Sunday, April 30, 2017

CYBR 650 Week 7 – Threat Analysis

This week has been a bit of a challenge in class, as we apply our threat models to a case study. So far, we have created our own threat process models, identified credible sources to stay current, and analyzed the fictitious system in the case study.

Now we are in the threat analysis stage, which means that we have to use the resources we identified earlier in the process to enumerate the business assets, their vulnerabilities, the threats and threat types that bear on them, and assess the risk to the environment. While there are many ways to demonstrate the relationship between all four elements, a simple Venn diagram seems to illustrate this nicely:

While this assignment proved to be a lot of work researching the material, it was also probably the most rewarding. I was very impressed by the pot of gold I found in NIST's National Vulnerability Database by using just a few keywords that applied to the case study. However, this is only a repository for hardware, firmware, or software weaknesses. Since processes are usually unique to an organization, finding process vulnerabilities will require a supplemental assessment. 
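To make the four elements concrete, here is a small added example (my own illustration, not part of the course case study): a risk register in which a risk exists only where an asset, one of its vulnerabilities, and a threat able to exploit that vulnerability intersect, scored as likelihood × exploitability × business impact. It also shows the two vulnerability sources the post contrasts: a constructed NVD API 2.0 style record for software weaknesses, and a hand-entered process weakness from a supplemental assessment. Every asset name, threat, CVE-style id and number below is a constructed placeholder.

```python
"""Added example: a minimal threat-analysis register (assets x vulnerabilities x threats -> risk).
All identifiers and scores are constructed placeholders, not values from the case study."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    impact: int          # 1..5 business impact if the asset is compromised (constructed)


@dataclass
class Vulnerability:
    vid: str             # CVE-style id from NVD, or an internal id for a process weakness
    asset: str           # asset the weakness is attached to
    weakness: str        # weakness class a threat can act on
    source: str          # "nvd" (hardware/firmware/software) or "process-assessment"
    exploitability: float  # 0..1, here derived from CVSS base score or estimated


@dataclass
class Threat:
    name: str
    threat_type: str     # e.g. "external", "insider", "environmental"
    exploits: set        # weakness classes this threat is able to exploit
    likelihood: float    # 0..1 chance the threat acts in the assessment period


def parse_nvd_records(payload, asset):
    """Map a response shaped like the NVD API 2.0 'vulnerabilities' list onto records.
    CVSS v3.1 base score (0..10) is scaled to a 0..1 exploitability estimate."""
    records = []
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        base = metrics[0]["cvssData"]["baseScore"] if metrics else 5.0  # default when unscored
        records.append(Vulnerability(cve["id"], asset, "unpatched-software", "nvd", base / 10.0))
    return records


def build_risk_register(assets, vulns, threats):
    """Cross asset, vulnerability and threat; keep only intersections and rank by risk."""
    impact_of = {a.name: a.impact for a in assets}
    register = []
    for v in vulns:
        for t in threats:
            if v.weakness not in t.exploits:
                continue  # no intersection: the threat cannot use this weakness
            score = round(t.likelihood * v.exploitability * impact_of[v.asset], 2)
            register.append({"asset": v.asset, "vulnerability": v.vid, "source": v.source,
                             "threat": t.name, "type": t.threat_type, "risk": score})
    return sorted(register, key=lambda r: r["risk"], reverse=True)


# --- constructed sample input ---------------------------------------------
ASSETS = [Asset("order-db-server", 5), Asset("hr-workstation", 2)]

# Constructed stand-in for a keyword search result from the NVD API (placeholder id).
NVD_SAMPLE = {"vulnerabilities": [{"cve": {
    "id": "CVE-0000-00001",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
}}]}

VULNS = parse_nvd_records(NVD_SAMPLE, "order-db-server") + [
    # Process weaknesses do not appear in NVD; they come from the supplemental assessment.
    Vulnerability("PROC-01", "order-db-server", "no-offsite-backup", "process-assessment", 0.6),
    Vulnerability("PROC-02", "hr-workstation", "no-mfa", "process-assessment", 0.5),
]

THREATS = [
    Threat("ransomware crew", "external", {"unpatched-software", "no-offsite-backup"}, 0.7),
    Threat("disgruntled admin", "insider", {"no-mfa"}, 0.2),
    Threat("flood", "environmental", {"no-offsite-backup"}, 0.1),
]


def example_register():
    return build_risk_register(ASSETS, VULNS, THREATS)


if __name__ == "__main__":
    for row in example_register():
        print(f"{row['risk']:5.2f}  {row['asset']:16} {row['vulnerability']:14} {row['threat']} ({row['type']})")
```

The intersection test (`v.weakness not in t.exploits`) is what the Venn diagram expresses: a threat with no matching weakness, or a weakness on an asset nobody targets, produces no row at all, and the process-assessment rows sit in the same register as the NVD-sourced ones so they can be ranked together.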

Saturday, April 22, 2017

CYBR 650 Week 6 – Women in IT Security

This week I had the privilege of attending the annual ICAN Women's Leadership Conference. The theme this year focused on women balancing work and life, which has been a decades-long struggle while we are still trying to break out of traditional gender roles.

Michael Kimmel, Professor of Sociology & Gender Studies at Stony Brook University, gave one of the most interesting key note presentations on the main stage: The Gendered Society. He stated, "Research by Catalyst and others has shown conclusively that the more gender-equal companies are, the better it is for workers, the happier their labor force is. They have lower job turnover. They have lower levels of attrition. They have an easier time recruiting. They have higher rates of retention, higher job satisfaction, higher rates of productivity."

What does this mean for cybersecurity? Kimmel pondered why there are so few women at the top of STEM careers. His theory is that due to the expectations placed on women within the home, many women are simply unable or unwilling to dedicate the time and effort it takes to advance in a male dominated field. The statistics for women in cybersecurity are staggering:

So what needs to be done to level the playing field? Please leave your comments below.

You can also watch one of Professor Kimmel's recent presentations at: https://www.ted.com/talks/michael_kimmel_why_gender_equality_is_good_for_everyone_men_included

Friday, April 14, 2017

CYBR 650 Week 5 - TechJunction 2016

I recently had the opportunity to be on the advisory committee for TechJunction 2016, a technology conference geared towards security and server management. It is hosted annually right here in the heartland of America, and the best part is that it's free to attend! Here are some of the highlights:

Passwords Suck: A Platform Approach To Securing Enterprise Identities 
Presented by: Centrify

This presentation advocated single sign-on software. Statistics for password theft show that 63% of breaches were due to compromised accounts.

Ransomware: All Locked Up With No Place To Go 
Presented by: Kaspersky Lab

Kaspersky Lab outlined how businesses can protect themselves against ransomware through backups, updates, and anti-virus programs. Kaspersky offers System Watcher and Automatic Exploit Prevention as security tools to protect against ransomware. Current statistics on ransomware are available in Verizon's 2016 Data Breach Investigations Report - see below for the link.

Defending Against Modern Malware
Presented by: WatchGuard Technologies, Inc.

WatchGuard delivered a sobering speech about modern malware. They stated that modern malware is moving from signatures to binary patterns. Ransomware, for example, demands payment in bitcoin, which is almost impossible to trace. They also identified three different cyber attacker profiles: Hacktivist, Cyber Criminal, and Nation State. The good news is there are websites that monitor attacks and breaches (see Other Websites section below), and WatchGuard has designed a solution to break the Cyber Kill Chain (see their PDF presentation below).

Why Do You Need DR? 
Presented by: Zerto, Inc.

Zerto started the presentation by pointing out that disasters are both natural and operational. Disaster recovery planning should include backup, redundancy, impact/urgency considerations, and should turn a disaster into a non-event.

Innovation Matters 
Presented by: SimpliVity

Simplivity defined innovation as a means to improve on a service based on current needs. They used Netflix as an example of how they capitalized on Blockbuster's current movie rental service by catering to current and future business trends, and changing the way the service is delivered.

Hyperconvergence is today's way of innovating by combining several functions into one delivery method. An example of hyperconvergence is how phones evolved from just a device to make calls, to smart phones, which can browse the web, track fitness goals, display the current weather, and so much more. Hyperconvergence allows us to virtualize server, data, and network resources to optimize delivery and reduce duplication.

Keynote Presentation: Surviving Security Groundhog Day 
Presented by Ron Woerner • Director & Professor, Cybersecurity Studies at Bellevue University 

This speaker deserves special accolades, as he has been the driving force behind my pursuit of a Master's degree in Cybersecurity. Prof. Woerner indicated that technology has advanced to IoT (Internet of Things), but security isn't getting any better. Humans are still the weakest link, and complacency is a big culprit. He reassured the attendees that security never has to be 100%, just good enough, but you need to have an iron-clad contract for cloud services to be secure. His motto: If you SEE something, SAY something!

Thanks for all you do, Coach.


Resources 

Verizon 2016 Data Breach Investigations Report
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ 

IT Policy Compliance for Dummies
https://www.qualys.com/dummy-pc 

PCI Compliance for Dummies
https://www.qualys.com/dummy-pci 

Web Application Security for Dummies
https://www.qualys.com/dummy-was 

Vulnerability Management for Dummies
https://www.qualys.com/dummy-vm

Other Websites: 

Data Visualizations (Ex: data breaches)
http://www.informationisbeautiful.net/ 

Malc0de Database - an updated database of domains hosting malicious executables
http://malc0de.com/database/ 

Norse - an interactive map of attacks
http://map.norsecorp.com/ 

WatchGuard Presentation
http://schd.ws/hosted_files/trivalentgroupsolutionsexpo2015/5b/WatchGuard-%20Defending%20against%20Modern%20Day%20Malware.pdf 

Sunday, April 9, 2017

CYBR 650 Week 4 - Attack Trees

Attack Trees

Attack trees appeared in the 1990s as an attacker-centric approach to analyzing the security of systems. Usually drawn as a flow chart (in Visio, for example), an attack tree diagrams the possible attacks against a target. The parent node represents the goal, while child nodes break out the various methods to achieve the goal, as illustrated in this example:

Introduced by Bruce Schneier, attack trees can also assign values, such as difficulty, cost, intrusiveness, legality, or just about any other metric that might tell a security story. For example, if the method to achieve the goal costs more than the goal itself, the attack becomes less likely. Security teams can use this information to make recommendations and implement controls as necessary.

This type of threat modeling may seem time-consuming and at odds with the software-centric approach of Microsoft's Security Development Lifecycle, but it has some versatility. Once the attack tree is fully grown, it can be linked to other trees so analysts or developers can see the forest. And according to Schneier, “If you're a computer-security expert, you don't have to know the details about how difficult a particular model of safe is to crack; you just need to know the values of the root node.” 
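As an added example (my own code, not Schneier's and not from the course material), here is how the node values propagate: leaves carry a cost, an OR node is worth its cheapest child, an AND node is worth the sum of its children, so the root value is the cost of the cheapest known attack, which is exactly the number the quote above says the expert needs. The tree shape follows the "open safe" illustration in Schneier's article; the dollar figures are constructed placeholders. The "Learn combo" subtree is built as its own object and then attached to the root, mirroring the point that a finished tree can be linked into another one.

```python
"""Added example: cost propagation over an attack tree (leaf costs are constructed)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    label: str
    kind: str = "leaf"            # "leaf", "or" or "and"
    cost: Optional[int] = None    # leaf cost in dollars (constructed values below)
    children: List["Node"] = field(default_factory=list)


def leaf(label, cost):
    return Node(label, "leaf", cost)


def value(node):
    """Root-node value: OR takes the cheapest child, AND sums its children."""
    if node.kind == "leaf":
        return node.cost
    vals = [value(c) for c in node.children]
    return min(vals) if node.kind == "or" else sum(vals)


def cheapest_path(node):
    """Leaf labels that make up the cheapest attack on this node."""
    if node.kind == "leaf":
        return [node.label]
    if node.kind == "and":
        return [step for c in node.children for step in cheapest_path(c)]
    return cheapest_path(min(node.children, key=value))


def scenarios(node):
    """Every complete attack as (tuple of leaf labels, total cost).
    OR nodes union their children's scenarios; AND nodes combine them pairwise."""
    if node.kind == "leaf":
        return [((node.label,), node.cost)]
    if node.kind == "or":
        return [s for c in node.children for s in scenarios(c)]
    combos = [((), 0)]
    for c in node.children:
        combos = [(labels + more, cost + extra)
                  for labels, cost in combos for more, extra in scenarios(c)]
    return combos


def affordable(node, budget):
    """Scenarios an adversary with `budget` could carry out; used to pick controls."""
    return [s for s in scenarios(node) if s[1] <= budget]


# --- constructed tree (shape after Schneier's open-safe example; costs are placeholders)
LEARN_COMBO = Node("Learn combo", "or", children=[
    leaf("Find written combo", 75_000),
    Node("Get combo from target", "or", children=[
        leaf("Threaten", 60_000),
        leaf("Blackmail", 100_000),
        Node("Eavesdrop", "and", children=[          # both steps are required
            leaf("Listen to conversation", 20_000),
            leaf("Get target to state combo", 40_000),
        ]),
        leaf("Bribe", 20_000),
    ]),
])

OPEN_SAFE = Node("Open safe", "or", children=[
    leaf("Pick lock", 30_000),
    LEARN_COMBO,                                     # subtree linked into this tree
    leaf("Cut open safe", 10_000),
    leaf("Install improperly", 100_000),
])


if __name__ == "__main__":
    print("root value:", value(OPEN_SAFE))                 # cheapest attack cost
    print("cheapest path:", cheapest_path(OPEN_SAFE))
    for labels, cost in affordable(OPEN_SAFE, 50_000):
        print(f"  ${cost:>7,}  " + " + ".join(labels))
```

Swapping the cost metric for difficulty, intrusiveness or a boolean such as legality only changes the combining rules in `value` (for a boolean "possible/impossible", OR becomes any() and AND becomes all()); the tree and the propagation stay the same, which is what makes the values at the root the only thing a reviewer has to read.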

What do you think? Is this approach outdated or still useful? Please post your comments below.

Reference

Schneier, B. (1999, December 1). Attack Trees. Retrieved April 09, 2017, from http://www.drdobbs.com/attack-trees/184411129