Monday, March 20, 2017

CYBR 650 Week 2 - Credible Sources for Information Security

With any type of research, it is critical to have references in your arsenal to ensure the information is complete, accurate, and comes from a reputable source. Threat modeling is no different, and some of my favorites for reporting on threats, vulnerabilities, updates, and security news are listed below:

  1. SOPHOS’ nakedsecurity - http://nakedsecurity.sophos.com/ - I use this site a lot because it covers security for a variety of platforms, most notably Macs. I am a Mac user myself, and it is beneficial to have someone on the IT staff that can provide expertise in this area. Despite popular belief, Apple products are not immune to attacks, and this is one website that delivers great information for securing Apple devices. They also provide a section that focuses on vulnerabilities in general at http://nakedsecurity.sophos.com/category/security-threats/vulnerability/.
  2. TechTarget’s SearchSecurity - http://searchsecurity.techtarget.com/resources#parentTopic4 - TechTarget is a great news source for any topic related to IT, but SearchSecurity also includes an area specially designed for information security threats. It covers several types of threats, hacking tools and techniques, security awareness training, and more.
  3. SANS @Risk: The Consensus Security Alert - http://www.sans.org/newsletters/risk/ - This newsletter gives a synopsis of the top vulnerabilities each week, with a complete listing of all new vulnerabilities. While anyone can just browse the archives, subscribers also receive SANS Flash Alerts several times per year.
  4. Forbes - http://www.forbes.com/security/ - Forbes is not just a financial resource anymore. It has expanded its horizons to encompass technology. Security is listed as a sub-topic under technology, and the authors do a great job of keeping up with current security trends.
  5. NIST’s National Vulnerability Database - http://nvd.nist.gov/ - Last but not least, this website hosts the Vulnerability Search Engine to query common configuration enumeration (CCE) or common vulnerabilities and exposures (CVE) for any type of software contained in the database. It also has a repository of security checklists based on accepted standards for organizations to use as a benchmark for securing their own systems.


Additionally, CSO Online provides a one-stop-shop dashboard of valuable security tools and information, located at http://www.csoonline.com/article/2926005/techology-business/cso-online-daily-dashboard.html.

While all of these sources have a proven track record for reliability and trustworthiness, experts are not always going to agree. One course of action is to go with the majority for any conflicting information. More knowledgeable individuals can go a step further and use these resources to develop their own analysis.

Sunday, March 19, 2017

CYBR 650 Week 1 - Introduction

Welcome back! For my final class in the Master of Cybersecurity program, our task is to create our own threat process model using Visio to map it out. This blog will follow my efforts.

During some basic research on this topic, I came across Microsoft's SDL Threat Modeling Tool. It requires Visio to run, and it aids in analyzing threats for this particular endeavor. Since I need to have Visio installed anyway, and the SDL Threat Modeling Tool is free, my goal is to incorporate it into the assignments and post evaluations of the tool along the way.

For more information on how to use the SDL Threat Modeling tool, visit:
https://www.youtube.com/watch?v=iV2SAuTxIUc

To download this tool, visit:
https://www.microsoft.com/en-us/download/details.aspx?id=49168



Friday, July 27, 2012

The Risks of B.Y.O.D.

A new trend has been slowly emerging with the increased prevalence of smartphones and tablets in the market. Not only do they have enormous benefits for the corporate environment, but they have also become a staple in every household. As employees become accustomed to their own personal brand, they have come to expect to sync their devices with the corporate network in order to avoid juggling two separate devices. The practice of Bring Your Own Device (B.Y.O.D.) does bring additional benefits to the organization, but not without security risks.

Cisco Systems issued a survey that asked participants whether their employer allowed personal devices in the workplace, and 95% responded positively (Burt, 2012). Unfortunately, B.Y.O.D. also poses more challenges for IT. Administrators would have more devices to support, which means more devices to research for vulnerabilities, and more work to mitigate the likelihood and severity of threats to any corporate information stored, processed, or transmitted on the personal device.

The good news is that there are a few solutions to ease the burden. One is to install a virtual machine on each device, where the user would have separate personal and corporate computing mechanisms. They could securely connect to the corporate network, where the administrators would have more direct control, such as forced encryption and password complexity (Trumbo, 2012).

Mobilisafe also offers a commercial product known as Mobile Risk Management to aid administrators in their quest to align business strategy with IT objectives. According to Mobilisafe’s CEO Giri Sreenivas, the cloud-based solution “gives administrators real-time visibility of all such devices connecting to the network and assesses the risks involved with each one, from the level of security on the devices to whether the firmware has been upgraded to whether applications on them are malware or spyware.” (Burt, 2012) Where one technology digs a security hole, another is within reach to fill it.


References:

Burt, J. (2012, June 6). Mobilisafe Cloud Solution Assesses BYOD Risks to Businesses - Enterprise Networking - News & Reviews - eWeek.com. Technology News, Tech Product Reviews, Research and Enterprise Analysis - News & Reviews - eWeek.com. Retrieved July 27, 2012, from http://www.eweek.com/c/a/Enterprise-Networking/Mobilisafe-Cloud-Solution-Assess-BYOD-Risks-to-Businesses-194734/ 

Trumbo, J. (2012, March 16). What Can Be Done About Personal Devices In The Workplace? Cloud File Security. Retrieved July 27, 2012, from cloudfilesecurity.biz/2012/03/16/what-can-be-done-about-personal-devices-in-the-workplace/

Monday, November 14, 2011

Double Columnar Cipher Challenge



As one of my cybersecurity classes comes to an end, this will be my final blog. Most of my postings have covered Mac OS X security configurations or cryptology, both subjects being a great interest of mine. Other topics, such as National Cyber Security Awareness Month, just happened to coincide with the area I was studying. The Mac OS X source was myself, playing around with the features on my own MacBook. I incorporated other sources into the postings where applicable, and tried to use a variety.

I hope this blog will be useful to other students and security professionals by providing a clear understanding of the chosen topics and resources for more information.

Since the holidays are just around the corner, I thought I would put a little cheer in this finale. Not only will you learn how a double columnar cipher works, but I challenge you to crack my own code!

The first step is to pick two code words or phrases of the same length, and put each letter in its own column. Letter by letter, write out your message under the first code word/phrase, like this:

R E D M U S T A N G
D O N T F O R G E T
T O D R I N K Y O U
R O V A L T I N E R
A L P H I E X X X X

In this example, the first code phrase is RED MUSTANG, and the message is DON’T FORGET TO DRINK YOUR OVALTINE RALPHIE. The message is not long enough to cover all the cells, so X’s are used for padding.

Next, order the code word/phrase according to the alphabet – 1 for A, and so on. If you have duplicate letters, I suggest numbering them in the order of appearance in the code word/phrase. It should look like this:

7  3  2  5  10 8  9  1  6  4
R  E  D  M  U  S  T  A  N  G
D  O  N  T  F  O  R  G  E  T
T  O  D  R  I  N  K  Y  O  U
R  O  V  A  L  T  I  N  E  R
A  L  P  H  I  E  X  X  X  X

Starting with the column under #1, read the letters down the column and string them into blocks of 5 letters, continuing on to the column under the next number as needed (do not count the code word/phrase, just the message). This makes the first ciphertext, which is GYNXN DVPOO OLTUR XTRAH EOEXD TRAON TERKI XFILI.

The first ciphertext is used to fill the cells under the next code word, NIGHT MOVES:

6  4  2  3  9  5  7  10 1  8
N  I  G  H  T  M  O  V  E  S
G  Y  N  X  N  D  V  P  O  O
O  L  T  U  R  X  T  R  A  H
E  O  E  X  D  T  R  A  O  N
T  E  R  K  I  X  F  I  L  I

To generate the final ciphertext, perform the same operation in the example above, with letters in blocks of 5: OAOLN TERXU XKYLO EDXTX GOETV TRFOH NINRD IPRAI. To decrypt, the operation is performed backwards, starting with this final ciphertext. If you know the code word/phrase, start by ordering the letters into numbers and place the first block of 5 letters into column #1, moving on to the next column. Once you have the cells filled in, do the same using the first code word/phrase.
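The whole procedure above as runnable Python, covering both encryption and decryption. This is an added example, not code from the original post: the function names are my own, and it assumes letters-only messages, X padding, and two code phrases of the same length as the post specifies.

```python
import re

def column_order(key):
    """Column indices in read-off order: alphabetical, ties by first appearance."""
    letters = [c for c in key.upper() if c.isalpha()]
    return sorted(range(len(letters)), key=lambda i: letters[i])  # stable sort

def key_numbers(key):  # the number written above each key letter (1 = read first)
    ranks = [0] * len(column_order(key))
    for rank, col in enumerate(column_order(key), start=1):
        ranks[col] = rank
    return ranks

def _letters(text):
    return re.sub(r"[^A-Z]", "", text.upper())

def encrypt_once(text, key, pad="X"):
    order = column_order(key)
    n = len(order)
    letters = _letters(text)
    letters += pad * (-len(letters) % n)          # fill out the last row
    rows = [letters[i:i + n] for i in range(0, len(letters), n)]
    return "".join(row[col] for col in order for row in rows)

def decrypt_once(cipher, key):
    order = column_order(key)
    n = len(order)
    letters = _letters(cipher)
    if len(letters) % n:
        raise ValueError("ciphertext does not fill the grid for this key")
    depth = len(letters) // n                     # letters per column (4 in the example)
    columns = [""] * n
    for rank, col in enumerate(order):            # column #1 gets the first `depth` letters
        columns[col] = letters[rank * depth:(rank + 1) * depth]
    return "".join(columns[col][r] for r in range(depth) for col in range(n))

def blocks(text, size=5):
    return " ".join(text[i:i + size] for i in range(0, len(text), size))

def double_encrypt(message, key1, key2):
    return blocks(encrypt_once(encrypt_once(message, key1), key2))

def double_decrypt(cipher, key1, key2):
    return decrypt_once(decrypt_once(cipher, key2), key1)

if __name__ == "__main__":
    keys = ("RED MUSTANG", "NIGHT MOVES")
    ct = double_encrypt("DON'T FORGET TO DRINK YOUR OVALTINE RALPHIE", *keys)
    print(ct, double_decrypt(ct, *keys), sep="\n")
```

The padding X's stay on the end of the recovered plaintext, since a transposition cipher carries no record of the original message length.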

Now that you have learned how to compose a double columnar cipher, I have two code phrases for you. The first is APPLE CIDER, and the second is SANTA CLAUS. The final ciphertext is NSAPO VHAAE AHFYA IEDHP YAANS ODSEL.

Happy Holidays!

Friday, November 11, 2011

Kids and Information Security

When most people think about protecting their kids, it's usually from bullies on the playground, accidents, and illness. In the past few decades, it extended to censoring their exposure to graphic media such as TV, movies, and music. In today's world, kids are very technology-savvy, yet they know little about the consequences of using it inappropriately. That's where we need to step up as parents and offer our guidance, establish rules, and enforce our restrictions.

When it comes to kids, I feel that some level of censorship should be implemented, depending on their age level. As they get older, it will be increasingly difficult to shield them from every danger, so it is our job to talk to them about what they might encounter, and how to handle it. Why should information security be any different? With the increasing prevalence of online predators, cyberbullies, and malicious content disguised as legitimate offers, your kids and devices are at stake.

At the same time, we all know that kids do the exact opposite of what we want them to do, so some controls will help keep them on track. Installing a pop-up blocker or web filter on your browser is an obvious choice, but if you have read my previous blogs, you know that I advocate features built in to Mac OS X. One feature that addresses this topic is the Parental Controls under Accounts in System Preferences:


With this feature, you can manage areas such as System, Content, Mail & iChat, Time Limits, and Logs:


This example uses the default guest account, but you can set up several accounts and tweak the controls to suit the level of permission for each. Not only does this protect your children from the evil forces that be, but it also prevents other users from accessing sensitive information or modifying controls set by the administrator.

While this is a great way to keep tabs on what your kids are involved in, they still need to know the rules set by your family. Do they know what your expectations are and the risks of deviating from those expectations? Do they know what dangers to look for and how to avoid them? Keeping your kids educated is the best prevention. You will not be able to hold their hand forever.

Saturday, November 5, 2011

Firewall for OSX Leopard (10.5)

How many of you knew that a MacBook comes with a built-in firewall? Well, it does, and now is the time to take advantage of it.

To configure this firewall, you will need to open System Preferences and click on the Security icon. The Security menu has three tabs: General, FileVault, and Firewall. Select the Firewall tab, which should look like this:


Three radio buttons appear in the box:

Allow all incoming connections - stops the firewall from running
Allow only essential services - blocks any service from making a connection
Set access for specific services and applications - allows the user to set permissions for trusted connections

The last one is probably the best choice for an average user. The + and - box will let you choose which applications are allowed to make connections. Once you activate the firewall, the Advanced button becomes available. Clicking on it will bring up a submenu:


I recommend checking both Enable Firewall Logging and Enable Stealth Mode. A great way to see if the Enable Stealth Mode option is working is to visit the ShieldsUP! website. From the Home page, click on the Proceed button, and choose All Service Ports. A quick run of my ports aced the test:


This configuration should be done with administrator privileges to avoid any changes being made, and don't forget to click the Lock icon when you are done!



*Answers to last week’s quiz:
1)d 2)b 3)c 4)d 5)b

Tuesday, October 25, 2011

Take the quiz: Information Security in the Media

Information security is not a new trend. It has masqueraded for ages as a form of entertainment. In celebration of National Cyber Security Awareness Month, I have dug up some fun facts for your own amusement. Go ahead and test your knowledge!



1. Which famous author used a polyphonic substitution cipher in one of his or her short stories?

a. Edgar Allan Poe
b. Washington Irving
c. Stephen King
d. Virginia Woolf


2. What type of cipher did Ralphie use on his Code-O-Graph in A Christmas Story?

a. Transposition cipher
b. Simple cipher
c. Block cipher
d. Stream cipher


3. In 2001, a movie about hackers gaining access to a government slush fund in a counter-terrorism scheme hit the box office. The movie was named for a famously used password. What is the name of the movie/password?

a. Antitrust
b. Hackers
c. Swordfish
d. Takedown


4. Who was the famous hacker that went by the code name c0mrade?

a. Kevin Mitnick
b. Adrian Lamo
c. Kevin Poulsen
d. Jonathan James


5. What breakfast cereal contributed to the popularity of phone phreaking in the 1990’s because the toy whistle inside the box was tuned to the frequency of most AT&T phones?

a. Fruity Pebbles
b. Cap’n Crunch
c. Golden Grahams
d. Frosted Flakes


*Answers will appear in next week’s blog. Happy hunting!