Remember that creaky old swing set in your backyard? The one your parents told you was "safe" even though it looked like it might collapse any minute? Yeah, WEP encryption for your Wi-Fi is kind of like that. It's outdated, wobbly, and about as secure as a screen door on a submarine.

WEP was the first attempt at Wi-Fi security, but it's more like a historical artifact than a viable option. It's riddled with vulnerabilities, and cracking it is child's play with readily available software. Imagine leaving your front door wide open and expecting nobody to peek in – that's WEP for you.

But wait, there's TKIP! This "upgrade" isn't much better. It was meant as a temporary fix while they figured out something real, like a sturdy steel gate for your network. But just like that rickety swing set, TKIP has its own cracks, some known since its inception! It's time to retire this rusty relic and move on to something stronger.

So, what's the good stuff? Look no further than CCMP/AES. It's like a fortress compared to WEP and TKIP – imagine a vault with triple locks and laser beams. Even the most dedicated cyber-crooks would give up in frustration trying to crack this one. This is where your precious data should be living, not floating around in the open air like a forgotten kite.

But even Fort Knox has its chinks in the armor. Even with strong encryption, your passwords can be the weak link. Think of them as the keys to your digital kingdom. Using weak, predictable passwords like "password123" is like leaving the spare key under the doormat. Instead, go for something long, strong, and unique – a passphrase fit for a king (or queen) of the internet. Think 20 characters with a mix of letters, numbers, and even symbols. Make it something only you could come up with.

And now for the good news: WPA3, the latest and greatest in Wi-Fi security, takes things even further. It's like adding an alarm system and security cameras to your already-fortified castle. Even if someone finds a stray key, they'll be caught red-handed before they can do any damage.

So, ditch the dust covered WEP and rusty TKIP. Upgrade to CCMP/AES and lock down your passwords with a passphrase fit for royalty. And if you're looking for the ultimate peace of mind, welcome WPA3 with open arms (just make sure they're protected by strong authentication!). Remember, your internet security is your responsibility, so choose wisely and stay safe out there in the digital jungle!

Connect with me on LinkedIn and let's continue the conversation: https://linkedin.com/in/jdriscoll-76 

This week in my advanced networking class we reviewed the network layer of the IP model. Allow me to share more with you in this blog today.

The network layer consists of IPv4 and IPv6 which are two different versions of the Internet Protocol (IP), the fundamental protocol that enables communication on the internet. IPv4 is the older version of the protocol, and it is currently used by most devices on the internet. However, IPv4 is running out of addresses, and IPv6 was developed to provide a much larger address space.

IPv4

IPv4 addresses are 32 bits long, which means that there are only about 4.3 billion possible IPv4 addresses. This number of addresses is not enough to accommodate the growing number of devices on the internet, such as smartphones, tablets, and IoT devices.

IPv4 addresses are written in dotted-decimal notation, which consists of four decimal numbers separated by periods. For example, the IPv4 address 192.168.1.1 is written in dotted-decimal notation.

IPv4 is a mature protocol, and it is well-supported by most devices and networks. However, IPv4 is also a complex protocol, and it can be difficult to manage.

IPv6

IPv6 addresses are 128 bits long, which means that there are an almost infinite number of possible IPv6 addresses. This vast address space is enough to accommodate the growing number of devices on the internet for many years to come.

IPv6 addresses are written in hexadecimal notation, which consists of eight groups of four hexadecimal digits separated by colons. For example, the IPv6 address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 is written in hexadecimal notation.

IPv6 is a newer protocol than IPv4, and it is not as well-supported by all devices and networks. However, IPv6 is a simpler protocol than IPv4, and it is easier to manage.

Comparison of IPv4 and IPv6

Ah, it’s the start of another new term in my quest for a master’s degree in cybersecurity and the next class on my list for the next five weeks is Advanced Networking.  However, before we talk about advanced networking, let’s go back to the basics to have a solid foundation to build upon. This week is a history lesson in computer networking.

The Development of Packet Switching 1961-1972:

In the early 1960s, three research groups independently invented packet switching as an alternative to circuit switching for computer networks. Packet switching is more efficient and robust for bursty traffic, such as that generated by users of timeshared computers.

The first packet-switched computer network, the ARPANet, was built in the United States in the late 1960s. By 1972, ARPANet had grown to 15 nodes and had been given its first public demonstration. The first host-to-host protocol, the network-control protocol (NCP), was also completed in 1972, enabling the development of applications such as e-mail.

The Internet today is a direct descendant of the ARPANet. It is a packet-switched network that uses the Internet Protocol (IP) to route packets between devices. IP is a simple but effective protocol that has allowed the Internet to grow and evolve over the years.

Proprietary Networks and Internetworking 1972-1982:

The initial ARPAnet was a closed network, but in the early to mid-1970s, additional packet-switching networks came into being, such as ALOHANet, Telenet, Cyclades, and Tymnet.  Pioneering work on interconnecting networks (under the sponsorship of DARPA) was done by Vinton Cerf and Robert Kahn, who coined the term internetting.  The early versions of TCP combined reliable in-sequence delivery of data with forwarding functions. Later, forwarding functions were separated out of TCP and the UDP protocol was developed, resulting in the three key Internet protocols that we see today: TCP, UDP, and IP.  In addition to the DARPA Internet-related research, many other important networking activities were underway, such as the development of the ALOHA and Ethernet protocols.

A Proliferation of Networks 1980-1990:

By the end of the 1970s, the ARPAnet had approximately 200 hosts connected to it.  In the 1980s, the number of hosts connected to the public Internet grew tremendously, reaching 100,000 by the end of the decade.  Much of this growth was due to the creation of new computer networks linking universities together, such as BITNET, CSNET, and NSFNET.  In the ARPAnet community, many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS.  In the early 1980s, France launched the Minitel project, a successful attempt to bring data networking into everyone's home.

The 1980s was a time of tremendous growth for the Internet.  New computer networks were created linking universities together, such as BITNET, CSNET, and NSFNET.  Many of the final pieces of today's Internet architecture were falling into place, such as TCP/IP, congestion control, and DNS.  France launched the Minitel project, a successful attempt to bring data networking into everyone's home.

The Internet Explosion 1990’s:

In the 1990s, the Internet evolved and commercialized. ARPAnet ceased to exist, NSFNET lifted its restrictions on commercial use, and NSFNET was decommissioned.  The World Wide Web was invented at CERN by Tim Berners-Lee and brought the Internet to millions of people.  The Web enabled many new applications, including search, e-commerce, and social networks.  The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing.

The 1990s was a time of rapid growth and innovation for the Internet.  The World Wide Web made the Internet accessible to a wider audience and enabled new applications.  The four killer applications of the 1990s were e-mail, the Web, instant messaging, and peer-to-peer file sharing.  The Internet stock market bubble burst in 2000-2001, but several companies emerged as big winners in the Internet space.

The New Millennium:

In the first two decades of the 21st century, the Internet has transformed society more than any other technology, along with Internet-connected smartphones. Innovation in computer networking continues at a rapid pace, with advances in all areas, including faster routers and higher transmission speeds in both access networks and backbones.

Some of the most notable developments of this period include:

• Aggressive deployment of broadband Internet access to homes, including cable modems, DSL, fiber to the home, and 5G fixed wireless. This has set the stage for a wealth of video applications, including user-generated video, on-demand streaming of movies and television shows, and multi-person video conferencing.

• Increasing ubiquity of high-speed wireless Internet access, enabling new location-specific applications such as Yelp, Tinder, and Waz. The number of wireless devices connecting to the Internet surpassed the number of wired devices in 2011. This high-speed wireless access has also set the stage for the rapid emergence of hand-held computers, such as iPhones, Androids, and iPads, which enjoy constant and untethered access to the Internet.

• Emergence of online social networks, such as Facebook, Instagram, Twitter, and WeChat, which have created massive people networks on top of the Internet. Many of these social networks are extensively used for messaging and photo sharing. Many Internet users today "live" primarily within one or more social networks, which also create platforms for new networked applications, including mobile payments and distributed games.

• Deployment of extensive private networks by online service providers, such as Google and Microsoft, which connect their globally distributed data centers and bypass the Internet as much as possible by peering directly with lower-tier ISPs. This allows Google to provide search results and e-mail access almost instantaneously.

• Migration of many Internet commerce and other applications to the cloud, such as Amazon's EC2, Microsoft's Azure, and the Alibaba Cloud. Cloud companies provide scalable computing and storage environments, as well as implicit access to their high-performance private networks.

This completes today's history lesson on an overview of Computer Networking! See you again soon.

Connect with me on LinkedIn: https://linkedin.com/in/jdriscoll-76 

References

• Kurose, J. F., & Ross, K. (2020). Computer Networking (8th ed.). Pearson Education (US). https://ecpi.vitalsource.com/books/9780135928523

For week 4 of my Cloud Security course, we learned about privacy and security laws.  This is a bit of a review as these were part of the CompTIA CySA+ exam I took back in February.  So, I thought it would be a good idea to create a blog to briefly discuss each one. 

The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; the Family Educational Rights and Privacy Act (FERPA); and finally, the European Union General Data Protection Regulation (EU GDPR). We will review these six frameworks below:

1.   HIPAA Health Insurance Portability and Accountability Act: HIPAA became a law back in 1996 and was designed to facilitate employees changing jobs to take their insurance with them.  It was also designed to make health care delivery more efficient (HIPAA History, n.d.).  The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

2.    PCI DSS Payment Card Industry Data Security Standard: The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017).  This agreement was established in 2004.  Now, even though it is not a law, non-compliance still has consequences.  These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

3.    GLBA Gramm-Leach Bliley Act: This standard is applicable to the banking industry.  The basic premise is that all financial institutions have a security program and someone to run it (Chapple & Seidl, 2017).  It became law back in 1999.  This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

4.   SOX Act Sarbanes-Oxley Act: This act applies to any organization that is publicly traded (Chapple & Seidl, 2017).  It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors.  It is named for the two members of Congress that sponsored it, Senator Paul S. Sarbanes, and Representative Michael G. Oxley (Kenton, 2022).

5.    FERPA Family Educational Rights and Privacy Act: This act mandates that educational institutions protect student information (Chapple & Seidl, 2017).  FERPA became law back in 1974 and has a dual purpose. 1) Returns control of educational records back to the parents or to adult students.  2) Requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.). 

6.    EU GDPR European Union General Data Protection Regulation:  The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It does this by replacing the data protection directive (Directive 95/46/EC) of 1995. The regulation has been in effect since May 25, 2018, (Chapple & Seidl, 2022)

References

• Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex. 

• Chapple, M., & Seidl, D. (2022). (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide. Wiley.

• Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html 

• Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act 

• HIPAA History. (n.d.). Retrieved from HIPAA JOurnal: https://www.hipaajournal.com/hipaa-history 

• Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp 

• Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20 

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

This past week I started my third term in my quest at a master’s degree at ECPI.  In the next five weeks I will be learning about cloud security.  For the reading last week, I read about how blockchain technology can be used in cloud security.  This is interesting as I had only heard about it in terms of cryptocurrency.  So, I decided to do some more research, and this is what I found.

Blockchain technology is a distributed ledger technology that can be used to improve cloud security in several ways:

• Decentralization: Blockchain is decentralized, meaning that it is not controlled by any single entity. This makes it more difficult for hackers to attack the system, as they would need to compromise most nodes in the network to succeed.

• Transparency: All transactions on a blockchain are publicly visible, which makes it difficult to commit fraud or tamper with data. This transparency can also be used to audit the security of the cloud system.

• Immutability: Once data is added to a blockchain, it cannot be changed without the consensus of the network. This makes blockchain ideal for storing sensitive data, such as customer records or financial data.

Below are some specific ways that blockchain technology can be used to improve cloud security:

• Data encryption: Blockchain can be used to encrypt data stored in the cloud, making it more difficult for hackers to access and steal.

• Access control: Blockchain can be used to implement access control policies for cloud resources, ensuring that only authorized users have access to sensitive data.

• Audit logging: Blockchain can be used to create audit logs of all activity on a cloud system. This can be used to detect and investigate security incidents.

• Key management: Blockchain can be used to manage cryptographic keys used to encrypt and authenticate data in the cloud. This can help to prevent unauthorized access to sensitive data (Gupta, Siddiqui, Alam, & Shuaib, 2019).

Some examples of blockchain-based cloud security solutions include:

• Siacoin: Siacoin is a decentralized cloud storage platform that uses blockchain technology to store data securely and efficiently (Siacoin, n.d.).

• Storj: Storj is another decentralized cloud storage platform that uses blockchain technology. Storj also offers encryption and access control features (Storj, n.d.).

• Keyless: Keyless is a blockchain-based key management platform that helps organizations to manage their cryptographic keys securely (Authenticate People, Not Just Devices, n.d.).Blockchain technology is still in its early stages of development, but it has the potential to revolutionize cloud security. As blockchain-based security solutions continue to mature, we can expect to see them adopted by more and more organizations.

Below are some additional thoughts on the use of blockchain technology in cloud security:

• Blockchain can help to reduce the risk of data breaches. By decentralizing data storage and access control, blockchain makes it more difficult for hackers to steal or tamper with data.

• Blockchain can help to improve compliance. By providing a transparent and auditable record of all activity, blockchain can help organizations to comply with regulations such as GDPR.

• Blockchain can help to reduce costs. By eliminating the need for intermediaries, blockchain can help organizations to save money on cloud security costs.

Overall, blockchain technology has the potential to significantly improve cloud security. As blockchain-based security solutions continue to develop and mature, we can expect to see them adopted by more and more organizations (Gupta, Siddiqui, Alam, & Shuaib, 2019).

