IT200 Journal Entries

An Introduction to Cyberthreats

Jalel Belaid

08-26-2019

In this module I learned that Cyber Security is not just a technological issue but also a social, cultural, personal, and business issue.  In this post I will be focusing on the Cyber Security tutorial for small business.  Cyber Security and Cyber Threats are essentially in an eternal game of cat and mouse.  As security finds a solution to one threat, cyber criminals change and adapt their attacks to circumvent it.  Essentially, a cyber attack is an attack on a computer or website that compromises the confidentiality, integrity, or availability (CIA) of the data stored on it.  The objectives of these attacks can be summarized by the following, “gaining unauthorized access to data […] denial of service attacks, […] viruses, […] unauthorized use of a computer system for processing or storing data, […] changes to the hardware, firmware, or software of a system without the owner’s knowledge, instructions, or consent, as well as inappropriate use of a system by current or former employees.”

            Threats can come in many different forms including, “APTs which are long term targeted attacks that break into a network in multiple phases, DDoS which intentionally overloads a server making it inaccessible for a time, Inside attacks by current or former disgruntled employees, malware that causes system damage, Password attacks which crack a user’s password in order to gain unauthorized access, and phishing attacks that seek to collect personal and sensitive information.”

            Ultimately, the user is the first line of defense in any business’s cyber security effort, and it is of paramount importance that a business have some cyber security infrastructure in place to mitigate the effects of an inevitable intrusion, usually in the form of a Security Incident Response Team (SIRT) and a Business Continuity Plan (BCP).

References:

Tutorial 2: Introduction to Cyberthreats. Retrieved from https://www.sbir.gov/tutorials/cyber-security/tutorial-2#

Defining Cyber Security

Jalel Belaid

09-08-2019

This article reinforces what I’ve learned in Modules 1 and 2. Cyber Security truly is an interdisciplinary study covering many industries and the definition of the term often depends on the context in which it is used. 

This article examines five aspects of Cyber Security in order to come up with a more comprehensive definition, “i) technological solutions, ii) events, iii) strategies, processes, and methods, iv) human engagement, and v) referent objects of security” (Craigen 2014).

I’ve always viewed Cyber Security through a technical lens, based on my course work, where I learned about incident response, intrusion detection and prevention.  This article helped me remember that although Cyber Security revolves around the techniques and technology to protect digital assets, there is also a human factor to this equation.

The authors of this article, through a variety of studies and research, arrived at the following definition, “Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights” (Craigen 2014).

This definition repositions cybersecurity as an interdisciplinary study instead of a strictly technical one.  It supports the inclusion of technological solutions, events, strategies, processes, and human engagement.  It also supports the transition to a more interconnected world via cyberspace.  Finally this definition emphasizes the importance of protection and security in light of intentional events, accidental events, and natural hazards. (Craigen 2014).

Source:

Craigen, D., Diakun-Thibault, N., & Purse, R. (2014, October 1). Defining Cybersecurity. Retrieved from https://timreview.ca/article/835

Protecting Businesses Using Technology

Jalel Belaid

09-28-2019

Cyber threats have become a dire concern for large and small businesses alike, and especially for small businesses, where even one security event could prove catastrophic.  Small businesses often find themselves in a dilemma, having to choose between the high cost of investing in a cyber security program and the inevitable risk of a disaster.  NISTIR 7621 Revision 1 defines cybersecurity as “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation” (Paulsen 2016).

Although it is costly in terms of labor and resources to build the necessary cyber security infrastructure, the dividends can be well worth the investment.  The first step is to identify what information the business stores and uses (Paulsen 2016).  The second step is to prioritize that information by its value to the business and the impact its loss, corruption, or unavailability would have.  The final step is putting in place systems and procedures that limit access to this information to only those who need it.  One of the best defenses against attacks is the principle of least privilege, where each user is allowed access only to the minimum of sensitive information required to carry out their duties, so that a single compromised account or careless employee exposes as little as possible.  As with any disaster response, training of personnel is a key ingredient in efficient recovery.  It is imperative for all employees to be educated in the basics of cyber security, such as avoiding suspicious links in emails, avoiding connecting to unsecured networks, and managing their passwords properly.  (Note that current NIST guidance in SP 800-63B no longer recommends forcing routine password changes; passwords should instead be changed when there is reason to believe they have been compromised.)

In an era where cyber threats pose a significant and constant danger to any business, the recovery phase of incident response is where the real benefit of a cyber security program shows.  Being able to restore core business functionality quickly lets a business limit the damage that downtime causes to its operations and clients.

