Skill Reflection

Stephen Giorgi

IDS493_21939: Electronic Portfolio Project

Dr. Virginia Tucker Steffen

October 11, 2024

Introduction

Cyber Security as a field and major rests upon a foundation of integration. Integration of disciplines is so important to Cyber Security that we at ODU are required to take a class in interdisciplinary studies for our degree. The disciplines that we are required to engage in can range from networking and cyber law to criminology and philosophy, none of which live in a bubble. Today I will be discussing three general skills I have learned, some works that exemplify these skills (each under respective skills in the subpages to the current page you are on), and the overarching skills and how each skill ties together.

Ethical Manipulation and Protection

This skill is easily the most hands-on I’ve had to acquire. Arguably, it is the most important skill when discussing Cyber Security as this is what the average person thinks of when they think “Cyber Security.” What I mean by “ethical manipulation and protection” is familiarization with the tactics of threat actors and an understanding of the common ways that systems and their end-users can be safeguarded from said tactics. Unfortunately, I’ve only had one class with assignments that exemplify this skill and are presentable for the average person.

Digital Steganography

Steganography is the practice of hiding one message in a non-secret message. This practice has been used since at least 1499 in the form of invisible ink or Morse code on yarn and other various forms. How this applies to my line of study and work is in its digital form but for other reasons than to send a message. Hackers use steganography to hide scripts in unassuming files, like a media or text file, that upon interaction will run a script on the user’s system to download malware so their system can be further exploited (Stanger, 2020).

This assignment was actually really simple and that was concerning. I didn’t have to think hard about this at all; I only had to effectively attach two files using steganography software which was already installed on the virtual environment. So, all I had to do was make a simple text file then use a single command. Thinking of the wider implications, though, this is concerning because this showed me how low the level of entry was for hacking and how someone with poor cyber hygiene can fall victim to this kind of method. From my other classes like human factor and policy, I had learned how common it was for individuals and companies to be victimized by spam emails and suspicious links.

Ethical Hacking with Metasploit

Metasploit is a framework for penetration testing systems by writing and using code meant for exploitation. It is very robust and very difficult to use if experience is limited (GeeksforGeeks, n.d.). I had a difficult time performing the tasks in this assignment in part because of the controlled virtual environment. Most of these kinds of attacks usually require some prior information gathering through an exchange of data between systems, usually using Wireshark or Nmap. I needed the right port number, a payload ready, the IP addresses, and of course the exploit I intended to use and knowledge of how it works. This was sometimes made difficult when properties of the virtual machines in the virtual environment would be changed.

Once the configuration was correct, though, and I had the IP, ports, exploit, and payload, the sky was the limit on what I could do on another system. If I wanted to, I could create a profile on the target system, escalate privileges of that profile, and lock out the rest of the users from their accounts. Given what we have discussed with steganography, this is terrifying to me. If I were to download something from an unfamiliar link, a threat actor could effectively steal my computer and everything on it while it is still in my hands.

Password Cracking

For this assignment, I was required to use a password cracking tool (Cain and Abel in this case) against multiple user profiles that I set up on a different virtual machine. The most basic form of cyber hygiene is a strong password. I believe it is a fair assumption that most people that have used a computer have been told to use a complex password; many websites require one. This assignment highlighted exactly how important that basic practice is. The actual application was as simple as using a hash dump command to receive the encrypted passwords from a target system, then running those hashes through the password cracking tool. Depending on the wordlist I equipped to this tool and the complexity of the passwords, the time to do this could range from a few seconds to a few days or even years. When a simple solution is so effective, I can’t help but wonder why so many people don’t do it. From some of my other work involving policy, my guess is that it is a convenience issue, and, according to Auth0 CISO Joan Pepin, it is (Pepin, 2018).

Troubleshooting and Vulnerability Identification

Troubleshooting is a required skill of any IT professional in any setting. It is the bulk of my work with the Marine Corps, but I obviously can’t show any of that here. It is ultimately a very basic skill; it is basically seeing something isn’t working then going “how do I fix this? What could be causing this issue?” The past three assignments discussed could be used to demonstrate the same thing. However, I wanted to include some assignments that highlight every system’s greatest vulnerability, and that’s the human factor.

