Richard J. Bocchinfuso

"Be yourself; everyone else is already taken." – Oscar Wilde

FIT – MGT5155 – Week 6

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso.

Dr. Perez and fellow classmates, first off I am incredibly tardy on this week’s post, my apologies. It’s been a crazy week with my company being acquired and a number of competing priorities. Anyway, this week I did have the opportunity to spend an incredible amount of time in the air traveling around for regularly scheduled QBRs (Quarterly Business Reviews) as well as delivering the acquisition news and what it means to our business. Unfortunately, United Airlines’ Wi-Fi service is in line with the rest of their service, but I suppose I should be happy none of the planes that I was on ran out of gas.

While I was in flight, with no internet access, I had a lot of time to think about my favorite “Infamous Attack”; after a few minutes of thought it was really an easy decision. One of my favorite books is “Ghost in the Wires”, which takes you on a journey with Kevin Mitnick from his perspective.

“Ghost in the Wires reads like a contemporary über-geeky thriller…. For those interested in computer history, Ghost in the Wires is a nostalgia trip to the quaint old days before hacking (and hackers) turned so malicious and financially motivated.” ―J.D. Biersdorfer, New York Times Book Review

The “Infamous Attack” that I chose is one perpetrated by Mitnick and told in the book “Takedown”, the story of how Tsutomu Shimomura, a security expert working at the UC San Diego Supercomputer Center, took down Kevin Mitnick, possibly the world’s most infamous hacker. In December of 1994, Mitnick broke into Shimomura’s computer and stole software that allowed access to cellular phone frequencies. This hack triggered a game of cat and mouse between Shimomura, the FBI, and Mitnick that would last four years. (Shimomura, 2017) As someone who grew up in the 80s, addicted to computers, first the TRS-80 and an acoustic coupler, then a Commodore 64 and my 1200 baud modem, I am nostalgic about the hacking and phone phreaking that took place in the 80s and 90s. I have always been intrigued by the early hackers like Captain Crunch and others because they were the pioneers. In the early BBS (bulletin board systems) like Exec-PC BBS, the entire community was filled with hackers, crackers, and phreakers.

For those of us old enough to remember POTS lines, the squeal of a modem connection, and the feeling of connecting with a global community of people just like you, it’s hard not to say thank you, because for me, someone who had their head buried in a computer from the age of eight, I am not sure where I would be today without the opportunity I was provided to feed my obsession. In the 80s and 90s hackers, crackers, and phreaks were digital explorers, unlike many of the attacks discussed by others like the Olympic Games program which gave birth to Stuxnet, the Target hack, the Equifax hack, WannaCry, and other ransomware attacks, etc. Hackers, crackers, and phreaks like Kevin Mitnick and Captain Crunch (John Draper) (Cap’n Crunch Whistle and the Secrets of the Little Blue Box, n.d.) were curious; they were not interested in monetary gain, they were not employed by a nation-state, and this is why so many people like me sported “Free Kevin” t-shirts.

Attacks have become far more intricate these days, and the curiosity motivator in the context of the modern day attacker/hacker seems almost non-existent. This is because the curious hackers can now hack legally: bug bounty programs are everywhere, with sites like HackerOne listing pretty much every available bug bounty program. Since I started this post talking about United Airlines, I may as well end it with the story of Oliver Beg, who earned a million miles via the United Airlines bug bounty program.

The world has changed significantly from the days when hackers, crackers, and phreaks were people I admired as the pioneers of a digital frontier to what we see today, organized crime syndicates and nation-states exploiting a connected world.

When I think about the hackers of yesteryear I think about the pioneers of an industry I love, people like Gary Kildall, Steve Wozniak, Dan Bricklin, Bob Frankston, Richard Stallman and many others who were pioneers, in many cases exploited by those with differing motivations. The Kevin Mitnicks and John Drapers of the world represented those of us who didn’t like the Gary Kildall, Digital Research, CP/M and Bill Gates, Microsoft, DOS story. (How Bill Gates Outmaneuvered Gary Kildall, 2005) While many may think these days are over, they are not; what is different is that most of the Gary Kildalls today are open sourcing their code, which makes it much harder for the Bill Gates’ of the world. Few people have heard of Scott Hansen, but he is the third founder of Google (well maybe the number two founder, but this is debatable); a book I recently read entitled “Valley of Genius” provides some great insight on some of the unsung heroes of Silicon Valley.


References

Cap’n Crunch Whistle and the Secrets of the Little Blue Box. (n.d.). Retrieved October 4, 2018, from http://telephone-museum.org/telephone-collections/capn-crunch-bosun-whistle/

Great Rivalries in Cybersecurity: Tsutomu Shimomura vs. Kevin Mitnick. (n.d.). Retrieved October 4, 2018, from https://www.cybersecuritymastersdegree.org/tsutomu-shimomura-vs-kevin-mitnick/

How Bill Gates Outmaneuvered Gary Kildall. (2005, August 18). Retrieved October 4, 2018, from http://arnosoftwaredev.blogspot.com/2005/08/how-bill-gates-outmaneuvered-gary.html

Shimomura, T. (2017, June 04). Catching Kevin. Retrieved October 4, 2018, from https://www.wired.com/1996/02/catching/

Tung, L. (2016, August 09). This Dutch hacker can fly a million miles on his United Airlines bug bounty. Retrieved October 4, 2018, from https://www.zdnet.com/article/this-dutch-hacker-can-fly-a-million-miles-on-his-united-airlines-bug-bounty/

Interesting article on the North Korea cyber threat.
https://zd.net/2yg0gSG

Jonathan, interesting read. I had never heard of WANK, and I always enjoy learning something new. In the mid-90s I worked in big pharma as a Unix sysadmin; I was a recent college grad, with this being my second job out of school. I used a Sun Microsystems IPC all-in-one workstation in college and Slackware Linux on my desktop, I spent all my time in Emacs and wrote all my papers with LaTeX. When I was hired by a pharmaceutical company with ~120K employees, I was given the reins of the new Unix systems ranging from Sun Solaris, to DEC Tru64, to IBM AIX, to HP-UX, to SGI IRIX. It was amazing how many DEC and mainframe people worked in IT in this massive company and how few Unix-capable engineers there were, especially given that the plan was to replace a large DEC VMS footprint running on both DEC VAX and DEC Alpha machines. The organization (and the pharma industry back then) was so DEC-centric they were deploying Windows NT 3.51 on DEC Alpha; it made total sense to everyone because of course the developers of Windows NT were also the developers of VMS, and the story was that WNT being the letters following VMS was not a coincidence. (Russinovich, 2018)

I remember DECnet, CIQBA, FDDI, and our DEC email system (I think it was called Teamworks) all too well; I don’t miss these days. 🙂 Ken Olsen could have owned the world if he had just embraced the PC era and open computing. DEC tried to correct late in the game with the acquisition of Compaq, OpenVMS, and Digital Unix, but it was too late. I will say that the industry never really successfully delivered something like VMS clustering, which just worked.

BTW – I would argue that the term hacking originated in the 1990s. Gordon French held the first Homebrew Computer Club meeting in his garage in 1975; the attendees were all hackers (Love, 2013). John Draper (aka Captain Crunch) was hacking (phreaking) Ma Bell in the 60s and 70s, and Ron Rosenbaum published an article in Esquire Magazine in October 1971 entitled “Secrets of the Little Blue Box” (Rosenbaum, 2011) where he talks about hacking the phone system and the hacker subculture.

References

Love, D. (2013, March 05). An Incredibly Important Tech Event Happened 38 Years Ago Today. Retrieved October 7, 2018, from https://www.businessinsider.com/homebrew-computer-club-2013-3

Rosenbaum, R. (2011, October 07). The Article That Inspired Steve Jobs: “Secrets of the Little Blue Box”. Retrieved October 7, 2018, from http://www.slate.com/articles/technology/the_spectator/2011/10/the_article_that_inspired_steve_jobs_secrets_of_the_little_blue_.html

Russinovich, M. (2018, September 19). Windows NT and VMS: The Rest of the Story. Retrieved October 7, 2018, from https://www.itprotoday.com/compute-engines/windows-nt-and-vms-rest-story

Sergio, like most things in life, attacks, or I should say successful exploitation, can often be traced to human error. I think this is what makes social engineering so interesting; look around at the amount of data we, as a society, are willing to volunteer online. Modern day culture and the rise of FOMO (Fear Of Missing Out) (Rivera, 2018) has created a fertile social engineering hunting ground for hackers; as our society moves closer to “The Truman Show”, we have the actors, those volunteering information, and the voyeurs, those who just watch, wait and manipulate. Our digital footprint makes us more vulnerable to attack; it can make us more or less likely to be hired, it can impact our creditworthiness, etc. I believe that we have no idea of the psychological impact of the experiment we are currently conducting; only time will tell, but as a Gen-Xer, a technologist and a parent I would be willing to take the bet that we will need to achieve a better equilibrium because the trajectory we are currently on seems dangerous. (Walton, 2017) I guess my question here is, are we more afraid of the nation-state or the organized hacktivists like Anonymous, or are we more afraid of the truly dangerous social engineers like Facebook who are trying to spread “emotional contagion”? (Kramer, Guillory, & Hancock, 2014)


References

Kramer, A. D., Guillory, J. E., & Hancock, J. T. (2014). Experimental evidence of massive-scale emotional contagion through social networks. Proceedings of the National Academy of Sciences, 201320040.

Rivera, J. (2018, August 04). The Rise of Fomo – Julia Rivera – Medium. Retrieved October 7, 2018, from https://medium.com/@riverajulia0/the-rise-of-fomo-4e9c2419b791

Walton, A. G. (2017, October 03). 6 Ways Social Media Affects Our Mental Health. Retrieved October 7, 2018, from https://www.forbes.com/sites/alicegwalton/2017/06/30/a-run-down-of-social-medias-effects-on-our-mental-health/#4367e3592e5a

Assignment

FIT – MGT5155 – Week 5

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso.

I’ve spent the last year building and hardening policies using the ITIL (Information Technology Infrastructure Library) framework as my team and I worked on a SOC 2 audit and certification. Our ITSM (Information Technology Service Management) platform is ServiceNow (SNOW). The ServiceNow platform is responsible for managing and automating all aspects of service management for us and our customers; this includes incidents, requests, changes, problems, knowledge, etc. We use a ton of tools in our development and operations (DevOps) toolchain to drive agile development models, automated testing, automated deployments, measurement, self-healing, etc.

Source:  Rich Bocchinfuso

During our system design, we made a deliberate decision to separate our ITOM (Information Technology Infrastructure Operations) platform from our ITSM platform. Our element management tools, our instrumentation, our ITOM tooling which manages event correlation, alert management and escalation, and our ITSM platforms are all decoupled. We had a good reason for doing this, which focused on flexibility: the best tool for the job with the ability to integrate. Fast forward a few years and we may look to leverage ServiceNow ITOM because it is quickly elevating to a best-in-class ITOM tool.

I found it interesting that Ronda R. Henning defined an “incident” as anything that is abnormal on a system. When I think about an incident using the ITIL framework definition I think about it as something which has the potential to cause a service disruption. While abnormal activity may trigger an event or an alert, this does not mean an incident will be created. The example Henning provides of Joe being on the system at midnight might trigger an event or an alert, but this event or alert would be trapped by our ITOM system, identified as benign and would not be elevated to an incident.

A simple graphical representation of the ITIL service management framework:

Source:  Rich Bocchinfuso

In this week’s lecture, Ronda R. Henning also mentions syslog and event logging. This is often referred to as security information and event management (SIEM). The idea is to aggregate and analyze events across the enterprise to gain better clarity on what is occurring, the root cause, etc. As an Open Source proponent, I have built this capability on the ELK stack (Elasticsearch, Logstash, and Kibana), but Splunk is also a popular SIEM. SIEM has become an integral IT operations tool.

For continuous monitoring specific to security we use a number of tools ranging from SIEM, to Lynis system audits, to OpenVAS and Qualys vulnerability scans. We use Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) classifications to make decisions on criticality and reaction time.

Source:  Rich Bocchinfuso

We have witnessed an evolution from traditional infrastructure –> converged infrastructure –> hyper-converged infrastructure –> composable infrastructure; this evolution has dramatically improved our ability to instrument, monitor, automate and self-heal infrastructure. (Thome, 2017)

Traditional Infrastructure: Decoupled discrete infrastructure consisting of servers, storage, and networking components.
Converged Infrastructure: An integrated solution which bundles compute, storage and networking into a system which addresses a particular workload or solution such as virtualized desktops or a database application.
Hyper-converged Infrastructure: Compute, storage, and networking integrated into a single solution. Hyper-converged infrastructure is often driven by integrated hardware and software-defined technologies.
Composable Infrastructure: Builds on converged and hyper-converged technologies through enhanced software-defined intelligence and unified APIs (Application Programming Interfaces) to “compose” and automate the infrastructure.

One of my favorite visualizations of self-healing infrastructure is the Netflix vizceral network visualization of the network automagically detecting a failure and rerouting traffic.

I mention this because, in contrast to what Ronda R. Henning states in this week’s lecture, I believe the advent of composable infrastructure and the increased use of machine learning (ML), deep learning (DL) and artificial intelligence (AI) has moved us closer to being able to automagically do more.

Composable infrastructure has given way to A/B testing, blue-green deployments, rapid iteration and continuous delivery over rigid release cycles. These advances IMO are largely attributable to composable infrastructure; some call this software-defined. Composable infrastructure is fundamentally driven by software; the agility of software-defined everything, exposed APIs, and a focus on usability and orchestration have dramatically changed how we consume, instrument, monitor and self-heal information technology infrastructure.

Lastly, PagerDuty released their Incident Response framework and process to the Open Source community, and it provides a great starting point for building an Incident Response framework.

References

Continuous Delivery. (n.d.). Retrieved September 27, 2018, from https://continuousdelivery.com/

Fowler, M. (2010, March 1). Bliki: BlueGreenDeployment. Retrieved September 26, 2018, from https://martinfowler.com/bliki/BlueGreenDeployment.html

Greene, J. (n.d.). The Essential Guide to ITIL Framework and Processes. Retrieved September 26, 2018, from https://www.cherwell.com/library/essential-guides/essential-guide-to-itil-framework-and-processes/

Henning, R. R. (n.d.). Security Operations, Part 2. Retrieved September 27, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU04VjEvRGF0YS9tb2R1bGUueG1s

Netflix. (2016, October 28). Vizceral. Retrieved September 26, 2018, from https://youtu.be/JctsPpgEsVs

Netflix. (2018, September 05). Netflix/vizceral. Retrieved September 26, 2018, from https://github.com/Netflix/vizceral

PagerDuty, P. (n.d.). PagerDuty/incident-response-docs. Retrieved September 26, 2018, from https://github.com/PagerDuty/incident-response-docs/blob/master/docs/index.md

Rawat, S. (2018, June 08). A/B Testing – The Complete Guide | VWO. Retrieved September 26, 2018, from https://vwo.com/ab-testing/

Rouse, M. (n.d.). What is security information and event management (SIEM)? – Definition from WhatIs.com. Retrieved September 26, 2018, from https://searchsecurity.techtarget.com/definition/security-information-and-event-management-SIEM

SDxCentral. (n.d.). What is Software Defined Everything (SDx) – Defined. Retrieved September 26, 2018, from https://www.sdxcentral.com/cloud/definitions/software-defined-everything-sdx-part-1-definition/

Thome, G. (2017, June 29). Just What the Heck Is Composable Infrastructure, Anyway? Retrieved September 26, 2018, from https://www.itprotoday.com/business-resources/just-what-heck-composable-infrastructure-anyway
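To make the event / alert / incident distinction from the post above concrete, here is an added example (not the author’s ServiceNow or ELK configuration): a small ITOM-style triage pass over constructed syslog lines. The maintenance window for “joe” on db01, the business hours, the failed-login threshold and all hosts and addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed reference data (assumptions, not the author's ServiceNow/ELK rules):
# users with a standing after-hours maintenance window on a given host, and the
# number of failed logins from one source that is treated as a service risk.
MAINTENANCE_WINDOWS: Dict[Tuple[str, str], Tuple[time, time]] = {
    ("joe", "db01"): (time(23, 30), time(1, 0)),   # "Joe at midnight" is scheduled
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
FAILED_LOGIN_THRESHOLD = 5


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str   # "login_ok" or "login_fail"
    src: str


def parse_syslog(line: str) -> Event:
    """Parse one constructed syslog-style line, e.g.
    '2018-09-26T00:02:11 db01 sshd: login_ok user=joe src=10.0.0.5'."""
    ts, host, _prog, action, user_kv, src_kv = line.split()
    return Event(datetime.fromisoformat(ts), host,
                 user_kv.split("=", 1)[1], action, src_kv.split("=", 1)[1])


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True when t falls inside window; handles windows that wrap past midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Sort raw log lines into ITOM-style buckets:
    'event'    - logged only (normal or explained activity),
    'alert'    - abnormal, needs a human look, no incident yet,
    'incident' - potential service disruption, open an ITSM ticket."""
    out: Dict[str, List[str]] = {"event": [], "alert": [], "incident": []}
    events = [parse_syslog(line) for line in lines]

    # Correlate failed logins per (source, host) across the whole batch first.
    failures = Counter((e.src, e.host) for e in events if e.action == "login_fail")
    for (src, host), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            out["incident"].append(f"{n} failed logins on {host} from {src}")

    for e in events:
        if e.action != "login_ok":
            continue
        t = e.ts.time()
        window = MAINTENANCE_WINDOWS.get((e.user, e.host))
        if in_window(t, BUSINESS_HOURS):
            out["event"].append(f"{e.user} on {e.host} during business hours")
        elif window is not None and in_window(t, window):
            # Abnormal hour, but explained by a maintenance window: benign event.
            out["event"].append(f"{e.user} on {e.host} inside maintenance window (benign)")
        elif failures[(e.src, e.host)] >= FAILED_LOGIN_THRESHOLD:
            # A success right after a failed-login burst from the same source.
            out["incident"].append(f"{e.user} login on {e.host} from {e.src} after failed-login burst")
        else:
            out["alert"].append(f"{e.user} on {e.host} after hours from {e.src}")
    return out


# Constructed sample log for the scenario in the post (addresses are documentation ranges).
SAMPLE_LOG = [
    "2018-09-26T00:02:11 db01 sshd: login_ok user=joe src=10.0.0.5",
    "2018-09-26T00:05:40 web02 sshd: login_ok user=alice src=10.0.0.9",
] + [
    f"2018-09-26T00:06:{s:02d} web02 sshd: login_fail user=root src=203.0.113.7"
    for s in range(1, 6)
] + [
    "2018-09-26T00:06:20 web02 sshd: login_ok user=root src=203.0.113.7",
    "2018-09-26T09:15:00 web02 sshd: login_ok user=bob src=10.0.0.12",
]

if __name__ == "__main__":
    for level, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"{level.upper():8} {item}")
```

Joe’s midnight login stays an event, Alice’s unexplained after-hours login becomes an alert, and only the failed-login burst followed by a success is raised to an incident.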

This past week was an interesting week in tech, with the Facebook security breach and Jim Cramer in San Francisco at Dreamforce interviewing some of the Silicon Valley goliaths. One interesting interview I thought I would share was Cramer’s interview with Kevin Mandia, CEO of FireEye.

https://www.cnbc.com/video/2018/09/25/fireeye-ceo-every-cyberattack-is-related-to-geopolitical-conditions.html


Andrew, we live in interesting times where it seems just about every enterprise has the need to adopt an Agile approach and a DevOps culture. The move/fail fast paradigm seems to be powering the innovators in the tech industry, but let’s face it, there are a few FAANG companies. There is a ton of pressure to move and innovate faster, and many believe the path to success is to mimic the Netflix culture, easier said than done. Most organizations have a legacy to tend to which impedes the pivot. The “Subscription Economy” and the age of cloud and cloud-first strategies is upon us, but we are starting to see some equilibrium and a shift to a “cloud-smart strategy”. (Staff, 2018)

References

Heath, N. (2015, August 24). Should you follow Netflix and run your business from the public cloud? Retrieved September 30, 2018, from https://www.techrepublic.com/article/should-you-follow-netflix-and-run-your-business-from-the-public-cloud/

Staff, R. (2018, September 27). Moving Beyond a ‘Cloud First’ Strategy | VMware Radius. Retrieved September 30, 2018, from https://www.vmware.com/radius/moving-beyond-a-cloud-first-strategy/?src=so_5a314d05ddb83&cid=70134000001SkJd

Scott, careful with all that talk about security only being there to keep the bad guys out and the fact that it’s not if you get attacked, but rather when because you’re sounding like Richard Stallman (Goffman, 2018), not a bad thing. 🙂

Philosophically I agree with many of Stallman’s views, but security is not just about the bad guys. When I think about IAM (Identity and Access Management) (Stroud, n.d.), I think about least privilege, protecting the system from human error, logging, auditing, etc. as much if not more than I think about authentication as a padlock.

I think we will continue to see machine learning play a role in advancing automated incident response, where the plan, process, and procedures are codified, where we take an algorithmic approach to response. Moving to an open model where the system governs the response aids us in governing transparency, because IMO the term “disclosure” is open to far too much interpretation for my liking and this is not helping the situation.

References

Goffman, K. (2018, January 11). Richard Stallman : Last of The True Hackers? (MONDO 2000 flashback 1989). Retrieved September 30, 2018, from http://www.mondo2000.com/2018/01/11/richard-stallman-last-true-hackers-mondo-2000-flashback-1989/

Stroud, F. (n.d.). IAM – Identity and Access Management. Retrieved September 30, 2018, from https://www.webopedia.com/TERM/I/iam-identity-and-access-management.html

Carmen, do you think the two individuals at Uber acted unilaterally?

  • Fact:  Many organizations pay hacker ransom demands.
  • Fact:  Many organizations who pay hacker ransom demands and get their data back don’t disclose the hack.  Those who hack for financial gain (e.g., ransomware) are an honorable bunch because if they didn’t deliver, organizations would stop paying the ransoms and the business of ransomware would collapse.
  • Fact:  Disclosure of a hack impacts the hacked organization’s reputation, so debates within organizations around the globe are happening.  These debates include to disclose or not disclose, what constitutes disclosure, how nebulous can the disclosure be, when to disclose, etc… The answers to all these questions more often than not are to disclose as little as possible, to be as nebulous as possible and to disclose at a time when the disclosure is least damaging.

Uber is not alone in how they disclosed.  Equifax (Isidore, 2017) delayed their breach disclosure while insiders participated in a stock sell-off.  What happened?  Absolutely nothing, but somehow Elon Musk is demonized because he tweets that he has secured funding to take Tesla private.  Right and wrong isn’t a game of inches, but influence often is.  In Elon Musk’s case, the short-sellers controlled the influence.


References

Isidore, C. (2017, September 8). Equifax’s delayed hack disclosure: Did it break the law? Retrieved September 30, 2018, from https://money.cnn.com/2017/09/08/technology/equifax-hack-disclosure/index.html


FIT – MGT5155 – Week 4

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso.

“Reactive or Proactive?”

As technology professionals and astute human beings, I believe that we always strive to be proactive (at least I hope so); honestly, in today’s world to say you have a reactive strategy to security is almost taboo. We see this in all aspects of IT: the sysadmin (operations team) and developer roles have been collapsed into a DevOps or SRE (Site Reliability Engineering) role with a focus on instrumentation, analysis, automation, and self-healing. We are seeing these DevOps philosophies make their way into the security realm despite the cloak and dagger InfoSec folks. Relying on reactive strategies where action only occurs following an incident has become almost unacceptable. Yes, we still have incident response plans, but the plan is to proactively thwart incidents, avoiding having to enact the dreaded incident response plan. We instrument, monitor and automate to avoid reactive response. From an evolutionary perspective, the automation takes the longest. Some might say that if you are actively hunting for threats you have a proactive approach, but I would say that if you don’t automate analysis and response you still have a reactive process. (Contributor, 2017)

Instrumentation, monitoring, thresholding and automating response is a technique we try to use to avoid the reactive fire drill. When we think about what it takes to build a proactive system, it requires commitment. To build a system which continuously learns is not easy; it requires massive data sets, anomaly detection, and automated response. In the area of security, Machine Learning (ML), Deep Learning (DL) and Artificial Intelligence (AI) will play a critical role in the transition from reactive to proactive response which can aggregate and analyze variables on multiple vectors and infer intent. (Lomonaco, 2017)

When we look at security we can see attacks which have identifiable variables and thresholds managed proactively; an example is DDoS attack mitigation. For instance, a cloud provider known as OVH has built a robust DDoS attack mitigation strategy. This strategy depends on instrumentation, real-time traffic monitoring and analysis, anomaly detection and automated response.

Attack Detection


Mitigation

The real-time analysis identifies the attack traffic; this traffic is redirected to the VAC while legitimate traffic flows to the target server. As systems continue to mature we will see more complex behavioral patterns analyzed in real time, and inference engines will make decisions about how to proactively respond. The market is moving very fast right now.

Side Note: If you have not watched the Joe Rogan interview with Elon Musk, you should. Musk’s discussion on how AI will become an extension of the cortex and limbic system once we solve the data rate problem is awesome.


References

Contributor. (2017, July 24). The Shifting Data Protection Paradigm: Proactive vs. Reactive. Retrieved September 19, 2018, from https://devops.com/shifting-data-protection-paradigm-proactive-vs-reactive/

HelpSystems. (2016, August 19). Is Your IT Systems Management Reactive or Proactive? Retrieved September 19, 2018, from https://www.helpsystems.com/blog/your-it-systems-management-reactive-or-proactive

Lomonaco, V. (2017, October 04). Why Continual Learning is the key towards Machine Intelligence. Retrieved September 19, 2018, from https://medium.com/@vlomonaco/why-continuous-learning-is-the-key-towards-machine-intelligence-1851cb57c308
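The detect-and-divert loop described in the post above (real-time rate measurement, anomaly detection against a learned baseline, automated redirection of attack traffic to a scrubbing system while legitimate traffic is delivered), as an added example; this is a simplified model and not OVH’s VAC implementation. The EWMA baseline, the spike and clear factors, the SYN-ratio signature and all flows and addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

ALPHA = 0.3            # EWMA smoothing for the per-destination packet-rate baseline
SPIKE_FACTOR = 4.0     # an interval is anomalous when pps exceeds 4x the baseline
MIN_BASELINE = 500.0   # pps floor so a quiet host does not trip on tiny spikes
CLEAR_FACTOR = 1.5     # stop diverting once pps is back within 1.5x the baseline
SYN_RATIO_LIMIT = 0.8  # flows that are almost entirely bare SYNs look like a flood


@dataclass
class Flow:
    src: str
    dst: str
    pps: int            # packets per second from src to dst in this interval
    syn_ratio: float    # fraction of those packets that are bare TCP SYNs


@dataclass
class Detector:
    baseline: Dict[str, float] = field(default_factory=dict)
    mitigating: Set[str] = field(default_factory=set)

    def observe(self, flows: List[Flow]) -> Dict[str, List[Flow]]:
        """Process one measurement interval and decide where each flow goes:
        'target' (normal delivery) or 'vac' (scrubbing)."""
        routing: Dict[str, List[Flow]] = {"target": [], "vac": []}

        # 1. Real-time measurement: total rate per destination.
        per_dst: Dict[str, int] = defaultdict(int)
        for f in flows:
            per_dst[f.dst] += f.pps

        # 2. Anomaly detection against the learned baseline, with hysteresis.
        #    A destination seen for the first time is trusted as its own baseline,
        #    so the detector must learn normal traffic before it can spot a flood.
        for dst, total in per_dst.items():
            base = max(self.baseline.get(dst, float(total)), MIN_BASELINE)
            if total > SPIKE_FACTOR * base:
                self.mitigating.add(dst)
            elif dst in self.mitigating and total <= CLEAR_FACTOR * base:
                self.mitigating.discard(dst)

        # 3. Automated response: while a destination is under mitigation, divert
        #    the flows that carry the flood signature; everything else is delivered.
        clean_per_dst: Dict[str, int] = defaultdict(int)
        for f in flows:
            if f.dst in self.mitigating and f.syn_ratio >= SYN_RATIO_LIMIT:
                routing["vac"].append(f)
            else:
                routing["target"].append(f)
                clean_per_dst[f.dst] += f.pps

        # 4. Update the baseline from delivered traffic only, so an ongoing flood
        #    never becomes the new "normal" and silently switches mitigation off.
        for dst, total in clean_per_dst.items():
            prev = self.baseline.get(dst, float(total))
            self.baseline[dst] = (1 - ALPHA) * prev + ALPHA * total
        return routing


# Constructed traffic: two legitimate clients of 203.0.113.5, then a SYN flood.
NORMAL = [Flow("198.51.100.10", "203.0.113.5", 1200, 0.05),
          Flow("198.51.100.11", "203.0.113.5", 800, 0.04)]
FLOOD = NORMAL + [Flow("192.0.2.50", "203.0.113.5", 30000, 0.97),
                  Flow("192.0.2.51", "203.0.113.5", 25000, 0.99)]


def run_scenario() -> List[Dict[str, int]]:
    """Feed quiet -> quiet -> flood -> quiet intervals; return counts per interval."""
    det = Detector()
    summary = []
    for interval in (NORMAL, NORMAL, FLOOD, NORMAL):
        routed = det.observe(interval)
        summary.append({"target": len(routed["target"]), "vac": len(routed["vac"]),
                        "mitigating": len(det.mitigating)})
    return summary


if __name__ == "__main__":
    for i, s in enumerate(run_scenario(), 1):
        print(f"interval {i}: delivered={s['target']} scrubbed={s['vac']} "
              f"under_mitigation={s['mitigating']}")
```

During the flood interval the two legitimate flows are still delivered while the two SYN-heavy flows are scrubbed, and mitigation clears by itself once the rate returns to baseline.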

Scott, as I think about my day-to-day and our legacy security practices, which some might consider “proactive”, they tend to be more routine maintenance activities than “proactive” action based on instrumentation and metrics which provide identification of anomalous behavior and use inference to proactively mitigate a threat. An example is the security patching process that we use:

Screenshots: Patching SLAs (Google Sheets)

Using the Common Vulnerability Scoring System (CVSS) we have a process for patching the threat, but what if this is a zero-day exploit? The only path to a proactive approach is baselining normal behavior, instrumentation, anomaly detection, inference and some action (automated proactive response).

I like Andrew’s automobile analogy; I just struggle with calling an oil change a proactive security practice.  The use of audit tools like Lynis and vulnerability audit tools like OpenVAS may be akin to the oil change, but when I think proactive I think about a collision avoidance system or an autonomous vehicle; these systems are able to take input in real time and make proactive decisions.

FWIW, I have yet to see a situation where cyber insurance has prompted an organization to improve their security posture. Adding insurance just changes the organizational risk equation, IMO not in favor of improved security, although I suppose it does help with the regulation and enforcement of a baseline.


Scott, I think you make a great point about defining proactive and reactive. I agree with your definitions; I think where I struggle is the variance in acceptable “proactive” approaches. As we learned this week, much of this is dependent on best practices and best effort, which are defined by relative measures within a given industry. With just about every industry today gathering and storing personal data, I think it may be time to have a basic requirement for a proactive approach; hunting down that which you can’t see, when you don’t know what you are looking for, requires a level of sophistication that many industries have not adopted. Regulations like GDPR are imposing certain requirements regarding privacy on just about every industry.

I think of term life insurance as a reactive plan. I have a reactive plan should the unpredictable happen, because anything can happen, but hopefully I am being proactive enough to avoid needing term life insurance. 🙂


Monique, good point on the ineffectiveness of reactive practice when it comes to APTs (Advanced Persistent Threats). In the world of APTs we can’t react fast enough, because while we’re busy reacting the attackers are continuing their crusade. We’ve seen attacks like the one against Code Spaces (Goldman, 2014), where a DDoS attack enacted a reactive mitigation plan; while Code Spaces was busy reacting to the DDoS attack, the attackers were busy gaining control of Code Spaces’ AWS EC2 control panel. The attacker essentially ransomed all of Code Spaces’ digital assets and put them out of business.


References

Goldman, J. (2014, June 23). Code Spaces Destroyed by Cyber Attack. Retrieved September 23, 2018, from https://www.esecurityplanet.com/network-security/code-spaces-destroyed-by-cyber-attack.html

David, great reactive Mr. Mom reference.  Those of us with children know that playing catch-up with a reactive approach is a recipe for disaster.

I would bet those with a reactive approach also do so with a “220, 221. Whatever it takes. Honey if you call and I’m not home I’ll be at the gym or the gun club.” approach.

4.3 Midterm Exam

Score for this quiz: 200 out of 200

FIT – MGT5155 – Week 3

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.

First off, my apologies for my late post this week. I spent this week in France with a customer, a large U.S. based manufacturing company who eight months ago acquired a France based manufacturing company in the same market to grow their business in Europe. As a U.S. based company, operating from the U.S., there were many challenges that they faced; information technology is often an area that organizations immediately look to post-acquisition to drive synergies and efficiencies, but when a U.S. based company enters the European market this can be significantly more complex. The reason I mention this is because the legislation and cyber law differences between the U.S. and the E.U. can make this complex and pretty challenging. GDPR (E.U. General Data Protection Regulation) (Palmer, 2018) is an example of a regulation that the E.U. imposed to protect data privacy. There are plenty of other regulations like PCI, HIPAA, SOX, etc. that all need to be considered in the context of GDPR; this is a real challenge for many organizations.

A side note on why I was late this week, and maybe some travel advice for anyone flying from the New York area (EWR) to Paris (ORY). As a million mile flyer on United, I more often than not fly United, although I dislike the airline immensely; I was a loyal Continental flyer for a very long time and it’s hard to give up airline status when you travel 100K+ miles a year. My typical process week after week is to work while I travel. Well, this trip I flew La Compagnie, a small French boutique airline with two 757s in their fleet flying between Newark (EWR) <-> Paris and Newark (EWR) <-> London. The flights are all business class at a price below United economy fares, seating only 74 passengers, with good service; the only downside (for me at least) is no WiFi. Anyway, sorry for the tangent, but just wanted to give some background.

In this week’s Legislation lecture, Ronda R. Henning states that “Legislation, the legal foundations of cyberlaw, lag technology.” (Henning, n.d.) She goes on to say that most legislators are technologically illiterate; that most cyberlaw is derived from legacy mediums (e.g. – print) and this legacy legislation has been applied to cyberlaw. Henning also discusses the topic of authenticity, maintaining chain of custody, and being able to demonstrate through metadata that digital assets have not been tampered with. In the past, we have discussed hashing as a method of creating a digital signature; hashes like MD5, SHA-256, etc. can create a digital signature of a file which can be used to validate data integrity and authenticity. (Simon, 2013)

I think a telling and interesting aspect of cyberlaw and “Legal Obligations” is the relative measure of obligations, meaning that things like “best effort” and “industry standard” are defined by relative measures of what others are doing within a given industry or discipline. What this means is there are frameworks for governing how we maintain and audit our security posture, but what we need to do is far more fluid.

Looking at the IBFS (Intergalactic Banking and Financial Services) case study, while fictitious, we can see requirements and challenges which are likely common across the finance and banking industry, which is steeped in legacy and highly regulated. We can see the need to balance cost and capability, to increase agility and elasticity via partnerships and outsourcing, and to do this while being compliant with regulations which govern the banking and finance industry. As we look at the emergence of game-changing technologies such as blockchain and cryptocurrencies, applying legacy legislation becomes more difficult. While the copyright example moved from print media to video content to digital assets, not perfectly but fairly easily, applying legacy financial regulations to technologies like blockchain and cryptocurrencies will not be as easy. It will be interesting to see how regulatory bodies adapt; the idea of legislators being technology illiterate will probably need to change.

Cyberlaw is very complex, we can to some degree understand aspects of cyberlaw such as copyright and regulations, but when we add things like the Patriot Act and the NSA to the mix things get really complex. (Diamond, 2015)

We have discussed security frameworks like NIST, ISO 27001, SABSA and SSAE-16 and I have looked at all these frameworks, which are primarily process driven frameworks. We learned this week that protecting an organization is about best effort, best practices, and industry standards; I use the Center for Internet Security (CIS) as my guide for industry standards and best practices. CIS provides best practices, benchmarks, and toolsets and they do this all in the context of the platform you are securing, Windows, Linux, Hypervisor, etc.

References

CIS Center for Internet Security. (n.d.). Retrieved September 11, 2018, from https://www.cisecurity.org/

Diamond, J. (2015, May 23). Patriot Act debate: Everything you need to know – CNNPolitics. Retrieved September 11, 2018, from https://www.cnn.com/2015/05/22/politics/patriot-act-debate-explainer-nsa/index.html

Henning, R. R. (n.d.). Legislation. Florida Institute of Technology. Retrieved September 11, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU01VjEvRGF0YS9tb2R1bGUueG1s

Palmer, D. (2018, May 23). What is GDPR? Everything you need to know about the new general data protection regulations. Retrieved September 11, 2018, from https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton: CRC Press.

Simon. (2013, May 29). Verifying File Authenticity via Hashing. Retrieved September 11, 2018, from https://www.anotherwindowsblog.com/2013/05/verifying-file-authenticity-via-hashing.html

Yacine, a very interesting and thought-provoking post. I may be a bit of a conspiracy theorist, but I think operating under the premise that Ronda R. Henning touches on this week, in regards to wiretapping or eavesdropping and how living in the digital world alters information intercept. I found it really interesting that Ronda R. Henning pointed out Skype of wireless or VoIP. She points out CDRs (call detail records), what the industry refers to as metadata. I think of metadata as the data that matters; if I have the metadata, I likely have a path to all the data. While the Patriot Act has been reeled in (at least publicly) by the Freedom of Information Act, we still see the government looking to take control of communication mediums, most recently the movement to nationalize the 5G network. These are complex issues. The nationalization of anything scares me a little, but on the other hand, I think it would be naive not to consider the complexity of maintaining order in a wireless world where information moves free and frictionless over the airwaves; on the other hand, if it’s on the airwaves it can be intercepted by anyone who can decode it. I am reminded of a scene from the movie Heat.

We should pay attention to the fact that the FBI broke the encryption on the iPhone. They politely asked Apple to assist; when Apple said no, they figured out how to crack it. The best way to operate is to assume someone is always watching.

References

ACLU v. FBI – FOIA Case for Records Relating to Patriot Act Section 215. (2014, October 6). Retrieved September 16, 2018, from https://www.aclu.org/cases/aclu-v-fbi-foia-case-records-relating-patriot-act-section-215

Henning, R. R. (n.d.). Legal Obligations. Retrieved September 16, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU01VjEvRGF0YS9tb2R1bGUueG1s

Miller, D. (2017, October 03). FBI allowed to keep details of iPhone hacking secret. Retrieved September 16, 2018, from http://www.abc.net.au/news/2017-10-02/fbi-to-keep-details-of-san-bernardino-iphone-hacking-secret/9007400

Vazquez, M., Berlinger, J., & Klein, B. (2018, January 30). FCC chief opposes Trump administration 5G network plan. Retrieved September 16, 2018, from https://www.cnn.com/2018/01/28/politics/trump-nationalize-5g/index.html

Wendy, good post. Is the purpose of legislation and law to “set expectations of proper behavior”, or to set rules which can be used to police behavior?
I agree that legislation and laws have typically been created to manage social behavior and protect the citizens of a community (local, state, federal, etc.), but with the world becoming increasingly flat we see that legislation in one country (e.g. – GDPR in the EU) can have an impact on organizations which are multinational; in the digital era and the connected world this includes just about everyone. GDPR is the reason we are being asked to accept or decline cookies on just about every site we visit on the internet. (Irwin, 2018)

While the Cyber Deterrence and Response Act of 2018 (H.R.5576, 2018) (Blinde, 2018) aims to create a registrar of hackers, pulling them out of the shadows and punishing them, what percentage of hackers are known vs. what percentage are anonymous? This can be really tricky. This is an interesting move by the government; it sounds good on paper, but it seems that it will be difficult to police. We know that nation-states have cyber warfare divisions, the U.S. included, and we know that they are in the shadows gathering cyber intelligence and acting on it, but I am wondering if this can be attacked overtly, with something like sanctions. (Richards, 2018)

References

Blinde, L. (2018, July 02). Bill to fight state-sponsored cyber threats passes out of House foreign affairs committee. Retrieved September 16, 2018, from https://intelligencecommunitynews.com/bill-to-fight-state-sponsored-cyber-threats-passes-out-of-house-foreign-affairs-committee/

Irwin, L. (2018, August 16). How the GDPR affects cookie policies. Retrieved September 16, 2018, from https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies

Richards, P. (2018, April 19). Nation state attacks – the cyber cold war gets down to business. Retrieved September 16, 2018, from https://www.csoonline.com/article/3268976/cyberwarfare/nation-state-attacks-the-cyber-cold-war-gets-down-to-business.html

Assignment

FIT – MGT5155 – Week 2

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.

“Risks to the Enterprise.”

According to Ronda R. Henning, risk is usually expressed as the probability of an occurrence. Enterprise risk metrics express the probability of harm to the enterprise as a result of disclosure, modification or downtime.

A key aspect of protecting data in the enterprise is assessing the situation, categorizing aspects of the enterprise and applying the proper protections and/or risk mitigation strategies.  We know that the threats are everywhere, the question is what is the threat posed to a specific enterprise, what is the probability that a vulnerability will be exploited and what is the impact of the exploit.  A quick visit to NORSE Corp and fear will have you believing you should disconnect from the internet, disable all ports, prohibit removable media, only use wired connections, etc… but there is security and then there is productivity prohibition.


Some call this usable security; the text highlights this as “dealing with the conflicting objectives” where the security protocols need to balance security, cost, and usability. (Sherwood, Clark, & Lynas, 2005, p. 27) Making a system secure, but still usable, is a complex issue the security architect faces: make the security too tight and humans will look to work around the system, make the system too loose and increase risk. A complex problem indeed.

One of my favorite examples of usable security and human-computer interaction is highlighted in the course intro to Usable Security on Coursera. BTW – This is a great course, I highly recommend it. I bet you can’t think of how a styrofoam cup could be a security threat and how a styrofoam cup could violate HIPAA compliance. Watch the video above, it’s short and enlightening.

While living in a connected world can be a scary thing, each of us balances risk vs. reward each day; every time we use an ATM or online bill pay system we make the decision that the reward is worth the risk, and in most cases, for the consumer, this reward is convenience. We also balance risk vs. reward when we think about what password we will use to secure our information, should we use MFA, should we encrypt our data, etc… These personal decisions are similar to the decisions that are made within the enterprise. For example, I use strong passwords eight to ten characters in length; these passwords contain upper and lower case letters, numbers and special characters, and they are not dictionary words or leet passwords, 100% of the time. I don’t use twenty character passwords because usability diminishes; the risk vs. reward model just doesn’t work for me. The password paradigm is used everywhere, email, bank accounts, etc… As things progress up my personal security stack I apply my password best practices and add MFA; a good example here is my AWS login. Lastly, if data is super sensitive I apply an encryption scheme which requires a passphrase and a 256-bit encryption key.

It’s important to remember that even what may be perceived as the tightest security protocols still contain vulnerabilities. From Stuxnet to Heartbleed we can see how even what is thought to be the securest possible protocols can be thwarted; these systems and protocols were built by humans, making them exploitable by other humans. The emergence of the APT (Advanced Persistent Threat) has focused the attackers on specific objectives; these attacks are not being perpetrated by high school students looking to change a grade, but rather by nation-states looking to engage in cyber warfare.

These attacks are complex. One of my favorite stories is the story of AMSC (aka American Semiconductor), who was nearly destroyed when they had intellectual property stolen via old-school corporate espionage. Who could fathom this story, but if the source code for the PM3000 had this sort of value to AMSC, maybe providing an individual located in Austria with access to the source code tree was not the brightest move. Today we see the FAANG (Facebook, Amazon, Apple, Netflix, and Google) type companies rely on the volume of code and dependencies to protect their intellectual property; these companies have a level of scale, but this isn’t the case for every company. Another story that I like is the story of Code Spaces, or as InfoWorld titled the article “Murder in the Amazon cloud”. This company had their AWS root account hijacked and all their AWS services held for ransom; when Code Spaces did not pay the ransom the attackers deleted all their EC2 instances, EBS volumes, snapshots, AMIs and S3 buckets and put Code Spaces out of business. We know that the attacker used a DDoS attack as a smokescreen, but we don’t know how they actually gained access to Code Spaces’ AWS console; they did, though. We are seeing this more and more: as organizations open source more software, developers check their code into public Git repositories and they leave behind artifacts that expose credentials, like API keys. Tools like truffleHog can crawl git repositories for secrets, digging deep into commit history and branches, finding secrets accidentally committed.

Risk management is iterative; a big mistake is the belief that a security posture is established once and the posture that was established on day one is the same posture required on day one hundred. A framework like NIST can assist in ensuring that risk is continually evaluated, classified and prioritized. Security controls and systems are evaluated and monitored to ensure that the security controls (technical, management and operational) are adjusted as needed.

There are numerous frameworks which can help with assessing and evaluating risk by providing a way for an organization to assess their entire system, including people, process and technology.  Some framework examples include:

(Source: Sherwood, Clark, & Lynas, 2005, p. 43)

Realizing that security is evolutionary is important, that static protocols are unlikely to thwart modern attacks, that AI/ML may hold promise for intelligent and adaptive threat protection and response, but also realize that attackers have access to all the same technology and can create adaptive attacks using attack vectors which were inconceivable just ten years ago. We see this with projects like deephack and a ridiculously low barrier to entry for things like cloud-based GPUs for password cracking. IMO, vigilance, a commitment to iterate and mitigation are the keys to reducing risk in the enterprise, we may not be able to keep everyone out, but keeping them in is a viable strategy. All too often it seems we focus more on checking the boxes of regulatory bodies and not enough time on actually securing our systems.

While the ability to flash a slide filled with your security credential logos probably looks impressive, a developer in most cases can still publish keys or credentials on GitHub, at which point all bets are off. In the era of cloud computing one commit to GitHub that contains a snippet of code like the below could be the end.

References

Clark, J. (2015, December 04). Hacker uses cloud computing to crack passwords. Retrieved September 5, 2018, from https://www.zdnet.com/article/hacker-uses-cloud-computing-to-crack-passwords/

Collins, K. (2016, May 04). Developers keep leaving secret keys to corporate data out in the open for anyone to take. Retrieved September 5, 2018, from https://qz.com/674520/companies-are-sharing-their-secret-access-codes-on-github-and-they-may-not-even-know-it/

Dxa4481. (2018, August 27). Dxa4481/truffleHog. Retrieved September 5, 2018, from https://github.com/dxa4481/truffleHog

Henning, R. R. (n.d.). Frameworks. Retrieved September 5, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU00VjEvRGF0YS9tb2R1bGUueG1s

Henning, R. R. (n.d.). Risk-Based Security. Retrieved September 5, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU0zVjEvRGF0YS9tb2R1bGUueG1s

Osborne, C. (2017, January 09). GitHub secret key finder released to public. Retrieved September 5, 2018, from https://www.zdnet.com/article/trufflehog-high-entropy-key-hunter-released-to-the-masses/

Sears, C., & Isikoff, M. (2015, November 2). Chinese firm paid insider ‘to kill my company,’ American CEO says. Retrieved September 5, 2018, from https://www.nbcnews.com/news/world/chinese-firm-paid-insider-kill-my-company-american-ceo-says-flna6C10858966

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton: CRC Press.

Stahl, L. (2016, January 17). The Great Brain Robbery. Retrieved September 5, 2018, from https://www.cbsnews.com/news/60-minutes-great-brain-robbery-china-cyber-espionage/

Venezia, P. (2014, June 23). Murder in the Amazon cloud. Retrieved September 5, 2018, from https://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html

Sharing this because I have shared many classes with many of you and we have often talked about how enterprises balance security investments vs. the cost of an exploit.  I have argued in the past and continue to argue that many organizations focus on JES (Jest Enough Security) to satisfy regulators, insurance companies, etc… The focus is not on securing personal information, but rather on reducing corporate risk, this is just another example of why.

https://techcrunch.com/2018/09/08/equifax-one-year-later-unscathed/

Scott, always a good read, although I do have a bit of an issue with making the word “hacker” synonymous with “the big bad wolf”. 🙂 The “hackers” of the Homebrew Computer Club would probably take issue with this as well, folks like Ed Roberts who built the Altair, the hardware platform that gave birth to Microsoft and Steve Wozniak (aka Woz) who of course designed and developed the Apple I.

Hackers are individuals who enjoy the intellectual challenge of creatively overcoming limitations of software systems to achieve novel and clever outcomes. Now I do understand the modern day (security) hacker colloquialism, so we have now turned what used to be a hacker culture into a maker culture but they are essentially the same thing.

Furthermore, even if we stay with the colloquial definition of “hacker” I am not sure that white hat hackers would appreciate being called “the big bad wolf”, but then again maybe they are “the big bad wolf”, just a sanctioned wolf.

I couldn’t agree more, nation-state hacking is modern-day warfare, waged in the depths of cyberspace with digital assets and information as the objective. Stuxnet is a great example, and the Stuxnet virus was just one virus in a massive U.S. cyber warfare operation called Olympic Games.

References

Sanger, D. E. (2012, June 01). Obama Order Sped Up Wave of Cyberattacks Against Iran. Retrieved September 9, 2018, from https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

Schafer, S. (2017, March 31). White Hat vs. Black Hat Hackers and The Need For Ethical Hacking. Retrieved September 9, 2018, from https://www.clearpathit.com/white-hat-vs-black-hat-hackers-and-the-need-for-ethical-hacking

Regardless of my politics, my parents raised me with more sense than to burn my own (expensive) clothing.  Here is an idea, if you don’t like the Nike campaign, don’t burn your clothes, take the money you now need to spend replacing the clothes and put it to work.

I am what you would call a value and comfort shopper, so if Nike shoes are comfortable and on sale, I buy Nike, not because I have an affinity for the swoosh or Phil Knight or Bill Bowerman or the latest ad campaign, but because they were comfortable and cheaper than the Adidas sitting next to them on the rack. Just Do It! Keep gluing rubber to a leather upper that is comfortable and having good sales, and I’ll be a customer. 🙂 I am actually amazed at the power of a shoe company to excite and enrage people.

Andrew, I know from being in numerous classes with you and reading other posts that you are focused on cloud technologies. I think we are seeing vulnerabilities in the Open Source and cloud world today that will be both challenging for enterprises to plug and will likely create an entirely new security market. With applications like truffleHog popping up every day and being made available to the masses, it’s far too easy to scrape public repositories like GitHub for security credentials.

I think we are in a world today where we are looking to enable developers, this means technology adoption is decentralized, occurring from the individual inward, rather than from the centralized and being pushed from IT organizations outward.  We are trying to balance enabling developers to increase the velocity of innovation while maintaining corporate governance, this is not easy.

When corporate IT was the glasshouse with centralized command and control we had Shadow IT, today DevOps has replaced Shadow IT.  In some cases, this shift was accompanied by governance, but in many cases organizations realized that the war on Shadow IT was unwinnable and pivoted to DevOps to reposition the exposure of Shadow IT as the fuel of innovation and competitive advantage. I believe there is a ton of opportunity for security providers to deliver tools that are transparent and frictionless to the enterprise that will identify things like API keys being committed to a git repo and either stop the commit or better yet strip the sensitive information and allow the commit to happen (aka frictionless).  The key here is transparent and frictionless.

References

Vadaganadam, A. (2018, May 30). Has DevOps Caused the Re-emergence of Shadow IT? Retrieved September 9, 2018, from https://devops.com/has-devops-caused-re-emergence-shadow-it/

Assignment

FIT – MGT5155 – Week 1

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.

Hello all, full disclosure, I spend my days writing code and automating repetitive tasks. Introductions in this context are a repetitive task so those who have been in prior classes with me have seen some variation of the introduction below.  Need to read on; questionable. 🙂

My name is Rich Bocchinfuso; I hold a BS in Computer Information Systems and I am pursuing an MS in Information Technology with a specialization in Cybersecurity at Florida Tech. I am 45 years old and have been in technology for ~ the past 23 years, and I am lucky in the sense that my career as a technologist and developer is also my passion, because I spend 10 to 15 hours a day in front of a computer. I live in New Jersey and work from somewhere in the world on any given day (flying over 100K miles a year is probably the best way to describe it). I am married to my amazing wife of eighteen years, Gwen, and we have two little girls, Maddy who is thirteen and Eden who is seven. Both my wife and I are originally from Pennsylvania, but we have made New Jersey our home for the past twenty years.

My desire to attend graduate school is driven by personal fulfillment as well as a desire to develop skills which will allow me to grow professionally. My goal is to complete the master’s program in information technology with a specialization in cybersecurity and to make practical use of the academic skills I acquire. I am a driven self-starter who is committed to achieving my educational and professional goals. With the half-life of discrete technical knowledge shrinking, I have been leveraging learning platforms such as Coursera, edX, Udemy, CloudAcademy, Pluralsight, CBT Nuggets, Codecademy, SoloLearn, PentesterLab and others for years to combat mental atrophy. I regularly listen to and watch podcasts, and read industry publications and whitepapers to stay abreast of industry happenings.

For as long as I can remember I have loved tinkering and it is this love of tinkering that became the basis of my love of computing and technology. Over the past twenty-plus years, I have invested an immense amount of time honing my craft. I am an avid maker; I enjoy building things, writing about and sharing what I create. For the past ten years, I have been maintaining and sharing my ideas via my blogs:

These two sites pretty much tell my story.

I am an analytical person who enjoys making decisions rooted in empirical data, and I am an INTP (https://www.16personalities.com/profiles/57648d209ea7b).

This is my tenth course in an eleven-course program; next stop for me is a PhD program. I am happy to be part of this class, and I look forward to sharing this learning experience with all of you.

-Rich

BTW – If anyone happens to be in Vegas this week at VMworld DM on twitter (@rbocchinfuso) and let’s grab a cocktail.

Brian, nice to virtually meet you. Parenting is the hardest and most rewarding job on the planet; not sure if I’ll ever consider myself accomplished. I have my fingers and toes crossed that I feel good about what I accomplished at the end of the rainbow; if parenting has taught me anything it’s that there is a lot in life that is outside your control.

This week I had the honor to see Malala Yousafzai speak and it was truly amazing. Her parents set the bar pretty high. Such an amazing young woman.

I’ll be honest, I don’t love InfoSec focused podcasts. I do on occasion listen to Down the Security Rabbithole, if it’s a topic I like.

I read the Krebs on Security blog regularly.

While not security focused, I suggest checking out Datanauts.

I like Tim Ferriss, I listen to the Tribe of Mentors podcast regularly.

I listen to quite a few other tech-related podcasts, most notably a16z, The Cloud Cast, The HOT Aisle, PodCTL, Hak5, Talk Python to Me & AWS Podcast.

Other Tim Ferriss-like podcasts I like include Rocketship, Masters of Scale, StartUp and The Pitch.

Links to most of these podcasts, if you’re interested, can be found here (sorry, got tired of creating the hyperlinks): http://bocchinfuso.net/index.php/links/

Scott, good to see you again. Hope things are going well with the new house. I am still in Vegas, feel like I’ve been in a time warp for a week. I am probably here six times a year, six times too often; if every conference was moved somewhere else I would be good with it. Luckily tonight I have no commitments, so room service and peace and quiet are on the agenda.

My normal travel routes take me to EWR (home), LAS, SFO, LAX, AUS, CMH, and DUB on a regular basis. Would be great to grab a beer or two sometime.

Glad you like my posts, I like to write so I do. Spent most of this week writing and here I am still writing. If you are interested here is my first blog post from VMworld: http://gotitsolutions.org/2018/08/30/vmworld-2018-goodness-and-the-purpose-motive/

I have 3 others which I have to complete so they can be published but shifted gears because I was getting writer’s block.

We’re nearing the end.  Good luck with this class.

-Rich

Carmeshia, good to see you again and thanks for the kind words. Gotta convince my family to say goodbye to me for 3 more years, the toughest part of adult education.

Tech is the type of business where you have to be committed to learning forever. I’ve enjoyed the program because it helped me push into areas I wouldn’t go on my own and I have leveraged a lot of what I have learned. For instance, the Org Behavior class wasn’t my favorite but I have used the motivation theory in like six presentations.

Having had the pleasure of seeing Malala Yousafzai speak this week, it really drives home how powerful education is, and how threatened some are by it.

Good luck in the class.

-Rich

Scott, tech is used to HR nightmares, somehow it’s gotten worse, not better, I am sure HR would have no time to worry about you.  Wanna have your mind blown, read Brotopia.  The world seems to be getting stranger and stranger with each passing day.

When you get your first Cyber Security gig we're gonna meet at DerbyCon, by far the most fun InfoSec conference out there.  Check out the Hack My Derby Contest, 7:00 minutes into this video:  DerbyCon 6.0 2016: Hack My Derby Contest – Hak5 2105

-Rich

Carmeshia, I think I am one of the few people I know who still builds their own PC.  I have been a Linux user on the desktop since the early 90s, and the circles I run in are full of propeller heads, but the entire industry has moved away from hardware towards software, people just want a hardware platform that is stable, the Mac w/ macOS which is really just BSD (Darwin), the cloud, etc.  As a Linux user, I have never really seen the point in overpaying for an Intel-based machine with a metal case, I say this as I type this post on my Pixelbook. 🙂  I think Google will give Apple a run for their money as they have built a great hardware platform that makes it easy to support ChromeOS, Android and Linux apps, and soon it looks like they will support Windows on the bare metal.  The cloud has really changed the PC market and I feel we are just at the beginning, from an applications perspective like Google Docs and Office365 and from a security perspective as well, as more and more desktop security applications leverage the cloud and data captured from a network of connected endpoints.

I recently finished a Coursera course entitled Usable Security, the course focused on the balance between security and human-computer interaction; security has to consider human-computer interaction to drive adoption and adherence; when security measures impede progress users will spend more time working around security measures, often creating greater risk.

References

Coursera. (n.d.). Usable Security. Retrieved September 2, 2018, from https://www.coursera.org/learn/usable-security

Feeling a bit dense here, posted my “Introduction” and “Information” week one discussion post without realizing that the “Information” side of the post should have been a commentary on the “Information” lecture. I will chalk it up to a long week, adding my “Information” commentary below.

I’ve spent 18 years of my 25-year career in the information storage and data protection space. Over these 18 years, I have focused on primary, secondary and tertiary storage platforms with careful attention paid to data classification for the purpose of determining the appropriate architectures to satisfy data protection (replication, backup, etc.), performance, encryption, etc. requirements. Data classification has always been and continues to be an essential aspect of what I do. For years I have classified information to determine RPO (Recovery Point Objective) and RTO (Recovery Time Objective). Today with the emergence of the cloud we organize data to assess where to place it in the cloud. Does the data need to live on block storage like AWS EBS; can the data live on object storage like AWS S3; does the data require eleven 9s of availability; is reduced redundancy storage with four 9s of availability acceptable; does tiering to long-term archive storage like AWS Glacier work; is encryption needed; at what level does the data need to be encrypted; what is the key rotation strategy; what key management system should be used, etc.

Data and information classification is key to balancing capability and cost. As we experience greater data sprawl with the increased adoption of Hybrid IT (hybrid cloud) and multi-cloud provider strategies, data governance becomes even more critical. We are all seeing the impact of privacy regulations like GDPR (EU General Data Protection Regulation), just about every website we hit today requires explicit consent to cookies, the result of GDPR. (Irwin, 2018)  There is no end in sight to the amount of data we are creating and we can expect the need for information classification and security to increase exponentially.

References

Henning, R. R. (n.d.). Information. Retrieved September 2, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU0yVjEvRGF0YS9tb2R1bGUueG1s

Irwin, L. (2018, August 16). How the GDPR affects cookie policies. Retrieved September 2, 2018, from https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies

FIT – MGT5157 – Week 7

One-off post because Defcon is happening in Las Vegas, if you wanna see what you’re trying to protect against I suggest the following week’s activities. 🙂  https://twitter.com/hashtag/defcon?src=hash

From solving fizzbuzz with TensorFlow to curing cancer and everything in between, machine learning is changing how we programmatically solve problems, no longer focusing on loops, conditionals, and functions to solve a finite problem, but rather using training data and machine learning to teach the computer how to solve problems even if the inputs change from what is expected.  Essentially we are using training data to teach the computer to reason, we call this inference.  Solving the fizzbuzz problem with TensorFlow is a great example of how machine learning can be used to solve a simple problem.

If you are not familiar with fizzbuzz, it’s a common programmer interview question.

Write a program that prints the numbers from 1 to 100. But for multiples of three print “Fizz” instead of the number and for the multiples of five print “Buzz”. For numbers which are multiples of both three and five print “FizzBuzz”.

A solution written in python might look like this:

Above you can see that the python code solves the problem as presented, but I would have to alter the program to do the same thing for a dataset from 101 to 1000. The ridiculous example of using TensorFlow to solve fizzbuzz is the work of Joel Grus and he wrote a hilarious blog on it. Even though it is a ridiculously complex solution to the problem, and it yields the wrong answer, it is a great simple exercise to demonstrate the value of a neural network.

Maybe Elon Musk’s warning that AI could become “an immortal dictator from which we would never escape” is exaggerated for effect and Twitter fame, but it seems that AI will clearly be a strong field general with supreme control over the chosen battlefield.  It’s about more than autonomous machines, it’s about autonomous everything, it’s about not solving fizzbuzz with loops and conditional statements, but rather by building a neural network that can solve any variation of fizzbuzz.  It’s not about using malware signatures and firewall rules which statically protect north-south and east-west traffic or stateful packet inspection which requires a known signature, but rather building a neural network that can continuously train and continuously improve protections; bad news, the hacker community is leveraging machine learning, deep learning and AI to find and exploit vulnerabilities.  It’s an arms race and both sides have fully operational uranium enrichment plants, we’ll call them TensorFlow, MXNet, Pytorch, and a seemingly endless supply of uranium which we’ll call cloud GPUs. 🙂  Cisco calls this “The Network. Intuitive.” I only use Cisco as an example because they made a fancy commercial that dramatizes the use of Machine Learning, Deep Learning and Artificial Intelligence to build what they call “The Network. Intuitive.”  Oh, and who doesn’t love Tyrion Lannister?

Discussion: Identify requirements that should be considered when determining the locations and features of firewalls. What are some important steps to take to keep firewalls effective?

In the context of “determining the locations and features of firewalls,” I believe it is critical to understand how infrastructure and traffic patterns are evolving. Firewalls have always been essential in filtering and protecting north-south network traffic. The emergence of technologies like virtualization and software-defined networking (SDN) has dramatically increased east-west network traffic. Like long-range ballistic missiles have impacted aspects of the layer one protection provided by the oceans, these technologies have negated aspects of the physical layer one protection provided by physical network segmentation. Technologies like virtualization and SDN have accelerated the development of next-generation firewalls (NGFW) that deliver a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.” (Aldorisio, 2017)

Most people are reasonably familiar with perimeter security best practice.

A model that many people are familiar with is the bastion host topology. The bastion host topology would be the type of firewall topology deployed on most home networks, where the LAN (Intranet) and WAN (Internet) are firewalled by a cable modem which acts as the router and firewall.

A more complex network may utilize a screened subnet topology with the implementation of a DMZ (Demilitarized Zone). In the screened subnet topology, systems that host public services are placed on the DMZ subnet rather than on the LAN subnet. The screened subnet topology separates public services from the LAN or trusted subnet by locating publicly accessible services in the DMZ. This approach adds a layer of protection so that if a publicly available service becomes compromised, there is an added layer of security aimed at stopping an attacker from traversing from the DMZ subnet to the LAN subnet.

A topology which takes the screened subnet a step further is a dual firewall topology where the DMZ (Demilitarized Zone) is placed between two firewalls. The dual firewall topology is a common topology implemented by network security professionals, often using firewalls from different providers as an added layer of protection should an attacker identify and exploit a vulnerability in a vendor's software.

Enterprise-grade firewalls also allow for more complex topologies which extend the topologies described above beyond internal (LAN), external (WAN) and DMZ networks. Enterprise-grade firewalls support more interfaces, faster processors which allow more layered intelligent services, higher throughput, etc. The support of software features such as virtual interfaces, VLANs, VLAN tagging, etc. allows for greater network segmentation enabling the ideas discussed above to be applied discretely based on requirements.

Some steps to maintain firewall effectiveness include (Mohan, 2013):

  • Clearly define a firewall change management plan
  • Test the impact of firewall policy changes
  • Clean up and optimize the firewall rule base
  • Schedule regular firewall security audits
  • Monitor user access to firewalls and control who can modify firewall configuration
  • Update firewall software regularly
  • Centralize firewall management for multi-vendor firewalls

References

Aldorisio, J. (2017, November 27). What is a Next Generation Firewall? Learn about the differences between NGFW and traditional firewalls. Retrieved August 17, 2018, from https://digitalguardian.com/blog/what-next-generation-firewall-learn-about-differences-between-ngfw-and-traditional-firewalls

Chapple, M. (2018, August 17). Choosing the right firewall topology: Bastion host, screened subnet or dual firewalls. Retrieved August 17, 2018, from https://searchsecurity.techtarget.com/tip/Choosing-the-right-firewall-topology-Bastion-host-screened-subnet-or-dual-firewalls

Ergun, O. (2015, January 10). What is East-West and North-South Traffic | Datacenter Design. Retrieved August 17, 2018, from https://orhanergun.net/2015/01/east-west-north-south-traffic/

Hossain, M. (2014, May 21). Trends in Data Center Security: Part 1 – Traffic Trends. Retrieved August 17, 2018, from https://blogs.cisco.com/security/trends-in-data-center-security-part-1-traffic-trends

How Does Micro-Segmentation Help Security? Explanation. (n.d.). Retrieved August 17, 2018, from https://www.sdxcentral.com/sdn/network-virtualization/definitions/how-does-micro-segmentation-help-security-explanation/

Mohan, V. (2013). Best Practice for Effective Firewall Management. Retrieved August 17, 2018, from http://cdn.swcdn.net/creative/v9.3/pdf/Whitepapers/Best_Practices_for_Effective_Firewall_Management.pdf

Network and Traffic Segmentation. (n.d.). Retrieved August 17, 2018, from https://www.pluribusnetworks.com/solutions/network-traffic-segmentation/
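The screened-subnet (DMZ) topology and the "clean up and optimize the firewall rule base" step discussed in the post above, modelled as an added example (not code from the post or from any vendor). Zone names, address ranges and rules are constructed; the evaluator applies first-match-wins with a default deny, and the shadow check finds rules that an earlier rule makes unreachable.

```python
"""Zone-based model of a screened subnet: one firewall, three legs (WAN, DMZ,
LAN), first matching rule wins, default deny. Constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone layout. WAN is the catch-all; DMZ and LAN are more specific.
ZONES = {
    "WAN": ip_network("0.0.0.0/0"),
    "DMZ": ip_network("192.0.2.0/24"),   # publicly reachable services live here
    "LAN": ip_network("10.0.0.0/8"),     # trusted subnet
}


def zone_of(addr: str) -> str:
    """Map an address to the most specific zone that contains it."""
    ip = ip_address(addr)
    best = "WAN"
    for name, net in ZONES.items():
        if ip in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"


# Constructed rule base. Only 443 is opened from the internet into the DMZ,
# and the DMZ may reach the LAN only on the database port.
RULES: List[Rule] = [
    Rule("wan-to-dmz-https",  "WAN", "DMZ", 443,  "allow"),
    Rule("dmz-to-lan-db",     "DMZ", "LAN", 5432, "allow"),
    Rule("lan-to-dmz",        "LAN", "DMZ", None, "allow"),
    Rule("lan-to-wan",        "LAN", "WAN", None, "allow"),
    Rule("block-dmz-to-lan",  "DMZ", "LAN", None, "deny"),
    Rule("dmz-to-lan-db-dup", "DMZ", "LAN", 5432, "allow"),  # leftover, never reached
]


def matches(rule: Rule, src_zone: str, dst_zone: str, port: int) -> bool:
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and (rule.dst_port is None or rule.dst_port == port))


def evaluate(src: str, dst: str, port: int, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name) for a flow; ("deny", "default") when nothing matches."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return ("intrazone", None)  # same leg, the firewall is not in the path
    for r in rules:
        if matches(r, sz, dz, port):
            return (r.action, r.name)
    return ("deny", "default")


def shadowed_rules(rules: List[Rule] = RULES) -> List[str]:
    """Names of rules that can never match because an earlier rule fully covers them."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            same_zones = earlier.src_zone == r.src_zone and earlier.dst_zone == r.dst_zone
            covers_port = earlier.dst_port is None or earlier.dst_port == r.dst_port
            if same_zones and covers_port:
                out.append(r.name)
                break
    return out


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", 443),   # internet -> DMZ web
                 ("203.0.113.5", "10.1.2.3", 443),     # internet -> LAN, default deny
                 ("192.0.2.10", "10.1.2.3", 22),       # DMZ -> LAN ssh, explicit deny
                 ("192.0.2.10", "10.1.2.3", 5432)]:    # DMZ -> LAN db, allowed
        print(flow, "->", evaluate(*flow))
    print("shadowed:", shadowed_rules())
```

The "block-dmz-to-lan" rule is deliberately left after the single allowed port, so a compromised DMZ host cannot traverse to the LAN on anything else; the shadow check is the kind of test a change-management step should run before a policy push.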

Scott, good post.  Question: Do you think that it will be possible to compete in the enterprise NGFW market without a cloud-based model?  My contention is that the aggregation and profiling of data gathered from deep packet inspection across the entire industry will allow NGFW OEMs to better identify and address threats.  These datasets will also function as training data for machine learning, deep learning and AI models.  My belief is that the cloud is and will continue to play a huge role in the innovation and adoption of NGFW technologies.

FIT – MGT5157 – Week 6

Discussion: Describe the basis for effective collaboration of security defenses within and between organizations.

This is an interesting question. I think ten years ago effective collaboration of security defenses within and between organizations would be highly dependent on effective open communication between these organizations. Today I think the effective collaboration of security defenses is being aided by two core technology shifts:

  1. Cloud
  2. Machine Learning, Deep Learning, AI

Let’s start with the cloud. Today’s security providers are increasingly becoming cloud-enabled, they are relying on the aggregation of massive data sets (big data) for heuristics on massive compute farms that far surpass what is possible in a heuristics engine on a laptop, desktop or mobile device. Just about every security technology provider is leveraging the cloud and vast resources it provides. When organizations buy into the cloud-based security paradigms it is the equivalent of sharing and communicating information, but this information is now being aggregated, anonymized, analyzed and cross-referenced in real-time.  (Quora Contributor, 2018)

Machine learning, deep learning, and AI are not just buzzwords, they are technologies that harness data and continuously train models that can begin to see things which are not visible to the naked eye. These technologies are greatly altering how we think about security. Security providers like AlertLogic, Secureworks and many others that focus on IPS/IDS and incident response models leverage data which is anonymized, but aggregated and analyzed across their entire customer base; this has tremendous value. Security providers like Tanium and Panda Security and others who focus on end-point security also use cloud technologies, big data and machine learning to provide superior heuristics. For example, the embedded anti-malware in Windows 10 makes use of “cloud-based protection” to better protect users; users are opted-in to collaborating and opting-out requires user intervention that is buried in the bowels of the operating system and anti-malware (Windows Defender) configuration settings.

Collaboration and engagement require a focus on Human-Computer Interaction (HCI) to drive system usability and adoption, this is especially true in the field of security. Users vary and they have different expectations of the systems they interact with, a simple blacklist or whitelist approach no longer gets the job done, these approaches slow productivity and encourage working around the system. (Coursera, 2018)

Intelligent security systems which leverage AI may be able to adapt security protocols based on user usage profiles. For example, which users took the lollipop and which users didn’t, and should the way security is enforced for these two user types differ? (DreamHost, 2018)

To close out my thoughts this week, I will end with an example of a security problem that is not a platform problem, but rather a usage problem, as is often the case. For those of us who have used Amazon (AWS) S3, the AWS object storage service, we know that AWS offers extremely fine-grained ACLs for S3 buckets; the security paradigm is quite robust and defaults to no-access, but this robustness and fine-grained programmatic and composable infrastructure comes with complexity (Amazon, 2018), complexity leads to usability challenges, which leads us to exposing data which is not intended to be exposed. This week that victim was GoDaddy, who exposed an S3 bucket containing configuration data for tens of thousands of systems, as well as sensitive pricing information, apropos given our collective conversations last week regarding GoDaddy and DNS registrars.  (Chickowski, 2018)

With > 80% of all corporations experiencing a hack of some sort, exploitation is on the rise and there is no end in sight. (Lipka, 2015) As we continue towards a public cloud world, platforms are providing more choice, easier access, and the ability to be more agile, build faster and come to market faster, but we’ve lost the simplistic nature of layer 1 security. We have to have security systems that live at a layer above layer 1, human interaction, and communication. I believe that progress will depend on the ability of the security systems of today and tomorrow to facilitate zero touch collaboration in an automated and secure way.

References

Amazon. (2018, August 10). Bucket Policy Examples. Retrieved August 10, 2018, from https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

Chickowski, E. (2018, August 9). AWS Employee Flub Exposes S3 Bucket Containing GoDaddy Server Configuration and Pricing Models. Retrieved August 10, 2018, from https://www.darkreading.com/attacks-breaches/aws-employee-flub-exposes-s3-bucket-containing-godaddy-server-configuration-and-pricing-models/d/d-id/1332525

Coursera. (2018, August 10). Usable Security. Retrieved August 10, 2018, from https://www.coursera.org/lecture/usable-security/course-intro-60olh

DreamHost. (2018, January 30). Take This Lollipop… I Dare You! Retrieved August 10, 2018, from https://www.dreamhost.com/blog/take-this-lollipop-i-dare-you/

ElsonCabral. (2011, October 26). Take This Lollipop. Retrieved August 10, 2018, from https://www.youtube.com/watch?v=pbQm-nIMo_A

Lipka, M. (2015, June 05). Percentage of companies that report systems hacked. Retrieved August 10, 2018, from https://www.cbsnews.com/news/percentage-of-companies-that-report-systems-hacked/

Quora Contributor. (2018, February 15). How Will Artificial Intelligence And Machine Learning Impact Cyber Security? Retrieved August 10, 2018, from https://www.forbes.com/sites/quora/2018/02/15/how-will-artificial-intelligence-and-machine-learning-impact-cyber-security/#34f878166147
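The S3 exposure pattern from the post above (a bucket policy that is fine-grained in principle but made public by one over-broad statement) is the kind of thing a pre-deployment check can catch. This is an added example, not the post's or AWS's code; the bucket policy, bucket name and account ID are constructed, and the check looks only at the policy document (ACLs and Block Public Access settings are separate controls it does not see).

```python
"""Flag bucket-policy statements that grant sensitive S3 actions to anonymous
principals. Added example with a constructed policy document."""
import json
from typing import List

# Constructed policy: one public-read statement with no Condition, and one
# correctly scoped to a single IAM role. Bucket name and account are placeholders.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-config-bucket",
                   "arn:aws:s3:::example-config-bucket/*"]
    },
    {
      "Sid": "DeployRoleWrite",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-config-bucket/*"
    }
  ]
}"""


def _as_list(value) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal) -> bool:
    """True for the wildcard principal forms that mean 'anyone on the internet'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def is_sensitive(action: str) -> bool:
    """Read, list, write, delete or wildcard actions are sensitive when public."""
    a = action.lower()
    if a in ("s3:*", "*"):
        return True
    return any(a.startswith("s3:" + prefix) for prefix in ("get", "list", "put", "delete"))


def public_statements(policy_text: str) -> List[dict]:
    """Return one finding per Allow statement reachable by anonymous principals.

    A Condition block narrows the grant (for example to a VPC or source IP range),
    so a conditioned statement is reported as medium rather than high severity.
    """
    policy = json.loads(policy_text)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        actions = [a for a in _as_list(st.get("Action", [])) if is_sensitive(a)]
        if not actions:
            continue
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": actions,
            "resources": _as_list(st.get("Resource", [])),
            "severity": "medium" if "Condition" in st else "high",
        })
    return findings


if __name__ == "__main__":
    for f in public_statements(POLICY_JSON):
        print(f["severity"].upper(), f["sid"], f["actions"])
```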

James, I would go as far as to say unless mandated by a regulatory requirement very few enterprises are advertising breaches, and even when mandated by regulatory bodies they are pushing the boundaries of the disclosure.  For example, Equifax took six weeks to disclose the hack, not the only major enterprise in a regulated industry looking to delay disclosure.   The bigger the organization and the more sensitive the data, the tighter and more broad sweeping the NDAs.  Ed Snowdens are not falling out of trees and the number of statistical breaches, when contrasted with the number of reported breaches, says there is more interest in obfuscation than there is in disclosure.  Sure, the OTR conversations can happen at an InfoSec meetup, but the bigger the enterprise the more isolated and focused exposure is becoming, with access to systems, processes, conversations, etc. becoming so tightly governed that it’s getting harder and harder to assemble a full picture of a situation. Those who do have the complete picture don’t attend InfoSec meetups, they are busy having dinner at Le Bernardin. 🙂

I think it’s a fair assumption to assume we know only a small fraction of what’s happening and that the preponderance of the most diabolical stuff never makes it into the mainstream.  As technology becomes a profit center for every company, we will see more and more of this.  The days of we are a manufacturing company and tech is a cost center are over, big data, analytics, and machine learning are driving every industry, with the CMO spending more on technology than the CIO.

Not saying we shouldn’t keep trying, but I believe we will see significant innovations that will change the game, relying less on the good behavior of people and more on the machine to make and monitor decisions.  Andrew mentioned the Target breach, there is no reason that a PLC network for HVAC controls should have >= layer 2 access to a network for payment processing, IMO layer 1 is even questionable; what should have been disclosed is the name of the network architect who built that infrastructure and everyone who looked at it thereafter and didn’t yell from the rooftop.

References

Isidore, C. (2017, September 8). Equifax’s delayed hack disclosure: Did it break the law? Retrieved August 10, 2018, from https://money.cnn.com/2017/09/08/technology/equifax-hack-disclosure/

McLellan, L. (n.d.). By 2017 the CMO will Spend More on IT Than the CIO. Retrieved August 10, 2018, from https://www.gartner.com/webinar/1871515

Andrew, let’s assume that an organization or organizations have a well designed and implemented network infrastructure using platforms from providers like Cisco, Juniper, Palo Alto, etc.

[Figure: private spine-leaf design principles]

Organizations acting together (e.g. suppliers and buyers in a supply chain system) can secure their data exchange on encrypted channels, they can use multi-factor authentication, they can use geo-fencing, they can use certificate-based PKI smart cards, but what if the exploit resides in the router or firewall code?  What if there is an APT (Advanced Persistent Threat) against organization X which exploits some vulnerability in the router or firewall code?  When organization X identifies the breach, do they communicate that they have been breached?  If so, to whom?  While agreeing that open communication is key to slowing the bad guys, reducing the blast radius, etc., I also believe there are few organizations willing to volunteer that they have been breached, this is especially true if the breach has to do with human error, which they so often do.  The reports we see are typically driven by watchdog groups, like the recent GoDaddy breach; by a regulatory requirement to disclose like the Target or Equifax breach; by a catastrophe like the CodeSpaces breach, but in most cases the motivation to disclose is not very strong at all.  I believe the answer resides in anonymizing the breach reports, focusing a little less on corporate accountability and more on getting the data needed to start programmatically plugging the gaps, making the system less punitive and mandating more tech to secure the network so the machine may save us from ourselves.  In essence more carrot and less stick.  For example, what if in the case of Target there was stateful packet inspection which saw both PLC data and payment processing data flowing on the same network, and took automated action to segment the traffic, shut the traffic down, etc.
Sure these technologies will get hacked as well, but people are inherently poor binary decision makers and I think we will see a different paradigm emerge.  I think we are seeing it already.

Scott, enjoyed the post.  I think this is my first comment on one of your posts in this class.  I like Canvas 1000x better than the old LMS but it feels like this class has more students or something because the discussion threads are long.  Anyway, I have a few friends who work for FireEye, they are 100% focused on APTs (Advanced Persistent Threats) and what they will say is that FireEye focuses on four things: Prevent, Detect, Contain, Resolve. While prevention and detection are important, with APTs the bad guys will typically find a way in so they put a heavy focus on containment.  What containment is about is not letting the bad guys leave once they are in.  I always think about the bar scene from the movie “A Bronx Tale”.  The bad guys walk into the bar, but then they are contained. 🙂

Starting to see more and more focus on preventing data exfiltration (DLP).

FIT – MGT5157 – Week 5

Discussion: What is the market for DNS control? Who are the big players in managing domain names? Can domain names be exploited?

The market for DNS control is competitive. There is more to DNS control than just owning the DNS resolution, companies like GoDaddy are domain registrars, but they also provide services which leverage those domains, services like web hosting and email.  Organizations like GoDaddy started as registrars and grew into internet service providers, the same is true of organizations like AWS who started as service providers and saw an opportunity to be the domain registrar, so AWS started a service called Route53 (cool name because port 53 is the port that DNS runs on).

Domain names are controlled by ICANN (Internet Corporation for Assigned Names and Numbers). ICANN is a non-profit organization that acts as the governing body tracking domain names maintained by domain name registrars like GoDaddy and NameCheap. The ICANN master domain name database can be queried using “whois”.

Authoritative DNS root servers are controlled by only a few key players; these hostnames actually point to an elaborate network of DNS servers around the world.

Source:  Iana. (2018, August 3). Root Servers. Retrieved August 3, 2018, from https://www.iana.org/domains/root/servers

It’s not hard to understand why VeriSign is at the top of the list when you understand the relationship between ICANN and VeriSign.  As you look down the list, not surprisingly there is a correlation between the authoritative DNS root servers and Class A address ownership. With the DoD owning 12 Class A addresses you would imagine they would have an authoritative root DNS server.

Source:  Pingdom. (2008, February 13). Where did all the IP numbers go? The US Department of Defense has them. Retrieved August 3, 2018, from https://royal.pingdom.com/2008/02/13/where-did-all-the-ip-numbers-go-the-us-department-of-defense-has-them/

Querying the ICANN database for a specific domain name will return relevant information about the domain name as well as the registrar.

Above we can see that a “whois bocchinfuso.net” reveals the registrar as NameCheap, the NameCheap IANA ID, etc.

Each domain registrar is assigned a registrar IANA (Internet Assigned Numbers Authority) ID by ICANN.

DomainState tracks statistics about domain registrars so we can easily see who the major registrars are.

Source:  DomainState. (2018, August 3). Registrar Stats: Top Registrars, TLD Marketshare, Top Registrars by Country. Retrieved August 3, 2018, from https://www.domainstate.com/registrar-stats.html

GoDaddy is ~ 6x larger than the number two registrar. GoDaddy has grown to nearly 60 million registered domains both organically and through acquisition.

Yes, DNS can be exploited. DNS allows attackers to more easily identify their attack vector. DNS servers are able to perform both forward (mapping a DNS name to an IP address) and reverse lookups (mapping an IP address to a DNS name); this allows attackers to open the internet phone book, easily acquire a target and commence an advanced persistent threat (APT).

Domain names are often linked with branding, so once an APT commences against a domain the resident can’t move.  DNS can also play a role in protecting against threats. Services like Quad9 and OpenDNS provide DNS resolvers which are security aware. These DNS resolvers block access to malicious domains.

Because DNS names are how we refer to internet properties, typosquatting is a popular DNS threat. Typosquatting is a practice where someone uses a DNS name that is similar to a popular domain name, capturing everyone who typos the popular domain name.

DNS servers are ideal DDoS attack targets because the inability to resolve DNS addresses has an impact across the entire network.

Registrar or domain hijacking is when the attacker gains access to your domain by exploiting the registrar. Once the attacker has access to the domain records they can do anything from changing the A record to a new location to transferring the domain to a new owner. There are safeguards that can be put in place to protect against unauthorized transfers, but someone gaining access to your registrar is not a good situation.

DNS is a massive directory and to decrease latency DNS caches are placed strategically around the Internet. These caches can be compromised by an attacker and resolved names may take an unsuspecting user to a malicious website. This is called DNS spoofing or cache poisoning.

These are just a few DNS attack vectors, there are plenty of others. The convenience of DNS is also what creates the risk. DNS makes it easy for us to find our favorite web properties like netflix.com, but it also makes it easy for an attacker to find netflix.com.


Carmeshia, I enjoyed your post. You bring up an interesting point regarding centralization, control, and exploitation. What do you think is more secure, a centralized or decentralized DNS registrar system?

With the increase in APTs (advanced persistent threats) I tend to favor decentralization, but everyone has a perspective; I'm interested in hearing yours.

Nawar, good post, I enjoyed reading it. While DNS is not a security-centric protocol, few protocols are. The network's reliance on DNS is both a good and a bad thing. Because DNS name resolution is such a critical network function, it is the target of attacks like DDoS attacks, because the blast radius of an attack on DNS is significant. With this said, the essential nature of DNS also has many focused on protecting it and mitigating risk. Services like Cloudflare, Akamai, Imperva Incapsula, Project Shield and others have built robust anti-DDoS systems to identify and shed DDoS traffic.

Sharing some pretty interesting data when comparing the top DNS providers.

https://www.datanyze.com/market-share/dns/Datanyze%20Universe/

When you start to segment domains by Alexa rank, GoDaddy gets outranked by Cloudflare, Amazon Route 53, Akamai, and Google DNS pretty consistently.

dns market share

Some good detail on why in this article: https://stratusly.com/best-dns-hosting-cloudflare-dns-vs-dyn-vs-route-53-vs-dns-made-easy-vs-google-cloud-dns/

The moral of the story here is that while GoDaddy appears to be the Goliath, and they are in terms of domain name registration volume, the FANG (Facebook, Apple, Netflix, Google) type companies own the internet traffic, and the volume DNS registration game is becoming a commodity. GoDaddy has the first mover advantage, but competitors like namecheap.net and name.com are coming after them. With Netflix accounting for nearly 40% of all internet traffic, the FANG companies matter, and I don't think the Cloudflares, Akamais, and Amazon Route 53s of the world want to chase the GoDaddy subscriber base.

Assignment