Sunday, November 16, 2014

Blog in Retrospect


For my blog this semester I intended to stick to a basic pattern of providing relevant information to any interested persons based on what I was learning in class.  I wanted to try and relate the lessons throughout the chapters to scenarios and discussion that the average person could understand.  I didn’t necessarily achieve this week to week in my opinion, but I think I did an acceptable job.  As I look backwards at my postings I see that towards the latter half of the semester I was definitely using my blog to educate myself on the weekly topics with real world examples.  This type of research was very helpful to me in understanding many of the lessons.  Researching different sources each week to gain a different point of view broadened my understanding of each topic.

I made an attempt to use a different source each week, and I was successful in doing that.  I actively sought out different opinions each week; sometimes they made the blog, but most of the time they went into my favorites to be referenced later down the road.  I do wish I could have spent more time with the blog; it was generally the last thing I did each week, and it served to bring it all together for me.  I think with a little more care and feeding this type of blog could really be useful to provide lessons learned to future students.  Taking the information learned in the lessons and textbook and relating it to current cyber events could be invaluable in tying the concepts in InfoSec to real-world applications.

Who to call for cybercrime

After discussing and researching laws pertaining to cyber crime this week I wanted to dive a little deeper on what an individual can do to get help if they are the victim of a cyber crime.  Banks and financial companies are generally able to return money to individuals rather quickly, but prosecuting the perpetrators is a much tougher process.  Thankfully I have never been victimized, but I know those who have and have seen their fruitless efforts to contact the local and federal law enforcement agencies.  The local police are not trained properly, and the perpetrator generally doesn’t live within their jurisdiction.  The federal law enforcement agencies have more capability to catch cyber criminals, but an individual losing money in a scam just isn’t high on their list.  This article from the Huffington Post highlights this scenario quite well.  In the article Mike Sena, president of the National Fusion Center Association, an organization that represents state and local intelligence centers around the country, recalled a case in which a California business was the victim of a cybercrime and lost $40,000. Sena said the theft wasn't great enough for the federal government to take up the investigation, and there was confusion about where to turn at the local level.
Things look pretty bleak for the individual.  If reimbursement of stolen funds doesn’t happen through the financial institution or other service, then there is little hope of seeing restitution through law enforcement.  This is not to say that things aren’t improving, because they are; I just think we are a long way away from being able to feel confident that cyber crime will be prosecuted at a level close to that of other crimes.  The Secret Service, who I didn’t realize was a key player in combatting cyber crime, is doing positive things to track down cyber criminals and to proliferate advanced techniques to local agencies.  From the Electronic Crimes Task Forces homepage: “While the Secret Service leads this innovative effort, the agency believes in partnerships with strong emphasis on prevention and education, in addition to traditional law enforcement measures. The task forces provide a productive framework and collaborative crime-fighting environment in which the resources of its participants can be combined to effectively and efficiently make a significant impact on electronic crimes.”
I do applaud their efforts here; they seek to establish a solid framework of education and training to help local law enforcement agencies tackle cyber crime.  I think that is the appropriate solution here: establishing more competent agencies at the local level.  If $40,000 isn’t enough to move the football at the federal level, I must have a mechanism to combat this injustice at the local level.

Sunday, November 2, 2014

Personal Use Biometrics


I don’t store sensitive personal information on my phone.  If my phone were to be compromised my loss would be the cost of the device plus the time it took to change a few passwords…fairly minimal.  In an increasingly connected world, new technologies are becoming available that change the impact of losing devices such as a smartphone.  The new Apple iPhone leverages Apple Pay, an app that can scan your credit or debit cards and store the information on the phone, allowing you to pay using near field communications and a fingerprint scanner; more can be read here.  This is a neat feature that will almost undoubtedly be used by millions in the coming years, but I suspect the security behind using this feature may not be where it needs to be, and I am not alone.  Frost & Sullivan ICT global program director Jean-Noël Georges issued a statement saying:

“Due to existing hardware capabilities across devices, most of the growth is expected from facial and voice authentication technologies. While the uptake of biometric technologies will get a boost from the proliferation of new devices with fingerprint authentication capability, their acceptance will be tepid until the market develops more sophisticated and accurate authentication software.”

Mass implementation of biometrics in this fashion is something I am not ready to place my trust in just yet.  I don’t know the false rejection rate, and more importantly the false acceptance rate, of the technology, nor could I find it.  How easily could my fingerprint be spoofed on this device?  Is there a chance I could be locked out of my device due to software problems?  I don’t know the answers to these questions.  There is no way I will be placing my financial information on my phone with the current maturity of personal biometrics.

With all this said, I believe this type of technology is the way of the future for simple transactions and other day to day activities.  The tech will eventually catch up, but I feel becoming an early adopter right now is not worth the risk.

Sunday, October 19, 2014

Why Risk Analysis


I like to browse the internet before posting on here in an attempt to relate the week’s lessons to current trends in Cyber Security.  This link: http://www.securityweek.com/cost-cyber-attacks-jumps-us-firms-study really fits the bill in my eye.  According to the Security Week Report “A survey of 59 US firms by the Ponemon Institute with Hewlett-Packard found the average annual cost of responding to cyber attacks was $12.7 million, up 96 percent over the previous five years.  The organizations saw a 176 percent increase in the number of cyber attacks, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.”

We know that attacks are on the rise each year, and protecting your assets and recovering from the attacks that do succeed is becoming a very expensive bill.  Comprehensive risk analysis through asset identification, classification, and listing associated vulnerabilities with their chance of occurrence is a task that absolutely must be accomplished no matter the company.  You must know which assets you have that are most critical to your operations and what current threats exist to your organization.  These assets must be ranked based on their attack surface, the likelihood of an attack, and the criticality of the asset.  Only then can you know where to investigate and place your security countermeasures.  Any other method is just guessing.

Even if you have an unlimited security budget a comprehensive asset valuation and risk analysis must be done.  If you aren’t spending your security budget on protecting the most important assets in your organization from the attacks that are the most likely to occur then you might as well give that money away because “hope” most likely isn’t a reliable security stance for your company.

Sunday, October 12, 2014

Information Security Metrics Conundrum



Me: “My patch compliance is at 99.75% and my user education percentage is 100.”

CEO:  “Wonderful, but we just got taken for 18 million records containing customer accounts.  Those metrics sure do look nice, make sure you and your dedicated pie chart creator take those reports with you on your way out the front door!”

To determine the effectiveness of any process used by a company it is always good to record metrics for future analysis.  In the InfoSec world it is also true that using metrics can be especially helpful in showing whether your policies, procedures, and controls are actually keeping your network safe.  Unfortunately in InfoSec you can research and develop great policy, train your users not to be victims and to maintain vigilance, and reduce the known vulnerabilities on your network to a near-perfect level, but you cannot always prevent an attack.  New exploits are constantly surfacing, and it only takes one slip-up by a user to lead to data compromise.  And we all know that successful data attacks and compromises are the real metrics that leadership will be reviewing when determining InfoSec program effectiveness, not the multitude of pie charts you have detailing training status and patch compliance.

I don’t make the argument against keeping InfoSec metrics; they are essential for tracking the progress and status of the program, but I don’t know if they can really be relied upon when used to prove overall effectiveness.  You could reduce the number of successful attacks by 90%, but what if the attacks that did get through were more severe than anything before?  I think metrics for the most part should be kept internal to the InfoSec division.  Instead of trotting out charts with percentages and numbers to leadership, I think the InfoSec team should use their collected metrics to translate the numbers into a big-picture view of the company’s security posture to prove that the program is truly effective and is constantly getting better.

I guess the key here is to make sure you research and develop metrics that will actually contribute to a more secure network, while identifying and removing metrics that may generate interesting stats without necessarily enhancing the security posture.  So you are at 100% for security training, but is the program adapting to the environment and still effective?  You have 99% patch compliance, but are your web server and database secure against SQL injection?  The metrics must be constantly analyzed for effectiveness and trends so effort is not wasted, because taking and evaluating metrics can be rather time intensive and focusing energy in the wrong spot can be fatal.

Sunday, October 5, 2014

JP Morgan Attacked, User Attacks Pending

Seems like every week there is a cyber attack in the headlines.  This week it is the compromise of 83 million customer records from JP Morgan Chase sometime this year.  The attack methods have not yet been released, but this incident checks many of the boxes that are all too common these days.  First, it was going on for an extended period of time undetected; second, the fact that there was a leak was not made public until absolutely necessary (a regulatory filing); and finally, the motives of the attack were financial.  There were reports of this potentially being politically motivated, but based on what I have learned throughout this course, this is probably not the case.  A vast majority of cyber attacks are financially motivated, and the political angle serves to make a story where there probably isn't one.

So what does one do with 83 million customer records?  Usually, they sell it on the black market.  These records did not contain account information such as usernames or passwords.  They did contain customer names, addresses, phone numbers and email addresses: exactly the kind of information used for spamming or phishing.  This is not as valuable as passwords and usernames, but it can be valuable to hackers because it fills in a piece of the puzzle.  They don't know what your account information is, but they know two important pieces of information:

1. They know who you are and how to contact you via e-mail, phone, or postal.
2. They know that you have an account with JP Morgan Chase.

This makes anyone with an account at this bank a prime candidate for a phishing attack.  You can change your passwords immediately, but most likely the attack is yet to occur.  What these people must do is educate themselves and their family on phishing protection and be extra vigilant towards anything they receive from the bank, because the attack is most definitely coming.  With that many records compromised, the hackers who end up with the information can cast a very wide net.  I found this Reuters link interesting.  It goes into some of the ways this information is broken up and sold based on location, with wealthy demographics going for more money on the market.

Sunday, September 28, 2014

For this week's assignment I wrote an issue specific security policy regarding home network use.  Actually brainstorming items that should be permitted online, items that could be permitted with permission from an adult, and items that were always prohibited made me realize how many threat vectors there are out there.  My children are young, but they are starting to explore the internet in some positive ways, and some ways that just waste time.  I had not done a deliberate home network threat analysis before.  I think taking this systematic look at what threats could affect my family is a good start to keeping them safe in the cyber world.

This process may be a little easier for me due to being in the IT field.  I know how to set up strong technical controls to filter out a lot of the nonsense, review network activity, and check browsing history.  A lot of people probably do not secure their network as strongly as it should be, but for the most part I would bet there is an adequate level of security.  Also, the scope of securing your home network is larger than this week's blog posting...maybe next week.  I wanted to fill this space with the thing every parent can control: the human education factor.

I think all parents should take an active role in what their kids are doing on-line.  That may seem like a boilerplate statement, but it probably isn't being done well enough.  There are so many avenues to share and search for information online these days that it is a constant effort to stay current with the technology.  By knowing where their kids are spending time online, parents can guess what information may be at risk.  This is easy for me; my kids are young and their online interests are simpler.  When they get a little bit older it becomes more difficult, as it will be looked at as an invasion of privacy, and kids may even make attempts to cover their tracks.  I think if a child is young enough to live in my house then they are not mature enough to make responsible decisions online, so I will be doing some type of monitoring, and I suggest all parents do the same.

In closing I wanted to share this link:
http://www.internetsafety101.org/agebasedguidlines.htm .  It is an excellent resource for parents to educate themselves on the subject of on-line safety.  It even approaches technical topics such as software configurations and monitoring, video game information, and mobile device options.  A really useful section of this website, age-based guidelines, focuses on what kids at specific ages are more apt to get into, and how you can make sure they are protected.  I really think this is something that everyone should at least read once, even if they think they are an expert.

Saturday, September 20, 2014

Don't Be a Victim

Next month is National Cyber Security Awareness Month, an initiative by the Department of Homeland Security to spread awareness of cyber security and increase the resiliency of the nation in the event of a cyber incident.  I applaud their efforts here and think this is coming at a good time given the current cyber climate.  Educating people is the foundation of strong security.  It helps if the education is in a format that can be understood by all levels of society, which I think this accomplishes.

There have been a multitude of headlines recently about cyber crime affecting many places Americans frequent.  I believe many people are intimidated or confused by the term cyber security, and always fall back to what is easy for them.  Well, cyber security isn't just for geeks or tech-heads anymore; everyone must do their part.  The basic principles of protecting yourself and your interests on the internet should be well known to most by now; they just need to look at it in a different light and not be scared off by a few technical terms.  Raising awareness and reminding individuals of the simple steps they can take to protect themselves can keep most people from being victimized and help ensure our country as a whole is more secure.

Some of the tips referenced from the link above:

  • Set strong passwords and don’t share them with anyone.
  • Keep your operating system, browser, and other critical software optimized by installing updates.
  • Maintain an open dialogue with your family, friends, and community about Internet safety.
  • Limit the amount of personal information you post online and use privacy settings to avoid sharing information widely.
  • Be cautious about what you receive or read online—if it sounds too good to be true, it probably is.

I think the efforts shown here by the government are in everyone's best interests.  As InfoSec professionals, this could be a useful method for educating your users about security, especially the ones who are the least tech savvy.  They should actually be the focal point of this effort in an attempt to remove some of the haze surrounding cyber security.  You are only as secure as your weakest link.

Sunday, September 14, 2014

Scary topic that must be acknowledged


Fox News has posted an article that is truly frightening to me: Digital jihad: ISIS, Al Qaeda seek a cyber caliphate to launch attacks on US.

For a few weeks now in the class we have been discussing many different types of cyber attacks.  The typical goal of these attacks is to exploit businesses or people for financial gain or increased notoriety.  This article details a threat that seeks a more catastrophic effect.  This threat, dubbed e-jihad, is in its infancy; their ability to execute a successful attack on our critical infrastructure tomorrow is unlikely.  What has me worried is the evidence of a long-term vision being established by terrorist groups.  They are recruiting talented cyber warriors to their cause, investing in encryption technologies and software development, and progressively increasing the scope of their attacks.  The article mentions that a group teamed with hackers from China to attack some government websites.  This shows a willingness to collaborate with entities who may have more advanced techniques.

While nothing critical has been compromised by this threat, the fact that they are pragmatically planning the establishment of an offensive cyber capability makes cyber security that much more important.  Their target could be anywhere from the DoD, to the financial sector, to critical infrastructure such as the power grid.  The point is that IF these characters ever obtain the ability to conduct such an attack they WILL follow through without warning.  That is the difference between this threat and cyber threats from other countries' governments or independent hacking groups.  Their only goal is to cause as much widespread destruction and panic as possible, and they will pull the trigger without hesitation.

Saturday, September 6, 2014


Week 2 Blog

Apple iCloud hack dominates headlines…and lowly security blogs.

Whether you are into information security or not, you have heard of the recent hacking of the Apple iCloud.  Several “celebrities” were relieved of some of their privacy on the Apple service by having dozens of their rather private media files taken from the cloud and displayed for the world to see.  Are these non-security-minded individuals victims here?  Most certainly.  Are they blameless in this attack?  Absolutely not.  The hacker, victim, and service owner are all to blame in an attack like this.  I would like to take this blog entry to outline some big-picture issues that typical users are susceptible to, and hopefully follow up each week with more in-depth information on how to protect yourself.
After some quick investigation of this case it was determined that the hackers’ method of gaining access to these accounts was attacking the user names, passwords, or security question answers.  Once one of these is known to an experienced hacker, they can use brute force to get into an account.  In other words, they attacked the single-factor authentication used by these services.  A few reasons why this was successful, and will always be successful with services such as this:

1.  Most users are susceptible to a brute force or dictionary attack.  This takes a known value, such as a username or a password, and attempts to guess the unknown value by trying millions of character combinations.  Eventually, if the password is not overly complex, the software will hit the right combination and be allowed access.  Apple could have 10 layers of security, but if somebody enters with legitimate credentials, they will never know.  This method works on most users of online services because they use easy, memorable passwords.  It might be difficult to create a strong password, but after many repetitions a strong password can be entered without a second thought.  Future entries here will cover how to create strong passwords, and how to store them securely so you don’t even have to remember them all.

2.  Another reason brute force works on these customer-centric services: single-factor authentication.  There are generally three factors you can use to let a system know you are authorized: something you are, something you know, or something you have.  A username and a password are both something you know, so this is a single factor of authentication, which is much easier to crack.  Yes, multi-factor authentication is almost impossible on a service like this...this just means the one factor you are using had better be strong!  Another technical control that could be used, but is not due to ease of access: a maximum number of retries before locking an account.  For user convenience a lot of these services will let you try to authenticate until you have literally tried every word in the dictionary.  Simply setting a threshold to lock out the account would prevent a brute force attack.  Additionally, a notification should be sent to a user if someone is unsuccessfully using their username an absurd number of times.

3.  Lack of personal OPSEC and the ability to be socially engineered.  Some of the victims here willingly gave their account information away via phishing attacks.  You must always be cognizant when online, especially when anyone you don’t personally know is asking for information about you.  Ask yourself what this information could be used for, and verify the authenticity of the recipient at all times.  Don’t allow yourself to become a victim.
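The lockout threshold and failed-attempt notification called for in point 2 above, written out as an added example (not Apple's code or the author's): a per-account sliding window of failures, a lock that rejects even the correct password until it expires, and an alert once an absurd number of failures is seen. The policy values, the `celeb01` account, its password and the guess list are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LoginPolicy:
    """Constructed policy values; a real service would tune these to its risk."""
    lockout_threshold: int = 5     # failures in the window before the account locks
    window_seconds: int = 900      # how long a failure keeps counting against an account
    lockout_seconds: int = 1800    # how long the lock lasts once triggered
    notify_threshold: int = 3      # failures that trigger a notification to the user


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None
    notified: bool = False


class LoginGuard:
    """Tracks failed logins per username and enforces lockout plus alerting."""

    def __init__(self, policy: LoginPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials  # hypothetical username -> password store
        self.state: Dict[str, AccountState] = {}
        self.alerts: List[str] = []     # stand-in for the e-mail/SMS notification channel

    def attempt(self, username: str, password: str, now: float) -> str:
        st = self.state.setdefault(username, AccountState())
        # A locked account rejects every attempt, even the correct password, so a
        # guesser cannot keep testing candidates while the lock is in force.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until, st.failures, st.notified = None, [], False
        # Only failures inside the sliding window count toward the thresholds.
        cutoff = now - self.policy.window_seconds
        st.failures = [t for t in st.failures if t > cutoff]
        # Unknown usernames take the same path as wrong passwords, so the response
        # does not reveal which usernames exist.
        if self.credentials.get(username) == password:
            st.failures, st.notified = [], False
            return "ok"
        st.failures.append(now)
        n = len(st.failures)
        if n >= self.policy.notify_threshold and not st.notified:
            self.alerts.append(f"{username}: {n} failed logins within "
                               f"{self.policy.window_seconds}s")
            st.notified = True
        if n >= self.policy.lockout_threshold:
            st.locked_until = now + self.policy.lockout_seconds
            self.alerts.append(f"{username}: locked for {self.policy.lockout_seconds}s")
            return "locked"
        return "denied"


def simulate_guessing(policy: Optional[LoginPolicy] = None):
    """Runs a constructed dictionary-style guess sequence against one account."""
    policy = policy or LoginPolicy()
    guard = LoginGuard(policy, {"celeb01": "correct-horse-battery"})  # constructed
    # Five common guesses one second apart, then the real password while locked.
    guesses = ["password", "123456", "qwerty", "letmein", "iloveyou",
               "correct-horse-battery"]
    results = [guard.attempt("celeb01", g, now=1000.0 + i) for i, g in enumerate(guesses)]
    # Once the lock expires the legitimate user gets back in and the counters reset.
    later = guard.attempt("celeb01", "correct-horse-battery",
                          now=1000.0 + len(guesses) + policy.lockout_seconds)
    return results, later, guard.alerts


if __name__ == "__main__":
    res, later_result, alert_log = simulate_guessing()
    print(res, later_result)
    for line in alert_log:
        print("ALERT", line)
```

The sixth attempt shows the important property: the right password is refused while the lock is active, so the attacker gains nothing from continuing, while the user is told early that someone is hammering their account.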

This was an interesting case because the lack of security certain high-profile people displayed caused Apple to change its security policies.  In this article they detail additional steps they will use to keep hackers out.  They needed a swift response because their stock price took a hit immediately following the events.  Any negative press towards your security requires immediate action.  All of the new policies are good measures, aimed mostly at protecting users from themselves, since ultimately it was their own ignorance that caused their accounts to become compromised.

This definitely displayed how a perceived lack of security can cause consumer distrust, resulting in a negative impact to business.  More to come on how to protect yourself from the bad people...

Tuesday, August 26, 2014

Let's go!

Intro…
Hello all, welcome to my blog.  My name is Chris Daigrepont, 33 years old and currently residing in Anchorage, AK.  I married my high school sweetheart, with whom I now spend a majority of my waking hours herding our three children.  We love to be outdoors, and do so as often as is possible with a young family.  I also love golfing, home brewing and crossfitting.  I completed the final class for my BS degree the day my last daughter was born.  She is quickly approaching 4 now, so I figured it was time to saddle back up.  I have just begun my graduate degree at Bellevue University in Cybersecurity.
I am a 15-year Air Force service member, the only job I have ever had.  I have had a wonderful career that has truly molded me into who I am today, and allowed me to serve on each continent.  I have been in an IT career field the whole time, which has given me a broad understanding of technology and how it is used for the Department of Defense.  Until recently I was strictly on the operational side of IT: helpdesk, system admin, engineering…around a year ago I got the opportunity to attend a CISSP bootcamp, which truly piqued my interest and caused me to refocus on a new future in the IT field.  My current job takes me away from any serious IT or security work, another driving factor in going back to school.
Seeing as this is a security blog, I wanted to share some quick thoughts from an inspection I recently went through that had many points of emphasis relevant to the field.  All businesses practice Operational Security, or OPSEC, by one name or another.  It all deals with protecting sensitive information from becoming compromised.  The information OPSEC is concerned with isn’t necessarily your company’s most confidential secrets; rather, it focuses on safeguarding what some may consider non-critical pieces of information.  This information, such as PII, proprietary business practices, or operational practices, may not be harmful on its own, but when aggregated it can paint a vivid picture of your organization’s activities.  Critical in the DoD, we not only practice it, we inspect it.
My organization recently underwent an inspection, and the common theme brought to our attention afterwards was the average company member not taking an active ownership role in the information security process.  IT security personnel can install the most advanced firewalls, provide encryption mechanisms, and perform dirty-word scanning on a mail server, but they cannot control everything the end users do.  The employee must take on the challenge of securing their data, which means they must encrypt critical information, shred documentation, and be mindful of who they are sending sensitive information to.  Most negligent disclosures of information I have seen are a direct result of ignorance of policy and carelessness, not failure of technical controls.  Some members of the organization did not know what data was critical and required protection, while others knew what was critical but not how to safeguard it.  To combat this we are becoming more involved as OPSEC managers, which means more mass training, e-mails, presentations and repetitions for the user…no fun for anyone.  Hopefully some measurable results are shown.  I suppose all InfoSec professionals struggle with the concept of achieving buy-in to policy.  It is difficult to stress the importance of doing things the right way over the quick and easy way.