Wednesday, June 1, 2016

Week 12 - Ethics, who needs it?

Ethics... Who needs it?


As I finish up my graduate career, I had to really think about what my last blog post as a graduate student would be. Should I look back at the last 3 years and fondly dissect them piece by piece or class by class? Should I blow it off? Nope, I want to discuss ethics... As a graduate student, my professors were constantly reminding us not to plagiarize our work, not to cheat on assignments, and never to compromise our principles.

(LinkedIn.com)

I'll be honest, as a student it is very easy to cheat, but who gets cheated? Only you. The information that you don't read for the assignment, or the information that you take from someone else's work to pass off as your own, is information you will eventually need as you go through your career and especially your life in general. So why cheat yourself out of the knowledge and the experience?

So, what are "ethics"? Your definition of this subject may differ from mine, but in my opinion, "Ethics is doing the right thing even when no one is looking or will notice." In other words, YOU know that what you are doing is the right thing to do.

(deepgreenpermaculture.com)

The right thing can come from many sources: the rule of law, the Bible or even science. All of these sources or disciplines teach us what is fact and what isn't, what is true and what is false and, of course, what is right and what is wrong. All of these sources or disciplines instruct us how to live and how to act in a positive manner.

Examples:

You find a wallet with $100 in it. The wallet has an ID. Do you:

A.) Keep the $100 and throw away the wallet?
B.) Locate the owner and give them back the wallet with the $100?

You walk by a co-worker's desk and his PC is unlocked, his e-mail is open, and you notice an e-mail that has your name on it or a friend's name. Do you:

A.) Read the e-mail and hope no one sees you?
B.) Press Ctrl/Alt/Del and lock the PC?

Ethical dilemmas can arise at any time, and how you react to the challenges put in front of you will determine who you are and how people look at and perceive you. Do yourself a favor and always try to do the right thing. Once you look the other way and fudge something, you lose...

Saturday, May 21, 2016

Week 10 - Teach a kid today, secure our data tomorrow.

Can you figure this cipher out?


(Ronald Woerner, securityintelligence.com)

It's a simple cipher, and for those of us who have a little... well... seasoning to us, it is easy to figure out. But to a young child or high school student, it is a challenge. This is the beauty of these types of problems.

I am in the last term of my Cyber Security graduate program and wanted to give an "Atta boy" to my professor, Ron Woerner, who believes the way to fix our cyber security issues is to teach our youth what this subject is all about and how to identify and troubleshoot cyber issues. One of the ways he achieves this is by promoting cyber security competitions in high schools: "Young folks from around the world are answering the call of 'Do you have what it takes?' as a part of cyber competitions. They're stepping up to the plate and facing the challenges of information security, programming, cryptography, and network reconnaissance and computer forensics" (Woerner, 2016). As Professor Woerner states in his article below, these types of competitions and capture the flag (CTF) events are not new; they were first started in the early '90s at DEF CON and have taken off like wildfire across the nation and even the globe, as teams of young adults hone their security skills while trying to best their opponents.

Professor Woerner wrote a very interesting article titled "Cyber Competitions: Do You Have What It Takes?" for Securityintelligence.com that discusses this very topic, and I encourage you to take a look. He isn't the only one who believes in this educational path; there are many organizations and teachers throughout America who believe strongly in this. An example is the Air Force Association, which sponsors the CyberPatriot National Youth Cyber Education Program, in which Professor Woerner is involved.

WHAT IS CYBERPATRIOT?

CyberPatriot is the National Youth Cyber Education Program. At the center of CyberPatriot is the National Youth Cyber Defense Competition. The competition puts teams of high school and middle school students in the position of newly hired IT professionals tasked with managing the network of a small company. In the rounds of competition, teams are given a set of virtual images that represent operating systems and are tasked with finding cybersecurity vulnerabilities within the images and hardening the system while maintaining critical services in a six-hour period. Teams compete for the top placement within their state and region, and the top teams in the nation earn all-expenses-paid trips to Baltimore, MD for the National Finals Competition, where they can earn national recognition and scholarship money.

