Alright everyone, just eight days 'til my CompTIA CySA+ exam. For this week’s blog, I thought I would talk about the various containment strategies once an incident has been discovered. If you remember from last week, I mentioned the different phases of incident response. Containment is one of those phases.

When we talk about containment, we are talking about restricting the movement of the threat actor to the systems or part of the network they already have access to. This also means not providing a path to the rest of the network. There are four ways in which to restrict that movement, noted below:

1. Proactive Segmentation – This is typically accomplished during the preparation stage with the goal of reducing organizations attack surface. This is also used as part of a defense in depth strategy. When configured correctly, it will prevent a threat actor from moving from one segment of the network to another.

2. Segmentation in response to an incident – This strategy takes segmentation one step further. Let’s say for example that only a couple of computers on a segment have been compromised. What would happen is that those computers would be placed in their own separate segment. This would restrict the threat actor’s ability to compromise the rest of the segment and prevent movement through the rest of the network.

3. Isolation – This is a third option that takes segmentation even further by completely disconnecting the compromised systems from the rest of the network yet retaining their internet connection. The goal is to ensure that the threat actor has no way to move through the network. The threat actor does however maintain access to the compromised systems.

4. Removal – As the name suggests, with this strategy compromised systems are completely removed from the network and the internet. This absolutely ensures that movement through the network is impossible. It also cuts off the threat actors’ access to those compromised systems. Now there is one critical aspect that we all need to be mindful of when deciding to remove compromised systems from a network and internet. That is, it may still be possible to lose all the data stored on those systems. There is a chance that the threat actor installed a script designed to delete all data when access is lost. The way the script would know is by using a separate script designed to reach out to an external host. Think of it as a ping request. When there is no response, the second script runs deleting all the data.

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

Hello February!

=====

Originally I planned to continue on the topic of encryption algorithms but today’s #BlogByCC happened to fall perfectly on a new start to the month, and to do things differently, I want to take this opportunity to encourage and promote more self-reflection. I noticed throughout the years, I would go months on just zooming through life and end up feeling a little bit lost in between. Just as with studying, if you don’t go back to review what you learned, you’ll end up forgetting it. Similarly with life, if you don’t take the time to reflect on how things are going, how would you know where you’re heading towards is the direction you want to be going?

First of all, happy 1st of February! I can’t believe January flew by just like that. I remember starting off the month feeling a mixture of excitement and nervousness. I started my new IT career at a new workplace, which has been by far amazing and exceeds my expectations. There are moments where I felt a little bit of impostor syndrome but that gets trumped when I realize that I’m in a positive environment surrounded with people who genuinely care for your well-being, growth, and development. I get to say that I am a part of a growing and collaborative team that teaches and supports users on how to effectively use technology to help streamline their workflow. You know you’re making it when work doesn’t feel like work and that everyday is an opportunity to learn new things.

Enough about me and more about you! As we start a new month, new goals, and new aspirations, take a break to sit down and look back on how your January went. Here are some questions that may help you reflect on the past and upcoming month:

• What are you grateful for?

• Who are you thankful for?

• What are some of the exciting/memorable moments that happened?

• What are some challenging moments you encountered and how did you grow from that experience?

• What was one thing you learned last month that you will continue to implement?

• What is one thing you’ve decided to leave behind?

• What adjustments do you need to make that will help you reach your goals?

• How did I feel this month and how do I want to feel for next month?

• What can you do better?

On behalf of Cybersecurity Central, we hope you have a wonderful month of February! Let us know how we can support you in your personal development and career growth in the IT/Cybersecurity sector by connecting with us through the Cybersecurity Central LinkedIn Page: https://www.linkedin.com/company/cybersecuritycentralorg

Last week, we looked into the key differences between symmetric and asymmetric key encryption algorithms. The differences were found within the speed of how they process and secure data, the level of security it provides, the number of keys used to encrypt and decrypt, the length and sizes between the cipher text and plain text, and what they are used for.

This week, we’ll dive deeper into symmetric key encryption and its different types. Symmetric encryption is used to keep data being communicated secure in which only users with authorization can access it. This type of encryption uses the same key to encrypt and decrypt information. Although this keeps things cost-effective and easy to use, it is less secure. This is best used for handling and transferring large amounts of data. There are several types of symmetric key encryption, which are 3DES, DES, AES, RC4, Twofish, and Blowfish. Let’s look at the key points in each one.

3DES (Triple Data Encryption Standard):

• Encrypts data three times compared to DES

• Has a fixed-length of 192 bits, using three segments of 64-bit keys

• Is a block cipher

• Uses a private key

DES (Data Encryption Standard):

• Created by an IBM team in the early 1970s

• Encrypts using a 56-bit sized key

• Block cipher

• Considered no longer safe to use

AES (Advanced Encryption Standard):

• Created to replace the DES

• Block cipher

• Originally named Rijndael

• Uses three different keys to encrypt/decrypt 128-bit data: AES-128 (10 rounds), AES-192 (12 rounds), AES-256 (14 rounds)

• Method used to protect government and sensitive information

• Available for free for public or private use

RC4 (Rivest Cipher 4):

• Created by Ron Rivest in 1987

• Considered a variable key-size stream cipher

• Uses 64 or 128-bit key sizes

• Simple and fast to use

• Mainly used in applications like SSL (secure socket layer) and TLS (transport layer security)

Twofish:

• Successor of Blowfish

• Block cipher

• A type of 128-bit encryption with a variable-key length that can go up to 256 bits

• Considered highly secure

Blowfish:

• Designed by Bruce Schneier in 1993 as an alternative to DES

• Considered a 64-bit block cipher

• Uses a variable-length key encryption, encrypting between 32-448 bits in segments

• Uses 16 rounds to encrypt information

• Since it’s not patented, this method is available and free to the public

References

• What Is Encryption? Explanation and Types. (n.d.). Cisco. What Is Encryption? Explanation and Types

• Geeksforgeeks. (2020, January 29). Difference Between Symmetric and Asymmetric Key Encryption. GeeksforGeeks. Difference Between Symmetric and Asymmetric Key Encryption - GeeksforGeeks

• What is RC4 Encryption? (2020, July 14). GeeksforGeeks. What is RC4 Encryption? - GeeksforGeeks

• Indeed. (N.d.). Types of Encryption. Indeed. Types of Encryption: 5 Common Encryption Algorithms

• Simplilearn. (2020, June 17). What is DES? The Data Encryption Standard Explained. Simplilearn..What Is DES (Data Encryption Standard)? DES Algorithm and Operation [Updated]

With only two weeks left until my CompTIA CySA+ exam, I am moving right along. This week I will be discussing the Phases of Incident Response, which is Chapter 11 of the CompTIA CySA+ Exam Study Guide CSO-002.

Before I get into the phases of incident response, we must define a couple terms and determine what constitutes a security incident. Those terms are security event, an adverse security event, and a security incident:

1. Security event – Literally anything that typically occurs on a network. These are things such as accessing a file, changing permissions on a folder, or a port scan by a threat actor.

2. Adverse security event – These are things that have a negative impact on a network. Think of this in terms of an actions that affects the CIA triad. Examples are the introduction of malware, a server crashing, or even a person accessing a file they do not have permission to access.

3. Security incident – this is either a direct violation or a threat of violation of policies, or standards. Some examples of an incident include a DoS/DDoS of a website, a threat actor installing a keylogger to capture login credentials, or the accidental loss of sensitive information.

Now that is out of the way, we can move onto the phases of incident response. There are four phases to incident response. Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity. All of these will be discussed in detail below:

1. Preparation – This is the time when an incident response team is established, policies and procedures are created, required equipment is purchased, and applicable training is conducted. Other actions to reduce the attack surface of an organization are also conducted.

2. Detection and Analysis – As the name suggests, this is where incidents are detected and analyzed. There are basically four ways that incidents are detected.

• a. Alerts – These come from things like IDS / IPS, SIEMS, antivirus software, file checking software or other monitoring services.

• b. Logs – Logs can come from anywhere to include the operating system, network devices, various services, applications, and even network flows.

• c. Publicly Available Information – These are notifications resulting from vulnerabilities / exploits published by other organizations.

• d. People – This is employees noticing and reporting abnormalities that may indicate an incident has occurred or is occurring.

3. Containment, Eradication, and Recovery – After it has been determined an incident has occurred or is occurring, this is where we first limit the damage being caused by limiting the malware’s access to the rest of the network. Once this is accomplished, we move on to removing the malware from the infected systems. After the infected systems have been cleaned up, we can move on to recovery. This is where we get everything back to normal operations.

4. Post Incident Activities – Once everything is back to normal, the incident response is not completely over. There is one final step that is important to accomplish. That step is a lesson learned review. In the military this is called a “Hot Wash”. Basically, what this is, is a formal review where everyone involved get together and go back over the incident noting what went well and what needs to be improved. 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

For week 7 of my journey to become CompTIA CySA+ certified I will be looking at software testing. When software is developed, no matter what it is, should be done with security in mind.

One way to ensure that software is secure is through testing. This testing is broken down into two types: 1) static code analysis and 2) dynamic code analysis. Both will be discussed below.

Static code analysis – This is also known as source code analysis. The premises behind this is looking at the source code. So, as you all can guess by the name, with this type of analysis the code is not run. It is simply reviewed either manually or using automated tools. The purpose of it is to understand the logic behind how it is written.

Dynamic code analysis – In this type of analysis, the code is run to see how it responds to various input. It can also be completed either manually or through automated tools. There are six types of testing that can be used in this type of analysis.

1. Fuzzing – Also known as Fuzz testing. This type of dynamic code analysis uses invalid or random data entered by the user to see how an application responds. What analysts are looking for are if the application crashes, fails, or responds incorrectly. This is most useful for finding simple problems.

2. Fault Injection – While this type of analysis sounds like Fuzzing, there is a difference. That difference is that random data is entered into the error handling paths to see how the application responds. Due to the propensity of human error, this test is best completed by using automated tools.

3. Mutation Testing – This type of analysis is like Fuzzing and Fault Injection. The only difference here is that the program itself is modified slightly. These modified versions are then tested and if they fail, they are discarded. This information is just what is in the CompTIA CySA+ study guide. I do not completely understand the whole point behind it.

4. Stress / Load Testing – In this type of analysis, an application is subject to actual use. The purpose is to basically see the maximum number of users the application can handle before issues arise. Fault Injection testing can also be implemented during this type of test again to see how the application reacts.

5. Security Regression Testing – This type of test is completed when changes are made to an application, more specifically when a patch is applied. This test ensures that there are no new issues, such as vulnerabilities, misconfigurations, etc. This testing is conducted by using standard automated tools.

6. User Acceptance Testing – While all the other five tests are important, this one is probably the most important. I say that because this test allows the user to validate that the application meets or exceeds their usability expectations. If an application fails this test, then the other five do not matter because the application will most likely be scrapped or sent back to be redone. That means all six tests would have to be redone as the application would have changed. 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

I remember studying for CompTIA Security+ certification a couple of months ago and the topic I had trouble grasping was the difference between symmetric and asymmetric encryption.

First, let’s look at encryption. Encryption is the process of scrambling readable text (plaintext) into a code (ciphertext) to prevent unauthorized parties from accessing it. The only way it can be converted back to plaintext is if the authorized party possesses the decryption key. This is a method of securing sensitive information that gets passed online.

The two main types of encryption are symmetric and asymmetric. The main difference would be the use of keys, which are used to decrypt/unscramble a secret code.

Symmetric key encryption uses one key to encrypt and decrypt a message or data. Although it is at its convenience to have one key making the encryption process fast, it is less secure. It would require the receiving party to share the same key as the sender, which puts data being sent over the network at risk of being uncovered.

Asymmetric key encryption requires two keys, a public key and a private key to encrypt and decrypt a message or data. Compared to symmetric key encryption, it is considered much more secure but a much slower process. The downside to this is that if the private key gets lost, there’s no other way to decrypt the data. Geeks for Geeks created a table of comparison that best describes the differences between the two:

Symmetric Key Encryption

• It only requires a single key for both encryption and decryption.

• The size of the cipher text is the same or smaller than the original plain text.

• The encryption process is very fast.

• It is used when a large amount of data is required to transfer.

• It only provides confidentiality.

• The length of the key used is 128 or 256 bits

• In symmetric key encryption, resource utilization is low compared to asymmetric key encryption.

• It is efficient as it is used for handling large amounts of data.

• Security is less as only one key is used for encryption and decryption.

• Examples: 3DES, AES, DES and RC4

• The Mathematical Representation is as follows:

P = D (K, E(P))

where K –> encryption and decryption key

P –> plain text

D –> Decryption

E(P) –> Encryption of plain text

Asymmetric Key Encryption

• It requires two keys, a public key and a private key, one to encrypt and the other one to decrypt.

• The size of cipher text is the same or larger than the original plain text.

• The encryption process is slow.

• It is used to transfer small amounts of data.

• It provides confidentiality, authenticity, and non-repudiation.

• The length of the key used is 2048 or higher.

• In asymmetric key encryption, resource utilization is high.

• It is comparatively less efficient as it can handle a small amount of data.

• It is more secure as two keys are used here- one for encryption and the other for decryption.

