Friday, November 14, 2014

What I've learned

Like most classes I’ve taken towards my cyber security degree, I’ve learned a lot throughout the term. It’s always difficult for me to come up with the one thing that stands above the others, but in this case it was a little easier. Instead of a class that just teaches us the information, this one also provided instruction in how to use the information we were taught. I think the most important thing I’m taking away from this class is the process of transforming my knowledge into a usable product. Not only did I learn new information, but I learned what to do with it. Writing papers to satisfy a class requirement is one thing; however, gathering that information and presenting it in a report for management is an entirely different matter. This class was especially helpful in taking what I’ve learned and assembling it into a useful document that could be presented to others. Going a step further is taking that report and then reformatting it into a visual presentation.

Friday, October 31, 2014

Enforcement

I saw the below article on CNN this morning while I was bored at work, and felt like I needed to share some thoughts about it. As cybercrime evolves and grows, law enforcement continues to make corresponding adjustments to fight it. Although the Secret Service may have prevented 1 billion in cybercrime fraud last year, the estimated annual cost of cybercrime is about 400 billion (CNN). Needless to say, we have a long way to go before we get a handle on it. Ed Lowery is a special agent with the US Secret Service, who acknowledges that there has been a marked increase in the level of sophistication in both the nature and accomplishment of cybercrimes.

Cyber criminals are no longer the lone hacker looking to make a quick buck; now they are organized cartels and governments targeting the US and other countries. According to Lowery, the US is an especially appealing target for infiltration. Adding to the problem is the fact that they often operate from locations where enforcement is particularly difficult, which may be due to lack of cooperation and geographic tensions. These regions make ideal stomping grounds for cyber criminals.

Even when policing is possible, there are still the critical elements of detecting and hunting these criminals. Lowery believes that the skill sets of law enforcement must mirror (or exceed) those possessed by the cyber criminals. In addition to cyber skills, law enforcement also needs to have investigative skills, which is not a common combination. Both take years to develop and they don’t often occur simultaneously.

In my opinion, the biggest problem facing cyber security is not the skill set of the investigators, or even the laws in place. The larger issue is enforcement, and the ability to police in regions with little or no cooperation. This is going to be the greatest hurdle in defeating an annual fraud bill of 400 billion.



Lake, M. (2014). Police vs Cartels In The High-Tech Battle To Stop Cybercrime.  Retrieved from http://www.cnn.com/2014/10/30/tech/web/police-vs-cartelscybercrime/inde.html.


Saturday, October 25, 2014

I was initially going to write about something else this week, but I couldn’t resist this headline: “China Is Hacking Its Own Citizens' iCloud Accounts.”

The attack coincides with the iPhone 6 and 6 Plus release in China. China has previously launched attacks against their citizens’ Google and Yahoo accounts, but those attacks only resulted in the government being able to see what was accessed. This new attack on Apple is different though. Instead of just seeing what was accessed, the Chinese government is attempting to gain the username and password for individuals utilizing iCloud. It wasn’t the idea of a government hacking its own citizens that caught my attention; it was the fact that I am absolutely not at all surprised that China is doing this. What does surprise me is that this headline didn’t show up before now. I would have guessed China was trying to crack into the iCloud years ago. (I still suspect that this might be the case, and I doubt they are the only company involved in this kind of activity.)

If they are successful in their attack, it will give them access to people’s pictures, documents, messages, etc. It would be quite possible for the government to use this kind of information to build a case against an individual.

It could be a criminal who successfully launches an attack against a company who acquires personal information, or it could be a government. The bottom line here is that there really is no such thing as privacy anymore.



O’Toole, J. (2014). China Is Hacking Its Own Citizens' iCloud Accounts. Retrieved from http://money.cnn.com/2014/10/21/technology/security/china-icloud/index.html.


Saturday, October 18, 2014

Cash Payments

For some reason I had a hard time coming up with a topic for this week’s post. I figured if I just started typing, something would come to me eventually – and it finally did (I’ll spare you the rambling that got me to the final topic). Our assignments have focused on the restaurant chain of Harry and Mae’s and the breach they experienced in their payment processing system. Even though this is a fictional company, the situation could very well be real. I got to thinking about the protection of my information whenever I pay after eating in a restaurant. I generally tend to fall on the side of paranoid, which means I never pay with my debit card when the waitstaff takes the card from the table to go pay at a terminal. I just use my credit card or pay in cash in those situations because I refuse to let someone walk away with access to my checking account. However, I willingly hand over my debit card whenever I’m paying at the register. Because of our Harry and Mae’s case study, I’m starting to rethink this habit. Granted, the person behind the counter that I’m handing my card to isn’t going to have time to steal my information while I’m watching them, but I really don’t know what their payment processing system is like or how well protected my information is. Going forward I think I’m going to start using my credit card or cash in these instances as well. It’s not that I really want my credit card information taken, but with the ever-increasing number of breaches lately, I expect it is likely at some point. No loss of information is pleasant to deal with, but I really don’t want my checking account compromised along with everything else. This happened to a friend of mine, and it was months before she got everything straightened out. I just don’t have the patience to deal with that kind of a mess.

