Saturday, May 21, 2016

Week 10 - Teach a kid today, secures our data tomorrow.

Can you figure this cipher out?


(Ronald Woerner, securityintelligence.com)

It’s a simple cipher, and for those of us who have a little… well… seasoning to us, it is easy to figure out. But to a young child or high school student, it is a challenge. This is the beauty of these types of problems.

I am in the last term of my Cyber Security Graduate program and wanted to give an “Atta boy” to my Professor Ron Woerner, who believes the way to fix our cyber security issues is to teach our youth what this subject is all about and how to identify and troubleshoot cyber issues. One of the ways he achieves this is by promoting cyber security competitions in high schools: “Young folks from around the world are answering the call of ‘Do you have what it takes?’ as a part of cyber competitions. They’re stepping up to the plate and facing the challenges of information security, programming, cryptography, and network reconnaissance and computer forensics” (Woerner, 2016). As Professor Woerner states in his article below, these types of competitions and capture the flag (CTF) events are not new; they were first started in the early 90’s at DEF CON and have taken off like wildfire across the nation and even the globe as teams of young adults hone their security skills while trying to best their opponents.

Professor Woerner wrote a very interesting article titled “Cyber Competitions: Do You Have What It Takes?” for Securityintelligence.com that discusses this very topic, and I encourage you to take a look. He isn’t the only one who believes in this educational path; there are many organizations and teachers throughout America who believe strongly in it. One example is the Air Force Association, which sponsors the CyberPatriot National Youth Cyber Education Program, in which Professor Woerner is involved.

WHAT IS CYBERPATRIOT?

CyberPatriot is the National Youth Cyber Education Program. At the center of CyberPatriot is the National Youth Cyber Defense Competition. The competition puts teams of high school and middle school students in the position of newly hired IT professionals tasked with managing the network of a small company. In the rounds of competition, teams are given a set of virtual images that represent operating systems and are tasked with finding cybersecurity vulnerabilities within the images and hardening the system while maintaining critical services in a six-hour period. Teams compete for the top placement within their state and region, and the top teams in the nation earn all-expenses paid trips to Baltimore, MD for the National Finals Competition where they can earn national recognition and scholarship money.

(uscyberPatriot.org)



I commend the men and women who believe so deeply in the security of our public and private networks.  The fact they can work a full day, and then spend time outside work to provide guidance and support to the youth of our country is amazing.  They do this knowing the minds they shape today will be the White Hats that protect our data tomorrow.

If you are interested in this subject or want to sponsor a team or school, please visit:

Thanks Coach for all your time, your dedication and love of security.  Without it, I wouldn’t have gotten as far as I have in my graduate career.  Keep up the great work…

Monday, May 16, 2016

Week 9 - Risks… Good, bad and ugly?

What is risk? Thanks to Merriam-Webster, we see that risk = possibility of loss or injury. A simple definition, but true nonetheless. Too much risk can cause businesses to fail because there is confusion and uncertainty within the organization. This happens mainly because corporate leaders do not understand what “risk” is or how to mitigate, transfer or even accept it, and because the business has not dissected the full impact of the risk to get a grasp of what it is challenged with.

(healthcareglobal.com)


What I mean is this: if a company does not fully understand a subject such as employee theft, then the possibility of loss, whether of money, intellectual property or customer data, will be greater, and it will cost the company much more to mitigate when the event occurs. Therefore, it is very important for all groups within a business to understand what risks are present and how to mitigate, control and even avoid them. This isn’t always easy, though, since new (potential) threats crop up every day. Having a Risk Management Plan (NIST Special Publication 800-30 Revision 1) in place will help keep businesses calm during times of tumult. The following diagram from NIST.gov displays a great overview of the risk management process.

(NIST.gov)

Questions to ask when the event occurs:
  • What is the threat?
  • What is the impact of the threat?
  • How vulnerable are we?
  • Who needs to be involved and notified?
  • How quickly must you act?
  • What actions need to be put into play in order to mitigate or manage the threat?

Businesses can’t avoid risks; as a matter of fact, risks are inevitable and sometimes needed in a business strategy, so develop your plan now. The following demonstrates how to prioritize the risks in your business. Assigning each risk an importance level such as Minor, Major, Critical or Minor, Moderate, Significant will help everyone involved understand the significance of the threat.

(Managementstudyguide.com)

A thorough risk assessment audit and plan can lessen the impact of a breach and make your life much easier. But these assessment plans need to be very accurate and comprehensive, and they need to be run on a regular basis in order to build up a stockpile of historical data and benchmarks.