(uscyberpatriot.org)



I commend the men and women who believe so deeply in the security of our public and private networks. The fact that they can work a full day and then spend time outside work to provide guidance and support to the youth of our country is amazing. They do this knowing the minds they shape today will be the white hats that protect our data tomorrow.

If you are interested in this subject or want to sponsor a team or school, please visit:

Thanks, Coach, for all your time, your dedication and your love of security. Without it, I wouldn't have gotten as far as I have in my graduate career. Keep up the great work...

Monday, May 16, 2016

Week 9 - Risks… Good, bad and ugly?

What is risk? Thanks to Merriam-Webster, we see that risk = "possibility of loss or injury." A simple definition, but true nonetheless. Too much risk can cause businesses to fail because there is confusion and uncertainty within the organization, mainly because the corporate leaders do not understand what "risk" is and how to mitigate, transfer or even accept it, and because the full impact of the risk hasn't been dissected by the business to get a grasp of what they are challenged with.

(healthcareglobal.com)


What I mean is this: if a company does not fully understand a subject such as employee theft, then the possibility of loss, whether monetary, intellectual property or customer data, will be greater, and the cost to the company to mitigate it when the event occurs will be much higher. Therefore, it is very important for all groups within a business to understand what risks are present and how to mitigate, control and even avoid them. This isn't always easy, though, since new (potential) threats crop up every day. Having a risk management plan (NIST Special Publication 800-30 Revision 1) in place will help keep businesses calm during times of tumult. The following diagram from NIST.gov displays a great overview of the risk management process.

(NIST.gov)

Questions to ask when the event occurs...
• What is the threat?
• What is the impact of the threat?
• How vulnerable are we?
• Who needs to be involved and notified?
• How quickly must you act?
• What actions need to be put into play in order to mitigate or manage the threat?

Businesses can't avoid risks; as a matter of fact, risks are inevitable and sometimes needed in a business strategy, so develop your plan now. The following demonstrates how to prioritize the risks in your business. Assigning an importance to each risk, such as Minor, Major and Critical or Minor, Moderate and Significant, will help everyone involved understand the significance of the threat.

(Managementstudyguide.com)

A thorough risk assessment audit and plan can lessen the impact of a breach and make your life much easier. But these assessment plans need to be very accurate and comprehensive, and they also need to be run on a regular basis in order to build up a stockpile of historical data and benchmarks.

So get to work... And happy assessing...

Sunday, May 8, 2016

Week 8 - Using Risk management tools.

While researching the last two assignments about threat modeling and threat analysis, I did some reading on risk management tools and came across several. The one that stood out most to me is the OCTAVE method, which stands for "Operationally Critical Threat, Asset and Vulnerability Evaluation". It was designed and developed at the CERT Coordination Center at Carnegie Mellon University and is a very good method to assess and manage risks in an organization of any size.

(slideshare.net)



This risk-based security assessment planning approach can help all businesses get a better understanding of what threats and risks they face (please see NIST SP 800-30, Risk Management Guide for Information Technology Systems). It is a self-directed method that requires the business to oversee and maintain the threat evaluation process and make informed and unbiased decisions that will strengthen the organization's security posture.

To get started, an analysis team is put together; this team includes people from many different areas of the business. Some of the functions of this team are to:
• Identify IT-related assets.
• Target the critical assets that the business has judged to be crucial.
• Determine the risks that are associated with the assets.
• Evaluate and protect the key assets.
• Communicate a plan to safeguard the assets.

(Itgovernanceusa.com, 2003)


There are normally 8 processes in the OCTAVE method, but it has been broken down into 3 phases to simplify the process.

Phase 1 – Initial security planning is designed and developed.
o   What is important?
o   What is the current state of the asset?
o   How are the assets being protected?
o   Describe the requirements needed for securing critical assets.
o   Create the threat profile per asset.

