Monday, February 25, 2019

Week 12 - Lessons Learned



Well, here we are. The last week of class for my Master’s program. I can’t believe that I actually did it! I jokingly said to my wife that I’m pretty sure if I were to compile ALL of my assignments from this program it would probably amount to a book’s worth of writing. I have never written, and read for that matter, so much in my life. That’s one of the takeaways from this course, communication. The ability to properly convey knowledge, and to ingest it, is a skill that will prove invaluable in any career field in which it is required.

One point of contention for me personally is my lack of creativity. Looking at some of the network diagrams from my other classmates made me feel a level of inadequacy that I’ve never felt before. It made me want to try harder, and perhaps that is why some, myself included, take shortcuts. Thankfully, I was able to atone for my wrongdoing, but if given a chance I would definitely go about that whole scenario differently. Bottom line, I did not, and should have, allotted more time for myself to properly complete the assignment. Therein lies lesson learned three, time management. Knowing how to properly budget your time can be the difference between turning in a polished project or a dud full of mistakes, typos, and anything else that demonstrates lack of effort.

And on effort. You only get out what you put in. I genuinely tried to read as much of the material as I could. Some of it I knew, but at times it felt like it was a whole different class. It was during those moments when I wanted to quit that I knew I had to pull myself up by the bootstraps and try harder. Had I not done that, I’m sure that my grade would’ve suffered. Effort is applicable to many other facets of life as well. Cheers!

Friday, February 15, 2019

Week 10 - Cryptography now being used in the fight against deepfake videos



Video is now ubiquitous in our daily lives. Law enforcement, in particular, relies on it for investigations in addition to footage from witnesses and other sources. Reliance on video has opened up an unforeseen threat, “deepfakes.” The integrity of video footage has now come into question as software allowing video manipulation proliferates. Fortunately, there is a project on the horizon that takes aim at curbing “deepfakes” via cryptographic authentication.
            
Amber Authenticate, a tool developed to run silently in the background during video capture, can generate hashes at user-defined intervals. The hashes are then recorded on a public blockchain, where they can be used to authenticate the footage at a later date by running the same snippet through the algorithm again. Dissimilar hashes tip the user off to the possibility of tampering.
Best practices should be used when setting hashing intervals, of course. Too long of an interval could result in quick, undetectable tampering, while too short of an interval may cause system constraints and can be overkill. Situations that would benefit from short intervals would include law enforcement body camera footage, while storefront CCTV camera recordings would be best suited for long intervals.
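The interval hashing and later re-check described above can be sketched as follows; this is an added example, not Amber Authenticate's code. It assumes SHA-256, a byte count standing in for the time interval, and a plain Python list standing in for the blockchain record, and all function names are hypothetical.

```python
import hashlib

def segment_hashes(footage: bytes, interval: int) -> list:
    """Hash the footage in consecutive segments of `interval` bytes."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    records = []
    for index, offset in enumerate(range(0, len(footage), interval)):
        chunk = footage[offset:offset + interval]
        records.append({"index": index, "offset": offset, "length": len(chunk),
                        "sha256": hashlib.sha256(chunk).hexdigest()})
    return records  # assumption: this list is what would be recorded publicly

def verify(footage: bytes, records: list) -> dict:
    """Re-hash each recorded segment and report where the footage differs."""
    mismatched = []
    for rec in records:
        chunk = footage[rec["offset"]:rec["offset"] + rec["length"]]
        if hashlib.sha256(chunk).hexdigest() != rec["sha256"]:
            mismatched.append(rec["index"])
    # Footage that was cut short or had material appended changes the length.
    recorded_len = sum(rec["length"] for rec in records)
    length_changed = len(footage) != recorded_len
    return {"mismatched": mismatched, "length_changed": length_changed,
            "authentic": not mismatched and not length_changed}

# Constructed sample: 1000 bytes standing in for captured footage.
ORIGINAL = bytes(i % 251 for i in range(1000))
# Constructed tampering: three bytes overwritten at offset 420.
TAMPERED = ORIGINAL[:420] + b"\x00\x00\x00" + ORIGINAL[423:]

def compare_intervals() -> dict:
    """Map interval -> (hashes recorded, segments flagged in TAMPERED)."""
    out = {}
    for interval in (500, 100):
        records = segment_hashes(ORIGINAL, interval)
        out[interval] = (len(records), verify(TAMPERED, records)["mismatched"])
    return out

if __name__ == "__main__":
    print(verify(ORIGINAL, segment_hashes(ORIGINAL, 100)))
    print(compare_intervals())
```

With the shorter interval the mismatch is narrowed to a 100-byte segment at the cost of five times as many hashes to record, which is the trade-off the interval setting controls.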

Shamir Allibhai, Amber CEO, says that the systemic risk with police body cameras, which is inherent to many manufacturers and models, together with the threat of deepfakes can make it almost impossible to detect a fake once it has been entered as evidence. Currently, detection is always a step behind efforts to manipulate video; Amber Authenticate aims to bring it in step with them.
Human rights activists, free speech advocates, and law enforcement oversight committees see great potential in a tool like Amber Authenticate for exposing cover-ups of abuse. Governments can also benefit from a video integrity tool. Allibhai presented his video cryptography solution to Department of Defense and Department of Homeland Security representatives. Also in attendance were vendors like Factom, who are working on a similar video authentication tool.
Built on the popular open-source blockchain platform Ethereum, Amber Authenticate includes a web-based graphical user interface. The interface provides feedback in the form of a green frame when the video is authentic and a red frame when a mismatched hash has been identified. Amber Authenticate also displays an “audit trail” listing when the file was originally created, uploaded, hashed, and submitted to the blockchain.

Amber Authenticate creator Shamir Allibhai is confident manufacturers will want to license his software for use in CCTV and body camera applications. This comes after his research consultant Josh Mitchell was able to find vulnerabilities in five different models of popular body cameras. Mitchell was able to prove compatibility of Amber Authenticate with some of those popular brands.
Video authentication tools for body cameras in particular are a long time coming for this platform. Civil liberty union policy analyst Jay Stanley says that Amber Authenticate will have to be evaluated against industry standards for tools of this caliber. Stanley is hopeful that other products like Amber become the available standard and perhaps restore communities' confidence in evidence.

References


Newman, L. H. (2019, February 11). A New Tool Protects Videos From Deepfakes and Tampering. Retrieved from Wired.com: https://www.wired.com/story/amber-authenticate-video-validation-blockchain-tampering-deepfakes/

Saturday, February 9, 2019

Week 9 - Cyber-attack Insurance? Is that a thing?



Few things are more certain in 2019 than death and taxes, and one of them is cyber-attacks. A recent report published by the Cambridge Centre for Risk Studies and authored by the Cyber Risk Management (CyRiM) project puts the costs of cyber-attacks in 2019 in the billions of dollars.

The report examines ransomware specifically but it is an obvious representation of how costly and disruptive cyber-attacks are. The figures in the report, $25 billion in costs for retail and health along with $90 billion for the U.S. alone, include disruption to processes like supply chain and production, ransom payments, and mitigation expenses.

It is no longer a question of whether cyber-attacks will happen, but rather a question of when they will happen. Costs per incident will continue to rise in conjunction with the frequency and complexity of attacks. This was never more evident than in the recent ransomware attack experienced by the city of Atlanta, which essentially ground the city to a halt.

An unintended consequence of a cyber-attack is survival. Is your organization poised to not only mitigate an attack but also ensure business continuity? What about your financial posture? If the answer is “no” to any of these, it would be wise to seek out a lesser-explored mitigation technique of risk transference – cyber insurance.

Although cyber insurance is expected to reach the $9 billion mark by 2020 (Siekierska, 2018), it seems that there is still some apprehension regarding this oft unknown lifeline. Organizations are reluctant, to the tune of only one-third of companies making the choice to explore this option. In some circles, cyber-attack insurance is viewed as a bit of a novelty rather than a necessary cost of doing business. One of the reasons for this point of view is its recent popularity. Enterprise is still very much dominated by the “old guard” who view cyber-attack insurance as the trendy new-kid-on-the-block instead of another layer of insulation against potential disruption or ultimate financial ruin. But this type of mentality may not be without merit given the sometimes-fickle nature of security tools. What is hot today is all but abandoned tomorrow, leaving organizations fuming over unnecessary expenditures that could have been better utilized elsewhere.

And of course, the biggest point of contention with cyber-attack insurance is the lack of understanding of what is and what isn’t covered. This is akin to automobile insurance with slightly more confusing and obscure language. On one hand, mid-to-large businesses find it difficult to prove a loss to their carrier and on the other, carriers find it hard to properly write a policy which provides adequate coverage for the policy holder. Time will tell if cyber-attack insurance will become a thing or not. In the meantime, organizations would be best served by analyzing their risk appetite against their business continuity procedures and leveraging a policy which covers any gaps that are identified.
        

References

Poremba, S. (2019, Feb 5). Cyber Insurance Adoption Low, Despite Rising Cyberattack Threats. Retrieved from Security Boulevard: https://securityboulevard.com/2019/02/cyber-insurance-adoption-low-despite-rising-cyberattack-threats/

Daffron, J., Ruffle, S., Andrew, C., Copic, J., Quantrill, K., Smith, A., Leverett, E. (2019). Bashe Attack: Global Infection by Contagious Malware. Cambridge Centre for Risk Studies.

Siekierska, A. (2018, Nov 9). Hackers targeting small town governments, prompting need for 'cyber insurance'. Retrieved from Yahoo Finance: https://finance.yahoo.com/news/hackers-targeting-small-town-governments-prompting-need-cyber-insurance-154730070.html