Source: 

Paulsen, C., & Toth, P. (2016, November). Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1). Retrieved September 29, 2019, from https://doi.org/10.6028/NIST.IR.7621r1

Computer Security Incidents and Technology

Jalel Belaid

10-06-2019

As is often the case, prevention is the best cure, and this holds true for cybersecurity as well.  Preventing incidents is often far more cost effective than reacting to and recovering from them.  Incident prevention includes training staff in accordance with company security policies as well as putting in place proper controls to limit the risk of attack.

In the event of an attack, a company will have to communicate and share information with outside entities, “such as other incident response teams, law enforcement, the media, vendors, and victim organization” (NIST 800-61) and so the company should have pre-existing rules and guidelines to ensure only the appropriate people communicate appropriate information with the appropriate party.

NIST SP 800-61 Rev. 2 gives several guidelines and best practices for communication with outside entities.  For example, in the case of the media, an organization should “conduct training sessions on interacting with the media regarding incidents, which should include the importance of not revealing sensitive information, such as technical details of countermeasures that could assist other attackers, and the positive aspects of communicating important information to the public fully and effectively” (NIST 800-61).  In the case of law enforcement, NIST 800-61 suggests that “law enforcement should be contacted through designated individuals in a manner consistent with the requirements of the law and the organization’s procedures” (NIST 800-61).  Other outside parties that might be contacted during an incident include the organization’s ISP, in case assistance is required in blocking a major network-based attack or tracing its origin; software vendors, in case of suspicious activity or false positives generated by intrusion detection and prevention systems; and affected external parties such as the company’s users and clients.

Citations:

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). Computer Security Incident Handling Guide (NIST SP 800-61 Rev. 2). https://doi.org/10.6028/NIST.SP.800-61r2

Computer Behaviors and Cybersecurity

Jalel Belaid

10-13-2019

One of the longest running problems in the world of technology, and specifically in the field of cybersecurity, is password management.  If left up to the individual, passwords are usually created with convenience and not security in mind.  This presents a huge risk to organizations.  Passwords created for convenience are usually easy to guess or easy to crack with a little social engineering or a dictionary attack.  Conversely, passwords created with security in mind bring their own problems: users often forget them or resort to writing them down on paper, which introduces other risks such as shoulder surfing.  Although many solutions have been proposed to combat this conundrum, such as biometric and multi-factor authentication, none has provided a definitive answer to the authentication problem.

The FIDO Alliance is a group of organizations dedicated to solving this issue by creating a convenient and secure means of authentication.  They envision “an ecosystem of authentication, which extends across hardware, mobile and biometrics to access applications and websites” (Eide 2018).  FIDO intends to accomplish this using protocols based on standard public key cryptography.  “During registration […] the client device creates a new key pair. It retains the private key and registers the public key with the online service.  Authentication is done by the client device proving possession of the private key to the service by signing a challenge.  The client’s private keys can be used only after they are unlocked locally on the device of the user. The local unlock is done by a local user friendly and secure action such as a pin, finger swipe, or pressing a button” (fidoalliance.org).  Because the private key never leaves the device and the signed challenge is fresh for every login, a captured response is useless for replay, and because keys are registered per service and the client will only use them for that service, a phishing site cannot obtain a signature it can present to the real one.

Citations:

How FIDO Works – Standard Public Key Cryptography & User Privacy. (n.d.). Retrieved October 16, 2019, from https://fidoalliance.org/how-fido-works/.

Eide, N., Schwartz, S. A., & Hickey, A. (2018, April 23). 5 password management trends businesses need to know. Retrieved from https://www.ciodive.com/.

System Engineering & Cyber Technology

Jalel Belaid

10-27-2019

Although security and privacy are distinct principles, they are closely related.  NISTIR 8062 recommends separate leadership to manage privacy and security and notes that a coordinated approach does not always mean an identical approach.

“Systems engineering balances the often-conflicting design constraints of performance, cost, schedule, and effectiveness to optimize the solution while providing an acceptable level of risk” (NISTIR 8062).  Risk management is the key concept engineers use to develop a system that meets the requirements of stakeholders while minimizing negative outcomes.  The NIST Risk Management Framework, the ISO Privacy Framework, and the Organization for the Advancement of Structured Information Standards (OASIS) Privacy Management Reference Model all include sections on privacy risk assessment, but they do not provide specific guidance on how to actually assess risk.  Systems engineers should use both the Privacy Impact Assessment and the Fair Information Practice Principles when developing systems for clients.  This will not only help ensure that these systems follow federal laws and regulations regarding Personally Identifiable Information (PII) but also help organizations “determine the privacy risks associated with a system and evaluate ways to mitigate privacy risks” (NISTIR 8062).