References

• Authenticate People, Not Just Devices. (n.d.). Retrieved from Keyless: https://keyless.io/

• Gupta, A., Siddiqui, S. T., Alam, S., & Shuaib, M. (2019). Cloud Computing Security Using Blockchain. Journal of Emerging Technologies and Innovative Research (JETIR), 791-794.

• Siacoin. (n.d.). Retrieved from Coin market Ca[: https://coinmarketcap.com/currencies/siacoin/

• Storj. (n.d.). Retrieved from Storj: https://www.storj.io/

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

This week in my Security Architecture and Design course we discussed a concept called an Audit First Methodology.

The Audit First methodology is a risk-based approach to auditing that focuses on identifying and assessing risks early in the audit process. This allows auditors to focus their resources on the areas of highest risk and to develop a more tailored audit approach.  It is implemented via the following steps:

1. Threat Analysis.  The goal of this step is to focus on the threats that are most likely and most dangerous, or a combination of the two.  This allows the organization to prioritize its resources and address the greatest risk first.

2. Audit Controls.  The goal of this step is to create threat audit controls that search for threat activities (also known as threat hunting).  These controls should be tailored to the specific threats that the organization is facing.

3. Forensic Controls.  The goal of this step is to ensure that these controls are properly configured to log the data that is needed to investigate likely threat scenarios first.  Logs that are less likely to be needed in an investigation do not need to be as easily accessible as other logs.

4. Detective Controls.  The goal of this step is to create effective and efficient controls that alert on suspected attacker activity while minimizing false positives and maximizing the probability of detecting attacks.

5. Preventive Controls.  The goal here is to block undesired activities and prevent them from occurring.  While important, organizations should focus more on the other controls.  These controls can be disruptive to the business to implement and operate, and they may not be effective against determined attackers (Donaldson, Siegel, Williams, & Aslam, 2015).

There are numerous benefits to utilizing this methodology, including:

• It allows auditors to focus their resources on the areas of highest risk.

• It helps to ensure that the audit is tailored to the specific needs of the organization.

• It can help to identify and address risks early on before they cause problems.

• It can improve communications between auditors and management (Donaldson, Siegel, Williams, & Aslam, 2015).

The only challenge that I anticipate using the Audit First Methodology is the reluctance to focus more on the other controls versus the preventive controls.  As stated in the textbook, organizations typically put more stock in preventive controls (Donaldson, Siegel, Williams, & Aslam, 2015).  They way around this challenge is to explain the benefits of following the Audit First Methodology while emphasizing the downside of focusing on the preventive controls in a language that the business side of the organization can understand.  Typically, this is done by translating the cybersecurity jargon over to business jargon.

References

• Donaldson, S., Siegel, S., Williams, C. K., & Aslam, A. (2015). Enterprise Cybersecurity. Springer Nature.

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

This week for Blog by CC Weekly, I am continuing with sharing my master’s degree cybersecurity course assignments with you. The class this term is Security Architecture and Design.  First, this blog will discuss some of the challenges and benefits of implementing an enterprise security architecture. Second, we will look at how organizations can overcome some of those challenges.  Third, it will analyze the importance of logical and physical security.  Finally, I give my thoughts and opinions on which are more important. Discover more below:

Challenges and benefits to implementing an enterprise security architecture:

Challenges:

• Lack of communication and coordination: An enterprise security architecture (ESA) requires coordination and communication between different departments and teams within an organization. This can be difficult to achieve, especially in large or complex organizations.

• Lack of understanding of the need for security: Not everyone in an organization may understand the importance of security or may not be willing to take the necessary steps to protect information. This can make it difficult to implement and enforce security measures.

• Cost: Implementing an ESA can be expensive, especially for large organizations. This can be a barrier to adoption, especially in organizations with limited resources.

• Complexity: ESAs can be complex and difficult to implement. This can lead to problems such as implementation delays, errors, and security gaps.

• Change management: Implementing an ESA often requires changes to the way an organization does business. This can be disruptive and difficult to manage.

Benefits:

• Reduced risk: An ESA can help to reduce the risk of a security breach by providing a comprehensive framework for protecting information.

• Improved compliance: An ESA can help organizations to comply with industry regulations and standards.

• Increased efficiency: An ESA can help to improve the efficiency of security operations by providing a centralized view of the security landscape.

• Enhanced visibility: An ESA can help to improve visibility into the security posture of an organization, which can help to identify and address security risks more quickly.

• Improved decision-making: An ESA can provide decision-makers with the information they need to make informed decisions about security.

• Policies and business processes that may help companies overcome their challenges:

• Establish a security governance framework: This framework should define the roles and responsibilities of different stakeholders in the security program, as well as the processes and procedures for managing security risks.

• Develop security policies and procedures: These policies should be aligned with the security governance framework and should define the specific security controls that are required to protect the organization's information assets.

• Implement security controls: This includes deploying security technologies, such as firewalls and intrusion detection systems, as well as implementing security procedures, such as password management and user training.

• Monitor and enforce security controls: This includes regularly reviewing security logs and reports to identify potential security incidents, as well as taking steps to remediate any vulnerabilities that are identified.

• Continuously improve the security program: This includes regularly reviewing the security policies and procedures to ensure that they are still effective, as well as implementing new security controls as needed.

The Importance of logical and physical security:

• Logical security is the protection of digital information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.  Some of the methods used include: 1) user authentication, 2) access control, 3) encryption, 4) firewalls, and 5) intrusion detection systems.

• Physical security refers to the protection of physical assets including buildings, equipment, and data centers from unauthorized access, use, damage, or theft.  Some of the methods utilized include 1) access control, 2) security guards, 3) video surveillance. 4) intrusion detection systems, 5) fire protection.

• Defend why you feel logical or physical security is more important for an organization.

• Neither logical nor physical security are more important than the other.  Logical and physical security are complimentary and should be implemented together to provide a comprehensive security solution.  By protecting both digital and physical assets equally, organizations can reduce the risk of a security breach.

References

• Ghaznavi-Zadeh, R. (2017, July 28). Enterprise Security Architecture - A Top-down Approach. Retrieved from ISACA: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecturea-top-down-approach

• Joint Task Force. (2020, September). Security and Privacy Controls for Information Systems and Organizations. Retrieved from NIST: https://doi.org/10.6028/NIST.SP.800-53r5 

• Melendez, J. C., Luse, A., Townsend, A. M., & Mennecke, B. (2008). Convergence of Physical and Logical Security: A Pre-implementation Checklist. MWAIS 2008 Proceedings, (p. 10).

• Ramani, G. (2015, December 1). Challenges in IMplementing Enterprise-Wide CyberSecurity Strategy. Retrieved from LinkedIn: https://www.linkedin.com/pulse/challenges-implementing-enterprise-wide-cyber-security-ganesan-ramani/ 

• What is Security Architecture, and What do You Need to Know. (2022, February 9). Retrieved from Dig8ital: https://www.dig8ital.com/post/what-is-security-architecture-and-what-do-you-need-to-know 

Connect with James on LinkedIn: https://linkedin.com/in/jdriscoll-76 

For the last week of my Ethical and Human Aspects in Cybersecurity we talked about Technological Convergence.  So, what is it?   Technological convergence is the process by which different technologies merge and evolve into new forms that can fulfill multiple functions. This means that devices and applications that were once separate and distinct are now becoming more integrated and interconnected (McGuigan, 2023).  For example, the smartphone is a prime example of technological convergence. It combines the functions of a phone, a computer, a camera, a music player, and more into a single device. This makes it more convenient for users to access all their favorite content and services from one place.

There are numerous potential social and ethical concerns that can arise due to technological convergence.  They include:

• Privacy: As more and more devices become interconnected, they collect and store more and more data about us. This data can be used to track our movements, monitor our activities, and even predict our behavior. This raises concerns about our privacy and the potential for this data to be used for malicious purposes.

• Security: The interconnectedness of devices also makes them more vulnerable to cyberattacks. If one device is hacked, it could potentially compromise the security of all the devices that are connected to it. This could lead to the theft of personal data, financial information, or even intellectual property.

• Employment: Technological convergence is leading to the automation of many jobs. This could lead to widespread unemployment, as machines take over the tasks that are currently performed by humans. This could have a significant impact on the economy and society.

• Inequality: The benefits of technological convergence are not being evenly distributed. Those who have access to the latest technologies are likely to benefit the most, while those who do not have access may be left behind. This could lead to increased inequality and social unrest.

• Bias: Technological systems are often biased, reflecting the biases of the people who create them. This could lead to discrimination against certain groups of people, such as those based on race, gender, or sexual orientation.

• Environmental impact: The production and use of technology has a significant environmental impact. This includes the emission of greenhouse gases, the depletion of natural resources, and the generation of waste. Technological convergence could exacerbate these problems (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).

Technological convergence can jeopardize a company's code of conduct in several ways, including:

• Data collection and privacy: As more and more devices become interconnected, they collect and store more and more data about us. This data can be used to track our movements, monitor our activities, and even predict our behavior. This raises concerns about our privacy and the potential for this data to be used for malicious purposes. For example, a company might use data collected from its employees' smartwatches to track their movements and productivity. This could violate the company's code of conduct, which might promise to respect employee privacy.

• Security: The interconnectedness of devices also makes them more vulnerable to cyberattacks. If one device is hacked, it could potentially compromise the security of all the devices that are connected to it. This could lead to the theft of personal data, financial information, or even intellectual property. For example, a company might be hacked if its employees' laptops are infected with malware. This could lead to the theft of confidential company information.

• Ethical use of technology: Technological convergence can also raise ethical concerns about the use of technology. For example, a company might use facial recognition technology to track its employees' movements. This could be seen as an invasion of privacy and a violation of the company's code of conduct.

• Discrimination: Technological systems are often biased, reflecting the biases of the people who create them. This could lead to discrimination against certain groups of people, such as those based on race, gender, or sexual orientation. For example, a company might use a facial recognition system that is biased against people of color. This could lead to the company discriminating against these people in its hiring practices (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).

It is important for companies to be aware of the potential ethical and legal implications of technological convergence and to take steps to mitigate these risks. This includes updating their codes of conduct to reflect the challenges posed by new technologies.

Here are some specific things that companies can do to mitigate the risks of technological convergence:

• Be transparent about data collection and use: Companies should be transparent about the data they collect from their employees and customers, and how they use this data. This can help to build trust and avoid violating privacy expectations.

• Implement strong security measures: Companies should implement strong security measures to protect their data from unauthorized access. This includes using encryption, firewalls, and other security technologies.

• Educate employees about ethical use of technology: Companies should educate their employees about the ethical use of technology. This includes training them on how to use technology responsibly and how to avoid violating company policies.

• Monitor for bias: Companies should monitor their technology systems for bias. This can help to identify and address any potential discrimination issues.

By taking these steps, companies can help to mitigate the risks of technological convergence and protect their employees, customers, and data (Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues, 2019).

References

• McGuigan, B. (2023, August 10). What is Technological Convergence. Retrieved from Easy Tech Junkie: https://www.easytechjunkie.com/what-is-technological-convergence.htm#google_vignette 

• Technological Convergence: Regulatory, Digital Privacy, and Data Security Issues. (2019, May 30). Retrieved from Every CRS Report: https://www.everycrsreport.com/reports/R45746.html#:~:text=Technological%20convergence%20poses%20three%20potential,security%2C%20and%20theft%20of%20data 

Last week in my Ethics and Human Aspects of Cybersecurity class, the topic of cybersecurity in the global economy came up. Specifically, if it is possible. Below is more of my take on this topic.

In 2023, the concept of an individual country's economy is no longer. Anything that affects one country’s economy affects the economies of other countries. We truly have a global economy. Now, when I talk about anything, I mean absolutely anything. It could be something as innocent as weather to something more malicious such as a cyber-attack. An example of a cyber-attack that has the potential to affect the global economy is the Stuxnet Worm.

What is the Stuxnet Worm? This little piece of malware was created in 2010 with the purpose of attacking Industrial Control Systems (ICS) (Mueller & Yadegari, 2012). For anyone that does not know, an ICS is used in sectors such as “manufacturing, transportation, energy, and water treatment” (Industrial Control System, n.d.).

Now, since those sectors mentioned above are used all over the world the potential impact on the global economy is going to be huge. Let us look at the energy sector as an example. Energy is one thing that is not only needed, but also has an almost immediately affects the global economy when there are changes and right now, we get that energy from oil. Just a simple change in production output by Saudi Arabia can cause energy prices to fluctuate, which causes the prices of other products to fluctuate around the world.

What can be done against countries that either actively engage or sponsor people that engage in cyberespionage and launch cyber-attacks? Well, the main tactic that is used are financial sanctions. The theory is that limiting the amount of business that can be conducted thus hitting them in the wallet so to speak should deter someone from engaging in criminal activity. Based on events over the past three years, I am not a fan of it. Perhaps if it is done swiftly and comprehensively it may have the desired effect, but I am not so sure.

There is another tactic that can be used to deter cyber-attacks called “hacking back”, sometimes referred to as “active cyber defense.” However, these two terms are completely different. Techniques and tactics normally associated with active cyber defense include things like utilizing honeypots to study and gain information about cyber-attackers. It also includes scanning your network / looking through logs trying to find Indicators of Compromise (IoC’s).

Hacking back is just as it sounds. A victim of a cyber-attack, attacking the attacker. This is not recommended as it is illegal under 18 U.S. Code Section 1030 Fraud and Related Activity in Connection with computers. This is also known as the Computer Fraud and Abuse Act (CFAA) (18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers, n.d.).