• Examples: Diffie-Hellman, ECC, El Gamal, DSA and RSA

• The Mathematical Representation is as follows:

P = D(Kd, E (Ke,P))

where Ke –> encryption key

Kd –> decryption key

D –> Decryption

E(Ke, P) –> Encryption of plain text using encryption key Ke . P –> plain text

References:

• Geeksforgeeks. (2020, January 29). Difference Between Symmetric and Asymmetric Key Encryption. GeeksforGeeks. Difference Between Symmetric and Asymmetric Key Encryption - GeeksforGeeks

• Okeke, F. (2022, August 9). Asymmetric vs symmetric encryption: What’s the difference? TechRepublic. Asymmetric vs symmetric encryption: What’s the difference?

Week 6 of my journey to become CompTIA CySA+ certified. For this post I will be covering the various authentication protocols. Authentication is the first part of the AAA, which stands for Authentication, Authorization, and Accounting (AAA). When accessing a network, we must give the network credentials that it can use to prove that we are legitimate users of that system. These credentials are our identity to the network. This is what the network uses to prove or authenticate that we are legitimate users.

Now, there are various protocols that can be used in the authentication process. I will cover the three that are in the CompTIA CySA+ Exam Study Guide CSO-002. They include TACACS+, RADIUS, and Kerberos.

TACACS+ - The Terminal Access Controller Access Control System + (TACACS+) is an expanded service of the original TACACS. One thing to keep in mind about this protocol is that there are a couple of issues with it:

1. The traffic is sends is not checked for integrity. That means that a threat actor can make changes to the traffic sent or they can utilize a replay attack.

2. TACACS+ also utilizes an insecure encryption algorithm. This means that the threat actor can discover the encryption key.

So, what is the compensating control that can be used when changing protocols is not possible? The best practice is to place devices using TACACS+ on its own administrative network that is isolated from everything else.

RADIUS – Remote Authentication Dial-in User Service (RADIUS) the most widely used AAA service. This service is used in client-server networks and runs both TCP and UDP. Passwords are hashed using MD5 while in transit from client to server. So, it is more secure than TACACS+ but there is room for improvement.

Kerberos – This protocol is designed specifically for untrusted networks. All traffic is encrypted. There are three aspects associated with Kerberos:

1. Principles, which are users.

2. Instance, used to differentiate similar primaries.

3. Realms, which are groups of principles. These are based on trust boundaries.

Something to keep in mind is that Windows Active Directory utilizes Kerberos for authentication.

Until next week!

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

Week five of my 10-week journey to becoming CompTIA CySA+ certified, I am halfway through. This week is all about Security Controls. What are security controls? Security controls are implemented to “prevent, detect, counteract, or limit the impact of security risks” (Chapple & Seidl, 2020). These controls are divided into two groups: 1) How they are applied and 2) what the control is designed to accomplish.

Let us look at each group starting with controls based on how they are applied. Now, depending on you we talk to, there are three maybe four controls that fit in here. They include:

• Technical controls – these are things like “firewalls, IDS / IPS, network segmentation, authentication / authorization systems”, etc (Chapple & Seidl, 2020).

• Administrative controls – These are nothing more than policies and procedures.

• Physical controls – Think items used in physical security of property

• Legal controls – Possible fourth control. As the name suggests, these are controls that are required to be implemented by law. Could also be lumped in with administrative controls.

Now, we can move on to the controls based on what they are designed to accomplish. There are three in this group:

• Preventive controls – As you can guess by the name, these controls are designed to prevent an incident. We are talking about things like “firewalls, awareness training, security guards” (Chapple & Seidl, 2020).

• Detective controls – These are designed to discover an incident and report

• Corrective controls – These controls are designed to either clean the network and or reduce the impact of the incident. These include things like applying software updates / patches, using antivirus / antimalware, and utilizing backups.

Finally, there is one more type of control that does not fit into either group. The reason for that is this control is designed to be an alternative when one of the others cannot be used for whatever reason. The name of this control is called a compensating control.

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

Upon using TryHackMe as a learning platform, I remember learning about steganography for one of the lessons I started with and have not forgotten about it since. So what is steganography?

According to the Merriam-Webster dictionary, Steganography is the “art or practice of concealing a message, image, or file within another message, image or file” that is not so secret. The Greek word, “steganos” or “stegos” means “covered”, while the word “graph” means “to write.” This could look like a secret message or plain text embedded into a picture. To hide a sensitive message within a seemingly “ordinary” file is to avoid detection or suspicion. To elaborate, let’s look at the 5 different types of steganography.

Text Steganography

This method involves storing secret information and encoding it within a text document. Other techniques are called line-shift coding, word-shift coding, feature coding, and syntactic method. Check out Tutorials Point to learn more about these techniques: What are the Techniques of Text Steganography in Information Security?

Audio Steganography

This method is done to conceal messages within audio clips for the purpose of hiding data or by watermarking — to protect the audio from any unauthorized reproduction.

Image Steganography

This method is used to embed data within an image. This can involve altering the intensity values of the image pixels. Other forms of image steganography are as follows:

• Stego-image: an image obtained after steganography, which contains hidden data

• Stego-key: uses a key to embed hidden messages within a cover-image or stego-image

• Cover-image: uses a picture to hide data

• Message: actual data embedded within pictures, which can either be in text or image form

Video Steganography

This method involves concealing data by embedding it within a video file, which acts as the “carrier”. Discrete Cosine Transform (DCT) is often used as the method. This is done by inserting values in each image within the video file to conceal data.

Network/Protocol Steganography

This method uses network protocols such as TCP, UDP, and more to hide data. Covert channels may be utilized. These are channels that are not used to transfer but rather store information.

The main purpose of steganography is to provide some sort of hidden communication within those who may know how to uncover it. This can be used as an avenue to protect sensitive data from potential malicious attacks. With the constant development of technology, steganography can also be used as a method to deliver attacks. One way is using Powershell or BASH scripting to automate an attack, which can look like embedding and activating scripts within a Word or Excel file once it is opened with the purpose of corruption. It all depends on the motive.

References:

• Merriam-webster.com. (2018). Definition of STEGANOGRAPHY. [online] Available at: Definition of STEGANOGRAPHY.

• Simplilearn (2021). What is Steganography? Types, Techniques, Examples & Applications | Simplilearn. [online] Simplilearn.com. Available at: What is Steganography? A Complete Guide with Types & Examples.

• Stanger, J. (2020). The Ancient Practice of Steganography: What Is It, How Is It Used and Why Do Cybersecurity Pros Need to Understand It. [online] CompTIA. Available at: The Ancient Practice of Steganography: What is it, How is it Used and Why Do Cybersecurity Pros Need to Understand it?.

• www.tutorialspoint.com. (n.d.). What are the techniques of Text Steganography in Information Security? [online] Available at: What are the techniques of Text Steganography in Information Security? [Accessed 28 Dec. 2022].

• GeeksforGeeks. (2019). Image Steganography in Cryptography - GeeksforGeeks. [online] Available at: Image Steganography in Cryptography - GeeksforGeeks.

I have heard this question repeated multiple times (or a similar question just like this), “How can you protect something if you don’t know how it works?”

In a way, this holds true. How do you know what systems to protect? What parts of the networks or systems are vulnerable or at risk if something were to happen?

As someone in pursuit of a career in cybersecurity, I first made the goal to start in an IT role before I continue down the path. As a hands-on learner, I want to learn and understand the ins and outs, the network infrastructures, the vendors used, hardware, software, the issues that end-users may encounter on a daily basis, literally everything within a company. Surely, there are ways to transition into cybersecurity from a completely different industry or right out of graduation and there are wonderful and reputable industry professionals on LinkedIn who speak on this.

However, if you’re someone like me looking to start in IT or review the fundamentals, here are some great free resources I highly recommend:

KevTech IT Support: Kevtech IT Support

Kevin from KevTech IT Support shares valuable information that will help those transitioning into IT prepare for their first job. He shares about how to build your resume, IT FAQs, common IT interview questions, how to build up your own virtual home lab, and many more. He also has a community on Discord.

East Charmer: East Charmer

If you want to know what a day in the life looks like as an IT professional, Marie from East Charmer creates videos to show you on-the-job responsibilities. Not only that, she also creates videos to help those seeking an IT support role and also show a glimpse of what it’s like to work in the office vs working from home, what challenges and difficulties are faced within the role, and best IT practices.

RunCMD (formerly: IT Career Questions): RUN CMD

Zach from RunCMD gives you all the insights into IT, such as knowing which certifications and roadmap to take, which trending skills and topics to dive into, home labs you can start building, and basically everything you need to know to get into IT.

Cobuman: Cobuman

If you want to get super technical, Cobuman is your go-to. Ranging from teaching you how to prepare for your next IT interview or certification to providing tips on help desk issues you may encounter on the job, Cobuman is ready to help you get a head start into your IT career.

NetworkChuck: NetworkChuck

If you want to learn scripting, hacking, and everything tech related, check out Chuck from NetworkChuck on YouTube. He provides fun and informational videos on a lot of different topics like Linux, CCNA, Dockers, Raspberry Pi, Cloud, certifications, and more.

CBT Nuggets: CBT Nuggets

CBT Nuggets is a free IT on-demand training platform. They include courses from industry experts to help you study for your next IT certification or gain real-world IT skills.

Have I missed anything else that should be on this list?

Follow us on Cybersecurity Central on LinkedIn and let us know what else we can add!

For week two of this 10-week excursion into CompTIA CySA+ I will be discussing the various attack frameworks.  These frameworks are utilized by organizations attempting to predict how an adversary will probably attack their organization.  This allows them to create defenses that are more likely to be effective in the event of an attack. 

According to the CompTIA CySA+ Study Guide, there are four attack frameworks that we should be familiar with.  They are 1) MITRE ATT&CK Framework, 2) The Diamond Model of Intrusion Analysis, 3) Lockheed Martin’s Cyber Kill Chain, and 4) The Unified Kill Chain.  I will go into further detail about each framework in the following paragraphs.

The first framework we will look at is the MITRE ATT&CK Framework.  The MITRE corporation created the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework as a way for organizations to have access to common descriptions, tactics, techniques, and procedures of known adversaries.  The good thing about this framework is that there is no cost to access it.  To access it, just go to https://attack.mitre.org.  On the first page is the ATT&CK matrix.  There is a plethora of information regarding adversary TTPs available.

The second framework is the Diamond Model of Intrusion Analysis.  The key thing to remember about this is that it is relationship based.  All the vertical lines of the model are called events.  So, the way this works is that analysts try to find as much information as they can by tracing the relationships between the events.

I am currently studying for the CompTIA CySA+ exam, which stands for the CompTIA Cybersecurity Analyst.  Over the next 10 weeks, I will be picking topics from the CompTIA CySA+ Study Guide.  This first blog in the series will cover risk.

The concept of risk is a major player in the world of cybersecurity.  As professionals we constantly talk about our organizations risk acceptance aka risk appetite, but how do we define what a risk is.  To define a risk, we need to discuss two other concepts.  The first concept is vulnerability, which is nothing more than a weakness.  The second concept is a threat, which is any outside force that can exploit a vulnerability.

Now, there are a couple of ways to look at risk.  1) We can look at it as a mathematical equation which looks like “Risk = Threat X Vulnerability”.  Keep in mind that with this type of representation, there no numerical values to be entered.  It is merely a statement that to have a risk, an organization must have both a vulnerability and a threat that can exploit it.  2) Look at it through the lens of a Venn Diagram, below:

The past few months have been so focused on studying on Security+ that it’s been awhile since I reviewed the fundamentals of networking. This month, I have decided to study and relearn some of the IT networking concepts in order to fully understand what those entering the IT field (or already in the field) will be protecting in the future. I haven’t decided if I want to pursue taking a certification exam and which certification exam to take but I do have the study materials to continue my independent learning. The 2 Network certificates that are highly sought out (industry standard) are CompTIA Network+ and the Cisco Certified Network Associate (CCNA), which will be the focus for today’s blog.

If you are someone who may be thinking about getting a Network certificate (or just studying for it) and can’t decide which one to take, to get you started, I’ll be sharing a few of the main differences and resources that may help you determine which certificate is right for you and meets your needs.

CompTIA Network+:

• Vendor-neutral approach (knowledge covers a wide range of systems or tools)

• Prepares for specific job roles within IT (i.e. Sys Admin, Network Engineer, etc.)

• Great certificate to start with for those new to IT

• Teaches business skills that are highly sought out

• Focuses on knowledge-based

• Exam allows approximately 90 minutes to complete

CCNA:

• Concentrates on technical skills

• Product-specific: provides an in-depth knowledge of networking skills on Cisco systems

• Focuses on hands-on/practical exercises

• Great certificate for those looking into a career in Networking

• Exclusive to Cisco products and tools

• Exam allows approximately 120 minutes to complete

Resources:

• Best Beginner Networking Certification 2022 (RUN CMD): https://youtu.be/35EC8KxYb4I

• Network+ vs. CCNA (Data Knox): https://youtu.be/Wb1A6LkYy1g

• CompTIA Network+ vs. CCNA: Why IT Pros Should Earn CompTIA Network+ First. (n.d.). Default. Retrieved December 5, 2022, from https://www.comptia.org/blog/comptia-network-vs.-ccna

• Greaves, R. (2020, July 17). CCNA vs Network+: Main Differences and Which to Choose. IT Career Central.
  https://itcareercentral.com/ccna-vs-network/#Main_Differences_Between_CCNA_vs_Network

This blog post will be a bit different than usual.