Phase 2 – Identify infrastructure risks and vulnerabilities.
o   Evaluate the IT infrastructure.
o   Identify classes of IT equipment relevant to each critical asset.
o   The team can now evaluate the asset and how resistant it is to potential attacks.

Phase 3 – Design and implement security planning.
o   Decide what to do about the identified risks for each asset.
o   Create and design an asset protection scheme for the network.
o   Create a risk mitigation plan for each asset and for the network as a whole.

It isn't possible for any business to be fully risk free, but it can take steps to minimize and even mitigate the threats facing it. Utilizing risk management techniques and programs, businesses can identify, categorize, assess and implement strategic planning to help alleviate potential vulnerabilities and threats within their networks and minimize losses.

Sunday, May 1, 2016

Week 7 - SHRED IT!! BURN IT!! Vaporize it…

I was going through some old assignments last week, getting them ready to present to my instructor prior to graduation, when I came upon an assignment from my undergrad days... The instructor wanted the class to go through our garbage and look for pieces of anything that might be useful to a dumpster diver or social engineer. At first, I thought it to be a lesson in futility, since I was sure that I never throw personal data away. I was mistaken...
Here are excerpts from the assignment:
I thought this would be a no-brainer for me: look in my trash and see that I have absolutely nothing that could identify me or give a person an inkling about who I am. Uhmm, not true...

Things that I found are listed below.

1. Credit card advertisement; it was ripped up in several pieces but still had enough data on it to give me away.

2. My flight boarding pass from SFO to Mexico City. I wasn't the one who threw this out, so it must have been my wife.

3. Half of my itinerary from Expedia, including the hotel name. Again, wife.

4. A utility bill.


I was concerned; I am usually very careful about what I toss out. I usually burn or shred it, or douse it in H2O and put it in the mulch pile.
(haikudeck.com)
I asked my lovely wife if she had thrown the data away, and she looked shocked and said she didn't even realize she had done it. I'm sure it was a mistake, since I am always on my family to not take any chances and always toss everything into the shred bin, even if they don't think it is of consequence. This bothers me a lot, since on garbage days you will occasionally see people walking through the neighborhood looking into the garbage cans hoping to find recyclables... or are they?
Looking back on this experiment, I see that it is easy to forget and just toss stuff out. This should never happen, since people make a good living sifting through garbage and then stealing your identity...
In an article about identity theft on the FTC website, statistics are given for 2015: a "47 percent increase over the prior year, and the Department of Justice estimates that 17.6 million Americans were victims of identity theft in 2014". The graph helps to illustrate the point.
(FTC.gov)
Identity theft is a big issue and is only getting worse. Protect yourself and your loved ones, and make sure you keep your data safe. And don't do what my family did and throw out personal papers. Shred them...

Here are a few good websites to learn more about identity theft.

IdentityTheft.gov – Report identity theft and get a recovery plan.

FBI.gov – Identity theft information.

Identitytheft.info – Identity Theft Victim Statistics by Rob Douglas

Sunday, April 24, 2016

Week 6: Why cyber-crimes are severely underreported.

I was looking for some light reading last week when I came across an article at CBS.com titled "These Cybercrime Statistics Will Make You Think Twice About Your Password: Where's the CSI Cyber team when you need them?". The author describes cyber-crime statistics that will make the jaw of someone not in the know drop. Me? I just shake my head and wonder what can be done to avoid becoming a statistic.

(The author also provides a link to IBM's 2015 Cost of Data Breach Study.)

As we advance in technology, we also increase the number of vulnerabilities that can be present, simply because there are so many new avenues into the system or device that haven't been realized and therefore haven't been tested. This means we can all expect a visit of some kind from Mr. Hacker...

"With 1.5 million annual cyber-attacks, online crime is a real threat to anyone on the Internet. That number means there are over 4,000 cyber-attacks every day, 170 attacks every hour, or nearly three attacks every minute" (CBS.com, 2015).

