Cybersecurity Central | Refining the Human Connection | 501c3 Nonprofit

BLOG BY CC

Cybersecurity Central is excited to share our insights in Blog by CC posts around what our team is learning, thinking, and discovering in their infosec journeys. Join us every Wednesday!


#cybersecuritycentral #diversityofthought #blogbycc

SEP 21, 2022

Cybersecurity Workforce Framework - NIST & NICE

by James Driscoll

September 21, 2022

Let's begin with a typical conversation between someone in Cybersecurity and someone wanting to break into the industry. New person: “I want to get into Cybersecurity, but do not know where to start.” Cybersecurity professional: “What part of Cybersecurity do you want to get into?” New person: “I do not know.”


Does this sound familiar? It should because I am willing to bet that most if not all of us have either initiated or been a party to this very type of conversation. How do we respond when a new person says, “I do not know”, when asked what part of Cybersecurity they want to get into? Luckily, NIST has us covered. They created the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.


The NIST NICE Framework, also known as NIST SP 800-181, was created in 2017 to deconstruct the Cybersecurity realm into 52 roles. It also acts as a foundational reference that provides baseline information regarding the knowledge, skills, and abilities (KSAs) for these roles. It was updated to Rev. 1 in November 2020 (Newhouse, Keith, Scribner, & Witte, 2017).


One thing that I like about this framework is that it is easy to read. It is logically laid out. Now, as with any other framework, NIST 800-181 is full of acronyms; however, the first time one is used it is spelled out, which alleviates some confusion for people reading it. Another aspect of it I like is that it spells out not only who the audience is, but how it is going to support them. For example, NIST 800-181 is designed for everyone, but for employers, there are five aspects that will help them basically write a job description for a particular role. It also describes how it supports current and aspiring employees. Finally, it discusses support for educators, trainers, and technology providers (Newhouse, Keith, Scribner, & Witte, 2017).


So, everyone might be wondering what part of NIST 800-181 we refer a new person to when they answer that they do not know what part of Cybersecurity they want to get into. Well, there is a table in Attachment A3. Specifically, they want to look at the Work Role, which is in the middle of the table, and the Role Description, which is on the far right of the table (Newhouse, Keith, Scribner, & Witte, 2017). One thing to keep in mind is that while, as stated earlier, the NICE Framework identifies 52 roles, that does not mean that individual organizational positions are going to be identified the same way. This may cause some confusion. The best idea that I can think of to alleviate that confusion is to compare the role description in the NICE Framework with the job description in the job ad.


In addition to the identified roles, the NICE Framework also breaks down those roles and identifies the applicable tasks, knowledge, skills, and abilities (KSAs) required for each specific role. This is in Appendix B. I must warn everyone, this table uses a lot of codes to identify the tasks and KSAs. The task and KSA codes and their definitions are in Appendix A. That means there is going to be a lot of going back and forth between the two Appendices.


Now, if you remember from earlier, I said that the NICE Framework is designed to be used by everyone, not just people trying to decide on what part of Cybersecurity to get into. For example, organizations can use Appendices A and B when they are creating job advertisements. Also, managers can use those same appendices when deciding on employee training.


So, if there is one NIST Framework that I think everyone must read, it would be NIST 800-181. It has information applicable to everyone. For new people wanting to break into the Cybersecurity industry, it breaks down the industry into 52 roles, which can assist them in deciding what part of Cybersecurity they want to get into. For HR, it has a listing of KSAs for those specific roles, which will help them in creating accurate job listings for open positions. Finally, for trainers, NIST 800-181 can be used as a resource when creating training programs, courses, seminars, exercises, and challenges, since these can be based on role-specific tasks and their associated KSAs.


References

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017, August). NIST Special Publication 800-181. Retrieved from National Institute of Standards and Technology: https://doi.org/10.6028/NIST.SP.800-181


Staying Safe in the Digital World

by Eula Chua

September 21 2022

Not many realize it, but the need for cybersecurity has increased in today’s time and will continue to increase as technology progresses.


Earlier this week, I encountered an elderly client who told me that he did not want to give out his email address unless it was absolutely necessary. This led him to share a deepfake AI incident he heard about, where another elderly person was lured into believing that the service provider she was communicating with was the “actual” service provider, when in fact it was a scam. She lost thousands of dollars and had a lack of support. It was devastating to hear but even more devastating to know that incidents like this happen daily without us even knowing.


I decided to pursue the path of cybersecurity in early spring of this year. It has become more and more evident to me how important it is to implement it on every level, from your personal devices and home networks to small and medium-sized businesses, large corporations, and industrial control systems, and to create awareness designed differently for each age group.


As the quote goes, “Your internal reality becomes your external reality.” (Unknown). This applies everywhere, even in the cyber world. If the internal systems are flawed or compromised, it might show as a data breach, a business closure, or financial loss.


If you haven't been keeping up with Simply Cyber’s Daily Cyber News Brief every weekday, you are missing out! First of all, the community never has a dull moment; second, there is always something happening in the digital world that we don’t hear about on mainstream news. Technology changes every day. Being informed about what is happening is an effective way to learn how to prevent ourselves from getting compromised.


As we approach Cybersecurity Awareness Month in October, below are some great resources to better prepare ourselves and help protect one another from online incidents:

Cybersecurity Central is proud to be an official 2022 Cybersecurity Awareness Month Champion organization with National Cybersecurity Alliance.


There’s no better time to start than now. Stay safe, stay aware, and stay secure.


SEP 7, 2022

Offline vs. Online Identities

by Eula Chua

September 14, 2022

Did you know you have two identities? Well technically, it’s two parts of your identity. Don’t worry, I didn’t either but it turns out that the identity we normally refer to is only one half of what we have. Many forget that our digital identity counts and is as important as our real-life identity.

Let’s call them: offline and online. So, what’s the difference?

Our offline identity is what we mostly refer to. It is who we are, our real-life personas, and how others know us. This is the identity we use at home, at work, or at school. The offline identity includes personal details of our life that even our friends and family might know, such as our full name, date of birth, age, address, and even our favourite colours.

Our online identity is the digital identity that we carry, which indicates who we are and how we present ourselves. This is our online persona. This can include our usernames, emails, or aliases for our accounts. The moment we are active on the web is the moment our online identity is established, regardless of whether we create an account online or not.

It’s important to keep in mind that both identities should be secured as each one comes with different risks. Even if one is more secure, this could still pose a risk to the other as both offline and online identities can be entryways or an attack surface.

What preventive measures can we take to protect our offline and online identities?

Awareness is key. Let’s first look into social engineering.

Social engineering attacks are a common way to gain information using social tactics. As we will look into the specifics of social engineering attacks in the future, for this topic, we will focus on shoulder surfing.

Shoulder surfing is a type of social engineering attack where someone casually observes over the shoulder of another person to gain unauthorized information. This is a simple technique used for gathering sensitive information, such as credentials, or for monetary gain, and it is often committed in office environments.

Check out some practical ways to prevent shoulder surfing:

  • Position screen monitors in a way where other unauthorized personnel are unable to see them (away from windows, counters, or open spaces)

  • Adjust the screen brightness or use a screen filter that is attachable to the monitor to restrict the visibility of the screen to surrounding bodies


Additional steps we can take are to avoid using the things in the list below, to help protect our identity:


  • Personal information in our usernames or passwords

  • Full name, if not required

  • Parts of our address and phone number

  • The same username and password combinations, especially for our financial accounts

  • Super-odd usernames reused over again for other accounts – this can be easy to track

  • Usernames with password clues or consecutive patterns, for example: having a series of numbers and letters, including the first-part of two-part phrases


Now that we know that our identity is split into two parts, let’s make sure we protect both identities as best as we can. Help us spread awareness by sharing our blog to your network!

To learn more about your digital identity, check out the references below.

References:

Digital identity for individuals. (2017). NIST. https://www.nist.gov/itl/applied-cybersecurity/tig/digital-identity-individuals

Gibson, D. (2020). CompTIA Security+: Get Certified Get Ahead SY0-601 Study Guide. YCDA, LLC.

Introduction to Cybersecurity. (2018, January 22). Networking Academy. https://www.netacad.com/courses/cybersecurity/introduction-cybersecurity

Compliance Frameworks

by James Driscoll

September 14, 2022

While studying for my CompTIA CySA+ examination I came across several regulatory frameworks. So, I thought it would be a good idea to create a blog to briefly discuss each one. The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; and finally, the Family Educational Rights and Privacy Act (FERPA).

The first framework I will cover is HIPAA. HIPAA became a law back in 1996 and was designed to facilitate employees changing jobs to take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

The second framework is PCI DSS. The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

The third framework is the GLBA. This standard is applicable to the banking industry. The basic premise is that all financial institutions have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

The fourth framework is the SOX Act. This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors. It is named for the two members of Congress who sponsored it, Senator Paul S. Sarbanes and Representative Michael G. Oxley (Kenton, 2022).

The last framework to be covered is FERPA. This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose. 1) It returns control of educational records to the parents or to adult students. 2) It requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).

References:

Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex.

Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html

Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

HIPAA History. (n.d.). Retrieved from HIPAA Journal: https://www.hipaajournal.com/hipaa-history/

Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp

Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20

SEP 7, 2022

What's Happening in Tech & InfoSec? How To Stay (Somewhat) Up-to-Date with Podcasts

by Kimberly McKnight

September 9, 2022

One of the reasons I've made so many connections is tuning into livestreams, attending webinars, and listening to podcasts, then reaching out to those who inspire me and making a personal connection. It's also how I am able to (somewhat) stay up-to-date on infosec news and events.


For today's blog, I wanted to cover podcasts. This is the next section to be built out on the resources page, but to align with the resources already on our site, I want to provide you with the foundations. One topic that isn't highlighted yet on the CC Resources page is podcasts. Podcasts are critical to staying current on what's happening in the worlds of tech and cyber.


Below are some of what I feel are must listen podcasts. Some are daily, others weekly, or even monthly. How do I find time to listen and keep up? Full transparency, I don't get to keep up with all of them all the time, but I definitely find time to listen in the morning, a little during the day, a lot at night, and even small doses on the weekends. I enjoy mixing podcasts that aren't all technical and also include the human side of things:



Please note: The podcast list above is only a quick snapshot. There are many more I've listened to and recommend, and will include in the CC Resources page in the future, as well.


One of the primary reasons I named this nonprofit foundation Cybersecurity Central was because I want it to be a resource to those who desire to learn more about where to learn more about all things cybersecurity. Cybersecurity Central has a newly released resources page, but there are many topics still to be added from the lists I've accumulated over the past 2 years, researching and discovering where some of the most applicable, engaging, and trustworthy resources are. Feel free to check out the CC Resources page for a flavor of the absolute essentials everyone should check out. Be sure to bookmark and check back regularly for new resources. I have TONS of resources still to share, but building it out one by one is super tedious, bear with me. ;)

If you haven't already, be sure to check out Cybersecurity Central’s YouTube channel.

And while you are there, please subscribe, like, and share with your network if you found some value. Take care and thanks as always for the continued support for Cybersecurity Central!


Common Attacks on Public Wi-Fi

by Eula Chua

September 7, 2022

From an end user’s perspective, it can be exciting when we find that free Wi-Fi is available. Unfortunately, “free” does not always mean it’s safe to use. In today’s blog, we will bridge from last week’s blog topic, Public Wi-Fi is Not Your Friend, and highlight some of the risks of using public Wi-Fi.


Although there are many risks that can occur, we will focus on the following three common attacks:


  • Identity Theft

  • Man-In-The-Middle Attack (aka On-Path Attack)

  • Session Hijacking


Identity Theft

We often use our identity to verify who we truly are in order to open or access important accounts like our bank accounts. It is crucial that we keep our personal information safe and protected to prevent others from stealing it. This is what identity theft is – when someone steals your personal information such as your name, address, credit card information, social security number, health insurance number and more. Those who attempt to steal this sensitive information often use it to commit identity fraud for financial gain. To prevent identity theft from occurring, especially on public Wi-Fi, avoid visiting websites where you’re required to fill in your personal information or bank login credentials.


On-Path Attack/Man-In-The-Middle Attack

With an open connection, there can be an influx of network packets traveling within that network, all coming from different devices. This is susceptible to an on-path attack, where a different, and possibly malicious, computer can intercept the connection between two other computers within the same network. This is a form of active eavesdropping. Be aware that any unusual activity, such as large amounts of data transfer occurring over public Wi-Fi, may possibly indicate an on-path attack. For prevention, it is recommended that devices be equipped with anti-malware software, firewalls, and intrusion detection systems. As with any device, ensure that strong passwords are always used and that software is regularly patched and updated.


Session Hijacking

Session hijacking is similar to the on-path attack. The goal is to either steal personal information, execute a denial-of-service attack, or infect a system with malware. Rather than intercepting between two computers, the malicious hacker intercepts a connection between the computer and the server of a website by recording your session ID. Session IDs may be attached to links or requests that are sent to the websites you visit. Active, passive, and hybrid are the three different types of session hijacking attacks, each conducted with different techniques. To prevent this, avoid clicking links you’re unsure about, make sure to log out of your accounts at the end of each session to terminate it, install a firewall and anti-virus software on your device, ensure that the websites you visit are secured, with URLs beginning with “HTTPS”, and last but not least, use a VPN (virtual private network). Using a VPN will make it more difficult for hackers to intercept traffic.
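The two exposures described above, a session ID carried in a link and a session travelling over plain HTTP, are things a site owner can spot in their own access logs. The following is an added example, not code from the post or from Cybersecurity Central: it scans constructed log lines for those exposures and redacts any token before the finding is stored. The log layout and the session parameter names are assumptions for this demonstration.

```python
"""Added example: find session-ID exposures in constructed web-server access logs.

Assumptions (not from the original post):
  - each log line reads "<client_ip> <scheme> <method> <url> <status>"
  - parameter names in SESSION_PARAM_NAMES are what this site uses for sessions
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that carry a session identifier (assumed for this example).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid"}

# Constructed log format; a real server's format would need its own pattern.
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<scheme>https?) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: one session ID in a link over HTTPS, one over plain
# HTTP, one login form posted over plain HTTP, one harmless request, one junk line.
SAMPLE_LOG = [
    "203.0.113.10 https GET /account?sessionid=ab12cd34ef56 200",
    "203.0.113.11 https GET /help 200",
    "203.0.113.12 http GET /account?sid=deadbeef 200",
    "203.0.113.13 http POST /login 302",
    "not a log line",
]


def session_params_in_url(url):
    """Return the sorted names of query parameters that look like session IDs."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SESSION_PARAM_NAMES})


def redact_url(url):
    """Replace the value of every session-looking parameter with 'REDACTED'.

    A finding that repeats the live token would itself be a leak, so the
    recorded URL never contains it.
    """
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SESSION_PARAM_NAMES else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def find_session_exposures(lines):
    """Scan log lines and return one finding dict per exposure.

    Reasons reported:
      - "session id in URL": the ID rides in the link, so it lands in browser
        history, referrer headers and proxy logs (the post's "attached to links")
      - "session id over plain HTTP": readable by anyone on the same network
      - "form POST over plain HTTP": credentials submitted unencrypted
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or unrelated line: skip rather than crash
        names = session_params_in_url(m["url"])
        safe_url = redact_url(m["url"])
        if names:
            findings.append({"ip": m["ip"], "reason": "session id in URL",
                             "params": names, "url": safe_url})
        if m["scheme"] == "http" and names:
            findings.append({"ip": m["ip"], "reason": "session id over plain HTTP",
                             "params": names, "url": safe_url})
        if m["scheme"] == "http" and m["method"] == "POST":
            findings.append({"ip": m["ip"], "reason": "form POST over plain HTTP",
                             "params": [], "url": safe_url})
    return findings


if __name__ == "__main__":
    for f in find_session_exposures(SAMPLE_LOG):
        print(f"{f['ip']:>14}  {f['reason']:<28} {f['url']}")
```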


In Conclusion


There are many other threats out there that need to be covered, but we will need to take things one step at a time. The more devices we hold, the more points of entry we have open. Cybersecurity attacks and breaches happen quite frequently, and the scary part is that we might not even know it’s happening until it reaches the news. Prevention is one of the best ways to protect ourselves and our systems from any attack. We don’t always know how to prevent an attack unless we know what we are preventing. This is why cybersecurity awareness is crucial to all users. We hope that we can continue to bring you more cybersecurity awareness content here at Cybersecurity Central to help you stay protected online.


AUG 31, 2022

The Computer Fraud and Abuse Act (CFAA)

by James Driscoll

August 31, 2022

We see news stories almost daily of threat actors hacking into an organization's computer network and either taking the data or encrypting it unless said organization pays a ransom. Now, we all know that this is illegal, but do we know why it is illegal? The answer lies within 18 U.S. Code 1030, also known as the Computer Fraud and Abuse Act (CFAA), which became law in 1986. This blog will discuss the specifics of the CFAA, what led to its passing, and the most recent updates.


History of CFAA

The CFAA got its start as part of another statute called the Comprehensive Crime Act of 1984. There was a part of this act that made the following two activities related to computers illegal. 1) Gaining unauthorized access to a computer. 2) Having access to a computer but accessing areas that are not authorized (CFAA Background, 2022). Basically, this is privilege escalation.


Now for someone to be charged under the Comprehensive Crime Act because of hacking, the victims were limited to government interests. More specifically the actions had to involve one of three scenarios. 1) Accessing information vital to national security. 2) Gaining access to personal financial records. 3) Gaining unauthorized access to government computers (CFAA Background, 2022).


Let's skip ahead to 1986. This is when the provisions of the Comprehensive Crime Act of 1984 related to computer crime officially became 18 U.S. Code 1030, The Computer Fraud and Abuse Act (CFAA). This separation facilitated the addition of three more prohibitions:

  1. Gaining unauthorized access with intent to defraud (CFAA Background, 2022). Now, you will notice that gaining unauthorized access is the same as in the Comprehensive Crime Act. The addition is the intent to defraud. So, the bottom line for this prohibition is gaining unauthorized access with the intent of illegally receiving money from an organization through deception.

  2. Gaining unauthorized access, same as before, but adding to that the threat actor changes the data in some way that it affects the Confidentiality, Integrity, and Availability (CIA triad) of that data.

  3. The addition of prohibiting trafficking in computer passwords (CFAA Background, 2022).


Now, in addition to what was mentioned above, let's see what else is in the CFAA. There are also punishments defined in this document. These punishments are defined by the type of offense. In addition, the CFAA dictates who (depending on the offense) will investigate. It will either be the Federal Bureau of Investigation (FBI) or the United States Secret Service. Finally, there are definitions of certain terms at the end of the document (18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers, n.d.).


2022 Update

Over the years, the CFAA has been updated numerous times. The most recent update was in May 2022. Basically, what this update affirms is that “good-faith security research should not be charged” (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022). This update goes on to define good-faith security research, but essentially it means hacking into a network (with the owner’s permission) to test for vulnerabilities so they can be mitigated, thus protecting the CIA Triad of that network (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).


Conclusion

I highly recommend at least scanning over it. I think it is an interesting read, of course I am a bit of a nerd so I may be a little biased. Nonetheless, it is important to be at least familiar with applicable laws, especially if anyone is wanting to get into penetration testing. This way you will have an idea of how far you can go without breaking the law, because I will tell you as someone with a criminal justice degree, claiming ignorance of the law is not a defense.


References:

18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from cornell.edu: https://www.law.cornell.edu/uscode/text/18/1030

CFAA Background. (2022, July 14). Retrieved from NACDL: https://www.nacdl.org/Content/CFAABackground

Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act. (2022, May 19). Retrieved from Justice.gov: https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act


Public Wi-Fi is Not Your Friend

by Eula Chua

August 31, 2022

I have been deceived and probably, so have you.

There was a time in life when my friends and I would get excited when Wi-Fi became publicly accessible in certain coffee shops, restaurants, airports, and libraries. This meant that we didn’t have to spend extra money to pay for cellular data overages.

We would instantly connect wherever public Wi-Fi was available as if we had hit the jackpot. Okay, maybe that’s a little exaggerated. But it defined the quote, “the best things in life are free.”

Although that quote does not exactly hold true; it should have been, “the free things in life come with consequences.” Here is where convenience versus security comes to mind.

Public Wi-Fi is not our friend. Connecting to it puts ourselves at potential risk. At your discretion, you can use it when it comes to desperate measures but if it’s possible, avoid it at all costs.

I’ll tell you why.

There are probably hundreds of people passing by the same location as you. This means with these hotspots, any one of these people can connect. This also means any one of these people may be a cyber criminal.

Another point to think about is how the public Wi-Fi was configured. Was it properly secured? Are you able to gain access to the network as an admin? Maybe they didn’t change the default settings on their router.

Here are a few risks that may be encountered through using public Wi-Fi:


  • Identity Theft

  • Data Breach

  • Man-in-The-Middle Attack (aka On-path attack)

  • Eavesdropping/Packet Sniffing

  • Session hijacking

  • Unencrypted connections

  • Malware distribution


We will go over each one of these in a future post. But for now, what can we do to protect ourselves and mitigate the risks that we can control?


Here is a list compiled by Get Cyber Safe, a Canadian national public awareness campaign:


  • Turn off the Wi-Fi on your device in a public Wi-Fi zone if you’re not connected to the Internet

  • Ensure that a firewall is enabled

  • Be careful what you browse and avoid visiting websites that contain sensitive information

  • Use a VPN (virtual private network) that encrypts data and allows you to browse under a secure network

  • Be wary of shoulder surfers that may be watching your screen

  • Ensure that websites you visit are using HTTPS, not HTTP


Do you have other recommendations, tips, or tricks on how to protect ourselves online? Visit us on social and let us know!


Below are some great resources and studies to check out regarding public Wi-Fi:


  • (PDF) Why do people use unsecure public Wi-Fi? An investigation of behaviour and factors driving decisions

  • Public Wi-Fi - Get Cyber Safe

  • https://irjhis.com/paper/IRJHISIC2203054.pdf


Until next time, stay safe out there… and online!


AUG 24, 2022

Let’s Talk About Phishing

by Eula Chua

August 24, 2022

Did you know there are different kinds of phishing attacks that exist? First, let’s define what phishing means.

According to Phishing.org, phishing is “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”

Phishing is one of the most common ways for cyber attackers to target people online via email. Many times, this type of attack is used on specific groups of people or high-profile individuals to gain personal information and most of the time, for financial gains.

As phishing continues to adapt, cyber attackers have found other communicative pathways to trick users into providing information. Some examples are voice messages, SMS text messages, and phishing through search engines. There are multiple ways in which phishing techniques are conducted; however, in today’s blog, we will be focusing on the different types: email phishing, vishing, smishing, spearphishing, and whaling.


Email phishing

When we hear phishing, we automatically think of email phishing. That’s because it is the most common technique used to conduct a phishing attack. If you check your spam/junk folder in your inbox right now, you might notice emails coming from unknown email addresses with odd subject lines. There could also be emails coming from people you think you know. Beware that the purpose of phishing is to trick users into revealing personal information and believing that the sender or organization is legitimate. How is this conducted? Usually, phishing attacks that are done through email contain links that lead to a malicious website that appears legitimate. These websites could either load a trojan or present a page that prompts you to enter your credentials. Other emails could contain malicious attachments.


Vishing aka. Voice phishing

Vishing is a combination of “voice” and “phishing”. This occurs when a “phisher” utilizes a phone system to lure their targets into providing their personal information or credentials, mainly for financial gain. VoIP (Voice over IP) technology is often used for these attacks because it’s easier for the attacker to pretend that they are from an actual known company, by spoofing their caller ID.


Smishing aka. SMS phishing

“SMS” and “phishing” make up the term “Smishing”. Rather than it being done through email, phishing is done via text message. With the same purpose of gaining personal or financial information from a target, malicious links and attachments can also be sent through text. Smishing can also be used to obtain verification codes if the target’s phone is used for multi-factor authentication for their credentials.


Spearphishing vs. Whaling

If you get these two terms mixed up, you are not alone. Let’s go over the main differences.

Spearphishing is a specific type of phishing in which an attack is conducted on a particular person or specific groups of users, most often within an organization.

Whaling is a specific type of spearphishing, where a high-level executive is either the victim or the one being impersonated.

There are so many different ways a phishing attack can be done. End-user security awareness is crucial to our online safety and privacy, as phishing attempts occur every minute of every day.


As end-users, how can we do our part to prevent these phishing attacks from progressing?


  • First and foremost, staying informed about these types of attacks helps bring awareness. Being knowledgeable of what we are up against will help us find methods of preventing these attacks from surfacing.

  • Stay curious and think before you click. If you do not know the sender or cannot see why they would be emailing you, do not click the link. If you think you know the sender but are not sure why they would send you an attachment, contact them directly by phone, using a number you already have rather than one given in the email, and confirm that they actually sent it.

  • Never give out personal or financial information to people you don’t know over the internet and especially through email.

  • Double check where the link really goes. Hover your mouse over it (do not click) and read the URL shown in the status bar; on a phone, press and hold the link to preview it. Look at the actual domain, not the text of the link, and be suspicious of a familiar name buried inside a longer, unfamiliar domain.

  • Checking that the address starts with “HTTPS” and shows a padlock is worth doing, but it only tells you the connection is encrypted. It does not tell you who is on the other end: phishing sites routinely have valid certificates and show the same padlock, so HTTPS is a minimum requirement, not proof that a site is legitimate.

  • Do not trust pop-ups. They can be disguised as part of the website you intended to visit. If you are not sure what a pop-up is asking for, close it immediately.

  • Use anti-virus software or enable a spam filter that helps block malicious emails and websites.
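The "hover and read the URL" advice above can be written down as a check. The following is an added example for this post, not code from the original article: it takes the visible link text and the real destination and reports the warning signs a careful reader would look for (a username before an `@` that hides the real host, a trusted brand used as a subdomain of an unrelated domain, a raw IP address, a punycode look-alike, and link text that shows one site while the link goes to another). The trusted-domain list, the two-entry public-suffix shortcut and the sample links are constructed for the demo; a real checker would use the full Public Suffix List.

```python
"""Inspect a link before clicking, the way the "hover over it" advice asks.

Added example for this post, not code from the original article. The trusted
domain list, the public-suffix shortcut and the sample links are constructed
for the demo (assumptions); a real checker would use the full Public Suffix List.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user actually logs in to (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "microsoft.com"}

# Two-label public suffixes the toy registrable-domain logic knows about.
# The real list (publicsuffix.org) has thousands of entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Part of a hostname somebody actually registers: 'evil.example' for
    'microsoft.com.evil.example'. Everything to the left of it is a subdomain
    that the registrant can name anything they like."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_in_text(text):
    """Hostname shown in the visible link text, if the text looks like a URL."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "https://" + t
    return (urlsplit(t).hostname or "").lower() or None


def inspect_link(display_text, href):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # 'https://microsoft.com@evil.example/': the browser goes to evil.example
        findings.append("text before '@' is a username, real host is %r" % host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible look-alike (homograph) domain")

    if is_ip_literal(host):
        findings.append("raw IP address instead of a hostname")
        target = host
    else:
        target = registrable_domain(host)
        if target not in TRUSTED_DOMAINS:
            for trusted in TRUSTED_DOMAINS:
                # trusted name used as a subdomain label, e.g. microsoft.com.evil.example
                if ("." + trusted + ".") in ("." + host + "."):
                    findings.append("%r appears inside untrusted domain %r" % (trusted, target))
                    break
            else:
                findings.append("%r is not a site you use" % target)

    shown = domain_in_text(display_text)
    if shown and registrable_domain(shown) != target:
        findings.append("link text shows %r but the link goes to %r" % (shown, host))
    return findings


if __name__ == "__main__":
    samples = [  # constructed examples
        ("https://www.microsoft.com/account", "https://www.microsoft.com/account"),
        ("Verify your account", "https://microsoft.com.login-verify.example/"),
        ("https://example-bank.com", "https://example-bank.com@evil.example/login"),
        ("example-bank.com", "http://192.168.1.10/login"),
    ]
    for text, link in samples:
        print(link, "->", inspect_link(text, link) or "no findings")
```

The registrable-domain step is the one that matters most: `microsoft.com.login-verify.example` is owned by whoever registered `login-verify.example`, and a browser's address bar shows exactly this host, so the habit to build is reading the domain from the right-hand end.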


If you would like to learn more about phishing, here are some great resources to visit:

- https://www.getcybersafe.gc.ca/en/blogs/phishing-introduction

- https://phishing.org

- https://www.microsoft.com/en-ca/security/business/security-101/what-is-phishing

- https://cybersecurityguide.org/resources/phishing/

- https://www.phishprotection.com/resources/what-is-phishing/

Why Every Organization Needs a Disaster Recovery / Business Continuity Plan

by James Driscoll

August 24, 2022

Disasters, whether natural or man-made, are inevitable. Every company, no matter its size or location, is going to experience one. How quickly it recovers, if at all, depends on whether it has a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that experience a disaster without a BC / DRP close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).


For a BC / DR plan to be successful the following five steps should be taken:


1. Be proactive with planning – Create a list of every conceivable disaster. Imagination is the only limiting factor, provided the disaster is actually conceivable for the location. For example, a company in North Dakota does not need to plan for a hurricane.

2. Identify the organization's critical functions and infrastructure – This is when the company conducts a business impact analysis, which serves two purposes. First, critical functions are identified. Second, the company can make educated guesses about the likely causes of disruption and the repercussions of each.

3. Create emergency response policies and procedures – This is the meat and potatoes of the process: creating the BC / DR plan based on the information from steps one and two, while also considering any applicable government regulations.

4. Document the backup and restoration process – Write down the procedures for backing up the company's data before a disaster and for restoring it during the recovery phase afterwards. Recovery should be rehearsed from those written procedures; a backup that has never been restored is an untested assumption.

5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing it comes in. Testing a plan makes the employees familiar with it which results in them being able to respond quicker. This is paramount in a disaster where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).


When creating the BC plan, one of the main things to consider is the backup location. This location may have its own risks from disasters that need to be anticipated. Six items that need to be considered when choosing a backup location include:


1. Natural Disaster – If the backup location is close to the primary location, the company could face a disaster within the disaster, with both sites taken offline by the same event. The mitigation, where feasible, is to pick a location further away.

2. Infrastructure Disruption – This is the result of damage to infrastructure, for example loss of power or road closures. The mitigation for loss of power is to invest in backup generators. The mitigation for road closures is a backup location that can be reached via multiple routes, or one close enough to where employees live that they could walk to the site.

3. Human Error – Humans are not psychic; we need to be given information. A company may have the best BC / DR plan ever created, but if the employees know nothing about it, it is worthless. The mitigation is communication.

4. Cyber Attack – Customers' information must stay protected while it is being transferred to the backup site and while it sits there. This is mitigated by keeping devices at the backup location patched and updated, running anti-virus, and encrypting the data both in transit and at rest. Backups are also a target in their own right, so access to them should be kept separate from access to the primary systems.

5. Compliance – No matter where the company is operating from, whether the primary location or the backup site, it still needs to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location: whenever a control is applied to the primary location, it is also applied to the backup location.

6. Physical Security – Physical security is just as important as securing the company's data. There are a couple of ways to achieve this. The company could invest in a security system including cameras. Another is to hire security guards to monitor the building (Sampera, 2020).


References:

An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: https://www.bizjournals.com/memphis/news/2020/03/09/5-steps-to-creating-a-backup-and-disaster-recovery.html

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies

AUG 17, 2022

DEF CON: The Beginning

by James Driscoll

August 17, 2022

DEF CON was this past weekend and I started wondering about how it started and when. So, I decided this would be an awesome topic, although I wish I had the idea before last week's blog went out.


Now, I do not know about anyone else, but I have always wondered not only how DEF CON originated, but also how the name originated. As you will discover below, it is quite interesting.


It turns out that the name did not originate where I thought it did. With a 20-year career in the Air Force, it was my impression that DEF CON was taken from the term Defense Readiness Condition. That is accurate, and the inspiration was the 1983 movie “WarGames”. The basic premise of the movie is that a young kid connects to a government system that controls the United States nuclear arsenal. If I had to guess, I would say it is probably the original hacking movie, but I digress. In the conference's name, though, DEF comes from the letters on the number three key of a telephone keypad and CON from the word conference. Interesting side note: the official spelling is DEF CON, with a space.


So, why was DEF CON started? It was not envisioned to be the exhibition that we have today. In fact, the origin is mundane. In 1993 a gentleman by the name of Jeff Moss, had a friend that was moving away. Being a good friend, Jeff wanted to give his friend a good send off, so he organized a going away party. Well, in an unfortunate circumstance, the friend moved before this party. So, not wanting to cancel this party and wanting to honor his friend, he asked all his hacker friends to make a trip to Las Vegas to party. Thus, DEF CON was born. There were approximately 100 people in attendance.


As mentioned above, this was originally supposed to be a going-away party, so it would have been a one-time event. However, everyone had such a great time that they convinced Jeff to host it again in 1994. Reluctantly he agreed, and at least 200 people attended the 2nd DEF CON. With each new DEF CON, the number of attendees consistently grew. DEF CON 27, held in 2019, had approximately 30,000 attendees.


Another interesting bit of information that I did not know is that in 2018 a DEF CON event was held in China. It was meant to be the first of a series, but due to the COVID-19 pandemic it remains the only DEF CON event ever held outside the United States.

Password Management 101

by Eula Chua

August 17, 2022

We’re exposed to an ocean of information, to the point where I can’t even count how many times I’ve seen a post or meme about passwords written on paper notes. It’s second nature to those of us in the technical field to know that this should always be avoided. It only really hits home when we see another person commit the forbidden act. Then it leaves us in shock.


This happened to me the other day. While helping one of the most patient customers I have ever served, I couldn’t help but notice that her passwords were stored on a piece of paper tucked in her wallet. I hadn’t realized.


You may ask why I’m bringing up this story.

It’s always been a battle between convenience and security.


We’re in a day and age where we have to create multiple accounts for multiple online services and platforms. When it comes to passwords/passphrases, it’s easier for us to write them down on a piece of paper or create a password we can easily memorize. When it comes to convenience, time is valuable and although we want things quick and ready to use, security is on the line. When it comes to security, there are so many steps we need to comply with. How can we find the balance between convenience and security?


Although it may take time before we get to that point, let’s take charge of what we have control of today. As end-users, we are the first line of defense. A big focus we can work on is practicing proper password hygiene.


Before we go and start changing passwords right away, let’s take a moment to reflect on these questions:


  • Have I been writing down my passwords on paper or on a digital note?

  • Am I using a password manager?

  • Are my passwords all the same?

  • Did I use personal information as my password or a part of my password, such as my date of birth, my pet’s name, my favourite colour etc.?

  • Do I have a mix of characters, numbers, and symbols in my password?

  • How long is my password?

  • Am I using multi-factor authentication in my accounts?


Have these questions got you thinking about your current passwords? If so, don’t worry. You are not alone. It may seem overwhelming to have to change every password for every single account. Know that it will take time. Something that has worked for me is utilizing a password manager to keep track of all my accounts and passwords. Whenever I come across an account I have to log in to, I would add it to the password manager, reset my password, and store it.


Before I continue, you may ask, “How does a password manager work?”


Essentially, a password manager keeps your credentials in an encrypted vault. The encryption key is derived from your master password, so the vault is decrypted on your own device and only the encrypted form is ever synced or stored by the provider; without the master password, the stored data is useless to anyone who obtains it. You remember one strong master password instead of hundreds. Combining this with multi-factor authentication on the manager itself makes it even more secure. Password managers are one of the safest and most secure tools you can use, and because the manager can generate long random passwords for you, there is no longer a reason for any account to have a weak or reused one. The complexity requirements below still apply, especially to the master password, which is the one you have to choose and remember yourself.


“What are the complex password requirements we should follow to ensure that they are harder to figure out?”


Some common ones, which you may have also read when creating passwords for new accounts are:


  • Contains lowercase characters

  • Contains uppercase characters

  • Contains digits (0-9) and symbols (~!@#$%^&*...)

  • Having a length of 12-24 characters

  • No common names or dictionary words

  • Use passphrases rather than passwords

  • No sequences of more than 4 digits in a row

  • No previously used passwords
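The rules above are easy to state and easy to get subtly wrong, so here they are as a checker, together with a generator that draws from the operating system's CSPRNG until the result passes every rule, and an entropy calculation that shows what the length rule actually buys. This is an added example for this post, not code from the original article or from any of the password managers mentioned. The symbol set, the tiny common-word list and the previously-used set are constructed for the demo; a real check would use a large breached-password list.

```python
"""Check a password against the complexity rules above and generate one that passes.

Added example for this post, not code from the original article. The symbol
set, the small common-word list and the previous-password set are constructed
for the demo (assumptions); a real check would use a large breached-password list.
"""
import math
import re
import secrets
import string

SYMBOLS = "~!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 89 characters

# Constructed stand-in for a dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "summer", "admin", "dragon"}


def check_password(pw, previous=()):
    """Return the rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if not 12 <= len(pw) <= 24:
        problems.append("length must be 12-24 characters")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("needs a symbol")
    if re.search(r"\d{5,}", pw):
        problems.append("more than 4 digits in a row")
    lowered = pw.lower()
    hits = [w for w in COMMON_WORDS if w in lowered]
    if hits:
        problems.append("contains common word(s): " + ", ".join(sorted(hits)))
    if pw in previous:
        problems.append("previously used")
    return problems


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length=16):
    """Draw from the OS CSPRNG (secrets, never random) until every rule is satisfied."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password123", "Summer2022!!!", "Correct-Horse-42"):
        print(candidate, "->", check_password(candidate) or "ok")
    pw = generate_password()
    print(pw, "->", check_password(pw) or "ok",
          "%.0f bits" % entropy_bits(len(pw), len(ALPHABET)))
```

Two things worth noticing. Sixteen random characters from this 89-symbol alphabet give about 104 bits of guessing work, while eight lowercase letters give under 40, which is why length is the rule that matters most. And the list's "use passphrases" and "no dictionary words" rules pull in opposite directions: a randomly chosen four-word passphrase gets its strength from length and randomness, so the dictionary check belongs on short human-chosen passwords, not on generated passphrases.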


Now that we have gone over password complexity requirements and a brief introduction to password managers, here are some notable ones you can start with:


Bitwarden (Bitwarden Open Source Password Manager)


  • Works with Windows, MacOS, iOS, Linux, Android, web, browser extensions, command line

  • Open source

  • Has 2FA (two-factor authentication)

  • Offers both a free tier and a paid tier (free tier goes a long way)

  • Unlimited password storage

  • Accessible across multiple devices


LastPass (#1 Password Manager & Vault App with Single-Sign On & MFA Solutions)


  • Supports multiple browsers and platforms

  • Has 2FA

  • Can be used for personal or business purposes

  • Can use a passwordless login

  • Includes dark web monitoring

  • Offers both a free tier and a paid tier (free version does not sync passwords across devices)


1Password (Password Manager for Families, Businesses, Teams | 1Password)


  • Wide variety of browser support

  • Supports 2FA

  • 1GB storage space

  • Shared password feature up to 5 family members

  • Password auditing

  • 14-day free trial and paid tier only


There are lots of options out there so make sure to do more research and find one that suits your needs.


Changing passwords from multiple logins can take up lots of time and can be overwhelming. Remember to start small and change what you can. Over time, you’ll be able to meet the complexity requirements for every password. The most important part to note here is that practicing password hygiene prevents future compromises. Let’s continue to do our part and stay safe online.

AUG 10, 2022

Multi-Factor Authentication: Factors In-depth

by Eula Chua

August 10, 2022

Almost everything on the Internet requires us to sign up for an account, whether it’s creating an email, a social media profile, or even an account for an e-commerce website. Yet so many data breaches and phishing attacks occur often without our knowledge. Check out this article by Nasdaq on skyrocketing data breaches:

Data Breaches Continue to Skyrocket in 2022

What can we do to protect ourselves on our end?

Multi-Factor Authentication (MFA).

Multi-Factor Authentication is an authentication method that verifies the identity of the user logging in to an account using more than one kind of evidence. A username and password are a method on their own, but having only one way to authenticate does not fully prevent unauthorized users from getting in: a password can be phished, guessed, or leaked in a breach. MFA adds extra layers so that a stolen password alone is not enough for an attacker to progress their attack.

There are 7 Factors/Attributes of Authentication that we will delve into:

3 Factors:

- Something you are

- Something you have

- Something you know

4 Attributes:

- Something you do

- Something you exhibit

- Somewhere you are

- Someone you know


1. Something you are

This factor requires information that is you and only “you”. By this, we mean biometrics. This mainly comes in the form of scanning physical traits, such as your face, retina, fingerprint, thumbprint, voice identification, palm, and more. Do you own any Apple devices? If so, biometric scanning is something you might already be familiar with. Think of Face ID and Touch ID.


2. Something you have

This type of authentication factor asks for something a person physically carries or refers to a token key. A token key is a physical device that generates numbers to help identify that the person logging in is (hopefully) authorized. Some other examples are ID smart badges, a physical key, an authentication app on your phone, and common access cards (CACs).

One-time passwords (OTPs) are one of the common security methods used for MFA and are self-explanatory—use the password once and it’s done. The app using the OTP method would automatically generate a new password to use for next time a login is required. Two types of OTP methods are Time-based one-time password (TOTP) and HMAC-based one-time password (HOTP). Here’s a quick comparison.

TOTP

- Time-based/timestep: the temporary password is only valid within a certain amount of time (usually 30-60 seconds)

- Examples: Google Authenticator App, Microsoft Authenticator App, SecureAuth App

HOTP

- Counter-based: the client and server share a counter; each time a code is generated the client's counter moves on by one, and the server advances its own counter when it validates a code (keeping a small look-ahead window for codes that were generated but never submitted)

- HMAC stands for Hash-based Message Authentication Code; HOTP computes an HMAC over the counter with the shared secret and truncates the result to a short numeric code, which is why it is called event-based rather than time-based

- Example: Yubico’s YubiKey
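The comparison above in working code: both algorithms, plus the server-side checks that the description glosses over (a drift window for TOTP so a code typed just after the step boundary still works, a look-ahead window and replay rejection for HOTP, and constant-time comparison). This is an added example for this post, not code from the original article or from any authenticator app. The window sizes are assumptions; the shared secret `12345678901234567890` is the test secret used in RFC 4226 and RFC 6238, so the expected codes can be checked against the RFC tables.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the server-side checks that make
them safe to accept.

Added example for this post, not code from the original article or any
authenticator app. The look-ahead and drift window sizes are assumptions;
the test secret '12345678901234567890' is the one used in both RFCs.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """Counter-based code: HMAC the 8-byte big-endian counter, dynamic-truncate
    to 31 bits, keep the last `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-based code: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every `step` seconds."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits, algo)


def verify_totp(secret, code, at=None, step=30, digits=6, drift=1):
    """Server side. Accept the current step plus `drift` steps either side to
    absorb clock skew and the seconds the user spends typing; compare in
    constant time so response timing does not leak how many digits matched."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - drift, counter + drift + 1)
    )


def verify_hotp(secret, code, stored_counter, look_ahead=10):
    """Server side. The user may have pressed the button without logging in,
    so search a window ahead of the stored counter. Anything below the stored
    counter is a replay and is never accepted. Returns the counter value to
    store next (one past the match) or None on failure."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def secret_from_base32(text):
    """Authenticator apps show the shared secret as base32; decode it to bytes."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = b"12345678901234567890"
    print("HOTP counters 0-2:", [hotp(secret, c) for c in range(3)])
    print("TOTP now:", totp(secret))
```

The thing to take away is how little separates the two methods: TOTP is HOTP with the clock as the counter. That is also why an authenticator app keeps working offline, and why a device whose clock has drifted more than the server's window produces codes that are rejected.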


3. Something you know

This factor refers to something held in memory that can be recalled when required. Examples are personal security questions, a passphrase, or a personal identification number (PIN). The most common example is a password. Passwords are restricted pieces of information that most of us need to remember and retrieve when logging into an account. Using a password as the sole method of authentication is not secure and leaves the account susceptible to compromise. This is where password managers come in. Many people still question the use of password managers, but for the most part they are one of the safest ways to store all your passwords in one place. We’ll talk more about proper password hygiene and password management in future blog posts.


4. Something you do

This is one of four attributes where a physical action is observed. Something is done, a gesture or a touch, in order to gain access or to unlock. A common example for this would be signatures, which can be challenging to reproduce due to the pen movement and its two-dimensional output.


5. Something you exhibit

In most cases, this isn’t commonly included as a factor of authentication but we’ll include it here. This is a specific trigger and response type, similar to “something you are”, to determine whether a response is true or false. An example of this would be a lie detector test.


6. Somewhere you are

This factor uses a person’s location to authenticate a login. In practice the location is inferred from the Internet Protocol (IP) address the login comes from, geolocated to a country or city, and from device signals such as GPS. A Media Access Control (MAC) address identifies a device only on its local network and does not travel across the Internet, so it cannot place a remote login. Some apps and social media platforms (Instagram or Facebook, for example) use this to alert the user when a sign-in attempt comes from an unfamiliar location, so the user can decide whether to reset their password.


7. Someone you know

Similar to “something you know”, this human authentication attribute is an old practice that involves other individuals and a whole lot of trust. An example would be a chain-of-trust arrangement in which people vouch for one another, for instance to get a colleague back into an account when they have lost their token. Here’s a study if you would like to read more about this authentication factor: https://people.csail.mit.edu/rivest/BrainardJuelsRivestSzydloYung-FourthFactorAuthenticationSomebodyYouKnow.pdf


After going through this, you might think that implementing MFA is intimidating, but in reality it’s the total opposite. Most companies already have it implemented on their platform; all that is needed is for you to turn it on. Next time you log in to any of your accounts, check the privacy and security settings to see whether MFA is offered. It can come in the form of an authenticator app (recommended), an SMS text message, a voice call, or e-mail verification. If you notice that one of your accounts does not offer MFA, consider suggesting it to that platform’s customer support or connect with the IT team of your organization. As end-users, we have a big responsibility when it comes to protecting ourselves online. Starting with multi-factor authentication is a big step in preventing compromised accounts. Let’s keep security on top of everyone’s minds.


If you’re not sure how to use a multi-factor authentication app, check out this video by Microsoft:

Set up multi-factor authentication with a mobile device in Microsoft 365 Business

Most Authenticator apps work similarly so make sure you use one that works for you. Thank you for reading!


CompTIA Certification Exams

by James Driscoll

August 10, 2022

There seems to be some confusion when it comes to CompTIA certification exams. I constantly see questions about exam expiration and what should be done. These questions are primarily from people who are working to break into the Information Technology (IT) realm, so they cover A+, Network+, and Security+. The purpose of this blog is to clear up some of that confusion. For illustrative purposes I will use the CompTIA A+ exam details to highlight what I am talking about.

Regarding the expiration of the exams: CompTIA exams are generally retired about three years after launch, give or take a few months. The reason the window is so short is that, as we all know, the IT realm is constantly changing, so the exams have to be updated to stay relevant. For instance, the A+ version 1001/1002 officially launched on 15 January 2019 and retires on 20 October 2022, roughly three years and nine months later. What this means is that on 20 October 2022 this exam is no longer available. It does not mean that the certification goes away forever. It simply means that version 1001/1002 is replaced with a newer version.

That newer version is numbered 1101/1102 and was officially launched in April 2022. Some people have asked what this means. In a nutshell, there is generally a six-month overlap between the retiring version and the newer version, during which a person can take either exam. One thing to keep in mind is that if a person wants to take the newer version, the study material for it may not be available right away. The screenshots below illustrate my points.

The same concept also applies to Network+, Security +, and every other CompTIA certification exam.

In addition to this, there seems to be some confusion as to when a person is ready to take an exam. I have seen people say that they have taken such and such practice test and have been scoring x% on each one, then ask if they are ready to take the exam. Here is an easy way to tell if you are ready. Again, I will use the CompTIA A+ exam as an example. As shown below, to pass core 1 or core 2 of either version, a test taker needs a score of 675 out of 900 (core 1) or 700 out of 900 (core 2).

Figuring out if you are ready for the exam is fairly simple. Take 675 and divide it by 900, then multiply by 100 to get the minimum percentage to pass: 675/900 = 0.75, and 0.75 * 100 = 75%. So for core 1 the minimum passing score is 75%. The same formula applies to core 2 and every other CompTIA exam. If someone is consistently scoring above that minimum percentage on practice tests (in this case 75%), they are ready for the exam. Keep in mind that CompTIA reports a scaled score rather than a raw percentage of questions answered correctly, so this is a rule of thumb rather than an exact equivalence; scoring comfortably above the threshold on several different practice tests is the safer signal.

Hopefully, this information is helpful. I wish everyone good luck on which ever test you are all studying for.

AUG 3, 2022

DVWA - The Damn Vulnerable Web Application

by James Driscoll

August 3, 2022

In the world of ethical hacking, it is important to constantly practice your skills to maintain proficiency. There are a multitude of ways to accomplish this. There are websites like TryHackMe and Hack The Box. Another option is to set up a home lab using either physical or virtual machines.


Using virtual machines offers numerous options. Operating systems that are intentionally vulnerable can be downloaded and set up to practice on. This is fine if you want to practice hacking into a machine. However, what are the options if you want to practice hacking a web application? Well, I found an answer while taking an ethical hacking class as part of my bachelor’s degree in Cybersecurity: the Damn Vulnerable Web Application (DVWA).


DVWA can be downloaded and installed on a Virtual Machine (VM), offering the ability to practice concepts such as SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery, to name a few.


Where can DVWA be downloaded from? Good question. There are many versions of DVWA floating around the internet, but the best place is the GitHub page https://github.com/digininja/DVWA. This version is the most up-to-date and is the only one that has any type of support.


So, how is it accessed? Since it is a web application it should really be from a separate VM. Just as if you were accessing a normal web application during a penetration test. Simply put the IP address of the VM hosting the DVWA, below:


The login information should be provided:


After logging in, you will see the below screen:


What is interesting about DVWA is that it has adjustable security settings that range from Low to Impossible. If you look at the screenshot above, on the left side is DVWA Security. This is where the security level can be adjusted, and it should be the first thing you do: the Low level leaves each page as vulnerable as it gets, and the higher levels add the mitigations you would expect to see in real code.


After the security level is adjusted, then any of the other options can be selected. In this case I chose to go with SQL Injection.
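For readers who want to see what the SQL Injection exercise is actually about before opening the VM, here is the class of bug in miniature, with the vulnerable query beside its parameterised form. This is an added example for this post; it is not DVWA's own code (DVWA is written in PHP against MySQL) and the table, rows and payloads are constructed for the demo. SQLite is used so that it runs with nothing but the Python standard library, and the schema-enumeration payload uses SQLite's `sqlite_master` table, which would be `information_schema` on MySQL.

```python
"""The bug behind DVWA's SQL Injection exercise, in miniature: a query built by
string concatenation beside the parameterised version.

Added example for this post; it is not DVWA's own code (DVWA is PHP/MySQL) and
the table, rows and payloads are constructed for the demo (assumptions).
SQLite is used so it runs with nothing but the Python standard library.
"""
import sqlite3


def make_db():
    """In-memory table standing in for the lookup page's user table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Alice", "Anderson"), (2, "Bob", "Baker"), (3, "Carol", "Clark")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Low-security style: the request parameter is pasted into the SQL text,
    so a quote in it closes the string literal and the rest becomes SQL grammar."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Fixed version: the value travels separately from the query text, so it
    can only ever be compared against user_id and never changes the statement."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    dump_all = "1' OR '1'='1"                                   # constructed payload
    schema = "1' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"
    print("vulnerable, normal id :", lookup_vulnerable(conn, "2"))
    print("vulnerable, OR payload:", lookup_vulnerable(conn, dump_all))
    print("vulnerable, UNION     :", lookup_vulnerable(conn, schema))
    print("safe, OR payload      :", lookup_safe(conn, dump_all))
```

Run it and compare the two functions on the same payloads: the concatenated query returns every row for `1' OR '1'='1` and the table definition for the UNION payload, while the parameterised query returns nothing for either, because the whole string is compared against `user_id` as a value. That difference, not input filtering, is the fix the Impossible level is demonstrating.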

This platform really makes it easy to practice these valuable skills. I highly recommend giving this a try. I hope you all have as much fun using this as I did.



Check out this DVWA resource: a YouTube video from @CryptoCat on DVWA setup, the first step in a series that walks through all the steps. Another great find to take you through the process, step by step: https://youtu.be/GmWQ1VIjd2U



End-user Security Awareness Overview

by Eula Chua

August 3, 2022

The online space has no bounds. We are all connected in some way. From our smart TVs and Wi-Fi-enabled home appliances to computers and mobile devices, we are surrounded by technology everywhere we go, and probably never expected to become as dependent on it as we are. Yet we hear about data security breaches happening all over the world and to all types of organizations, and sometimes we don’t realize how close we are to being part of one. All it takes is one compromised account to open the gates.


Unfortunately, we ourselves have become the primary attack vector for threat actors, as the SANS 2022 Security Awareness Report (https://www.sans.org/blog/sans-2022-security-awareness-report/) points out. Companies and vendors can only do so much with technical controls; the rest comes down to the people using the systems. How can we improve from here? Security Awareness.


To specify, we will be focusing on information security and end-users in particular. We’ll do a quick overview.


According to Infosec Institute (https://resources.infosecinstitute.com/topic/security-awareness-definition-history-types/), “Security Awareness is a formal process for training and educating employees about IT protection.” Because most of us these days are working online, whether it’s for work, education, or personal purposes, security awareness is no longer limited to employees but to everyone.


What are some of the topics security awareness covers?

Topics may include, but are not limited to:


- Email usage

- Social engineering/Phishing

- Online Safety

- Privacy

- Proper password hygiene

- Common errors and how we can prevent them

- Mobile Device usage

- Encryption

- Social Networking

- AUP (Acceptable Use Policies)


Who does it involve or affect?

It involves all end-users, which may include:


- Executives

- Employees

- Students/Educators

- Grandparents/Parents

- Teenagers/Children

- You


Overall, it would be any target that a threat actor chooses to attack.


Where is security awareness needed/Where can it be found?

It is needed everywhere and anywhere we have Internet access. Nowadays, educational facilities are running online end-user awareness campaigns, especially with the rise of hybrid learning. Most commonly, businesses and large organizations implement security awareness as formal training. One small mistake can do anything from little harm to serious financial damage or even closure of the business. Small businesses often cannot implement the training they need because budgets are limited. That gap is now being recognized, and thankfully online resources are available to help small businesses get started. Here’s an article by Infosec Institute (https://resources.infosecinstitute.com/topic/security-awareness-training-can-protect-small-businesses/). For end-users in general, most well-known vendors and service providers offer free online security awareness training programs. Amazon offers a free cybersecurity awareness training course that anyone can take on its learning website: https://learnsecurity.amazon.com/.


When would security awareness training take place?

In organizations, it should ideally be an ongoing program; however, factors such as time, budget, and resources may keep it from being constant. Most businesses opt for monthly, bi-monthly, quarterly, or bi-annual employee training depending on those factors. Others do it annually, but that is a stretch.


How can we prevent ourselves from being attacked?

The key to prevention is being aware. Creating awareness of what type of cyber attacks have been committed allows an individual or an entity to be prepared for what may possibly occur. Then we can move on to taking action.

A few actionable topics to start with, that can be included and taught during security awareness training are:

- Setting up MFA (multi-factor authentication)

- Importance of password managers

- Strong password requirements (i.e. include uppercase, lowercase, numbers, and symbols)

- Wi-Fi and VPN usage

- Tips on identifying phishing emails

- Keeping workstations and devices updated and patched

- Online privacy


Why is security awareness important?

Since the start of the pandemic in 2020, there has been a surge of employees working from home or hybrid. Even many of the websites we visit nowadays require our information, for example, e-commerce, email lists, social media, and more. Because of this, so much of our personal identifiable information (PII) is being made available online in some way. With more network or website traffic happening online, users are more vulnerable to encountering an attack and sometimes might not even know it. There can be many tools implemented to prevent attacks to a certain extent. Raising awareness on common cybersecurity threats and risks can help users protect themselves and their assets, reduce anxiety, become less vulnerable, and be more prepared.

As mentioned earlier in this post, the online space has no bounds. Remember that behind every technology is a human.

Security starts with you.



JUL 27, 2022

How I Hacked Into Cybersecurity

by Kimberly McKnight

July 27, 2022

It was almost Q3 2020 and it felt like the world was falling out of place, some new, awkward reality we were all attempting to decode. We were in the early phases of a global pandemic. At that time, no one really understood what that meant, or what it was going to look like. A company trip to D.C., corporate headquarters, was cancelled last minute. The company scrambled to put together a travel policy and guidelines. For now, it was deemed no travel, companywide, until more was known.

Next, another major bombshell announcement: no more hiring. Period. Like zero, globally. What? Wait, no one had ever heard of such a thing. We just finished interviewing and offering positions to candidates last week. Our Fortune 100, Best Company to Work For, is no longer hiring, globally? Even the most seasoned recruiters who were in the industry for years were in complete shock.

When you work in recruiting and hear "no more hiring," you understand the writing on the wall. Instantly I knew what was going to happen next. Hours were decreased and then the furlough news came down. If anyone didn’t know what was next, they had their heads buried in the ground. The layoff email was sent the last day of furlough, informing me and 200+ corporate team members that our positions with the company were no more.

At first, I wasn't sure what to think. Looking back on it now, I believe I was traumatized. When you envision yourself with a company and the ride ends early, it is a sinking feeling. Even though there were people who had been with the company much longer, many right around retirement and had 20+ years invested, I still couldn't help but feel it was due to my own actions. I ultimately knew it wasn't true, but it didn’t make the feelings any less real. After a while, you can start to believe those feelings... don't.

While on furlough pending the inevitable layoff news, I began thinking about what I really wanted in a career. What did I want to do with the time I had left? After all, I’ve been working for over 20 years already. I had to find something that continues to drive my curiosity and allows me to constantly grow and learn. Hospitality was amazing in providing endless opportunities to work in so many areas of business, but after the pandemic experience, I wanted to be sure I picked something that wasn’t tied to worldwide travel. The way things were looking, it was going to take a long time to recover from and could come back around at any time.

What happens next? Check out my video on “How To Get Into Cybersecurity | How I Hacked Into Cyber,” posted on Cybersecurity Central’s YouTube channel.

And while you are there, please subscribe, like, and share with your network if you found some value in it. Take care and thanks for supporting Cybersecurity Central!


Chase The Knowledge, Not the Certification

by James Driscoll

July 27, 2022

There is a question that I see all the time on the various social media platforms, “will {insert certification name here}, get me a job in Cybersecurity?” Now I know that there are a million opinions as to whether certifications are even needed to enter this industry. That is not what this is about. This is about the apparent myth that simply getting a certification will land a person a job in cybersecurity.


The answer to the above question is no, {insert certification here} will not directly land someone a job. At most, the certification will help someone get an interview. From there it is up to you to land the job. So, does that mean not to worry about getting a certification? Not necessarily. What I am saying is, do not get a certification simply because it is a requirement for some jobs. Get the certification for the knowledge you will gain. It is one thing to pass the exam and receive the certification. That may help you get an interview by standing out over other applicants who may not have the specific certification. During the interview, the fact that you have {insert certification here} means nothing unless you can apply some of those concepts in the interview and talk to the interviewer about the knowledge you gained by studying for the exam.


The whole premise is to chase the knowledge, not the certification.


JUL 20, 2022

It takes a lot of courage

by Eula Chua

July 20, 2022

My name is Eula. As a Cybersecurity Content Creator for Cybersecurity Central, I wanted to provide you with a glimpse of how I made it here.


It takes a lot of courage for someone to make a career switch or let alone, begin an entirely new career. If you’re one of these people, thank you for being a great example to those around you, for showing that where we are is not the “end-all-be-all” and that there is more for us out there.

A few years ago, I was transitioning out of a career in the Beauty industry, not exactly thinking about what was next for me but rather choosing to “go with the flow”. A friend offered me an interview in tech retail, and I got the job. It was something I would leverage until I made my next move. I thought of pursuing careers in the environmental, medical, behavioral, and educational routes, but every time, something would prevent me from continuing. One day, I sat in my Communications class (in a Medical program I was in at the time) and heard my professor say this to the entire class: “You’re in this program because you love it. You’re passionate about it. You want to be here.” Everything she was saying did not translate to how I was feeling. In fact, it was the opposite. I stuck to my commitment, finished Level 1 of that program, and left it. It was difficult to leave, but it was freeing.

During my discernment, I remembered someone telling me to reflect on my childhood and recall everything that sparked a light in me. A few of those moments were playing video games with my friends, hosting group chats, researching new technology, learning basic web development to create websites, and creating backgrounds and video editing using Adobe tools. All of that had to do with being on the computer. Everything else clicked for me: working on the computer, being surrounded by devices at work, seeing how much of our world has shifted into the digital age. With a strong Community Outreach background and a desire to help people, an introduction to this side of tech by one of my good friends, and other factors that aligned, I found myself on the path of Cybersecurity. It took a while to get here, but I’m here and we’re just getting started.

I hope that our content brings value to you, whether it be something you implement personally or professionally or something you can relate to or learn from. If you have suggestions on topics you would like us to cover, feel free to send me a message on LinkedIn: https://linkedin.com/in/eulac-lipro


Veteran in Cybersecurity

by James Driscoll

July 20, 2022

My name is James. I am a retired Air Force veteran and married to my wife of 22 years.


In the Air Force, my role was in Air Transportation. Basically, I worked at military airports loading passengers and cargo. The best way to picture it is to think of a combination of American Airlines and Federal Express. After I retired in 2014, I continued in the same career field but as a military contractor. The job is interesting; however, it is no longer challenging.


One aspect of this job that I really enjoy is regulatory compliance: ensuring that all the passengers comply with not only applicable FAA/TSA regulations but also applicable destination country entry regulations. On the cargo side, the job entailed ensuring the cargo was prepared and documented correctly. This is extremely important when hazardous cargo is being transported, for the safety of the aircraft, crew, and any passengers. An example of a failure in procedure is ValuJet flight 592, which went down in the Everglades in 1999. The reason for this crash was that some oxygen generators were not properly packaged or documented.


In addition to loading airplanes, I also worked as a system administrator. I was responsible for creating accounts, setting permissions based on the duty position of the individual, and working with the help desk to update and patch the system. This is what initially got me interested in Information Technology. As a result, I tried numerous times to change career fields into Information Technology but was unsuccessful.


Why am I making the career change into Cybersecurity? This is a good question. It was June 2020, and I was working at a deployed location loading aircraft and suffering every day because of medical conditions created by my military career. My wife suggested contacting the Veterans Affairs office and applying for something called Vocational Rehab. Basically, this is a program where veterans with medical conditions can go back to school to get a degree in a field that will not aggravate the condition. So, I applied.


After speaking with the counselor, I was approved! Next, it was time to choose a program and school. I thought to myself, this was the perfect chance to finally change careers and move into Information Technology. After constantly seeing reports of data breaches and ransomware attacks, I decided to transition into cybersecurity. The school I chose to attend is ECPI and I will be graduating the end of August 2022.


I am extremely grateful to Kimberly for this opportunity to work with Cybersecurity Central. It is exciting to be able to give back to such a welcoming community that I am breaking into. It will be an interesting journey, but I hope it will be a journey that everyone can learn from and be inspired by.


Feel free to connect or send me a message on LinkedIn: https://www.linkedin.com/in/jdriscoll-76