As you read this, December is literally a day away.

It’s easy to get into the loop of thinking that we haven’t done everything we wanted to do on our list for this year or maybe, we didn’t even have an exact plan to begin with and feel a bit all over the place. That is okay. Things happen and sometimes, the pivots we made may have been necessary.

This year, I took a step forward to dive into the world of cybersecurity. I can tell you for a fact that I had no exact direction to begin with but went in anyway. I took my time researching most of the resources I found and fixed up my LinkedIn profile, which led me to connect with many wonderful cybersecurity communities online.

As long as you take action one step at a time, one thing leads to another and before you know it, you’ve done more than many others who are stuck overthinking which moves to make. If you need somewhere to start, I recommend checking out our Resources page here in Cybersecurity Central.

I invite you to reflect with me and look back on our own journey this year. This way, we can get a sense of where we are, how we got here, and what we are looking forward to in 2023.

Feel free to take some notes and answer the following reflection questions:

• What/Who am I grateful for this year?

• What are some challenges I faced and overcame?

• What are some big and small wins I have accomplished this year?

• How have I grown this year (physically, mentally, spiritually, and emotionally)?

• How have I contributed positively to my communities/workplace/family/friends…?

For more thought-provoking questions, check out this article by Indeed: 

100 Student Reflection Questions You Can Ask Yourself

I hope these questions help you discover new and amazing things about yourself!

In my last blog, I discussed the reasons why organizations should not pay adversaries when they are the victim of a ransomware attack. In this blog, I will discuss things organizations can do to facilitate recovery from an attack.

There are numerous things an organization can do to avoid paying a ransom in the event of an attack. The thing is that these need to be completed before an attack. That means organizations need to change their mindset of “we will not be attacked” to “we will be attacked at some point”. Only then will the following be effective.

One thing that is an absolute must are backups of your data. Now, in the case of backups, there is a generally accepted rule that should be followed. It is called the 3-2-1 backup rule. It breaks down like this. 3 total copies of the data (1 original, 2 copies). Now, the 2 copies need to be saved on two different types of media. The media could be anything if they are different types. Finally, 1 of the copies needs to be stored off site. Cloud storage covers the last two (Elliot, n.d.).

Something else that is a necessity is an Incident Response Plan. A word of advice regarding this, make sure to print out a copy so it can be used in case of an attack. It is useless if it is saved on either a workstation or server that is locked with ransomware. Luckily, our friends at NIST have a special publication that spells most of the elements out. NIST SP 800-61r2 states 8 elements that should be in any Incident Response Plan. Those elements are:

1. Statement of management commitment

2. Purpose of the policy

3. Scope of the policy

4. List of definitions

5. Organizational structure

6. Prioritization or severity ratings of incidents

7. Performance measures

8. Reporting and contact forms (Computer Security Incident Handling Guide, 2012)

These next few steps are designed to make the organization a hard target. In case some of you are wondering what a hard target is, it is a term the military uses to describe an entity that has a low susceptibility to an attack. The reason I say low susceptibility is that there is no way to get the susceptibility level to zero. If an adversary wants to get onto a network, they will. So, the goal is to make it as difficult as possible, make them waste so much time that simply give up and try to attack another organization. This is accomplished by:

1. Consistent user training

2. Keeping Operating Systems, software and applications up to date

3. Using anti-virus and anti-malware software (Ransomware, n.d.)

The good thing about taking the above steps is that they help protect against more than just ransomware.

The one thing that I want everyone to take away from this is that we need to ensure our organizations are prepared. I say that because it is 2022 almost 2023 and from what I can tell is that every organization is fair game to ransomware. It is not longer a matter of if an organization is going to become a victim, but rather when will it become a victim. So, by having an Incident Response Plan and testing it, training our users, updating software, and using anti-virus / anti-malware software, our organizations will hopefully not have to struggle with the decision whether to pay a ransom and face a fine from the government because the ransomware group is on the sanctions list or have their data released on the dark web.

References

• Computer Security Incident Handling Guide. (2012). Retrieved from NIST

• Elliot, J. (n.d.). What is the 3-2-1 Backup Rule?. Retrieved from US Chamber

• Ransomware. (n.d.). Retrieved from FBI

It's that time of the year again!  The holidays are approaching.  This week of Thanksgiving, we give thanks  for the people and things that make us feel grateful. 

I felt this was the perfect time to let the entire tech and infosec community know what an important role they have played in not only my life, but also in the lives of many others I have met and grown to know over the past couple of years transitioning into the industry. 

You may hear it all the time, but the community is where it's at.  There are so many communities available within tech and infosec, and that's important.  Each of us come from different backgrounds and experiences and these communities offer us a place to meet, connect, engage, help, support, and learn from each other. 

The important part is to find one, or several, that you feel comfortable in and start showing up.  The more you get intertwined in the community, the more support you will find.  Whether you are employed already, or seeking a new role, being involved in a supportive community is the key to success. Without the connections and relationships you will make, it is a lot harder to network and find a new role. 

Why? The majority of roles are in the "hidden" job market, meaning, they will never be posted.  Those hiring go to the people they know and trust and ask them for recommendations for upcoming (unposted) roles.  If you are not networking or involved in a community, the hidden job market is nearly impossible to tap into. 

Take myself for an example.  I wasn't even applying for roles yet, but I was so involved in one of my favorite infosec communities, simplycyber.io.  My current boss went to Gerald Auger, PhD, and asked him if he knew anyone to recommend for an upcoming role.  Because I was a regular in the community and my skills aligned with the potential role, I was recommended for the role, interviewed, and was hired. 

It can be scary, intimidating, and feel unknown at first, but stick with it, find a community you enjoy being a part of and engage with others within the community.  All of us have something to offer, even if it's support and an encouraging word.  You don't need to be technical to be a part of these communities. 

I may be a little biased, but Simply Cyber is absolutely hands down my favorite community out there.  Thanks to my friend, Stefan Waldvogel for sharing it with me.  Truly a community anyone new, or already in the industry, will appreciate and benefit from being a part of.  If you are into Discord, check out the Simply Cyber Discord, another great place to meet and connect if you can't make the livestreams, or want to connect anytime with the community. 

Again, I truly want to thank everyone who has been a part of my network, and the overarching community.  This journey would not have been possible without you.  I would love to hear, what are some of your favorite communities? 

Let us know on our LinkedIn page, where you can find our posts for these blogs each week: https://www.linkedin.com/company/cybersecuritycentralorg. 

Happy Thanksgiving! 

We may all remember back in September, the Los Angeles Unified School District becoming a victim of a ransomware attack. A month later, we heard about Medibank, the largest insurance company in Australia, also becoming a victim of a ransomware attack. So, besides both joining the club of ransomware victims, what else do they have in common? Well, both organizations decided not to pay the ransom. In this blog I will discuss some of the reasons why an organization may not want to pay a ransom.

There are three main reasons an organization may not want to pay a ransom:

1) There is no guarantee that the organization will regain access to its information.

2) It almost guarantees that the organization will be attacked again.

3) It may be illegal to pay the ransom.

Let's take a deeper dive into each:

1. There is no guarantee that the organization will regain access to it information. Even though the ransomware group promised to provide a decryption key once a ransom was paid, it is possible that they will simply take the money and run and not provide that key (Fruhlinger, 2020). The main thing to remember is that the organization is dealing with criminals and ethics, or integrity are not necessarily in their vocabulary

2. It almost guarantees that the organization will be attacked again. According to a report that came out earlier this year, 80% of the organizations that were victims of a ransomware attack and paid the ransom were attacked a second time (Townsend, 2022). The reason for this is that by paying the ransom, the organization is telling the group they are willing to pay to get their information back. So, naturally the group is going to see them as an easy way to make money.

3. It may be illegal to pay ransom. I would say that this is the primary reason not to pay a ransom. You see there is an office within the U.S. Treasury Department called the Office of Foreign Asset Control (OFAC). This office is responsible for sanctioning not only the ransomware gangs, but also any other entity that sponsors, or provides any type of support for these activities (Advisory on Potential Sanctions Risks For Facilitating Ransomware Payments, 2020).

So, how did OFAC obtain jurisdiction to provide policy on ransomware? Well, the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) delegates jurisdiction to OFAC. Now as part this jurisdiction, they are responsible for not only creating the lists of entities that U.S. citizens cannot conduct transactions with, but also with enforcing those embargoes.

In next week’s blog I will discuss some of the things that organizations can do to protect themselves from becoming a victim of a ransomware attack.

References

• Advisory on Potential Sanctions Risks For Facilitating Ransomware Payments. (2020, October 1). Retrieved from Treasury Department: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

• Fruhlinger, J. (2020, June 19). Ransomeware Explained: How it Works and How to Remove it. Retrieved from CSO Online: 

• Ransomware explained: How it works and how to remove it

• Townsend, K. (2022, June 08). It Doesn't Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again. Retrieved from Security Week: It Doesn't Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again | SecurityWeek.Com

We’re heading into the most wonderful time of the year. While some of us are getting ready for our upcoming Thanksgiving dinners, others are already preparing Christmas presents. Either everything goes smoothly or it doesn’t.

You may ask, “what do the holidays even have to do with cybersecurity?”

Everything.

Think about it. All the retail shops are busy getting ready to stock up for all the holiday sales. We’re busy thinking about what gifts to buy for each of our family members or panicking about what to cook for our upcoming dinner gatherings. Others are getting ready to fly out for vacation. These are some honourable mentions.

While we’re occupied with a million things to do during this season, adversaries are also doing the same.

Have you heard of the Log4J vulnerability, Log4Shell?

Log4J is a built-in software library within Java that was created by an open-source project maintained by the Apache Software Foundation. It logs activities within a web server by tracking and monitoring system calls. The Log4Shell vulnerability was discovered in December 2021, involving arbitrary code execution (ACE). Depending on the Log4J version being used on the application, Log4Shell enables an attacker to remotely control a device on the Internet. This was being done before IT/Cyber professionals discovered it, hence called a zero-day vulnerability.

How about the Cadbury Easter Egg Scam?

Around April 2022, a message with a phishing link was circulating all over WhatsApp, advertising that consumers would receive a free Easter chocolate basket from Cadbury Clicking on the link would take you to a web page where you can fill in your personal data. Eventually, Cadbury found out and issued a public alert.

If you noticed, both situations occurred near or during a holiday. Attackers very well know that people have a lot on their plates during busier seasons like these. By adding more on top of that, they would hope we’d fall into their traps.

How can we prepare for what’s to come? The best way to prevent this is awareness.

We don’t know what we don’t know. Awareness will help lead us to our solution.

Stay on top of the cyber attacks and learn about what occurs during holidays. Here are some great resources (but not limited to) that you can look into (some of these also include examples from the past):

• 5 Scams to look out for this Holiday season (Forbes): How To Avoid Getting Scammed During The Holidays

• Holiday Cyber crime statistics (Norton): Holiday cybercrime statistics + tips to protect against threats

• Cyber attacks during Holidays (ThriveDX): Cyber Attacks During Holidays: Why the Spike?

Learn about the social engineering tactics and how attackers use this against us:

• Principles of Social Engineering - CompTIA Security+ SY0-501 - 1.2 - Professor Messer IT Certification Training Courses

• Social Engineering (Okta): Social Engineering: How It Works, Examples & Prevention | Okta

Learn how to prevent scams from happening:

• Holiday Scams (FBI): Holiday Scams | Federal Bureau of Investigation

• 7 Holiday Security Tips To Try Before The Year Ends(Security Intelligence): 7 Holiday Cybersecurity Tips to Try Before The Year Ends

• Holiday Cybersecurity Tips | NCDIT

Check out the rest of our Blog By CC page below for more cybersecurity topics!

References:

• What is Log4Shell? The Log4j vulnerability explained (and what to do about it). (2021, December 17). Dynatrace News. 

• What is Log4Shell? The Log4j vulnerability explained (and what to do about it)

• Lekhi, A. (n.d.). Log4J Vulnerability: What, Why and How. Gca.isa.org.
  Log4J Vulnerability: What, Why and How

• Beyond The Security Alert Dance: Learn Some Useful Steps. (n.d.). Default.
  Beyond The Security Alert Dance: Learn Some Useful Steps

• Published, K. C. (2022, April 5). Cadbury issue warning over Easter egg scam on WhatsApp. GoodTo.
  Cadbury issue warning over Easter egg scam on WhatsApp

• [Scam Alert] Free Cadbury Easter Chocolate Basket Scam | Trend Micro News

Leading up to it, I had doubted myself. I didn’t think I was going to pass because my study habits weren’t perfect. But I remembered that I had made a commitment to myself from the beginning of this cybersecurity journey, to pass this exam even if it takes me multiple times to do it.

Last month, I’m happy to share that I finally earned my very first cybersecurity certificate: CompTIA Security+ SY0-601. Passing this exam truly affirmed my decision to begin a career in this field. The learning never stops.

