Richard J. Bocchinfuso

"Be yourself; everyone else is already taken." – Oscar Wilde

FIT – MGT5114 – Week8 – Discussion 10

Discuss how having your personal information in online databases may lead to identity theft. How can you protect yourself from this?

Our personal data litters the Internet, and as the digital world provides more convenience, our digital footprint and the attack surface continue to grow. Most of us continue to trade convenience for security, so there is no end in sight. I could not help but think about the Wired editor who had his digital identity wiped when I read this question; if you haven’t read this story, I highly recommend it. The ease with which a hacker can gain access to a single piece of information and use it as the catalyst to take over a person’s life is astounding. Vulnerabilities come in all forms, but what is interesting about the Wired editor story is that the vulnerability was in the process and was exploited via social engineering. The growth of Identity Theft Insurance demonstrates how real identity theft is.

One protection approach is to limit what we store online; for instance, when that little check-box pops up asking to save your credit card information, don’t click it. More and more organizations are encrypting or hashing the personal/private data that they store in online databases, but we still have to be careful. I used to use an expiring credit card designed for online purchasing; the system would generate a temporary credit card number with a credit limit equal to what I was going to purchase. This was a good system, but it became cumbersome, so I traded security for convenience. I try not to reuse passwords, because if one online database is compromised, I don’t want to give the person holding the data the keys to my kingdom by using the same password everywhere. It’s also important to recognize how important password length and complexity are; tools like hashcat and cloud computing have made cracking simple passwords a trivial and speedy task, and what used to take years now takes minutes.
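As an added illustration of the two points above (why a reused password is exposed by a single breached database, and why how a site hashes matters), here is example code that is not part of the original post. It contrasts an unsalted fast hash, where the same password yields the same digest in every database, with a per-record salt plus a slow key derivation function (PBKDF2-HMAC-SHA256); the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

# Added example, not from the original post. Shows why an unsalted fast hash
# lets one leaked database expose a reused password everywhere, and how a
# per-record salt plus a slow KDF limits the damage and the cracking speed.

PBKDF2_ITERATIONS = 200_000  # assumption: a deliberately slow work factor


def fast_unsalted_hash(password: str) -> str:
    """Weak scheme: the same password produces the same digest in every database,
    so a digest leaked from site A is immediately recognisable in site B's dump."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store 'iterations$salt$digest'. A fresh random salt per record means two
    sites (or two users) holding the same password store different values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def reuse_visible(record_a: str, record_b: str) -> bool:
    """True if two stored records reveal on sight that the same password was used.
    This is what an attacker holding two breached databases checks first."""
    return record_a == record_b


if __name__ == "__main__":
    pw = "Winter2017!"  # constructed sample password
    print("unsalted md5, two sites:", fast_unsalted_hash(pw), fast_unsalted_hash(pw))
    print("salted pbkdf2, two sites:", hash_password(pw), hash_password(pw), sep="\n")
```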

References

Honan, M. (2012, August 06). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved April 26, 2017, from https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

Pascal, A. (2014, February 27). Online Identity Theft Statistics – And How to Protect Yourself. Retrieved April 26, 2017, from http://eggtoapples.com/blog/online-identity-theft-statistics-and-how-to-protect-yourself/

FIT – MGT5114 – Week8 – Discussion 9

Law and ethics are often both considerations when determining the reaction to a computer security incident. For instance, scanning for open wireless networks is not illegal unless the scanner connects to the network without permission. Discuss this issue in terms of the legal and ethical issues that surround using a wireless connection that you do not own.

Wireless network scanning is not unlawful, and the ethics should be determined by the intent of the individual doing the scanning. For instance, if the person is scanning the network to identify unsecured wireless access points, or access points with weak encryption protocols like WEP, so they can conduct an attack to gain unauthorized access, it would clearly be unethical. Tools like aircrack-ng allow hackers to identify access points, obfuscate themselves, promiscuously collect packets, and crack WEP keys and WPA passwords.

There is an argument that piggybacking on open wifi access points (APs) is not unethical. Those who argue this perspective state that some APs are intentionally left open, so identifying wifi piggybacking on any open AP as unethical would be an incorrect assessment. Those who argue the unethical position state that it is unethical to cheat the ISP out of its revenue. There is the case of the man who was charged with a crime for using a cafe’s wifi by sitting outside and piggybacking from his car; this was deemed unlawful because the free wifi was intended for patrons, which he was not. I think the reality is that it’s hard to know if an open AP was left open intentionally or unintentionally; services like WiGLE provide data regarding “free” wifi access points. With regards to the argument that it’s stealing from the ISP and thus unethical, I would need to look at the ISP’s terms of service. I know of many coffee shops that have residential-class Internet service and provide “free” wifi to their patrons, so it would seem that sharing your ISP connection via wifi is not illegal or unethical. We live in a connected world, and I think jumping on an open wifi AP has become a way of life, thus moral intent is important when deciding if this behavior is ethical or unethical. No doubt this is a topic which is open to debate.

References

Cheng, J. (2007, May 22). Michigan man arrested for using cafe’s free WiFi from his car. Retrieved April 26, 2017, from https://arstechnica.com/tech-policy/2007/05/michigan-man-arrested-for-using-cafes-free-wifi-from-his-car/

Bangeman, E. (2008, January 03). The ethics of “stealing” a WiFi connection. Retrieved April 26, 2017, from https://arstechnica.com/security/2008/01/the-ethics-of-stealing-a-wifi-connection/

Pash, A. (2008, January 04). The Ethics of Wi-Fi “Stealing”. Retrieved April 26, 2017, from http://lifehacker.com/340716/the-ethics-of-wi-fi-stealing

Writer, L. G. (2011, September 10). Is it Legal to Piggyback WiFi? Retrieved April 26, 2017, from http://smallbusiness.chron.com/legal-piggyback-wifi-28287.html

FIT MGT5114 – Wk7 Discussion 1 Post

Security and risk are clearly related; the more at-risk a system or data set is the more security is desirable to protect it. Discuss how prices for security products may be tied to the degree of risk. That is, will people or organizations be willing to pay more if the risk is higher?

Absolutely, maybe, hmmm, what a complex world we live in. There is seemingly a direct correlation between the value of assets, reputation, etc… and the risk associated with a potential vulnerability, a successful exploit, and what an organization is willing to pay to protect itself. Some market segments make the decision to spend on security products clearer by imposing regulatory requirements that make the cost of non-compliance steep enough to mandate compliance.

For example:
Processing credit card transactions? You are subject to PCI DSS.
Do something regulated by the FDA? You are subject to Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records.
Do pretty much anything in health care? You are probably subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), which means you had better keep that patient data secure.

These regulations and others make the decision to invest in security products seemingly straightforward, but not everything is what it seems. Major breaches like Target’s, which had 40 million credit and debit card records and 70 million customer records (including addresses and phone numbers) lifted from its systems, netted a loss of only 0.1% of its 2014 sales. The same is true of Home Depot, which in 2014 had 56 million credit and debit card numbers and 53 million email addresses lifted from its systems, which netted a loss of only 0.01% of its 2014 sales. These and many other firms have Cyber Liability Insurance to mitigate their losses; between payments from insurance and tax write-offs the losses diminish, and so does the incentive to invest in security products.

When we look at sites like http://map.norsecorp.com/#/ that depict the velocity of attacks, and we think about the attack surface of an online entity, the idea of “if there is a breach” probably should be replaced with “when there is a breach”. I would say there is some hedging occurring in the enterprise, where there is a balance between investments and projected losses due to a breach. No investment makes you hack-proof, and if and when you are hacked, having invested millions in technology to protect against a hack garners no reputation points, so being smart about your security posture but not over-investing and rolling the dice (it’s happening regardless) may be a prudent business decision. Stuxnet proved that even a facility which is off the grid is vulnerable to attack.

References

Data Breach & Cyber Liability Insurance. (n.d.). Retrieved April 19, 2017, from https://www.thehartford.com/data-breach-insurance

Kassner, M. (2015, April 09). Data breaches may cost less than the security to prevent them. Retrieved April 19, 2017, from http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/

Staff, C. (2012, December 19). The security laws, regulations and guidelines directory. Retrieved April 19, 2017, from http://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html#Electronic-Fund-Transfer

Zetter, K. (2014, November 03). An Unprecedented Look at Stuxnet, the World’s First Digital Weapon. Retrieved April 19, 2017, from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

FIT MGT5114 – Wk6 Discussion 1 Post

Discuss three possible inclusions in a security policy. How do they differ from those included in a business continuity plan?

“A security policy documents an organization’s security needs and priorities.” (Pfleeger, Pfleeger & Margulies, 2015, p. 671) “A security policy is a high-level statement of purpose.” (Pfleeger, Pfleeger & Margulies, 2015, p. 671) A security policy does not merely address a security posture from a technical perspective, such as identifying known vulnerabilities. A security policy is nuanced, having to take into consideration the assets which need to be protected, the value of these assets, potential regulatory concerns, etc… A security policy should consider the following:

  • Organizational goals.
  • Delegation of responsibility.
  • Organizational commitment.

While a security policy is a macro level statement of purpose, a security plan includes the security policy, but also includes details such as current state (the current security posture including gaps, likely the result of an assessment), requirements, recommendations, accountability (possibly in the form of a RACI matrix), timetable (project plan) and a maintenance plan focused on operational upkeep.

A “Business continuity plan documents how a business will continue to function during or after a computer security incident.” (Pfleeger, Pfleeger & Margulies, 2015, p. 681). “An ordinary security plan covers computer security during normal times (under normal operations) and deals with protecting against a wide range of vulnerabilities from usual sources.” (Pfleeger, Pfleeger & Margulies, 2015, p. 681). The text simply states that the difference between a security plan and a business continuity plan is that one is focused on establishing security guidelines that will be used during normal operations while the other is invoked by either a catastrophic failure or a prolonged outage which will negatively impact the business.

I would say that a security policy is part of a business continuity plan (BCP); in other words, security policies exist inside the BCP. When a BCP is invoked due to a catastrophic event or prolonged outage, the goal of the business continuity plan is to have a playbook to return to normal operations under the worst of conditions, at which time security policies are reinstituted as part of the BCP. A security policy may also govern the execution of a business continuity or disaster recovery plan.

A final thought, this week’s discussion question seems to ask for a “security policy” to be contrasted with a “business continuity plan,” not a “security plan” with a “business continuity plan.” I hedged a bit with my response. 🙂

References

Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in computing (5th ed.). Upper Saddle River: Prentice Hall.

FIT MGT5114 – Wk5 Discussion 1 Post

Question:

Telecommunication network providers and users are concerned about the single point of failure in the “last mile”, which is the single cable from the network provider’s switching station to the customer’s premises. How can a customer protect against that single point of failure? Provide an analysis on whether this presents a good cost-benefit trade-off.

Response:

The obvious answer here is to have redundant providers, but redundant links alone do not provide redundancy. To truly be redundant, the solution must incorporate transparent failover. This is no different than a blown electrical circuit in your home: if the freezer is connected to a circuit which blows, the idea that an adjacent outlet is available to power the freezer is meaningless if you’re sleeping or on vacation. For a system to have no single point of failure, redundant infrastructure (the easy part) must exist, but these systems also need to be self-healing. This concept has prompted the emergence of a field called site reliability engineering; this field focuses on the self-healing aspects of information systems at scale.

Consumers or SMBs looking to protect themselves from “last mile” failures via infrastructure redundancy might use a “dial-up” connection, but probably not, because who still has a POTS line? The more likely option is a router which will handle both wireline broadband and wireless broadband connections. Devices like the Failsafe Gigabit N Router for Mobile Broadband from Cradlepoint provide a cost-effective way to achieve transparent circuit failover. Because most ingress and egress traffic is NAT’d on a consumer-grade network (e.g. your home network), a move from one provider to another can be performed quickly and nondisruptively. NAT’d traffic moves between your LAN and the Internet using a single public IP address (typically a DHCP address assigned by your provider), which makes it reasonable to use this approach for redundancy.

My home network is fairly complex (some pics from my home lab), with two circuits and multiple site-to-site VPNs to cloud providers. Both my wireline circuits as well as my wireless broadband circuit are Verizon circuits, with one wireline circuit being business grade and one being consumer grade; I leverage wireless broadband as my tertiary Internet connection (I used it for two weeks following Hurricane Sandy). The business circuit differs in speed from my consumer circuit, and the business circuit provides me with public-facing IP space and the ability to use my own router vs. the Verizon FiOS provided router; these are key differentiators between consumer circuits and business circuits. I use pfSense as my router and firewall of choice, and pfSense manages all my routing and circuit failover.

Because this is my home lab, I do not use something like BGP to manage external traffic and allow for transparent failover. What I do is monitor my home lab circuits using a witness process which runs a check against two IP addresses. For simplicity, IP address 1 is the advertised static public-facing IP address on my Verizon Business circuit, and IP 2 is the NAT’d, port-forwarded address on my consumer-grade FiOS circuit. IP 1 maps to host.domainname and IP 2 resolves to host.dyndns, where dyndns is Namecheap’s dynamic DNS service. When all is well, the host is directly accessible via IP 1; if something goes wrong, the host becomes available using IP 2. Obviously, the use of BGP and an AS number to facilitate failover for my home lab would be a bit costly, so the witness process watches for service availability on IP 1 or IP 2 and updates the DNS A record of the service with my domain registrar if the service becomes reachable on an alternate path. My DNS provider is Namecheap, so the witness server tests the service for accessibility and then uses PyNamecheap to update the A record programmatically. With a short TTL, the DNS records propagate, and public services are again available, although not all services will fail over; web services are available with a little help from NGINX and reverse proxying.
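As an added example (not the author's witness script), the logic of the witness process described above: probe the service on the primary path (IP 1) and the backup path (IP 2), and repoint the A record only when the active path has failed and the alternate path actually answers. The DNS update is passed in as a callable so the decision logic can run offline; the IP addresses in the usage block are constructed documentation addresses, and the place where a PyNamecheap host update would go is marked as an assumption.

```python
import socket
from dataclasses import dataclass
from typing import Callable

# Added example, not from the original post. Models the "witness" that
# decides which IP the service's DNS A record should point at.


@dataclass
class WitnessState:
    primary_ip: str      # IP 1: static public IP on the business circuit
    backup_ip: str       # IP 2: NAT'd, port-forwarded IP on the consumer circuit
    current_target: str  # IP the A record points at right now
    port: int = 443      # service port to probe (assumption: HTTPS)


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Single TCP connect check. A production witness should also validate
    the application response, not just that the port accepts connections."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_target(state: WitnessState, primary_up: bool, backup_up: bool) -> str:
    """Prefer the primary whenever it is healthy (fail back automatically).
    Move to the backup only when the primary is down and the backup answers.
    If both are down, leave DNS alone: repointing at a dead path gains nothing
    and causes record churn."""
    if primary_up:
        return state.primary_ip
    if backup_up:
        return state.backup_ip
    return state.current_target


def run_witness(
    state: WitnessState,
    probe: Callable[[str, int], bool],
    update_a_record: Callable[[str], None],
) -> WitnessState:
    """One witness cycle: probe both paths, update DNS only when the target changes."""
    primary_up = probe(state.primary_ip, state.port)
    backup_up = probe(state.backup_ip, state.port)
    target = choose_target(state, primary_up, backup_up)
    if target != state.current_target:
        # Assumption: in the real script this is the PyNamecheap call that
        # rewrites the host's A record with a short TTL.
        update_a_record(target)
        state.current_target = target
    return state


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 documentation ranges).
    st = WitnessState("203.0.113.10", "198.51.100.20", "203.0.113.10")
    run_witness(st, tcp_reachable, lambda ip: print("A record ->", ip))
    print("current target:", st.current_target)
```

Run it from cron or a systemd timer at an interval shorter than the record's TTL, so a failed path is detected before cached answers expire.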

The above is not very expensive from a pure infrastructure perspective. The consulting may be a bit costly if you are not capable of configuring it yourself, but the cost to build in redundancy is getting lower and lower. Cloud providers like AWS, with services such as Route 53, S3 and Lambda, make it very cost effective to leverage all of their site reliability engineering to build disaster-tolerant systems without ever worrying about the physical infrastructure. Whether the time, energy and money are worth it, and whether there is an ROI, depends on what you are looking to accomplish and the value of the services you are providing. I require public IP address space, which is not offered on Verizon FiOS consumer-grade circuits; I need a consumer-grade Verizon FiOS line for TV, Internet, and telephone service. For these reasons, it made sense for me to leverage the consumer-grade line as a backup to provide access to critical systems and services in the event of something like a physical fiber cut, which has happened when the landscaper put a shovel through the fiber (there are two fiber runs from the street to my house).

References

Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in computing (5th ed.). Upper Saddle River: Prentice Hall.

FIT MGT5114 – Wk4 Discussion 1 Peer Response

Good post, and you are certainly in the majority with your perspective regarding the existence of duplicate records in a database and the negative impact on DB integrity. My only issue with this question and the responses is that the idea of duplicate “DB” records is primarily explored in the context of an RDBMS. Professor Karadsheh mentions Big Data in a few response posts; Big Data and the emergence of NoSQL and Document Databases have challenged some of the concepts firmly rooted in legacy RDBMS best practices, where relationships and table joins are foundational and duplicate data typically presents a significant problem. At a high level, SQL databases rely on structured data: tables with fields, normalized data inserted into these fields, relationships between tables, and SQL statements to return results. It’s easy to see the pitfalls of duplication in the context of an RDBMS. NoSQL or Document Databases use a key-value store paradigm, where keys and values are defined when unstructured, denormalized data is ingested. A good example of this is opening a stream from the Twitter API for something like sentiment analysis. I use this as an example because I am a heavy user of ElasticSearch (a NoSQL DB) for log and sentiment analysis. The benefit of NoSQL is the ability to ingest thousands of unstructured, denormalized records per second; these unstructured, denormalized records use key-value pairs to map the keys to data (values).

Here is an example use of ElasticSearch: a data stream is opened using the Twitter API, the data stream is pushed into ElasticSearch, and then Kibana is used to visualize sentiment. In this case, duplicate records don’t indicate that the integrity of the database is suspect, time series don’t matter, etc… What is important is the ability to stream messages per second, use an NLP library to determine sentiment, create a JSON record containing key/value pairs, and add it to ElasticSearch.

ElasticSearch records look like this:  http://www.awesomescreenshot.com/image/2357496/22cb647c962eb32ee38e8ad8ee3c13d5
POTUS Sentiment Analysis using ElasticSearch and Kibana:  http://gotitsolutions.org/2017/02/24/potus-sentiment-analysis/

Like so many things, I think the answer to this question, in a context which defines DB as more than just RDBMS, is: it depends. With that said, I do agree that duplication in the context of a traditional RDBMS can wreak havoc on data integrity.

References

Bocchinfuso, R. J. (2017, March 31). POTUS Sentiment Analysis. Retrieved April 02, 2017, from http://gotitsolutions.org/2017/02/24/potus-sentiment-analysis/

Issac, L. P. (2014, January 14). SQL vs NoSQL Database Differences Explained with few Example DB. Retrieved April 02, 2017, from http://www.thegeekstuff.com/2014/01/sql-vs-nosql-db/?utm_source=tuicool

Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in computing (5th ed.). Upper Saddle River: Prentice Hall.