Sword vs. Shield

The Sword vs. Shield assignment is the last assignment from my techniques and operations class that I will be discussing today. The objective of this assignment was familiarization with and implementation of port scanning (Nmap) and a firewall (pfSense). This required scanning for other systems on the network, then scanning a target system for vulnerable ports and then pinging it. After I changed the rules on the pfSense firewall, I then tried to ping and scan the other hosts again to see if the firewall was working as intended. A firewall is very simple, but it is more inconvenient than other hygienic practices like multifactor identification or a strong password. This is why people will more commonly use an automated firewall or forego one altogether.

Effects of Social Engineering in Cyber Incidents

One of the most common types of threats to cybersecurity is social engineering. As opposed to attacking the end-user systems, social engineering is about attacking the end-users. The purpose is to coerce the users into willingly giving sensitive information; think phishing schemes or pretexting. The effects of such attacks can be incredibly damaging to companies and individuals alike by taking and abusing the information of the users to gain unauthorized access to various systems. Bank accounts could be compromised, or entire security systems for multiple companies, like RSA SecurID in 2011, can be compromised (Gallagher, 2011). Despite the awareness of this type of security threat, it persists as an ongoing issue because it is a human issue.

For this paper, I had to present an understanding of social engineering and what about the average person’s psychology the methods would be attacking. I also gave an overview of the possible damage that could be caused and a few examples of data breaches resulting from social engineering. Lastly, I had to formulate a solution for the general issue, which of course is not a simple or concrete one. The human factor will always be a vulnerability, so much like what I learned from criminology, crime and victimization can be mitigated, but it can never be stopped.

Words as Weapons

The purpose of my “Words as Weapons” essay was to show what I had learned and researched about the effects of misinformation on election security for my election security class. This topic was a large portion of this class and discussion on the last two elections because faith in the voting system and democracy as a whole had greatly diminished. There I go into detail about misinformation, malinformation, and disinformation (MDM), the possible damage, and the strategies to combat them. Ultimately, though, the onus of responsibility is on the vigilance of the end user.

Recovery

This section was originally supposed to be digital forensics for my E-portfolio class. However, I have not taken any digital forensics classes. So, in the spirit of digital forensics—learning from and analyzing the past—I will be looking at assignments that revolve around looking toward and analyzing the past.

Historic Presentation

Despite the name and topic, this PowerPoint was for a communication and info tech class. The purpose was to give us an opportunity to talk about any issue we wanted to bring awareness to and practice public speaking. The topic I chose was a lynching that occurred March 14, 1891. If it doesn’t sound familiar it’s because it isn’t taught in schools, despite it being continuously called the largest mass lynching in American history. I had a few sources, but I mainly had to go by a book titled Vendetta by Richard Gambino (2000) and a few other news sources from the modern day and at the time (Gambino, 2000; Fouts, 2017; The Washington Post’s 1891 article on New Orleans lynchings, n.d.).

What does this have to do with Cyber Security or recovery? I learned a lot from this project, but mainly the average person’s tendency to disregard information that might make them uncomfortable and a further awareness of how impressionable people are regardless of setting. During an age where most information was disseminated from a few publications or one where there’s more information than can be verified, the result is the same. I think it exemplifies the hard truth of history that we need to remember and learn about what happened so nothing similar happens again.

IT410: BI Team Project

For my business intelligence class, I and my group would have to look at large collections of data, organize it, then analyze it. This often required me to think outside of the numbers and graphs in front of me and think about the cause of the data. For the project, which also required us to present it for public speaking, we were looking at the general welfare of nations recognized by the UN and how it related to educational expenses. I tended to analyze and speculate about the subjects of these data assignments. This worked out well with the rest of my group because word or time limits were not an issue to me. Ultimately, what I found from the data was that there is some correlation between general welfare and educational expenses, but it really came down to prioritization.