Although everyone has their own way of studying, I want to share with you the resources and tips that have helped me successfully pass this exam. I cannot guarantee that you will pass the exam as what I’m sharing is based on my own experience, however, with the amount of time and work you put in, your success and efforts will show in the results. I hope that what I share helps you in any way.

Resources

The first thing I did was research and find the appropriate study material for Security+ that worked for me. This took some time until I finally decided which courses and practice exams to stick to. There are a lot of free/affordable resources available out there, especially on Youtube and Udemy. It can get overwhelming. Know your learning style and choose accordingly. Check out this page to learn about different learning styles: VAK 

For myself, I learn best by doing all three: learning by seeing/writing, listening, and doing. I made sure to use resources that would aid me in my learning. I chose multiple resources to ensure each topic is fully covered in-depth and explained in different ways to help me understand the concepts. Most of the courses listed include additional hands-on labs that are not a part of the exam but are there to reinforce your learning.

Here are the resources that have helped me:

For visual/auditory learning (learning by seeing/writing and listening):

• Jason Dion’s CompTIA Security+ (SY0-601) Complete Course and Exam: CompTIA Security+ Complete Training Course & Practice Exam

• Darril Gibson’s CompTIA Security+ Get Certified Get Ahead Sy0-601 Study Guide: About Security+ SY0-601 - Get Certified Get Ahead

• Professor Messer’s CompTIA Security+ SY0-601 Training Course: CompTIA Security+ SY0-601 Training Course

For kinesthetic learning (learn by doing):

• Jason Dion’s CompTIA Security+ (SY0-601) Practice Exams & Simulated PBQs: CompTIA Security+ (SY0-601) Practice Exams & Simulated PBQs

• Professor Messer: Professor Messer's CompTIA SY0-601 Security+ Success Bundle - Professor Messer IT Certification Training Courses

• DojoLab - PBQ practice exams: CompTIA Security+ SY0-601 PBQs, Certification Tests & Labs

• CompTIA Security Exam Prep App (iOS)

Here are other highly recommended resources that you may also prefer:

• Ian Neil’s Security+ Study Guide: Home

• Mike Meyers and Dan Lachance’s Total CompTIA Security+ Certification (SY0-601): TOTAL: CompTIA Security+ Certification (SY0-601)

• Mike Chapple’s Security+ resources: Security+ Study Group - CertMike

• Pocket Prep’s Security+ Practice Exam: CompTIA® Security+

• LearnZapp’s CompTIA Security+ SY0-601 Prep (iOS and Android): Learnzapp - CompTIA Security+ SY0-601 Exam Prep Mobile App - Darril Gibson

• CompTIA Official CertMaster: CertMaster Practice for Security+ Exam Prep | CompTIA IT Certifications

Tips

• You can use multiple study materials. It might be better as some instructors provide in-depth information and examples about a topic whereas others briefly go through it. But if one is enough, do what works for you.

• CompTIA Security+ lists out all the objectives and acronyms for the exam. Use this to your advantage. You can find it here: Exam Objectives

• Create a study schedule/timeline. It’s okay to fall off the tracks when it comes to studying. Having a timeline will help you get back on track and stay consistent.

• Check for discount vouchers included in the courses/study material you purchased. Most authorized instructors will include a discount voucher for your exam.

• Schedule your exam ahead of time. This will help you stay accountable in your studies. If you don’t, you might not end up doing it. Depending on the organization, you might be able to reschedule if the original date you set no longer works for you.

• The exam is composed of multiple choice questions (MCQ) and performance-based questions(PBQ) (i.e. matching, fill-in-the-blanks, etc.). Many suggest doing MCQs first and leaving all the PBQs last as they can be time-consuming. More information about the exam will be available on the official CompTIA website.

• You’ll see others recommend taking the exam after 1 month of studying. Some recommend 9 months. Everyone has their own pace. Focus on your path and choose a timeline that works best for you.

• Stay focused and believe in yourself.

• Want to study with us? Subscribe to Cybersecurity Central on Youtube and get notified for our #SecurityFriday videos: Cybersecurity Central

Are you thinking of taking the CompTIA Security+ certification? Let us know how you do on our LinkedIn post: https://www.linkedin.com/company/cybersecuritycentralorg/

Good luck with all your studies!

Check out Resources by CC for even more learning tech and infosec resources!

There is one aspect of cybersecurity that get very little fanfare. That aspect is the insider threat. An insider threat is in my opinion the most dangerous type of cybersecurity attack. I say that because most of the time it involves an employee of an organization which obviously has inside knowledge of the organization and has easier access to the data then an outsider would. Below is a recent case of an insider threat.

This past September, an information security designer by the name of Jareh Sebastian Dalke received a visit from the FBI in Denver Colorado. Mr. Dalke was arrested and charged with three counts of violating the Espionage Act. Apparently, he reached out to someone that he thought worked for a foreign government and told this individual that he had classified documents for sale. The two agreed to an $85,000 price. According to the story, in order to prove that what he had was legit, Mr. Dalke sent the foreign government official, who was actually an FBI agent, snippets of the documents which had the classification markings on them (Kelley, 2022).

This incident which occurred only two months ago is a perfect example of an insider threat, which is the subject of this blog. One disclaimer about this case. Mr. Dalke has only been charged with violating the Espionage Act. He is innocent until he is proven guilty by a jury of his peers (Kelley, 2022). I will discuss what an insider threat is, how to spot one, and what to do if you suspect there is an insider threat in your organization.

Before we can discuss what an insider threat is, we need to define what an insider is. Basically, an insider is anyone whether it is an employee or contractor that an organization trusts to give access to their resources. It can also be a vendor, custodian, or even a repair person. The Cybersecurity and Infrastructure Security Agency (CISA) has an extensive list of who could be considered an insider (Defining Insider Threats, n.d.).

The essence of an insider threat is the potential that an insider, which was described above, will use their access or knowledge of their organization’s resources for nefarious reasons. According to CISA, those reasons include:

• Espionage

• Terrorism

• Unauthorized disclosure of information

• Corruption

• Sabotage

• Workplace violence

• Intentional or unintentional loss or degradation of organizational resources or capabilities (Defining Insider Threats, n.d.).

An insider threat can take one of three forms:

• Unintentional threat

  • Negligence – This type of threat occurs when someone inside the organization that has been trained on the IT or security policies knowingly does not follow them.

  • Accidental – This type of threat occurs when someone inside the organizations knows what the IT and security policies are, but simply makes a mistake and possibly forgets to follow them.

• Intentional threat – This type of threat occurs when someone inside the organization takes actions to intentionally circumvent IT and security policies to cause harm to the organization. These threats are considered malicious in nature.

Other threats:

• Collusive threats – This type of threat occurs when two or more people inside the organization work together to circumvent IT and security policies resulting in harm to the organization.

• Third-Party threats – These threats originate from people that are not part of the organization. They could be contractors, vendors, or even outside visitors (Defining Insider Threats, n.d.).

Let's take a look at what may be indicators of an insider threat. One thing to keep in mind regarding any indicators is that just because an employee of an organization, remember from above that most cases of insider threat are employees, shows any one of these signs does not necessarily mean they are an insider threat. What needs to be noted is when an employee shows multiple signs below. The takeaway? If something does not seem right, say something to your supervisor or manager:

• Poor performance Appraisals – No one likes to get a poor appraisal from their supervisor/manager. While an employee getting a poor appraisal would not be an indicator in and of itself, the thing to watch out for is if they are overly vocal about it. That may mean they are disgruntled and willing do cause harm to the company.

• Voicing Disagreements with Policies – Not everyone is going to like organization policies and that is fine. The thing to watch out for is like the first indicator, employees that overly critical and vocal about their dislike for the policies.

• Disagreements with Coworkers – It is not the disagreement itself that can be an indicator, but rather how the employees handle themselves after the disagreement is over.

• Financial Distress / Family Issues – Employees that are having financial problems or family issues might try to find a way to make a lot of money quick and what better way to that than selling their organizations data.

• Unexplained Financial Gain – The indicator here is an employee that starts living above their annual income.

• Odd Working Hours – This boils down to employees coming to work for no official reason during weekends or the stay late

• Unusual Overseas Travel – This would look like an employee traveling to a country that they normally would not be interested in go to and there is no official reason to go.

• Leaving the company – The employee may be leaving for a benign reason, but it may warrant looking into their activity for the past three or six months as it may be an indicator (The Early Indicators of an Insider Threat, n.d.).

An example of an employee showing multiple indicators is as follows: an employee is overly critical of a poor performance appraisal, which he got because he is distracted due to financial issues resulting in his wife filing for divorce. These things make this employee vulnerable. One day he starts showing up to work in fancy cars and wearing newer clothes he normally does not wear. A week later he puts in for a vacation to a country that he cannot normally afford to go to, nor does he have an official reason to go. So, as we can see one indicator by itself is probably meaningless however, when stacked together, it becomes something that needs to be reported.

References

• Defining Insider Threats. (n.d.). Retrieved from CISA: Defining Insider Threats | CISA

• Kelley, A. (2022, September 29). Former NSA InfoSec Designer Jareh Sebastian Dalke was Arrested by the FBI in Denver, Colorado on Wednesday as Paty of a Sting Operation. Retrieved from Next Gov: NSA Employee Leaked Classified Cyber Intel, Charged with Espionage

• The Early Indicators of an Insider Threat. (n.d.). Retrieved from Digital Guardian: The Early Indicators of an Insider Threat

Black Friday, Cyber Monday, and Boxing Day are coming before we know it. As we head into the holiday shopping season, I want to bring some awareness to credit card fraud.

As reported in the 2020 Federal Trade Commission Report, credit card fraud is ranked as one of the main types of identity theft reported and continues to rise.

Credit card fraud is an act of obtaining another individual’s credit card information without authorization or their knowledge, by placing random, unusual purchases, withdrawing funds, or creating new accounts. The fraudster’s main motive here is financial gain.

Credit card frauds happen more often than we think. To get a grasp of how it’s looking, check out Card Rates.com: 15 Disturbing Credit Card Fraud Statistics

Credit card fraud can occur in multiple ways, not limited to:

• CNP (Card-Not-Present) Fraud: This is when someone uses your credit card without physically having it on them. This is possible if the fraudster knows your full credit card information (account number, expiry date, and card verification code) and can be done over mail or on a network.

• Account Takeover: Similar to CNP fraud, this is when the attacker uses your known information to verify their identity as the actual owner of the account. In this case, they now have access to change their address and can request a replacement card that they can use and abuse.

• Stolen/Lost Credit Card Fraud: If these cards are found by a criminal, they might have troubles making purchases in-person, due to the PIN number requirement. This still gives them an advantage to make purchases online.

• Credit Card Skimming: With the use of a fake machine, your credit card details that are held in the magnetic strip can be stored when it is swiped.

• Mail Non-Receipt Card Fraud: If you're expecting a new or replacement card to get sent to your mailbox, there is a chance that a criminal can get a hold of it. Once they do, they have the power to register the card and abuse it.

Although large-scale companies have a fraud investigations and data loss prevention team that work endlessly in the back end, doing our part as users and credit card owners in combination with the back end teams will help effectively prevent credit card fraud from happening to us.

What can we do right now?

Here are some practical tips we can do to prevent or to stop credit card fraud:

• When you notice suspicious activity on your account, call your credit card company ASAP and have them cancel your account and request a replacement.

• Always check the machine(s) you’re inserting your card into. Do all the other machines around it look the same? Are there any external attachments on it?

• Ensure that the PIN number is not a common PIN that you have used before or with other accounts.

• For online banking, review the password policy and requirements of your bank and ensure you are using proper password hygiene. (To read more about password management, read my blog post here: CYBERSECURITYCENTRAL - Blog by CC)

• Protect your information. Do not share your credit card and relevant documents associated with it to anyone or anywhere, not even to your closest loved one.

• Ensure your credit card is kept at a safe place after each use.

Resources:

• Sandberg, E. (2020, August 24). 15 Disturbing Credit Card Fraud Statistics:

• 15 Disturbing Credit Card Fraud Statistics - CardRates.com

• '··. (n.d.). https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2019/consumer_sentinel_network_data_book_2019.pdf

• Helbock, M. (2019). 11 Common Types Of Credit Card Scams & Fraud | ConsumerProtect.com 

Once upon a time, we lived in a world without caller ID. Every time the phone rang, all we could do was answer it, hoping it wouldn’t be a random stranger trying to impersonate a service provider. It was highly likely that an adversary would pull this scam tactic.

You might ask, what is vishing?

Vishing is a form of phishing — a portmanteau of “voice phishing”. This occurs when an attacker utilizes a phone system to lure their targets into providing their personal information or credentials, mainly for financial gain. As caller IDs became a necessity in the telecom world, it helped filter out which phone numbers should be trusted based on what we know. But even then, attackers still found ways to overcome this challenge, which is why it still happens occasionally. In present time, VoIP (Voice over IP) technology is often used for these attacks because it’s easier for the attacker to pretend that they are from an actual known company, by spoofing their caller ID and setting up fake phone numbers that are difficult to track.

In vishing attacks, the adversary falsifies their identity by pretending to be a person of authority. The common vishing attacks that many hear about relate to tech support scams and automated scare-tactic voice messages. To be effective, most attacks similar to this are combined with other types of attacks such as identity fraud or ransomware attacks.