The Russian invasion of Ukraine has brought up an interesting dilemma. That dilemma is if it is acceptable for countries engaged in a conventional war to also engage in cyberespionage. After reading the ACM, the answer to that is a resounding no. The reason for that is in section 1, point 1.2 stipulates that practitioners should avoid causing harm (ACM Code of Ethics Booklet, 2018).

Finally, there is the question of cybersecurity being possible in a global economy. According to ISACA there are eight requirements that every country would need to adopt for cybersecurity. They include: 1) adopting a security by design model, 2) teach cybersecurity awareness to everyone, 3) follow applicable cyber laws, 4) participate in international cooperation, 5) establish and maintain an acceptable level of cybersecurity practitioners, 6) create strong deterrence mechanisms, 7) follow NIST frameworks, and 8) emphasize internet freedom (Ramachandran, 2019). Until these eight requirements are completed, true cybersecurity cannot be achieved in a global economy. The best we can hope for is cyber resiliency.

References

• 18 U.S. Code § 1030 - Fraud and related activity in connection with computers https://www.law.cornell.edu/uscode/text/18/1030 0

• ACM Code of Ethics Booklet. (2018). Retrieved from ACM: https://www.acm.org/binaries/content/assets/about/acm-code-of-ethics-booklet.pdf 

• Mueller, P., & Yadegari, B. (2012). The Stuxnet Worm. Retrieved from University of Arizona: https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/topic9-final/report.pdf 

• Ramachandran, R. (2019, January 23). Cybersecurity and its Critical Role in Global Economy. Retrieved from ISACA:  https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2019/cybersecurity-and-its-critical-role-in-global-economy 

Living in America comes with numerous rights as laid out in the Constitution. One of those rights is covered by the Fourth Amendment and states “the right of the people" to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” (Constitution of the United States: Fourth Amendment, n.d.). This is basically our right to privacy. So, what do I suggest this means? The government is prohibited from searching us and taking our property without a good reason.

When the constitution was written, the technology we have today did not exist. So, this begs the question as to how that technology impacts our right to privacy. Perhaps this is not the right question to be asking. Perhaps the question that we should be asking is, is there a way to adapt the Fourth Amendment so that the technology we have today is included in its protections. The reason I say that is because as I said earlier, the technology we have today did not exist when the Fourth Amendment was written. Let’s look at what was around at that time. Specifically houses, papers, and effects (property). That means the original meaning behind the Fourth Amendment is that the government cannot search a person’s house and take papers or property just because they want to (Brenner, 2005).

So, taking the original meaning into consideration, that would mean that the means of communications that we have today (telephone, email, instant messaging, online communications, etc.) would all be fair game to being searched and taken by the government for any reason. That is because the Fourth Amendment is the basis for property law and what is needed is additional legislation that covers the technology we have today. This is where legislation such as wiretapping laws come into play. What this basically does is provides the Fourth Amendment protections to the technology we have today (Kerr, 2003).

Now, I am all in favor of the Fourth Amendment and any legislation that is associated with it and as such I do not believe the government has an obligation to monitor all internet traffic.

I need to mention the Patriot Act which was enacted after the attack on 11 September 2001. The basic premise of the Patriot Act was to expand the governments’ ability to conduct searches on U.S. citizens with little to no evidence to warrant it. The problem is that some sections reduce the protections of the Fourth Amendment while other sections outright violate it (Surveillance Under the USA/Patriot Act, 2001).

Here is the thing, everyone-I understand why the Patriot Act was pushed through. It was pushed through to prevent another terrorist attack. The problem with it is we have lost our right to privacy for something that does not work. Let me explain my personal observation and opinion further. I don’t know about anyone else, but I would consider all the mass shootings we have had just in 2023 alone to be terrorist attacks.

With all of these attacks, the people committing them posted plans online beforehand and the government knew nothing about it. It was not until after the attack that their online presence was investigated, and the evidence found. Why are we losing our Fourth Amendment right to privacy when we are no more protected than before?

References

• Brenner, S. W. (2005). The Fourth Amendment in an Era of Ubiquitous Technology. Mississippi Law Journal, 75.

• Constitution of the United States: Fourth Amendment. (n.d.). Retrieved from Congress: https://constitution.congress.gov/constitution/amendment-4/

• Kerr, O. S. (2003). The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution. Michigan Law Journal, 801-839.

• Surveillance Under the USA/Patriot Act. (2001, October 23). Retrieved from ACLU https://www.aclu.org/documents/surveillance-under-usapatriot-act 

No matter where we look, we are bound to see an IoT device. So, what exactly is an IoT device? Basically, an IoT device is a device that has sensors, processors, software, and network capability implanted inside them. Some examples include smart home devices (smart thermostats and smart appliances), smart watches, and even self-driving vehicles and Industrial Control Systems (ICS) (Stair & Reynolds, 2020).

Now, while IoT devices were designed to make life easier, they are inherently vulnerable to attack. The reason for that is in their design as they are designed to be pulled out of the box and easily connected to a network via a default username and default password. The reason for this is ease of use, not security.

An example of just how vulnerable IoT devices is and what a threat actor can accomplish with them is the Mirai Botnet attack. The premise of this attack is that in late 2016 several high-profile targets were hit with a Distributed Denial-Denial-of-Service (DDoS) attack. The source of this attack was approximately 600,000 of IoT devices that had been compromised and became a botnet called Mirai. This botnet initially started in August of 2016 and ran until late February 2017 when the threat actor was identified and arrested. The malware used to compromise these devices utilized rapid scanning to find a potential target and once found it immediately started brute-forcing the username and passwords via port 23 (telnet). Once compromised, they sat and waited for the threat actor to issue the commands to start the DDoS attack (Antonakakis, et al., 2017).

What is interesting about this incident is how the threat actor was identified and subsequently arrested. The successful attribution was due to analysis of data gathered through honeypots and DNS data. In addition to that the original source code was published online by the threat actor. So, while this was helpful in leading to attribution, it also paved the way for other threat actors to create their own botnets and add to the ongoing incident (Antonakakis, et al., 2017). The fact that the Mirai Botnet was shut down in five months speaks volumes of the amount of time and effort that went in to fighting this attack.

So, the question that needs to be answered is how we prevent this type of attack in the future. The United States government takes securing IoT devices so seriously that they are included in the 2023 National Cybersecurity Strategy that was published in March 2023. The main strategy mentioned here is the use of labeling. It would be like the labels on food products but instead of providing the ingredients, these labels would provide what security controls an individual device is using. This would allow organizations and private citizens to easily compare multiple devices and choose the one that works best (Biden, 2023).

Also, The Cybersecurity and Infrastructure Security Agency (CISA) has some basic tips that everyone can follow. 1) Change default login credentials (username and password). 2) Keep devices patched and updated. 3) Adjust the devices security settings. The goal is to have enough security but still maintain usability. 4) Decide if the device needs a constant connection to the internet. If it does, then consider placing it on its own network segment (Securing the Internet of Things (IoT), 2021).

References

• Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., & Zhou, Y. (2017). Understanding the Mirai Botnet. Security Symposium, pp. 1093-1110.

• Biden, P. (2023). National Cybersecurity Strategy. p. 20.

• Securing the Internet of Things (IoT). (2021, February 01). Retrieved from CISA: https://www.cisa.gov/news-events/news/securing-internet-things-iot 

• Stair, R., & Reynolds, G. (2020). Principle of Information Systems (14th ed.). Cengage Learning US.

Out of all three elements of the CIA triad, two are questioned after every election. They are integrity and availability. Now, out of those two, integrity gets the most publicity. So, why the disparity between these three elements. Well, integrity is the most important as it is imperative that the American people perceive that the vote they cast has not changed before it is counted (ELECTION INFRASTRUCTURE CYBER RISK ASSESSMENT, 2020). Now, availability comes in second because while it is important for all eligible citizens to vote, when there is a problem (usually mechanical), there are options that can be used to ensure everyone can vote. Finally, confidentiality is last.

So, how did we get to this point? Well, we need to look back at the Help America Vote Act that was signed into law in 2002. While this law came from the federal government, it leaves the decision making up to the individual states as it only set minimum guidelines for what the states could do. Because of this, many states have decided not to update their voting equipment. Specifically, “as of 2016 43 states were using equipment that was 10 years old or older” (King & Michael, 2016).

Why mention that? The reason is because the technology is always changing. First there were only paper ballots, now we can not only electronically vote, but we also can have our paper ballots scanned by a machine. Next on the horizon will be the ability to vote online.

Now, online voting while convenient only makes the integrity more important as with the current technology it would be ripe for cyber-attacks and other fraud related issues. One question that get raised during every Presidential election is that of foreign interference. This would be more prevalent with online voting as virtually anyone anywhere could initiate an attack that could affect both the availability and integrity of the election. Multiple studies on this subject have been conducted by numerous groups of computer experts and the consensus is that a lot of work needs to be done to ensure the availability and integrity of the system before it is implemented (Von Spakovsky, 2015).

References

• ELECTION INFRASTRUCTURE CYBER RISK ASSESSMENT. (2020, July 28). Retrieved from http://CISA.gov : https://www.cisa.gov/sites/default/files/publications/cisa-election-infrastructure-cyber-risk-assessment_508.pdf 

• King, C., & Michael, T. (2016). Security of Electronic Voting in the United States. The CIP Report.

• Von Spakovsky, H. (2015). The Dangers of Internet Voting. The Heritage Foundation.

Cybersecurity is a constantly evolving field, and it is important for organizations to stay up-to-date on the latest threats and trends. One way to do this is to conduct research and documentation.

Purpose of Academic Research

Academic research is the process of gathering information, analyzing it, and drawing conclusions. It can be used to gain new knowledge, improve understanding, and develop new solutions.

In the field of cybersecurity, academic research can be used to:

• Identify new threats and vulnerabilities

• Develop new security measures

• Improve understanding of how cyberattacks work

• Test the effectiveness of security solutions

Relevance to Cybersecurity

Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.

Research and documentation can also help organizations to improve their incident response capabilities. By understanding how cyberattacks work, organizations can develop plans to respond to incidents more effectively.

Definition of "Scholarly" Articles

When conducting research it is critical to use scholarly information. Information from things like blog sites and Wikipedia scholarly information. A scholarly article is a research paper that has been published in a peer-reviewed journal. Peer-review is a process in which experts in the field review the paper and provide feedback before it is published.

Scholarly articles are an important source of information for cybersecurity professionals. They provide up-to-date information on the latest threats and trends, and they can help professionals to develop and implement effective security measures.

Cybersecurity Example

A recent study by the Journal of Medicine found that hospitals are at high risk of cyberattacks. The study found that the complexity of hospital networks makes them easy targets for attackers. The study also found that two factors that correlate to the amount of risk a hospital has to being attacked are network complexity and internal stakeholders.

The study's findings highlight the importance of research and documentation in cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack.

Conclusion

Research and documentation are essential for effective cybersecurity. By understanding the latest threats and trends, organizations can develop and implement security measures that are more likely to protect them from attack. There are many resources available online and in libraries. You can also find a wealth of information by attending conferences and workshops. By staying up-to-date on the latest threats and trends, you can help to protect your organization from cyberattacks.

References

• Carcary, M. (2021, February 23). The Research Audit Trail: Methodological Guidance for Application in Practice. Electronic Journal of Business Research Methods.

• Jalali, M. S., & Kaiser, J. P. (2018, May 28). Cybersecurity in Hospitals: A Systemic, Organizational Perspective. Journal of Medicine.

• Morganelli, M. (2023, April 10). What is a Scholarly Source. Retrieved from SNHU: What is a Scholarly Source?

• Scholar. (n.d.). Retrieved from Merriam Webster: Definition of SCHOLAR

QR codes are everywhere, and they are here to stay. They show up on TV during daytime talk shows. They show up during televised sporting events. They are used in restaurants to access menus. They are used to pay for parking in some cities. They are even used to set up MFA. I recently had to use one to Add ECPI to a Block Cert wallet so they can send me a digital copy of my degree. It is futile to attempt to avoid using them at some point. Now, there are risks associated with QR codes as criminals can create fake malicious sites to get money, or personal information. So, how do we stay safe when using them?

Great question! Here are some tips to help you stay safe when using QR codes:

1. Only scan QR codes from trusted sources. If you see a QR code in a public place, such as on a poster or flyer, be careful before scanning it. It could be linked to a malicious website or app. Only scan QR codes from sources that you trust, such as businesses or organizations that you know.

2. Check the URL before scanning. When you scan a QR code, your phone will show you the URL of the website or app that it is linked to. Take a moment to check the URL before you click on it. If the URL looks suspicious, don't click on it.

3. Use a security app. There are numerous security apps available that can help you scan QR codes safely. These apps can scan QR codes for malicious content and warn you if they find anything suspicious. One of those is the “QR Scanner” from Trend Micro. It not only blocks dangerous sites that are associated with the QR code, but it also alerts the user of the danger.

4. Be aware of phishing scams. Phishing scams are a common way for hackers to steal personal information. In a phishing scam, the hacker will send you a message that looks like it is from a legitimate company. The message will ask you to click on a link or enter your personal information. If you receive a message from a company that you do business with, don't click on any links in the message. Instead, go to the company's website directly and log in there.

By following these tips, you can help to protect yourself from the risks associated with using QR codes.

Additional tips:

• If you are using a public Wi-Fi network, be especially careful when scanning QR codes. Hackers can use public Wi-Fi networks to intercept your traffic and steal your personal information.

• Keep your phone's operating system and security software up to date. This will help to protect your phone from known vulnerabilities.

• Be aware of the risks associated with scanning QR codes from unknown sources. If you are not sure whether a QR code is safe, do not click on it.

