Thursday, January 31, 2019

Week 8 - Huawei, a cautionary tale

I still remember like it was yesterday. We came into work one chilly morning to learn of a “security flaw” that enabled Chinese agents to eavesdrop via Huawei’s new handset. Or so we were told. Flash forward to present day to find that the world’s largest spy agencies don’t want any of Huawei’s equipment anywhere near their borders. This aversion to the maker’s equipment stems from its close ties with the Chinese military. The belief here is that Huawei “could” be spying for the Chinese military, which of course poses a national security risk. So what’s the problem? Well, despite years of congressional hearings and scrutiny over its technology, there has not been a single conclusive answer to the question: is Huawei using its phones to spy for the Chinese military? Sure, concerns have been found, but concrete evidence has yet to materialize. Some argue that Huawei is not spying now because they know that getting caught would mean a rapid downfall of the brand and a potential international incident. The ultimate worst-case scenario here is that Huawei’s tech is reverse engineered and implemented by every single telephone company out there in a rush to be the first 5G carrier. Then when the Chinese government is ready, they execute a zero-day vulnerability to steal economic secrets from around the globe. And of course, the damage would be done since immediate removal of the hardware would prove next to impossible. Our government maintains that Huawei is a national security concern after a 2012 report from the House Intelligence Committee. What the report didn’t contain is what is most shocking to me: evidence. Renowned UFC commentator and podcaster Joe Rogan recently said that he believes the reason Huawei and ZTE phones were banned is because they make a better phone for cheaper. He insists that their competitors, namely Samsung and Apple, conspired against Huawei and ZTE to get them banned from most first-world nations.
I’m far from a conspiracy theorist but in the face of baseless accusations I think that there is more to this story that we don’t know.
Reference
Z. Whittaker. (2019, January 26). Without proof, is Huawei still a national security threat? Retrieved from TECHCRUNCH.com at: https://techcrunch.com/2019/01/26/is-huawei-a-national-security-threat/

Saturday, January 26, 2019

Week 7 - My life as an ISSM


     I recently (January 7) started a new position as an ISSM. And while it is very interesting, I am realizing now that the learning curve is a steep one. Sure, courses like risk management and current trends in cyber security have exposed me to the concepts I deal with at work but it's almost like another language. Coupled with the fact that my organization (Testing and Engineering) is chock full of prior service Air Force personnel with a penchant for acronyms and well, let's just say my head swims most days. I am on the cusp of starting my 4th week and while I wouldn't say it's getting "easier", I am understanding the scope of my responsibilities and what my purpose in the organization is.
     In a way, I think that I am on the right track. Prior to this position I worked in a data center. When I started there, I also did not know how to do any of the work. With proper training though I was able to work unsupervised in a few weeks. I wish this position was a little like my last one in that my production was easily measured by the number of items I processed daily. I currently find myself entangled with an SSP (System Security Plan) re-write for accreditation from our SCA (security controls assessor) so that we can be issued another ATO (authority to operate). See, I told you there were a lot of acronyms ;).
     In short, I told my supervisor when I interviewed that I wanted to be challenged. Well, be careful what you wish for.

Monday, January 14, 2019

Week 6 – Resources, upon resources, upon resources

In week 2, I provided a list of resources which I felt would be instrumental to me for constructing my blog posts. These resources were:
https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions. This website is a great resource for Cybersecurity professionals who seek information on the latest threats from various vectors.
https://www.csoonline.com/about/about.html. CSO online is built to provide security decision makers with the latest knowledge to stay in front of the latest threats and defend against criminal cyberattacks.
Both of these resources, while great in their respective discipline, leave information on the table that can be useful to security professionals. Since week 2 I have written three more posts ranging from the advancement of AI and our lack of preparation for it to how the government shutdown is having and will continue to have a lasting impact in the area of cybersecurity. When composing both those posts I also discovered the following resource:
https://slate.com/about. Now, while Slate.com is not your typical tech-based resource, I find that their take on subjects ranging from politics to tech is a refreshing one. I particularly enjoy the fact that their articles are easy to read and disseminate information in a way that captures the reader’s mind. If anything, Slate has unfortunately highlighted some of the shortcomings in my own writing style that I hope to rectify.
Looking back on these sources made me think of a couple of scenarios where a writer should discern between sites in order to provide the most up-to-date information. In the case of Slate, I would not choose them as a resource if I was engaged in capturing information that I wished to disseminate to a technical-minded audience. I find that their content is written more for a TEDx discussion wherein the orator’s goal is to inform and entertain without being overly technical. CSO online and the ICS sites are and should be used when delivering content aimed at audiences who have the vocabulary and knowledge to keep pace with the discussion. As far as resources that are not good for use, I would say that anything on Wikipedia should be verified against credible sources. Now, that’s not to say that everything on Wikipedia is incorrect, but a savvy reader should always scroll down to the bottom and check out the references that were cited. Doing so is the mark of a reader that wishes to be informed and not misled.