So, do they still happen?

The answer is yes.

Although phishing scams are more popular, according to Kroll (2022), vishing attacks have been on the rise, especially in 2022, and have been “occurring more than 1-in-4 times out of all types of response-based threats.” The more that technology develops, the more sophisticated and motivated these adversaries are to find ways to create these cyber attacks.

Below are some key patterns we all need to be aware of when encountering potential vishing attacks. For some extra context, here is a list of vishing attack principles compiled by the experts of Kroll (The Rise of Vishing and Smishing Attacks – The Monitor, Issue 21 | Kroll) for reference:

1. Urgency - Creating a sense of urgency creates stress and overwhelms the target so they are likely to give in to what is being requested.

2. Retrieving Sensitive Information - Personal or sensitive information is what an adversary aims for. The motive is to use the requested information for monetary gain. Most organizations do not ask for sensitive information over the phone, especially credit card numbers or social security numbers. If this occurs, this may be an indicator of a vishing attack.

3. Request for Computer Access - This is a common indicator for hoax or fake virus attacks. Organizations do not usually request people for remote access to their device.

4. Legitimate Claims - This is used in order for fake organizations to gain trust with their targets by pretending they are reputable. The next time a hacker asks for any information, the victim is likely to share it.

5. Voice Synthesizing - This is used to conceal an adversary’s identity when speaking to a target. Voice distortion may indicate a scam.

To avoid falling for vishing attacks, it is important to be aware of the characteristics and traits. Knowing how an attack works gives users the advantage to prevent future cyber incidents.

A few key points to remember:

• If the number is unfamiliar, take caution when speaking to the caller

• Take the time to search where the phone number or area code is from

• Avoid sharing personal or sensitive information, such as your account numbers, SIN/SSN, or passwords

• Do not pick up calls from unknown numbers and allow it to go through voicemail

As we are in the last week of Cybersecurity Awareness Month, let’s continue to strive staying safe online. Continue to protect your information and always stay vigilant. As mentioned earlier, the more technology develops, the more threat actors discover ways to trick users.

Remember, cybersecurity criminals never sleep! #Becybersafe all year round and keep an eye out for more related content here at Cybersecurity Central!

This week the topic discussed is SIM swapping. The reason I chose this topic is due to a news story that came out early last week. On 18 October, Verizon revealed that their prepaid service was attacked because of SIM swapping (Gatlan, 2022). A few things discussed today will be: 1) what is SIM swapping?   2) how does a SIM swap work, 3) Indicators of an attack, and 4) how to defend against this attack.

So, let us look at what SIM swapping, also known as SIM hijacking, is. It is pretty much as it sounds, moving the SIM card or E-SIM from one device to another. The key here is that it is the criminal that is doing the swapping, not the victim (SIM Swapping, n.d.). There are two reasons that criminals engage in this type of attack 1) is to take advantage of SMS messaging that some organizations use for their MFA, and 2) take advantage if MFA is not setup to secure an account (What is a SIM Swap, n.d.).

Now, let us move on and look at how this type of attack works. The typical SIM swapping attack starts with the victim giving the criminal their log in credentials through a phishing email (SIM Swapping, n.d.). This gives the criminal access to the victim’s online account. A second part of this attack involves the criminal taking over the victim’s email account that is associated with cell phone account (SIM Swapping, n.d.). The reason for this is that it gives the criminal to intercept any email correspondence from the phone company to the victim. Typical emails include confirmation that there was change to the account or One Time Passcodes (OTP), six digits used for authentication.

Once the criminal has control of the victims email and has the log in credentials for the account, they can conduct the SIM swapping attack. This can be done in a few ways: 1) online using the log in credentials received though the phishing email. 2) In person either by phone or by the criminal going inside the phone company’s physical location (Cryptopedia Staff, 2021). One thing to keep in mind is that no matter how this is done there is going to be social engineering performed.

So, how can a person tell if they are a victim of a SIM swap? As it turns out there are three indicators a person might be a victim of an attack. 1) The victim cannot access their online account. 2) There is no service despite being in an area with good reception. 3) The victim somehow receives a notification about account changes they did not make (Adamu, 2022).

Now that we have looked at what a SIM swap attack is and how to spot one, let us now move onto what can be done to protect ourselves from being a victim. Believe it or not, there is a lot we can do. Below are seven recommendations:

1. Protect both the phone and the SIM card or E-SIM. That means setting up and turning whatever form of protection they have. That could be a PIN, password, or utilizing a pattern to unlock the device. Newer devices can utilize either a fingerprint or facial recognition to unlock. If able, lock the SIM. What that does is forces the user to enter a PIN every time the device is started. If anyone locks their SIM, use one that is different than the PIN used to unlock the device and do not use something that is easily figured out or guessed (birthdays of yourself or a family member) (Adamu, 2022).

2. Lock the phone number with the service provider. The reason that this is recommended is because it prevents changes to the account, in this case moving the SIM from one device to another unless a customer provides an authentication PIN or by going to the store and authenticating that way (Adamu, 2022).

3. Utilize strong/complex passwords and security questions. That means if the password used to access the online account does not have at least 12 characters consisting of lowercase letters, uppercase letters, numbers, and special characters. The same is also true for any other accounts keeping in mind not to reuse passwords. This would be a good time to invest in a password manager because it is impossible to remember multiple passwords that are 12 characters in length (Adamu, 2022).

4. Set up Two-Factor Authentication (2FA). Best thing to do is to use an authentication app such as Google, Microsoft, or Authy. Do not use SMS-based or email-based authentication if possible (Adamu, 2022).

5. Utilize biometric authentication on the device. Using this type of authentication is dependent on the device as newer models support it while older models do not. If that functionality is available it is recommended as a criminal would not be able to bypass that barrier (Adamu, 2022).

6. Keep personal information shared online to a bare minimum. Any information that is posted online can be used by a criminal to impersonate their victim. I know that is easier said than done. I say that because our society is addicted to posting every part of our lives to social media. I understand why, it is a way to keep friends and family that are geographically separated up to date with what is going on and that is fine. The problem is posting too much information that criminals can use. I am talking about things like the name of a pet, best friends name, favorite food, etc. (Adamu, 2022). Do those examples look familiar? Well, they should since they are typical security questions that we are all asked to provide answers for to authenticate ourselves when we have forgotten our password to an online account.

7. Know how to spot phishing emails, texts, and phone calls. One resource I recommend checking out is to look some of our other blogs, specifically look at the Aug 24th blog as well as the blogs on October 12th and 19th. Miss Eula Chua discusses what phishing is and what to look for in emails and texts.

References

• Adamu, H. (2022, march 13). How to Protect Yourself From a SIM-Swap Attack. Retrieved from Android Police: How to protect yourself from a SIM-swap attack

• Cryptopedia Staff. (2021, October 6). What is a Cell Phone SIM Swap Attack. Retrieved from Gemni: Sim Swap Attacks: What Are They? | Gemini

• Gatlan, S. (2022, October 18). Verizon Notifies Prepaid Customers Their Accounts Were Breached. Retrieved from Bleeping Computer: Verizon notifies prepaid customers their accounts were breached

• SIM Swapping. (n.d.). Retrieved from Verizon: What is a SIM Swapping Scam? Protect Your Device Against SIM Hackers

• What is a SIM Swap. (n.d.). Retrieved from Yubico: What is a Sim Swap?

Over the past couple of weeks a few news stories I have seen and a few podcasts I listen to have recently started to talk about a group that I have not heard about in a long time. That group is called the Five Eyes. I remember the first time I heard of them a couple of years ago. So, for those people that are not familiar with them, this blog is specifically designed for you as I will talk about who they are, what their purpose, and other interesting tidbits of information that may be relevant. Plus, how does this relate to privacy.

So, what exactly is Five Eyes? Five eyes is an alliance between the United States, the United Kingdom, Australia, Canada, and New Zealand. This alliance was formed in 1946 with the purpose of making it easy for the countries in the alliance to share surveillance and intelligence information with each other (Five Eyes, n.d.). Now, the types of intelligence that this alliance focuses on is human intelligence, signal intelligence, geo intelligence, and finally defense intelligence (Taylor, 2022).

Would it surprise anyone that in addition to the Five Eyes Alliance, there is also a Nine Eyes Alliance. This alliance is made up of the Five Eyes countries, plus the following: Denmark, France, Netherlands, and Norway. The goal of this alliance is the same as the Five Eyes Alliance. Now, I would imagine some people are thinking Nine countries that share intelligence information, that is not too bad. Just wait a minute, I have one more alliance to go over. The final alliance is called 14 Eyes. They are made up of the Nine Eyes countries plus Germany, Belgium, Italy, Sweden, and Spain (Taylor, 2022).

So, what do these alliances have to do with our privacy? Well, remember what the goal of these alliances (more specifically the Five Eyes Alliance) is to share surveillance and intelligence information. What everyone needs to pay attention to is the surveillance portion of that goal. The reason I say specifically the Five Eyes Alliance is because the United Kingdom and the United States are considered the biggest violators in terms of privacy.

For example, the United Kingdom passed a law in 2016 that basically tells both Internet Service Providers and phone companies to record things like browsing history, connection times and text messages for a period of two years. Also, that information must be made available to authorities whenever they ask for it. A warrant is not required (Taylor, 2022).

The reason the United States made the list of the biggest privacy violators is because not only are they conducting mass surveillance similar to the United Kingdom under a program called PRISM, but in 2017 Internet Service Provides became authorized to not only collect users information, but they can also sell it to other organizations (Taylor, 2022) .

So, lets pivot and discuss what we as individuals can do to protect our privacy. First, we can get away from email providers like Yahoo and Gmail. The reason is that Yahoo has been caught scanning users emails on behalf of the US Government. The reason for getting rid of Gmail is because they have been caught letting users emails be accessed by third parties. Now, I would bet some people are asking what email providers we are supposed to use that are more secure. You’re in luck as I have you covered with nine options

1. Mailfence – They are out of Belgium

2. Tutanota – They are out of Germany

3. ProtonMail – They are out of Switzerland

4. Mailbox.org – Also out of Germany

5. Posteo – Also out of Germany

6. Runbox – they are out of Norway

7. Countermail – They are out of Sweden

8. KolabNow – Also out of Switzerland

9. Startmail – They are out of The Netherlands

I know what you are thinking reading this list and you are correct in that some of them are in one of the other alliances. Keep in mind that we are focusing on avoiding the Five Eyes Alliance specifically. That is not to say that the other alliances do not violate privacy, I would imagine they do, but to a lesser extent (Taylor, 2022).

Another option that is available we can all use to protect our privacy is to use a Virtual Private Network (VPN). For those that do not know what a VPN does, it encrypts between a user’s device and the VPN server. This makes it impossible for an ISP to not only read the traffic being sent, but also to determine a user’s IP address and location. One thing to look for when choosing a VPN is to ensure that the company does not keep logs. The reason for that is if there are logs, then authorities in the countries that VPN is in can request access to them, which defeats the whole aspect of using a VPN to ensure privacy.

The digital privacy advocacy group Restore Privacy has a list of nine VPN providers they recommend however of those nine only three have been certified as not collecting logs. The nine that are recommended include:

1. NordVPN – located in Panama

2. SurfShark – located in The Netherlands

3. ExpressVPN – located in the British Virgin Islands

4. VPN.apc – located in Romania

5. VyprVPN – located in Switzerland

6. Perfect Privacy – also located in Switzerland

7. OVPN – located in Sweded

8. TrustZone VPN – located in Seychelles

9. ProtonVPN – again located in Switzerland

Below are the three VPN providers that are certified to not collect logs.

1. NordVPN

2. ExpressVPN

3. VyprVPN (Taylor, 2022)

There is one final thing that we all can do to protect our privacy. That is to stop using insecure search engines such as Google and Bing, just to name the main ones and move to more secure search engines. There are four that are outside the Five Eyes Alliance, which include:

1. Searx – there is no jurisdiction

2. MetaGer – located in Germany

3. Swisscows – located in Germany

4. Qwnt – located in France

There are also three that while they are located within the Five Eyes Alliance, are still recommended due to their privacy policies. They are:

1. DuckDuckGo – located in the United States

2. Mojeek – located in the United Kingdom

3. Brave Search – also located in the United States

One thing to remember is that the above recommendations is not an all-inclusive list of what we can do to ensure our privacy. One thing missing is web browsers. There are more secure browsers them Chrome and Edge.

Basically, what this comes down to is trust. With the information that has been provided, does everyone trust that their privacy is ensured with what you are currently using . Before we as individuals can answer that question, we all need to look at our own situation, threat model and whether an adversary would have a reason to target you. We also need to determine if we are comfortable with our governments basically having unrestricted access to our information.

References

• Five Eyes. (n.d.). Retrieved from Privacy International: https://privacyinternational.org/learn/five-eyes 

• Taylor, S. (2022, March 14). Five Eyes, Nine Eyes, 14 Eyes (What to Avoid in 2022). Retrieved from Restore Privacy: https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/ 

Many of the phishing emails I’ve seen almost always involve money in it. This email in particular mentions that I will be sent an incredible amount of money but what for? Why would the “FBI Headquarters” contact me through a random test email (test@rapidsms.net) from someone I don’t recognize (I personally don’t know anyone named Christopher A. Wray)?

