Thursday, April 30, 2015

Another Layer of Protection: Thank-you Google (Week 8)

In one of my previous posts I talked about phishing attacks and measures you can practice to avoid becoming a victim of one.  The fact is, phishing attacks continue to increase in frequency, and attackers are crafting them to appear more credible, which makes it more difficult for users to protect themselves.  Sure, you can continue to follow controls such as never providing private information when an email solicits it and examining an email carefully before opening it or its attachments, but the reality is, you can only do so much before you are finally outwitted by a clever attacker.  So wouldn’t it be great to have another layer of protection that is designed and implemented to watch over your actions and help prevent you from being outwitted by a clever attacker?

The good news is Google has created that extra layer of protection to help protect their users from phishing attacks.  The bad news is that extra layer of protection is only offered to Google users.  At this time you may be asking yourself what this extra layer of protection is that Google has developed and implemented to help protect their users from phishing attacks.  That’s a great question.

Google calls their new layer of protection “Password Alert”.  It is a free, open-source Chrome extension that Google users can elect to install; it protects them from phishing attacks and encourages them to use different passwords for different sites.  This is how it works.  After it is installed, users activate the feature by entering their password into accounts.google.com.  Password Alert then stores the password as a secure thumbnail rather than as the password itself.  It then compares your recent keystrokes within Chrome against that thumbnail when you attempt to log in to a website.  If you enter your Google password on a site that does not have Google sign-in, Password Alert warns you that you have just exposed your password to a site that is not related to Google and recommends that you change your Google password as soon as possible.  Users of the Password Alert extension who attempt to use their Google password on a site that does not have Google sign-in will see the following alert:


This new security feature may seem like a minor addition to the other layers of security, and it may be when compared to security features such as two-factor authentication.  The important thing to take away is that this little addition to the existing layers of security is a feature built specifically to protect Google users from phishing attacks.  Security features like this have been virtually nonexistent until now.  This will hopefully move other websites to develop and add a security feature like Google’s Password Alert to help protect their users from phishing attacks.

References

Protect your Google account with password alert. (2015, April 29). Retrieved April 30, 2015, from http://googleblog.blogspot.com/2015/04/protect-your-google-account-with.html

Sunday, April 26, 2015

STRIDE and DREAD (Week 7)

I have used a few different methods and procedures for identifying threats and determining risk over the years.  However, I have never used the STRIDE model for identifying threats and the DREAD model for determining risk, that is, until this week.

Throughout this week I have been using both models to identify threats and determine risk for an assignment in my final class, Current Trends in Cybersecurity.  What I quickly discovered about the two models is they are not methods used just for identifying threats and determining risk in applications and software.  They can also be used to identify threats and determine risk for just about anything related to information security.  A quick explanation of each model will help you understand what I am talking about.
The STRIDE model is an acronym used to help remember the following threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.  Each threat corresponds to a security property that information security professionals try to achieve, namely authentication, integrity, non-repudiation, confidentiality, availability, and authorization.  The table below shows each STRIDE threat and its corresponding security property.
Threat                   Security Property
Spoofing                 Authentication
Tampering                Integrity
Repudiation              Non-repudiation
Information Disclosure   Confidentiality
Denial of Service        Availability
Elevation of Privilege   Authorization

The DREAD model is an acronym used to help remember the categories for measuring and prioritizing the risk created by identified threats.  The categories that compose the DREAD acronym are: damage potential, reproducibility, exploitability, affected users, and discoverability.  The table below explains what each category analyzes:
Category            Explanation
Damage Potential    How much damage can the threat cause?
Reproducibility     Can the threat be reproduced easily?
Exploitability      What level of knowledge and experience is needed?
Affected Users      How many users will be affected?
Discoverability     Can the threat be easily discovered?

A numerical value can be assigned to each category to assist with determining the overall risk level.  For example, for my assignment this week I used 1 through 3 with 1 representing low, 2 representing medium, and 3 representing high.  Then, I added each category up to determine the overall risk level.  So, a threat assigned the following: D=1, R=2, E=2, A=3, D=1 would have an overall risk level of 9.
Remember, I said I quickly learned that the STRIDE and DREAD models can both be used for purposes other than application and software security.  I used both models to analyze and determine the threats and risks for an entire network.  However, after using both models I think they can be used to analyze threats and risk for just about anything security related, such as the threats and risk associated with physical security.
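As an added example (not from the post), the following code applies the post’s 1-to-3 DREAD scale to a constructed list of network threats, rejects ratings outside the scale, ranks the threats, and reports the STRIDE security property each one puts at stake.  The sample threats and the low/medium/high bands for the 5-to-15 total are assumptions for illustration; the first sample threat reproduces the post’s worked example, which totals 9.

```javascript
// STRIDE threat -> security property, as in the post's table.
const STRIDE_PROPERTY = {
  spoofing: 'authentication',
  tampering: 'integrity',
  repudiation: 'non-repudiation',
  'information disclosure': 'confidentiality',
  'denial of service': 'availability',
  'elevation of privilege': 'authorization',
};
const DREAD_KEYS = ['damage', 'reproducibility', 'exploitability', 'affectedUsers', 'discoverability'];

// Sum the five DREAD ratings on the post's 1..3 scale (1 low, 2 medium, 3 high);
// anything outside the scale is rejected rather than silently skewing the total.
function dreadScore(ratings) {
  return DREAD_KEYS.reduce((sum, key) => {
    const v = ratings[key];
    if (!Number.isInteger(v) || v < 1 || v > 3) {
      throw new RangeError(`${key} must be an integer from 1 to 3, got ${v}`);
    }
    return sum + v;
  }, 0);
}

// Bands for the 5..15 total; these cut-offs are an assumption, not from the post.
function riskLabel(score) {
  if (score <= 8) return 'low';
  if (score <= 11) return 'medium';
  return 'high';
}

// Score every threat and return them highest risk first, with the property at stake.
function rankThreats(threats) {
  return threats
    .map((t) => {
      const score = dreadScore(t.dread);
      return { name: t.name, property: STRIDE_PROPERTY[t.stride], score, label: riskLabel(score) };
    })
    .sort((a, b) => b.score - a.score);
}

// Constructed sample threats for a small network; the first reproduces the post's example (1,2,2,3,1 = 9).
const SAMPLE_THREATS = [
  { name: 'Forged login to the VPN gateway', stride: 'spoofing',
    dread: { damage: 1, reproducibility: 2, exploitability: 2, affectedUsers: 3, discoverability: 1 } },
  { name: 'Unauthorised config change on the core switch', stride: 'tampering',
    dread: { damage: 3, reproducibility: 3, exploitability: 2, affectedUsers: 3, discoverability: 2 } },
  { name: 'Flooding the internal DNS resolver', stride: 'denial of service',
    dread: { damage: 2, reproducibility: 3, exploitability: 1, affectedUsers: 3, discoverability: 3 } },
];
```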

Thursday, April 16, 2015

Cybersecurity Internet Resources Take 2 (Week 6)

In my previous post titled “Cybersecurity Internet Resources”, I identified credible web sources of information for threats, vulnerabilities, updates, and security news in general.  In this week’s post I am going to reevaluate the list of provided web sources to determine if I use those web sources regularly to assist me with my assignments or if there are any other sources I can add to the list.

Below is a list of the web sources provided in my previous post:
  • National Vulnerability Database
  • Common Vulnerabilities and Exposures – Official Site
  • CVE Details
  • Internet Storm Center
  • The Honeynet Project
  • McAfee’s Threat Center
  • Symantec Security Response
  • Information Week’s Dark Reading
  • Schneier on Security
  • Bellevue University’s Cybersecurity Center
What I have found is I like every site and visit each often; however, I do visit some more than others and use five of them extensively to assist me with my cybersecurity studies.  The five sites I find myself visiting and using more than the others are:
  • National Vulnerability Database
  • Common Vulnerabilities and Exposures – Official Site
  • CVE Details
  • Information Week’s Dark Reading
  • McAfee’s Threat Center
The first three web sources are great for researching and discovering system vulnerabilities.  The last two sources are good for staying current and learning about discovered vulnerabilities, but they are also good sources to use for learning about current and emerging threats.

It is difficult to determine whether one or more of the initial web sources should be removed from the list just because I do not use it extensively for my research purposes.  All of them have been used at some point over the past three years to help me obtain more information about a cybersecurity related topic.  Therefore, I have elected to keep the list as is.  The list can serve as a guide for others to build their own web source library.  Feel free to pick and choose the ones that will work best for you.

There is one web resource I feel should be added to my initial list.  It is a source I can always turn to when I have exhausted my list of sources when trying to obtain information about a topic related to cybersecurity.  That one source I can always count on is Google.
Google always produces other sources that may have something or may lead you to another source containing the information you’re looking for.  Just be sure to verify the discovered information before using it to assist you with whatever you are doing.

Sunday, April 12, 2015

Fighting Against Cyber Threats: Another Step in the Right Direction (Week 5)

For years cyber threats have been able to conduct attacks against the citizens and organizations of the United States with little to no consequences for their criminal acts.  As the attacks keep increasing in frequency and sophistication, all U.S. citizens and companies can do is develop and implement a good cyber defense.  Despite their efforts, cyber threats continue to persist and can be quite lucrative when they are successful.

On April 1st of this year the U.S. government decided to take a more active approach in the fight against cyber threats by creating a tool that can be used to strike back against the individuals and entities conducting cyberattacks.  This new tool that will be used to fight cyber threats is an Executive Order.

So what does this new Executive Order do to help U.S. citizens and companies fight against cyber threats?  The Executive Order really does not give U.S. citizens or companies any power to fight against cyber threats.  On the other hand, it gives the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, the authority to impose sanctions on individuals and entities that have been determined to be responsible for or aided in committing cyberattacks against U.S. government agencies, organizations, and/or citizens (Daniel, 2015).

Many will inevitably question the ability of the Executive Order to make an impact on cyber threats.  It is probably safe to assume that challengers of the order will have strong evidence to support their position and opinions.  However, they are not seeing the big picture.  The main point to take away from the issuing of this Executive Order is that the U.S. government is and will continue to actively pursue new avenues to fight cyber threats.  Issuing this Executive Order gives the U.S. government another tool to make it more difficult for cyber threats to commit and profit from their cyberattacks.

The inclusion of the Executive Order into the existing tools at the government’s disposal to fight back against cyber threats does not mean we should all sit back and let the U.S. government do all the work.  We still have to do our part.  This means we, individuals and organizations, still have to ensure we maintain and continue to improve our defenses.  It also means that we have to become better at identifying, investigating, and reporting cyberattacks so that information can be relayed and used to assist with imposing sanctions against any identified individuals or entities.

References
Daniel, M. (2015, April 1). Our latest tool to combat cyber attacks: What you need to know [Blog post]. Retrieved from https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know

Sunday, April 5, 2015

Incorporating Threat Modeling Into the Security Systems Development Life Cycle (Week 4)



For the past few weeks I have been studying the threat modeling process and developing my own threat modeling process to identify threats for a system or application.  While revising my initial threat model, it occurred to me that threat modeling can and probably should be incorporated into the security systems development life cycle (SecSDLC).

The SecSDLC is a process conducted in phases.  Each phase depends on the completion of the previous phase and the information obtained from it.  The SecSDLC process consists of six phases: investigation, analysis, logical design, physical design, implementation, and maintenance.  Whitman and Mattord (2010) used a waterfall model to illustrate the process.


The identification of threats and the risk they create are among the primary goals of the SecSDLC process.  Incorporating the threat modeling process into the SecSDLC process would be an effective way to accomplish those goals.  So where in the SecSDLC process would threat modeling fit?

Well, the analysis phase is where threats and attacks are analyzed to determine the effects they could have on a system and the services provided on it.  Therefore, it would be logical to conduct threat modeling before or in conjunction with the analysis phase of the SecSDLC process.  With threat modeling incorporated before or during the analysis phase, the process illustration can be slightly altered to one of the following:


The constantly changing threat landscape makes it challenging for organizations to develop and maintain controls to mitigate their risk exposure.  Incorporating a threat modeling process into the SecSDLC will ensure threats are assessed regularly in order to sustain an accurate risk profile so it can be mitigated to an acceptable level.

References

Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology Cengage Learning.