Tuesday, September 26, 2017

Security Fatigue

By now, most of us know that humans are the weakest link when it comes to computer security. However, the reason behind it has shifted. According to NIST, users are now experiencing what’s known as security fatigue. This means that users are feeling "weariness or reluctance to deal with computer security" (Brown, 2016).

The difference is that previously, humans were considered the weakest link because of a lack of awareness, urgency, or controls. Today, by contrast, they are overwhelmed by the number of passwords they must maintain, weary of complex security policies and training, and tired of jumping through security hoops in general. The problem is that users now find ways either to take the easiest road or to circumvent security altogether, exposing themselves to greater risk.

NIST offers some recommendations for easing this burden:

  • Limit the number of security decisions users need to make
  • Make it simple for users to choose the right security action
  • Design for consistent decision making whenever possible

Unfortunately, the buck doesn’t stop there. What’s even more alarming is that security fatigue has also extended to security professionals, albeit for other reasons. In one study, “10% of security professionals have quietly paid ransomware demands, and ... 35% have admitted to circumventing, disabling, or otherwise bypassing their organization's security” (Vigliarolo, 2017). Security professionals spend most of their time reacting to the constant demands generated by the controls they themselves put in place, such as system notifications.

TechRepublic lists some things security professionals can do to reduce redundant tasks:

  1. Minimize security fatigue by using a single sign-on system like Okta, Shibboleth, or OneLogin
  2. Do a better job of filtering security alerts and notifications to your IT team
  3. Create an extra level of administrative privileges that lives between regular users and true admins
  4. Hold your team accountable when something happens

I can’t say I haven’t experienced security fatigue myself on both ends, though I fully understand the importance of security. I feel the answer is to implement more automated and fool-proof solutions, such as biometrics for authentication.

References

Brown, E. A. (2016, October 19). 'Security Fatigue' Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests. Retrieved May 20, 2017, from https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly

Vigliarolo, B. (2017, May 9). Study finds cybersecurity pros are hiding breaches, bypassing protocols, and paying ransoms. Retrieved May 20, 2017, from http://www.techrepublic.com/article/study-finds-cybersecurity-pros-are-hiding-breaches-bypassing-protocols-and-paying-ransoms/

Tuesday, August 29, 2017

Cybersecurity Prediction for 2017

The Threat from Computer Hacker Groups will Increase

“Computer hacker groups will continue to emerge in developing countries around the world, increasing the threat of malicious attacks motivated by religion, politics, and money”

The prediction that the threat from computer hacker groups will increase refers to the number and strength of attacks we will see in the near future because of the growing use of the Internet in developed countries. As more people start using the Internet to feed their special interests, the hacker subculture also advances in numbers and abilities as they continue to share information, techniques, tools, and common objectives.

Pierluigi Paganini, Chief Information Security Officer at Bit4Id, has outlined his predictions in relation to cybersecurity for 2016 and 2017. All of his predictions for 2016 have been fulfilled, including “Cyber espionage will be the most serious threat to governments and private businesses,” of which he states: “nation-state actors have continued to represent one of the main threats to government and private businesses. In the last twelve months, the number of cyber-attacks aiming to steal sensitive information and intellectual property continued to increase.” Nation-state actors fall into the computer hacker group category with a political motivation, as they are typically hired by their government to carry out espionage, propaganda, or outright sabotage through the use of hacking techniques.

Paganini has also cast his predictions for 2017, including “Nation State Actors hacking and the urgency of norms of state behavior.” This prediction builds on last year’s, but surmises that detection capabilities will also improve, exposing more hacking agendas.

We will be able to watch how this prediction plays out by evaluating attacks by origin, type, and target at http://map.norsecorp.com/#/. This map is a live feed of a threat intelligence network, and while it doesn’t specifically show the motivation for the attacks, we can use the data to speculate about motivations based on the current state of affairs within and between borders.

What are your observations for 2017 so far?

References

Norse Corp. (n.d.). Norse Attack Map. Retrieved August 29, 2017, from http://map.norsecorp.com/#/

Paganini, P. (2016, December 18). 2017 Cyber Security Predictions. Retrieved August 29, 2017, from http://resources.infosecinstitute.com/2017-cyber-security-predictions/#gref

Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2015). Digital Crime and Terrorism. In Digital crime and digital terrorism (pp. 355-356). Upper Saddle River, NJ: Pearson/Prentice Hall.

Monday, May 29, 2017

CYBR 650 Week 12 – What is cybersecurity?

This seems a little counterintuitive, but I want to address the topic of what cybersecurity really is as my final post in this class.

When the topic of cybersecurity comes up in conversations, there tends to be some confusion as to what it entails. While knowledge about networking is crucial to be successful in cybersecurity, it is only one piece of the puzzle. 