If you read the email, you will notice that the beginning sentence attempts to list actual organizations to get you to think that this is legitimate, even though you may not have used any of their services. You will also notice that the grammar and punctuation are not done properly. The person they are asking to contact doesn’t actually have an official “western union” email.

To reference some common features of phishing emails with all that we have listed, we can come to the conclusion that this email is too good to be true and that it came from an unusual sender. There’s a sense of urgency in the email where we are notified about the deadline to lodge the claim but it’s not as emphasized compared to other emails that heavily use that trait.

Can you find any more noticeable traits about this email that we haven’t mentioned yet? Let us know! Remember to review the common features of phishing emails and if you’re unsure whether an email you received came from the right source, use your best judgment. Next week, we will continue to practice analyzing other phishing emails, this time involving “order transactions” from a "legitimate” company. Until then, trust your gut and don’t open that suspicious email!

What exactly are IoT devices? IoT stands for “Internet of Things”. They are also known as smart devices. Now, let me ask what comes to mind when you hear the term “IoT device”? I would bet a lot of the answers are going to be the Amazon Echo, or the Google Home, am I correct? Now, there are a lot more than just those two. The list includes smart refrigerators, smart watches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security systems, and the list goes on (18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products, 2022).

While IoT devices are great in that they make our lives a little bit easier, they do have one serious flaw. IoT devices are configured for ease of setup / use, not security or privacy. To prove my point, I looked for a story regarding baby monitors being hacked. Yes, certain models of baby monitors are IoT devices.

I do not know if you all remember but there were stories every couple of months a few years ago, but we do not hear much about it now.

So, the story I found is from 2018 about a mom in South Carolina initially noticed unusual activity on her baby monitor. One morning she wakes up and sees that that the monitor is directly facing her. While she thought this was weird, she dismissed it thinking her husband was known to move the monitor through the application on his smart phone so he could check on her while at work. Seems logical to me, as I have something similar, but not a baby monitor, that I can use to check on my wife while I am gone. However, the second incident has no logical explanation to it. It happened while both the husband and wife were having dinner together. The wife got an alert on her phone that the camera was moving, but they were both at home in the same room and neither one had opened the app and moved the camera. What the wife did next was the best thing she could do, and that was to not only disconnect the baby monitor, but also call law enforcement.

When an officer arrives the wife describes what happened and said she suspected the baby monitor had been hacked. So, the officer decided to do a little investigating and wanted to test that theory. The officer had her reconnect everything and that is when she discovered she had been locked out of her own account (Domonoske, 2018). Pretty scary stuff.

Now at this point some people may be thinking how this happened. Remember what I said earlier. IoT devices are configured for ease of setup / use, not security or privacy. Also keep in mind that these devices could have vulnerabilities that are not seen on computers. I am talking about vulnerabilities that could allow a device to reset back to default settings (to include login credentials). I mention that because in the story when the monitor was setup the password was changed to something unique to the device and was not used anywhere else (Domonoske, 2018).

After reading this story, I am willing to bet that some of you are wondering if it is even possible to secure IoT devices and my answer to that is yes, they can be secured. In fact, there are six that can be taken to secure IoT devices. One disclaimer. I know the site says seven tips and I am listing 6. I did that because I combined changing the Login ID and password to a single item.

1. Start with configuring the router correctly.

a. Do not use default credentials. Change both the login ID and password.

b. Use highest level of encryption possible. You are looking for WPA2 or WPA3. Anything less than that (WEP or WPA), you need a newer model.

2. Put IoT devices on their own network separate from everything else.

a. Basically, create a guest network for IoT devices. By doing this, you will prevent criminals from accessing the main network if an IoT device is hacked.

3. Another option is to turn off features you are not going to use.

4. Update the devices firmware. Keep in mind that this typically does not occur automatically. So, it may have to be completed manually. That means setting a calendar reminder once a quarter or so and following the directions to update, that should be included with the documentation for that device.

5. Implement MFA if available. Now, I know that this option is a little counterintuitive as it takes the ease of use out of the device, but it will add to the security.

6. Use a secondary Next Generation Fire Wall (NGFW). This is an option because while most routers that were built within the last few years probably have a fire wall, they may not offer the protection you want. In that case purchasing an NGFW and using it in conjunction with the router would do the trick (Goodreau, n.d.).

So, the bottom line here is that we as individual end users of these products are responsible for our security. We cannot rely on the product manufacturers to be security minded. As I have said a couple times in this blog, manufacturers want people to have a product that is easy to setup/use. This is what makes them money. If a product is not easy to setup/use, people are not going to buy it and the company is not going to make money, which is what matters to them.

References

18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products. (2022, September 24). Retrieved from Software Testing Help: https://www.softwaretestinghelp.com/iot-devices/#:~:text=Smart%20Mobiles%2C%20smart%20refrigerators%2C%20smartwatches,few%20examples%20of%20IoT%20products 

Domonoske, C. (2018, June 5). S.C. Mom Says Baby Monitor was Hacked; Experts Say Many Devices are Vulnerable. Retrieved from NPR: https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable 

Goodreau, T. (n.d.). 7 Actionable Tips to Secure Your Smart Home and IoT Devices. Retrieved from IEEE Computer Society: https://www.computer.org/publications/tech-news/trends/7-actionable-tips-to-secure-your-smart-home-and-iot-devices 

One of the main reasons for naming my nonprofit Cybersecurity Central was because to be a resource for those who desire is to constantly learn more about tech, infosec, cybersecurity, and preparation for career development and reaching our human potentials.

This particular blog post, and many of the topics I discuss personally, are around the human side of careers. I heard of mindfulness training and CBT, (cognitive behavioral therapy), but had no personal experiences using these resources myself, until recently. 

Mindfulness allows us to relocate confidence we may have lost, or never built within ourselves, it helps to focus on what is important and relates to our mission in our journey, and it is a complete gamechanger when discovered and tapped into.

For many reasons, things have been out of line for quite some time in my life, and the discovery of learning to change my mindset has been a true help in allowing me to realign and restructure plans and next steps in my tech and infosec career.

Below are some #mindset resources I use personally and want to share with you. If you have mastered this art and already possess a positive and confident mindset, share the resources with your network. It's mind-blowing to learn how many others are waiting to discover how to influence their own mindset and become the best versions of themselves they are capable of being. Leaders and influencers included! It's not just the n00bs full of insecurities. 

Aligned in Tech was the first podcast still sticking to the tech theme, but started to lean into mindset, and how to rethink my value as a career changer and what I bring to the table. The shows consist of several things I heard before, but was captured so simply and delivered with support, from experience, allowing you to absorb and make the necessary mind shifts necessary to excel in our lives. 

Brave to Be Multipassionate by Kate Kim was the next podcast I found, after seeing a post from Kate on LinkedIn. Wow! What a gem of a podcast! I have found more resources and individuals to follow from listening to her podcast than I can count! She hosts amazing guests who are more than research worthy, each with great initiatives and platforms themselves. Do yourself a favor and make this a must listen, (or watch now on YouTube), especially if you're anything like me and have passions in many places throughout your life. 

The next resource is Positively Living podcast from Lisa Zawrotny, whom I discovered while listening to Kate's Brave to Be Multipassionate podcast! Talk about hitting all the areas... Lisa covers everything from how to organize your LIFE, and how to have a positive and productive mindset while doing so. If you want to get organized, and learn various methods from multiple expert sources, this is a show for you. Add it to your list of favorites!

Last up, a self-help and self-therapy book, "The CBT Deck: 101 Practices to Improve Thoughts, Be in the Moment & Take Action in Your Life."  This is something I found on Amazon covering Cognitive Behavioral Therapy, CBT, specifically. Although the podcasts above may not mention CBT directly, I found much of the mindset talks, insights, and help provided goes right back to CBT. Instead of opting for the physical deck of cards (the "paperback" option on Amazon), I decided to go with the Audible version where I can listen to the cards, anywhere from 5-15 minutes per day. It will depend on your style of intake as to which method you may prefer. Kindle version is also available. I can tell you for the few weeks I've been using this, I have noted a big difference in my overall outlook and confidence in my abilities and BHAG goals. 

Now that you have these resources for mindfulness, connect on social on let us know what you think! Feel free to tag @cybersecuritycentral in your posts! We would love to highlight and share your post!

If you haven't already, please be sure to check out Cybersecurity Central’s YouTube channel and subscribe to follow the latest! Follow us on LinkedIn at Cybersecurity Central. 

I greatly appreciate your support of Cybersecurity Central and can't thank you enough for tuning in each week to hang out with us!

Now go check out some of these insightful and inspiring mindfulness resources. You will not be disappointed!  

The data breach at Uber is just the latest in a long list of data breaches this year. While the tactic used to gain network, access is not new, I do not believe it has gotten a lot of press till now. You all might be wondering which tactic that is. That would be Multi-Factor Authentication (MFA) fatigue. So, what is MFA fatigue? As we all know, there are different types of MFA. They include hardware keys, biometrics, authentication applications, SMS, and push notifications. MFA fatigue targets push notifications (Abrams, 2022).

The way this attacks works is the threat actor gets an employee’s credentials, either by phishing or buying them off the dark web or some other way. Then the threat actor tries to log in and the victim gets a push notification. Obviously, the victim knowing they are not attempting to log in, is not going to accept the notification. Now, not having gained access to the network, the threat actor will continue to attempt to log in repeatedly in rapid succession until the victim gets tired of the notification that they finally decide to accept it just to make the notifications stop (Abrams, 2022).

So, what can be done to safeguard against this type of attack? Artic Wolf, a leading Cybersecurity company has three recommendations.

1. Educate all users on indicators of an attack:

a. Unexpected MFA push notifications

b. Unknown location of login attempt

c. Receiving communication supposedly from a person in the organizations IT department asking the user to accept the request

d. Continuous MFA requests in rapid succession over a short period of time

2. Restrict the number of MFA push notifications allowed

3. Disable MFA push notifications and use another form of MFA (Tatar, 2022)

One thing to keep in mind is that MFA is another tool in the cybersecurity toolbox. It is subject to compromise just like any other tool we have. The reason I say that is because from what I have seen is that the expectation is for MFA to be the end all be all of security, but it is not. I am pretty sure that is an unpopular opinion and that is fine.

I am pretty sure that some people reading this are wondering “if MFA can be compromised, then why use it?”. This is a valid question. The reason MFA still needs to be used is because it is part of a layered defense. By that I mean the first layer are a user’s login credentials (username and password). If those get compromised, that is when the second layer (MFA) comes into play and will generally prevent a threat actor from gaining access to an organizations network.

Like I alluded to earlier, MFA is not foolproof, as proven with the attack on Uber and numerous other organizations. I mean let’s be honest, if a threat actor wants to gain access to a network, they are going to find a way in. The whole point of using MFA as part of a layered defense is to make gaining access to our networks so difficult and time consuming that they move onto another target. The military would consider this being a “hard target”. By being a “hard target”, your organization becomes less desirable to an attack and a threat actor will normally move onto another target.

There are two important takeaways I want everyone to gain from this blog:

1. MFA is simply another tool. It is good at preventing a threat actor from gaining access to a network, but it can be compromised.

2. Educate your users. That means everyone from the CEO all the way down to the newest employee that is at the bottom of the corporate ladder. Securing our networks is everyone’s responsibility. There is an African proverb that states “it takes a village to raise a child” (Reupert, Straussner, Weimand, & Mayberry, 2022). I would say that in this context, it takes a village to secure our networks.

References

Abrams, L. (2022, September 20). MFA Fatigue: Hackers' New Favorite Tactic in High-Profile Breaches. Retrieved from Bleeping Computer: 

MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches

Reupert, A., Straussner, S. L., Weimand, B., & Mayberry, D. (2022, March 11). It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the "Village". Retrieved from Frontiers: It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the “Village”

Tatar, S. (2022, September 22). The Growing Risk of MFA Fatigue Attacks. Retrieved from Artic Wolf: What is MFA Fatigue? | Arctic Wolf

We have a lot coming for you this October for Cybersecurity Awareness Month. To get you prepared for what’s to come, here’s a quick background of what Cybersecurity Awareness Month is about.

In October 2004, Cybersecurity Awareness month was established as a joint initiative by the National Cybersecurity Alliance and the U.S. Department of Homeland Security.

With the continuous rise of confidential data being uploaded online and the rise of current and upcoming cyber threats, this month is about creating awareness to help all types of users stay safe and protected online.

This year's campaign theme is, “See Yourself in Cyber.” Technology continues to adapt and improve every single day. This year’s main focus will be on putting people first when it comes to cybersecurity. As developers, administrators, or end users, we all play a part in technology. It’s important to highlight preventable measures we can take to protect our online privacy and data, in the hopes of building up a safer cyber space together. For more information, check out: 

Cybersecurity Awareness Month | CISA

Although we have a whole month dedicated to Cybersecurity Awareness, did you know that there are other days where we can celebrate it all year round? Here are more days that you can add to your calendar:

• January 24th to 28th: Data Privacy Week

• February 8th: Safer Internet Day

• February 14th: National Clean Out Your Computer Day

• March 31st: World Back-up Day

• April 12th: Identity Management Day

• May 5th: World Password Day

• All of October: Security Awareness Month

• October 29th: National Internet Day

• November 13th to 19th: International Fraud Awareness Week

• November 30th: Computer Security Day

Are you participating in this year’s Cybersecurity Awareness Month? 