Saturday, January 12, 2019

Week 5 - Dismal Cybersecurity Outlook Amidst Government Shutdown


Hello readers. So, by now you know that our government is essentially at a standstill. National parks are being "destroyed", TSA agents are working without pay and quitting in some instances, and we remain divided as a nation. What is really in trouble is the state of our cybersecurity.

DHS employees, who are responsible for civilian cybersecurity efforts such as threat analysis and information sharing, have been furloughed. This is a huge blow for private industry, which depends on DHS to keep abreast of threats and ensure a safe computing environment for their organizations. Further fallout of the shutdown is the reluctance of talented cybersecurity professionals to join the civil service ranks. Ranks that were already tough to fill prior to the shutdown.

The shutdown has the potential to not only affect the private sector but to also impact the government's security posture. Nearly 85 percent of the National Institute of Standards and Technology’s staff members are furloughed during the shutdown. This number is critical given the central importance of NIST security and privacy standards for not just government agencies but also many private companies.

The importance of NIST can't be overstated. They run a Computer Security Resource Center, which is currently offline, but whose resources can still be accessed by the wily security expert. Another reason why it's such a "big deal" that the NIST site is not being maintained is the fact that NIST covers everything from encryption to how user accounts should be authenticated, sensitive data storage requirements, network intrusion monitoring, and security incident response. Currently, federal law mandates that only federal agencies are required to follow the security guidelines issued by NIST, but many other organizations also rely on them as reputable, comprehensive, and well-vetted recommendations for best practices in computer security (Wolff, 2019). Perhaps with a bit of temperance we can all get back to work and continue protecting our national cyber-assets.

Reference:

J. Wolff. (2019, Jan. 9). The Shutdown is Hurting Cybersecurity. Retrieved from slate.com at: https://slate.com/technology/2019/01/government-shutdown-cybersecurity-dhs-nist.html

Friday, January 4, 2019

Week 4 - Out of the security frying pan, into the AI fire


     Currently we find ourselves embroiled in a security arms race which has now been exacerbated by the advent of AI. AI is and has been the proverbial “Paul Revere” of the tech boom. For decades security experts have shouted from the mountain top, “AI is coming, AI is coming.” Well guess what? AI is here and the possibilities of what it can do, good or bad, are frightening for lack of a better word. Not all experts share optimistic views regarding AI, but they can all agree that the effect it will have on security will be one with long-lasting repercussions.
     Make no mistake about it, cybercriminals will eventually be able to wield AI in nefarious ways which we have not yet envisioned. The only problem? The timeline. Security experts interviewed believe that this activity should be occurring now while others think that we will see AI-based attacks in 3-5 years.
     Chairman of the Delphi Group and advisor to Wasabi Technologies, Tom Koulopoulos says that within three years we will see “AI used to automate highly personalized attacks that use a combination of behavioral data and patterns of online interaction to hyper-target individuals” (Finnie, 2018). And in case you are curious like me, hyper-targeting refers to the ability to deliver advertising content to specific interest-based segments in a network. I felt like I had to explain that word as I had not heard that before myself. The example cited is one where a target receives an email based on interactions that the target has had. For example, imagine receiving an email like this:
“Hey, it was great seeing you at Starbucks! I know you’re interested in traveling to the Mediterranean since your most recent trip to Crete last summer. You might want to check out this offer I came across…” Could you imagine the implications of an AI boosted phishing attack such as this one!? Tom says that an attack of this nature merely “scratches the surface” in relation to other types of attacks that are possible.
References
Finnie, S. (2018, October 30). Cyber threats fueled by AI: Security's next big challenge. Retrieved from www.csoonline.com at: https://www.csoonline.com/article/3315740/security-awareness/cyber-threats-fueled-by-ai-securitys-next-big-challenge.html