Wednesday, May 27, 2015

I'm Finished!



Today, I read something that troubled me. What I read was another blog post about the author's lack of faith and confidence in the ability of students graduating with a Master in Science in Cybersecurity to secure a network. I can't speak for the individual who wrote that post; however, what I can tell you is that I have had a completely different experience than that individual. Much of what I have learned throughout my journey to earning an MS in Cybersecurity can be attributed to the experiences and knowledge shared by other students. I am confident that my fellow students have the knowledge and expertise to be valuable assets to the cybersecurity community. By working together, not as individuals, I believe we can all make a difference.

Okay, I will step off my soapbox and continue on with something more important. This week marks the end of my journey towards earning a Master in Science in Cybersecurity degree. It has been a long and hard journey since I started. Long because of the many nights and weekends I spent in my basement office working on course assignments each week, and hard because of all the time I had to devote to the assignments in lieu of my family. So what was the hardest part about earning the degree? It was time management. As if work and family are not enough to fill a person's schedule, I had to complicate it more by carving out time to complete course assignments and to study. The best advice I can give to someone else who is thinking about continuing their education or has just started a degree program is to stick with it once you start it. All the time and hard work devoted to it will pay off in the end.

I can't give myself all the credit, though. I couldn't have done this without the help of some important people in my life. I would like to thank my parents for the support and encouragement they have given me throughout the years. I would also like to thank my mother- and father-in-law for all the time they spent watching my children so that I could work on my assignments as soon as I came home from work every day. I want to thank my two daughters for understanding why I missed all of those important events so I could "work on my school work in the basement." Last, I want to thank my wife. She has sacrificed so much just so I could have the time I needed to work on my assignments. I couldn't have done it without you.

This may seem like the end, but it is not. As I mentioned twelve weeks ago, I plan on adding to this blog as I continue my education and career. So don't stop visiting my blog. Stay tuned for more posts about information security and what you can do to protect yourself and others from becoming a victim of a cybercrime.

Friday, May 15, 2015

What’s So Hard About Creating an Action Plan? (Week 10)

For the last two weeks I have been creating an action plan that specifies the controls I recommended to manage the risk associated with the threats identified from the threat analysis previously completed. One thing that troubled me while completing the action plan was determining which threats to address. In short, should I identify a control to transfer, mitigate, or eliminate every threat, or should I pick and choose the threats I feel should be mitigated? After much thought, I decided that since I was tasked with determining the cause of a recent data breach and preventing it from occurring again, it was not my place to pick and choose the controls to present to the senior management. Instead, I decided I would present all of the controls and let the senior management determine which ones to implement.

Finally, I had a resolution to my initial problem. However, after reviewing my final product I felt as if it presented "the sky is falling" kind of assessment. That is definitely not what I was trying to accomplish. I simply wanted to make the management aware of all the potential security issues found with the organization's network. How in the world was I going to be able to achieve senior management buy-in and get them to implement some or all of the controls developed to fix the critical vulnerabilities?

After some more critical thinking and one sleepless night I developed a course of action that I would employ in order to achieve senior management buy-in without making them feel as if the sky was falling. The first thing I would do is show the senior managers the level of risk assigned to each threat. It would be recommended that threats with a higher level of risk should be addressed prior to threats with a lower risk rating. The second method that could be used to achieve senior management buy-in is to present each threat with a cost-benefit analysis. The cost-benefit analysis can be used to compare the cost of implementing a recommended control with the cost associated with responding to and recovering from an incident caused by a threat. If the cost to implement a control is less than the cost of an unwanted incident, then it only makes sense to opt to implement the recommended control. The last option I thought of is something I learned in one of my previous classes. It is called a la carte pricing. Basically, recommended controls are represented as options to select from. For example, Option A is to transfer the risk and costs $1,000. Option B is to accept the risk and costs $2,000. Option C is to mitigate the risk and costs $500. I wonder which option the senior management would choose if presented with the aforementioned options? I know the one I would probably choose.

Sunday, May 10, 2015

To Share or Not To Share, That is the Question (Week 9)



Last week I had an interesting conversation with another student in my class about sharing information in the cybersecurity field, which led me to think about how cybersecurity information is shared. If you really think about it, there is a lot of information out there that suggests we are sharing information. The only downside to the plethora of information that exists is that it makes it difficult to learn about new and emerging threats as they are discovered because they are spread across many resources. Sure, we can spend our days searching and reading through resources, but who has time to do that? Wouldn't it be great if there was a one-stop shop where we could all go to learn and share information about new and emerging cybersecurity threats?

Apparently I am not the only one who has thought about this. Efforts within our government are under way to develop and enact a cybersecurity bill that calls for the creation of a system for sharing cybersecurity information as it is discovered between public and private entities. The proposed bill is called the Cybersecurity Information Sharing Act and is very close to being enacted. Finally, a one-stop shop for us to utilize to learn about new and emerging cybersecurity threats before we learn about them the hard way: when they strike our organization.

Unfortunately, there is one major concern with the proposed bill.  That major concern is privacy.  Some believe the bill will jeopardize our right to privacy since the information sharing system would open a backdoor for companies to legally share their users’ private data (Greenberg, 2015).  This is a major concern we are all too familiar with after the big fiasco with the NSA breaking privacy rules in the past.  Do we really want to go through something like that again?

In order to defend against cyber threats we are going to have to figure out how to share cyber threat information and intelligence without jeopardizing people's right to privacy. The Cybersecurity Information Sharing Act seems to be heading in the right direction, but in its current state may threaten our right to privacy. Hopefully revisions to the bill will be made before it is enacted and then we can use it to help us fight the battle against cybercrime without infringing on our privacy.

References

Greenberg, A. (2015, April 22). House passes cybersecurity bill despite privacy protests. Retrieved May 10, 2015, from http://www.wired.com/2015/04/house-passes-cybersecurity-bill-despite-privacy-protests/

Thursday, April 30, 2015

Another Layer of Protection: Thank-you Google (Week 8)

In one of my previous posts I talked about phishing attacks and measures you can practice to prevent yourself from becoming a victim of one. The fact is, phishing attacks are continuing to increase in frequency and attackers are creating phishing attacks to appear more credible, which is making it more difficult for users to protect themselves. Sure, you can continue to implement controls such as never providing private information when solicited in an email and checking email carefully before opening it or its attachments, but the reality is, you can only do so much before you are finally outwitted by a clever attacker. So wouldn't it be great to have another layer of protection that is designed and implemented to watch over your actions and help prevent you from being outwitted by a clever attacker?

The good news is Google has created that extra layer of protection to help protect their users from phishing attacks. The bad news is that extra layer of protection is only offered to Google users. At this time you may be asking yourself, what is this extra layer of protection that Google has developed and implemented to help protect their users from phishing attacks? That's a great question.

Google calls their new layer of protection "Password Alert". It is a free open-source Chrome extension that Google users can elect to install that protects them from phishing attacks and encourages them to use different passwords for different sites. This is how it works. After it is installed, users activate the feature by entering their password into accounts.google.com. The Password Alert application then stores the password as a secure thumbnail. It will then use the thumbnail to compare to your recent keystrokes within Chrome when you attempt to log in to a website. If you attempt to enter your Google password on a site that does not have Google sign-in, Password Alert will alert you that you have just exposed your password to a site that is not related to Google and recommend that you change your Google password as soon as possible. Users using the Password Alert application that attempt to use their Google password on a site that does not have Google sign-in will see the following alert:


This new security feature may seem like a minor addition to the other layers of security, and it may be when compared to other security features such as two-factor authentication. The important thing to take away from this is that this little addition to the existing layers of security is a security feature to protect Google users from phishing attacks. Security features like this have been virtually nonexistent until now. This will hopefully move other websites to develop and add a security feature like Google's Password Alert to help protect their users from phishing attacks.
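The thumbnail-and-keystroke comparison described above can be sketched as follows. This is an added example, not Google's code: the keyed SHA-256 hash, the 5-byte truncation, the stored password length and the class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import deque

TRUSTED_HOSTS = {"accounts.google.com"}  # sign-in page named in the post
THUMBNAIL_BYTES = 5  # assumption: a short digest cannot confirm one exact password


class PasswordReuseDetector:
    def __init__(self, salt=None):
        self.salt = salt or os.urandom(16)  # per-install random salt
        self.thumbnail = None               # truncated keyed hash, never the password
        self.length = 0
        self.recent = deque()
        self.last_host = None

    def _thumb(self, text):
        digest = hmac.new(self.salt, text.encode("utf-8"), hashlib.sha256).digest()
        return digest[:THUMBNAIL_BYTES]

    def enroll(self, password, host):
        """Learn the thumbnail only from the trusted sign-in page."""
        if host not in TRUSTED_HOSTS or not password:
            return False
        self.thumbnail = self._thumb(password)
        self.length = len(password)
        self.recent = deque(maxlen=self.length)  # keep only the last N keystrokes
        return True

    def keypress(self, char, host):
        """Return True when the latest keystrokes on an untrusted host match."""
        if self.thumbnail is None or host in TRUSTED_HOSTS:
            self.recent.clear()
            return False
        if host != self.last_host:  # never join keystrokes across sites
            self.recent.clear()
            self.last_host = host
        self.recent.append(char)
        if len(self.recent) < self.length:
            return False
        candidate = self._thumb("".join(self.recent))
        return hmac.compare_digest(candidate, self.thumbnail)


def type_text(detector, text, host):
    """Feed text one keystroke at a time; True if any keystroke raised an alert."""
    return any([detector.keypress(c, host) for c in text])
```

Because only the salted, truncated digest is kept, a copy of the extension's stored state does not hand over the password itself.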

References

Protect your Google account with password alert. (2015, April 29). Retrieved April 30, 2015, from http://googleblog.blogspot.com/2015/04/protect-your-google-account-with.html

Sunday, April 26, 2015

STRIDE and DREAD (Week 7)

I have used a few different methods and procedures for identifying threats and determining risk over the years.  However, I have never used the STRIDE model for identifying threats and the DREAD model for determining risk, that is, until this week.

Throughout this week I have been using both models to identify threats and determine risk for an assignment in my final class, Current Trends in Cybersecurity. What I quickly discovered about the two models is they are not methods used just for identifying threats and determining risk in applications and software. They can also be used to identify threats and determine risk for just about anything related to information security. A quick explanation of each model will help you understand what I am talking about.

The STRIDE model is an acronym used to help remember the following threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Each threat corresponds to a security property that information security professionals try to achieve: authentication, integrity, non-repudiation, confidentiality, availability, and authorization. The table below shows each STRIDE threat and its corresponding security property.

| Threat | Security Property |
|---|---|
| Spoofing | Authentication |
| Tampering | Integrity |
| Repudiation | Non-repudiation |
| Information Disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of Privilege | Authorization |

The DREAD model is an acronym used to help remember the categories for measuring and prioritizing risk created by identified threats. The categories that compose the DREAD acronym are: damage potential, reproducibility, exploitability, affected users, and discoverability. The table below explains what each category analyzes:

| Category | Explanation |
|---|---|
| Damage Potential | How much damage can the threat cause? |
| Reproducibility | Can the threat be reproduced easily? |
| Exploitability | What is the level of knowledge and experience needed? |
| Affected Users | How many users will be affected? |
| Discoverability | Can the threat be easily discovered? |

A numerical value can be assigned to each category to assist with determining the overall risk level. For example, for my assignment this week I used 1 through 3 with 1 representing low, 2 representing medium, and 3 representing high. Then, I added each category up to determine the overall risk level. So, a threat assigned the following: D=1, R=2, E=2, A=3, D=1 would have an overall risk level of 9.

Remember I said I quickly learned that the STRIDE and DREAD models can both be used for applications other than application and software security. I used both models to analyze and determine the threats and risks for an entire network. However, after using both models I think they can be used to analyze threats and risk for just about anything security related, such as threats and risk associated with physical security.
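The two tables and the 1-to-3 scoring above, combined into a small threat register that is ranked highest risk first. This is an added example, not code from the coursework: the sample threats are constructed, and breaking ties by damage potential is an assumption.

```python
from dataclasses import dataclass

# STRIDE threat -> security property it violates (table from the post)
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride}")
        for name in DREAD_FIELDS:
            if getattr(self, name) not in (1, 2, 3):
                raise ValueError(f"{name} must be 1 (low), 2 (medium) or 3 (high)")

    @property
    def risk(self):
        # Sum of the five categories, so totals range from 5 to 15
        return sum(getattr(self, name) for name in DREAD_FIELDS)


def prioritize(threats):
    """Highest total first; ties go to higher damage potential (assumption)."""
    ranked = sorted(threats, key=lambda t: (-t.risk, -t.damage, t.name))
    return [(t.risk, t.name, STRIDE[t.stride]) for t in ranked]


# Constructed sample register for a small network (not from the post)
REGISTER = [
    Threat("Shared admin account hides who changed firewall rules",
           "Repudiation", 2, 3, 2, 1, 2),
    Threat("Unpatched file server exposes customer records",
           "Information Disclosure", 3, 2, 2, 3, 2),
    Threat("Single internet uplink with no failover",
           "Denial of Service", 2, 2, 3, 3, 2),
    Threat("Scores from the post's example", "Spoofing", 1, 2, 2, 3, 1),
]
```

Calling `prioritize(REGISTER)` returns one `(risk, name, security property)` row per threat, ready to be shown in order of priority.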