So get to work…. And Happy Assessment (ing)…

Sunday, May 8, 2016

Week 8 - Using Risk management tools.

While researching the last two assignments about Threat Modeling and Threat Analysis, I did some reading on risk management tools and came across several. The one that stood out most to me is the OCTAVE method, which stands for "Operationally Critical Threat, Asset and Vulnerability Evaluation". It was designed and developed at the CERT Coordination Center at Carnegie Mellon University and is a very good method to assess and manage risks in any size organization.


slideshare.net



This risk-based security assessment planning approach can help all businesses get a better understanding of what threats and risks they are faced with (please see NIST SP 800-30, Risk Management Guide for Information Technology Systems). It is a self-directed method that requires the business to oversee and maintain the threat evaluation process and make informed and unbiased decisions that will strengthen the organization’s security presence.

To get started, an analysis team is put together; this team includes people from many different areas of the business. Some of the functions of this team are to:
  • Identify IT related assets.
  • Target the critical assets that the business has judged to be crucial.
  • Determine the Risks that are associated with the assets.
  • Evaluate and protect the key assets.
  • Communicate a plan to safeguard the assets.


Itgovernanceusa.com. 2003


There are normally 8 processes in the OCTAVE method, but it has been broken down into 3 phases to simplify the process.

Phase 1 – Initial security planning is designed and developed.
  • What is important?
  • What is the current state of the asset?
  • How are the assets being protected?
  • Describe the requirements needed for securing critical assets.
  • Create the threat profile per asset.

Phase 2 – Identify infrastructure risks and vulnerabilities.
  • Evaluate the IT infrastructure.
  • Identify classes of IT equipment relevant to each critical asset.
  • The team can now evaluate the asset and how resistant it is to potential attacks.

Phase 3 – Design and implement security planning.
  • Decide what to do about the identified risks for each asset.
  • Create and design an asset protection scheme for the network.
  • Create a risk mitigation plan for each asset and for the network as a whole.

It isn’t possible for any business to be fully risk free, but they can take steps to minimize and even mitigate the threats that are facing them. Utilizing risk management techniques and programs, businesses can identify, categorize, assess and implement strategic planning to help alleviate potential vulnerabilities and threats within their networks to minimize losses.

Sunday, May 1, 2016

Week 7 - SHRED IT!! BURN IT!! Vaporize it…

I was going through some old assignments last week, getting them ready to present to my instructor prior to graduation, when I came upon an assignment from my undergrad days... The instructor wanted the class to go through our garbage and look for pieces of anything that might be useful to a dumpster diver or social engineer. At first, I thought it to be a lesson in futility since I was sure that I never throw personal data away. I was mistaken…

Here are excerpts from the assignment:

I thought this would be a no-brainer for me: look in my trash and see that I have absolutely nothing that could identify me or give a person an inkling about who I am. Uhmm, not true…

Things that I found are listed below.

1. A credit card advertisement. It was ripped up in several pieces but still had enough data on it to give me away.
2. My flight boarding pass from SFO to Mexico City. I wasn’t the one who threw this out, so it must have been my wife.
3. Half of my itinerary from Expedia, including the hotel name. Again, wife.
4. A utility bill.


I was concerned; I am usually very careful about what I toss out. I usually burn or shred it, or douse it in H2O and put it in the mulch pile.

(haikudeck.com)

I asked my lovely wife if she had thrown the data away and she looked shocked and said she didn’t even realize she had done it.  I’m sure it was a mistake since I am always on my family to not take any chances and always toss everything into the shred bin even if they don’t think it is of consequence.  This bothers me a lot since on garbage days, you will occasionally see people walking through the neighborhood looking into the garbage cans hoping to find recyclables, or are they?
Looking back on this experiment, I see that it is easy to forget and just toss stuff out.  This should never happen since people make a good living sifting through garbage then stealing your identity…
In an article about identity theft on the FTC website, statistics are given for 2015: “47 percent increase over the prior year, and the Department of Justice estimates that 17.6 million Americans were victims of identity theft in 2014”. The graph helps to illustrate the point.

(FTC.gov)

Identity theft is a big issue and is only getting worse. Protect yourself and your loved ones and make sure you keep your data safe. And don’t do what my family did and throw out personal papers.  Shred them…

Here are a few good websites to learn more about identity theft.

IdentityTheft.gov – Report identity theft and get a recovery plan.

FBI.gov – Identity theft information.

Identitytheft.info - Identity Theft Victim Statistics by Rob Douglas