Sunday, March 27, 2016

Week 2 - How can risk be managed? Can risk be avoided? Can risk be understood?

Risk in business grows when there is uncertainty, confusion and a lack of understanding of what risk actually is within an organization.  What I mean is this: if a company does not fully understand a subject such as employee theft, and does not have a plan in place to educate its people about it, identify it and control it, then the possibility of loss will be greater and will end up costing the company much more in the end.  Therefore, it is important that every company have a clear and precise plan in place to educate its people, identify what risks are present, and decide how each one will be mitigated or avoided. 

This isn’t always an easy endeavor, though.  Businesses face ongoing challenges, and new potential threats crop up every day as new vulnerabilities get identified.  Investing in a comprehensive risk assessment, and keeping it current as those vulnerabilities surface, will help keep the business and its stakeholders calm during these times of tumult.

Businesses can’t avoid risk altogether; as a matter of fact, risk is inevitable and is sometimes needed in a business plan.  The more risk a company takes, the more reward or profit can be realized, but the risks must be clearly identified and understood before moving forward with the plan.  Most risk assessment plans rate each threat as Minor, Medium or Critical, usually from its likelihood and its impact taken together, so that the vulnerability is given a significance and action plans can be put into play to deal with the worst ones first. 

Risk assessments ask:

What is the vulnerability?
How does it affect me?
What is the threat?
What is the impact of the threat?
What severity does this threat have?
Can we live with the threat?
Who needs to be involved and notified?
What can we learn from this threat?
What actions need to be put into play in order to mitigate or manage the threat?

Threat modeling is a great way for businesses to answer these questions.  Threat modeling is a structured way to identify the threats to a system and the vulnerabilities they would exploit, and then to choose countermeasures that lessen the likelihood or the impact of those threats.  A sad lesson we have learned is that not all companies use this type of analytical approach to deal with the issues they have within their networks.
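Here is an added example, written for this post rather than taken from it, of what answering those questions looks like once it is written down: a small threat model and risk register for a constructed online shop.  Each entry records what the threat is, what it affects, how likely and how damaging it is, what countermeasures are planned, and whether the business has formally decided it can live with what is left.  The threat categories follow STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege); that method, the 1 to 5 scales and the numeric cut-offs for the Minor / Medium / Critical bands are assumptions made for the example, not something the post specifies.

```python
"""Added example: a minimal threat model and risk register.

Illustrative code written for this post, not a tool the post describes.
STRIDE categories, the 1-5 scales and the band cut-offs are assumptions.
"""
from dataclasses import dataclass, field

# Minor / Medium / Critical bands from the post; the numeric floors are assumed.
BANDS = ((15, "Critical"), (8, "Medium"), (0, "Minor"))


def classify(score: int) -> str:
    """Map a likelihood*impact score onto the post's three severity bands."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "Minor"


@dataclass
class Threat:
    element: str                 # what does it affect?
    category: str                # STRIDE category: what is the threat?
    description: str
    likelihood: int              # 1 = rare .. 5 = expected this year
    impact: int                  # 1 = nuisance .. 5 = business-ending
    # (countermeasure, how many likelihood points it removes)
    mitigations: list[tuple[str, int]] = field(default_factory=list)
    accepted: bool = False       # "can we live with it?" decided explicitly

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Score after countermeasures; likelihood never drops below 1."""
        reduction = sum(points for _, points in self.mitigations)
        return max(1, self.likelihood - reduction) * self.impact


def prioritized(threats):
    """Worst inherent risk first, so the action plan starts at the top."""
    return sorted(threats, key=lambda t: t.inherent_score, reverse=True)


def needs_action(threats):
    """Threats still above Minor after mitigation and not formally accepted."""
    return [t for t in threats
            if classify(t.residual_score) != "Minor" and not t.accepted]


# Constructed sample register for a small online shop (made-up entries).
SAMPLE = [
    Threat("Customer database", "Information disclosure",
           "SQL injection in product search dumps customer records",
           likelihood=4, impact=5, mitigations=[("parameterized queries", 3)]),
    Threat("Login form", "Spoofing",
           "Credential stuffing with passwords leaked from other sites",
           likelihood=5, impact=3, mitigations=[("rate limiting", 1), ("MFA", 2)]),
    Threat("Warehouse stock", "Tampering",
           "Employee theft of stock with no inventory reconciliation",
           likelihood=3, impact=3),
    Threat("Public web site", "Denial of service",
           "Volumetric DDoS during a sale",
           likelihood=2, impact=4, accepted=True),
    Threat("Order history", "Repudiation",
           "Customer denies having placed an order",
           likelihood=2, impact=2),
]


if __name__ == "__main__":
    for t in prioritized(SAMPLE):
        print(f"{classify(t.inherent_score):8} {t.inherent_score:2} -> "
              f"{t.residual_score:2} {classify(t.residual_score):8} "
              f"{t.element}: {t.description}")
    print("Still owed an action plan:",
          [t.description for t in needs_action(SAMPLE)])
```

The useful output is the last line: in this register the two Critical items have countermeasures that bring them down to Minor, the DDoS risk has been consciously accepted, and the one entry that still has no answer is the employee theft scenario from earlier in the post, which is exactly the kind of gap a written assessment exists to expose.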



Sunday, March 20, 2016

Week 1 - 2 1/2 years on this journey... Just hope I can finish strong.

Week 1 - Final term.

     It has been almost 2 1/2 years since I started this journey towards a Cyber Security degree.  In that time-frame, I have gained a great deal of knowledge in this field and feel very confident moving forward.  The threat landscape has changed as well.  Target, Home Depot and Anthem, as well as many others, were hit very hard, and we are still learning the extent of the breaches, well, as much as they will tell us anyway.  

      Almost every American was affected by one of those attacks in one way or another, yet it seems to be business as usual for them, and what did we get out of it?  A whopping 2 free years of credit monitoring.  For those of us who were impacted by multiple or even all of them, we get monitoring from one of them and they pay the monthly costs, but the other two don't have to pay a thing, so in some way they get off scot-free.  

     So what happens after the 2 years?  The hackers sell our data in the meantime, and those that have it may act on it, or they wait until the monitoring is over and pounce on us.  We can feel the burn from these acts for many more years to come, if not for the rest of our lives.  

     Hey Home Depot, Target, how about a 50% coupon that my family could use to buy essentials or a new lawn mower (mine just gave up the ghost)... Anthem, how about extending the olive branch and giving my kids free doctor's wellness checkups until they are 18???

Nope, Nada.. Nothing.. Zip.. Zilch, Goose egg for us.  They have moved on and don't pay a thing. Did anyone even get fired for this? I don't advocate that sort of tactic just to save face but someone had to have failed and failed big so "Where is my sacrificial Lamb!" 

Good fortunes to all.....






Monday, February 24, 2014

12 weeks of blogs and how many different subjects?


Week 1:  Social Media and what you can do to protect your kids.
Week 2:  Social Media and what not to do and Privacy protection.
Week 3:  Blocking stuff on the internet and keeping your kids away from it.  Updating our Knowledge.
Week 4:  Government wants you to spy on your neighbor.  Privacy issues.
Week 5:  Old habits and making security changes to stay safe and secure.
Week 6:  Staying informed and educating yourself about network security.
Week 7:  Cyber command unit funding.  Can the government really run it?
Week 8:  Password security and what to do and not to do.
Week 9:  Social Engineering and the importance of knowing what it is.
Week 10:  The new Blackphone and privacy concerns.
Week 11:  Educating friends about the importance of personal security via social media.
Week 12:  Privacy concerns and phone apps.

It looks like my main concerns or topics were staying safe when using any social media, keeping kids safe on the web, the importance of education, staying educated, and privacy concerns.  Any one of these topics is crucial to a free and safe society.  In order for us to keep ourselves out of harm’s way, we first need to know what to look out for, how to detect it, how to fix it and what NOT to do.  But the biggest is to STAY INFORMED!!  Keep reading books and articles that explain the importance of network and personal security, take a class, talk to a friend, or if you know good information, pass it along and help out your brethren. 

Keep your personal data just that… PERSONAL. Never willingly give it out unless you are absolutely sure who you are dealing with and what the impact will be.


I used several sources for my blogs including CNET.com, PCWorld, McClatchy report, Informationweek.com, homelandsecuritynewswire.com, SplashData.com, McAfee as well as others.  All of these sites have a common interest and goal and that is to educate and give us information about certain security issues and needs.  Hey just like one of my blog concerns…. EDUCATING YOURSELF…

Say NO to their terms.... YES to privacy.

Last week I received my new work phone and decided to download a very popular app (Game) to it.  Like all apps, before you download it, you have to accept the terms of the app and of course allow certain permissions for the app.  I went through the list of the permissions and saw the ones I have below.  I was a bit concerned though after reading through them.  Needless to say, I didn’t download it.

Phone Calls:
Allows the app to access the phone features of this device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

It needs to know what the phone is capable of, what the phone number is and all the phone numbers of people you call and call you? Why?

Approximate Location:
Allows apps to access your approximate location using location services based on network sources, such as mobile phone towers and Wi-Fi APs. When these location services are available and enabled, this permission allows apps to determine your approximate location.

The app company needs to know all the hotspots and cell towers that the phone comes in contact with, why?

View Wi-Fi Connections:
Allows the app to view info about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.

Why does any of my Wi-Fi networking and devices need to be passed along to the app company?

View Network Connections:
Allows the app to view info about network connections such as which networks exist and are connected.

Again, why do they need to know about the networks I come in contact with? It isn’t just that they want to map out hotspots is it?

According to several articles I read, all of these can easily be explained by “Well, we just don’t want to send too many of the same ads to the customer” or “We need to be able to target our customers more effectively”.  I get it: if you download a “FREE” app, the company needs to make money somehow, but how much of my personal information, and of the information of those calling me or those that I call, are they allowed to have?  Am I asking the wrong questions? Am I just an old fuddy-duddy, an 8-track tape guy living in a Blu-Ray era?
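The same review can be done before the install screen ever comes up, against the app's manifest.  The following is an added example written for this post, not code from any app or from Google: it parses a constructed AndroidManifest.xml fragment (the kind a decompiler or `aapt` gives you) and sorts each requested permission into what a standalone game plausibly needs, what reads identity or location, and what is simply unexplained.  The four permissions quoted above correspond to READ_PHONE_STATE, ACCESS_COARSE_LOCATION, ACCESS_WIFI_STATE and ACCESS_NETWORK_STATE, which is what the Android 4.x installer rendered as those descriptions; the package name and the "expected for a game" list are assumptions made for the example.

```python
"""Added example: reviewing an app's requested permissions before install.

Written for this post, not taken from any app or from Google. The sample
manifest and the "expected for a game" list are assumptions.
"""
import xml.etree.ElementTree as ET

# Attribute name as ElementTree sees it with the android namespace expanded.
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Installer wording (Android 4.x) behind the permissions quoted in the post.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE":
        "Phone calls: phone number, device IDs, call state, remote number",
    "android.permission.ACCESS_COARSE_LOCATION":
        "Approximate location from cell towers and Wi-Fi access points",
    "android.permission.ACCESS_FINE_LOCATION":
        "Precise location from GPS",
    "android.permission.ACCESS_WIFI_STATE":
        "View Wi-Fi connections: Wi-Fi state and names of connected devices",
    "android.permission.READ_CONTACTS":
        "Read your contacts",
    "android.permission.READ_CALL_LOG":
        "Read your call log",
}

# What a standalone game plausibly needs (assumption for the example).
# ACCESS_NETWORK_STATE only says whether a network is up; on its own it is
# the least revealing of the four the post lists, so it is treated as ok.
EXPECTED_FOR_GAME = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
}

# Constructed manifest for a hypothetical game; not a real package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME, "") for el in root.iter("uses-permission")]


def review(permissions: list[str]) -> dict[str, str]:
    """Verdict per permission: 'ok', 'sensitive' or 'unexpected'."""
    verdicts = {}
    for perm in permissions:
        if perm in EXPECTED_FOR_GAME:
            verdicts[perm] = "ok"
        elif perm in SENSITIVE:
            verdicts[perm] = "sensitive"
        else:
            verdicts[perm] = "unexpected"
    return verdicts


def worth_installing(manifest_xml: str) -> bool:
    """The post's own rule: anything that reads identity or location is a no."""
    return "sensitive" not in review(requested_permissions(manifest_xml)).values()


if __name__ == "__main__":
    for perm, verdict in review(requested_permissions(SAMPLE_MANIFEST)).items():
        why = SENSITIVE.get(perm, "")
        print(f"{verdict:10} {perm.split('.')[-1]:24} {why}")
    print("install?", worth_installing(SAMPLE_MANIFEST))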

Parting Shots:

We live in a data centric era now where everything about anything is put out on display.  People use social media to show off or worse find out personal information about others and either laugh at them to feel better about themselves or use it in a dark manner.  We have allowed ourselves to become numb to the importance of privacy and the importance of anonymity but why? In these days of reality TV and instant fame, everyone has to be seen if not heard.  But by doing so, you always seem to show a little more of yourself than you need to or should.  We as a society need to start pulling back the reins and forcing our privacy and NOT blindly “Accept their terms”, accept your own terms and say no to the slow incrementalism of privacy loss.

Monday, February 17, 2014

ATTENTION... FRIENDS DON'T BE A VICTIM...

In some of my earlier works, you might have noticed that I do not feel too sorry for people when I hear that they were a victim of “the virus of the day” because they didn't take the time to secure their network or educate themselves properly, or maybe they got conned out of something because of a clever social engineer.  My patience wears a bit thin because in these days of data leaks and hacking from a global perspective, it really is a must that everyone use caution and be leery when presented with the next best web deal from an unknown e-mail. 

P.T. Barnum, the clever ol' showman, allegedly coined the phrase, “There is a sucker born every minute.” I would like to think that number has dropped since he made the comment, but I really don’t think so.  People these days are either too busy to take the time, or they just don’t care, or they are ostriches and put their heads in the sand in hopes no one bothers them.  In any one of those cases, they don't have a good excuse. 

So what can people like me do who want to scream and yell from the highest rooftop to “SECURE YOUR JUNK!, DON’T BE A CYBER VICTIM.” I know one thing is for sure; my neighbors wouldn't like me doing that from the top of my house… “It’s 10 o’clock and how secure is your network?” Long gone are the days of the Town Crier.  Aannyway… What can I do to help educate people? I have decided to go social, I plan on getting on Facebook and every once in a while post something that may actually get someone’s attention.

ATTENTION FRIENDS!!
PLEASE DON’T BE A VICTIM!!!


A little too much?? I think so, but I can post a little blurb about wireless security setup, password safety or any number of topics of the day and provide a little direction as to where to find answers to these common security concerns or risks. It may be a small effort, but I am sure that some of my Facebook friends are lacking in this area (not a jab, just a fact), and if I can point them in the right direction and help them out, then maybe I won’t want to hit my head against a wall when I hear all the daily cyber-attack horror stories. 

Tuesday, February 11, 2014

This is a bit Scary....

I read an article about the new Blackphone that can allegedly disguise your phone from surveillance while you use it.  If this is true, and I don’t have any reason to doubt it, what a fantastic device it will be.  According to the Blackphone manufacturers, it’s “Silent Phone, Silent Text and Silent Contacts.” If you can use a phone on a cellular network without prying eyes or bent ears, that would be fantastic. Now with that said, I move to an article in the New Yorker by Joshua Kopstein (2014), titled A Phone for the Age of Snowden.   He starts off by saying this…

“Around midnight on Tuesday of last week, people near the barricaded city square at the center of mass protests in Kiev, Ukraine, received an ominous text message: “Dear subscriber, you are registered as a participant in a mass disturbance.”  The message was most likely sent by the Ukrainian government using what’s popularly known as an “I.M.S.I. catcher”—a controversial tool that disguises itself as a cell-phone tower so that nearby devices connect to it, revealing their locations and serial numbers and, sometimes, the contents of outgoing messages. It was a bleak reminder of how cell phones, one of the past decade’s most indispensable and ubiquitous pieces of technology, can silently leave their owners exposed to governments and high-tech criminals.”

I have heard of these devices (IMSI catchers) but only in theory.  I wasn’t as versed in their operability as I should be.  Imagine a government being able to track your every move, or a criminal watching you because they have access to this technology.  I can see that when used in the proper context, this could be a very useful tool: someone goes missing and police are able to find them, a child gets abducted, etc.  What scares the hell out of me is that a government entity is willing to use it to track who you are and tell you to “Move along, nothing to see here, citizen”. The day of the Blackphone has arrived and should be heralded as a “good” device, but I’m sure that there will be some who think that these devices are foolish and that the government should…. here it comes…. “regulate” their usage.  

The Blackphone uses end-to-end encryption: the phone scrambles calls and text messages so that only the phone on the other end of the conversation can unscramble them, and the carrier or anyone sitting in the middle sees only ciphertext. This lets users make and receive secure phone calls and text messages, video chat, and even send and receive files.  One caveat a security person would add: encrypting the content protects what is said and sent, but it does not hide that the phone is on the network.  The identifiers and location an IMSI catcher collects come from the radio layer underneath, which the app's encryption never touches.
  
But alas, no matter how secure a device is, you still have to contend with any third-party apps that your phone uses.  Here is where vulnerabilities reside: your favorite app can tell on you, and tell a lot about your habits while using the device. 


Parting Shots:
I love it when I hear people say, “If you have nothing to hide, then what is the difference?” The difference is we are supposedly protected by a little known, (almost obscure now) document that says that our government or others do not have a right to do these sorts of things.  The Constitution grants us these privileges and every time we allow someone or the government to do these sorts of things, the hope, the rights of a free society and the luster fades from the document a little more.


References:

Kopstein, Joshua. (2014). A Phone for the age of Snowden. New Yorker Magazine.  Found at

Blackphone.  Found at https://www.blackphone.ch/

Wednesday, February 5, 2014

What college classes must I take to become a “Social Engineer?”

I went online to the college I am attending to see what the course requirements are to graduate with a Social Engineering degree and was flummoxed (I finally used that word… Awesome) to find out there aren't any….. I’m being facetious of course.  You know what a Social Engineer (SE) is but a lot of people do not.  I walked through my office today and asked some very smart folks what the definition of an SE is and I was very surprised to find out that only 64% (7 of 11) of my colleagues knew.  Some of these guys and gals are really smart too, so imagine my surprise if not dismay with my findings.  If they do not know what an SE is, then I think it is safe to say that the general public is less informed, I will be generous and say maybe only half know what they are.  Maybe it is just the fancy name, “Social Engineer”, it sounds so non-threatening but official, but either way, very sad.

The reason for the long-winded diatribe is that I continue to get those bank notices in my e-mail or by SMS on my phone telling me that I need to log in via the link conveniently provided and look at the issues that have arisen.  With all my accounts, I have these types of notifications set up, so I expect to get them from time to time.  Here is where I do my due diligence, though: even when I get them, I delete them immediately so no one will click on the link by accident, then log into the website the way I normally would and see if there is indeed a problem; if there is, I deal with it.  I only use one e-mail account for these types of notifications, but on occasion I receive one on a different e-mail account that I have never set up on any account. These I know for sure are scams.

Social engineering has been on the rise over the past several years, and these con artists are really starting to get sophisticated in how they approach their targets (see how I used Target in this post :)).  I digress.  We all need to take a few minutes, or even more, to do some research on this subject and be on the lookout for these types of attacks.  So far, I have only focused on e-mails and SMS; a good SE will have many other types of attacks that they can use to solicit information from you.  Other types of “human hacking” include phishing, pretexting, hoaxes, tailgating and shoulder surfing, just to name a few.  Take a moment and do a search on all of these words and get a better understanding of what they are and how an SE can use them to manipulate you.  No links in this post; I don’t want you to think I am trying to scam you. But I will ask you to look up a blog post by Neil DuPaul (2013) titled Hacking the Mind: How & Why Social Engineering Works, found at Veracode.com.  It discusses these topics in greater detail in a way I could not.
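The habit described above, never following the link and going to the site the normal way instead, is the right one, and it can be backed by a check on the links themselves before anything is clicked.  What follows is an added example written for this post, not code from any bank or mail client: it pulls every link out of a constructed "please log in" e-mail and asks whether the link actually goes where it claims to.  It catches the three tricks that show up most often in these notices: a trusted name buried inside someone else's domain, a visible URL that differs from the real href, and a domain one typo away from the real one.  The bank name examplebank.com, the lookalike domains and the IP address are all made up for the example, and the two-label "registrable domain" heuristic is a deliberate simplification (a real tool would use the public suffix list).

```python
"""Added example: checking the links in a "please log in here" notice.

Written for this post; not from any bank or mail client. Domains, the IP
address and the trusted-host list are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the reader actually holds accounts with (assumption for the example).
TRUSTED_HOSTS = {"examplebank.com", "www.examplebank.com"}

# Constructed phishing-style e-mail body: three bad links and one good one.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<a href="https://examplebank.com.account-verify.net/login">Review your account</a>
<a href="http://198.51.100.7/login">https://www.examplebank.com/alerts</a>
<a href="https://examp1ebank.com/login">Sign in</a>
<a href="https://www.examplebank.com/alerts">Alerts page</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude last-two-labels rule (no public suffix list): 'a.b.c' -> 'b.c'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-typo-away domains like examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href: str, text: str) -> str:
    """'trusted', 'insecure', 'lookalike', 'text-mismatch' or 'unknown'."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "trusted" if url.scheme == "https" else "insecure"
    domain = registrable_domain(host)
    for trusted in {registrable_domain(h) for h in TRUSTED_HOSTS}:
        # trusted name buried in someone else's domain, or one or two edits away
        if trusted in host or levenshtein(domain, trusted) <= 2:
            return "lookalike"
    # visible text looks like a URL on the trusted site but the href goes elsewhere
    shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
    if shown.lower() in TRUSTED_HOSTS:
        return "text-mismatch"
    return "unknown"


def assess_email(html: str) -> list[tuple[str, str]]:
    """Verdict for every link in the message, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, assess_link(href, text)) for href, text in collector.links]


def safe_to_click(html: str) -> bool:
    """Only true when every link resolves to a trusted host over https."""
    return all(verdict == "trusted" for _, verdict in assess_email(html))


if __name__ == "__main__":
    for href, verdict in assess_email(SAMPLE_EMAIL):
        print(f"{verdict:14} {href}")
    print("safe to click any of it?", safe_to_click(SAMPLE_EMAIL))
```

Note that even the one link the check calls "trusted" is not a reason to click: the check only tells you which links are lying, and the post's rule of opening the bank's site yourself still applies.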


PARTING SHOTS:
Remember the movie “The Sting”? It is one of my favorites of all time.  Today’s SE is a Redford or Newman character but can CON you from the comfort of their mother's basement.  They can reach their hands into your pockets electronically, and you wouldn't know about it until it was way too late and the damage is done.  Be very leery of anyone you do not know, and even leery of those you do; these con artists can be very persuasive and even very powerful people.  You ever hear of Bernie Madoff?