Sunday, September 28, 2014

For this week's assignment I wrote an issue specific security policy regarding home network use.  Actually brainstorming items that should be permitted online, items that could be permitted with permission from an adult, and items that were always prohibited made me realize how many threat vectors there are out there.  My children are young, but they are starting to explore the internet in some positive ways, and some ways that just waste time.  I had not done a deliberate home network threat analysis before.  I think taking this systematic look at what threats could affect my family is a good start to keeping them safe in the cyber world.

This process may be a little easier for me due to being in the IT field.  I know how to set up strong technical controls to filter out a lot of the nonsense, review network activity, and check browsing history.  A lot of people probably do not secure their network as strongly as they should, but for the most part I would bet there is an adequate level of security.  Also, the scope of securing your home network is larger than this week's blog posting...maybe next week.  I wanted to fill this space with things every parent can control, the human education factor.

I think all parents should take an active role in what their kids are doing on-line.  That may seem like a boilerplate statement, but it probably isn't being done well enough.  There are so many avenues to share and search for information online these days that it is a constant effort to stay current with the technology.  By knowing where their kids are spending time online they can guess what information may be at risk.  This is easy for me, my kids are young and their online interests are simpler.  When they get a little bit older it becomes more difficult as it will be looked at as an invasion of privacy, and kids may even make attempts to cover their tracks.  I think if a child is young enough to live in my house then they are not mature enough to make responsible decisions online, so I will be doing some type of monitoring, and I suggest all parents do the same.

In closing I wanted to share this link:
http://www.internetsafety101.org/agebasedguidlines.htm .  It is an excellent resource for parents to educate themselves on the subject of on-line safety.  It even approaches technical topics such as software configurations and monitoring, video game information, and mobile device options.  A really useful section of this website, age-based guidelines, focuses on what kids at specific ages are more apt to get into, and how you can make sure they are protected.  I really think this is something that everyone should at least read once, even if they think they are an expert.

Saturday, September 20, 2014

Don't Be a Victim

Next month is National Cyber Security Awareness Month, an initiative by the Department of Homeland Security to spread awareness of cyber security and increase the resiliency of the nation in the event of a cyber incident.  I applaud their efforts here and think this is coming at a good time given the current cyber climate.  Educating people is the foundation of strong security.  It helps if the education is in a format that can be understood by all levels of society, which I think this accomplishes.

There have been a multitude of headlines recently of cyber crime which affect many places Americans frequent.  I believe many people are intimidated or confused by the term cyber security, and always fall back to what is easy for them.  Well, cyber security isn't just for geeks or tech-heads anymore, everyone must do their part.  The basic principles of protecting yourself and your interests on the internet should be well known to most by now, they just need to look at it in a different light and not be shied away by a few technical terms.  Raising awareness and reminding individuals of the simple steps they can take to protect themselves can help keep most people from being victimized and help ensure our country as a whole is more secure.

Some of the tips referenced from the link above:

  • Set strong passwords and don’t share them with anyone.
  • Keep your operating system, browser, and other critical software optimized by installing updates.
  • Maintain an open dialogue with your family, friends, and community about Internet safety.
  • Limit the amount of personal information you post online and use privacy settings to avoid sharing information widely.
  • Be cautious about what you receive or read online—if it sounds too good to be true, it probably is.

I think the efforts shown here by the government are in everyone's best interests.  As InfoSec professionals this could be a useful method for educating your users about security, especially the ones who are the least tech savvy.  They should actually be the focal point of this effort in an attempt to remove some of the haze surrounding cyber security.  You are only as secure as your weakest link.

Sunday, September 14, 2014

Scary topic that must be acknowledged

Fox News has posted an article that is truly frightening to me.  Digital jihad: ISIS, Al Qaeda seek a cyber caliphate to launch attacks on US.

For a few weeks now in the class we have been discussing many different types of cyber attacks.  The typical goal of these attacks is to exploit businesses or people for financial gains or increased notoriety.  This article details a threat that seeks a more catastrophic effect.  This threat, dubbed e-jihad, is in its infancy.  Their current ability to execute a successful attack on our critical infrastructure tomorrow is unlikely.  What has me worried is the evidence of a long term vision being established by terrorist groups.  They are recruiting talented cyber warriors to their cause, investing in encryption technologies and software development, and progressively increasing the scope of their attacks.  The article mentions that a group teamed with hackers from China to attack some government websites.  This shows a willingness to collaborate with entities who may have more advanced techniques.

While nothing critical has been compromised by this threat, the fact that they are pragmatically planning the establishment of an offensive cyber capability makes cyber security that much more important.  Their target could be the DoD, the financial sector, or even critical infrastructure such as the power grid.  The point is that IF these characters ever obtain the ability to conduct such an attack they WILL follow through without warning.  That is the difference between this threat and cyber threats from other countries' governments or independent hacking groups.  Their only goal is to cause as much widespread destruction and panic as possible, and they will pull the trigger without hesitation.

Saturday, September 6, 2014

Week 2 Blog

Apple iCloud hack dominates headlines…and lowly security blogs.

Whether you are into information security or not you have heard of the recent hacking of the Apple iCloud.  Several “celebrities” were relieved of some of their privacy on the Apple service by having dozens of their rather private media files taken from the cloud and displayed for the world to see.  Are these non-security minded individuals victims here?  Most certainly.  Are they blameless in this attack?  Absolutely not.  The hacker, victim, and service owner all are to blame in an attack like this.  I would like to take this blog entry to outline some big picture issues that typical users are susceptible to, and hopefully follow up each week with more in depth information on how to protect yourself.

After some quick investigation on this case it was determined the hackers’ method to gain access to these accounts was their ability to attack the user names, passwords or security question answers.  Once one of these entities is known to an experienced hacker they can use brute force to get into an account.  In other words they attacked the single factor authentication used by these services.  A few reasons why this was successful, and will always be successful with services such as this:

1. Most users are susceptible to a brute force or dictionary attack.  This tries a known value such as a username or a password, and attempts to guess the unknown value by trying millions of character combinations.  Eventually, if the password is not overly complex, the software will get the right combination and be allowed access.  Apple could have 10 layers of security, but if somebody enters with legit credentials, they will never know.  This method works with most users of online services because they use easy, memorable passwords.  It might be difficult to create a strong password, but after many repetitions a strong password can be entered without a second thought.  Future entries here will cover how to create strong passwords, and how to store them securely so you don’t even have to remember them all.

2. Another reason brute force works on these customer centric services: single factor authentication.  There are generally three factors you can use to let a system know you are authorized: something you are, something you know, or something you have.  A username and a password are both something you know, thus a single factor of authentication, which is much easier to crack.  Yes, multi-factor authentication is almost impossible on a service like this...this just means the one factor you are using better be strong!  Another technical control that could be used, but is not due to ease of access: max retries before locking an account.  For user convenience a lot of these services will let you try to authenticate until you have literally tried every word in the dictionary.  Simply setting a threshold to lock out the account would prevent a brute force attack.  Additionally, a notification should be sent to a user if someone is unsuccessfully using their username an absurd number of times.

3. Lack of personal OPSEC and the ability to be socially engineered.  Some of the victims here willingly gave their account information away via phishing attacks.  You must always be cognizant when online, especially when anyone you don’t personally know is asking for information about you.  Ask yourself what this information could be used for, and verify the authenticity of the recipient at all times.  Don’t allow yourself to become a victim.
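
The lockout threshold and owner notification suggested in item 2 can be sketched in a few lines. This is an added example, not part of the original post and not Apple's implementation; the class name, the thresholds and the sample wordlist are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Per-account failed-login throttle: lock after too many failures, alert the owner."""

    def __init__(self, max_failures=5, window=300, lockout=900, notify=None):
        self.max_failures = max_failures     # failures tolerated inside the window
        self.window = window                 # seconds over which failures are counted
        self.lockout = lockout               # seconds the account stays locked
        self.notify = notify or (lambda user, msg: None)
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self._locked_until = {}              # username -> time the lock expires

    def attempt(self, user, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        if self._locked_until.get(user, 0) > now:
            return "locked"                  # refuse even a correct password while locked
        if password_ok:
            self._failures.pop(user, None)   # a good login resets the counter
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent.clear()
            self.notify(user, f"{self.max_failures} failed logins; account locked")
            return "locked"
        return "denied"


def simulate_guessing(guard, user, guesses, real_password, start=0):
    """Replay one guess per second and return the outcome of each attempt."""
    return [guard.attempt(user, g == real_password, start + i)
            for i, g in enumerate(guesses)]


# Constructed sample data: a short wordlist whose last entry is the real password.
ALERTS = []
GUARD = LoginGuard(notify=lambda user, msg: ALERTS.append((user, msg)))
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "sunshine1"]
RESULTS = simulate_guessing(GUARD, "alice", WORDLIST, "sunshine1")

if __name__ == "__main__":
    print(RESULTS)
    print(ALERTS)
```

The lock here is temporary on purpose: a permanent lockout would let anyone who knows a username keep its owner out of the account.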

This was an interesting case because the lack of security certain high profile people displayed caused Apple to change its security policies.  In this article they detail additional steps they will use to keep hackers out.  They needed a swift response because their stock prices took a hit immediately following the events.  Any negative press towards your security requires immediate action.  All of the new policies are good measures, aimed mostly at protecting users from themselves, since ultimately it was their own ignorance that caused their account to become compromised.

This definitely displayed how a perceived lack of security can cause consumer distrust, resulting in a negative impact to business.  More to come on how to protect yourself from the bad people...