According to NISTIR 8062, alongside the confidentiality, integrity, and availability security objectives, engineers must also build three privacy objectives into their system designs: predictability, enabling reliable assumptions by individuals, owners, and operators about PII and its processing by an information system; manageability, providing the capability for granular administration of PII, including alteration, deletion, and selective disclosure; and disassociability, enabling the processing of PII or events without association to individuals or devices beyond the operational requirements of the system.

Citations:

Brooks, S., Garcia, M., Lefkovitz, N., Lightman, S., & Nadeau, E. (2017, January). An Introduction to Privacy Engineering and Risk Management in Federal Systems (NISTIR 8062). https://doi.org/10.6028/NIST.IR.8062

Cybersecurity, Technology & Workplace Behavior

Jalel Belaid

11-03-2019

According to Routine Activity Theory (RAT), criminal activity typically requires three elements: a suitable target, a motivated offender, and the absence of a capable guardian (Collins 2011).  Situational Crime Prevention (SCP) is the practical application of Routine Activity Theory (Collins 2011).

Cyber technology has allowed workplace deviance to proliferate because of a perceived sense of anonymity.  According to Brian Payne, cyber technology has allowed an increase in white collar crime in the workplace.  The reason, according to Payne, is that while white collar criminals have evolved and incorporated cyber technology, from a legal perspective law enforcement still does not have a full understanding of the similarities, differences, and overlap between white collar crime and cybercrime.  Another reason for this disconnect is that “white collar cybercrime is not sufficiently reported due to reluctance or ignorance” (Payne 2018).

Disgruntled employees are the greatest threat to a computer’s security (Payne 2018).  Employees that feel slighted can tamper with computer systems, steal sensitive information, or expose passwords to do great harm to an organization.  

There are several steps that an organization can take to prevent cybercrimes from within.  First and arguably most importantly is employee education.  Informing employees of the rules of conduct, policies, and procedures for handling computer systems is a great way to minimize the threat of cybercrime.  Another step that can be taken is to introduce a system such that employees know the consequences of cybersecurity policy violations.  Such a system would increase the risk an employee faces for committing a cybercrime while at the same time reducing their incentives.

Citations:

Payne, B. K. (2018, January). Criminology, Criminal Justice, Law & Society. Retrieved November 2, 2019, from https://ccjls.scholasticahq.com/.

Collins, J. D., Sainato, V. A., & Khey, D. N. (2011). Organizational Data Breaches 2005-2010: Applying SCP to the Healthcare and Education Sectors. International Journal of Cyber Criminology, 5(1). Retrieved from http://www.cybercrimejournal.com/collinsetal2011ijcc.pdf

Cybercrime and Justice

Jalel Belaid

11-10-2019

Although there is a clear link between cybercrime and criminal justice, the pace at which criminal justice is incorporating cybersecurity principles appears to be shockingly slow, according to research conducted by Brian Payne and Lora Hadzhidimova.  The dawn of the computer age has accelerated the use of technology by professionals and individuals, but it has also created a new space for criminals, namely cybercrime.  From an academic perspective, Payne and Hadzhidimova report that less than 20% of criminal justice majors include cybersecurity as part of their required coursework.  The inverse is also true: less than 20% of cybersecurity programs have criminal justice material as part of their required coursework.  According to the research, one of the main issues is the preconceived notion that cybersecurity and cybercrime belong to the STEM fields, so criminal justice researchers, whose discipline has traditionally been seen as sociological, do not invest the required time and resources in them.  Another preconceived notion is that criminal justice researchers view cybercrimes as white collar crimes and so do not want to pursue such cases.

To remedy the situation, it is important to examine how cybersecurity and criminal justice both benefit from their joint application.  For instance, cybersecurity is applied to reinforce and harden computer systems against attack, while criminal justice focuses on “strategies to protect against victimization” (Payne 2019).  If a computer system is attacked, technology alone will not guarantee that the intruders are expelled, but applying criminology principles may help identify patterns in the attacks and thus bring the attack to an end faster, according to Payne and Hadzhidimova.  Another benefit of cooperation between criminal justice and cybersecurity is in the legal arena: research into cybercrime trends and their sentencing may allow criminal justice researchers to create and apply more effective laws.

Citations:

Payne, B., & Hadzhidimova, L. (2019). Cybersecurity and Criminal Justice: Exploring the Intersections. International Journal of Criminal Justice Sciences (in press).