenticator applications, SMS, and push notifications. MFA fatigue targets push notifications (Abrams, 2022).
The way this attack works is that the threat actor obtains an employee's credentials, either by phishing, by buying them on the dark web, or in some other way. The threat actor then tries to log in, and the victim gets a push notification. The victim, knowing they are not attempting to log in, is obviously not going to accept it. Not having gained access to the network, the threat actor keeps attempting to log in repeatedly in rapid succession until the victim gets so tired of the notifications that they finally accept one just to make them stop (Abrams, 2022).
So, what can be done to safeguard against this type of attack? Arctic Wolf, a leading cybersecurity company, has three recommendations.
1. Educate all users on indicators of an attack:
a. Unexpected MFA push notifications
b. Unknown location of login attempt
c. Receiving communication supposedly from a person in the organization's IT department asking the user to accept the request
d. Continuous MFA requests in rapid succession over a short period of time
2. Restrict the number of MFA push notifications allowed
3. Disable MFA push notifications and use another form of MFA (Tatar, 2022)
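Indicator (d) and recommendation 2 are both things you can check mechanically. The following is an added example for this post, not code from Arctic Wolf, Bleeping Computer or the blog author: it reads a small constructed push-notification log (pipe-delimited timestamp, user, result, source IP; the format and the thresholds are assumptions chosen for the demo) and flags a burst of prompts in a short window plus the worst case, an approval right after a run of denials. The rate limiter at the end shows what "restrict the number of push notifications" looks like on the identity-provider side.

```python
"""Spot MFA push-fatigue activity in an authentication log (added example)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    result: str      # "denied" or "approved": one line per push prompt
    src_ip: str


# Constructed sample log (assumed format): alice is hammered with prompts at
# 2 a.m. and finally approves one; bob shows normal daytime behaviour.
SAMPLE_LOG = """\
2022-09-15T02:10:01Z|alice|denied|203.0.113.7
2022-09-15T02:10:09Z|alice|denied|203.0.113.7
2022-09-15T02:10:18Z|alice|denied|203.0.113.7
2022-09-15T02:10:25Z|alice|denied|203.0.113.7
2022-09-15T02:10:33Z|alice|denied|203.0.113.7
2022-09-15T02:10:41Z|alice|approved|203.0.113.7
2022-09-15T08:30:00Z|bob|approved|198.51.100.20
2022-09-15T13:05:10Z|bob|denied|198.51.100.20
2022-09-15T17:45:22Z|bob|approved|198.51.100.20
"""


def parse_log(text: str) -> list[PushEvent]:
    """Turn the pipe-delimited lines into PushEvent records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split("|")
        events.append(PushEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return sorted(events, key=lambda e: e.ts)


def detect_push_fatigue(events, max_prompts: int = 5,
                        window: timedelta = timedelta(minutes=10), streak: int = 3) -> list:
    """Return ("push_burst", user, ip, n) when more than max_prompts prompts land
    inside `window`, and ("approved_after_denials", user, ip, n) when a user
    approves a prompt after at least `streak` consecutive denials."""
    alerts = []
    recent = defaultdict(deque)   # user -> prompt timestamps still inside the window
    denials = defaultdict(int)    # user -> consecutive denials so far
    for ev in events:
        q = recent[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] > window:      # drop prompts that fell out of the window
            q.popleft()
        if len(q) > max_prompts:
            alerts.append(("push_burst", ev.user, ev.src_ip, len(q)))
        if ev.result == "denied":
            denials[ev.user] += 1
        else:
            if denials[ev.user] >= streak:
                alerts.append(("approved_after_denials", ev.user, ev.src_ip, denials[ev.user]))
            denials[ev.user] = 0
    return alerts


class PushRateLimiter:
    """Recommendation 2: cap push prompts per user per window. When allow_push()
    returns False the login should fall back to number matching or a hardware
    key instead of sending yet another push."""

    def __init__(self, max_prompts: int = 3, window: timedelta = timedelta(minutes=10)):
        self.max_prompts = max_prompts
        self.window = window
        self._sent = defaultdict(deque)   # user -> timestamps of prompts sent

    def allow_push(self, user: str, now: datetime) -> bool:
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False
        q.append(now)
        return True


def limiter_demo() -> list:
    """Drive the limiter through a burst: three prompts pass, the fourth is
    refused, another user is unaffected, and alice is allowed again once the
    window has rolled over."""
    lim = PushRateLimiter(max_prompts=3, window=timedelta(minutes=10))
    t0 = datetime(2022, 9, 15, 2, 10, 0)
    return [
        lim.allow_push("alice", t0),
        lim.allow_push("alice", t0 + timedelta(seconds=10)),
        lim.allow_push("alice", t0 + timedelta(seconds=20)),
        lim.allow_push("alice", t0 + timedelta(seconds=30)),
        lim.allow_push("bob", t0 + timedelta(seconds=30)),
        lim.allow_push("alice", t0 + timedelta(minutes=11)),
    ]


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
    print(limiter_demo())
```

The thresholds are deliberately conservative; a real deployment would tune `max_prompts` and `window` against the organisation's own baseline and also correlate the source IP with the user's usual locations (indicator b).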
One thing to keep in mind is that MFA is just another tool in the cybersecurity toolbox. It is subject to compromise just like any other tool we have. The reason I say that is that, from what I have seen, the expectation is for MFA to be the end-all, be-all of security, but it is not. I am pretty sure that is an unpopular opinion, and that is fine.
I am pretty sure that some people reading this are wondering, "If MFA can be compromised, then why use it?" This is a valid question. The reason MFA still needs to be used is that it is part of a layered defense. By that I mean the first layer is a user's login credentials (username and password). If those get compromised, the second layer (MFA) comes into play and will generally prevent a threat actor from gaining access to an organization's network.
As I alluded to earlier, MFA is not foolproof, as proven by the attack on Uber and numerous other organizations. Let's be honest: if a threat actor wants to gain access to a network badly enough, they are going to find a way in. The whole point of using MFA as part of a layered defense is to make gaining access to our networks so difficult and time-consuming that they move on to another target. The military would call this being a "hard target". By being a hard target, your organization becomes a less desirable target, and a threat actor will normally move on to something easier.
There are two important takeaways I want everyone to gain from this blog:
MFA is simply another tool. It is good at preventing a threat actor from gaining access to a network, but it can be compromised.
Educate your users. That means everyone from the CEO all the way down to the newest employee at the bottom of the corporate ladder. Securing our networks is everyone's responsibility. There is an African proverb that states "it takes a village to raise a child" (Reupert, Straussner, Weimand, & Mayberry, 2022). In this context, it takes a village to secure our networks.
References
Abrams, L. (2022, September 20). MFA Fatigue: Hackers' New Favorite Tactic in High-Profile Breaches. Retrieved from Bleeping Computer.
Reupert, A., Straussner, S. L., Weimand, B., & Mayberry, D. (2022, March 11). It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the "Village". Retrieved from Frontiers.
Tatar, S. (2022, September 22). The Growing Risk of MFA Fatigue Attacks. Retrieved from Arctic Wolf: What is MFA Fatigue?
SEP 21, 2022
Cybersecurity Workforce Framework - NIST & NICE
by James Driscoll
September 21, 2022

Let's begin with a typical conversation between someone in Cybersecurity and someone wanting to break into the industry. New person: "I want to get into Cybersecurity, but I do not know where to start." Cybersecurity professional: "What part of Cybersecurity do you want to get into?" New person: "I do not know."
Does this sound familiar? It should, because I am willing to bet that most if not all of us have either initiated or been a party to this very type of conversation. How do we respond when a new person says "I do not know" when asked what part of Cybersecurity they want to get into? Luckily, NIST has us covered. They created the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.
The NIST NICE Framework, also known as NIST SP 800-181, was created in 2017 to break the Cybersecurity realm down into 52 work roles. It also acts as a foundational reference that provides baseline information regarding the knowledge, skills, and abilities (KSAs) for these roles. It was updated to Rev. 1 in November 2020 (Newhouse, Keith, Scribner, & Witte, 2017).
One thing that I like about this framework is that it is easy to read. It is logically laid out. Now, as with any other framework, NIST 800-181 is full of acronyms; however, the first time one is used it is spelled out, which alleviates some confusion for people reading it. Another aspect I like is that it spells out not only who the audience is, but how it is going to support them. For example, NIST 800-181 is designed for everyone, but for employers there are five aspects that will help them basically write a job description for a particular role. It also describes how it supports current and aspiring employees. Finally, it discusses support for educators, trainers, and technology providers (Newhouse, Keith, Scribner, & Witte, 2017).
So, everyone might be wondering what part of NIST 800-181 we should refer a new person to when they say they do not know what part of Cybersecurity they want to get into. Well, there is a table in Attachment A3. Specifically, they want to look at the Work Role, which is in the middle of the table, and the Role Description, which is at the far right of the table (Newhouse, Keith, Scribner, & Witte, 2017). One thing to keep in mind is that while, as stated earlier, the NICE Framework identifies 52 roles, that does not mean that individual organizational positions are going to be named the same way. This may cause some confusion. The best way I can think of to alleviate that confusion is to compare the role description in the NICE Framework with the job description in the job ad.
In addition to the identified roles, the NICE Framework also breaks those roles down and identifies the applicable tasks, knowledge, skills, and abilities (KSAs) required for each specific role. This is in Appendix B. I must warn everyone: this table uses a lot of codes to identify the tasks and KSAs. The task and KSA codes and their definitions are in Appendix A. That means there is going to be a lot of going back and forth between the two appendices.
Now, if you remember from earlier, I said that the NICE Framework is designed to be used by everyone, not just people trying to decide on what part of Cybersecurity to get into. For example, organizations can use Appendix A and B when they are creating job advertisements. Also, managers can use those same appendices when deciding on employee training.
So, if there is one NIST framework that I think everyone must read, it would be NIST 800-181. It has information applicable to everyone. For new people wanting to break into the Cybersecurity industry, it breaks the industry down into 52 roles, which can assist them in deciding what part of Cybersecurity they want to get into. For HR, it has a listing of KSAs for those specific roles, which will help them create accurate job listings for open positions. Finally, for trainers, NIST 800-181 can be used as a resource when creating training programs, courses, seminars, exercises, and challenges, as these can be based on role-specific tasks and associated KSAs.
References
Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017, August). NIST Special Publication 800-181. Retrieved from National Institute of Standards and Technology: https://doi.org/10.6028/NIST.SP.800-181
SEP 7, 2022
Compliance Frameworks
by James Driscoll
September 14, 2022

While studying for my CompTIA CySA+ examination, I came across several regulatory frameworks. So, I thought it would be a good idea to write a blog briefly discussing each one. The regulatory frameworks I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; and finally, the Family Educational Rights and Privacy Act (FERPA).
The first framework I will cover is HIPAA. HIPAA became law back in 1996 and was designed to allow employees changing jobs to take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the Security and Privacy Rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).
The second framework is PCI DSS. The interesting aspect of this standard is that, unlike all the others, it is not a law but a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These range from fines levied by the banks themselves all the way to an organization losing the ability to accept payment cards as a form of payment (Petree, 2019).
The third framework is the GLBA. This act applies to the banking and financial industry. The basic premise is that every financial institution must have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).
The fourth framework is the SOX Act. This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to prevent these organizations from defrauding their investors. It is named for the two members of Congress who sponsored it, Senator Paul S. Sarbanes and Representative Michael G. Oxley (Kenton, 2022).
The last framework to be covered is FERPA. This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose: 1) it gives control of educational records to the parents or to adult students, and 2) it requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) contained in those records (Family Educational Rights and Privacy Act (FERPA), n.d.).
References:
Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex.
Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html
Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
HIPAA History. (n.d.). Retrieved from HIPAA Journal: https://www.hipaajournal.com/hipaa-history/
Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp
Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20
AUG 31, 2022
The Computer Fraud and Abuse Act (CFAA)
by James Driscoll
August 31, 2022

We see news stories almost daily of threat actors hacking into an organization's computer network and either stealing the data or encrypting it unless the organization pays a ransom. Now, we all know that this is illegal, but do we know why it is illegal? The answer lies in 18 U.S. Code 1030, also known as the Computer Fraud and Abuse Act (CFAA), which became law in 1986. This blog will discuss the specifics of the CFAA, what led to its passing, and the most recent updates.
History of CFAA
The CFAA got its start as part of another statute, the Comprehensive Crime Control Act of 1984. Part of that act made the following two computer-related activities illegal: 1) gaining unauthorized access to a computer, and 2) having authorized access to a computer but accessing areas that are not authorized (CFAA Background, 2022). The second one is what the statute calls exceeding authorized access; in security terms it is essentially privilege escalation.
Now, for someone to be charged under the 1984 act for hacking, the victims were limited to government interests. More specifically, the conduct had to involve one of three scenarios: 1) accessing information vital to national security, 2) gaining access to personal financial records, or 3) gaining unauthorized access to government computers (CFAA Background, 2022).
Let's skip ahead to 1986. This is when the computer crime provisions of the 1984 act officially became 18 U.S. Code 1030, the Computer Fraud and Abuse Act (CFAA). This separation facilitated the addition of three more prohibitions:
1) Gaining unauthorized access with intent to defraud (CFAA Background, 2022). You will notice that gaining unauthorized access is the same as in the 1984 act; the addition is the intent to defraud. So, the bottom line for this prohibition is gaining unauthorized access with the intent of illegally obtaining money from an organization through deception.
2) Gaining unauthorized access, same as before, but adding that the threat actor alters or damages the data in some way that affects its confidentiality, integrity, or availability (the CIA triad).
3) Trafficking in computer passwords (CFAA Background, 2022).
Now, in addition to what was mentioned above, let's see what else is in the CFAA. Punishments are also defined, by type of offense. In addition, the CFAA dictates who (depending on the offense) will investigate: either the Federal Bureau of Investigation (FBI) or the United States Secret Service. Finally, certain terms are defined at the end of the document (18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers, n.d.).
2022 Update
Over the years, the CFAA has been amended numerous times. The most recent change, in May 2022, is not an amendment to the statute itself but a new Department of Justice charging policy. Basically, what this policy affirms is that "good-faith security research should not be charged" (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022). The policy goes on to define good-faith security research, but essentially it means testing a network for vulnerabilities (with the owner's permission) so they can be mitigated, thus protecting the CIA triad of that network, as opposed to probing it for extortion or profit (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022). Keep in mind that this is guidance for federal prosecutors, not a change to what the statute prohibits, so written authorization from the system owner remains the tester's real protection.
Conclusion
I highly recommend at least skimming it. I think it is an interesting read; of course, I am a bit of a nerd, so I may be a little biased. Nonetheless, it is important to be at least familiar with applicable laws, especially if anyone is wanting to get into penetration testing. This way you will have an idea of how far you can go without breaking the law, because I will tell you, as someone with a criminal justice degree, claiming ignorance of the law is not a defense.
References:
18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from cornell.edu: https://www.law.cornell.edu/uscode/text/18/1030
CFAA Background. (2022, July 14). Retrieved from NACDL: https://www.nacdl.org/Content/CFAABackground
Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act. (2022, May 19). Retrieved from Justice.gov:
AUG 24, 2022
Why Every Organization Needs a Disaster Recovery / Business Continuity Plan
by James Driscoll
August 24, 2022

Disasters, whether natural or man-made, are inevitable. Every company, no matter its size or location, is going to experience one. How quickly it recovers, if at all, depends on whether it has a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that experience a disaster without a BC / DRP close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).
For a BC / DR plan to be successful the following five steps should be taken:
1. Be proactive with planning – Basically, this means creating a list of as many conceivable disasters as possible. Plausibility is the only limiting factor here. For example, a company in North Dakota does not need to plan for a hurricane.
2. Identify the organization's critical functions and infrastructure – This is when a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses about the causes of disruptions and the repercussions of those disruptions.
3. Create emergency response policies and procedures – This is the meat and potatoes of the process: creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.
4. Document the backup and restoration process – This involves writing down the procedures for backing up the company's data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.
5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing comes in. Testing a plan makes the employees familiar with it, which results in them being able to respond more quickly. This is paramount in a disaster, where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).
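Steps 4 and 5 meet in the restore test: a backup job that reports success has proven nothing until the restored bytes are checked. The following is an added example for those two steps, not code from the blog or the sources it cites. It backs up a directory into a tar archive with a SHA-256 manifest, restores it elsewhere, and verifies every file against the manifest; the sample directory tree is constructed inside a temporary folder so the drill runs anywhere, and in real use create_backup() would be pointed at the production data with the manifest kept alongside the archive.

```python
"""Backup-and-restore drill with an integrity manifest (added example)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Tar the source tree and write <archive>.manifest.json mapping each
    relative path to its SHA-256, so a restore can be checked independently
    of whatever the archive itself claims."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(manifest: dict, root: Path) -> list:
    """Return the relative paths that are missing or whose content differs."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_file(root / rel) != digest]


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest; the 'data' filter rejects members that
    would escape dest (absolute paths, '..', links pointing outside)."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:          # Python release without the filter= argument
            tar.extractall(dest)


def run_drill() -> tuple:
    """Exercise the documented procedure end to end on a constructed tree and
    return (problems after a clean restore, problems after simulated corruption)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"                      # constructed sample data
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,Ada\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")

        archive = root / "backup.tar.gz"
        manifest = create_backup(source, archive)

        dest = root / "restore"
        restore(archive, dest)
        clean = verify_tree(manifest, dest)

        # Simulate silent corruption of the restored copy (bad media, partial write).
        (dest / "db" / "customers.csv").write_text("id,name\n1,Bob\n")
        corrupted = verify_tree(manifest, dest)
        return clean, corrupted


if __name__ == "__main__":
    print(run_drill())   # ([], ['db/customers.csv'])
```

Run the drill on a schedule against a copy of the real backup, and treat a non-empty problem list as an incident in its own right: a backup you cannot restore is the disaster-within-the-disaster the next section warns about.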
When creating the BC plan, one of the main things to consider is the backup location. This location may have its own disaster risks that need to be anticipated. Six items to consider when choosing a backup location include:
1. Natural Disaster – If the backup location is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The mitigation, if feasible, is to pick a location farther away.
2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power or road closures. The mitigation for loss of power is to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or to find a location close enough to employees that they can walk to the site.
3. Human Error – Humans are not psychic; we need to be given information. A company may have the best BC / DR plan ever created; however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.
4. Cyber Attack – While transferring data to the backup site, companies need to ensure that their customers' information is safe and not going to be exposed to a cyber-attack. This can be mitigated by ensuring devices at the backup location are patched and updated as diligently as the primary site, anti-virus is used, and data is encrypted both in transit and at rest.
5. Compliance – No matter where the company is operating from, whether the primary location or the backup site, it still needs to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location: whenever something is done to the primary location, it is also done to the backup location.
6. Physical Security – Physical security is just as important as securing the company's data. There are a couple of ways to achieve this. The company could invest in a security system, including cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).
References:
An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf
Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: https://www.bizjournals.com/memphis/news/2020/03/09/5-steps-to-creating-a-backup-and-disaster-recovery.html
Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies
AUG 17, 2022
DEF CON: The Beginning
by James Driscoll
August 17, 2022

DEF CON was this past weekend, and I started wondering about how and when it started. So, I decided this would be an awesome topic, although I wish I had had the idea before last week's blog went out.
Now, I do not know about anyone else, but I have always wondered not only how DEF CON originated but also how the name originated. As you will discover below, it is quite interesting.
It turns out that the name did not originate entirely where I thought it did. With a 20-year career in the Air Force, it was my impression that DEF CON was taken from the term for Defense Readiness Condition. That was indeed part of the inspiration, by way of the 1983 movie "WarGames". The basic premise of this movie is that a young kid connects to a government system that controls the United States nuclear arsenal. If I had to guess, I would say that it is probably the original hacking movie, but I digress a little bit. It turns out that in the current context, DEF derives from the number three key on a telephone and CON derives from the word conference. Interesting side note: the official spelling is DEF CON.
So, why was DEF CON started? It was not envisioned to be the exhibition that we have today. In fact, the origin is mundane. In 1993, a gentleman by the name of Jeff Moss had a friend who was moving away. Being a good friend, Jeff wanted to give him a good send-off, so he organized a going-away party. Unfortunately, the friend moved before the party. Not wanting to cancel it, and wanting to honor his friend, Jeff asked all his hacker friends to make a trip to Las Vegas to party. Thus, DEF CON was born. There were approximately 100 people in attendance.
As mentioned above, this was originally supposed to be a going-away party, so it would have been a one-time event. However, everyone had such a great time that they convinced Jeff to host it again in 1994. Reluctantly he agreed, and at the second DEF CON at least 200 people attended. With each new DEF CON, the number of attendees consistently grew. For DEF CON 27, which was in 2019, there were approximately 30,000 attendees.
Another interesting bit of information that I did not know is that in 2018 DEF CON held its first event in China. It was supposed to become a regular event, but after a second edition in 2019 the COVID-19 pandemic put a stop to it, and those remain the only DEF CON events ever held outside the United States.
AUG 10, 2022
CompTIA Certification Exams
by James Driscoll
August 10, 2022

There seems to be some confusion when it comes to CompTIA certification exams. I constantly see questions about exam expiration and what should be done. These questions come primarily from people who are working to break into the Information Technology (IT) realm, so they cover A+, Network+, and Security+. The purpose of this blog is to clear up some of that confusion. For illustrative purposes I will use the CompTIA A+ exam details to highlight what I am talking about.
Regarding the expiration of the exams: each CompTIA exam version is generally live for about three years, give or take a few months. The reason they are valid for such a short time is that, as we all know, the IT realm is constantly changing, so the exams need to be updated regularly to stay relevant. For instance, the A+ version 1001/1002 officially launched on 15 January 2019 and will retire on 20 October 2022, so about three months shy of four years. What this means is that on 20 October 2022, this exam version is no longer available. It does not mean that the certification goes away forever. It simply means that version 1001/1002 is replaced with a newer version.
That newer version is numbered 1101/1102 and officially launched in April 2022. Some people have asked what this means. In a nutshell, there is generally a six-month overlap between the retiring version and the newer version, during which a person can take either exam. One thing to keep in mind is that if a person wants to take the newer version, the study material for the newer exam may not be available right away. The screenshots below illustrate my points.
The same concept also applies to Network+, Security +, and every other CompTIA certification exam.
In addition to this, there seems to be some confusion as to when a person is ready to take an exam. I have seen people say that they took such and such practice test and have been scoring x% on each test, then ask if they are ready to take the exam. Here is an easy way to tell. Again, I will use the CompTIA A+ exam as an example. As shown below, to pass Core 1 a test taker needs to score 675 out of 900, and to pass Core 2, 700 out of 900.
Figuring out if you are ready is fairly simple. Take 675 and divide it by 900, then multiply by 100 to get the minimum passing percentage: 675/900 = 0.75, and 0.75 * 100 = 75%. So for Core 1 the minimum passing score is 75%. The same formula applies to Core 2 (700/900, roughly 78%) and every other CompTIA exam. If someone is consistently scoring above that minimum percentage on practice tests, they are ready for the exam. Keep in mind that CompTIA reports scaled scores on a 100 to 900 range, so this is a rule of thumb rather than an exact conversion; aim comfortably above the line.
Hopefully, this information is helpful. I wish everyone good luck on which ever test you are all studying for.
AUG 3, 2022
DVWA - The Damn Vulnerable Web Application
by James Driscoll
August 3, 2022

In the world of ethical hacking, it is important to constantly practice your skills to maintain proficiency. There are a multitude of ways to accomplish this. There are websites like TryHackMe and Hack The Box. Another option is to set up a home lab using either physical or virtual machines.
Using virtual machines offers numerous options. Intentionally vulnerable operating systems can be downloaded and set up to practice on. This is fine if you want to practice hacking into a machine. However, what are the options if you want to practice hacking a web application? Well, I found an answer while taking an ethical hacking class during my bachelor's degree in Cybersecurity: the Damn Vulnerable Web Application (DVWA).
DVWA can be downloaded and installed on a Virtual Machine (VM), offering the ability to practice concepts such as SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery, to name a few.
Where can DVWA be downloaded from? Good question. There are many versions of DVWA floating around the internet, but the best place is the GitHub page https://github.com/digininja/DVWA. This version is the most up-to-date and is the only one with any kind of support.
So, how is it accessed? Since it is a web application, it should really be accessed from a separate VM, just as if you were accessing a normal web application during a penetration test. Simply put the IP address of the VM hosting DVWA into the browser, as shown below:
The login information should be provided:
After logging in, you will see the below screen:
What is interesting about DVWA is that it has adjustable security settings that range from Low to Impossible. If you look at the screenshot above, on the left side is DVWA Security. This is where the security level can be adjusted. This should be the first thing you do. Each level ships a different version of the module's PHP source, and the View Source button on each module page lets you compare what changed between levels, which is where the real lesson is.
After the security level is adjusted, then any of the other options can be selected. In this case I chose to go with SQL Injection.
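To show what the SQL Injection module is exercising, here is an added example in miniature. It is not DVWA's own PHP (that lives on the GitHub page above) and not the blog author's code: it builds a throwaway in-memory SQLite table shaped like DVWA's users table (constructed rows, MD5 hashes as DVWA stores them), runs two classic payloads against the string-concatenated query pattern DVWA's Low level uses, and then against a parameterised query of the kind its Impossible level uses. The table contents, payloads and function names are all assumptions made for the demo.

```python
"""SQL injection: DVWA-style vulnerable lookup beside its parameterised fix (added example)."""
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
                 "last_name TEXT, password TEXT)")
    rows = [(1, "admin", "admin", "password"),
            (2, "Gordon", "Brown", "abc123"),
            (3, "Hack", "Me", "charley")]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(i, f, l, hashlib.md5(p.encode()).hexdigest()) for i, f, l, p in rows])
    return conn


def lookup_vulnerable(conn, user_id: str) -> list:
    """Low level: user input is pasted straight into the SQL string, so a quote
    in the payload closes the literal and everything after it becomes SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id: str) -> list:
    """Parameterised query: the driver sends the value separately from the SQL
    text, so the payload is compared as an opaque string and matches nothing."""
    return conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()


# Two classic inputs from the exercise (constructed here, not taken from the page).
TAUTOLOGY = "1' OR '1'='1"                                            # returns every row
DUMP_HASHES = "x' UNION SELECT first_name, password FROM users -- "    # second SELECT leaks hashes


def demo() -> dict:
    """Run both payloads against both implementations and collect the results."""
    conn = build_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "1"),
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),
        "dump_vuln": sorted(lookup_vulnerable(conn, DUMP_HASHES)),
        "normal_safe": lookup_safe(conn, "1"),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "dump_safe": lookup_safe(conn, DUMP_HASHES),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The UNION payload is the one to study: it does not need the WHERE clause to be true at all, it only needs the injected SELECT to return the same number of columns as the original, which is exactly the column-count guessing the DVWA exercise walks you through.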
This platform really makes it easy to practice these valuable skills. I highly recommend giving this a try. I hope you all have as much fun using this as I did.
Check out this DVWA resource: a YouTube video from @CryptoCat on DVWA setup, the first step. There is a series outlining all the steps. Another great find to walk you through the process, step by step: https://youtu.be/GmWQ1VIjd2U
JUL 27, 2022
Chase The Knowledge, Not the Certification
by James Driscoll
July 27, 2022

There is a question that I see all the time on the various social media platforms: "Will {insert certification name here} get me a job in Cybersecurity?" Now, I know that there are a million opinions as to whether certifications are even needed to enter this industry. That is not what this is about. This is about the apparent myth that simply getting a certification will land a person a job in cybersecurity.
The answer to the above question is no, {insert certification here} will not directly land someone a job. At most, the certification will help someone get an interview. From there, it is up to you to land the job. So, does that mean not to worry about getting a certification? Not necessarily. What I am saying is, do not get a certification simply because it is a requirement for some jobs. Get the certification for the knowledge you will gain. It is one thing to pass the exam and receive the certification; that may help you get an interview by standing out over other applicants who may not have it. During the interview, the fact that you have {insert certification here} means nothing unless you can apply some of those concepts in the interview and talk to the interviewer about the knowledge you gained by studying for the exam.
The whole premise is to chase the knowledge, not the certification.
JUL 20, 2022
Veteran in Cybersecurity
by James Driscoll
July 20, 2022
My name is James. I am a retired Air Force veteran and have been married to my wife for 22 years.
In the Air Force, my role was in Air Transportation. Basically, I worked at military airports loading passengers and cargo. The best way to picture it is to think of a combination of American Airlines and Federal Express. After I retired in 2014, I continued in the same career field but as a military contractor. The job is interesting; however, it is no longer challenging.
One aspect of this job that I really enjoy is regulatory compliance: ensuring that all the passengers comply not only with applicable FAA/TSA regulations but also with the entry regulations of the destination country. On the cargo side, the job entailed ensuring the cargo was prepared and documented correctly. This is extremely important when hazardous cargo is being transported, because it affects the safety of the aircraft, crew, and any passengers. An example of a failure in procedure is ValuJet flight 592, which went down in the Everglades in 1999. The reason for this crash was that some oxygen generators were not properly packaged or documented.
In addition to loading airplanes, I also served as a system administrator. I was responsible for creating accounts, setting permissions based on the duty position of the individual, and working with the help desk to update and patch the system. This is what initially got me interested in Information Technology. As a result, I tried numerous times to change career fields into Information Technology but was unsuccessful.
Why am I making the career change into Cybersecurity? This is a good question. It was June 2020, and I was working at a deployed location loading aircraft and suffering every day because of medical conditions created by my military career. My wife suggested contacting the Veterans Affairs office and applying for something called Vocational Rehab. Basically, this is a program where veterans with medical conditions can go back to school to get a degree in a field that will not aggravate the condition. So, I applied.
After speaking with the counselor, I was approved! Next, it was time to choose a program and school. I thought to myself, this was the perfect chance to finally change careers and move into Information Technology. After constantly seeing reports of data breaches and ransomware attacks, I decided to transition into cybersecurity. The school I chose to attend is ECPI, and I will be graduating at the end of August 2022.
I am extremely grateful to Kimberly for this opportunity to work with Cybersecurity Central. It is exciting to be able to give back to such a welcoming community that I am breaking into. It will be an interesting journey but I hope it will be a journey that everyone can learn and get inspiration from.
Feel free to connect or send me a message on LinkedIn: https://www.linkedin.com/in/jdriscoll-76