IT/CYSE 200T

Free Write Week 2

Future Plans in Cybersecurity

    Cybersecurity is now, more than ever, playing an important role in society. It is important for students to understand that after graduation, there will be plenty of jobs out there that will need to be filled in this field of study. The New York Times stated that according to Cybersecurity Ventures, “an estimated 3.5 million cybersecurity jobs will be available but unfulfilled by 2021.” (Perhach) With that being said, it is important to look into the jobs that are being left unfulfilled and to understand what some of the standard requirements for these jobs are.

    To start, my main interests within cybersecurity involve penetration testing. Every professor I had a class with at TCC highly recommended that we participate in any available CTF events. This was to help brush up on our skills and allow us to learn new things. I have learned so much just by competing in the National Cyber League and also by finding free CTF challenges online, such as HackTheBox. There is always something new to learn in cybersecurity and that both excites and overwhelms me. I used Indeed.com and found three jobs within Hampton Roads that need to be filled. I have decided to choose one entry level job and two penetration testing applications.

    As a student, I fully understand that I will most likely not be able to immediately jump into a penetration testing job. This type of job requires years of experience. This will be my starting guideline on how I will successfully achieve my goal of becoming a penetration tester.

    To start, I found an entry level job as a cybersecurity analyst. The key responsibility for this position is to consolidate DIACAP packages into a single package. The duties and the required skills seem pretty basic. The duties include moving data from multiple Excel sheets into a single Excel file, moving multiple Visio diagrams into one single diagram, and moving data from multiple web forms into one single web form. This job is to transition from the DIACAP process into the RMF process. DIACAP, also known as the Department of Defense Information Assurance Certification & Accreditation Process, is “an attempt to standardize how information systems achieve confidentiality, integrity, and availability or how they manage and reduce risk.” (Galliani) To fulfill this job I will need to read up on and understand the DIACAP process. Not only do I need to understand it, I will also need to learn about its transition into the new RMF process.

    I decided to choose two penetration testing jobs as a way to compare and contrast what two different companies are looking for. There were more similarities than differences when comparing these jobs. Education requirements include a Bachelor’s degree in computer engineering or a field of similar study. They also give the chance to completely negate the degree requirement as long as you have a lot of experience within the field. Basic qualifications include: three or more years of experience in penetration testing, a basic understanding of Windows, Linux, and UNIX operating systems, experience with scripting languages such as Python or Ruby. They also require experience with offensive tools like Metasploit, Cobalt Strike and Burp Suite. Certified Ethical Hacker is a must and you will also need to have GIAC Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP), or the Offensive Security Certified Expert (OSCE). Another important qualification is the ability to obtain secret clearance.

    Currently, I am studying to take my Security+ soon and move up in roles at my current job in IT. By the time I graduate ODU, I will achieve my CEH and find an entry level job within the cybersecurity field. Participating in CTF events will allow me to maintain and expand my knowledge when it comes to programs such as Metasploit, Burp Suite and Wireshark. I will do my best to attempt a couple of challenges each month and build an arsenal of knowledge along the way. Out of everything I have listed, programming is probably what I fear the most. I have tried teaching myself Python through YouTube, but like everything else, the beginning is always the hardest part. By the time I graduate I will obtain basic knowledge of Python and continue to move forward in learning more about it. One thing I am looking forward to is the day that I can finally take the OSCP. My previous professors have all said that the OSCP will always add an extremely positive benefit to your career.

    For right now my end goal will always be penetration testing, but anything can happen in this field of study. I believe having an end goal is important as long as you have checkpoints along the way to achieve this goal. I think that taking my time will provide the best results because too much of something can leave me drained.

Works Cited

Galliani, J. (2017, April 27). Understanding the DIACAP Monster. Retrieved from https://www.seguetech.com/understanding-diacap-monster/ 

Morgan, S. (2019, November 19). Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs Globally By 2021. Retrieved from https://cybersecurityventures.com/jobs/ 

Perhach, P. (2018, November 7). The Mad Dash to Find a Cybersecurity Force. Retrieved from https://www.nytimes.com/2018/11/07/business/the-mad-dash-to-find-a-cybersecurity-force.html 

Applications from Indeed

https://careers-falconwood.icims.com/jobs/1083/entry-level-cyber-security-analyst/job

https://careers-fti-net.icims.com/jobs/1196/penetration-tester/job

https://careers.boozallen.com/jobs/JobDetail/Norfolk-Cyber-Penetration-Tester-Mid-R0034219/6302

Free Write Week 3

Cybersecurity Policies

    Now that our lives are being heavily reliant on technology, it is important for companies to have standard procedures set in place when it comes to security. Companies that handle sensitive information such as credit cards, medical records, or even social security numbers need to have a global standardized policy that needs to be followed.  

    Focusing heavily on training, educating and understanding how various technological devices work would be effective in warding off attacks. I would require that companies provide an active bi-monthly training course on identifying threats. Training courses would help educate people on how to identify any potential danger such as phishing. Phishing has become notorious in both small and big businesses. Depending on the size of the company, it is also important to set up a practice environment or even push certain security methods into a live environment. Hiring a team to send out phishing emails and collecting data on the percentage of people who clicked the link would be an effective training method. Sending out a weekly newsletter with a required quiz at the end would also help raise awareness of the dangers in the cyber world.

    Companies that have freely open doors also pose a risk of allowing someone to come in unannounced. Any company that handles data should put in place a reliable way of handling employee access and a screening process for all guests. Having employee badges that need to be scanned on entry would help with this process. If properly implemented, it would be important for employees to understand that when one badge is scanned, only one person can enter. Raising awareness of a social engineering technique called “Tailgating” would be important for this kind of physical security.

    I believe companies need to follow a standard procedure when it comes to cybersecurity. Punishment for breaches can be tricky, especially when a company is following a standard procedure to the dot. For example, a company has updated to the most recent Windows 10 update which is supposed to improve quality in security. After updating, the company falls victim to a zero day attack due to this specific update. It’s hard to determine whether or not the company needs to be fined or punished.

Free Write Week 4

Cyber Attacks on Military Defense Systems

Similar to the Stuxnet worm that took down nuclear facilities in Iran, I believe any malicious activity directed towards military infrastructure has the potential to be deadly. Malware that can cause a halt in military operations would affect a country as a whole, leaving its citizens with decreased morale as their tax dollars go to waste and also leaving the country vulnerable to attacks.

If ransomware were able to get into a country’s missile defense system, then the next step would be to quickly determine if the attacker was a non-state actor or a state actor. If it is a non-state actor, then the question of what they want or who they are working for comes into play. Payment demands could be a non-state actor’s true purpose; however, even after making the payment, you will not be guaranteed to receive the encryption key to the ransomware. This becomes a tough situation due to the payment coming from the citizens’ tax money. If you decide not to make the payment, then you leave your citizens vulnerable and will have to work quickly to restructure your defense systems. If news of the ransomware attack reached enemy countries, then that also becomes a problem, even if the original purpose of the ransomware was to obtain money.

If the attacker is a state actor, then there would be a high possibility of an incoming missile strike on the targeted country. By locking down a missile defense system you allow for missiles to exploit the sky freely.

Ransomware can be attached to any type of file. It is important to train employees on what to look out for while on the Internet or browsing emails. While cybersecurity has plenty of hardware to secure networks, one defense that is almost always guaranteed to be penetrable is human error.

Free Write Week 5

Interview Process

A face-to-face interview can be nerve-racking, but going in humble and confident of your skills is the best way to go. If I were in a situation where I was interviewing a potential employee for an information security position, these would be some of the first questions I would ask them.

Question 1

In a team environment it is important to understand everyone’s strengths and weaknesses. What are your strengths and weaknesses?

Reason

In cybersecurity it is extremely difficult to be strong in every part of the field. I want my employees to be comfortable and confident in their work. If they are an expert at setting up servers but lack in configuring routers then I can assign the right employees to work with them. I believe this is efficient and prevents any hiccups. Slowly their weakness becomes their strength as they are learning about the strengths of their coworkers.

Question 2

In past work environments, what is one thing, if any, you would have done differently to improve the security team?

Reason

I need to know how they express their opinions. Their thought process and reasoning are important. I don’t want employees who are scared to speak up if they don’t agree with how a process is being implemented. I’m not saying to start an argument; I just want them to express themselves because it shows their passion in their work.

Question 3

Do you have a lab setup at home to practice security skills?

Reason

This is a crucial question to ask. This field is always changing and developing. It is important to keep up with the changes and practice. A security feature that worked a year ago will not protect someone a year later. Keeping up with cyber news and new things such as IoT is important.

Question 4

When designing security infrastructure, what would your first steps be in applying a new security system?

Reason

While money is everything these days, I would like to know their first thoughts when beginning a new security project. Are they thinking of the money it will take to implement or are they thinking of the security/protection of the company requesting the security? In my opinion this is a tough question and I would expect a wide variety of answers here.

Question 5

Encryption can sometimes slow down the way that data is communicated to others. What type of data should be encrypted and what should be left unencrypted?

Reason

This would solely be based on the type of company I would be hiring for. I expect the answers to remain consistent in this question. If it is a hospital, I would expect answers such as protecting personal information and medical records.

Free Write Week 6

Create app that rates software.

Yacht GPS software that is secure.

Brake software that measures the efficiency of car brakes.

Elevator system that uses a badge to determine which floor you need to go to.

Real-time detection of malicious attacks. Anti-malware software.

Security system that requires badge access.

Encryption for credit cards.

Cash apps on cell phones. 

Urgent notification extension when visiting malicious sites.

Router with firewall capabilities.

Internet of Things devices used to start the car while not in it.

Ticketing system that takes payments from credit cards and then prints out a ticket.

Yearly budgeting software app for the phone.

    A small business that provides internet browser extensions that notify the user that they are visiting a malicious site. The extension will block them before entering the site but will also allow them to proceed at their own risk. We would also add a childproof system. If it is enabled, then before proceeding to the potentially malicious site a password will be required. This extension will also block any ads that are deemed malicious. The main purpose of this business would be to protect users from malicious sites. Our goals would include documenting and reporting malicious sites with frequent security updates. These security updates will give our customers some peace of mind when browsing the Internet. The childproof system will also give parents the peace of mind of not having to worry about their child navigating to a malicious site. This service would be a subscription-based service where customers can choose to pay by the month, every 3 months, or yearly. If a yearly subscription is purchased, then they would receive a 20% discount. This small business would start as a home project. This extension will grow by keeping it up to date and providing detailed guides on how to safely browse the Internet. Eventually, after enough work, it would slowly turn into a small business that will allow its employees to contribute more to its success.

Free Write Week 7

Lead By Example

As CEO of a company it is important to lead by example. Leading by example will encourage employees to follow suit especially when rewards are involved. Systems I would like to implement would be a point system where you earn points and can purchase gift cards with those points. Included in the point system would be a weekly phishing attempt email. The email would be different each time so employees can see different versions of phishing attempts through email. If they don’t click the link then they will receive points. If they do click the link then no points will be given. A sanction placed on this reward is the mandatory video that has to be shown if the user clicks the link. This helps educate the user on phishing attempts.

    A clean desk policy means that employees must keep computers locked when away from their desk, important documents must be kept tucked away or locked in a cabinet, and no notepads with passwords are to be placed on the desk. Rewards for the clean desk policy would be employee recognition. Sanctions for passwords found lying around would be immediate password changes. Documents with sensitive information left out in the open would be documented by the employer. This policy is important because it will recognize employees with a well-kept workspace and document those who leave their work lying around when away from the desk.

    Behaviors that encourage others to also work safely online would also be rewarded. Continuous encouragement and practice would be rewarded with extra PTO, while those who continue to work carelessly would continue to be watched more carefully.

Mid Term Project

Steps taken to create this video included sending out emails to each person who was assigned to the group. Once each individual responded, we all joined a group chat through text messaging where we all agreed to start a group chat on Skype to improve our communications. Over the course of two weeks we all did research on our assigned argument and posted links to articles within the Skype group. Once we agreed on the direction we wanted to take the argument, we organized articles that related to our direction and put them into a document. Romeo then volunteered to create the video.

Working with a team that is motivated to achieve their goals is very beneficial. The only hiccup we really encountered was setting up a time to discuss the argument. Once we understood each other’s schedules it was a piece of cake from there.

Free Write Week 8

Future Challenges of Cybersecurity

I believe that one of cybersecurity’s biggest challenges in the next 20 years is companies keeping their equipment up to date in terms of patches and frequent updates. An example of this would be Microsoft’s recent end to Windows 7 on January 14, 2020. Microsoft has stated that, “Windows 7 does not meet the requirements of modern technology, nor the high security requirements of IT departments.” (Kelly) Microsoft will stop posting any security patches or feature updates for this operating system, which will eventually force companies to upgrade to a Windows 10 machine. Failure to do so could potentially result in dangerous cyber attacks on a company.

    Microsoft gave a significant amount of advance notice about Windows 7 end of life. Companies who are still operating under Windows 7 and are hacked need to be held liable. If I were to walk into a bank or a doctor’s office and saw Windows 7 on any machine today, I would be extremely worried about my personal information. Not only that, but a very famous exploit called EternalBlue was also discovered within the Windows 7 operating system, leading me to believe that Windows 7 also has other major flaws within it. I believe the government needs to step in and create laws that demand proper security measures. Microsoft announced Windows 7 end of life would be January 14, 2020. If a hospital were to be hacked after this date on a machine that is still using Windows 7, then legal action needs to be taken. This could be fines or even an audit on security, maybe something similar to OSHA but on security.

Works Cited

Kelly, Gordon. “Microsoft Warns Windows 7 Is Dangerous To Use [Updated].” Forbes, Forbes Magazine, 19 Jan. 2017, www.forbes.com/sites/gordonkelly/2017/01/17/microsoft-windows-7-security-hardware-support-problems/#361bcc36ecdb.


Free Write Week 9

Virtual Private Networks

Virtual Private Networks (VPN) have plenty of advantages that I believe outweigh their disadvantages. With the ongoing pandemic of COVID-19, VPNs are now more relevant than ever. Advantages of using a VPN include: 

1) The ability to work from home. By connecting to your company’s VPN, you can securely access files that are stored on your company’s server. Right now companies who utilize VPNs are at an advantage due to the recent pandemic. This allows for their employees to work from home.

2) VPNs provide privacy when browsing. They are designed to hide your IP from outsiders. 

3) All data sent while connected to the VPN is encrypted. This means that if someone was using Wireshark to analyze traffic on the network they wouldn’t be able to determine what is being sent through the VPN.

4) Visiting other countries also means having to deal with their laws regarding what can be accessed on the Internet. By using a VPN you can bypass their filters and access websites that are blocked. China’s Great Firewall has sites such as Google or Facebook blocked. By using a VPN you can bypass their firewall rules and connect to these sites. 

5) Instead of having to transfer files from your workstation at work to your home computer/laptop, you can just set up a Remote Desktop Connection to your workstation. By using the VPN you can RDP into your computer and continue working from your workstation from home.

Disadvantages include:

  1. Although you can bypass a country’s firewall to access certain sites, chances are that using a VPN to bypass the firewall is illegal.
  2. Depending on how many employees a company has, if everyone is trying to connect to the network through a VPN this could lead to latency issues and put a heavy load on the network.
  3. While VPN companies ensure that your data is safely encrypted, they are also not invincible to hackers. There is a chance of data breaches like the recent NordVPN data breach. While major user data wasn’t stolen, their TLS encryption key was stolen. This allows for hackers to decrypt any encrypted data sent through NordVPN.
  4. Sending data through a VPN can slow down throughput because of the encryption process.
  5. Some companies offer VPN connections for free but in exchange they often store your data and use it to their advantage. They can either sell off the data or use it to their benefit.

Works Cited

Simmons, Jay. “NordVPN Data Breach 2019: What You Need to Know.” Arctic Wolf, 20 Mar. 2020, arcticwolf.com/resources/blog/nordvpn-data-breach-2019-what-you-need-to-know.


Free Write Week 10

Cyber Criminals

Offender: Stephen Watt, age 25, from New York

https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2012/03/15/wattSent.pdf

Offenders: Sergei Tsurikov, age 25, from Tallinn, Estonia; Viktor Pleshchuk, age 28, from St. Petersburg, Russia; Oleg Covelin, age 28, from Chisinau, Moldova; and one other person who could only be identified as “Hacker 3.”

https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2012/03/15/tsurikovIndict.pdf

Offenders: Kenneth Lowson, age 41, Kristofer Kirsch, age 37, from Los Angeles; Joel Stevenson, age 37, from Alameda, California

https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2012/03/15/kennethPlea.pdf

Offender: James Bragg, age 41, from Chandler, Arizona

https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2012/03/15/braggPlea.pdf

Offender: William J. Ederer, age 47, from Skokie, Illinois

https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2012/03/15/kebelPlea.pdf

Offender: Enrique Matinez, age 37 from Miami, Florida

https://www.justice.gov/usao-sdfl/pr/department-veterans-affairs-nurse-convicted-falsifying-medical-records-and-computer

Michael Holub, age 48, from Norfolk, Virginia

https://www.justice.gov/usao-edva/pr/norfolk-man-pleads-guilty-mail-and-computer-fraud-charges

Ryan Cauble, age 41, from Olathe, Kansas

https://www.justice.gov/usao-ks/pr/olathe-man-sentencedon-federal-computer-fraud-charge

Iurie Stratenco, age 26, from Moldova

https://www.justice.gov/usao-wdny/pr/moldovan-man-sentenced-wire-fraud-conspiracy

Audrey Elaine Elrod, age 45, from Bluefield, Virginia

https://www.justice.gov/usao-wdva/pr/bluefield-wva-resident-pleads-structuring-and-wire-fraud-charges

From the 10 cases I found, I noticed that the majority of wire fraud charges involved one individual, while fraud that involved credit cards and ATMs involved multiple people. Not only that, but I also noticed age differences. In the 10 cases, the offenders in cases that involved multiple people were younger than those in cases that involved only one person.

The noticeable differences are age differences: it appears that the younger criminals were working on long term goals in obtaining credit card information, while the older criminals were effectively using get-rich-quick schemes.

Free Write Week 11

Cyber War

Determining whether the interference in the 2016 presidential election was cyberwar can be a bit tricky by definition. There is no universal definition of cyberwar, meaning that the United States’ definition of cyberwar could be completely different from China’s definition of cyberwar. The Law of War Manual released by the Department of Defense in 2015 did not mention any definition of cyberwar. However, the Shanghai Cooperation Organization has defined a cyber attack as “mass psychological brainwashing to destabilize society and state, as well as to force the state to take decisions in the interest of an opposing party.” (Hathaway)

    Ethically speaking, both Twitter and Facebook should have been held accountable for allowing bot farms to spread false information. In 2019, Twitter CEO Jack Dorsey announced that Twitter would no longer allow political advertising on its platform, stating the following: “We’ve made the decision to stop all political advertising on Twitter globally. We believe political message reach should be earned, not bought.” Zuckerberg argued back saying that banning political ads is a means of censorship. In my opinion this isn’t about censorship. The real question is why bots were allowed to run rampant on both platforms, continuing to spread false information.

    The type of tactics the Russian troll farms used were to divide and rile up Americans. To determine cyberwar you would first have to determine if the act was a cyber attack. No damage was done to networks in terms of virus attacks, DDoS, or even shutting down of facilities such as power grid systems. The type of tactics the troll farms used are more like an early stage to cyberwar because they overloaded both Facebook and Twitter with bots.

Works Cited

Hathaway, Oona A., et al. “The Law of Cyber-Attack.” California Law Review, vol. 100, no. 4, 2012, pp. 817–885. JSTOR, www.jstor.org/stable/23249823.

Ivanova, Irina. “Twitter Announces Ban on All Political Ads.” CBS News, CBS Interactive, 31 Oct. 2019, www.cbsnews.com/news/twitter-political-ads-will-be-banned-ceo-jack-dorsey-announced-2019-10-31/.

Free Write Week 12

Cybersecurity Challenges in 2040

I believe the biggest challenge that cybersecurity will face in the future is the creation of global policies on handling cybercrime. Determining the best course of action on prosecuting the individual or group involved in a crime could be tough. This is because the attacker could be across the world, in another country, or even have the ability to spoof their location so they cannot be tracked. Not only that, but there is also the problem of determining whether or not this was a state actor or a non-state actor. What happens when a non-state actor from a foreign country takes down a government facility? What would be the proper procedures for the victim country to take in order to arrest the individuals involved?

    In order to overcome the challenge of accepting global policies, countries would have to be able to get together and agree to specific policies. Agreeing on how to handle non-state actors would most likely be easier than agreeing to terms on how to handle state actors. If cybercrime is done by a state actor, the country that the state actor resides in would likely not comply with handing over the hacker or accepting responsibility. This would increase tension between both parties involved.

    Implementing global policies would be a slow burn process and take years upon years to onboard all countries into an agreement. The evolution of cybercrime will continue to change at a rapid pace. This pace will not slow down so that countries can agree on how to handle attacks on foreign countries. 

Free Write Week 13

Social Engineering

In March of 2011 a hacker was able to successfully break into RSA Security. This successful break-in was done within a three stage operation that included multiple phishing attempts. Phishing is an easy manipulation tool to use, especially against those who aren’t trained to spot phishing attempts. What makes this phishing attempt so amusing is that the phishing emails he sent out were sent straight to the employees’ junk mail, meaning that the employee went into their junk mail and purposely opened the document containing the malware.

This phishing attempt would benefit other hackers as this shows that RSA employees are not well trained in spotting phishing attempts, especially when the employees occasionally browse their junk mail folder. The consequence of the employee opening the document was that the hacker was able to obtain multiple login credentials. Some of these credentials even allowed the hacker to gain access to other employees’ systems. After further exploration the hacker began transferring files out of RSA’s network. According to the New York Times, RSA was able to detect the attack while it was in progress and managed to stop it before more data was leaked.

The fact that an employee opened a document that was sent immediately to their junk mail folder without questioning it is worrisome. The best way to prevent this kind of behavior is to provide monthly training on spotting phishing attempts. It is not hard to hover over an email header and see that the email address that is in plain sight isn’t the actual email address. It is too easy to spoof an email address and this should be the first thing that is checked before opening an email.
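
The check described above, comparing the name a mail client shows with the address that actually sent the message, can be automated at a mail gateway or in a training lab. The following Python is an added example and not part of the original essay; the organisation name, the domains and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for a fictional organisation (not from the essay).
ORG_NAMES = ["Example Corp"]
ORG_DOMAINS = ["example.com"]

# Matches anything that looks like an email address inside a display name.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_of(address):
    """Return the lowercased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def in_domains(domain, domains):
    """True if domain equals, or is a subdomain of, any entry in domains."""
    return any(domain == d or domain.endswith("." + d) for d in domains)


def check_sender(raw_message, org_names, org_domains):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    if not address:
        return [("NO_SENDER", "From header is missing or unparseable")]
    sender_domain = domain_of(address)
    findings = []

    # 1. The visible name is itself an address, but not the one that sent the mail.
    for shown in ADDR_IN_TEXT.findall(display):
        if shown.lower() != address.lower():
            findings.append(("DISPLAY_ADDR_MISMATCH",
                             f"name shows {shown}, real sender is {address}"))

    # 2. The visible name claims the organisation, but the domain is not ours.
    claimed = [n for n in org_names if n.lower() in display.lower()]
    if claimed and not in_domains(sender_domain, org_domains):
        findings.append(("ORG_NAME_FOREIGN_DOMAIN",
                         f"name claims {claimed[0]}, sent from {sender_domain}"))

    # 3. Replies would go to a different domain than the one that sent the mail.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(("REPLY_TO_REDIRECT",
                         f"replies go to {reply_to}, not {sender_domain}"))
    return findings


# Constructed sample messages (headers only matter here).
SPOOFED_DISPLAY = (
    'From: "helpdesk@example.com" <alerts@mail-example.test>\n'
    "Subject: Password expires today\n\nOpen the attached form.\n"
)
LEGITIMATE = (
    "From: Example Corp IT <it@example.com>\n"
    "Subject: Maintenance window\n\nNo action needed.\n"
)
REDIRECTED = (
    "From: Example Corp Payroll <payroll@examp1e-payroll.test>\n"
    "Reply-To: collect@other.test\n"
    "Subject: Confirm your bank details\n\nReply with your account number.\n"
)

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_DISPLAY),
                       ("legitimate", LEGITIMATE),
                       ("redirected", REDIRECTED)]:
        results = check_sender(raw, ORG_NAMES, ORG_DOMAINS)
        print(label, "->", results or "no findings")
```

These are header heuristics for awareness training and triage; they complement, rather than replace, SPF, DKIM and DMARC validation on the receiving mail server.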

Works Cited

Richmond, Riva. “The RSA Hack: How They Did It.” The New York Times, The New York Times, 2 Apr. 2011, bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/.