Thursday, April 21, 2016

Cybersecurity: Professional Perspective

In recent months, the word "cybersecurity" has become a major buzzword, sparking debate and curiosity across society. A large reason for this is the recent Apple-FBI security dispute, which has gained enough attention that everyone has begun paying attention, even those who were previously uninformed about or uninterested in cybersecurity.

Following this recent rise of interest, this post will focus on presenting things learned from discussing different topics with an industry professional.

1) What are the biggest challenges in the industry?

One of the topics discussed was the challenges organizations face in the cybersecurity industry. A point that was stressed was that cybersecurity attacks are inevitable. An organization should not think in terms of whether a vulnerability will be exposed, but when it will be exposed and taken advantage of.

Unfortunately, the biggest challenge small organizations and non-profits face is the lack of available resources. Experienced cybersecurity consultants and specialists come at a high price, which these organizations cannot afford. Instead, organizations (like Chatham) assign cybersecurity responsibilities to an existing employee, who divides their time between two job functions. This means that not only is expertise lacking (many of these employees are taking cybersecurity courses and certifications while already being responsible for cybersecurity measures in their organization), but so is the time devoted to cybersecurity measures.

Because of this, many small organizations and non-profits are not adequately prepared for any significant or large-scale attack on their systems, which makes them prime targets for hackers and the like.

2) People Skills are just as Important as Technical Skills!

Phishing and spoofing are common attacks that cybersecurity professionals have to plan for and protect their systems against. These attacks target users directly and are built around social engineering.

Hackers and attackers combine technical skills and people skills to develop attacks that will have the largest possible effect. Because of this, the cybersecurity professionals tasked with preventing these attacks and limiting their fallout also have to keep the social aspects of the problem in mind. They must reach out to the system's users and provide the education and tools those users need to avoid falling prey to these attacks.

The cybersecurity professionals must also have a thorough understanding of the social engineering techniques attackers may employ in order to create adequate safeguards against attacks.

3) Advice to Users: Protecting Your Information

Sometimes users come across a website that does not use appropriate encryption techniques or adequate safeguards. When asked what advice to give users of such websites, which sometimes send sensitive data through unsecured means, the best suggestion given was to have the users weigh the costs.

Users should think about the password or data they are providing to the website and weigh the cost of having that information compromised. Does the benefit of using the website outweigh the cost of compromised information? It is a personal decision each user has to make when providing sensitive data.

Another recommendation is to not use the same password for different systems, especially for those that store the user's sensitive personal or financial data. Regular password changes are also recommended.

Wednesday, April 20, 2016

Cybersecurity Education


We have discussed how the CERT Division of Carnegie Mellon University's Software Engineering Institute offers users resources to help ensure the security of their information and activities online.


This post is based around the same concept that security begins with the user, and explores the initiatives taken by the FBI and NIST's National Institute for Cybersecurity Education (NICE) to educate and inform the community regarding cybersecurity.

Educate Yourself:

It is hard to make sure you are being secure if you do not know what vulnerabilities or threats to be on the lookout for. This is especially true for adults, since cybersecurity was not traditionally taught in school or even required in college.

As discussed in the last post, CERT's Vulnerability Notes Database is a good resource for learning about potential vulnerabilities and the best way to manage them. Another good resource to subscribe to is the National Cyber Awareness System, which provides timely updates regarding security topics and threats.

Users can subscribe to these mailing lists and feeds via the link provided as a resource on the FBI Cybersecurity page.

The FBI Cybersecurity page also provides information regarding internet fraud, a testimony on the cybersecurity threats the country faces (presented to a Senate Committee), and information on how to report a cyber incident.

Additionally, the FBI Cybersecurity page provides access to Homeland Security's "Stop.Think.Connect" campaign, which promotes cybersecurity awareness, calls it a "shared responsibility", and provides more resources to educate oneself.


Educate Others and Start Young:

As Homeland Security states: cybersecurity is a shared responsibility. Not only do we need to ensure that we are being secure and safe, we need to make sure that others who have access or interact with technology are also being safe.

Each generation is born into more technology than the previous one. The gap in technology use grows at an exponential rate. Even the difference in access to technology between those currently in college and those currently in high school is very wide.

This means that we as a society need to ensure we begin providing education regarding cybersecurity and general internet safety to everyone from a very young age.

NICE works with the NSF and the Department of Education to "bolster formal cybersecurity education programs". It is one of the hosts of the K-12 Cybersecurity Education Conference, which has workshops, panels, and exhibits meant to address the challenges and opportunities of teaching cybersecurity in schools.

NICE also maintains the Cyber Education Map, which provides a network of the organizations, schools, and individuals that support cybersecurity education initiatives.

Exploring CERT's Vulnerability Database and User Responsibility



CERT? What is That?

CERT Division is part of Carnegie Mellon University's Software Engineering Institute

The CERT Division focuses on studying and solving problems with widespread cybersecurity implications. It does this through research, working with organizations, developing new technology, publishing related blog posts, and providing training on topics such as Incident Handling, Network and Software Security, and Risk Assessment and Insider Threats.
Who is Responsible?

As is commonly discussed in any cybersecurity course, cybersecurity starts with the user. The information CERT provides makes this clear, and CERT gives users tools and services to help them stay secure.

This post will discuss one such service: CERT's Vulnerability Notes Database.


Although users have little to no control over the precautions taken by a developer making a product, whether software or hardware, they do have control over whether they use it and how they use it. Scanning through the vulnerability database CERT provides, and the National Vulnerability Database (NIST) it links to, is a good way to stay informed about any security flaws that may affect them.

Although it might be tempting to deem such precautions insignificant for a single individual, that would be a grave mistake. The vulnerability note below makes the reasoning clear.

Vulnerability Note VU#981271: Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol.

In today's world, almost everything is done online, and it requires a user to submit a lot of sensitive private information such as credit card and social security numbers. Most of the time, this information is submitted using a keyboard and mouse on the computer, sometimes through wireless versions of these devices.

All submitted information first passes through these devices. If they are not secure, then all of that information is at risk. This is something people need to be aware of, so they can take the proper precautions: either use a different device or follow the advice in the database to secure their devices.

For users who have discovered vulnerabilities themselves and have reached out to developers and producers without success, CERT encourages the submission of such vulnerabilities to its database. CERT will then work with vendors on how to best manage them.

Keep CERT's Vulnerability Database and other services in mind as you go about your online activities, because remember:

Image of Detective Shadow saying "Vigilance Begins With You" (source: U.S. Army)