Week 1 – Journal Entry – NICE Framework

Looking over and being able to read more about the NICE Workforce Framework is rather interesting. While it does not necessarily come as a surprise to me that a framework exists, it is, however, the first time I have seen a framework that aims to help standardize the type of roles and duties of those in the cybersecurity field. It even goes to show just how broad the cybersecurity field actually is, with roles varying from management and oversight, all the way down to the help-desk worker that provides technical support to the end user.

Oversight and governance roles, admittedly, are not very attractive to me. I do find it important that there needs to be strong leadership to oversee their respective domains, but I have never considered myself the “management” type. I have always had the preference of getting my hands dirty and working directly with the people and systems when it relates to my work. I strongly prefer to perform, rather than direct others to do the same. I have always felt this has given me better insight into exactly what our customers are experiencing firsthand, allowing the possibility to better refine our documentation, policies, and workflow if there happens to be an item requiring improvement on our end.

My current role in cybersecurity fits into three separate categories: Design/Development, Implementation/Operation and Protection/Defense. My current job title is Cybersecurity Analyst, but in the NICE Workforce Framework, the two separate roles that closely define my duties are Systems Testing and Evaluation and Vulnerability Analysis. Some of my main responsibilities include vulnerability assessments and using those assessments to best guide some of our clients to better improve their cybersecurity posture. Or, more commonly, to implement these changes ourselves. Occasionally, I’ll travel to a site and perform a test on all the patches and configuration changes on a live network that we are looking at implementing before a full deployment. This field of work is not my career goal of penetration testing, but it does allow me to get my hands dirty directly with different systems.

Week 15 – Journal Entry – Digital Forensics and Social Sciences

When I think of anything cybersecurity, I typically do not immediately think about any social sciences. I’ve been spending more of my free time practicing network penetration testing in an effort to assist in guiding a few friends towards earning their OSCP, and it’s easy to have an almost straightforward, almost completely technical approach to the challenge. Watching this video, however, is a good reminder that it’s not always about the computers.

The big standout, early on, was exactly how much the legal realm interacts with the world of digital forensics. It’s not enough to simply find evidence. Understanding how that evidence can be lawfully collected, preserved, and presented is critical. Without considering the legal and procedural aspects, even the most technically sound work can be rendered useless, or worse, inadmissible, in a real-world investigation. This really highlights the importance of taking a more interdisciplinary approach to cybersecurity. Technical skill is essential, but without an understanding of the legal, ethical, and social frameworks that surround it, that skill can only go so far by itself.

Week 13 – Journal Entry – Oops, That’s Illegal

Using Other People’s Internet Networks
Some people feel this one is rather victimless, but I don’t agree with that statement. If I paid for a service, I expect to receive that full service. Using another person’s internet cuts into their bandwidth. If I paid for 1Gbps, but find out I’m only getting half because someone else decides they’ll stream 4k on my dime, I’d be rather upset. Stop stealing my bandwidth. Especially if it’s metered. If someone was allotted a set amount, you just stole from that allotment. I find that no different than physically stealing an object from another individual.

Collecting Information About People Younger Than 13
I think COPPA sums this one up as to why. It definitely fits the “harmless, but illegal” category. Arguably, it is not harmless when you consider that the minor either does not know the information is being collected, or does not understand the ramifications of how the information may be used.

Bullying and Trolling
More so the bullying than trolling. Trolling I equate to either just being annoying or obnoxious. Bullying, however, I view in the same light as harassment. The internet and social media have made it easier for people to bully one another online. With the perceived anonymity, some individuals are considerably more aggressive with bullying than they probably would be otherwise.

Using Unofficial Streaming Services
This one kind of could be lumped together with the copyrighted images below. It’s taking potential revenue from not just the larger companies, but everyone involved with the show/event being streamed on that platform. I see this a lot in the wrestling business, actually, and it’s rather odd. Many people will publicly ask for a good stream-link for certain events, especially if someone they may personally know is booked on said show. But the moment it’s them on the show and someone asks for a link, “you’re taking food off my table!” Ironic.

Using Copyrighted Images
This is one I’ve had some experience with from my wrestling days. I always carried my own camera equipment to the shows I was booked for. I would have no problem providing a promo photo or two to the promotion for their advertising needs, specifically posters. However, it’s always a hard-no when they want to use my photos for anything else. The photos I had taken would be used for my own merchandise to sell at the shows. I absolutely would not permit a promotion to use any of my personal photos so they could do the same. It cuts into my livelihood.

Week 12 – Journal Entry – Reaction

The article Hacking for Good: Leveraging HackerOne data to develop an economic model of Bug Bounties looks into the use of bug bounty programs as a cost-effective approach to cybersecurity, leveraging freelance ethical hackers and cyber researchers to identify and report vulnerabilities in exchange for financial reward. It is mentioned that small and medium enterprises have difficulty with recruiting workers, with major companies spending large amounts of money on cybersecurity. By utilizing a gig economy, entities that may have struggled to hire professionals can better afford to mitigate risks and vulnerabilities. Interestingly, research has found that hackers participating in the programs are not financially motivated, as some may wish to gain experience or reputation, indicating that even with smaller bounties being rewarded, smaller companies can still benefit from the program.

Week 12 – Journal Entry – Breach and Theories

Reading over the sample breach notification letter, a couple different economic and social theories come to mind.

For economic theories, the first that comes to mind is the Rational Choice Theory. Beginning with the customers, they have to immediately make some choices in response to the breach. As their payment information has been compromised, they must now decide if they need to cancel their cards or possibly monitor their credit for potential identity theft. The company, in response to the breach, has enlisted the services of a third-party cybersecurity company for the removal of malware and to help secure their data. These choices are made with those entities’ best interests in mind. The Laissez-Faire Theory stands out to me as well. The breach had been undetected for nearly a year, leading me to question what regulation or guideline/framework, if any, such as PCI-DSS, was in place. While PCI-DSS is not government-run, regular audits, particularly those performed by a third party, may have detected the breach sooner.

One of the first things that comes to my mind, particularly when a breach occurs, is whether this was the result of social engineering, or an insider threat looking to benefit from their actions. While it is not specifically stated how the breach occurred, other than being blamed on malware, it leads me to believe that it would have been the result of social engineering between the two. End users tend to be the weakest link in cyber defense, and attackers know this. People can be manipulated or tricked into practically giving over the keys to the network by unknowingly installing malware on the system. For the victims of the breach, the trust once held with the company is most likely diminished. Particularly if this was a well-established, well-known company, the users most likely had not put much real thought into how their data may be handled and had assumed everything would be safe. However, now the users are made aware that, at one point in time, their private information was stored unencrypted, leading to an understandable amount of questioning as to how their data would be handled going forward if they continue to do business with them.

Article Review #2 – Manipulated into Malware

Introduction

In an increasingly digital world, ransomware has emerged as one of the most disruptive and costly forms of cybercrime. Rather than exploiting flaws in software or infrastructure, many modern ransomware campaigns succeed by targeting the human element by manipulating users into unintentionally running malicious code on their systems. This method, known as social engineering, exploits psychological and social vulnerabilities in people to bypass technical defenses. In the article “Social Engineering as an Attack Vector for Ransomware”, Gallegos-Segovia and their colleagues investigate how ransomware uses these tactics to infiltrate networks and hold data hostage. This paper aims to analyze the study’s design, findings, and broader social relevance, while examining how it intersects with social science, research methodology, and societal impact.

Social Science Connection

Social engineering, as examined in this study, is rooted in the principles of social science, particularly social psychology. It relies on manipulating human behavior rather than exploiting technical system vulnerabilities. As described in the article, “social engineering consists of a set of psychological techniques and social skills, based on influence, persuasion and suggestion, which lead the user to reveal personal/business information, or to perform actions that allow an attacker to get network access” (Gallegos-Segovia et al., 2017). Techniques, such as establishing trust, inducing fear, or appealing to authority, align with documented psychological concepts like compliance, influence, and cognitive bias. The study highlights how attackers use empathy, perceived authority, or incentives to persuade users into opening malicious files. This human-centered attack vector emphasizes the role of individual decision-making, perception, and vulnerability to be successful. Understanding how and why people fall victim to phishing schemes and social engineering is essential for developing mitigation methodologies, emphasizing the relationship between cybersecurity and behavioral research.

Research Design and Methodology

The study explored the effectiveness of social engineering in delivering ransomware by performing a field experiment which included a simulated attack within a real organizational setting. Although the authors do not declare a formal hypothesis in the article, the research question can be inferred to be whether human behavior can be manipulated to compromise an otherwise secure network. To examine this, two types of phishing emails were designed, with one being framed as a financial incentive and the other as a policy-based threat. The emails were sent to 150 employees of the company. A tool called RanSim was used to simulate a ransomware infection in a safe, legal, and non-destructive way. The authors explain that RanSim “allows to simulate an ransomware attack and generate a set of statistics of the files that can be infected and of the families to which they are vulnerable” (Gallegos-Segovia et al., 2017). This allowed them to monitor user responses and system vulnerability without causing actual data loss, making the method both ethical and informative without the risk of a real attack. The methodology blends behavioral testing with technical risk assessment, providing insight into how malware can spread through social manipulation rather than traditional hacking methods.

Results and Effectiveness

The simulation revealed how effective social engineering can be in initiating ransomware attacks. Of the 150 participants, “85% opened the mail and downloaded the infected file, 10% did not check their mail, and 5% asked to the systems department about the credibility of the situation” (Gallegos-Segovia et al., 2017), demonstrating that even a network with strong technical safeguards remains highly vulnerable to human error. The attack that mimicked a reward-based incentive was more successful than the intimidation-based one, likely because it appealed to positive emotion and trust. These results align with key ideas from the social study of victimization, which examines how individuals or groups could become targets based on their social or situational vulnerabilities. While the study does not directly address marginalized groups, its implications are relevant as individuals with lower levels of digital literacy or limited access to cybersecurity education may be even more susceptible to these types of attacks. This highlights a digital divide in security awareness and underlines the importance of inclusive, accessible cybersecurity awareness training across all populations.

Societal Contributions and Conclusion

This study offers important contributions to both cybersecurity practice and public awareness. By demonstrating how easily ransomware can bypass technical defenses through user manipulation, it underscores the critical need for human-centered security strategies. The researchers emphasize education as the most effective mitigation, arguing that informed users are the strongest defense against social engineering, stating “we must focus our efforts on strengthening the knowledge of potential victims, minimizing the human factor” (Gallegos-Segovia et al., 2017). The article also brings awareness to emerging threats such as Ransomware-as-a-Service, which lowers the barrier for cyber criminals by making attack tools widely accessible. This trend increases the urgency for organizations to develop proactive security measures to mitigate these threats. The study highlights that cybersecurity is not just a technical challenge, but a social one, requiring an interdisciplinary approach that combines technology, psychology, and education to protect individuals and society.

References

Gallegos-Segovia, P. L., Bravo-Torres, J. F., Larios-Rosillo, V. M., Vintimilla-Tapia, P. E., Yuquilima-Albarado, I. F., & Jara-Saltos, J. D. (2017). Social engineering as an attack vector for ransomware. 2017 CHILEAN Conference on Electrical, Electronics Engineering, Information and Communication Technologies (CHILECON), 1–6. https://www.researchgate.net/profile/Paul-Vintimilla-Tapia-2/publication/322219046_Social_engineering_as_an_attack_vector_for_ransomware/links/5ee90ba5299bf1faac5c6491/Social-engineering-as-an-attack-vector-for-ransomware.pdf

Week 11 – Journal Entry – Cyber Analyst and Social Behavior

Watching the video, the first thing that stuck out was cybersecurity analysts dealing with phishing attacks and end-user awareness training. While I work as a cybersecurity analyst, these are two areas I do not have to handle. The closest I do in terms of either one is the implementation of technical controls to prevent phishing attacks and ensuring the customer is implementing yearly security awareness trainings for the end-users. I mainly focus on the technical side of cybersecurity. I feel having end-user training remains one of the most important aspects of cybersecurity. Reducing the factors that contribute to victimization is one of the first lines of defense for a network. Working to understand and adjust user behavior, communication, and education when online and using the network helps minimize the risk of a potential attack or breach.

Week 11 – Journal Entry – Social Security

The article “Social Cybersecurity: An Emerging National Security Requirement” explains how cybersecurity isn’t just about protecting computers from being hacked—it’s also about protecting people from being tricked or influenced online.

Today, countries and other groups use the internet to spread false information, manipulate opinions, and cause divisions. This kind of attack is called “social cybersecurity”, or sometimes “cognitive hacking.” Instead of attacking computers directly, these attacks target people’s minds and beliefs through social media and online platforms.

The article points out that these tactics can damage trust in governments and society. Because of this, it’s important for the military and the government to understand and fight against these new threats. To stay safe, we need to recognize that protecting people’s thoughts and beliefs is just as important as protecting technology.

Week 10 – Journal Entry – Social Media

This week, with being tasked to complete the Social Media Disorder Scale (at the end of the post), I thought I would complete it first and write in some comments as I went along. I answered “no” to everything. I think my reason for everything being “no” is the same for each question: I grew up during a time when social media was nowhere near as prominent as it is today. I somewhat miss it.

Sure, we had some different internet communities geared towards similar interests and hobbies, and even a few fun Massive Multiplayer Online Role Playing Games, but growing up when dial up internet was relatively new and only having a single computer in the household, you just live your normal, best life without it most of the time. I also prefer to be more on the private side when it comes to my life. Other than for a few people, I just want to be left alone in a hidden-mountain-house.

Even those I work with and several of my friends are more or less the same. They may have accounts on certain popular social media platforms, but they’re mostly inactive and mostly use it to keep in contact with people that also use the service, such as family. I guess we just grew up in a different time.

It is interesting to see there is more cross-country consistency with girls being a victim to cyber-bullying online than boys. However, looking at the course material, I can’t seem to find anything that states social media use is different (aside from the platform used). I’m going to take a nap and try to remember to look over everything again and revisit this paragraph.

Regularly found that you can’t think of anything else but the moment you will be able to use social media again? Yes/No (Preoccupation).

No.

Regularly felt dissatisfied because you want to spend more time on social media? Yes/No (Tolerance).

No.

Often felt bad when you could not use social media? Yes/No (Withdrawal).

No.

Tried to spend less time on social media, but failed? Yes/No (Persistence).

No.

Regularly neglected other activities (i.e. hobbies, sports, homework) because you wanted to use social media? Yes/No (Displacement).

No.

Regularly had arguments with others because of your social media use? Yes/No (Problems).

No.

Regularly lied to your parents or friends about the amount of time you spend on social media? Yes/No (Deception).

No.

Often used social media to escape from negative feelings? Yes/No (Escape).

No.

Had serious conflict with parents, brother, sister (friends, relationships etc.) because of your social media use? Yes/No (Conflict).

No.

Week 8 – Journal Entry – Hackers in Movies

I typically do not enjoy how hacking is portrayed in entertainment. I almost always groan when I have to watch any hacking scene in a movie or TV show. In fact, I also groan watching different police and medical shows. Sigh, but I still sit down and watch 9-1-1. I just prefer things to be more realistic.

There is one scene that always sticks out when I think about TV hacking: https://www.youtube.com/watch?v=u8qgehH3kEQ

I hate it. Two people using a keyboard?!?

Admittedly, I do understand why hacking scenes are typically unrealistic. Sometimes, hacking just isn’t really exciting, visually, at least. And even if it was, would the average person understand? Much of my CTF time is spent eating a pizza, drinking an energy drink, and clacking away at the keyboard while looking at a wall of text. For work, once much of what I need to do is scripted, I just lock the workstation and wander away. Waiting for scripts to complete running, or an assessment to finish, just isn’t exciting. Reviewing those reports is none the better. So I understand why some liberties are taken to make TV and movie hacking scenes a tad more exciting.

However, I feel this can give an unrealistic perspective of what hacking and cybersecurity is. I do feel the depiction is changing for the better, but some people will still choose to believe what they see on television and treat it as reality.

Week 7 – Journal Entry – Memes

A few memes related to the Cybersecurity Human Systems Integration Framework:

Keep the Workstation Unlocked

Inspired by something I occasionally spot on my travels for work: the Wildlife Windows 7 Sample Video. I will typically work with the Communications/Radio department in their designated spaces. While the duties I am assisting them with should be a part of their normal, regular tasks, the truth is: they’re usually understaffed. This leads to a person occasionally taking on the responsibility of two or more people, and that’s not taking into account the visit. One of these tasks involves watching an email inbox and quickly rerouting and responding to messages. The catch? The workstation will lock automatically from inactivity. The crew member could be sitting directly in front of the workstation while performing other duties, but if that mouse doesn’t jiggle at a set interval, it’s locked. To combat this issue, a lot of the crew members discovered that playing a video will prevent the station from locking, allowing them to continue other duties while monitoring the messages. Nobody denies that the auto-locking is necessary, but it does prevent an individual from performing other duties alongside monitoring the messages. I honestly think it’s a rather genius way of circumnavigating the policies in place. It’s a method of bypass that will continue, I’m sure, as those that write and enforce the policy either do not understand the hindrance it can create, or have just accepted users will just continue to use the video as a means to continue to passively monitor their messages.

Did you Really Empty the Recycling Bin

This one is an inside joke between another individual and me on the team. I was showing him the prompt for this journal entry this week, and it somehow resulted in us sending work-related memes back and forth with each other. I got a chuckle out of him after I sent him this one, despite it being a rather unusual and frustrating day: The day we were asked if we emptied the Recycling Bin, or really emptied the Recycling Bin, followed by instructions on, sigh, how to empty the Recycling Bin. Classic Dave.

But, you just right-click and select empty, right? Well, yes, and no.

We needed some space on a server we were working on, but that’s “not our job”. Admittedly, there are things we will do, but we do not know what exactly can be removed safely that will not impact the crew’s duties, such as the files and documents they’ve created/received themselves. It is not uncommon for there to be items ready to be purged in the Recycling Bin, so it’s one spot we can quickly target to get some extra space. We’ll then make note, and continue doing what we need to do. But, it only empties the Recycling Bin for that user. Not the entire system. Many techs we’ve encountered in the past, and the crew themselves, are not aware of this. The solution?

rd /q /s C:\$Recycle.Bin\

At a glance, it does look the same, but this command empties all of the Recycling Bins instead of just in the context of the user. Kind of interesting there isn’t an “easy” way to just, you know, empty the Recycling Bin. And yes, David, we really emptied the Recycling Bin.
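
The per-user layout behind that command can be inspected before anything is purged. The following is an added example, not part of the original journal: it lists each per-SID folder under `$Recycle.Bin` on a drive with the owning account and the space it holds. The function name `Get-RecycleBinUsage` is hypothetical, and the script assumes an elevated PowerShell session so that other users' folders are readable.

```powershell
# Added example: report what each user's Recycle Bin folder holds on one drive.
# Assumes an elevated session; Get-RecycleBinUsage is a hypothetical helper name.
function Get-RecycleBinUsage {
    param([string]$Drive = 'C:\')

    $root = Join-Path $Drive '$Recycle.Bin'

    # Each user gets a hidden system folder named after their SID, so -Force is required.
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sid = $_.Name

            # Resolve the SID to an account name. Folders left behind by deleted
            # accounts (or any non-SID folder name) fall through to the catch block.
            try {
                $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved)'
            }

            # Sum everything stored under this user's folder.
            $files = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -File -ErrorAction SilentlyContinue)
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum

            [pscustomobject]@{
                Sid     = $sid
                Account = $account
                Items   = $files.Count
                SizeMB  = [math]::Round(($bytes / 1MB), 1)
            }
        }
}

# Largest bins first, so it is clear whose deleted files are taking the space.
Get-RecycleBinUsage -Drive 'C:\' | Sort-Object SizeMB -Descending | Format-Table -AutoSize

# The purge itself is the command from the text, which is cmd.exe syntax:
#   rd /q /s C:\$Recycle.Bin\
# In PowerShell, rd is an alias for Remove-Item and does not accept /q /s.
```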