Ever We all know that backing up our organizations data is critical to being able to recover from a disaster or incident. Now, there are numerous methods that can be used to accomplish data backup. They include external hard drives, USB drives, optical media (cd’s or dvd’s, cloud storage, and finally Network Attached Storage (NAS). The Network Attached Storage (NAS) is going to be the focus of this blog.

So, what is a NAS? Basically, it is a dedicated file storage system that is attached to a network. One concept that is associated with a NAS is RAID (Redundant Array of Independent Disks). Some of you might be wondering what RAID and that is a good question. A RAID is a data storage virtualization technology that combines multiple physical disks into one or more logical units. Now, the reason this is done is for redundancy.

When using RAID, there are several configurations that can be utilized. They all have pros and cons that need to be considered to ensure the most appropriate configuration is used. Those configurations are discussed below.

Raid 0 – With this configuration the data is split up and written (striped) among all the disks.

· Advantages – an increase in the number of drives equals better performance. Good for applications that need high throughput.

· Disadvantages – No redundancy

Raid 1 – With this configuration, even number of disks are utilized, and the same data is written to all disks (mirroring).

· Advantages – provides redundancy.

· Disadvantages – costly

Raid 3 – With this configuration the written to every drive except one and uses parity for error correction. The last drive is used for parity, which is a way to protect the data from a drive failure without the added cost of mirroring.

· Advantages – Good performance for applications that need large sequential data access.

· Disadvantages – Requires 1.25 times the size of the data disks. Rarely used.

Raid 4 – Same as Raid 3 except striping is done at block level versus at the byte level (Raid 3).

· Advantages – can write to a single disk without rewriting an entire stripe.

· Disadvantages – Write performance suffers due to single parity drive.

Raid 5 – With this configuration, the drives utilize striping and are also able to be independently written to.

· Advantages – there is no dedicated parity drive. Parity info is evenly split among all drives in the array. Error correction is available. Since all blocks of data are written at the same time there is improved read/write times. Can survive one disk failure.

· Disadvantages – none to speak of

Raid 6 – This configuration is like Raid 5 except for an additional parity element.

· Advantages – able to survive two drive failures.

· Disadvantages – Requires a minimum of four disks. Since there are two parity elements, rebuilding the failed drives will take longer (Services, EMC E, 2005)

References

Services, EMC E. Information Storage and Management: Storing, Managing, and Protecting Digital Information in Classic, Virtualized, and Cloud Environments. Available from: ECPI, (2nd Edition). Wiley Professional Development (P&T), 2005.

Ever since listening to CyberWire Daily podcast back in October 2020 and hearing about an Advanced Persistent Threat (APT) group named Fancy Bear, I have always wondered how these groups got their names. Then recently I found out that the same group can have multiple names which adds to the confusion. This topic has come up within the past couple weeks or so, so I thought it would be a good idea to try to reduce some of the confusion by breaking down how these groups get their names and why it is usually multiple names.

Let us start with the easiest question. Why are there multiple names for the same APT group? The short answer is because each research company (Microsoft, Mandiant, etc.) has their own naming convention. For example, Microsoft names APT groups utilizing the periodic table however, it was announced last week that they are changing their convention to a weather-themed naming convention. Now, some other companies like CrowdStrike utilizes the word “Panda” for Chinese groups, “Bear” for Russian groups, “Kitten” for Iranian groups, and “Chollima” for North Korean Groups. Symantec gives APT groups names of insects and finally Palo Alto names APT groups using constellations (Sabin, 2022).

So, with that out of the way, we need to address why the naming convention is not standardized. Basically, there are three reasons why the naming convention is not standardized. Those reasons are human, technical, and operational. Let us look at each one closer:

Human

·         The operation conducted is used as the APT’s name.

·         The name of the malware used is given as the APT’s name.

·         The research companies do not relate their research to the research of other companies.

·         Media refuses to correct wrong mapping in public articles.

Technical

·         Different companies see different aspect of the same thing. For example, one company only sees the TTP’s while another only sees the C2 infrastructure.

·         Either an APT group splits up or multiple groups combine.

·         Multiple APT groups share their tools with each other.

Operational

·         Each company using their own naming convention gives them the ability to take their research in any direction they want.

·         Each company may feel that by using another company naming convention signals that the other companies research is more complete than their own (Roth, 2018).

So, while the reasons behind all the different names makes sense, there is still the argument for a standard naming convention. I mean communication between organizations alerting each other to IoC’s that are being noticed is vital, so why can’t these security research companies communicate and collaborate with each other. I have said it before that no one organization can be successful on its own. Everyone must work together to defeat our adversaries.

References

·         Roth, F. (2018, March 25). The Newcomer's Guide to Cyber Threat Actor Naming. Retrieved from Medium: https://cyb3rops.medium.com/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263

·         Sabin, S. (2022, September 20). Cyber Firms Explain Their Ongoing Hacker Group Name Game. Retrieved from Axios: https://www.axios.com/2022/09/20/cyber-firms-hacker-group-name-game

Disasters whether natural or man-made are inevitable. Every company no matter the size or location is going to experience one. How quickly they recover, if at all, depends on whether they have a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster, close their doors forever (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).

For a BC / DR plan to be successful the following five steps should be taken.

1. Be proactive with planning – Basically what this is saying is to create a list of as many conceivable disasters as possible. The imagination is the only limiting factor here if the disaster is conceivable. For example, a company in North Dakota planning for a hurricane is not conceivable.
2. Identify the organizations critical functions and infrastructure – This is the time a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses causes of disruptions and the repercussions of those disruptions.
3. Create emergency response policies and procedures – This is the meat and potatoes of the process. Creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.
4. Document backup and restoration process – This involves writing down the procedures for backing up the companies’ data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.
5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing it comes in. Testing a plan makes the employees familiar with it which results in them being able to respond quicker. This is paramount in a disaster where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).

When creating the BC plan, one of the main things to consider is the backup location. This location may have its own risks from disasters that need to be anticipated. Six items that need to be considered when choosing a backup location include:

1. Natural Disaster - Depending on the location, especially if it is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The way to mitigate this is if feasible to pick a location further away.
2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power, or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or find a location where employees are close by that may be able to walk to get to the site.
3. Human Error – Humans are not psychic. We need to be passed information. A company may have the best BC /DR plan ever created however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.
4. Cyber Attack – While transferring the data to the backup site, companies need to ensure that their customers information is safe and not going to be subject to a cyber-attack. This can be mitigated by ensuring devices at the backup location are constantly patched and updated, anti-virus is used, and data is encrypted.
5. Compliance – No matter where the company is operating of, whether it is the primary location or the backup site, they still need to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location. That means whenever something is done to the primary location, it is also done to the backup location.
6. Physical Security – Physical security is just as important as securing the companies data. There are a couple ways to achieve this. The company could invest in a security system to include cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).

References
An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: 

5 steps to creating a backup and disaster recovery plan

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies

A honeypot is a security measure that creates a virtual trap to lure attackers into targeting a particular part of an organizations network. There are two classifications of honeypots depending on how they are used. First, is a production honeypot. These are used by large organizations and companies. Second, is a research honeypot. These are used by educational institutions, governments, and militaries. No matter the classification their purpose is to gain knowledge of threat actors’ tactics, techniques, and procedures (TTP’s) (EC-Council 2020).

So, basically honeypots can fall into one of three categories: Low-interaction honeypot, medium-interaction honeypot, or high-interaction honeypot. Now, the low, medium, and high represent the services the threat actor can see. For the low-interaction honeypot, there is a limited number of emulated services. The medium-interaction honeypot has more emulated services. Finally, the High-interaction honeypot has nothing emulated. It is basically a real-world vulnerable system (Mahmoud, 2019).

Are there any legal or ethical implications to using honeypots? The answer is maybe, depending on its purpose, there could be legal implications in using honeypots. Reason for that is, what are honeypots designed to do. They are designed to lure threat actors into gaining access and attacking those systems thinking they are attacking an organizations actual system. Well, in legal terms, that is called entrapment. So, depending on the reason for the honeypot, for instance, researching threat actors to better bolster network security will probably not trigger a law enforcement response. Now if the purpose is to prosecute these threat actors, that is a whole other story as it may trigger a response in the form of a claim from the threat actor. It may also leave the organization open to regulatory action and it may even subject the organization to criminal prosecution for hacking (Overly, 2019).

The bottom line is that if an organization wants to setup a honeypot, it would be best to consult an attorney and that specializes in information security and law enforcement to get some advice beforehand. This will ensure that the organization is in compliance with 18 U.S.C Section 1030 which has a statement in it that exempts lawfully authorized investigative, protective or intelligence activity of a law enforcement agency of the United States (Section 1030. Fraud and related activity in connection with computers, n.d.)

References:

• EC-Council (2020). Certified Ethical Hacker (CEH) Version 11 eBook w/ iLabs (Volume 3: Web Attacks and Defense). International Council of E-Commerce Consultants (EC Council). VitalSource Bookshelf Online

• Mahmoud, R. V. (2019). Deploying a University Honeypot: A Case Study. Retrieved from ceut-ws: http://ceur-ws.org/Vol-2443/paper03.pdf 

• Overly, M. R. (2019, November 25). Avoiding the Pitfalls of Operating a Honeypot. Retrieved from CSO Online: Avoiding the pitfalls of operating a honeypot

• Section 1030. Fraud and related activity in connection with computers. (n.d.). Retrieved from House.gov: 18 USC 1030: Fraud and related activity in connection with computers

We have all “failed” at something. Whether it was a test in school, running a business, maybe even a marriage, etc. Now, let me ask what does fail really mean? According to Google, fail as a verb has two meanings 1) to be unsuccessful at something. 2) To neglect to do something. To me both sound negative. My goal with this blog is to take the first definition and look at it from a different perspective as it does not necessarily have to have a negative connotation.

Let us look with the first meaning “to be unsuccessful at something”. Now, we have all been unsuccessful at something at some point in our lives. Whether it was a test in school, running a business, maybe even a marriage that ended in divorce, etc. All of these can be seen as things we may have “failed” at. Now personally, I have “failed” numerous tests in school, and I “failed” running a business and I have felt bad about both as I am sure everyone else has when we “fail” at something. So, why do we feel bad when we “fail” at something? The reason we feel bad is due to the negative connotation that surrounds that word.

What if we look at “fail” from a different perspective. The word “fail” can be looked at as an acronym. That acronym is First Attempt in Learning. Let us look at the above examples in a different light. For example, a year ago, I took my first certification test. It was the CompTIA CySA+ and I missed passing it by 32 points. Essentially, I failed it because I did not get the minimum passing score however, the fact that I learned the format of the exam and learned that I had studied old material, it was a success. Now in terms of running a business, I had one when I first retired from the military. I had to shut it down after three months, so essentially it failed. Now, given that it was a learning experience in what not to do next time, it was a success. The point is that if lessons are learned, then whatever is seen as a “failure” is not unsuccessful, thus making the first definition inaccurate. If that makes sense?

So, do not be afraid to try something new, because when we do and “fail” at it, that is when we not only learn about the new thing we tried but also we learn more about ourselves. It is how we grow as human beings. 

There is a saying in the cybersecurity field. That saying is “compliance does not equal security”. Now, when I first heard about this, my first thought was why doesn’t it. The reason I asked that is because of my 20 plus year experience in non-IT regulatory compliance. In these cases, especially regarding safety, if we were compliant with the regulations, we were certain things were going to be safe. So, compliance not equaling security confused me for a bit.

After finally being able to do some research, it turns out to be a true statement. Compliance does not equal security for three reasons. 1) Regulatory updates are not keeping pace with technology advancements. 2) There are instances when multiple regulations that govern an organization contradict each other. 3) Organizations simply check the box, saying they are compliant because they are required to do so, not because they see value in the regulations.

Now, let me talk about each of these three points. 1) Regulatory updates are not keeping pace with technology advancements. This absolutely makes sense. My experience with the Air Force is that they update their regulations every few years as things change. The cybersecurity field seems to not have that mentality. Take for example the Computer Fraud and Abuse Act (CFAA). The CFAA was passed in 1986 and is not only still applicable 37 years later, but also in serious need of an update. That is just one example of the numerous regulations that need to be updated. Updating outdated regulations is one of the goals of the 2023 National Cybersecurity Strategy.

Now, let us move onto point number 2. There are instances when multiple regulations that govern an organization contradict each other. It is highly probably that on organization can be governed by more than one regulation and by complying with one means not complying with another one. When I first started studying cybersecurity and saw that an organization can be governed by more than one regulation, I asked what they are supposed do, which one takes precedence. The reply I got was that all applicable regulations get followed. Now, I realize that is not always possible. This is something that the 2023 National Cybersecurity Strategy wants to remediate. This is desperately needed.

Finally, let us look at point number 3. Organizations simply check the box, saying they are compliant because they are required to, not because they see value in the regulations. I do not understand how we got to this point. Is it because regulatory updates are not keeping pace with technology advances? Is it because there are instances when multiple regulations that govern an organization contradict each other? Is it possible that the current regulations are a bit ambiguous? Going back to my Air Force career, the regulations that I dealt with every day were specific in their requirements and non-compliance had consequences.

So, how do we as cybersecurity professionals rectify this? Like I said earlier, points 1 and 2 are basically covered by the 2023 National Cybersecurity Strategy. The problem is that the timeline for completion is unknown. Point 3 on the other hand, we have influence in. I think this is where being able to translate the technical verbiage into business verbiage and communicating how the regulations affect the business is critical. I would love to hear if you all have any thoughts or ideas on this. 

