Sunday, November 16, 2014

Blog in Retrospect


For my blog this semester I intended to stick to a basic pattern of providing relevant information to any interested persons based on what I was learning in class.  I wanted to try and relate the lessons throughout the chapters to scenarios and discussion that the average person could understand.  I didn’t necessarily achieve this week to week in my opinion, but I think I did an acceptable job.  As I look backwards at my postings I see that towards the latter half of the semester I was definitely using my blog to educate myself on the weekly topics with real world examples.  This type of research was very helpful to me in understanding many of the lessons.  Researching different sources each week to gain a different point of view broadened my understanding of each topic.

I made an attempt to use a different source each week, and I was successful in doing that.  I actively sought out different opinions each week; sometimes they made the blog, but most of the time they went into my favorites to be referenced later down the road.  I do wish I could have spent more time with the blog; it was generally the last thing I did each week and it served to bring it all together for me.  I think with a little more care and feeding this type of blog could really be useful to provide lessons learned to future students.  Taking the information learned in the lessons and textbook and relating them to current cyber events could be invaluable in tying the concepts in InfoSec to the real world applications.

Who to call for cybercrime

After discussing and researching laws pertaining to cyber crime this week I wanted to dive a little deeper on what an individual can do to get help if they are victims of a cyber crime.  Banks and financial companies are generally able to return money to individuals rather quickly, but as for prosecuting the perpetrators, this is a much tougher process.  Thankfully I have never been victimized, but I know those who have and have seen their fruitless efforts to contact the local and federal law enforcement agencies.  The local police are not trained properly, and the perpetrator generally doesn’t live within their jurisdiction.  The federal law enforcement agencies have more capability to catch cyber criminals, but an individual losing money in a scam just isn’t high on their list.  This article from the Huffington Post highlights this scenario quite well.  In the article Mike Sena, president of the National Fusion Center Association, an organization that represents state and local intelligence centers around the country, recalled a case in which a California business was the victim of a cybercrime and lost $40,000. Sena said the theft wasn't great enough for the federal government to take up the investigation, and there was confusion about where to turn at the local level.
Things look pretty bleak for the individual.  If reimbursement of stolen funds doesn’t happen through the financial institution or other service, then there is little hope of seeing restitution through law enforcement.  This is not to say that things aren’t improving, because they are; I just think we are a long way away from being able to feel confident that cyber crime will be prosecuted at a level close to that of other crimes.  The Secret Service, who I didn’t realize was a key player in combatting cyber crime, is doing positive things to track down cyber criminals and proliferating advanced techniques to local agencies.  From the Electronic Crimes Task Forces homepage: “While the Secret Service leads this innovative effort, the agency believes in partnerships with strong emphasis on prevention and education, in addition to traditional law enforcement measures. The task forces provide a productive framework and collaborative crime-fighting environment in which the resources of its participants can be combined to effectively and efficiently make a significant impact on electronic crimes.”
I do applaud their efforts here; they seek to establish a solid framework of education and training to help local law enforcement agencies tackle cyber crime.  I think that is the appropriate solution here: establishing more competent agencies at the local level.  If $40,000 isn’t enough to move the football at the federal level, I must have a mechanism to combat this injustice at the local level.

Sunday, November 2, 2014

Personal Use Biometrics


I don’t store sensitive personal information on my phone.  If my phone were to be compromised my loss would be the cost of the device plus the time it took to change a few passwords…fairly minimal.  In an increasingly connected world, new technologies are becoming available that change the impact of losing devices such as a smartphone.  The new Apple iPhone leverages Apple Pay, an app that can scan your credit or debit cards and store the information on the phone allowing you to pay using near field communications and a fingerprint scanner; more can be read here.  This is a neat feature that will almost undoubtedly be used by millions in the coming years, but I suspect the security behind using this feature may not be where it needs to be, and I am not alone.  Frost & Sullivan ICT global program director Jean-Noël Georges issued a statement saying:

“Due to existing hardware capabilities across devices, most of the growth is expected from facial and voice authentication technologies. While the uptake of biometric technologies will get a boost from the proliferation of new devices with fingerprint authentication capability, their acceptance will be tepid until the market develops more sophisticated and accurate authentication software.”

Mass implementation of biometrics in this fashion is something I am not ready to place my trust in just yet.  I don’t know the false rejection rate, and more importantly, the false acceptance rate of the technology, nor could I find it.  How easily could my fingerprint be spoofed on this device?  Is there a chance I could be locked out of my device due to software problems?  I don’t know the answer to these questions.  There is no way I will be placing my financial information on my phone with the current maturity of personal biometrics.

With all this said, I believe this type of technology is the way of the future for simple transactions and other day to day activities.  The tech will eventually catch up, but I feel becoming an early adopter right now is not worth the risk.

Sunday, October 19, 2014

Why Risk Analysis


I like to browse the internet before posting on here in an attempt to relate the week’s lessons to current trends in Cyber Security.  This link: http://www.securityweek.com/cost-cyber-attacks-jumps-us-firms-study really fits the bill in my eye.  According to the Security Week Report “A survey of 59 US firms by the Ponemon Institute with Hewlett-Packard found the average annual cost of responding to cyber attacks was $12.7 million, up 96 percent over the previous five years.  The organizations saw a 176 percent increase in the number of cyber attacks, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.”

We know that attacks are on the rise each year, and protecting your assets and recovering from the attacks that do succeed is becoming a very expensive bill.  Comprehensive risk analysis through asset identification, classification, and listing associated vulnerabilities with their chance of occurrence is a task that absolutely must be accomplished no matter the company.  You must know which assets you have that are most critical to your operations and what current threats exist to your organization.  These assets must be ranked based on their attack surface, the likelihood of an attack, and the criticality of the asset.  Only then can you know where to investigate and place your security countermeasures.  Any other method is just guessing.

Even if you have an unlimited security budget a comprehensive asset valuation and risk analysis must be done.  If you aren’t spending your security budget on protecting the most important assets in your organization from the attacks that are the most likely to occur then you might as well give that money away because “hope” most likely isn’t a reliable security stance for your company.
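The ranking the paragraphs above describe, as an added example that is not part of the original post (the asset names, the 1-to-5 scales, the per-vulnerability probabilities and the budget figures are all constructed):

```python
# Added example, not the original post's code: a small risk register that lists each
# asset's vulnerabilities with a chance of occurrence, ranks assets by criticality,
# attack surface and likelihood, then funds countermeasures in rank order.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int       # 1 (nice to have) .. 5 (business stops without it)
    attack_surface: int    # 1 (isolated, internal) .. 5 (internet-facing, many entry points)
    vulns: dict = field(default_factory=dict)  # vuln name -> annual chance of exploitation

def likelihood(asset):
    """Chance that at least one listed vulnerability is exploited in a year,
    treating them as independent: 1 - prod(1 - p_i)."""
    p_none = 1.0
    for p in asset.vulns.values():
        p_none *= 1.0 - p
    return 1.0 - p_none

def risk_score(asset):
    """Ranking score = criticality * attack_surface * likelihood (0..25)."""
    return asset.criticality * asset.attack_surface * likelihood(asset)

def rank_assets(assets):
    """(asset, score) pairs, highest risk first: where countermeasures go first."""
    return sorted(((a, risk_score(a)) for a in assets), key=lambda t: t[1], reverse=True)

def allocate_budget(assets, budget, unit_cost):
    """Greedy: fund one countermeasure per asset in rank order while money and
    non-zero risk remain. Returns the funded asset names in order."""
    funded = []
    for asset, score in rank_assets(assets):
        if budget < unit_cost or score == 0:
            break
        funded.append(asset.name)
        budget -= unit_cost
    return funded

REGISTER = [  # constructed sample register
    Asset("customer-db", 5, 2, {"sqli-in-legacy-report": 0.30, "weak-dba-password": 0.10}),
    Asset("public-web", 4, 5, {"unpatched-cms-plugin": 0.40}),
    Asset("dev-wiki", 1, 3, {"default-creds": 0.50}),
    Asset("hr-fileshare", 3, 1),  # no known vulnerabilities listed
]

if __name__ == "__main__":
    for asset, score in rank_assets(REGISTER):
        print(f"{asset.name:<13} likelihood={likelihood(asset):.2f} score={score:.2f}")
    print("fund first:", allocate_budget(REGISTER, budget=250_000, unit_cost=100_000))
```

Note that the most critical asset (the customer database) is not the top-ranked one; its small attack surface pulls it below the internet-facing web server, which is exactly the kind of result guessing would miss.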

Sunday, October 12, 2014

Information Security Metrics Conundrum



Me: “My patch compliance is at 99.75% and my user education percentage is 100.”

CEO:  “Wonderful, but we just got taken for 18 million records containing customer accounts.  Those metrics sure do look nice, make sure you and your dedicated pie chart creator take those reports with you on your way out the front door!”

To determine the effectiveness of any process used by a company it is always good to record metrics for future analysis.  In the InfoSec world it is also true that using metrics can be especially helpful in showing if your policies, procedures, and controls are actually keeping your network safe.  Unfortunately in InfoSec you can research and develop great policy, train your users to not be a victim and maintain vigilance, and reduce the known vulnerabilities on your network to a near perfect level, but you cannot always prevent an attack.  New exploits are constantly surfacing, and it only takes one slip up by a user to lead to data compromise.  And we all know that successful data attacks and compromise are the real metrics that leadership will be reviewing when determining InfoSec program effectiveness, not the multitude of pie charts you have detailing training status and patch compliance. 

I don’t make the argument against keeping InfoSec metrics; they are essential for tracking progress and status of the program, but I don’t know if they can really be relied upon when used to prove overall effectiveness.  You could reduce the number of successful attacks by 90%, but what if the attacks that did get through were more severe than anything before?  I think metrics for the most part should be kept internal to the InfoSec division.  Instead of trotting out charts with percentages and numbers to leadership, I think the InfoSec team should use their collected metrics to translate the numbers into a big picture view of the company’s security posture to prove that the program is truly effective and is constantly getting better.

I guess the key here is to make sure you research and develop metrics that will actually contribute to a more secure network, while identifying and removing metrics that may generate interesting stats while not necessarily enhancing the security posture.  So you are at 100% for security training, but is the program adapting to the environment and still effective?  You have 99% patch compliance, but are your web server and database secure against SQL injection?  The metrics must be constantly analyzed for effectiveness and trends so effort is not wasted, because taking and evaluating metrics can be rather time intensive and focusing energy in the wrong spot can be fatal.

Sunday, October 5, 2014

JP Morgan Attacked, User Attacks Pending

Seems like every week there is a cyber attack in the headlines.  This week it is the compromise of 83 million customer records from JP Morgan Chase sometime this year.  The attack methods have not yet been released, but this incident checks many of the boxes that are all too common these days.  First, it was going on for an extended period of time undetected; second, the fact that there was a leak was not made public until absolutely necessary (a regulatory finding); and finally, the motives of the attack were financial.  There were reports of this potentially being politically motivated, but based on what I have learned throughout this course, this is probably not the case.  A vast majority of cyber attacks are financially motivated, and the political angle serves to make a story where there probably isn't one.

So what does one do with 83 million customer records?  Usually, they sell it on the black market.  These records did not contain account information such as usernames or passwords.  They did contain customer names, addresses, phone numbers and email addresses, exactly the kind of information used for spamming or phishing purposes.  This is not as valuable as passwords and usernames, but it can be valuable to hackers because it fills in a piece of the puzzle.  They don't know what your account information is, but they know two important pieces of information:

1. They know who you are and how to contact you via e-mail, phone, or postal.
2. They know that you have an account with JP Morgan Chase.

This makes anyone with an account with this bank a prime candidate for a phishing attack.  You can change your passwords immediately, but most likely the attack is yet to occur.  What these people must do is educate themselves and their family on phishing protection and be extra vigilant towards anything they receive from the bank, because the attack is most definitely coming.  With that many records compromised the hackers who end up with the information can cast a very wide net.  I found this Reuters link interesting.  It goes into some of the ways this information is broken up and sold based on location, with wealthy demographics going for more money on the market.

Sunday, September 28, 2014

For this week's assignment I wrote an issue specific security policy regarding home network use.  Actually brainstorming items that should be permitted online, items that could be permitted with permission from an adult, and items that were always prohibited made me realize how many threat vectors there are out there.  My children are young, but they are starting to explore the internet in some positive ways, and some ways that just waste time.  I had not done a deliberate home network threat analysis before.  I think taking this systematic look at what threats could affect my family is a good start to keeping them safe in the cyber world.

This process may be a little easier for me due to being in the IT field.  I know how to set up strong technical controls to filter out a lot of the nonsense, review network activity, and check browsing history.  A lot of people probably do not secure their network as strongly as it should be, but for the most part I would bet there is an adequate level of security.  Also, the scope of securing your home network is larger than this week's blog posting...maybe next week.  I wanted to fill this space with things every parent can control, the human education factor.

I think all parents should take an active role in what their kids are doing on-line.  That may seem like a boilerplate statement, but it probably isn't being done well enough.  There are so many avenues to share and search for information online these days that it is a constant effort to stay current with the technology.  By knowing where their kids are spending time online they can guess what information may be at risk.  This is easy for me; my kids are young and their online interests are simpler.  When they get a little bit older it becomes more difficult as it will be looked at as an invasion of privacy, and kids may even make attempts to cover their tracks.  I think if a child is young enough to live in my house then they are not mature enough to make responsible decisions online, so I will be doing some type of monitoring, and I suggest all parents do the same.

In closing I wanted to share this link:
http://www.internetsafety101.org/agebasedguidlines.htm.  It is an excellent resource for parents to educate themselves on the subject of on-line safety.  It even approaches technical topics such as software configurations and monitoring, video game information, and mobile device options.  A really useful section of this website, age-based guidelines, focuses on what kids at specific ages are more apt to get into, and how you can make sure they are protected.  I really think this is something that everyone should at least read once, even if they think they are an expert.