I started the cybersecurity program with a background in information management. I chose cybersecurity because it is a specialized area of information management, and I loved working with the tools and methodologies. I have family that worked in law enforcement, so I guess you could say I am continuing the family business, albeit in a different environment. Cybersecurity professionals have different types of skill sets, just like any other field. Diversity is the key to having a successful team, and cybersecurity is no different.

As I complete the final phase of my education, I am better equipped to articulate my thoughts and proficiencies in all areas of cybersecurity. In addition to networking, this includes social engineering, computer forensics, physical security, threat modeling, risk management, disaster recovery, etc. The list is endless, and those were only the high-level takeaways. 

I am excited to go forth and make an impression in the cybersecurity field. There is so much more I would like to share, so please feel free to leave a comment anytime. I would love to hear from other cybersecurity professionals, or folks who just want to know more. 

Sunday, May 21, 2017

CYBR 650 Week 10 – Security Tools

In week two, we identified credible sources of information for our threat process model. What about tools? There are hundreds of security tools available, so how do we determine which ones to use?

Fortunately, Offensive Security developed Kali Linux in response to this need. Kali is a security distribution of Linux aimed at penetration testing, but it offers so much more. While there are too many tools to go into detail, a complete listing of tools is available at http://tools.kali.org/tools-listing under the following categories:

  • Exploitation Tools
  • Hardware Hacking
  • Forensics Tools
  • Information Gathering
  • Maintaining Access
  • Password Attacks
  • Reporting Tools
  • Reverse Engineering
  • Sniffing & Spoofing
  • Stress Testing
  • Vulnerability Analysis
  • Wireless Attacks
  • Web Applications

If you are a fan of Linux, you will not be disappointed. I had installed its predecessor BackTrack a few years ago, and have been hooked since. Which tools are your favorites? Please leave your comments below.

Sunday, May 14, 2017

CYBR 650 Week 9 – Action Plan

As we progress through our threat models with the corresponding assignments, I have come to realize that we are only scratching the surface of threat modeling. The Harry and Mae's case study has so many unknown variables that would normally be addressed in a real environment, and consequently they get left out of the assignments. Some of the known variables are generic descriptions, and we have to make assumptions in order to give a proper analysis.

In any case, I feel threat modeling requires much more time to solicit information, document the environment, investigate specific threats and vulnerabilities, calculate the risks, provide more detailed recommendations, and identify metrics for defining success. As students (most of us with full-time jobs), we have limited time to completely cover all aspects, and I have noticed some scope shrinkage in order to demonstrate that we understand the basic concept of the assignments.

It seems that a comprehensive threat analysis would require a diverse team of security consultants working with the in-house network engineers, system admins, and project managers over a span of weeks to encompass everything that would benefit from a security makeover. As a result, I have a much deeper appreciation for the opportunity to learn this process, and for the experts who carry this out on a daily basis.

Sunday, April 30, 2017

CYBR 650 Week 7 – Threat Analysis

This week has been a bit of a challenge in class, as we apply our threat models to a case study. So far, we have created our own threat process models, identified credible sources to stay current, and analyzed the fictitious system in the case study.

Now we are in the threat analysis stage, which means that we have to use the resources we identified earlier in the process to enumerate the business assets, their vulnerabilities, and the threats and threat types that apply to them, and then assess the risk to the environment. While there are many ways to demonstrate the relationship between all four elements, a simple Venn diagram seems to illustrate this nicely:

While this assignment proved to be a lot of work researching the material, it was also probably the most rewarding. I was very impressed by the pot of gold I found in NIST's National Vulnerability Database by using just a few keywords that applied to the case study. However, this is only a repository for hardware, firmware, or software weaknesses. Since processes are usually unique to an organization, finding process vulnerabilities will require a supplemental assessment.

Saturday, April 22, 2017

CYBR 650 Week 6 – Women in IT Security

This week I had the privilege of attending the annual ICAN Women's Leadership Conference. The theme this year focused on women balancing work and life, which has been a decades-long struggle while we are still trying to break out of traditional gender roles.

Michael Kimmel, Professor of Sociology & Gender Studies at Stony Brook University, gave one of the most interesting keynote presentations on the main stage: The Gendered Society. He stated, "Research by Catalyst and others has shown conclusively that the more gender-equal companies are, the better it is for workers, the happier their labor force is. They have lower job turnover. They have lower levels of attrition. They have an easier time recruiting. They have higher rates of retention, higher job satisfaction, higher rates of productivity."

What does this mean for cybersecurity? Kimmel pondered why there are so few women at the top of STEM careers. His theory is that, due to the expectations placed on women within the home, many women are simply unable or unwilling to dedicate the time and effort it takes to advance in a male-dominated field. The statistics for women in cybersecurity are staggering:

So what needs to be done to level the playing field? Please leave your comments below.

You can also watch one of Professor Kimmel's recent presentations at: https://www.ted.com/talks/michael_kimmel_why_gender_equality_is_good_for_everyone_men_included