One day till my CompTIA CySA+ exam. So, for this last blog before the exam, I thought I would talk about corporate cybersecurity documentation. Having clear and precise documentation is critical if an organization is to have a successful cybersecurity program. There are four types of documentation that I will cover below, 1) policies; 2) standards; 3) procedures; 4) guidelines:

1. Policies – This type of documentation describes the organizations intent regarding a particular subject. As such, they are typically signed by the CEO. There is no set length for a policy, it just needs to completely cover the intent of the organization. The biggest take away here is that compliance is mandatory.

2. Standards – This type of documentation tells how the organization will implement the policy. Compliance here is also mandatory. Standards do not have to be signed by the CEO. Someone at a lower level can approve these.

3. Procedures – This type of documentation provides a step-by-step process for completing a specific task. Just like policies and standards, compliance with procedures is also mandatory. This could also be considered a checklist or even a playbook.

4. Guidelines – Compliance with this type of documentation is not mandatory however, probably highly recommended. The reason for that is because guidelines consist of best practices and recommendations. They are simply meant to be helpful advice.

I will post on LinkedIn my results. I want to thank everyone that has followed this journey and sincerely hope there was value from these posts. I will be on vacation for the next couple weeks so I will not have a blog until 1 March.

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

Alright everyone, just eight days 'til my CompTIA CySA+ exam. For this week’s blog, I thought I would talk about the various containment strategies once an incident has been discovered. If you remember from last week, I mentioned the different phases of incident response. Containment is one of those phases.

When we talk about containment, we are talking about restricting the movement of the threat actor to the systems or part of the network they already have access to. This also means not providing a path to the rest of the network. There are four ways in which to restrict that movement, noted below:

1. Proactive Segmentation – This is typically accomplished during the preparation stage with the goal of reducing organizations attack surface. This is also used as part of a defense in depth strategy. When configured correctly, it will prevent a threat actor from moving from one segment of the network to another.

2. Segmentation in response to an incident – This strategy takes segmentation one step further. Let’s say for example that only a couple of computers on a segment have been compromised. What would happen is that those computers would be placed in their own separate segment. This would restrict the threat actor’s ability to compromise the rest of the segment and prevent movement through the rest of the network.

3. Isolation – This is a third option that takes segmentation even further by completely disconnecting the compromised systems from the rest of the network yet retaining their internet connection. The goal is to ensure that the threat actor has no way to move through the network. The threat actor does however maintain access to the compromised systems.

4. Removal – As the name suggests, with this strategy compromised systems are completely removed from the network and the internet. This absolutely ensures that movement through the network is impossible. It also cuts off the threat actors’ access to those compromised systems. Now there is one critical aspect that we all need to be mindful of when deciding to remove compromised systems from a network and internet. That is, it may still be possible to lose all the data stored on those systems. There is a chance that the threat actor installed a script designed to delete all data when access is lost. The way the script would know is by using a separate script designed to reach out to an external host. Think of it as a ping request. When there is no response, the second script runs deleting all the data.

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

With only two weeks left until my CompTIA CySA+ exam, I am moving right along. This week I will be discussing the Phases of Incident Response, which is Chapter 11 of the CompTIA CySA+ Exam Study Guide CSO-002.

Before I get into the phases of incident response, we must define a couple terms and determine what constitutes a security incident. Those terms are security event, an adverse security event, and a security incident:

1. Security event – Literally anything that typically occurs on a network. These are things such as accessing a file, changing permissions on a folder, or a port scan by a threat actor.

2. Adverse security event – These are things that have a negative impact on a network. Think of this in terms of an actions that affects the CIA triad. Examples are the introduction of malware, a server crashing, or even a person accessing a file they do not have permission to access.

3. Security incident – this is either a direct violation or a threat of violation of policies, or standards. Some examples of an incident include a DoS/DDoS of a website, a threat actor installing a keylogger to capture login credentials, or the accidental loss of sensitive information.

Now that is out of the way, we can move onto the phases of incident response. There are four phases to incident response. Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity. All of these will be discussed in detail below:

1. Preparation – This is the time when an incident response team is established, policies and procedures are created, required equipment is purchased, and applicable training is conducted. Other actions to reduce the attack surface of an organization are also conducted.

2. Detection and Analysis – As the name suggests, this is where incidents are detected and analyzed. There are basically four ways that incidents are detected.

• a. Alerts – These come from things like IDS / IPS, SIEMS, antivirus software, file checking software or other monitoring services.

• b. Logs – Logs can come from anywhere to include the operating system, network devices, various services, applications, and even network flows.

• c. Publicly Available Information – These are notifications resulting from vulnerabilities / exploits published by other organizations.

• d. People – This is employees noticing and reporting abnormalities that may indicate an incident has occurred or is occurring.

3. Containment, Eradication, and Recovery – After it has been determined an incident has occurred or is occurring, this is where we first limit the damage being caused by limiting the malware’s access to the rest of the network. Once this is accomplished, we move on to removing the malware from the infected systems. After the infected systems have been cleaned up, we can move on to recovery. This is where we get everything back to normal operations.

4. Post Incident Activities – Once everything is back to normal, the incident response is not completely over. There is one final step that is important to accomplish. That step is a lesson learned review. In the military this is called a “Hot Wash”. Basically, what this is, is a formal review where everyone involved get together and go back over the incident noting what went well and what needs to be improved. 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

For week 7 of my journey to become CompTIA CySA+ certified I will be looking at software testing. When software is developed, no matter what it is, should be done with security in mind.

One way to ensure that software is secure is through testing. This testing is broken down into two types: 1) static code analysis and 2) dynamic code analysis. Both will be discussed below.

Static code analysis – This is also known as source code analysis. The premises behind this is looking at the source code. So, as you all can guess by the name, with this type of analysis the code is not run. It is simply reviewed either manually or using automated tools. The purpose of it is to understand the logic behind how it is written.

Dynamic code analysis – In this type of analysis, the code is run to see how it responds to various input. It can also be completed either manually or through automated tools. There are six types of testing that can be used in this type of analysis.

1. Fuzzing – Also known as Fuzz testing. This type of dynamic code analysis uses invalid or random data entered by the user to see how an application responds. What analysts are looking for are if the application crashes, fails, or responds incorrectly. This is most useful for finding simple problems.

2. Fault Injection – While this type of analysis sounds like Fuzzing, there is a difference. That difference is that random data is entered into the error handling paths to see how the application responds. Due to the propensity of human error, this test is best completed by using automated tools.

3. Mutation Testing – This type of analysis is like Fuzzing and Fault Injection. The only difference here is that the program itself is modified slightly. These modified versions are then tested and if they fail, they are discarded. This information is just what is in the CompTIA CySA+ study guide. I do not completely understand the whole point behind it.

4. Stress / Load Testing – In this type of analysis, an application is subject to actual use. The purpose is to basically see the maximum number of users the application can handle before issues arise. Fault Injection testing can also be implemented during this type of test again to see how the application reacts.

5. Security Regression Testing – This type of test is completed when changes are made to an application, more specifically when a patch is applied. This test ensures that there are no new issues, such as vulnerabilities, misconfigurations, etc. This testing is conducted by using standard automated tools.

6. User Acceptance Testing – While all the other five tests are important, this one is probably the most important. I say that because this test allows the user to validate that the application meets or exceeds their usability expectations. If an application fails this test, then the other five do not matter because the application will most likely be scrapped or sent back to be redone. That means all six tests would have to be redone as the application would have changed. 

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

Week 6 of my journey to become CompTIA CySA+ certified. For this post I will be covering the various authentication protocols. Authentication is the first part of the AAA, which stands for Authentication, Authorization, and Accounting (AAA). When accessing a network, we must give the network credentials that it can use to prove that we are legitimate users of that system. These credentials are our identity to the network. This is what the network uses to prove or authenticate that we are legitimate users.

Now, there are various protocols that can be used in the authentication process. I will cover the three that are in the CompTIA CySA+ Exam Study Guide CSO-002. They include TACACS+, RADIUS, and Kerberos.

TACACS+ - The Terminal Access Controller Access Control System + (TACACS+) is an expanded service of the original TACACS. One thing to keep in mind about this protocol is that there are a couple of issues with it:

1. The traffic is sends is not checked for integrity. That means that a threat actor can make changes to the traffic sent or they can utilize a replay attack.

2. TACACS+ also utilizes an insecure encryption algorithm. This means that the threat actor can discover the encryption key.

So, what is the compensating control that can be used when changing protocols is not possible? The best practice is to place devices using TACACS+ on its own administrative network that is isolated from everything else.

RADIUS – Remote Authentication Dial-in User Service (RADIUS) the most widely used AAA service. This service is used in client-server networks and runs both TCP and UDP. Passwords are hashed using MD5 while in transit from client to server. So, it is more secure than TACACS+ but there is room for improvement.

Kerberos – This protocol is designed specifically for untrusted networks. All traffic is encrypted. There are three aspects associated with Kerberos:

1. Principles, which are users.

2. Instance, used to differentiate similar primaries.

3. Realms, which are groups of principles. These are based on trust boundaries.

Something to keep in mind is that Windows Active Directory utilizes Kerberos for authentication.

Until next week!

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

Week five of my 10-week journey to becoming CompTIA CySA+ certified, I am halfway through. This week is all about Security Controls. What are security controls? Security controls are implemented to “prevent, detect, counteract, or limit the impact of security risks” (Chapple & Seidl, 2020). These controls are divided into two groups: 1) How they are applied and 2) what the control is designed to accomplish.

Let us look at each group starting with controls based on how they are applied. Now, depending on you we talk to, there are three maybe four controls that fit in here. They include:

• Technical controls – these are things like “firewalls, IDS / IPS, network segmentation, authentication / authorization systems”, etc (Chapple & Seidl, 2020).

• Administrative controls – These are nothing more than policies and procedures.

• Physical controls – Think items used in physical security of property

• Legal controls – Possible fourth control. As the name suggests, these are controls that are required to be implemented by law. Could also be lumped in with administrative controls.

Now, we can move on to the controls based on what they are designed to accomplish. There are three in this group:

• Preventive controls – As you can guess by the name, these controls are designed to prevent an incident. We are talking about things like “firewalls, awareness training, security guards” (Chapple & Seidl, 2020).

• Detective controls – These are designed to discover an incident and report

• Corrective controls – These controls are designed to either clean the network and or reduce the impact of the incident. These include things like applying software updates / patches, using antivirus / antimalware, and utilizing backups.

Finally, there is one more type of control that does not fit into either group. The reason for that is this control is designed to be an alternative when one of the others cannot be used for whatever reason. The name of this control is called a compensating control.

References

Chapple, M., & Seidl, D. (2020). CompTIA CySA+ Study Guide Exam CSO-002. Indianapolis: John Wiley and Sons: CompTIA CySA+ Exam Study Guide CSO-002

For week two of this 10-week excursion into CompTIA CySA+ I will be discussing the various attack frameworks.  These frameworks are utilized by organizations attempting to predict how an adversary will probably attack their organization.  This allows them to create defenses that are more likely to be effective in the event of an attack. 

According to the CompTIA CySA+ Study Guide, there are four attack frameworks that we should be familiar with.  They are 1) MITRE ATT&CK Framework, 2) The Diamond Model of Intrusion Analysis, 3) Lockheed Martin’s Cyber Kill Chain, and 4) The Unified Kill Chain.  I will go into further detail about each framework in the following paragraphs.

The first framework we will look at is the MITRE ATT&CK Framework.  The MITRE corporation created the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework as a way for organizations to have access to common descriptions, tactics, techniques, and procedures of known adversaries.  The good thing about this framework is that there is no cost to access it.  To access it, just go to https://attack.mitre.org.  On the first page is the ATT&CK matrix.  There is a plethora of information regarding adversary TTPs available.

The second framework is the Diamond Model of Intrusion Analysis.  The key thing to remember about this is that it is relationship based.  All the vertical lines of the model are called events.  So, the way this works is that analysts try to find as much information as they can by tracing the relationships between the events.

I am currently studying for the CompTIA CySA+ exam, which stands for the CompTIA Cybersecurity Analyst.  Over the next 10 weeks, I will be picking topics from the CompTIA CySA+ Study Guide.  This first blog in the series will cover risk.

The concept of risk is a major player in the world of cybersecurity.  As professionals we constantly talk about our organizations risk acceptance aka risk appetite, but how do we define what a risk is.  To define a risk, we need to discuss two other concepts.  The first concept is vulnerability, which is nothing more than a weakness.  The second concept is a threat, which is any outside force that can exploit a vulnerability.

Now, there are a couple of ways to look at risk.  1) We can look at it as a mathematical equation which looks like “Risk = Threat X Vulnerability”.  Keep in mind that with this type of representation, there no numerical values to be entered.  It is merely a statement that to have a risk, an organization must have both a vulnerability and a threat that can exploit it.  2) Look at it through the lens of a Venn Diagram, below:

In my last blog, I discussed the reasons why organizations should not pay adversaries when they are the victim of a ransomware attack. In this blog, I will discuss things organizations can do to facilitate recovery from an attack.

There are numerous things an organization can do to avoid paying a ransom in the event of an attack. The thing is that these need to be completed before an attack. That means organizations need to change their mindset of “we will not be attacked” to “we will be attacked at some point”. Only then will the following be effective.

One thing that is an absolute must are backups of your data. Now, in the case of backups, there is a generally accepted rule that should be followed. It is called the 3-2-1 backup rule. It breaks down like this. 3 total copies of the data (1 original, 2 copies). Now, the 2 copies need to be saved on two different types of media. The media could be anything if they are different types. Finally, 1 of the copies needs to be stored off site. Cloud storage covers the last two (Elliot, n.d.).