Saturday, October 11, 2014

Simon Says...

In one of the chapters assigned for this week’s reading assignment, our book talks about social engineering. I find this aspect of cyber security especially interesting - probably not surprising given the fact that I have a bachelor's in psychology. Naturally, this is a topic towards which I would gravitate. It’s also something I deal with every day at work. My company has very strict privacy rules regarding client information where we have to verify very specific pieces of information before we can provide any client account data. Sometimes just the fact that we ask for the information upsets people, even after we point out that this is to protect their information. They just like to complain that this is their account and they should be able to have their account information.

But what really surprises me is when other companies call for client account information, and argue with me that I should be able to talk to them about the account. For example, a client’s account is transferring to another company, and they call us to check the status of the transfer. We can provide limited information about the transfer: if it’s been received, if it’s in process, if it’s been completed, etc. If there is something wrong with the request such that we can’t process it, we ask the receiving company to instruct the client to call us. At least once a day one of these companies will start yelling that I should be able to provide this information to them. When this happens, I usually ask them if their company has rules regarding client privacy, and they always reply yes, but in this situation I should be able to give them what they’re asking for. They try various social engineering techniques, such as creating a sense of urgency, attempting to put themselves in a position of authority, anything to make me feel like I should give them this information. It’s frustrating, but it’s a factor in protecting client information.





Thursday, October 2, 2014

I think I might have learned something

I’ve decided to comment on my assignments for this week’s blog post. Last week was the initial design of the current system arrangement for Harry and Mae’s restaurants. Much of the assignment was similar to the analysis we had done for a previous class, but I feel like I understood the assignment so much better this time around. The purpose behind college and homework is to learn (obviously), but I’m starting to realize just how much I have learned. I’ve understood all along that there is a learning curve with every class as I’m introduced to new topics and processes; however, for the first time in the program the assignments are requiring the prior knowledge learned in the previous classes. Each of my classes prior to this term, while enjoyable and informative, were pretty independent of one another. Now they have begun to build on each other, which is interesting to me. I don’t mean just the assignments, but the way the past has informed my current classwork. I’m sure I would have been able to complete the assignments this week and last week if I hadn’t had the prior coursework, but it would have been much more difficult, if not overwhelming. Fortunately I had the previous work that I could reference to complete these assignments. I’m finally seeing the light at the end of the graduate work tunnel, and am happy to know that I have learned not only the subject matter, but how to incorporate that learning into my new projects.




Friday, September 26, 2014

New York agrees with me



During a discussion of cyber security, the superintendent for the New York Department of Financial Services (DFS), Benjamin Lawsky, said, “It is impossible to take it seriously enough” (Lopez & Friefeld). The importance of cyber security cannot be understated. Last week I posted specifically about the Home Depot breach, but there are so many more. Just yesterday, the Channel 7 news in Omaha had a story that Jimmy John’s experienced a breach. J.P. Morgan has also recently reported that they are investigating a potential breach. In fact, the DFS issued a report earlier in the year that the majority of financial institutions have experienced at least one attack in the last three years. Exact numbers were not provided in the article, but this still seems like a significant number of attacks. This doesn’t even include the number experienced by retailers.

In my post last week, I stated that it seems retailers are taking the required extra steps only AFTER an attack has occurred, instead of learning from others and taking steps now. Lawsky points out that lawmakers are in a position to enforce requirements, but I think any policies they put into place to address this specific topic would be too general or too outdated by the time the bills were approved. Technology tends to move faster than Congress (especially of late).

The article ends with Lawsky saying, “Once there is a major event, everyone suffers. We are going to pay for it either now or then” (Lopez & Friefeld). This is my belief to an extent, but I would suggest that it actually costs more to wait for something to happen. Aside from the expense of reviewing and upgrading the system to prevent a breach, the company would have to cover the cost of identity protection and any required reparations after a breach. In the long run it is cheaper to make changes now instead of waiting for shit to hit the fan and having people scrambling to resolve what should have been fixed initially. By focusing attention on the importance of cyber security now, Lawsky is positioning New York in a better position to protect the financial institutions.