Because cyber-crimes are occurring at such a rapid pace, some of them, if not most, are not even being reported to law enforcement. Why? Would it do any good? I believe there are many reasons why this occurs, and it depends on the type and severity of the crime that has occurred. Lesser crimes, such as someone hacking into a personal device, aren't that big of an issue for law enforcement. What I mean is this: yes, it is a crime, but it isn't such a big crime that law enforcement wants to spend many man-hours working to solve it. They just don't have the manpower to put towards it.

"80% or more of cyber-crimes go unreported due to lack of awareness of the crime or the ability to report it, embarrassment on the part of individuals, or fear of consumer backlash on the part of businesses".


I can see this point: if a bank or health care company got hacked, they may not want the bad publicity that comes with the hack. They may try to keep it under wraps until they can perform as many security checks and audits as they can in order to determine the who, what, where and how much before going public.



One thing is for sure: death is inevitable, those who pay taxes must pay them, and you and I will become a victim of online theft in some fashion or another... OK, that's three things.

Be prepared... Get educated and lock your systems down.

More statistics to digest:

On a slightly smaller scale, cyber-crime reported to the FBI in 2013 totaled losses of over $781 million, with an average loss of nearly $3,000 per complaint. 

That includes:
$81 million taken by romance scammers, who target people on online dating sites, feigning love and then asking for money — averaging more than $12,000 per victim.

$51 million taken by auto scammers, who convince their targets to pay for cars that don't exist — raking in an average of $3,600 per victim.

$18 million in real estate rental scams which, like auto scams, attempt to convince buyers to pay for property that doesn't exist — to the tune of nearly $1,800 per victim.

$6 million taken by FBI scammers, who pretend to be government officials to intimidate and extort money — averaging nearly $700 per victim.
(CBS.com) 

Thursday, April 14, 2016

Week 5. Hey Uncle Sam... Step back a bit.

An issue has arisen that I hope does NOT become a trend. Eduard Kovacs (Securityweek.com) wrote the following article, "Grey Hat Hackers Helped FBI Hack iPhone"; the title says it all, in my opinion. This is a troubling concept in a lot of ways, in that the Government of the United States is (allegedly) actively soliciting the help of hackers to break into an American company's product in order to gain access to the device. Not just one device, but all of them. "At least one of the people who helped the FBI access the information on the San Bernardino shooter's phone without triggering Apple's protections is a grey hat hacker who provided the law enforcement agency a previously undisclosed software vulnerability", says Kovacs. I believe we all know the scenario: terrorists attack innocent Americans, police and FBI find the terrorist's phone, FBI demands that Apple give them a back door into the product, Apple balks, and a whole host of opinions, both pro and con, start to flow across the news wire. The FBI said they paid "researchers" to find the solution for them, but a known hacker is not a researcher. Sorry, I am running off the rails here. I understand the national security issues and the ramifications concerning this case, but isn't there a legal process set up in this country to follow?

It seems that Uncle Sam feels he has a right to this back door and uses scare tactics and bullying under the guise of "keeping you safe" in order to justify his actions. Here, Uncle Sam, take a little bit more of my freedom from me so I can feel a little safer. How about playing by the rules and abiding by the laws you have passed, and not pretending that you are only looking out for our best interests? No, Uncle Sammy, you are looking out for your best interests, and American industry be damned.


(Play.google.com and me)

I ranted today because I feel that it is important for all of us who care about national security, cyber security and personal freedoms to voice our concerns. We should be outraged that our government would demand such access, then pay someone to come up with a solution and NOT give the solution to the company that is responsible for the vulnerability so they can fix it. Keeping intellectual property secure and out of the hands of someone who will exploit it for gain is a major concern for every company in existence today, or at least it should be. Apple and thousands of other companies spend millions if not billions of dollars on research and development to perfect and supply a product to the masses, and enlist the best and brightest minds to make sure those products meet strict security standards, so to have the government (our government) knowingly compromise Apple's intellectual property is mind-boggling to me.

The Federal government could have gotten the data they desired, and I even bet that Apple would have supplied it to them if the proper legal channels had been followed. But the Feds wanted more than the data; they wanted CONTROL!!


That is not what our country stands for.