Something else that is a necessity is an Incident Response Plan. A word of advice regarding this, make sure to print out a copy so it can be used in case of an attack. It is useless if it is saved on either a workstation or server that is locked with ransomware. Luckily, our friends at NIST have a special publication that spells most of the elements out. NIST SP 800-61r2 states 8 elements that should be in any Incident Response Plan. Those elements are:

1. Statement of management commitment

2. Purpose of the policy

3. Scope of the policy

4. List of definitions

5. Organizational structure

6. Prioritization or severity ratings of incidents

7. Performance measures

8. Reporting and contact forms (Computer Security Incident Handling Guide, 2012)

These next few steps are designed to make the organization a hard target. In case some of you are wondering what a hard target is, it is a term the military uses to describe an entity that has a low susceptibility to an attack. The reason I say low susceptibility is that there is no way to get the susceptibility level to zero. If an adversary wants to get onto a network, they will. So, the goal is to make it as difficult as possible, make them waste so much time that simply give up and try to attack another organization. This is accomplished by:

1. Consistent user training

2. Keeping Operating Systems, software and applications up to date

3. Using anti-virus and anti-malware software (Ransomware, n.d.)

The good thing about taking the above steps is that they help protect against more than just ransomware.

The one thing that I want everyone to take away from this is that we need to ensure our organizations are prepared. I say that because it is 2022 almost 2023 and from what I can tell is that every organization is fair game to ransomware. It is not longer a matter of if an organization is going to become a victim, but rather when will it become a victim. So, by having an Incident Response Plan and testing it, training our users, updating software, and using anti-virus / anti-malware software, our organizations will hopefully not have to struggle with the decision whether to pay a ransom and face a fine from the government because the ransomware group is on the sanctions list or have their data released on the dark web.

References

• Computer Security Incident Handling Guide. (2012). Retrieved from NIST

• Elliot, J. (n.d.). What is the 3-2-1 Backup Rule?. Retrieved from US Chamber

• Ransomware. (n.d.). Retrieved from FBI

We may all remember back in September, the Los Angeles Unified School District becoming a victim of a ransomware attack. A month later, we heard about Medibank, the largest insurance company in Australia, also becoming a victim of a ransomware attack. So, besides both joining the club of ransomware victims, what else do they have in common? Well, both organizations decided not to pay the ransom. In this blog I will discuss some of the reasons why an organization may not want to pay a ransom.

There are three main reasons an organization may not want to pay a ransom:

1) There is no guarantee that the organization will regain access to its information.

2) It almost guarantees that the organization will be attacked again.

3) It may be illegal to pay the ransom.

Let's take a deeper dive into each:

1. There is no guarantee that the organization will regain access to it information. Even though the ransomware group promised to provide a decryption key once a ransom was paid, it is possible that they will simply take the money and run and not provide that key (Fruhlinger, 2020). The main thing to remember is that the organization is dealing with criminals and ethics, or integrity are not necessarily in their vocabulary

2. It almost guarantees that the organization will be attacked again. According to a report that came out earlier this year, 80% of the organizations that were victims of a ransomware attack and paid the ransom were attacked a second time (Townsend, 2022). The reason for this is that by paying the ransom, the organization is telling the group they are willing to pay to get their information back. So, naturally the group is going to see them as an easy way to make money.

3. It may be illegal to pay ransom. I would say that this is the primary reason not to pay a ransom. You see there is an office within the U.S. Treasury Department called the Office of Foreign Asset Control (OFAC). This office is responsible for sanctioning not only the ransomware gangs, but also any other entity that sponsors, or provides any type of support for these activities (Advisory on Potential Sanctions Risks For Facilitating Ransomware Payments, 2020).

So, how did OFAC obtain jurisdiction to provide policy on ransomware? Well, the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) delegates jurisdiction to OFAC. Now as part this jurisdiction, they are responsible for not only creating the lists of entities that U.S. citizens cannot conduct transactions with, but also with enforcing those embargoes.

In next week’s blog I will discuss some of the things that organizations can do to protect themselves from becoming a victim of a ransomware attack.

References

• Advisory on Potential Sanctions Risks For Facilitating Ransomware Payments. (2020, October 1). Retrieved from Treasury Department: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

• Fruhlinger, J. (2020, June 19). Ransomeware Explained: How it Works and How to Remove it. Retrieved from CSO Online: 

• Ransomware explained: How it works and how to remove it

• Townsend, K. (2022, June 08). It Doesn't Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again. Retrieved from Security Week: It Doesn't Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again | SecurityWeek.Com

There is one aspect of cybersecurity that get very little fanfare. That aspect is the insider threat. An insider threat is in my opinion the most dangerous type of cybersecurity attack. I say that because most of the time it involves an employee of an organization which obviously has inside knowledge of the organization and has easier access to the data then an outsider would. Below is a recent case of an insider threat.

This past September, an information security designer by the name of Jareh Sebastian Dalke received a visit from the FBI in Denver Colorado. Mr. Dalke was arrested and charged with three counts of violating the Espionage Act. Apparently, he reached out to someone that he thought worked for a foreign government and told this individual that he had classified documents for sale. The two agreed to an $85,000 price. According to the story, in order to prove that what he had was legit, Mr. Dalke sent the foreign government official, who was actually an FBI agent, snippets of the documents which had the classification markings on them (Kelley, 2022).

This incident which occurred only two months ago is a perfect example of an insider threat, which is the subject of this blog. One disclaimer about this case. Mr. Dalke has only been charged with violating the Espionage Act. He is innocent until he is proven guilty by a jury of his peers (Kelley, 2022). I will discuss what an insider threat is, how to spot one, and what to do if you suspect there is an insider threat in your organization.

Before we can discuss what an insider threat is, we need to define what an insider is. Basically, an insider is anyone whether it is an employee or contractor that an organization trusts to give access to their resources. It can also be a vendor, custodian, or even a repair person. The Cybersecurity and Infrastructure Security Agency (CISA) has an extensive list of who could be considered an insider (Defining Insider Threats, n.d.).

The essence of an insider threat is the potential that an insider, which was described above, will use their access or knowledge of their organization’s resources for nefarious reasons. According to CISA, those reasons include:

• Espionage

• Terrorism

• Unauthorized disclosure of information

• Corruption

• Sabotage

• Workplace violence

• Intentional or unintentional loss or degradation of organizational resources or capabilities (Defining Insider Threats, n.d.).

An insider threat can take one of three forms:

• Unintentional threat

  • Negligence – This type of threat occurs when someone inside the organization that has been trained on the IT or security policies knowingly does not follow them.

  • Accidental – This type of threat occurs when someone inside the organizations knows what the IT and security policies are, but simply makes a mistake and possibly forgets to follow them.

• Intentional threat – This type of threat occurs when someone inside the organization takes actions to intentionally circumvent IT and security policies to cause harm to the organization. These threats are considered malicious in nature.

Other threats:

• Collusive threats – This type of threat occurs when two or more people inside the organization work together to circumvent IT and security policies resulting in harm to the organization.

• Third-Party threats – These threats originate from people that are not part of the organization. They could be contractors, vendors, or even outside visitors (Defining Insider Threats, n.d.).

Let's take a look at what may be indicators of an insider threat. One thing to keep in mind regarding any indicators is that just because an employee of an organization, remember from above that most cases of insider threat are employees, shows any one of these signs does not necessarily mean they are an insider threat. What needs to be noted is when an employee shows multiple signs below. The takeaway? If something does not seem right, say something to your supervisor or manager:

• Poor performance Appraisals – No one likes to get a poor appraisal from their supervisor/manager. While an employee getting a poor appraisal would not be an indicator in and of itself, the thing to watch out for is if they are overly vocal about it. That may mean they are disgruntled and willing do cause harm to the company.

• Voicing Disagreements with Policies – Not everyone is going to like organization policies and that is fine. The thing to watch out for is like the first indicator, employees that overly critical and vocal about their dislike for the policies.

• Disagreements with Coworkers – It is not the disagreement itself that can be an indicator, but rather how the employees handle themselves after the disagreement is over.

• Financial Distress / Family Issues – Employees that are having financial problems or family issues might try to find a way to make a lot of money quick and what better way to that than selling their organizations data.

• Unexplained Financial Gain – The indicator here is an employee that starts living above their annual income.

• Odd Working Hours – This boils down to employees coming to work for no official reason during weekends or the stay late

• Unusual Overseas Travel – This would look like an employee traveling to a country that they normally would not be interested in go to and there is no official reason to go.

• Leaving the company – The employee may be leaving for a benign reason, but it may warrant looking into their activity for the past three or six months as it may be an indicator (The Early Indicators of an Insider Threat, n.d.).

An example of an employee showing multiple indicators is as follows: an employee is overly critical of a poor performance appraisal, which he got because he is distracted due to financial issues resulting in his wife filing for divorce. These things make this employee vulnerable. One day he starts showing up to work in fancy cars and wearing newer clothes he normally does not wear. A week later he puts in for a vacation to a country that he cannot normally afford to go to, nor does he have an official reason to go. So, as we can see one indicator by itself is probably meaningless however, when stacked together, it becomes something that needs to be reported.

References

• Defining Insider Threats. (n.d.). Retrieved from CISA: Defining Insider Threats | CISA

• Kelley, A. (2022, September 29). Former NSA InfoSec Designer Jareh Sebastian Dalke was Arrested by the FBI in Denver, Colorado on Wednesday as Paty of a Sting Operation. Retrieved from Next Gov: NSA Employee Leaked Classified Cyber Intel, Charged with Espionage

• The Early Indicators of an Insider Threat. (n.d.). Retrieved from Digital Guardian: The Early Indicators of an Insider Threat

This week the topic discussed is SIM swapping. The reason I chose this topic is due to a news story that came out early last week. On 18 October, Verizon revealed that their prepaid service was attacked because of SIM swapping (Gatlan, 2022). A few things discussed today will be: 1) what is SIM swapping?   2) how does a SIM swap work, 3) Indicators of an attack, and 4) how to defend against this attack.

So, let us look at what SIM swapping, also known as SIM hijacking, is. It is pretty much as it sounds, moving the SIM card or E-SIM from one device to another. The key here is that it is the criminal that is doing the swapping, not the victim (SIM Swapping, n.d.). There are two reasons that criminals engage in this type of attack 1) is to take advantage of SMS messaging that some organizations use for their MFA, and 2) take advantage if MFA is not setup to secure an account (What is a SIM Swap, n.d.).

Now, let us move on and look at how this type of attack works. The typical SIM swapping attack starts with the victim giving the criminal their log in credentials through a phishing email (SIM Swapping, n.d.). This gives the criminal access to the victim’s online account. A second part of this attack involves the criminal taking over the victim’s email account that is associated with cell phone account (SIM Swapping, n.d.). The reason for this is that it gives the criminal to intercept any email correspondence from the phone company to the victim. Typical emails include confirmation that there was change to the account or One Time Passcodes (OTP), six digits used for authentication.

Once the criminal has control of the victims email and has the log in credentials for the account, they can conduct the SIM swapping attack. This can be done in a few ways: 1) online using the log in credentials received though the phishing email. 2) In person either by phone or by the criminal going inside the phone company’s physical location (Cryptopedia Staff, 2021). One thing to keep in mind is that no matter how this is done there is going to be social engineering performed.

So, how can a person tell if they are a victim of a SIM swap? As it turns out there are three indicators a person might be a victim of an attack. 1) The victim cannot access their online account. 2) There is no service despite being in an area with good reception. 3) The victim somehow receives a notification about account changes they did not make (Adamu, 2022).

Now that we have looked at what a SIM swap attack is and how to spot one, let us now move onto what can be done to protect ourselves from being a victim. Believe it or not, there is a lot we can do. Below are seven recommendations:

1. Protect both the phone and the SIM card or E-SIM. That means setting up and turning whatever form of protection they have. That could be a PIN, password, or utilizing a pattern to unlock the device. Newer devices can utilize either a fingerprint or facial recognition to unlock. If able, lock the SIM. What that does is forces the user to enter a PIN every time the device is started. If anyone locks their SIM, use one that is different than the PIN used to unlock the device and do not use something that is easily figured out or guessed (birthdays of yourself or a family member) (Adamu, 2022).

2. Lock the phone number with the service provider. The reason that this is recommended is because it prevents changes to the account, in this case moving the SIM from one device to another unless a customer provides an authentication PIN or by going to the store and authenticating that way (Adamu, 2022).

3. Utilize strong/complex passwords and security questions. That means if the password used to access the online account does not have at least 12 characters consisting of lowercase letters, uppercase letters, numbers, and special characters. The same is also true for any other accounts keeping in mind not to reuse passwords. This would be a good time to invest in a password manager because it is impossible to remember multiple passwords that are 12 characters in length (Adamu, 2022).

4. Set up Two-Factor Authentication (2FA). Best thing to do is to use an authentication app such as Google, Microsoft, or Authy. Do not use SMS-based or email-based authentication if possible (Adamu, 2022).

5. Utilize biometric authentication on the device. Using this type of authentication is dependent on the device as newer models support it while older models do not. If that functionality is available it is recommended as a criminal would not be able to bypass that barrier (Adamu, 2022).

6. Keep personal information shared online to a bare minimum. Any information that is posted online can be used by a criminal to impersonate their victim. I know that is easier said than done. I say that because our society is addicted to posting every part of our lives to social media. I understand why, it is a way to keep friends and family that are geographically separated up to date with what is going on and that is fine. The problem is posting too much information that criminals can use. I am talking about things like the name of a pet, best friends name, favorite food, etc. (Adamu, 2022). Do those examples look familiar? Well, they should since they are typical security questions that we are all asked to provide answers for to authenticate ourselves when we have forgotten our password to an online account.

