CSOL-500-Foundations of Cyber Security, Summer 2018
Cyber Security Fundamentals
I was introduced to the notion of Security Policy and to the reasons for making it part of the overall security strategy through CSOL-500-Foundations of Cyber Security during Summer 2018 with professor Roxanne M Morrison. Several other subjects or artifacts will be introduced, such as Threats and Vulnerabilities, Policy, Encryption, Reference Monitor, OSI Models, Topology, Network Scanning, Intrusion Detection, Incident Response, and Privacy Goals.
As part of this discussion, I will be commenting on two that I believe are at the core of cybersecurity: Threats & Vulnerabilities and Policy. While the learning process involved doing our own research, we used three books to expand our core understanding:
Bosworth, Seymour, M.E. Kabay, and Eric Whyne. Computer Security Handbook. 6th ed. Wiley, 2014. Print.
Schneier, Bruce. Secrets and Lies. Wiley, 2004.
Jackson, Gary. Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security.
A policy is central to information security because it governs how an organization's information is to be protected against security breaches. It is difficult, if not impossible, to talk about security without a reference document or model that everyone must observe, one applied across the board regardless of who the person is in the organization. Furthermore, a policy plays a critical role during an incident.
A lack of policy makes it a headache for an organization to navigate the requests coming from authorities and other entities. When a security policy is in place, it is much easier to determine what went wrong, who failed the system, how to respond to specific inquiries, and what remedies to implement to improve the system. With no policy in place, a business not only risks damage to its image but will also surely suffer consequences from the authorities.
Enforcing policy is a duty performed mostly by human resources personnel, who first educate employees during the on-boarding process about security policies and the consequences of not following them. Even after hiring, both new and existing employees should receive proper training devoted to company policy.
Each of us certainly remembers that employees wear badges; even CEOs do. The reason is evident: security, and wearing a badge is part of company policy. With a badge policy, an employee is effectively required to obtain a badge and present it at the building entrance, and if there is a major incident, it is easy to track people through the security logs.
Another example is a policy that forbids using the corporate network to download illegal material from the Internet. If there is no policy in place, employees may be tempted to engage in this activity since nothing prohibits it. The consequences for the business can be huge: lawsuits, fines, malware, and viruses. So, policy is very important to achieving the goal of information security; it saves lives, money, and reputation.
To better understand policy, it is always good to compare and contrast it with some similar and often confused terms: Control, Standard, and Procedure. We have already discussed policy; here, I will comment on the remaining terms for a good understanding.
A control, as Bosworth, Kabay, and Whyne (2014) note, is a mechanism, usually part of a policy, that provides a practical way of accomplishing a given rule in the policy. As an example, a company policy is that each employee must wear a badge to be allowed access to the company premises. But how does one wear it? Around the neck, on the belt, or in a pocket? That is where control measures can add an entry to the policy stating that the badge must be visible so security personnel can see it.
A standard is a set of actions expected from members of a group to support the company policy. When a policy is in place, standards need to follow to give direction to that policy. A standard can be, for example, not letting anyone, including a colleague, enter the building by holding the door open for them, a practice called piggybacking. Standards can change easily, while policy is built to last.
A procedure, in a nutshell, is the set of steps one follows to comply with a policy. If the company policy is that each employee must wear a badge, the procedure will be, for example, to reach out to security personnel, have a picture taken, wear the badge in a certain way so it is visible to all, and contact security personnel if the badge is lost or left at home. We can have a policy of wearing a badge, but if there is no procedure, the policy is useless.
Threats and Vulnerabilities
When talking about cybersecurity, there is no way to exclude threats and vulnerabilities from the discussion. A threat is a malicious attempt to damage or disrupt a computer network or system, mostly by an actor or adversary. It might be identified by the damage being done, what is being stolen, or the Tactics, Techniques, and Procedures (TTPs) being used. Vulnerability assessment is the analysis of the security of a system to detect weaknesses, using the information gathered to provide or suggest remedies.
If there were no threats to information, no one would bother trying to fix something that is not broken, and by the same token, we would not be checking for vulnerabilities since there would be no threats to worry about in the first place. Penetration testing is one way to check for vulnerabilities in a system in order to mitigate security risks. Threat evaluation and vulnerability assessment are part of an organization's routines to ensure a proactive approach: detecting security issues early on and addressing them before they have a chance to cause damage.
Threats & Vulnerabilities, along with Policy, are very important cybersecurity artifacts. A business needs to worry about threats and do something about them, and part of the action to be taken must involve vulnerability assessment and a policy that is followed by all the actors of the organization: employees, contractors, partners, and any other entities that interact with the company in some way. The reason is that security is not a one-person obligation. With so many threats a business faces every day, there is no time for rest. As suggested by Secureworks (2017), the following is a shortlist of threats businesses need to worry about:
1. Network traveling worms
2. Advanced Persistent Threats
7. Distributed Denial of Service (DDoS)
8. Wiper Attacks
9. Intellectual Property Theft
10. Theft of Money
11. Data Manipulation
12. Data Destruction
14. Man in the Middle (MITM)
15. Drive-By Downloads
17. Rogue Software
18. Unpatched Software
The above list appears long, but it is not exhaustive. The security of an organization's information is classified under three categories of impact to data called the CIA Triad: Confidentiality, Integrity, and Availability.
Deeper into Threats and Vulnerabilities
A Distributed Denial of Service (DDoS) attack is classified under the Availability category. An adversary uses multiple compromised information systems to attack a single target, causing denial of service for users of the targeted information systems. According to Pierluigi Paganini (2016), a distributed denial of service attack was sustained by DynDNS on Oct 21, 2016. The result was an extended Internet outage affecting websites such as Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify. The underlying method was that DynDNS was flooded by a devastating wave of frequent requests originating from millions of Internet of Things (IoT) devices compromised by the Mirai malware. The Dyn company reported that a huge army of hijacked Internet of Things devices had been abused by attackers to power the massive DDoS attack.
In the above case, the threat is the ever-growing presence of IoT devices that lack proper security and can easily be enlisted into botnets for attackers' exploitation. The vulnerability is the error of ignoring this reality and, therefore, neglecting to take preventive measures against potential attacks. Anything we try to protect ourselves against is defined as a threat, while vulnerabilities are weaknesses in our setup.
Phishing is an adversary's attempt to acquire sensitive information such as usernames, passwords, or Social Security Numbers (SSNs) by pretending to be a communication from a legitimate or trustworthy source. Typical attacks occur via email, instant messaging, or comparable means, commonly directing users to Web sites that appear legitimate while stealing the information entered.
Ubiquiti Networks was victimized in what appeared to be a social engineering or phishing attack, which led to a transfer of $39 million to the attackers. According to Brian Honan (2015), the incident took place in 2015, and the company became aware of it on June 5th, 2015. In this incident, criminals were able to impersonate the email address of a Company executive of one of its subsidiaries in Hong Kong. According to the filing, the incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.
Even though some of the money was recovered, this incident highlights the threats we face every day as we rely more and more on email with little apparent attention to security.
The vulnerability, in this case, was that the company's internal control over financial reporting was ineffective due to material weaknesses. The interesting part is that Ubiquiti is not alone in these types of incidents. In its warning, the FBI states that there were 2,126 victims of this type of fraud in 2013, with 1,198 in the United States and losses totaling up to $214,972,503.
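As an added illustration of how the executive-impersonation pattern in the Ubiquiti case can be caught before a transfer is approved, the following check looks at the sender headers of a message for the hallmarks of this fraud. This is example code written for this page, not from Honan's article or any filing; every executive name, domain and message in it is constructed.

```python
"""Flag e-mail headers with the hallmarks of executive impersonation fraud.
Added illustrative example; the executive names, domains and messages below
are constructed, not taken from the Ubiquiti incident or any real filing."""
from difflib import SequenceMatcher
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com", "example-corp.hk"}           # constructed
EXECUTIVES = {"alice chen": "alice.chen@example-corp.hk"}            # constructed
FINANCE_WORDS = ("wire transfer", "urgent payment", "bank details")

def domain_of(address):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def is_lookalike(domain, trusted):
    """True when domain closely resembles a trusted one without being it."""
    return any(domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.85
               for t in trusted)

def assess(msg, trusted=TRUSTED_DOMAINS, executives=EXECUTIVES):
    """Return the list of impersonation indicators found in a message dict."""
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    sender_dom, findings = domain_of(addr), []
    exec_addr = executives.get(name.strip().lower())
    # 1. Display name of a known executive on an address that is not theirs.
    if exec_addr and addr.lower() != exec_addr:
        findings.append("executive display-name impersonation")
    # 2. Sender domain that imitates ours (swapped, dropped or similar letter).
    if sender_dom and sender_dom not in trusted and is_lookalike(sender_dom, trusted):
        findings.append("lookalike sender domain")
    # 3. Replies silently routed to a domain other than the sender's.
    if reply and domain_of(reply) != sender_dom:
        findings.append("reply-to domain mismatch")
    # 4. Payment language that turns impersonation into a money-moving request.
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    if findings and any(w in text for w in FINANCE_WORDS):
        findings.append("finance request from suspicious sender")
    return findings

# Constructed sample messages: a forged executive request and a genuine one.
FORGED = {"From": "Alice Chen <alice.chen@exampIe-corp.hk>",   # capital I for l
          "Reply-To": "alice.chen@mail-relay.example.net",
          "Subject": "Urgent payment - wire transfer today", "Body": "Send bank details."}
GENUINE = {"From": "Alice Chen <alice.chen@example-corp.hk>",
           "Subject": "Q3 budget review", "Body": "See attached."}

if __name__ == "__main__":
    print(assess(FORGED))   # all four indicators
    print(assess(GENUINE))  # []
```

In practice such a check belongs in the mail gateway or a finance-team mailbox rule, with any hit routed to an out-of-band call-back procedure before funds move.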
Studying Policy along with Threats and Vulnerabilities has brought me new professional insight and ethical reasoning I did not possess. Without going through these subjects, I would not be aware that a business must have a security policy in place to address cyber threats. I have also come to realize that not addressing vulnerabilities on time is an ethical failure from a management standpoint, as it may lead to huge cybersecurity incidents.
I chose to comment on policy because I consider this requirement the foundation of a successful cybersecurity strategy. A business cannot brand itself as having implemented security if there is no policy. An organization cannot secure its information if there are no security controls, and those are supposed to be spelled out in a security policy. The security policy is the company's declaration conveying a clear message to all insiders and outsiders that it takes security seriously, and here is the document to prove it.
I also chose to comment on threats and vulnerabilities not only to define these sometimes confusing terms but also to use them as an example of bringing cybersecurity into mainstream comprehension before digging further into other areas. Threats and vulnerabilities cannot be excluded from the cybersecurity conversation. With no threats and vulnerabilities, there would be no need to talk about cybersecurity. Threats convey risks, while vulnerabilities convey weaknesses of a system. So, this area of the cybersecurity field is vital, as it plays a foundational role in the whole security paradigm.
Going through this course has proved motivational, especially as it was my first course in the curriculum. Penetration testing, risk and vulnerability assessment, and many other subjects were all part of the new learning that has changed me professionally. They instilled in me the ethical values so needed for a cyber professional.
Furthermore, interacting in discussion forums with people who share the same passion was a very rewarding experience, both professionally and ethically. This interaction forces us to take into consideration the input of others, and ethically it shapes the mind, recognizing that cyber professionals must act ethically in the face of a new profession that is still finding its footing.
Cybersecurity is not that old a science compared to other fields, and many standards, laws, and regulations are still to be implemented. This work-in-progress status, unfortunately, can lead bad actors to take advantage of the vacuum. This is all the more reason cyber professionals have the highest obligation to act ethically and not to exacerbate things. On the contrary, they should engage in a professional practice that translates into due diligence to protect information. And this course has certainly helped me in that direction.
Honan, B. (2015, August 6). Ubiquiti Networks victim of $39 million social engineering attack. Retrieved from the CSO website.