Journal Entry #1: NICE Framework
It’s a little difficult to decide between the Protection & Defense field versus the Implementation & Operation fields, as I have a strong interest in both. I already have networking knowledge and have earned my CCNA certification in high school, which is how I gained my love for networking and the idea of maybe implementing what I learned at home. This falls perfectly into the Implementation & Operation field, as establishing network architecture and ensuring its security and availability is a key role in cybersecurity. I’m also interested in other roles in this field, as I like to learn a lot about how a system works and what threats systems had that caused any attacks. Furthermore, according to Cyberseek, these roles fit under the Cybersecurity Analyst and Cybersecurity Engineer fields, which are both lucrative. I still do have an interest in the protection & defense field because I want the chance to put what I’ve learned to the test and do red-blue team events, pen tests, and digital forensics. Knowing how to break or protect a system feels like a sort of puzzle and game to me, and I find it extremely interesting. I also like the idea of digital forensics because without this field, we wouldn’t be able to identify who committed a cyberattack and how they committed it. This knowledge is vital for arresting those who have caused harm but also for preventing future attacks from happening, as now we know the methods and vectors used for the attack. I worry the job would get stressful, however, especially in the presence of an ongoing attack. The field I’m least interested in is the Cyberspace Intelligence field. I understand it’s important to prepare and gather information on your target or the system you’re managing, but it focuses too heavily on purely collecting and compiling data and not much else. 
It also just reminds me of how egregious companies like Google, Amazon, Meta, etc., are when it comes to collecting data for “valid” purposes; they go overboard with data collection that is invasive to privacy.
Journal Entry #2: Principles of Science & Cybersecurity
The seven scientific principles relate heavily to cybersecurity and are vital when determining cybersecurity strategies and frameworks. Relativism is important because you have to understand what services and functions an organization uses when you make plans or change settings in a system. If you release an update, you have to ensure it won’t break any active or critical systems. Objectivity can be used to ensure offending groups aren’t being overlooked because of bias. Just because major services are popular and widely loved doesn’t mean they get a green light to implement unethical and dangerous systems due to having less scrutiny. Parsimony is another essential principle, as humans are a threat to systems and are far easier to “hack” compared to a system. By keeping descriptions clear and concise, you can increase the chance users know how to operate a system in a safe and secure manner. Empiricism is good for analyzing the data of a system or network to get a factual idea of how a system is performing and protecting its users. You need to know how much network traffic is normal on a system to identify when a DDoS attack is happening. Ethical neutrality should be considered too because we have to gather data from systems and users to create plans and frameworks, but how data is collected and how much is collected should be outlined in documentation like a privacy policy. Determinism is important to cybersecurity because it focuses on the human side of it; studying why people commit cyberattacks or use bad cyber hygiene can prevent future attacks or be used to identify who and how they committed an attack. Finally, skepticism is important because it should be used when analyzing all cybersecurity systems. You need to be unbiased and critical when evaluating a system to ensure that it’s working in top condition or to see if new security measures are needed.
Journal Entry #3: PrivacyRights.org & Data Breaches
PrivacyRights.org provides a detailed record of known data breaches across the US, and even lets researchers look at archival data for free. They also provide information on how the individual states handle data breaches and the disclosure of information about said breaches. An extremely useful feature on their website is the ability to look at breaches by category of the attack, and which type of organization was attacked. This is vital information to researchers, as it lets them know which areas we need to improve the most when it comes to protecting our data and privacy. According to the data and charts provided, the medical industry suffers by far the most breaches, followed closely by financial services, which is unsurprising as they’re going to have some of the most lucrative and sensitive data about patients. The most common breach type is the unknown category, but of known methods, external hacking is the highest. Now, by using this website and knowing our weak points, researchers could use this information to improve cybersecurity systems in the medical and financial fields, as they need them the most.
Journal Entry #4: Maslow’s Hierarchy of Needs
Maslow’s hierarchy of needs can be applied to various human behaviors, including human behaviors regarding technology and cybersecurity. For physiological needs, I have experienced negative emotions, such as anxiety and frustration, when a device of mine doesn’t work or if I’m afraid I lost my data on a device. For my safety needs, I try my best to employ firewalls, antivirus software, a VPN, and common sense when I use my devices because I know how important it is to keep my devices secure. I also employ privacy methods like restricting app permissions and using open-source software to meet my privacy needs, which do relate to security. For a sense of belonging and love, I use messaging and phone calls to communicate with my family, and I use social media to look at content of media I like. However, I almost never post, and I’ve begun to use social media less. For my self-esteem, I like to spend my time learning about technology and studying for IT certifications because I know I have accomplished something difficult when I earn one. This merges a little into self-actualization, because by earning those certifications and learning new skills, I can use it to achieve my end goal of becoming a professional who works in the IT field. I want to use those skills to find a job that feels fulfilling and like I am doing something good for the world, and I want to be able to make my own software and educate others to improve their lives with technology.
Journal Entry #5: Ranking Cybercrime Motives
- Multiple Reasons – This motive was ranked the highest because hackers tend to have a variety of reasons for picking their victims. If a hacktivist hates greedy corporations and used to work for one, they might target them for both political and revenge reasons. Money isn’t the sole cause of hacking; some do it because they’re entertained and gain money.
- Money – This motive makes a lot of sense to me because it’s what fuels a majority of cybercrime. Industries like finance and health care are targeted so heavily because the data that can be gathered there is extremely lucrative. Everyone has bills to pay, and many want to enjoy the wants in life too, like luxury items or for simply showing off.
- Political – This is another motive that makes sense to me, because political motivations can influence both hacktivists, and the most dangerous of all, state actors. Countries like America, Russia, and China are all fighting to gain data and information on each other to gain an advantage.
- Revenge – This is a motive that could apply to many but not all hackers, as insider threats and disgruntled employees should be taken seriously. If you fire someone who feels they were wronged, they’re likely to lash out.
- Recognition – The concept of script kiddies and wanting to feel cool makes sense to me, but I feel this is far less serious or valid compared to the above-mentioned motives. Not all hackers like to out themselves online as the group who did the attack.
- Entertainment – This one also feels far less important, as most hackers have a targeted goal for a serious purpose. There are many ways to enjoy penetrating systems and increasing security without actually doing illegal hacking. Maybe bug bounties and CTFs are more of their style.
- Boredom – This motive makes sense to me, but is ranked the lowest due to its lack of true motive. It’s very similar to entertainment, and many of this group probably do it for some form of rush, but for those who are truly bored and take no enjoyment out of it, why bother hacking? If you’re not doing it for anything listed above, maybe just stick to CTFs and challenges instead?
Journal Entry #6: Fake Websites
Fake abcnews website
From https://artpictures.club/autumn-2023.html
Fake paypal website
From https://www.verified.org/articles/scams/craigslist-paypal-scam
Fake Apple website
From https://www.memcyco.com/5-recent-examples-of-fake-websites/
- Compare the three fake websites to three real websites and highlight the features that identify them as fraudulent.
  - Fake site #1, abcnews.com.co: The real ABC news website has a link of abcnews.go.com, and the i in the link indicates that the site is not secure (not using HTTPS, using HTTP).
  - Fake site #2, pay-pail.com: The fake URL has a typo and extra dash in it and no /login path. The design is also different, as the real PayPal requires you to submit your email/phone number first before showing the password field.
  - Fake site #3, Applelab.co.nz: The fake URL has a weird top-level domain, .co.nz, while the real Apple is just .com. The fake website also claims your account is “locked” but then asks for far too much information, like card details, which Apple would never need to deal with an account issue, and certainly not on the main page of their website.
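The URL checks described in this entry can be automated. The following is an added illustration, not part of the original journal: it flags hostnames that imitate a known brand by comparing the registrable label against an allowlist, using the three fake hostnames above as input. The allowlist, the short public-suffix list, and the sample schemes and paths are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny list of multi-label public suffixes; a real
# checker would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.nz", "com.co", "co.uk"}

# Assumed allowlist: legitimate hosts for the three brands compared in the entry.
LEGITIMATE_HOSTS = {
    "abcnews.go.com": "abcnews",
    "paypal.com": "paypal",
    "apple.com": "apple",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Return the label directly left of the public suffix (e.g. 'applelab')."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(url):
    """Return (verdict, brand, warnings) for a URL that includes its scheme."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("invalid", None, [])
    warnings = [] if parts.scheme == "https" else ["not served over HTTPS"]

    # Exact host or a subdomain of an allowlisted host is treated as genuine.
    for legit, brand in LEGITIMATE_HOSTS.items():
        if host == legit or host.endswith("." + legit):
            return ("legitimate", brand, warnings)

    # Otherwise look for a brand name embedded in, or one edit away from,
    # the registrable label once hyphens are removed ("pay-pail" -> "paypail").
    label = registrable_label(host).replace("-", "")
    for brand in LEGITIMATE_HOSTS.values():
        if brand in label or edit_distance(brand, label) <= 1:
            return ("lookalike", brand, warnings)
    return ("unknown", None, warnings)


# Hostnames are the ones discussed above; schemes and paths are constructed.
SAMPLES = [
    "http://abcnews.com.co/",
    "https://pay-pail.com/",
    "https://Applelab.co.nz/",
    "https://abcnews.go.com/",
    "https://www.paypal.com/signin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, classify(url))
```

A "lookalike" verdict only means the name resembles an allowlisted brand; an "unknown" verdict says nothing about whether a site is safe.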
Journal Entry #7: Cybersecurity Memes
Meme #1:
People often mention using free VPNs and recommend them to their friends, not realizing that they’re harmful in the long run. People assume that because they’re on a VPN, they’re not trackable, but if a service is free, then you are the product, and the VPN you’re using is probably tracking you. Even worse is if a VPN shows ads in its app, that’s a guarantee that they’re selling your web traffic data to whoever is willing to buy. If you use a VPN, choose a provider that is paid, and has strict no-logs policies.
Meme #2:
Companies often do phishing training, and they usually use emails like “click this link to get a $100 gift card!” or some other enticing message about a deal that’s too good to be true. If people click the link, that means they failed the test and need to go back to training to ensure that they don’t commit the same mistake again, because it could be a cyber threat that leads to a breach the next time.
Meme #3:
People often fall for romance scams on social media and dating apps. Whether it be a message from a “real” celebrity or your everyday cat-fisher, people lower their judgement and do risky actions because they want love. The victims will end up meeting strangers, or sending large amounts of money to these impersonators.
Journal Entry #8: Hackers In Movies
Hacker scenes in movies will get some details right that are accurate to the real world like the tools used and the methods, but the media often exaggerates it. Media makes people think hackers can do their activities in a matter of seconds or minutes, and that it’s so sophisticated that they can do their hacking on a mass scale. In reality, not all hacking occurs in dark dens and hackers certainly can’t see a perfect map of a city and hack several cars in seconds. But because the media shows these types of scenes so often for dramatization, people end up thinking that they’re real or easy to do. This creates fear mongering and causes people to think all hackers are nation-state level threats, when many hackers are white hat hackers, and those who aren’t white hat are usually not that sophisticated.
Journal Entry #9: Social Media Use & Cybersecurity
Questions:
- Preoccupation: Do you frequently find yourself thinking about social media or planning to use it? Yes
- Tolerance: Have you felt dissatisfied because you want to spend more time on social media? No
- Withdrawal: Do you feel restless, irritable, felt bad or upset when you are unable to use social media? No
- Persistence: Have you tried to spend less time on social media, but failed? No
- Displacement: Regularly neglected other activities (i.e. hobbies, sports, homework) because you wanted to use social media? No
- Problems: Regularly had arguments with others because of your social media use? No
- Deception: Regularly lied to your parents or friends about the amount of time you spend on social media? No
- Escape: Do you use social media to forget about personal problems or to relieve negative feelings such as guilt or anxiety? Yes
- Conflict: Had serious conflict with parents, brother, sister (friends, relationships etc.) because of your social media use? No
Responses:
- How did you score?
  - I scored a 2 out of 9, which would fall under the risky usage range. I said yes to the questions about preoccupation and escape.
- What do you think about the items in the scale?
  - I think that the items definitely hit the major questions that need to be answered when people consider their social media use, however they’re too direct. I feel like someone who takes this short test would lie to themselves as you can very obviously tell that saying yes to any of these questions is slightly negative. I found myself hesitating to say no to some of the questions, because they felt too generic. It also feels like questions 6 and 9 slightly overlap, as it’s almost asking the same question. However, I do see why it’s important to ask ourselves these questions because it might help someone who is addicted realize their problematic use of social media.
- Why do you think that different patterns are found across the world?
  - I think different social media patterns can be found across the world because social media is based on your social environment. If you speak one language, then you won’t be as easily influenced by posts in a foreign language because you can’t understand them. There’s also the environment that you live in. If your country believes in a certain ideology, that affects your personality and beliefs, which might not be the same as someone living on the other side of the globe. We are all influenced by each other and our social circles, which in turn, influences what we see and get on social media. So people behave differently depending on themselves and how they interact with others based on their habitus.
Journal Entry #10: Social Cybersecurity
Social cybersecurity acknowledges the need for defensive measures against misinformation, disinformation, and influence campaigns in the modern, digital age. Anyone is able to post content now, and many platforms have algorithms that promote content based on metrics and interactions with a post, since they want popular posts to circulate as much as possible to keep users on the service. There are positives and negatives to how information maneuvers online, as shown by the BEND framework; however, the negatives can be extremely dangerous, especially if other countries are the ones behind the anonymous accounts that try to promote harmful content. To state my opinion, I wish more people would consider and promote decentralized social media services like Mastodon, as these services have no algorithm and depend purely on users either searching for content or reposting other users’ content to spread popularity. This reduces the risk of artificially boosted posts due to use of bots. It’s not fully foolproof from certain information/network maneuvers; however, it puts post discovery in the hands of the user, not an algorithm.
Journal Entry #11: Cybersecurity Analysts
A cybersecurity analyst job is considered an entry level position, and the speaker points out that these jobs are best intended for those who are new to the field and probably don’t have too many commitments in life, like a family. The tasks that entry-level analysts handle consist of doing helpdesk, leading user awareness training, doing patches, and more. These tasks all require good communication and social skills, especially the helpdesk and user awareness training. You have to understand how a layperson would describe a technical issue, and then translate your technical solution into language that the user can understand. Similar thing for user awareness training, it’s fundamental that you’re able to teach people about cyber threats in a way that they can understand but gets the severity of cautiousness across. The field is very free when it comes to where you can work, especially since you could work from home, so someone who’s open-minded and likes to experience new things might enjoy this career as they can go just about anywhere. Despite this, it’s important to consider your financial situation and where you want to live, because some states might cost far more than others. When it comes to applying for government jobs, you have to ensure that you’ve kept a clean record as getting government clearance is hard, so your social life should be one that isn’t too alarming. This is another reason why having a good social network is key, as having neighbors, employers, and other professionals available to vouch for you can lead you to new opportunities you wouldn’t have otherwise.
Journal Entry #12: Economic Theories & Psychological Sciences
This letter could fall under the neutralization theory, for the company issuing the letter. The letter informs the consumer that the breach occurred due to a third party service provider being hacked, and that law enforcement told them to delay the notification to customers. This could be seen as denial of responsibility, as the company could be trying to do damage and reputation control by making customers know it’s not their fault it occurred, but the fault of the company they use to run their website. A second psychological theory that this letter could represent is cognitive theory. The company knows that people are probably going to be stressed out and upset about their personal and payment information being leaked, and so they try to calm customers down by giving them ways to reduce their chance of credit card fraud. By thinking about how customers will perceive and feel about the letter, they can think of ways to placate them and persuade them to continue doing business with that company. This breach could be an example of Marxian economic theory, as the hackers are the group in power who used their skills to exploit the system of this company, and then, exploit any customers who paid for a service that got breached. This also could be seen as a laissez-faire economic theory, as the government didn’t intervene with this business’ operations until they got hacked. Because this hack collected a lot of personal information about customers, like names, addresses, phone numbers, and credit card information, the government had to step in to protect that customer information, and let people know their accounts may be at risk. Furthermore, the company has to provide a notice of this breach to protect their users, and provide information on what to do after.
Journal Entry #13: Bug Bounty Article
More companies are beginning to employ vulnerability disclosure policies (VDPs) and bug bounties because they encourage professionals to find system risks for a monetary prize. Small to medium-sized companies can’t afford to spend nearly as much on cybersecurity professionals and breaches like larger companies do, and more than half fail within 6 months after a breach. By using bug bounty programs instead, they can increase their system security while only paying a small amount per bug bounty reward instead of a constant salary. The studies found that bug bounties were effective for companies of all sizes, and that many hackers were motivated by non-monetary factors, rather wanting the experience, reputation, and altruism of finding vulnerabilities. Unfortunately, the financial, retail, and medical industries receive fewer valid reports as hackers probably take the chance to use these vulnerabilities to sell the data on the black market rather than report them. With the increase of new bug bounty programs, there hasn’t been much decrease in the reports that companies receive. Overall, it seems that employing bug bounty programs is great for companies of any size, but especially for smaller ones, as white hat hackers are eager for the chance to exploit systems for experience and clout more than money, saving the company from having to hire as many security analysts.
Journal Entry #14: Illegal Activities Online
Of the offenses listed on Clario’s article, I feel that the five most serious violations are collecting information about children, recording a VoIP call without consent, bullying and trolling, using other people’s internet networks, and sharing passwords, addresses, or photos of others. First off, collecting information about children is highly immoral since children likely have no idea how serious they should be about privacy and protecting themselves online. Their innocent searches can be used to target them with inappropriate material, whether that be shady websites with viruses, addictive games that make it too easy to spend money, or porn websites. Second, recording a VoIP call without consent is a serious breach of privacy. It’s reasonable that most people would think their calls are secure and private, and being able to talk to someone privately is a basic right. These calls have sensitive information, and distributing that information online could ruin a person’s life and reputation. Third, bullying and trolling is an act that can have severe consequences. There have been cases of teens committing suicide due to the cyberbullying that they faced, and cyberbullying can lead to serious mental health issues. Fourth, using other people’s networks is both a security and privacy issue. If you’re making illegal searches on someone else’s network, it could lead to them getting into trouble. There’s also the possibility of you accessing a malicious website or downloading an infected file while on their network, and then spreading it to other local devices. Finally, sharing passwords, addresses, or photos of others is both a security risk and a privacy issue. By sharing passwords, you compromise that person’s account, and by sharing addresses or photos, you open that person up to harassment, doxxing, stalking, and any other activity related to unwanted solicitation from online users.
Journal Entry #15: Digital Forensics & Social Sciences
Digital forensics is a field in IT that requires investigators to efficiently work together as a team to figure out who did what in a cybersecurity incident by collecting data from devices. Teamwork and communication skills are necessary for this career, as investigators need to work with companies to establish what the target is, where they can and can’t look to legally find evidence, and eventually, who their target is. Of course the career still needs strong technical skills, like knowledge of networking, knowing what software or tools to use to extract data from files and logs, being good with encryption breaking, etc. But without being able to work with a team and the clients who ask you for help, digital forensic investigators would never get any work done. They also have to worry about external issues, mostly legal issues, which is a social force relating to cybersecurity. The speaker notes that he didn’t initially try to work in IT, as he was more devoted to accounting originally, and only had some side IT knowledge. But by taking the opportunity to join a digital forensics practice, he ended up loving the field.