7. Know how to spot phishing emails, texts, and phone calls. One resource I recommend checking out is to look some of our other blogs, specifically look at the Aug 24th blog as well as the blogs on October 12th and 19th. Miss Eula Chua discusses what phishing is and what to look for in emails and texts.

References

• Adamu, H. (2022, march 13). How to Protect Yourself From a SIM-Swap Attack. Retrieved from Android Police: How to protect yourself from a SIM-swap attack

• Cryptopedia Staff. (2021, October 6). What is a Cell Phone SIM Swap Attack. Retrieved from Gemni: Sim Swap Attacks: What Are They? | Gemini

• Gatlan, S. (2022, October 18). Verizon Notifies Prepaid Customers Their Accounts Were Breached. Retrieved from Bleeping Computer: Verizon notifies prepaid customers their accounts were breached

• SIM Swapping. (n.d.). Retrieved from Verizon: What is a SIM Swapping Scam? Protect Your Device Against SIM Hackers

• What is a SIM Swap. (n.d.). Retrieved from Yubico: What is a Sim Swap?

What exactly are IoT devices? IoT stands for “Internet of Things”. They are also known as smart devices. Now, let me ask what comes to mind when you hear the term “IoT device”? I would bet a lot of the answers are going to be the Amazon Echo, or the Google Home, am I correct? Now, there are a lot more than just those two. The list includes smart refrigerators, smart watches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security systems, and the list goes on (18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products, 2022).

While IoT devices are great in that they make our lives a little bit easier, they do have one serious flaw. IoT devices are configured for ease of setup / use, not security or privacy. To prove my point, I looked for a story regarding baby monitors being hacked. Yes, certain models of baby monitors are IoT devices.

I do not know if you all remember but there were stories every couple of months a few years ago, but we do not hear much about it now.

So, the story I found is from 2018 about a mom in South Carolina initially noticed unusual activity on her baby monitor. One morning she wakes up and sees that that the monitor is directly facing her. While she thought this was weird, she dismissed it thinking her husband was known to move the monitor through the application on his smart phone so he could check on her while at work. Seems logical to me, as I have something similar, but not a baby monitor, that I can use to check on my wife while I am gone. However, the second incident has no logical explanation to it. It happened while both the husband and wife were having dinner together. The wife got an alert on her phone that the camera was moving, but they were both at home in the same room and neither one had opened the app and moved the camera. What the wife did next was the best thing she could do, and that was to not only disconnect the baby monitor, but also call law enforcement.

When an officer arrives the wife describes what happened and said she suspected the baby monitor had been hacked. So, the officer decided to do a little investigating and wanted to test that theory. The officer had her reconnect everything and that is when she discovered she had been locked out of her own account (Domonoske, 2018). Pretty scary stuff.

Now at this point some people may be thinking how this happened. Remember what I said earlier. IoT devices are configured for ease of setup / use, not security or privacy. Also keep in mind that these devices could have vulnerabilities that are not seen on computers. I am talking about vulnerabilities that could allow a device to reset back to default settings (to include login credentials). I mention that because in the story when the monitor was setup the password was changed to something unique to the device and was not used anywhere else (Domonoske, 2018).

After reading this story, I am willing to bet that some of you are wondering if it is even possible to secure IoT devices and my answer to that is yes, they can be secured. In fact, there are six that can be taken to secure IoT devices. One disclaimer. I know the site says seven tips and I am listing 6. I did that because I combined changing the Login ID and password to a single item.

1. Start with configuring the router correctly.

a. Do not use default credentials. Change both the login ID and password.

b. Use highest level of encryption possible. You are looking for WPA2 or WPA3. Anything less than that (WEP or WPA), you need a newer model.

2. Put IoT devices on their own network separate from everything else.

a. Basically, create a guest network for IoT devices. By doing this, you will prevent criminals from accessing the main network if an IoT device is hacked.

3. Another option is to turn off features you are not going to use.

4. Update the devices firmware. Keep in mind that this typically does not occur automatically. So, it may have to be completed manually. That means setting a calendar reminder once a quarter or so and following the directions to update, that should be included with the documentation for that device.

5. Implement MFA if available. Now, I know that this option is a little counterintuitive as it takes the ease of use out of the device, but it will add to the security.

6. Use a secondary Next Generation Fire Wall (NGFW). This is an option because while most routers that were built within the last few years probably have a fire wall, they may not offer the protection you want. In that case purchasing an NGFW and using it in conjunction with the router would do the trick (Goodreau, n.d.).

So, the bottom line here is that we as individual end users of these products are responsible for our security. We cannot rely on the product manufacturers to be security minded. As I have said a couple times in this blog, manufacturers want people to have a product that is easy to setup/use. This is what makes them money. If a product is not easy to setup/use, people are not going to buy it and the company is not going to make money, which is what matters to them.

References

18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products. (2022, September 24). Retrieved from Software Testing Help: https://www.softwaretestinghelp.com/iot-devices/#:~:text=Smart%20Mobiles%2C%20smart%20refrigerators%2C%20smartwatches,few%20examples%20of%20IoT%20products 

Domonoske, C. (2018, June 5). S.C. Mom Says Baby Monitor was Hacked; Experts Say Many Devices are Vulnerable. Retrieved from NPR: https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable 

Goodreau, T. (n.d.). 7 Actionable Tips to Secure Your Smart Home and IoT Devices. Retrieved from IEEE Computer Society: https://www.computer.org/publications/tech-news/trends/7-actionable-tips-to-secure-your-smart-home-and-iot-devices 

The data breach at Uber is just the latest in a long list of data breaches this year. While the tactic used to gain network, access is not new, I do not believe it has gotten a lot of press till now. You all might be wondering which tactic that is. That would be Multi-Factor Authentication (MFA) fatigue. So, what is MFA fatigue? As we all know, there are different types of MFA. They include hardware keys, biometrics, authentication applications, SMS, and push notifications. MFA fatigue targets push notifications (Abrams, 2022).

The way this attacks works is the threat actor gets an employee’s credentials, either by phishing or buying them off the dark web or some other way. Then the threat actor tries to log in and the victim gets a push notification. Obviously, the victim knowing they are not attempting to log in, is not going to accept the notification. Now, not having gained access to the network, the threat actor will continue to attempt to log in repeatedly in rapid succession until the victim gets tired of the notification that they finally decide to accept it just to make the notifications stop (Abrams, 2022).

So, what can be done to safeguard against this type of attack? Artic Wolf, a leading Cybersecurity company has three recommendations.

1. Educate all users on indicators of an attack:

a. Unexpected MFA push notifications

b. Unknown location of login attempt

c. Receiving communication supposedly from a person in the organizations IT department asking the user to accept the request

d. Continuous MFA requests in rapid succession over a short period of time

2. Restrict the number of MFA push notifications allowed

3. Disable MFA push notifications and use another form of MFA (Tatar, 2022)

One thing to keep in mind is that MFA is another tool in the cybersecurity toolbox. It is subject to compromise just like any other tool we have. The reason I say that is because from what I have seen is that the expectation is for MFA to be the end all be all of security, but it is not. I am pretty sure that is an unpopular opinion and that is fine.

I am pretty sure that some people reading this are wondering “if MFA can be compromised, then why use it?”. This is a valid question. The reason MFA still needs to be used is because it is part of a layered defense. By that I mean the first layer are a user’s login credentials (username and password). If those get compromised, that is when the second layer (MFA) comes into play and will generally prevent a threat actor from gaining access to an organizations network.

Like I alluded to earlier, MFA is not foolproof, as proven with the attack on Uber and numerous other organizations. I mean let’s be honest, if a threat actor wants to gain access to a network, they are going to find a way in. The whole point of using MFA as part of a layered defense is to make gaining access to our networks so difficult and time consuming that they move onto another target. The military would consider this being a “hard target”. By being a “hard target”, your organization becomes less desirable to an attack and a threat actor will normally move onto another target.

There are two important takeaways I want everyone to gain from this blog:

1. MFA is simply another tool. It is good at preventing a threat actor from gaining access to a network, but it can be compromised.

2. Educate your users. That means everyone from the CEO all the way down to the newest employee that is at the bottom of the corporate ladder. Securing our networks is everyone’s responsibility. There is an African proverb that states “it takes a village to raise a child” (Reupert, Straussner, Weimand, & Mayberry, 2022). I would say that in this context, it takes a village to secure our networks.

References

Abrams, L. (2022, September 20). MFA Fatigue: Hackers' New Favorite Tactic in High-Profile Breaches. Retrieved from Bleeping Computer: 

MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches

Reupert, A., Straussner, S. L., Weimand, B., & Mayberry, D. (2022, March 11). It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the "Village". Retrieved from Frontiers: It Takes a Village to Raise a Child: Understanding and Expanding the Concept of the “Village”

Tatar, S. (2022, September 22). The Growing Risk of MFA Fatigue Attacks. Retrieved from Artic Wolf: What is MFA Fatigue? | Arctic Wolf

Let's begin with a typical conversation between someone in Cybersecurity and someone wanting to break in to the industry. New person: “I want to get into Cybersecurity, but do not know where to start”. Cybersecurity professional: “What part of Cybersecurity do you want to get into?” New person: “I do not know.

Does this sound familiar? It should because I am willing to bet that most if not all of us have either initiated or been a party to this very type of conversation. How do we respond when a new person says, “I do not know”, when asked what part of Cybersecurity they want to get into? Luckily, NIST has us covered. They created the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.

The NIST NICE Framework also known as NIST SP 800-181, was created in 2017 to deconstruct the Cybersecurity realm into 52 roles. It also acts as a foundational reference that provides base line information regarding the knowledge, skills, and abilities (KSA’s) for these roles. It was updated to Rev. 1 in November 2020 (Newhouse, Keith, Scribner, & Witte, 2017).

One thing that I like about this framework is that it is easy to read. It is logically laid out. Now, as with any other framework, NIST 800-181 is full of acronyms however, the first time one is used it is spelled out, which alleviates some confusion for people reading it. Another aspect of it I like is that is spells out not only who the audience is, but how it is going support them. For example, NIST 800-181 is designed for everyone, but for employers, there are five aspects that will help them basically write a job description for a particular role. It also describes how it supports current and aspiring employees. Finally, it discusses support for the educators, trainers, and technology providers (Newhouse, Keith, Scribner, & Witte, 2017).

So, everyone might be wondering what part of NIST 800-181 do we refer a new person to when answering they do not know what part of Cybersecurity they want to get into. Well, there is a table in Attachment A3. Specifically, they want to look at the Work Role, which is in the middle of the table, and the Role Description, which is the far right of the table (Newhouse, Keith, Scribner, & Witte, 2017). One thing to keep in mind is that while as stated earlier the NICE Framework identifies 52 roles, that does not mean that individual organizational positions are going to be identified the same way. This may cause some confusion. The best idea that I can think of to alleviate that confusion is to compare the role description in the NICE Framework with the job description is in the job ad.

In addition to the identified roles, the NICE Framework also breaks down those roles and identifies applicable tasks, knowledge, skills, and abilities (KSA’s) required for the specific role. This is going to be in Appendix B. I must warn everyone, this table used a lot of codes to identify the tasks and KSA’s. The tasks / KSA’s codes and their definition are in Appendix A. That means there is going to be a lot of going back and forth between the two Appendices.

Now, if you remember from earlier, I said that the NICE Framework is designed to be used by everyone, not just people trying to decide on what part of Cybersecurity to get into. For example, organizations can use Appendix A and B when they are creating job advertisements. Also, managers can use those same appendices when deciding on employee training.

So, if there is one NIST Framework that I think everyone must read, it would be NIST 800-181. It has information applicable to everyone. For new people wanting to break into the Cybersecurity industry, it breaks down the industry into 52 roles, which can assist them in deciding what part of Cybersecurity they want to get into. For HR, it has a listing of KSA’s for those specific roles, which will help them in creating accurate job listings for open positions. Finally, for trainers, NIST 800-181 can be used as a resource as they create training programs, courses, seminars, exercises, and challenges as they can be based on role specific tasks and associated KSA’s.

References

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017, August). NIST Special Publication 800-181. Retrieved from National Institute of Standards and Technology: https://doi.org/10.6028/NIST.SP.800-181

While studying for my CompTIA CySA+ examination I came across several regulatory frameworks. So, I thought it would be a good idea to create a blog to briefly discuss each one. The regulatory frameworks that I came across include the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); the Gramm-Leach Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; and finally, the Family Educational Rights and Privacy Act (FERPA).

The first framework I will cover is HIPAA. HIPAA became a law back in 1996 and was designed to facilitate employees changing jobs to take their insurance with them. It was also designed to make health care delivery more efficient (HIPAA History, n.d.). The heart of HIPAA lies in the security and privacy rules that all healthcare providers, insurance companies, and health information clearinghouses must comply with (Chapple & Seidl, 2017).

The second framework is PCI DSS. The interesting aspect about this standard is that unlike all the others, it is not a law, but rather a collaborative agreement among the major credit card companies (Chapple & Seidl, 2017). This agreement was established in 2004. Now, even though it is not a law, non-compliance still has consequences. These consequences range from simple fines levied by the banks themselves all the way to an organization not being able to take payment cards as a form of payment (Petree, 2019).

The third framework is the GLBA. This standard is applicable to the banking industry. The basic premise is that all financial institutions have a security program and someone to run it (Chapple & Seidl, 2017). It became law back in 1999. This act also mandates that these same organizations communicate how they share and protect customer information (Gramm-Leach-Bliley Act, n.d.).

The fourth framework is the SOX Act. This act applies to any organization that is publicly traded (Chapple & Seidl, 2017). It became law in 2002 in response to numerous financial scandals and was established to thwart these same organizations from defrauding their investors. It is named for the two members of Congress that sponsored it, Senator Paul S. Sarbanes, and Representative Michael G. Oxley (Kenton, 2022).

