Monday, February 25, 2019

Week 12 - Lessons Learned



Well, here we are. The last week of class for my Master’s program. I can’t believe that I actually did it! I jokingly said to my wife that I’m pretty sure if I were to compile ALL of my assignments from this program it would probably amount to a book’s worth of writing. I have never written, and read for that matter, so much in my life. That’s one of the takeaways from this course, communication. The ability to properly convey knowledge, and to ingest it, is a skill that will prove invaluable in any career field in which that is required.

One point of contention for me personally is my lack of creativity. Looking at some of the network diagrams from my other classmates made me feel a level of inadequacy that I’ve never felt before. It made me want to try harder, and perhaps that is why some, myself included, take shortcuts. Thankfully, I was able to atone for my wrongdoing, but if given a chance I would definitely go about that whole scenario differently. Bottom line, I did not, and should have, allotted more time for myself to properly complete the assignment. Therein lies lesson learned three, time management. Knowing how to properly budget your time can be the difference between turning in a polished project or a dud full of mistakes, typos, and anything else that demonstrates lack of effort.

And on effort. You only get out what you put in. I genuinely tried to read as much of the material as I could. Some of it I knew, but at times it felt like it was a whole different class. It was during those moments when I wanted to quit that I knew I had to pull myself up by the bootstraps and try harder. Had I not done that, I’m sure that my grade would’ve suffered. Effort is applicable to many other facets of life as well. Cheers!

Friday, February 15, 2019

Week 10 - Cryptography now being used in the fight against deepfake videos



Video is now ubiquitous in our daily lives. Law enforcement, in particular, relies on it for investigations in addition to footage from witnesses and other sources. Reliance on video has opened up an unforeseen threat, “deepfakes.” The integrity of video footage has now come into question as software that allows video manipulation proliferates. Fortunately, there is a project on the horizon that takes aim at curbing “deepfakes” via cryptographic authentication.
            
Amber Authenticate, a tool developed to run silently in the background during video capture, can generate hashes at user-defined intervals. The hashes are then recorded on a public blockchain, so the same footage snippet can be run through the algorithm again at a later date and authenticated against the record. Dissimilar hashes tip the user off to the possibility of tampering.
Best practices should be used when setting hashing intervals, of course. Too long an interval could result in quick, undetectable tampering, while too short an interval may run into system constraints and can be overkill. Situations that would benefit from short intervals would be law enforcement body camera footage, while storefront CCTV camera recordings would be best suited to long intervals.
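
The interval hashing and later re-verification described above, as an added example (not Amber Authenticate's code and not part of the original post). A Python list stands in for the blockchain record, fixed-size byte chunks stand in for time intervals, and the footage bytes and all function names are constructed for illustration; it shows how the chosen interval sets how precisely a mismatch can be localized.

```python
import hashlib

def segment_hashes(data: bytes, interval: int) -> list[str]:
    """SHA-256 of each fixed-size chunk; chunk size stands in for the time interval."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    return [hashlib.sha256(data[i:i + interval]).hexdigest()
            for i in range(0, len(data), interval)]

def verify(data: bytes, interval: int, recorded: list[str]) -> list[str]:
    """Re-hash the footage and compare segment by segment with the record.

    A segment is 'green' only if it exists on both sides and the hashes match,
    so truncated or extended footage shows up as 'red' segments too.
    """
    current = segment_hashes(data, interval)
    status = []
    for i in range(max(len(current), len(recorded))):
        ok = (i < len(current) and i < len(recorded)
              and current[i] == recorded[i])
        status.append("green" if ok else "red")
    return status

def suspect_ranges(status: list[str], interval: int) -> list[tuple[int, int]]:
    """Byte ranges [start, end) of every segment that failed verification."""
    return [(i * interval, (i + 1) * interval)
            for i, s in enumerate(status) if s == "red"]

# Constructed sample "footage": 10,240 bytes of a repeating pattern.
FOOTAGE = bytes(range(256)) * 40

# Constructed tampered copy: a single byte altered at offset 5000.
_copy = bytearray(FOOTAGE)
_copy[5000] ^= 0xFF
TAMPERED = bytes(_copy)

def demo(interval: int) -> list[tuple[int, int]]:
    """Record hashes of the original, then verify the tampered copy."""
    ledger = segment_hashes(FOOTAGE, interval)  # stand-in for the public record
    return suspect_ranges(verify(TAMPERED, interval, ledger), interval)

if __name__ == "__main__":
    for interval in (1024, 4096):
        print(f"interval={interval}: re-examine byte ranges {demo(interval)}")
```

With the shorter interval the one-byte change is narrowed to a 1,024-byte segment; with the longer one the reviewer has a 4,096-byte segment to re-examine, at a quarter of the hashes to compute and store.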

Shamir Allibhai, Amber CEO, says that the systemic risk with police body cameras, inherent to many manufacturers and models, together with the threat of deepfakes can make it almost impossible to detect a fake once it is entered as evidence. Currently, detection is always a step behind; Amber Authenticate aims to bring it in step with efforts to manipulate video.
Human rights activists, free speech advocates, and law enforcement oversight committees see great potential in a tool like Amber Authenticate for exposing cover-ups of abuse. Governments can also benefit from a video integrity tool. Allibhai presented his video cryptography solution to Department of Defense and Department of Homeland Security representatives. Also in attendance were vendors like Factom, which are working on a similar video authentication tool.
Built on the popular open-source blockchain platform Ethereum, Amber Authenticate includes a web-based graphical user interface. The interface provides feedback in the form of a green frame when the video is authentic and a red frame when a mismatched hash has been identified. Amber Authenticate also displays an “audit trail” listing when the file was originally created, uploaded, hashed, and submitted to the blockchain.

Amber Authenticate creator Shamir Allibhai is confident manufacturers will want to license his software for use in CCTV and body camera applications. This comes after his research consultant Josh Mitchell was able to find vulnerabilities in five different models of popular body cameras. Mitchell was able to prove compatibility of Amber Authenticate with some of those popular brands.
Video authentication tools for body cameras in particular are a long time coming for this platform. Civil liberty union policy analyst Jay Stanley says that Amber Authenticate will have to be evaluated against industry standards for tools of this caliber. Stanley is hopeful that other products like Amber become the available standard and perhaps give communities back their confidence in evidence.

References


Newman, L. H. (2019, February 11). A New Tool Protects Videos From Deepfakes and Tampering. Retrieved from Wired.com: https://www.wired.com/story/amber-authenticate-video-validation-blockchain-tampering-deepfakes/

Saturday, February 9, 2019

Week 9 - Cyber-attack Insurance? Is that a thing?



Few things are as certain in 2019 as death and taxes, and one of them is cyber-attacks. A recent report published by the Cambridge Centre for Risk Studies and authored by the Cyber Risk Management (CyRiM) project puts the cost of cyber-attacks in 2019 in the billions of dollars.

The report examines ransomware specifically but it is an obvious representation of how costly and disruptive cyber-attacks are. The figures in the report, $25 billion in costs for retail and health along with $90 billion for the U.S. alone, include disruption to processes like supply chain and production, ransom payments, and mitigation expenses.

It is no longer a question of if cyber-attacks will happen, but rather a question of when they will happen. Costs per incident will continue to rise in conjunction with the frequency and complexity of the attacks. This was never more evident than in the recent ransomware attack experienced by the city of Atlanta, which essentially ground the city to a halt.

An unintended consequence of a cyber-attack is survival. Is your organization poised to not only mitigate an attack but also ensure business continuity? What about your financial posture? If the answer is “no” to any of these, it would be wise to seek out a lesser-explored mitigation technique of risk transference – cyber insurance.

Although cyber insurance is expected to reach the $9 billion mark by 2020 (Siekierska, 2018), it seems that there is still some apprehension regarding this oft-unknown lifeline. Organizations are reluctant: only one-third of companies make the choice to explore this option. In some circles, cyber-attack insurance is viewed as a bit of a novelty rather than a necessary cost of doing business. One of the reasons for this point of view is its recent popularity. Enterprise is still very much dominated by the “old guard” who view cyber-attack insurance as the trendy new kid on the block instead of another layer of insulation against potential disruption or ultimate financial ruin. But this type of mentality may not be without merit given the sometimes-fickle nature of security tools. What is hot today is all but abandoned tomorrow, leaving organizations fuming over unnecessary expenditures that could have been better utilized elsewhere.

And of course, the biggest point of contention with cyber-attack insurance is the lack of understanding of what is and what isn’t covered. This is akin to automobile insurance with slightly more confusing and obscure language. On one hand, mid-to-large businesses find it difficult to prove a loss to their carrier and on the other, carriers find it hard to properly write a policy which provides adequate coverage for the policy holder. Time will tell if cyber-attack insurance will become a thing or not. In the meantime, organizations would be best served by analyzing their risk appetite against their business continuity procedures and leveraging a policy which covers any gaps that are identified.
        

References

Poremba, S. (2019, Feb 5). Cyber Insurance Adoption Low, Despite Rising Cyberattack Threats. Retrieved from Security Boulevard: https://securityboulevard.com/2019/02/cyber-insurance-adoption-low-despite-rising-cyberattack-threats/
Daffron, J., Ruffle, S., Andrew, C., Copic, J., Quantrill, K., Smith, A., Leverett, E., Cambridge Centre for Risk Studies, Bashe Attack: Global Infection by Contagious Malware, 2019

Siekierska, A. (2018, Nov 9). Hackers targeting small town governments, prompting need for 'cyber insurance'. Retrieved from Yahoo Finance: https://finance.yahoo.com/news/hackers-targeting-small-town-governments-prompting-need-cyber-insurance-154730070.html

Thursday, January 31, 2019

Week 8 - Huawei, a cautionary tale

I still remember it like it was yesterday. We came into work one chilly morning to learn of a “security flaw” that enabled Chinese agents to eavesdrop via Huawei’s new handset. Or so we were told. Flash forward to present day to find that the world’s largest spy agencies don’t want any of Huawei’s equipment anywhere near their borders. This aversion to the maker’s equipment stems from its close ties with the Chinese military. The belief here is that Huawei “could” be spying for the Chinese military, which of course poses a national security risk.
So what’s the problem? Well, despite years of congressional hearings and scrutiny over their technology, there has not been a single conclusive answer to the question: is Huawei using their phones to spy for the Chinese military? Sure, concerns have been found, but concrete evidence has yet to materialize. Some argue that Huawei is not spying now because they know that getting caught would mean a rapid downfall of the brand and a potential international incident.
The ultimate worst-case scenario here is that Huawei’s tech is reverse engineered and implemented by every single telephone company out there in a rush to be the first 5G carrier. Then, when the Chinese government is ready, they execute a zero-day vulnerability to steal economic secrets from around the globe. And of course, the damage would be done, since immediate removal of the hardware would prove next to impossible.
Our government persists in saying that Huawei is a national security concern after a 2012 report from the House Intelligence Committee. What the report didn’t contain is the most shocking to me: evidence. Renowned UFC commentator and podcaster Joe Rogan recently said that he believes the reason Huawei and ZTE phones were banned is because they make a better phone for cheaper. He insists that their competitors, namely Samsung and Apple, conspired against Huawei and ZTE to get them banned from most first world nations.
I’m far from a conspiracy theorist but in the face of baseless accusations I think that there is more to this story that we don’t know.
Reference
Z. Whittaker. (2019, January 26). Without proof, is Huawei still a national security threat? Retrieved from TECHCRUNCH.com at: https://techcrunch.com/2019/01/26/is-huawei-a-national-security-threat/

Saturday, January 26, 2019

Week 7 - My life as an ISSM

January 26, 2019

     I recently (January 7) started a new position as an ISSM. And while it is very interesting, I am realizing now that the learning curve is a steep one. Sure, courses like risk management and current trends in cyber security have exposed me to the concepts I deal with at work but it's almost like another language. Coupled with the fact that my organization (Testing and Engineering) is chock full of prior service Air Force personnel with a penchant for acronyms and well, let's just say my head swims most days. I am on the cusp of starting my 4th week and while I wouldn't say it's getting "easier", I am understanding the scope of my responsibilities and what my purpose in the organization is.
     In a way, I think that I am on the right track. Prior to this position I worked in a data center. When I started there, I also did not know how to do any of the work. With proper training, though, I was able to work unsupervised in a few weeks. I wish this position was a little like my last one in that my production was easily measured by the number of items I processed daily. I currently find myself entangled with an SSP (System Security Plan) re-write for accreditation from our SCA (security controls assessor) so that we can be issued another ATO (authority to operate). See, I told you there were a lot of acronyms ;).
     In short, I told my supervisor when I interviewed that I wanted to be challenged. Well, be careful what you wish for.

Monday, January 14, 2019

Week 6 – Resources, upon resources, upon resources


In week 2, I provided a list of resources which I felt would be instrumental to me for constructing my blog posts. These resources were:
https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions. This website is a great resource for Cybersecurity professionals who seek information on the latest threats from various vectors.
https://www.csoonline.com/about/about.html. CSO online is built to provide security decision makers with the latest knowledge to stay in front of the latest threats and defend against criminal cyberattacks.
Both of these resources, while great in their respective discipline, leave information on the table that can be useful to security professionals. Since week 2 I have written three more posts ranging from the advancement of AI and our lack of preparation for it to how the government shutdown is having, and will continue to have, a lasting impact in the area of cybersecurity. When composing both those posts I also discovered the following resource:
https://slate.com/about. Now, while Slate.com is not your typical tech-based resource, I find that their take on subjects ranging from politics to tech is a refreshing one. I particularly enjoy the fact that their articles are easy to read and disseminate information in a way that captures the reader’s mind. If anything, Slate has unfortunately highlighted some of the shortcomings in my own writing style that I hope to rectify.
Looking back on these sources made me think of a couple of scenarios where a writer should discern between sites in order to provide the most up-to-date information. In the case of Slate, I would not choose them as a resource if I was engaged in capturing information that I wished to disseminate to a technical-minded audience. I find that their content is written more for a TEDx discussion wherein the orator’s goal is to inform and entertain without being overly technical. CSO online and the ICS sites are and should be used when delivering content aimed at audiences who have the vocabulary and knowledge to keep pace with the discussion. As far as resources that are not good for use, I would say that anything on Wikipedia should be verified against credible sources. Now, that’s not to say that everything on Wikipedia is incorrect, but a savvy reader should always scroll down to the bottom and check out the references that were cited. Doing so is the mark of a reader that wishes to be informed and not misled.

Saturday, January 12, 2019

Week 5 - Dismal Cybersecurity Outlook Amidst Government Shutdown

Week 5

Hello readers. So, by now you know that our government is essentially at a standstill. National parks are being "destroyed", TSA agents are working without pay and quitting in some instances, and we remain divided as a nation. What is really in trouble is the state of our cybersecurity.

DHS employees, who are responsible for civilian cybersecurity efforts such as threat analysis and information sharing, have been furloughed. This is a huge blow for private industry, which depends on DHS to keep abreast of threats and ensure a safe computing environment for its organizations. Further fallout of the shutdown is the reluctance of talented cybersecurity professionals to join the civil service ranks. Ranks that were already tough to fill prior to the shutdown.

The shutdown has the potential to not only affect the private sector but to also impact the government's security posture. Nearly 85 percent of the National Institute of Standards and Technology’s staff members are furloughed during the shutdown. This number is critical given the central importance of NIST security and privacy standards for not just government agencies but also many private companies.

The importance of NIST can't be overstated. They run a Computer Security Resource Center, which is currently offline, but whose resources can still be accessed by the wily security expert. Another reason why it's such a "big deal" that the NIST site is not being maintained is the fact that NIST covers everything from encryption to how user accounts should be authenticated, sensitive data storage requirements, network intrusion monitoring, and security incident response. Currently, federal law mandates that only federal agencies are required to follow the security guidelines issued by NIST, but many other organizations also rely on them as reputable, comprehensive, and well-vetted recommendations for best practices in computer security (Wolff, 2019). Perhaps with a bit of temperance we can all get back to work and continue protecting our national cyber-assets.

Reference:

J. Wolff. (2019, Jan. 9). The Shutdown is Hurting Cybersecurity. Retrieved from slate.com at: https://slate.com/technology/2019/01/government-shutdown-cybersecurity-dhs-nist.html