Connect with us on Cybersecurity Central's socials and tell us about it!

• CC on LinkedIn: https://linkedin.com/company/cybersecuritycentralorg 

• CC on Twitter: https://twitter.com/cybersecuritycc 

• CC on YouTube: https://youtube.com/cybersecuritycentral 

Let's begin with a typical conversation between someone in Cybersecurity and someone wanting to break in to the industry. New person: “I want to get into Cybersecurity, but do not know where to start”. Cybersecurity professional: “What part of Cybersecurity do you want to get into?” New person: “I do not know.

Does this sound familiar? It should because I am willing to bet that most if not all of us have either initiated or been a party to this very type of conversation. How do we respond when a new person says, “I do not know”, when asked what part of Cybersecurity they want to get into? Luckily, NIST has us covered. They created the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.

The NIST NICE Framework also known as NIST SP 800-181, was created in 2017 to deconstruct the Cybersecurity realm into 52 roles. It also acts as a foundational reference that provides base line information regarding the knowledge, skills, and abilities (KSA’s) for these roles. It was updated to Rev. 1 in November 2020 (Newhouse, Keith, Scribner, & Witte, 2017).

One thing that I like about this framework is that it is easy to read. It is logically laid out. Now, as with any other framework, NIST 800-181 is full of acronyms however, the first time one is used it is spelled out, which alleviates some confusion for people reading it. Another aspect of it I like is that is spells out not only who the audience is, but how it is going support them. For example, NIST 800-181 is designed for everyone, but for employers, there are five aspects that will help them basically write a job description for a particular role. It also describes how it supports current and aspiring employees. Finally, it discusses support for the educators, trainers, and technology providers (Newhouse, Keith, Scribner, & Witte, 2017).

So, everyone might be wondering what part of NIST 800-181 do we refer a new person to when answering they do not know what part of Cybersecurity they want to get into. Well, there is a table in Attachment A3. Specifically, they want to look at the Work Role, which is in the middle of the table, and the Role Description, which is the far right of the table (Newhouse, Keith, Scribner, & Witte, 2017). One thing to keep in mind is that while as stated earlier the NICE Framework identifies 52 roles, that does not mean that individual organizational positions are going to be identified the same way. This may cause some confusion. The best idea that I can think of to alleviate that confusion is to compare the role description in the NICE Framework with the job description is in the job ad.

In addition to the identified roles, the NICE Framework also breaks down those roles and identifies applicable tasks, knowledge, skills, and abilities (KSA’s) required for the specific role. This is going to be in Appendix B. I must warn everyone, this table used a lot of codes to identify the tasks and KSA’s. The tasks / KSA’s codes and their definition are in Appendix A. That means there is going to be a lot of going back and forth between the two Appendices.

Now, if you remember from earlier, I said that the NICE Framework is designed to be used by everyone, not just people trying to decide on what part of Cybersecurity to get into. For example, organizations can use Appendix A and B when they are creating job advertisements. Also, managers can use those same appendices when deciding on employee training.

So, if there is one NIST Framework that I think everyone must read, it would be NIST 800-181. It has information applicable to everyone. For new people wanting to break into the Cybersecurity industry, it breaks down the industry into 52 roles, which can assist them in deciding what part of Cybersecurity they want to get into. For HR, it has a listing of KSA’s for those specific roles, which will help them in creating accurate job listings for open positions. Finally, for trainers, NIST 800-181 can be used as a resource as they create training programs, courses, seminars, exercises, and challenges as they can be based on role specific tasks and associated KSA’s.

References

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017, August). NIST Special Publication 800-181. Retrieved from National Institute of Standards and Technology: https://doi.org/10.6028/NIST.SP.800-181

Not many realize it., but the need for cybersecurity has increased in today’s time and will continue to increase as technology progresses.

Earlier this week, I encountered an elderly client who told me that he did not want to give out his email address unless it was absolutely necessary. This led him to share about a deepfake AI incident he heard about, where another elderly person was lured into believing that the service provider she was communicating with was the “actual” service provider, when in fact, was a scam. She lost thousands of dollars and had a lack of support. It was devastating to hear but even more devastating to know that incidents like this happen daily without us even knowing.

I decided to pursue the path of cybersecurity early Spring of this year. It has become more and more evident to me how important it is to implement it on every level, from your personal devices and home networks to small-medium sized businesses, large corporations, and industrial control systems, and to create awareness designed differently for each age group.

Like the following quote, “Your internal reality becomes your external reality.” (Unknown), it’s relevant to say that this applies everywhere, even in the cyber world. If the internal systems are flawed or compromised, it might show as a data breach, a business closure, or financial loss.

If you haven't been keeping up with Simply Cyber’s Daily Cyber News Brief every weekday, you are missing out! First of all, the community never has a dull moment; second, there is always something happening in the digital world that we don’t hear about on mainstream news. Technology changes every day. Being informed about what is happening is an effective way to learn how to prevent ourselves from getting compromised.

As we approach Cybersecurity Awareness Month in October, below are some great resources to better prepare ourselves and help protect one another from online incidents:

• National Cybersecurity Alliance (US): Home - National Cybersecurity Alliance

• National Public Awareness Campaign (Government of Canada): Get Cyber Safe

• Layer 8 Security Champions (UK): Champions Hub Membership

• Read my previous blog post on End-User Awareness at CYBERSECURITYCENTRAL - Blog by CC

Cybersecurity Central is proud to be an official 2022 Cybersecurity Awareness Month Champion organization with National Cybersecurity Alliance.

There’s no better time than to start now. Stay safe, stay aware, and stay secure.

Did you know you have two identities? Well technically, it’s two parts of your identity. Don’t worry, I didn’t either but it turns out that the identity we normally refer to is only one half of what we have. Many forget that our digital identity counts and is as important as our real-life identity.

Let’s call them: offline and online. So, what’s the difference?

Our offline identity is what we mostly refer to. It is who we are, our real-life personas, and how others know us. This is the identity we use at home, at work, or at school. The offline identity includes personal details of our life that even our friends and family might know, such as our full name, date of birth, age, address, and even our favourite colours.

Our online identity is the digital identity that we carry, that indicates who we are and how we present ourselves. This is our online persona. This can include our usernames, emails, or aliases for our accounts. The moment we are active on the web is the moment our online identity is established, regardless whether we create an account online or not.

It’s important to keep in mind that both identities should be secured as each one comes with different risks. Even if one is more secure, this could still pose a risk to the other as both offline and online identities can be entryways or an attack surface.

What preventable measures can we take to protect our offline and online identities?

Awareness is key. Let’s first look into social engineering.

Social engineering attacks are a common way to gain information using social tactics. As we will look into the specifics of social engineering attacks in the future, for this topic, we will focus on shoulder surfing.

Shoulder surfing is a type of social engineering attack where someone casually observes over the shoulder of another person to gain unauthorized information. This is a simple technique that is used for gathering sensitive information, such as credentials, or monetary gains and is often committed in office environments.

Check out some practical ways to prevent shoulder surfing:

• Position screen monitors in a way where other unauthorized personnel are unable to see them (away from windows, counters, or open spaces)

• Adjust the screen brightness or use a screen filter that is attachable to the monitor to restrict the visibility of the screen to surrounding bodies

Additional steps we can take are to avoid using the things in the list below, to help protect our identity:

• Personal information in our usernames or passwords

• Full name, if not required

• Parts of our address and phone number

• The same username and password combinations, especially for our financial accounts

• Super-odd usernames and reusing it over again for other accounts – this can be easy to track

• Usernames with password clues or consecutive patterns, for example: having a series of numbers and letters, including the first-part of two-part phrases

Now that we know that our identity is split into two parts, let’s make sure we protect both identities as best as we can. Help us spread awareness by sharing our blog to your network!

To learn more about your digital identity, check out the references below.

References:

Digital identity for individuals. (2017). NIST. https://www.nist.gov/itl/applied-cybersecurity/tig/digital-identity-individuals

Gibson, D. (2020). CompTIA security + : get certified get ahead SY0-601 study guide. Ycda, Llc.

Introduction to Cybersecurity. (2018, January 22). Networking Academy. https://www.netacad.com/courses/cybersecurity/introduction-cybersecurity

While studying for my CompTIA CySA+ examination I came across several regulatory frameworks. So, I thought it would be a good idea to create a blog to briefly discuss each one. The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; and finally, the Family Educational Rights and Privacy Act (FERPA).

The first framework I will cover is HIPAA. HIPAA became a law back in 1996 and was designed to facilitate employees changing jobs to take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

The second framework is PCI DSS. The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

The third framework is the GLBA. This standard is applicable to the banking industry. The basic premise is that all financial institutions have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

The fourth framework is the SOX Act. This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors. It is named for the two members of Congress that sponsored it, Senator Paul S. Sarbanes, and Representative Michael G. Oxley (Kenton, 2022).

The last framework to be covered is the FERPA. This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose. 1) Returns control of educational records back to the parents or to adult students. 2) Requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).

References:

Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex.

Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html

Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

HIPAA History. (n.d.). Retrieved from HIPAA JOurnal: https://www.hipaajournal.com/hipaa-history/

Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp

Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20

One of the reasons I've made so many connections is tuning into livestreams, attending webinars, and listening to podcasts, then reaching out to those who inspire me and making a personal connection.  It's also how I am able to (somewhat) stay up-to-date on infosec news and events. 

For today's blog, I wanted to cover podcasts. This is the next section to be built out on the resources page, but to align with the resources already on our site, I want to provide you with the foundations.  One topic that isn't highlighted yet on the CC Resources page is podcasts.  Podcasts are critical to staying current on what's happening in the worlds of tech and cyber. 

Below are some of what I feel are must listen podcasts.  Some are daily, others weekly, or even monthly.  How do I find time to listen and keep up?  Full transparency, I don't get to keep up with all of them all the time, but I definitely find time to listen in the morning, a little during the day, a lot at night, and even small doses on the weekends.  I enjoy mixing podcasts that aren't all technical and also include the human side of things:   

• 2 Cyber Chicks with Jax Scott & Erika McDuffie 

• Hacker Valley Studio with Ron Eddings & Chris Cochran

• Darknet Diaries with Jack Rhysider

• Cyberwire Daily with Dave Bittner

• The Hacker Factory Podcast with Phillip Wylie

• Simply Cyber Podcast with Gerald Auger, PhD (or join us live on YouTube M-F #teamlive)

• Cybercrime Magazine Podcast from Cybercrime Ventures

• Cyber Security Headlines from CISO Series  |  After listening to this 6-minute podcast, go check out Simply Cyber's Daily Cyber News Brief for the breakdowns from each story!  Or click here if you prefer the podcast version. 

Please note: The podcast list above is a only a quick snapshot.  There are many more I've listened to and recommend, and will include in the CC Resources page in the future, as well.  

One of the primary reasons I named this nonprofit foundation Cybersecurity Central was because I want it to be a resource to those who desire is to learn more about where to learn more about all things cybersecurity.  Cybersecurity Central has a resources page newly released, but there are many topics still to be added from the lists I've accumulated over the past 2 years, researching and discovering where some of the most applicable, engaging, and trustworthy resources.  Feel free to check out the CC Resources page for a flavor of the absolute essentials everyone should check out.  Be sure to bookmark and check back regularly for new resources.  I have TONS of resources still to share, but building it out one by one is super tedious, bear with me. ;)

If you haven't already, be sure to check out Cybersecurity Central’s YouTube channel.

And while you are there, please subscribe, like, and share with your network if you found some value.  Take care and thanks as always for the continued support for Cybersecurity Central!

From an end user’s perspective, it can be exciting when we find free Wi-Fi is available. Unfortunately, “free” does not always mean it’s safe to use. In today’s blog, we will bridge from last week’s blog topic, Public Wi-Fi is Not Your Friend, and highlight some of the risks of using public Wi-Fi.

Although there are many risks that can occur, we will focus on the following three common attacks:

• Identity Theft

• Man-In-The-Middle Attack (aka On-Path Attack)

• Session Hijacking

Identity Theft

We often use our identity to verify who we truly are in order to open or access important accounts like our bank accounts. It is crucial that we keep our personal information safe and protected to prevent others from stealing it. This is what identity theft is – when someone steals your personal information such as your name, address, credit card information, social security numbers, health insurance numbers and more. Those who attempt to steal these sensitive information often use it to commit identity fraud for financial gain. To prevent identity theft from occurring, especially under public wi-fi, avoid visiting websites where you’re required to fill in your personal information or bank login credentials.

On-Path Attack/Man-In-The-Middle Attack

With an open connection, there can be an influx of network packets traveling within that network all coming from different devices. This is susceptible to an on-path attack, where a different, and possibly malicious, computer can intercept the connection between two other computers within the same network. This is a form of active eavesdropping. Be aware that any unusual activity, such as having large amounts of data transfers occur over public wi-fi, may possibly indicate an on-path attack. For prevention, devices are recommended to be equipped with anti-malware software, firewalls, and intrusion detection systems. As with any device, ensure that strong passwords are always used and that software are regularly patched and updated.