The last framework to be covered is the FERPA. This act mandates that educational institutions protect student information (Chapple & Seidl, 2017). FERPA became law back in 1974 and has a dual purpose. 1) Returns control of educational records back to the parents or to adult students. 2) Requires written consent from parents or adult students before an educational institution can release Personally Identifiable Information (PII) that is within those records (Family Educational Rights and Privacy Act (FERPA), n.d.).

References:

Chapple, M., & Seidl, D. (2017). CompTIA CySA+ Study Guide. Sybex.

Family Educational Rights and Privacy Act (FERPA). (n.d.). Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/phlp/publications/topic/ferpa.html

Gramm-Leach-Bliley Act. (n.d.). Retrieved from Federal Trade Commission: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

HIPAA History. (n.d.). Retrieved from HIPAA JOurnal: https://www.hipaajournal.com/hipaa-history/

Kenton, W. (2022, May 08). Sarbanes-Oxley (SOX) Act of 2002. Retrieved from Investopedia: https://www.investopedia.com/terms/s/sarbanesoxleyact.asp

Petree, S. (2019, January 4). Five Risks for PCI DSS Non-Compliance. Retrieved from Plante Moran: https://www.plantemoran.com/explore-our-thinking/insight/2017/08/five-risks-for-pci-dss-non-compliance#:~:text=%20Five%20risks%20for%20PCI%20DSS%20non-compliance%20,can%20place%20restrictions%20on%20organizations%20such...%20More%20

We see news stories almost daily of threat actors hacking into an organizations computer network and either taking the data or encrypting it unless said organization pays a ransom.  Now, we all know that this is illegal, but do we know why it is illegal?  The answer lies within 18 U.S. Code 1030, also known as the Computer Fraud and Abuse Act (CFAA) which became law in 1986.  This blog will discuss the specifics of the CFAA, what lead to its passing, and most recent updates.   

History of CFAA

The CFAA got its start as part of another statute called the Comprehensive Crime Act of 1984.  There was a part of this act that made the following two activities related to computers illegal.  1) Gaining unauthorized access to a computer.  2) Having access to a computer but accessing areas that are not authorized (CFAA Background, 2022).  Basically, this is privilege escalation.  

Now for someone to be charged under the Comprehensive Crime Act because of hacking, the victims were limited to government interests.  More specifically the actions had to involve one of three scenarios.  1) Accessing information vital to national security.  2) Gaining access to personal financial records.  3) Gaining unauthorized access to government computers (CFAA Background, 2022).  

Let's skip ahead to 1986.  This is when the provisions of the Comprehensive Crime Act of 1984 related to computer crime officially became 18 U.S. Code 1030, The Computer Fraud and Abuse Act (CFAA).  This separation facilitated the addition of three more prohibitions: 

1. Gaining unauthorized access with intent to defraud (CFAA Background, 2022).  Now, you will notice that the gaining unauthorized access is the same as in the Comprehensive Crime Act.  The addition is the intent to defraud.  So, the bottom line for this prohibition is to gain unauthorized access with the intent of illegally receiving money from an organization through deception.

2. Gaining unauthorized access, same as before, but adding to that the threat actor changes the data in some way that it affects the Confidentiality, Integrity, and Availability (CIA triad) of that data. 

3. The addition of prohibiting trafficking in computer passwords (CFAA Background, 2022).

Now, in addition to what was mentioned above, lets see was else is in the CFAA.  There are also punishments defined in this document.  These punishments are defined by the type of offense.  In addition, the CFAA dictates who (depending on the offense) will investigate.  It will either be the Federal Bureau of Investigation (FBI) or the United States Secret Service.  Finally, definitions of certain terms at the end of the document (18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers, n.d.).

2022 Update

Over the years, the CFAA has been updated numerous times.  The most recent update was in May 2022.  Basically, what this update affirms is that “good-faith security research should not be charged” (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).  This update goes on to define good-faith security research, but essentially it means hacking into a network (with the owner’s permission) to test for vulnerabilities so they can be mitigated, thus protecting the CIA Triad of that network (Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act, 2022).

Conclusion

I highly recommend at least scanning over it.  I think it is an interesting read, of course I am a bit of a nerd so I may be a little biased.  Nonetheless, it is important to be at least familiar with applicable laws, especially if anyone is wanting to get into penetration testing.  This way you will have an idea of how far you can go without breaking the law, because I will tell you as someone with a criminal justice degree, claiming ignorance of the law is not a defense.

References:

18 U.S. Code 1030 - Fraud and Related Activity in Connection with Computers. (n.d.). Retrieved from cornell.edu: https://www.law.cornell.edu/uscode/text/18/1030 

CFAA Background. (2022, July 14). Retrieved from NACDL: https://www.nacdl.org/Content/CFAABackground 

Department of Justice Announces New Policy for Charging Cases under Computer Fraud and Abuse Act. (2022, May 19). Retrieved from Justice.gov:

 https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act 

Disasters, whether natural or man-made, are inevitable. Every company no matter the size or location is going to experience one. How quickly they recover, if at all, depends on whether they have a Business Continuity / Disaster Recovery Plan (BC / DRP). According to the American Management Association, half of the businesses that do not have a BC / DRP and experience a disaster, close their doors forever, (An Overview of U.S. Regulations Pertaining to Business Continuity, n.d.).

For a BC / DR plan to be successful the following five steps should be taken:

1. Be proactive with planning – Basically what this is saying is to create a list of as many conceivable disasters as possible. The imagination is the only limiting factor here if the disaster is conceivable. For example, a company in North Dakota planning for a hurricane is not conceivable.

2. Identify the organizations critical functions and infrastructure – This is the time a company would conduct a business impact analysis. This serves two purposes. First, critical functions can be discovered. Second, the company can make educated guesses causes of disruptions and the repercussions of those disruptions.

3. Create emergency response policies and procedures – This is the meat and potatoes of the process. Creating the BC / DR plan based on the information from steps one and two while also considering any applicable government regulations.

4. Document backup and restoration process – This involves writing down the procedures for backing up the companies’ data prior to a disaster and subsequently restoring it during the recovery phase after a disaster.

5. Perform tests and exercises – A plan is worthless if the employees are unfamiliar with it or do not even know it exists. This is where testing it comes in. Testing a plan makes the employees familiar with it which results in them being able to respond quicker. This is paramount in a disaster where time is critical. It also shows where there are holes in the plan so they can be fixed before a disaster occurs (Delchamps, 2020).

When creating the BC plan, one of the main things to consider is the backup location. This location may have its own risks from disasters that need to be anticipated. Six items that need to be considered when choosing a backup location include:

1. Natural Disaster - Depending on the location, especially if it is close to the primary location, the company could be faced with a disaster-within-the-disaster, resulting in both locations being taken offline. The way to mitigate this is if feasible to pick a location further away.

2. Infrastructure Disruption – This would be the result of damage to infrastructure, for example loss of power, or road closures. The mitigation for loss of power is for the company to invest in backup generators. The mitigation for road closures is to have a backup location that can be reached via multiple routes, or find a location where employees are close by that may be able to walk to get to the site.

3. Human Error – Humans are not psychic. We need to be passed information. A company may have the best BC /DR plan ever created however, if the employees do not know anything about it, it is worthless. The way to mitigate this is through communication.

4. Cyber Attack – While transferring the data to the backup site, companies need to ensure that their customers information is safe and not going to be subject to a cyber-attack. This can be mitigated by ensuring devices at the backup location are constantly patched and updated, anti-virus is used, and data is encrypted.

5. Compliance – No matter where the company is operating of, whether it is the primary location or the backup site, they still need to comply with all applicable regulations. The way to achieve that is to treat the backup site the same as the primary location. That means whenever something is done to the primary location, it is also done to the backup location.

6. Physical Security – Physical security is just as important as securing the companies data. There are a couple ways to achieve this. The company could invest in a security system to include cameras. Another way is to hire security guards to monitor the building (Sampera, 2020).

References:

An Overview of U.S. Regulations Pertaining to Business Continuity. (n.d.). Retrieved from Geminare: https://www.geminare.com/wp-content/uploads/U.S._Regulatory_Compliance_Overview.pdf

Delchamps, H. (2020, March 9). 5 Steps to Creating a Backup and Disaster Recovery Plan. Retrieved from Memphis Business Journal: https://www.bizjournals.com/memphis/news/2020/03/09/5-steps-to-creating-a-backup-and-disaster-recovery.html

Sampera, E. (2020, March 5). 6 Essential Risk Mitigation Strategies for Your Business. Retrieved from VXchange: https://www.vxchnge.com/blog/essential-risk-mitigation-strategies

DEF CON was this past weekend and I started wondering about how it started and when. So, I decided this would be an awesome topic, although I wish I had the idea before last weeks blog went out. 

Now, I do not know about anyone else, but I have always wondered not only how DEC CON originated, and also how the name originated. As you will discover below, it is quite interesting.

It turns out that the name did not originate where I thought it did. With a 20 career in the Air Force, it was my impression that DEF CON was taken from the term for Defense Readiness Condition. While this is accurate and was the inspiration due to the 1980’s movie called “Wargames”. The basic premise of this movie is that a young kid connects to a government system that controls the United States nuclear arsenal. If I had to guess, I would say that it is probably the original hacking movie, but I digress a little bit. It turns out that in the current context, DEF derives from the number three key on a telephone and the CON derives from the world conference. Interesting side note, the official spelling is DEF CON.

So, why was DEF CON started? It was not envisioned to be the exhibition that we have today. In fact, the origin is mundane. In 1993 a gentleman by the name of Jeff Moss, had a friend that was moving away. Being a good friend, Jeff wanted to give his friend a good send off, so he organized a going away party. Well, in an unfortunate circumstance, the friend moved before this party. So, not wanting to cancel this party and wanting to honor his friend, he asked all his hacker friends to make a trip to Las Vegas to party. Thus, DEF CON was born. There were approximately 100 people in attendance.

As mentioned above, this was originally supposed to be a going away party, so this would have been a one-time event. However, everyone had such a great time they convinced Jeff to host it again in 1994. Reluctantly he agreed and in the 2nd DEF CON there were at least 200 people that attended. With each new DEF CON, the number of attendees consistently grew. For DEF CON 27 which was in 2019, there were approximately 30,000 attendees.

Another interesting bit of information that I did not know is that in 2018 there was a DEF CON event held in China. It was supposed to be an inaugural event, but due to the COVID-19 pandemic, it is still the only DEF CON event that has ever been held outside the United States. 

There is a question that I see all the time on the various social media platforms, “will {insert certification name here}, get me a job in Cybersecurity?”  Now I know that there are a million opinions as to whether certifications are even needed to enter this industry.  That is not what this is about.  This is about the apparent myth that simply getting a certification will land a person a job in cybersecurity.

The answer to the above question is no, {insert certification here} will not directly land someone a job.  At most, the certification will help someone get an interview.  From there is it up to you to land the job.  So, does that mean not to worry about getting a certification?  Not necessarily.  What I am saying is, do not get a certification simply because it is a requirement for some jobs.  Get the certification for the knowledge you will gain.  It is one thing to pass the exam and receive the certification.  That may help you get an interview by standing out over other applicants that may not have the specific certification.  During the interview, the fact that you have {insert certification here} means nothing, unless you can apply some of those concepts in the interview and can talk to the interviewer about some of the knowledge you gained by studying for the exam. 

The whole premise is to chase the knowledge, not the certification.

My name is James.  I am a retired Air Force veteran and married to my wife of 22 years.

In the Air Force, my role was in Air Transportation.  Basically, I worked at military airports loading passengers and cargo.  The best way to picture it is to think of a combination of American Airlines and Federal Express.  After I retired in 2014 I continued with the same career field but as a military contractor.  The job is interesting however, no longer challenging.

One aspect of this job that I really enjoy is that of regulatory compliance.  Ensuring that all the passengers comply with not only applicable FAA/TSA regulations but also applicable destination country entry regulations.  On the cargo side, the job entailed ensuring the cargo was prepared and documented correctly.  This is extremely important when hazardous cargo is being transported.  The reason for this is for the safety of the aircraft, crew, and any passengers.  An example of a failure in procedure is ValuJet flight 592 that went down in the Everglades in 1999.  The reason for this crash was that some oxygen generators were not properly packaged or documented.  

In addition to loading airplanes, an additional job that I had was a system administrator.  I was responsible for creating accounts, setting permissions based on the duty position of the individual, working with the help desk to update and patch the system.  This is what initially got me interested in Information Technology.  As a result, I tried numerous times to change career fields into Information Technology but was unsuccessful. 

Why am I making the career change into Cybersecurity?  This is a good question.  It was June 2020, and I was working at a deployed location loading aircraft and suffering every day because of medical conditions created by my military career.  My wife suggested contacting the Veterans Affairs office and applying for something called Vocational Rehab.  Basically, this is a program where veterans with medical conditions can go back to school to get a degree in a field that will not aggravate the condition.  So, I applied.

After speaking with the counselor, I was approved!  Next, it was time to choose a program and school.  I thought to myself, this was the perfect chance to finally change careers and move into Information Technology.  After constantly seeing reports of data breaches and ransomware attacks, I decided to transition into cybersecurity.  The school I chose to attend is ECPI and I will be graduating the end of August 2022.

I am extremely grateful to Kimberly for this opportunity to work with Cybersecurity Central.  It is exciting to be able to give back to such a welcoming community that I am breaking into.  It will be an interesting journey but I hope it will be a journey that everyone can learn and get inspiration from.

Feel free to connect or send me a message on LinkedIn: https://www.linkedin.com/in/jdriscoll-76