Lopez, L. &  Friefeld, K. (2014). N.Y. Financial Regulator Says to Focus on Cyber Security. 




Saturday, September 20, 2014

Thoughts on Home Depot

CNN posted a short little article about the hack into Home Depot that has been recently reported in the news. This latest breach, involving over 56 million credit/debit cards, only serves to highlight the need for strong security measures. In addition to that, it also raises some questions. How did it happen? Why was it able to happen for such a long time? What’s going to happen in the future?

According to Home Depot, the breach resulted from “a custom strain its security team had never seen before.” Unfortunately, this is likely to be the future of these kinds of attacks. With changes in technology, and improved methods from the attacker community, this will also be a more common occurrence. Home Depot has said that they are seeking to increase their encryption and security methods, but why did it take a major hack to make those changes? Granted, I don’t know all the facts in the case yet, and it’s easy to judge, but does it really take a 56 million card loss to instigate changes? Target reported a breach of 40 million cards last year, and this should have been a wake-up call to any retailer. Instead, the attack was found on September 2, but is believed to have been around since April. This is a long time to be losing information.

There are some lessons that can be taken away from this. We shouldn’t rely on what is in place. Instead, it should be regularly reviewed, tested, and updated. Improvements are constantly made in regards to technology and this should also apply to our defenses. Anytime a client’s information is at risk, companies need to ensure it is protected. Having an effective security plan in place has got to be cheaper than supplying identity protection services for millions of cardholders.



Backman, M. (2014). Home Depot: 56 Million Cards Exposed in Breach.  Retrieved from http://

Saturday, September 13, 2014

Patience and Planning

I’m going to write about something that happened at work recently. I apologize for some of the generalities in this post, but I am not going to discuss any company-specific technologies in a public forum. In our cyber-security courses we learn about Confidentiality, Integrity, and Availability being the cornerstones for protecting information. This also applies to new systems in development. My company prides itself on our technology and often uses it as an incentive when we are inviting new agents to join us. While our agents do think about the Confidentiality and Integrity legs of the triangle, their primary concern is Availability.

A new program was recently implemented that completely replaced one of the primary services we provide to our agents. Testing had been done to ensure it worked as designed; however, it couldn’t talk to the agent-facing system that is used to view the service. The new program was security tested, and passed. Information remained secure, but the Availability failed once the program went live. Because of this the entire Information Security team had to give up their weekend so they could find the problem, fix it, and test it by Monday morning.

In my opinion, this comes down to planning and patience. I saw this happen at my previous employer, but never on the scale of what happened at my current company. Management was excited about the new program, and rushed to put it in place. Once it passed initial testing, it should have gone through a secondary phase of a limited rollout to test it in the live environment. This wasn’t done, and resulted in a pretty big failure. Planning and patience could have avoided this.



Sunday, September 7, 2014

Websites for managing threats and vulnerabilities

Establishing a list of reliable sources for threats and vulnerabilities is important for managing them. Below is a list of the sites I like best with a little bit of a description and why I like them. I’ve also included a link to each one so that you can also visit the site and give me your thoughts.

The National Vulnerability Database (NVD) is a government-sponsored database for vulnerability management. They provide links to additional websites dedicated to threat and vulnerability management. Having these additional links all in one place is easy.

I especially like the link the NVD provides to The National Checklist Program. These lists provide guidance for setting up security configurations to defeat known threats.

Common Vulnerabilities and Exposures provides information about known vulnerabilities and exposures. This is helpful for the use of vulnerability management, patch management, alerting, and intrusion detection.

Symantec has two pages that I like for current threats and vulnerabilities. First is their Threats page, which lists the name, severity, height, and discovery date. Each threat name has a link that provides additional information about it.

Symantec’s vulnerabilities page lists the name of the threat, its severity, and the date discovered. Each name is hyperlinked to a description page that details the problem, and provides recommendations.














Saturday, August 30, 2014

A New Introduction

This is my blog. There are many blogs like it, but this blog is mine. The bulk of my posts will focus on issues surrounding cybersecurity. Dull? Not likely. In an effort to make these posts more interesting, I am going to attempt to link each security-related entry to something in pop culture. How am I going to do this? I'm not exactly sure yet, but it should be fun to try. Please read along with me and let me know what you think.