Session Hijacking

Session hijacking is similar to the on-path attack. The goal is to either steal personal information, execute a denial-of-service attack, or infect a system with malware. Rather than intercepting between two computers, the malicious hacker intercepts a connection between the computer and the server of a website by recording your session ID. Session IDs may be attached to links or requests that are sent to the websites you visit. Active, passive, and hybrid are the three different types of session hijacking attacks that also include different techniques on how it’s conducted. To prevent this, avoid clicking links you’re unsure about, make sure to log out of your accounts in each session to terminate it, install a firewall and anti-virus software on your device, ensure that the websites that are visited are secured, with URLs beginning with “HTTPS”, and last but not least, use a VPN (virtual private network). Using a VPN will make it more difficult for hackers to intercept traffic.

In Conclusion

There are many other threats out there that need to be covered, but we will need to take things one step at a time. The more devices we hold, the more points of entry we have open. Cybersecurity attacks and breaches happen quite frequently and the scary part is that we might not even know it’s happening until it reaches the news. Prevention is one of the best ways to protect ourselves and our systems from any attack. We don’t always know how to prevent unless we know what we are preventing from. This is why the importance of cybersecurity awareness is crucial to all users. We hope that we can continue to bring you more cybersecurity awareness content to you here at Cybersecurity Central to help you stay protected online.

We see news stories almost daily of threat actors hacking into an organizations computer network and either taking the data or encrypting it unless said organization pays a ransom.  Now, we all know that this is illegal, but do we know why it is illegal?  The answer lies within 18 U.S. Code 1030, also known as the Computer Fraud and Abuse Act (CFAA) which became law in 1986.  This blog will discuss the specifics of the CFAA, what lead to its passing, and most recent updates.   

History of CFAA

The CFAA got its start as part of another statute called the Comprehensive Crime Act of 1984.  There was a part of this act that made the following two activities related to computers illegal.  1) Gaining unauthorized access to a computer.  2) Having access to a computer but accessing areas that are not authorized (CFAA Background, 2022).  Basically, this is privilege escalation.  

Now for someone to be charged under the Comprehensive Crime Act because of hacking, the victims were limited to government interests.  More specifically the actions had to involve one of three scenarios.  1) Accessing information vital to national security.  2) Gaining access to personal financial records.  3) Gaining unauthorized access to government computers (CFAA Background, 2022).  

Let's skip ahead to 1986.  This is when the provisions of the Comprehensive Crime Act of 1984 related to computer crime officially became 18 U.S. Code 1030, The Computer Fraud and Abuse Act (CFAA).  This separation facilitated the addition of three more prohibitions: 

1. Gaining unauthorized access with intent to defraud (CFAA Background, 2022).  Now, you will notice that the gaining unauthorized access is the same as in the Comprehensive Crime Act.  The addition is the intent to defraud.  So, the bottom line for this prohibition is to gain unauthorized access with the intent of illegally receiving money from an organization through deception.

2. Gaining unauthorized access, same as before, but adding to that the threat actor changes the data in some way that it affects the Confidentiality, Integrity, and Availability (CIA triad) of that data. 

3. The addition of prohibiting trafficking in computer passwords (CFAA Background, 2022).

Now, in addition to what was mentioned above, lets see was else is in the CFAA.  There are also punishments defined in this document.  These punishments are defined by the type of offense.  In addition, the CFAA dictates who (depending on the offense) will investigate.  It will either be the Federal Bureau of Investigation (FBI) or the United States Secret Service.  Finally, definitions of certain terms at the end of the document (18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers, n.d.).

2022 Update

Over the years, the CFAA has been updated numerous times.  The most recent update was in May 2022.  Basically, what this update affirms is that “good-faith security research should not be charged” (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).  This update goes on to define good-faith security research, but essentially it means hacking into a network (with the owner’s permission) to test for vulnerabilities so they can be mitigated, thus protecting the CIA Triad of that network (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).

Conclusion

I highly recommend at least scanning over it.  I think it is an interesting read, of course I am a bit of a nerd so I may be a little biased.  Nonetheless, it is important to be at least familiar with applicable laws, especially if anyone is wanting to get into penetration testing.  This way you will have an idea of how far you can go without breaking the law, because I will tell you as someone with a criminal justice degree, claiming ignorance of the law is not a defense.

References:

18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from cornell.edu: https://www.law.cornell.edu/uscode/text/18/1030 

CFAA Background. (2022, July 14). Retrieved from NACDL: https://www.nacdl.org/Content/CFAABackground 

Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act. (2022, May 19). Retrieved from Justice.gov:

 https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act 

I have been deceived and probably, so have you.

There was a time in life when my friends and I would get excited when Wi-Fi became publicly accessible in certain coffee shops, restaurants, airports, and libraries. This meant that we didn’t have to spend extra money to pay for cellular data overages.

We would instantly connect wherever public Wi-Fi was available as if he hit a jackpot. Okay, maybe that’s a little exaggerated. But it defined the quote, “the best things in life are free.”

Although that quote does not exactly hold true. It should have been, “the free things in life come with consequences.” Here is where convenience versus security comes to mind.

Public Wi-Fi is not our friend. Connecting to it puts ourselves at potential risk. At your discretion, you can use it when it comes to desperate measures but if it’s possible, avoid it at all costs.

I’ll tell you why.

There are probably hundreds of people passing by the same location as you. This means with these hotspots, any one of these people can connect. This also means any one of these people may be a cyber criminal.

Another point to think about is how the public Wi-Fi was configured. Was it properly secured? Are you able to gain access to the network as an admin? Maybe they didn’t change the default settings on their router.

Here are a few risks that may be encountered through using public Wi-Fi:

• Identity Theft

• Data Breach

• Man-in-The-Middle Attack (aka On-path attack)

• Eavesdropping/Packet Sniffing

• Session hijacking

• Unencrypted connections

• Malware distribution

We will go over each one of these in a future post. But for now, what can we do to protect ourselves and mitigate the risks that we can control?

Here is a list compiled by Get Cyber Safe, a Canadian national public awareness campaign:

• Turn off the Wi-Fi on your device in a public Wi-Fi zone if you’re not connected to the Internet

• Ensure that a firewall is enabled

• Be careful what you browse and avoid visiting websites that contain sensitive information

• Use a VPN (virtual private network) that encrypts data and allows you to browse under a secure network

• Be wary of shoulder surfers that may be watching your screen
  Ensure that websites you visit are using HTTPS, not HTTP

Do you have other recommendations, tips, or tricks on how to protect ourselves online? Visit us on social and let us know!

Below are some great resources and studies to check out regarding public Wi-Fi:

(PDF) Why do people use unsecure public Wi-Fi? An investigation of behaviour and factors driving decisions

- 

Public Wi-Fi - Get Cyber Safe

https://irjhis.com/paper/IRJHISIC2203054.pdf

Until next time, stay safe out there… and online!

Did you know there are different kinds of phishing attacks that exist? First, let’s define what phishing means.

According to Phishing.org, phishing is “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”

Phishing is one of the most common ways for cyber attackers to target people online via email. Many times, this type of attack is used on specific groups of people or high-profile individuals to gain personal information and most of the time, for financial gains.

As phishing continues to adapt, cyber attackers have found other communicative pathways to trick users into providing information. Some examples are voice messages, SMS text messages, and phishing through search engines. There are multiple ways in which phishing techniques are conducted, however, in today’s blog, we will be focusing on the different types: email phishing, vishing, smishing, spearphishing, and whaling

Email phishing

When we hear phishing, we automatically think of email phishing. That’s because it is the most common technique used to conduct a phishing attack. If you check your spam/junk folder in your inbox right now, you might notice emails coming from unknown email addresses with odd subject lines. There could also be emails coming from people you think you know. Beware that the purpose of phishing is to trick users into revealing personal information and believing that the sender or organization is legitimate. How is this conducted? Usually, phishing attacks that are done through email may contain links that lead to a malicious website that appears legitimate. These websites could either load up a trojan virus or something that enables you to input your credentials. Other emails could contain malicious attachments.

Vishing aka. Voice phishing

Vishing is a combination of “voice” and “phishing”. This occurs when a “phisher” utilizes a phone system to lure their targets into providing their personal information or credentials, mainly for financial gain. VoIP (Voice over IP) technology is often used for these attacks because it’s easier for the attacker to pretend that they are from an actual known company, by spoofing their caller ID.

Smishing aka. SMS phishing

“SMS” and “phishing” make up the term “Smishing”. Rather than it being done through email, phishing is done via text message. With the same purpose of gaining personal or financial information from a target, malicious links and attachments can also be sent through text. Smishing can also be used to obtain verification codes if the target’s phone is used for multi-factor authentication for their credentials.

Spearphishing vs. Whaling

If you get these two terms mixed up, you are not alone. Let’s go over the main differences.

Spearphishing is a specific type of phishing in which an attack is conducted on a particular person or specific groups of users, most often within an organization.

Whaling is a specific type of spearphishing, where a high-level executive is either the victim or the one being impersonated.

There are so many different ways a phishing attack can be done. Importance of end-user security awareness is crucial to our online safety and privacy as phishing attempts occur every minute of every day.

As end-users, how can we do our part to prevent these phishing attacks from progressing?

• First and foremost, staying informed about these types of attacks help bring awareness. Being knowledgeable of what we are up against will help us find methods on preventing these attacks from surfacing.

• Stay curious and think before you click. If you’re not familiar with the sender and the purpose of the email, do not click the link. If you think you might know the sender but are unsure why they may be sending you an attachment, directly contact the person via phone to verify that they actually intended to send that email.

• Never give out personal or financial information to people you don’t know over the internet and especially through email.

• Double check the URL address of the link. Hover your mouse on the link (do not click it) and see if the URL comes from a legitimate website

• Verify the website's security by ensuring the URL address starts with an “HTTPS” and contains a lock image beside it.

• Do not trust pop-ups. Sometimes they can be deceived as part of the website you’re intending to visit. If you’re not sure what the pop-up is about, close the window immediately.

• Use anti-virus software or enable a spam filter that helps block malicious emails and websites.

If you would like to learn more about phishing, here are some great resources to visit:

- https://www.getcybersafe.gc.ca/en/blogs/phishing-introduction

- https://phishing.org

- https://www.microsoft.com/en-ca/security/business/security-101/what-is-phishing

- https://cybersecurityguide.org/resources/phishing/

- https://www.phishprotection.com/resources/what-is-phishing/

Disasters, whether natural or man-made, are inevitable. Every company no matter the size or location is going to experience one. How quickly they recover, if at all, depends on whether they have a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster, close their doors forever, (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).

For a BC / DR plan to be successful the following five steps should be taken:

1. Be proactive with planning – Basically what this is saying is to create a list of as many conceivable disasters as possible. The imagination is the only limiting factor here if the disaster is conceivable. For example, a company in North Dakota planning for a hurricane is not conceivable.

2. Identify the organizations critical functions and infrastructure – This is the time a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses causes of disruptions and the repercussions of those disruptions.

3. Create emergency response policies and procedures – This is the meat and potatoes of the process. Creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.

4. Document backup and restoration process – This involves writing down the procedures for backing up the companies’ data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.

5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing it comes in. Testing a plan makes the employees familiar with it which results in them being able to respond quicker. This is paramount in a disaster where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).

When creating the BC plan, one of the main things to consider is the backup location. This location may have its own risks from disasters that need to be anticipated. Six items that need to be considered when choosing a backup location include:

1. Natural Disaster - Depending on the location, especially if it is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The way to mitigate this is if feasible to pick a location further away.

2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power, or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or find a location where employees are close by that may be able to walk to get to the site.

3. Human Error – Humans are not psychic. We need to be passed information. A company may have the best BC /DR plan ever created however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.

4. Cyber Attack – While transferring the data to the backup site, companies need to ensure that their customers information is safe and not going to be subject to a cyber-attack. This can be mitigated by ensuring devices at the backup location are constantly patched and updated, anti-virus is used, and data is encrypted.

5. Compliance – No matter where the company is operating of, whether it is the primary location or the backup site, they still need to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location. That means whenever something is done to the primary location, it is also done to the backup location.

6. Physical Security – Physical security is just as important as securing the companies data. There are a couple ways to achieve this. The company could invest in a security system to include cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).

References:

An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: https://www.bizjournals.com/memphis/news/2020/03/09/5-steps-to-creating-a-backup-and-disaster-recovery.html

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies

DEF CON was this past weekend and I started wondering about how it started and when. So, I decided this would be an awesome topic, although I wish I had the idea before last weeks blog went out. 

Now, I do not know about anyone else, but I have always wondered not only how DEC CON originated, and also how the name originated. As you will discover below, it is quite interesting.

It turns out that the name did not originate where I thought it did. With a 20 career in the Air Force, it was my impression that DEF CON was taken from the term for Defense Readiness Condition. While this is accurate and was the inspiration due to the 1980’s movie called “Wargames”. The basic premise of this movie is that a young kid connects to a government system that controls the United States nuclear arsenal. If I had to guess, I would say that it is probably the original hacking movie, but I digress a little bit. It turns out that in the current context, DEF derives from the number three key on a telephone and the CON derives from the world conference. Interesting side note, the official spelling is DEF CON.