Case Analysis on Information Warfare

My Cyber Security Ethics class was mainly about integrating philosophy with policy design. The assignments were mainly doing case studies of prior cybersecurity incidents with the lens of a selected philosophical framework. I have a couple of other case analyses under Laws and Ethics, but the case analysis I have on the respective subpage is the most comprehensive. This was kind of a retread of the “Words as Weapons” paper, but this time focusing on the 2016 presidential election through the lens of deontology. This, along with the other case analyses, was a true application of taking more abstract subjects like philosophy and integrating them into a technical field (Zimmer, 2010).

Tying it all together

Cybersecurity as a major is inherently interdisciplinary. I may have separated these nine assignments into three different sections, but all of them have some form of overlap. A commonality with every assignment is the impressionability of people and the importance of vigilance of the individual. Furthermore, I feel like I’ve demonstrated some hard skills along with soft skills like critical thinking, collaboration, a larger picture mindset, and adaptability.

An E-portfolio, such as this, is effective in reinforcing this integration by displaying the wide range of topics that we, with this major, have touched on. Furthermore, it allows me to reflect on what I have learned to fully understand, and show others, how these disciplines work together. The process of creating my E-portfolio required me to have major reflection on my personal and professional life and really think about the individual I wanted to present myself as. In the future, I will revisit it to adjust it to match the experiences that I have gained (Stanger, 2020; Pepin, 2018).

 

References

CISA. (2022, January 31). *Building trust through secure practices* [Video]. YouTube. Retrieved from [https://www.youtube.com/watch?v=LiCxQJl5wi](https://www.youtube.com/watch?v=LiCxQJl5wi)

Fouts, S. (2017). The Mafia, La Raza, and the Spanish-Language Press Coverage of the 1891 Lynchings in New Orleans. *Journal of Southern History*, 83(2), 325-358. https://doi.org/10.1353/soh.2017.0161

Gambino, R. (2000). *Vendetta: The true story of the largest lynching in U.S. history.* Guernica Editions.

Gallagher, S. (2011, March 23). Lessons of the RSA breach. *Ars Technica*. Retrieved from [https://arstechnica.com/information-technology/2011/03/lessons-of-the-rsa-breach/](https://arstechnica.com/information-technology/2011/03/lessons-of-the-rsa-breach/)

GeeksforGeeks. (n.d.). What is Metasploit? *GeeksforGeeks*. Retrieved from [https://www.geeksforgeeks.org/what-is-metasploit/](https://www.geeksforgeeks.org/what-is-metasploit/)

Pepin, J. (2018, March 28). Security vs. convenience. *Auth0*. Retrieved from [https://auth0.com/blog/security-vs-convenience/](https://auth0.com/blog/security-vs-convenience/)

Stanger, J. (2020, July 6). The ancient practice of steganography: What is it, how is it used and why do cybersecurity pros need to understand it? *CompTIA*. Retrieved from [https://www.comptia.org/blog/what-is-steganography](https://www.comptia.org/blog/what-is-steganography)

The Washington Post’s 1891 article on New Orleans lynchings. (n.d.). *Washington Post*. Retrieved from [https://www.washingtonpost.com/context/the-washington-post-s-1891-article-on-new-orleans-lynchings/?noteId=3eb3a86d-ff91-49a2-9b5b-2d39026b82aa&questionId=429df10f-0bab-4a2a-adea-59d2913234c7&utm_term=.b9ad029ddf43&itid=lk_inline_manual_3](https://www.washingtonpost.com/context/the-washington-post-s-1891-article-on-new-orleans-lynchings/?noteId=3eb3a86d-ff91-49a2-9b5b-2d39026b82aa&questionId=429df10f-0bab-4a2a-adea-59d2913234c7&utm_term=.b9ad029ddf43&itid=lk_inline_manual_3)

Zimmer, M. (2010). But the data is already public: On the ethics of research in Facebook. *Ethics and Information Technology*, 12(4), 313-325. https://doi.org/10.1007/s10676-010-9227-5