Richard J. Bocchinfuso

"Be yourself; everyone else is already taken." – Oscar Wilde

FIT – MGT5155 – Week 8

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.

Unlike Andrew who intelligently worked ahead, I have been just trying to keep up given my travel the last month or so. I live in New Jersey and in the last 30 days I have been to SFO four times, LAX once, SNA once, LAS once, CMH once, DUB once, CDG twice and LHR once. Today I arrived home on a redeye from SFO and Sunday night I fly to Heathrow. It’s been a long few months and at the moment my travel schedule looks the same through March 2019. I have really enjoyed the discussion post style in this class, I like the open-ended thought-provoking approach and the latitude it provided. I really feel this provided a great approach to develop the dialog and I have enjoyed reading and contributing each week.

“We Have Met the Enemy…”

Have We Met the Enemy? IMO, ABSOLUTELY NOT! The enemy lives in the shadows; we have met the threat, but not the enemy. We hypothesize on who the enemy might be based on the target, but in most cases we have not met the enemy. I really like this quote: “the benefit of finding out just who is poised to attack you pales in comparison to finding out what they have an opportunity to attack.” (Robb, 2016) This is interesting to me from a few perspectives:

  1. Does knowing who the enemy is or meeting them offer a benefit? If so, what?
  2. What is the probability of identifying the enemy vs. identifying the vulnerabilities? Are we looking to answer the question of “who” before we answered the question of “what”?
  3. Do you focus on the intangible and arguably insignificant answer to the question of “who” or do you focus on the tangible and valuable answer of “what”?

We know that there is an increase in threats from nation-state hackers (Sheridan, 2018) and hacktivist groups like Anonymous (OConnell, 2016), but is it relevant? Yes, the intent is relevant, because a script kiddie just joyriding on your network is a lot different than a nation-state exfiltrating data. Yes, it’s relevant to know what you offer to a hacker, why you might be the target of an APT (Advanced Persistent Threat), and to hypothesize on where attacks might originate, because this might allow you to get into the mind of the attacker, and thinking like the attacker can help you better prepare. With this said, I think it’s important to realize that regardless of whether it’s a nation-state or a script kiddie looking to joyride, the vulnerability was what they exploited; hedging a strategy based on who the attacker might be and the damage they might do is probably not the right decision.

Anticipating the “who” is like watching NFL game tape; it helps you prepare to read the offense so you can orchestrate a defense with a higher probability of success. While NFL players may not be better raw players as a result of sitting and watching game tape, they are developing the edge that allows them to exploit the opponents’ vulnerability. Hackers do this, but an unprepared or underprepared end-user (the human factor) is often what the hacker is betting on. The ability to read the defense or the offense comes from education. The ability for the end user to identify a potential phishing attack comes from education and vigilance. The difference between the opposing forces in the NFL and the hacker vs. the end-user is that the hacker is far more invested than the end-user. We need to educate the end-user to realize that we live in an era where data is more valuable than oil, and that they, the end-user, the human factor, are the best defense or the biggest weakness.


de Bruijn, H., & Janssen, M. (2017). Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly, 34(1), 1-7.

OConnell, J. (2016, September 13). 10 Most Notorious Hacking Groups of All Time. Retrieved October 19, 2018, from

Robb, S. (2016, September 30). Cyber Defense and the Unknown Enemy: 3 Best Practices. Retrieved October 19, 2018, from

Sheridan, K. (2018, February 29). 8 Nation-State Hacking Groups to Watch in 2018. Retrieved October 19, 2018, from

The world’s most valuable resource is no longer oil, but data. (2017, May 06). Retrieved October 19, 2018, from

Wright, K. (2012, March 01). Cybersecurity Roundtable: The Enemy is Unknown. Retrieved October 19, 2018, from

Andrew, I can certainly relate to your travel schedule, my past few months have been brutal as well. Glad to be nearing the finish line.

I agree with you that the enemy is the human factor. Let’s face it, the internet is one giant honey pot, and for those with skill, desire and malicious intent it’s the perfect storm of riches and anonymity. If we believe that data is the new oil, we (as individuals) often leave our most valuable asset (data) unprotected. While I don’t use dictionary words or l33t passwords, I don’t use single-factor authentication, etc., the average person puts their information on the information superhighway with an easy to remember l33t password, no multifactor authentication, and they use that same password everywhere. Hacks where user information is exfiltrated allow the creation of huge word lists which can be used for dictionary attacks. There is a multiplier effect each time user data is exfiltrated because of our individual security practices.

The Target data breach is just plain scary. Why would an HVAC contractor have access to Target’s internal systems? Assuming they needed access for whatever reason, why they would be given access to systems on a network segment which can route to the payment systems is just beyond odd. In the case of Target, it seems there was a massive technology architecture fail that occurred way upstream of the IPS/IDS events and SOC response.

The human element is by far the largest vulnerability in any system, old-school espionage is alive and well, social engineering is on the upswing and FOMO is not helping our security posture.


Krebs, B. (2014, February 5). Target Hackers Broke in Via HVAC Company. Retrieved October 20, 2018, from

Passwords. (n.d.). Retrieved October 20, 2018, from
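To make the multiplier effect concrete, here is an added example (my code, not from the original post or its sources) of how one site’s leaked plaintext dump becomes a mangled wordlist that cracks reused passwords at a second site. Everything in it is constructed: the two fictional sites, the users, the passwords, the mangling rules, and the assumption that the second site stores unsalted SHA-256 (a salted, slow hash such as bcrypt would defeat the precomputed lookup used here).

```python
"""Breach dump -> mangled wordlist -> dictionary attack on a second site.

Added example; all sites, users, passwords and hash formats are constructed.
"""
import hashlib
from itertools import product

# Constructed: plaintext credentials leaked from fictional "site A".
SITE_A_DUMP = [
    ("alice@example.com", "Summer2018"),
    ("bob@example.com", "p@ssw0rd"),
    ("carol@example.com", "Tr0ub4dor&3"),
]

# Mangling rules modelling the habits the post describes: l33t swaps,
# case changes and a handful of common suffixes.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "!", "1", "123", "2018", "2019"]


def mangle(word):
    """Yield candidate passwords derived from one leaked password."""
    base = {word, word.lower(), word.capitalize()}
    lower = word.lower()
    leet = "".join(LEET.get(c, c) for c in lower)      # password -> p@$$w0rd
    unleet = lower
    for plain, sub in LEET.items():                     # p@ssw0rd -> password
        unleet = unleet.replace(sub, plain)
    base |= {leet, unleet, unleet.capitalize()}
    for stem, suffix in product(sorted(base), SUFFIXES):
        yield stem + suffix


def build_wordlist(dump):
    """Deduplicated wordlist built from every password in the dump."""
    seen, words = set(), []
    for _, password in dump:
        for candidate in mangle(password):
            if candidate not in seen:
                seen.add(candidate)
                words.append(candidate)
    return words


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed: fictional "site B" stores unsalted SHA-256 (assumed).
SITE_B_HASHES = {
    "alice": sha256_hex("Summer2018!"),                   # reused, suffix added
    "bob": sha256_hex("Password123"),                     # de-l33ted reuse + suffix
    "carol": sha256_hex("correct horse battery staple"),  # unique, not derivable
}


def crack(hashes, wordlist):
    """Dictionary attack: hash each candidate once, then look every stored hash up."""
    lookup = {sha256_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


if __name__ == "__main__":
    words = build_wordlist(SITE_A_DUMP)
    print(f"{len(words)} candidates from {len(SITE_A_DUMP)} leaked passwords")
    print(crack(SITE_B_HASHES, words))
```

Alice and Bob fall because their site-B passwords are trivial derivations of what leaked from site A; Carol survives because nothing in the dump leads to her passphrase. Each additional breach feeds more stems into `mangle()`, which is the multiplier the post describes.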

Kamelia, I agree, the biggest vulnerability being exploited by hackers is the uneducated or undereducated end user. But we have some real things to be concerned about when it comes to the human factor.

  • Rule #1: We have an entire generation entering the workforce which has been labeled the “Click Generation”. (Marcia, 2015) This generation (Gen Z) will eclipse Millennials in terms of economic power by 2020. (Morris, 2018) As the label suggests, they like to “click”, and they do it fast and furiously.
  • Rule #2: What’s email? Isn’t that for old people?
  • Rule #3: What’s a “preview” pane? Oh, something else for old people.

The world is changing fast, but there is some good here.
My kids, who are both Gen Zers, have no desire to use Windows or MacOS; they are either on their iPhone or Chromebooks. This is good and bad. In theory, because they don’t use thick clients, a centralized security paradigm may be easier to architect and enforce. The ransomware we’ve come to know that attacks CIFS shares is made extinct via the extinction of the CIFS/SMB protocol. The bad news is the “Click Generation” oozes FOMO, so the idea of slowing down clicking seems unlikely. Centralization creates a larger honey pot with a much larger blast radius. Only time will tell.


Marcia. (2015, July 27). Generation Z Coming Into The Workforce | Click Generation. Retrieved October 20, 2018, from

Morris, C. (2018, May 2). Gen Z will outnumber millennials by 2020. Retrieved October 20, 2018, from

8.3 Exam Results

Score for this quiz: 300 out of 300

FIT – MGT5155 – Week 7

“Pen Testing” or Penetration Testing is typically conducted by white hat hackers, also known as ethical hackers. In contrast to black hat hackers, who attempt to hack, penetrate, exploit, vandalize, etc. systems, the white hat hacker attempts to penetrate a system to identify vulnerabilities so they can be remediated. It is important to realize that vulnerability scans and penetration tests are not synonymous. Vulnerability scans are often automated and inspect systems for known vulnerabilities, while penetration tests focus on attempting to exploit a system; this can be any combination of attack tactics including both social engineering (hacking the human factor) and technical hacking (hacking the machine). (Barnett, 2017) A penetration tester acts as an attacker, adopting the mindset of the attacker. Penetration testers need to possess the technical skills to conduct attacks, but they also need the mind of an attacker. This is why we see famous black hat hackers like Kevin Mitnick running successful cybersecurity businesses like Mitnick Security. The move from black hat hacker to white hat hacker is no different than the story told in “Catch Me If You Can”, where Frank Abagnale Jr. makes the move from a check counterfeiter to FBI counterfeiting expert. Thinking like the individual you are trying to protect against is key to being a good penetration tester. (CyberVista, 2017)

While penetration testing tools and toolkits are varied there is a process that most testers follow. This process is (Incapsula, n.d.):

  1. Planning and reconnaissance: Define the scope of the test and gather intelligence. During the planning phase, the tester would determine the testing method. Because penetration testing is an ethical hack the tester is given permission to try to gain access and exploit a system. Testing methods include:
    1. External Testing: Testing internet accessible assets from outside the internal network.
    2. Internal Testing: Testing internal assets which are not internet accessible, but that could be attacked by a malicious insider.
    3. Blind Testing: The tester is given only the company name, the same starting point an outside attacker would have.
    4. Double Blind Testing: Same as blind testing, but insiders and security personnel are not informed of the test.
    5. Targeted Testing: Insiders and security teams work collaboratively. This type of testing is valuable for training security personnel because the pen tester provides real-time information to the security team.
  2. Scanning: Static and dynamic target inspection. There are various tools to automate scans.
  3. Gaining access: Gain access to the system and exploit vulnerabilities.
  4. Maintaining access: Determine if access can be persistently maintained.
  5. Analysis: Compile the results of the penetration test.
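As an added example of steps 1 and 2 (my code, not from the original post or the Incapsula source), the following Python enforces a rules-of-engagement scope before anything is touched and then runs a plain TCP connect scan against what remains. The CIDR ranges and exclusions in the usage block, and the loopback listener in `demo_local_scan()`, are assumptions made so the example runs offline; in a real engagement the allowed and excluded ranges come from the signed scope document, and out-of-scope targets are recorded, not silently dropped.

```python
"""Scope enforcement plus TCP connect scan for an authorized test.

Added example; rules of engagement and targets below are assumed.
"""
import ipaddress
import socket


def in_scope(target, allowed_cidrs, excluded_cidrs=()):
    """True only if target lies in an allowed range and in no excluded range."""
    ip = ipaddress.ip_address(target)
    allowed = any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)
    excluded = any(ip in ipaddress.ip_network(c, strict=False) for c in excluded_cidrs)
    return allowed and not excluded


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: port -> True when the three-way handshake completes."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            results[port] = sock.connect_ex((host, port)) == 0
    return results


def scan_engagement(targets, ports, allowed_cidrs, excluded_cidrs=()):
    """Scan only in-scope targets; record skipped ones so the decision is auditable."""
    report = {"scanned": {}, "skipped": []}
    for target in targets:
        if in_scope(target, allowed_cidrs, excluded_cidrs):
            report["scanned"][target] = scan_ports(target, ports)
        else:
            report["skipped"].append(target)
    return report


def demo_local_scan():
    """Self-contained check: one listening and one closed port on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind and release an ephemeral port to obtain one that is (almost certainly) closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        result = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open": result[open_port], "closed": result[closed_port]}


if __name__ == "__main__":
    # Assumed rules of engagement: 10.0.0.0/24 is in scope except the gateway.
    roe_allowed, roe_excluded = ["10.0.0.0/24"], ["10.0.0.1/32"]
    for t in ["10.0.0.5", "10.0.0.1", "192.0.2.7"]:
        print(t, "in scope" if in_scope(t, roe_allowed, roe_excluded) else "SKIPPED")
    print(demo_local_scan())
```

The connect scan completes a full handshake, so it is noisy and will show up in the target’s logs; that is appropriate for a targeted test where the security team is watching, and is exactly what a double-blind test would want to avoid.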

Hacking has always been an important learning tool for me. Learning to exploit vulnerabilities can be a fun way to dig deeper into a particular technology and strengthen skills; it’s not always about exploiting something, the process of reverse engineering has often exposed details about a specific technology that I otherwise would not have investigated. I started hacking, cracking and phreaking in the mid 1980s; back then I followed Captain Crunch (John Draper) and phone phreaked, today I am still a 2600 subscriber and I have added podcasts like Hak5 to my portfolio of edutainment. In the 80s I was really into BBSes (Bulletin Board Systems), online communities that pre-date the internet. FidoNet for life, but I digress; anyone who was BBSing in the 1980s knows that long-distance and exchange costs were painful; let’s just say the blue box was hard to resist. While I do love playing with application and OS exploits as well as WiFi hacking, my current passion is RF hacking.

If you are looking for something to do with that old DirecTV mount I suggest repurposing it for a high-gain WiFi antenna rig to supercharge your WiFi hacking. Here is a pic of my setup. 🙂

My RF hacking tool of choice is the HackRF One, which I use for fun and to spread awareness of just how insecure the radio waves can be. My neighbors really love when I show them how easy it is for me to lock and unlock their car, pop their trunk, open their garage door, and disable their alarm system (with their permission of course).

Like any good techie (hacker), my home office is filled with lots of Raspberry Pis and multiple computers, with my hacking machine running Parrot Linux as opposed to the more mainstream Kali (BackTrack) Linux. I am a fan of bWAPP, aka a buggy web application, to practice skills, but I also use PentesterLab and Hack This Site for learning. I have machines running in AWS and OVH, and a rack of equipment in my basement. There aren’t enough toys to keep me entertained.

With the explosion of edge technologies and the connected world, the attack surface continues to increase. Today we don’t just need to pen test the glasshouse data center, we have to worry about every edge device, many of which are manufactured with well-known exploits. It’s well known that many low-cost Bluetooth devices can easily be hacked. @jasongorman recently posted the following tweet: “Of all the responses by Facebook to some massive data breaches oh and then accidentally possibly helping to end Western democracy, ‘We want to put a webcam in every home’ seems to lack self-awareness”. He is referring to the Facebook Portal device, and the idea that FB just gave up access to the information of 50 million users; maybe releasing a camera that people can connect to their Facebook account is a bit mistimed. I agree it seems to lack a certain sense of self-awareness, or maybe Facebook realizes that the same number of people who read the terms-of-service will care about the hack and not buy the Facebook Portal; maybe they are very self-aware and @jasongorman and I are just situationally unaware.


Barnett, P. (2017, December 20). Vulnerability Scanning vs. Penetration Testing. Retrieved October 12, 2018, from

CyberVista. (2017, April 24). Penetration Tester: The Secret Agent. Retrieved October 12, 2018, from

Incapsula. (n.d.). PENETRATION TESTING. Retrieved October 12, 2018, from

Pentester’s Guide to IoT Penetration Testing. (2018, July 02). Retrieved October 12, 2018, from

Christopher, it’s interesting, we hear a lot about how machine learning, deep learning, and artificial intelligence are being used to improve security offerings, everything from SIEM (security information and event management) to antimalware to next-generation firewalls. Cisco calls the use of artificial intelligence in next-generation security products the network intuitive, where the system continuously learns and develops intuition and the ability to infer intent. (Walker, 2017)

What few people realize is that machine learning, deep learning, and artificial intelligence are also being used by hackers. One example is a project called DeepHack, where the developers weaponized a machine learning algorithm. (BishopFox, 2017) The technologies for defenders and attackers are getting far more sophisticated; in the future, much will depend on how the user can leverage these underlying complex but powerful technologies. I believe penetration testers will have to learn how to use machine learning frameworks such as TensorFlow, MXNet, and PyTorch.


BishopFox. (2017, July 31). Bishop Fox Introduces Hacking AI “DeepHack” at DEF CON 25. Retrieved October 14, 2018, from

Walker, K. (2017, June 26). Introducing The Network. Intuitive. Retrieved October 14, 2018, from


Carmeshia, I enjoyed the post. The timing of your post is impeccable in the wake of the October 4th Bloomberg Businessweek article (Robertson & Riley, 2018) which stated that the Chinese government (military) was manufacturing microchips that were being placed on motherboards at Chinese factories that manufactured motherboards for Supermicro. The article went on to state that the motherboards went into servers which shipped to dozens of U.S. companies including Amazon and Apple.

Supermicro, Apple and Amazon (Schmidt, 2018) all issued statements of denial, stating that there is no evidence to support the claims made in the Bloomberg report. (Naughton, 2018)

The truth is not clear here; what is clear is that a country (China) which is a major component manufacturer and a critical supplier to most tech companies has been linked to more than one nation-state attack with a well-known cyberwarfare unit (PLA Unit 61398, 2018). Dr. A. Theodore Markettos, a Cambridge University researcher, conducted an initial investigation of a key bit of the Supermicro hardware to see if the Bloomberg claim passed what he called “the sniff test” of initial plausibility. He concluded that the Bloomberg report does pass the sniff test. (Markettos, 2018)

Implanting malware on devices during the manufacturing process is nothing new, we’ve seen reports of malware being inserted during the manufacturing process on low-end Android devices (phones and tablets) for years. (Jones, 2018) I expect we haven’t heard the last on the Supermicro saga, it will be interesting to watch it unfold and see how major corporations like Apple and Amazon react.


Jones, R. (2018, May 24). More Than 100 Cheap Android Phones Found to Have Malware Preinstalled. Retrieved October 14, 2018, from

Markettos, T. (2018, October 5). Making sense of the Supermicro motherboard attack. Retrieved October 14, 2018, from

Naughton, J. (2018, October 13). The tech giants, the US and the Chinese spy chips that never were… or were they? | John Naughton. Retrieved October 14, 2018, from

PLA Unit 61398. (2018, August 12). Retrieved October 14, 2018, from

Robertson, J., & Riley, M. (2018, October 4). The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. Retrieved October 14, 2018, from

Schmidt, S. (2018, October 04). Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article | Amazon Web Services. Retrieved October 14, 2018, from


FIT – MGT5155 – Week 6

Dr. Perez and fellow classmates, first off I am incredibly tardy on this week’s post, my apologies. It’s been a crazy week with my company being acquired and a number of competing priorities. Anyway, this week I did have the opportunity to spend an incredible amount of time in the air traveling around for regularly scheduled QBRs (Quarterly Business Reviews) as well as delivering the acquisition news and what it means to our business. Unfortunately, United Airlines’ WiFi service is in line with the rest of their service, but I suppose I should be happy none of the planes that I was on ran out of gas.

While I was in flight, with no internet access, I had a lot of time to think about my favorite “Infamous Attack”; after a few minutes of thought it was really an easy decision. One of my favorite books is “Ghost in the Wires”, which takes you on a journey with Kevin Mitnick from his perspective.

“Ghost in the Wires reads like a contemporary über-geeky thriller…. For those interested in computer history, Ghost in the Wires is a nostalgia trip to the quaint old days before hacking (and hackers) turned so malicious and financially motivated.” ―J.D. Biersdorfer, New York Times Book Review

The “Infamous Attack” that I chose is one perpetrated by Mitnick and told in the book “Takedown”, the story of how Tsutomu Shimomura, a security expert working at the UC San Diego Supercomputer Center, took down Kevin Mitnick, possibly the world’s most infamous hacker. In December of 1994, Mitnick broke into Shimomura’s computer and stole software that allowed access to cellular phone frequencies. This hack triggered a game of cat and mouse between Shimomura, the FBI, and Mitnick that would last four years. (Shimomura, 2017) As someone who grew up in the 80s, addicted to computers, first the TRS-80 and an acoustic coupler, then a Commodore 64 and my 1200 baud modem, I am nostalgic about the hacking and phone phreaking that took place in the 80s and 90s. I have always been intrigued by the early hackers like Captain Crunch and others because they were the pioneers. In the early BBSes (bulletin board systems) like Exec-PC BBS, the entire community was filled with hackers, crackers, and phreakers.

For those of us old enough to remember POTS lines, the squeal of a modem connection, and the feeling of connecting with a global community of people just like you, it’s hard not to say thank you, because for me, someone who had their head buried in a computer from the age of eight, I am not sure where I would be today without the opportunity I was provided to feed my obsession. In the 80s and 90s hackers, crackers, and phreaks were digital explorers, unlike many of the attacks discussed by others, like the Olympic Games program which gave birth to Stuxnet, the Target hack, the Equifax hack, WannaCry, and other ransomware attacks, etc. Hackers, crackers, and phreaks like Kevin Mitnick and Captain Crunch (John Draper) (Cap’n Crunch Whistle and the Secrets of the Little Blue Box, n.d.) were curious; they were not interested in monetary gain, they were not employed by a nation-state, and this is why so many people like me sported “Free Kevin” t-shirts.

Attacks have become far more intricate these days; the curiosity motivator in the context of the modern day attacker/hacker seems almost non-existent. This is because the curious hackers can now hack legally; bug bounty programs are everywhere, with sites like HackerOne listing pretty much every available bug bounty program. Since I started this post talking about United Airlines, I may as well end it with the story of Olivier Beg, who earned a million miles via the United Airlines bug bounty program.

The world has changed significantly from the days when hackers, crackers, and phreaks were people I admired as the pioneers of a digital frontier to what we see today, organized crime syndicates and nation-states exploiting a connected world.

When I think about the hackers of yesteryear I think about the pioneers of an industry I love, people like Gary Kildall, Steve Wozniak, Dan Bricklin, Bob Frankston, Richard Stallman and many others who were pioneers, in many cases exploited by those with differing motivations. The Kevin Mitnicks and John Drapers of the world represented those of us who didn’t like the Gary Kildall, Digital Research, CP/M and Bill Gates, Microsoft, DOS story. (How Bill Gates Outmaneuvered Gary Kildall, 2005) While many may think these days are over, they are not; what is different is that most of the Gary Kildalls today are open sourcing their code, and this makes it much harder for the Bill Gates’ of the world. Few people have heard of Scott Hassan, but he is the third founder of Google (well, maybe the number two founder, but this is debatable); a book I recently read entitled “Valley of Genius” provides some great insight on some of the unsung heroes of Silicon Valley.



Cap’n Crunch Whistle and the Secrets of the Little Blue Box. (n.d.). Retrieved October 4, 2018, from

Great Rivalries in Cybersecurity: Tsutomu Shimomura vs. Kevin Mitnick. (n.d.). Retrieved October 4, 2018, from

How Bill Gates Outmaneuvered Gary Kildall. (2005, August 18). Retrieved October 4, 2018, from

Shimomura, T. (2017, June 04). Catching Kevin. Retrieved October 4, 2018, from

Tung, L. (2016, August 09). This Dutch hacker can fly a million miles on his United Airlines bug bounty. Retrieved October 4, 2018, from

Interesting article on the North Korea cyber threat.

Jonathan, interesting read, I had never heard of WANK, and I always enjoy learning something new. In the mid-90s I worked in big pharma as a Unix sys admin; I was a recent college grad, with this being my second job out of school. I used a Sun Microsystems IPC all-in-one workstation in college and Slackware Linux on my desktop; I spent all my time in Emacs and wrote all my papers with LaTeX. When I was hired by a pharmaceutical company with ~120K employees, I was given the reins of the new Unix systems ranging from Sun Solaris, to DEC Tru64, to IBM AIX, to HP-UX, to SGI IRIX. It was amazing how many DEC and mainframe people worked in IT in this massive company and how few Unix-capable engineers there were, especially given that the plan was to replace a large DEC VMS footprint running on both DEC VAX and DEC Alpha machines. The organization (and the pharma industry back then) was so DEC-centric they were deploying Windows NT 3.51 on DEC Alpha; it made total sense to everyone because of course the developers of Windows NT were also the developers of VMS, and the story was that WNT being the letters following VMS was not a coincidence. (Russinovich, 2018)

I remember DECnet, CIQBA, FDDI, and our DEC email system (I think it was called Teamworks) all too well; I don’t miss these days. 🙂 Ken Olsen could have owned the world if he had just embraced the PC era and open computing; DEC tried to correct late in the game with the acquisition of Compaq, OpenVMS, and Digital Unix, but it was too late. I will say that the industry never really successfully delivered something like VMS clustering, which just worked.

BTW – I would argue that the term hacking originated in the 1990s. Gordon French held the first Homebrew Computer Club meeting in his garage in 1975; the attendees were all hackers (Love, 2013). John Draper (aka Captain Crunch) was hacking (phreaking) Ma Bell in the 60s and 70s, and Ron Rosenbaum published an article in Esquire Magazine in October 1971 entitled “Secrets of the Little Blue Box” (Rosenbaum, 2011) where he talks about hacking the phone system and the hacker subculture.


Love, D. (2013, March 05). An Incredibly Important Tech Event Happened 38 Years Ago Today. Retrieved October 7, 2018, from

Rosenbaum, R. (2011, October 07). The Article That Inspired Steve Jobs: “Secrets of the Little Blue Box”. Retrieved October 7, 2018, from

Russinovich, M. (2018, September 19). Windows NT and VMS: The Rest of the Story. Retrieved October 7, 2018, from

Sergio, like most things in life, attacks, or I should say successful exploitation, can often be traced to human error. I think this is what makes social engineering so interesting; look around at the amount of data we, as a society, are willing to volunteer online. Modern day culture and the rise of FOMO (Fear Of Missing Out) (Rivera, 2018) has created a fertile social engineering hunting ground for hackers; as our society moves closer to “The Truman Show”, we have the actors, those volunteering information, and the voyeurs, those who just watch, wait and manipulate. Our digital footprint makes us more vulnerable to attack; it can make us more or less likely to be hired, it can impact our creditworthiness, etc. I believe that we have no idea of the psychological impact of the experiment we are currently conducting, only time will tell, but as a Gen-Xer, a technologist and a parent I would be willing to take the bet that we will need to achieve better equilibrium because the trajectory we are currently on seems dangerous. (Walton, 2017) I guess my question here is, are we more afraid of the nation-state or the organized hacktivists like Anonymous, or are we more afraid of the truly dangerous social engineers like Facebook who are trying to spread “emotional contagion”? (Kramer, Guillory, & Hancock, 2014)



Kramer, A. D., Guillory, J. E., & Hancock, J. T. (2014). Experimental evidence of massive-scale emotional contagion through social networks. Proceedings of the National Academy of Sciences, 201320040.

Rivera, J. (2018, August 04). The Rise of Fomo – Julia Rivera – Medium. Retrieved October 7, 2018, from

Walton, A. G. (2017, October 03). 6 Ways Social Media Affects Our Mental Health. Retrieved October 7, 2018, from


FIT – MGT5155 – Week 5

I’ve spent the last year building and hardening policies using the ITIL (Information Technology Infrastructure Library) framework as my team and I worked on a SOC 2 audit and certification. Our ITSM (Information Technology Service Management) platform is ServiceNow (SNOW). The ServiceNow platform is responsible for managing and automating all aspects of service management for us and our customers; this includes incidents, requests, changes, problems, knowledge, etc. We use a ton of tools in our development and operations (DevOps) toolchain to drive agile development models, automated testing, automated deployments, measurement, self-healing, etc.

Source:  Rich Bocchinfuso

During our system design, we made a deliberate decision to separate our ITOM (IT Operations Management) platform from our ITSM platform. Our element management tools, our instrumentation, our ITOM tooling which manages event correlation, alert management and escalation, and our ITSM platforms are all decoupled. We had a good reason for doing this, which focused on flexibility: the best tool for the job with the ability to integrate. Fast forward a few years and we may look to leverage ServiceNow ITOM because it is quickly elevating to a best-in-class ITOM tool.

I found it interesting that Ronda R. Henning defined an “incident” as anything that is abnormal on a system. When I think about an incident using the ITIL framework definition I think of it as something which has the potential to cause a service disruption. While abnormal activity may trigger an event or an alert, this does not mean an incident will be created. The example Henning provides of Joe being on the system at midnight might trigger an event or an alert, but this event or alert would be trapped by our ITOM system, identified as benign and would not be elevated to an incident.
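The event / alert / incident distinction above can be written down as a small triage rule set, which is what an ITOM correlation layer does for you. This is an added example (my code, not from the lecture, the post, or any ServiceNow feature); the syslog lines, the business-hours window, the scheduled-maintenance allow-list that covers Joe’s midnight logins, and the promotion rule (one user raising alerts on more than one host) are all constructed assumptions.

```python
"""Event vs. alert vs. incident triage over sshd auth log lines.

Added example; log lines, hours, allow-list and promotion rule are assumed.
"""
import re
from datetime import datetime, time

LOG_RE = re.compile(
    r"^(?P<ts>\S+T\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample lines: Joe's expected midnight job, an unknown account
# hopping between two hosts at midnight, a daytime login, and an unrelated line.
LOGS = """\
2018-10-14T00:02:11 db01 sshd[2211]: Accepted publickey for joe from 10.1.1.20 port 52214 ssh2
2018-10-14T00:03:40 db01 sshd[2219]: Accepted password for mallory from 203.0.113.9 port 41002 ssh2
2018-10-14T00:05:02 web02 sshd[881]: Accepted password for mallory from 203.0.113.9 port 41010 ssh2
2018-10-14T09:15:33 web01 sshd[1023]: Accepted publickey for alice from 10.1.1.30 port 50012 ssh2
2018-10-14T00:10:09 db01 sshd[2230]: pam_unix(sshd:session): session opened for user joe
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed
SCHEDULED = {("joe", "db01")}                # assumed: Joe's midnight backup job


def parse(line):
    """Return a dict for an accepted-login line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def triage(log_text):
    """Abnormal -> event; not known-benign -> alert; multi-host pattern -> incident."""
    events, suppressed, alerts = [], [], []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not after_hours(rec["ts"]):
            continue                      # normal activity: logged, nothing raised
        events.append(rec)                # abnormal (Henning's sense): an event
        if (rec["user"], rec["host"]) in SCHEDULED:
            suppressed.append(rec)        # known benign: stays an event
        else:
            alerts.append(rec)            # needs eyes
    by_user = {}
    for a in alerts:
        by_user.setdefault(a["user"], []).append(a)
    incidents = []
    for user, recs in by_user.items():
        hosts = sorted({r["host"] for r in recs})
        if len(hosts) > 1:                # lateral movement pattern: ITIL-style incident
            incidents.append({"user": user, "hosts": hosts,
                              "sources": sorted({r["src"] for r in recs})})
    return {"events": events, "suppressed": suppressed,
            "alerts": alerts, "incidents": incidents}


if __name__ == "__main__":
    result = triage(LOGS)
    print(len(result["events"]), "events,", len(result["alerts"]), "alerts")
    print(result["incidents"])
```

Joe’s midnight login is abnormal and therefore an event, but the allow-list keeps it from becoming an alert; the unknown account authenticating by password from a single external address onto two hosts is the kind of correlated pattern that justifies opening an incident rather than two independent alerts.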

A simple graphical representation of the ITIL service management framework:

Source:  Rich Bocchinfuso

In this week's lecture, Ronda R. Henning also mentions syslog and event logging. Collecting and correlating those logs centrally is often referred to as security information and event management (SIEM). The idea is to aggregate and analyze events across the enterprise to gain better clarity on what is occurring, the root cause, etc. As an Open Source proponent, I have built this capability on the ELK stack (Elasticsearch, Logstash, and Kibana), but Splunk is also a popular SIEM. SIEM has become an integral IT operations tool.
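As an added example (not the author's ELK configuration or anything from the lecture), the block below runs a minimal SIEM-style correlation over a handful of constructed sshd syslog lines and applies the event / alert / incident distinction drawn above: an off-hours login is recorded as an event and goes no further, a burst of failed logins from one source becomes an alert, and a burst followed by a successful login from the same source is the only case escalated to an incident. Hostnames, addresses, the failure threshold and the correlation window are assumed values.

```python
"""Added example, not from the original post: a minimal SIEM-style
correlation pass over constructed sshd syslog lines.

An abnormal observation on its own is only an *event*; it becomes an
*alert* when a threshold is crossed, and an *incident* only when service
impact is plausible (here: a brute-force burst that ends in a successful
login from the same source). Hosts, IPs, threshold and window are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in standard syslog + OpenSSH format.
SAMPLE_LOG = """\
Sep 27 00:02:11 web01 sshd[4021]: Accepted publickey for joe from 10.0.5.17 port 51022 ssh2
Sep 27 03:14:01 web01 sshd[4100]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Sep 27 03:14:02 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Sep 27 03:14:03 web01 sshd[4102]: Failed password for root from 203.0.113.9 port 40003 ssh2
Sep 27 03:14:04 web01 sshd[4103]: Failed password for root from 203.0.113.9 port 40004 ssh2
Sep 27 03:14:05 web01 sshd[4104]: Failed password for root from 203.0.113.9 port 40005 ssh2
Sep 27 03:14:06 web01 sshd[4105]: Failed password for deploy from 203.0.113.9 port 40006 ssh2
Sep 27 03:14:09 web01 sshd[4106]: Accepted password for deploy from 203.0.113.9 port 40007 ssh2
Sep 27 09:30:00 web01 sshd[5000]: Failed password for joe from 10.0.5.17 port 51100 ssh2
Sep 27 09:30:05 web01 sshd[5001]: Accepted password for joe from 10.0.5.17 port 51101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

FAILED_THRESHOLD = 5      # assumed alert threshold (failures per window)
WINDOW_SECONDS = 60       # assumed correlation window
OFF_HOURS = range(0, 6)   # assumed "abnormal" hours, 00:00-05:59


def parse(log_text, year=2018):
    """Turn raw syslog text into a list of auth event dicts; non-auth lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events):
    """Return (level, source_ip, detail) findings at event, alert or incident level."""
    findings = []
    by_src = defaultdict(list)
    for ev in events:
        # Off-hours interactive login is abnormal but benign on its own: an event, not an alert.
        if ev["result"] == "Accepted" and ev["ts"].hour in OFF_HOURS:
            findings.append(("event", ev["src"], f"off-hours login by {ev['user']} on {ev['host']}"))
        by_src[ev["src"]].append(ev)

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window: count failures within WINDOW_SECONDS of each failure.
        for i, f in enumerate(failures):
            window = [g for g in failures[i:] if (g["ts"] - f["ts"]).total_seconds() <= WINDOW_SECONDS]
            if len(window) >= FAILED_THRESHOLD:
                last_fail = window[-1]["ts"]
                # A success from the same source shortly after the burst suggests compromise.
                success_after = [e for e in evs if e["result"] == "Accepted"
                                 and 0 <= (e["ts"] - last_fail).total_seconds() <= WINDOW_SECONDS]
                if success_after:
                    findings.append(("incident", src,
                                     f"brute force followed by successful login as {success_after[0]['user']}"))
                else:
                    findings.append(("alert", src, f"{len(window)} failed logins in {WINDOW_SECONDS}s"))
                break  # one finding per source is enough for this example
    return findings


def triage(log_text):
    """Return the highest level reached per source IP: event < alert < incident."""
    rank = {"event": 0, "alert": 1, "incident": 2}
    worst = {}
    for level, src, _ in correlate(parse(log_text)):
        if src not in worst or rank[level] > rank[worst[src]]:
            worst[src] = level
    return worst


if __name__ == "__main__":
    for level, src, detail in correlate(parse(SAMPLE_LOG)):
        print(f"{level.upper():8} {src:15} {detail}")
```

Run stand-alone it prints one line per finding; the midnight login by joe stays an event, while the burst from 203.0.113.9 becomes an incident because it ends with an accepted password.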

For continuous monitoring specific to security we use a number of tools, ranging from SIEM to Lynis system audits to OpenVAS and Qualys vulnerability scans. We use Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) classifications to make decisions on criticality and reaction time.

Source:  Rich Bocchinfuso

We have witnessed an evolution from traditional infrastructure –> converged infrastructure –> hyper-converged infrastructure –> composable infrastructure; this evolution has dramatically improved our ability to instrument, monitor, automate and self-heal infrastructure. (Thome, 2017)

Traditional Infrastructure: Decoupled, discrete infrastructure consisting of servers, storage, and networking components.
Converged Infrastructure: An integrated solution which bundles compute, storage and networking into a system which addresses a particular workload or solution, such as virtualized desktops or a database application.
Hyper-converged Infrastructure: Compute, storage, and networking integrated into a single solution. Hyper-converged infrastructure is often driven by integrated hardware and software-defined technologies.
Composable Infrastructure: Builds on converged and hyper-converged technologies through enhanced software-defined intelligence and unified APIs (Application Programming Interfaces) to “compose” and automate the infrastructure.

One of my favorite visualizations of self-healing infrastructure is the Netflix vizceral network visualization of the network automagically detecting a failure and rerouting traffic.

I mention this because, in contrast to what Ronda R. Henning states in this week's lecture, I believe the advent of composable infrastructure and the increased use of machine learning (ML), deep learning (DL) and artificial intelligence (AI) has moved us closer to being able to automagically do more.

Composable infrastructure has opened the door to A/B testing, blue-green deployments, rapid iteration and continuous delivery over rigid release cycles. These advances IMO are largely attributable to composable infrastructure, which some call software-defined. Composable infrastructure is fundamentally driven by software; the agility of software-defined everything, exposed APIs, a focus on usability and orchestration has dramatically changed how we consume, instrument, monitor and self-heal information technology infrastructure.

Lastly, PagerDuty released their Incident Response framework and process to the Open Source community and it provides a great starting point for building an Incident Response framework.


Continuous Delivery. (n.d.). Retrieved September 27, 2018, from

Fowler, M. (2010, March 1). Bliki: BlueGreenDeployment. Retrieved September 26, 2018, from

Greene, J. (n.d.). The Essential Guide to ITIL Framework and Processes. Retrieved September 26, 2018, from

Henning, R. R. (n.d.). Security Operations, Part 2. Retrieved September 27, 2018, from

Netflix. (2016, October 28). Vizceral. Retrieved September 26, 2018, from

Netflix. (2018, September 05). Netflix/vizceral. Retrieved September 26, 2018, from

PagerDuty, P. (n.d.). PagerDuty/incident-response-docs. Retrieved September 26, 2018, from

Rawat, S. (2018, June 08). A/B Testing – The Complete Guide | VWO. Retrieved September 26, 2018, from

Rouse, M. (n.d.). What is security information and event management (SIEM)? – Definition from Retrieved September 26, 2018, from

SDxCentral. (n.d.). What is Software Defined Everything (SDx) – Defined. Retrieved September 26, 2018, from

Thome, G. (2017, June 29). Just What the Heck Is Composable Infrastructure, Anyway? Retrieved September 26, 2018, from

This past week was an interesting week in tech, with the Facebook security breach and Jim Cramer in San Francisco at Dreamforce interviewing some of the Silicon Valley goliaths. One interesting interview I thought I would share was Cramer’s interview with Kevin Mandia, CEO of FireEye.


Andrew, we live in interesting times where it seems just about every enterprise has the need to adopt an Agile approach and a DevOps culture. The move/fail fast paradigm seems to be powering the innovators in the tech industry, but let’s face it, there are a few FAANG companies. There is a ton of pressure to move and innovate faster, and many believe the path to success is to mimic the Netflix culture, easier said than done. Most organizations have a legacy to tend to which impedes the pivot. The “Subscription Economy” and the age of cloud and cloud-first strategies is upon us, but we are starting to see some equilibrium and a shift to a “cloud-smart strategy”. (Staff, 2018)


Heath, N. (2015, August 24). Should you follow Netflix and run your business from the public cloud? Retrieved September 30, 2018, from

Staff, R. (2018, September 27). Moving Beyond a ‘Cloud First’ Strategy | VMware Radius. Retrieved September 30, 2018, from

Scott, careful with all that talk about security only being there to keep the bad guys out and the fact that it’s not if you get attacked, but rather when because you’re sounding like Richard Stallman (Goffman, 2018), not a bad thing. 🙂

Philosophically I agree with many of Stallman’s views, but security is not just about the bad guys. When I think about IAM (Identity and Access Management) (Stroud, n.d.), I think about least privilege, protecting the system from human error, logging, auditing, etc. as much as, if not more than, I think about authentication as a padlock.

I think we will continue to see machine learning play a role in advancing automated incident response, where the plan, process, and procedures are codified, where we take an algorithmic approach to response. Moving to an open model where the system governs the response aids us in governing transparency, because IMO the term “disclosure” is open to far too much interpretation for my liking and this is not helping the situation.


Goffman, K. (2018, January 11). Richard Stallman : Last of The True Hackers? (MONDO 2000 flashback 1989). Retrieved September 30, 2018, from

Stroud, F. (n.d.). IAM – Identity and Access Management. Retrieved September 30, 2018, from

Carmen, do you think the two individuals at Uber acted unilaterally?

  • Fact:  Many organizations pay hacker ransom demands.
  • Fact:  Many organizations who pay hacker ransom demands and get their data back don’t disclose the hack.  Those who hack for financial gain (e.g., ransomware) are an honorable bunch because if they didn’t deliver, organizations would stop paying the ransoms and the business of ransomware would collapse.
  • Fact:  Disclosure of a hack impacts the hacked organization’s reputation, so debates within organizations around the globe are happening.  These debates include whether to disclose or not disclose, what constitutes disclosure, how nebulous the disclosure can be, when to disclose, etc.  The answers to all these questions more often than not are to disclose as little as possible, to be as nebulous as possible and to disclose at a time when the disclosure is least damaging.

Uber is not alone in how they disclosed.  Equifax (Isidore, 2017) delayed their breach disclosure while insiders participated in a stock sell-off.  What happened?  Absolutely nothing, but somehow Elon Musk is demonized because he tweets that he has secured funding to take Tesla private.  Right and wrong isn’t a game of inches, but influence often is.  In Elon Musk’s case, the short-sellers controlled the influence.



Isidore, C. (2017, September 8). Equifax’s delayed hack disclosure: Did it break the law? Retrieved September 30, 2018, from


FIT – MGT5155 – Week 4

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.

“Reactive or Proactive?”

As technology professionals, and astute human beings, I believe that we always strive to be proactive (at least I hope so); honestly, in today's world to say you have a reactive strategy to security is almost taboo. We see this in all aspects of IT: the sysadmin (operations team) and developer roles have been collapsed into a DevOps or SRE (Site Reliability Engineering) role with a focus on instrumentation, analysis, automation, and self-healing. We are seeing these DevOps philosophies make their way into the security realm despite the cloak and dagger InfoSec folks. Relying on reactive strategies where action only occurs following an incident has become almost unacceptable. Yes, we still have incident response plans, but the plan is to proactively thwart incidents, avoiding having to enact the dreaded incident response plan. We instrument, monitor and automate to avoid reactive response. From an evolutionary perspective, the automation takes the longest. Some might say that if you are actively hunting for threats you have a proactive approach, but I would say that if you don't automate analysis and response you still have a reactive process. (Contributor, 2017)

Instrumentation, monitoring, thresholding and automating response is a technique we try to use to avoid the reactive fire drill. When we think about what it takes to build a proactive system, it requires commitment. To build a system which continuously learns is not easy; it requires massive data sets, anomaly detection, and automated response. In the area of security, Machine Learning (ML), Deep Learning (DL) and Artificial Intelligence (AI) will play a critical role in the transition from reactive to proactive response which can aggregate and analyze variables on multiple vectors and infer intent. (Lomonaco, 2017)

When we look at security we can see attacks which have identifiable variables and thresholds managed proactively, an example is DDoS attack mitigation. For instance, a cloud provider known as OVH has built a robust DDoS attack mitigation strategy. This strategy depends on instrumentation, real-time traffic monitoring and analysis, anomaly detection and automated response.

Attack Detection



The real-time analysis identifies the attack traffic; this traffic is redirected to the VAC while legitimate traffic flows to the target server. As systems continue to mature we will see more complex behavioral patterns analyzed in real time, and inference engines will make decisions about how to proactively respond. The market is moving very fast right now.
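The detection step of that flow, as an added example that is not OVH's code: per-destination packet rates from constructed flow samples are compared against a rolling baseline built only from clean samples; a destination whose rate jumps well above its baseline (and above an absolute floor, so an idle host's noise never trips it) is marked for the scrubbing path, and it is released back to direct routing with some hysteresis once the rate returns to normal. Addresses, rates, window and thresholds are constructed values.

```python
"""Added example, not OVH's implementation: a toy version of the DDoS
detection step described in the post. Packet-rate samples per destination
are compared against a rolling baseline; on an anomaly the destination is
routed through a scrubbing path ('scrub', the VAC in the post) while other
destinations stay on the direct path. All values below are constructed.
"""
from collections import deque
from statistics import mean, pstdev

BASELINE_WINDOW = 5     # past clean samples used as the baseline (assumed)
SIGMA_MULTIPLE = 4.0    # flag if rate > mean + 4*stdev (assumed)
MIN_ABS_PPS = 20000     # never flag below this absolute rate (assumed floor)


class DdosDetector:
    def __init__(self):
        self.history = {}    # dst -> deque of recent clean pps samples
        self.diverted = set()

    def observe(self, dst, pps):
        """Feed one per-second packet-rate sample for dst; return 'direct' or 'scrub'."""
        hist = self.history.setdefault(dst, deque(maxlen=BASELINE_WINDOW))
        decision = "direct"
        if len(hist) == BASELINE_WINDOW:
            mu, sigma = mean(hist), pstdev(hist)
            # Require both a statistical jump and a meaningful absolute volume.
            if pps > mu + SIGMA_MULTIPLE * max(sigma, 1.0) and pps > MIN_ABS_PPS:
                self.diverted.add(dst)
        if dst in self.diverted:
            decision = "scrub"
            # Hysteresis: return to direct routing only once the rate is back near baseline.
            if len(hist) == BASELINE_WINDOW and pps < mean(hist) * 1.5 and pps < MIN_ABS_PPS:
                self.diverted.discard(dst)
                decision = "direct"
        # Only clean samples feed the baseline, so attack traffic cannot poison it.
        if decision == "direct":
            hist.append(pps)
        return decision


# Constructed flow samples: (second, destination, packets per second).
# 198.51.100.10 is flooded for three seconds; 198.51.100.20 is steady throughout.
SAMPLE_FLOWS = [(t, "198.51.100.10", pps) for t, pps in
                enumerate([1000, 1100, 950, 1050, 1000, 1020, 250000, 400000, 380000, 1100, 1000])]
SAMPLE_FLOWS += [(t, "198.51.100.20", 800 + (t % 3) * 10) for t in range(11)]


def run_detector(samples):
    """Replay samples in time order; return (t, dst, pps, decision) tuples."""
    det = DdosDetector()
    return [(t, dst, pps, det.observe(dst, pps)) for t, dst, pps in sorted(samples)]


if __name__ == "__main__":
    for t, dst, pps, decision in run_detector(SAMPLE_FLOWS):
        print(f"t={t:2d} {dst:14} {pps:>7} pps -> {decision}")
```

With the sample flows, only the flooded destination is diverted, and only for the three seconds the flood lasts; the steady host never leaves the direct path.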

Side Note: If you have not watched the Joe Rogan interview with Elon Musk, you should. Musk’s discussion on how AI will become an extension of the cortex and limbic system once we solve the data rate problem is awesome.



Contributor. (2017, July 24). The Shifting Data Protection Paradigm: Proactive vs. Reactive. Retrieved September 19, 2018, from

HelpSystems. (2016, August 19). Is Your IT Systems Management Reactive or Proactive? Retrieved September 19, 2018, from

Lomonaco, V. (2017, October 04). Why Continual Learning is the key towards Machine Intelligence. Retrieved September 19, 2018, from

Scott, as I think about my day-to-day, our legacy security practices, which some might consider “proactive”, tend to be more routine maintenance activities than “proactive” action based on instrumentation and metrics which identify anomalous behavior and use inference to proactively mitigate a threat. An example is the security patching process we use:

(Screenshots: Patching SLAs, Google Sheets)

Using the Common Vulnerability Scoring System (CVSS) we have a process for prioritizing and patching a disclosed vulnerability, but what if this is a zero-day exploit? The only path to a proactive approach is baselining normal behavior, instrumentation, anomaly detection, inference and some action (automated proactive response).

I like Andrew’s automobile analogy, I just struggle with calling an oil change a proactive security practice.  The use of audit tools like Lynis and vulnerability audit tools like OpenVAS may be akin to the oil change, but when I think proactive I think about a collision avoidance system or an autonomous vehicle; these systems are able to take input in real time and make proactive decisions.

FWIW, I have yet to see a situation where cyber insurance has prompted an organization to improve their security posture. Adding insurance just changes the organizational risk equation, IMO not in favor of improved security, although I suppose it does help with the regulation and enforcement of a baseline.


Scott, I think you make a great point about defining proactive and reactive. I agree with your definitions; I think where I struggle is the variance in acceptable “proactive” approaches. As we learned this week, much of this is dependent on best practices and best effort, which are defined by relative measures within a given industry. With just about every industry today gathering and storing personal data I think it may be time to have a basic requirement for a proactive approach; hunting down that which you can’t see, when you don’t know what you are looking for, requires a level of sophistication that many industries have not adopted. Regulations like GDPR are imposing certain requirements regarding privacy on just about every industry.

I think of term life insurance as a reactive plan. I have a reactive plan should the unpredictable happen, because anything can happen, but hopefully I am being proactive enough to avoid needing term life insurance. 🙂


Monique, good point on the ineffectiveness of reactive practice when it comes to APTs (Advanced Persistent Threats). In the world of APTs we can’t react fast enough, because while we’re busy reacting the attackers are continuing their crusade. We’ve seen attacks like the one against Code Spaces (Goldman, 2014), where a DDoS attack triggered a reactive mitigation plan; while Code Spaces was busy reacting to the DDoS attack the attackers were busy gaining control of Code Spaces’ AWS EC2 control panel. The attacker essentially ransomed all of Code Spaces’ digital assets and put them out of business.



Goldman, J. (2014, June 23). Code Spaces Destroyed by Cyber Attack. Retrieved September 23, 2018, from

David, great reactive Mr. Mom reference.  Those of us with children know that playing catch-up with a reactive approach is a recipe for disaster.

I would bet those with a reactive approach also do so with a “220, 221. Whatever it takes. Honey if you call and I’m not home I’ll be at the gym or the gun club.” approach.

4.3 Midterm Exam

Score for this quiz: 200 out of 200

FIT – MGT5155 – Week 3

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.

First off, my apologies for my late post this week. I spent this week in France with a customer, a large U.S. based manufacturing company who eight months ago acquired a France based manufacturing company in the same market to grow their business in Europe. As a U.S. based company, operating from the U.S., there were many challenges that they faced; information technology is often an area that organizations immediately look to post-acquisition to drive synergies and efficiencies, but when a U.S. based company enters the European market this can be significantly more complex. The reason I mention this is because the legislation and cyber law differences between the U.S. and the E.U. can make this complex and pretty challenging. GDPR (E.U. General Data Protection Regulation) (Palmer, 2018) is one example of a regulation that the E.U. imposed to protect data privacy. There are plenty of other regulations like PCI, HIPAA, SOX, etc. that all need to be considered in the context of GDPR; this is a real challenge for many organizations.

A side note on why I was late this week, and maybe some travel advice for anyone flying from the New York area (EWR) to Paris (ORY).  As a million mile flyer on United, I more often than not fly United, although I dislike the airline immensely, I was a loyal Continental flyer for a very long time and it’s hard to give up airline status when you travel 100K+ miles a year. My typical process week after week is to work while I travel, well this trip I flew La Compagnie, a small French boutique airline, with two 757s in their fleet flying between Newark (EWR) <-> Paris and Newark (EWR) <-> London, the flights are all business class at a price below United economy fares, seating only 74 passengers, with good service the only downside (for me at least) is no WiFi. Anyway, sorry for the tangent, but just wanted to give some background.

In this week's Legislation lecture, Ronda R. Henning states that “Legislation, the legal foundations of cyberlaw, lag technology.” (Henning, n.d.) She goes on to say that most legislators are technologically illiterate; that most cyberlaw is derived from legacy mediums (e.g. print) and this legacy legislation has been applied to cyberlaw. Henning also discusses the topic of authenticity, maintaining chain of custody, and being able to demonstrate through metadata that digital assets have not been tampered with. In the past, we have discussed hashing as a method of creating a digital fingerprint; hash functions like MD5 and SHA-256 produce a digest of a file which can be used to validate data integrity, and, once that digest is signed or keyed, authenticity. (Simon, 2013)
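A worked version of the integrity check the lecture is getting at, as an added example that is not part of the post or the lecture: each evidence file is hashed with SHA-256 into a manifest, and the manifest is authenticated with an HMAC under a custodian key. The point a practitioner should take from it is the second failure case: a bare digest only proves a file matches whatever digest you were handed, so someone who can edit both the file and the manifest leaves no trace; keying the manifest (an HMAC here, a digital signature in a real chain of custody) is what makes that edit detectable. The evidence file contents and the key are constructed.

```python
"""Added example, not from the post or lecture: an evidence manifest of
SHA-256 digests authenticated with an HMAC, so that tampering with either
a file or the manifest itself is detectable. File contents and the key
are constructed; in practice the files would be read from disk.
"""
import hashlib
import hmac
import json

# Constructed evidence set.
EVIDENCE = {
    "disk-image.dd": b"\x00\x01\x02 constructed raw image bytes \xff",
    "auth.log": b"Sep 27 03:14:01 web01 sshd[4100]: Failed password for root from 203.0.113.9\n",
}
CUSTODIAN_KEY = b"constructed-custodian-key-do-not-reuse"


def sha256_hex(data, chunk=65536):
    """Hash in fixed-size chunks so a large image never has to sit in memory at once."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def _canonical(entries):
    # Canonical JSON (sorted keys, no whitespace) so the HMAC is stable across serializers.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key):
    """Digest every file and bind the digest table to the custodian key with an HMAC."""
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def verify_manifest(manifest, files, key):
    """Return (ok, problems): check the HMAC first, then each file against its digest."""
    problems = []
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte via timing.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        problems.append("manifest HMAC mismatch (manifest edited or wrong key)")
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"{name}: missing")
        elif sha256_hex(files[name]) != digest:
            problems.append(f"{name}: digest mismatch (content modified)")
    return (not problems), problems


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, CUSTODIAN_KEY)
    print(json.dumps(manifest, indent=2))
    print("clean:", verify_manifest(manifest, EVIDENCE, CUSTODIAN_KEY))
    edited = dict(EVIDENCE, **{"auth.log": EVIDENCE["auth.log"] + b"extra line\n"})
    print("file edited:", verify_manifest(manifest, edited, CUSTODIAN_KEY))
```

Note what the manifest does not protect against: an attacker who holds the custodian key can re-sign anything, which is why the key (or signing certificate) and the evidence need separate custody.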

I think a telling and interesting aspect of cyberlaw and “Legal Obligations” is the relative measure of obligations, meaning that things like “best effort” and “industry standard” are defined by relative measures of what others are doing within a given industry or discipline.  What this means is that there are frameworks for governing how we maintain and audit our security posture, but what we actually need to do is far more fluid.

Looking at the IBFS (Intergalactic Banking and Financial Services) case study, while fictitious, we can see requirements and challenges which are likely common across the finance and banking industry, which is steeped in legacy and highly regulated. We can see the need to balance cost and capability, to increase agility and elasticity via partnerships and outsourcing, and to do this while being compliant with regulations which govern the banking and finance industry. As we look at the emergence of game-changing technologies such as blockchain and cryptocurrencies, applying legacy legislation becomes more difficult. While the copyright example moved from print media to video content to digital assets, not perfectly but fairly easily, applying legacy financial regulations to technologies like blockchain and cryptocurrencies will not be as easy. It will be interesting to see how regulatory bodies adapt; the idea of legislators being technology illiterate will probably need to change.

Cyberlaw is very complex, we can to some degree understand aspects of cyberlaw such as copyright and regulations, but when we add things like the Patriot Act and the NSA to the mix things get really complex. (Diamond, 2015)

We have discussed security frameworks like NIST, ISO 27001, SABSA and SSAE-16 and I have looked at all these frameworks, which are primarily process driven frameworks. We learned this week that protecting an organization is about best effort, best practices, and industry standards; I use the Center for Internet Security (CIS) as my guide for industry standards and best practices. CIS provides best practices, benchmarks, and toolsets and they do this all in the context of the platform you are securing: Windows, Linux, hypervisor, etc.


CIS Center for Internet Security. (n.d.). Retrieved September 11, 2018, from

Diamond, J. (2015, May 23). Patriot Act debate: Everything you need to know – CNNPolitics. Retrieved September 11, 2018, from

Henning, R. R. (n.d.). Legislation. Retrieved September 11, 2018, from Florida Institute of Technology

Palmer, D. (2018, May 23). What is GDPR? Everything you need to know about the new general data protection regulations. Retrieved September 11, 2018, from

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton: CRC Press.

Simon. (2013, May 29). Verifying File Authenticity via Hashing. Retrieved September 11, 2018, from


Yacine, a very interesting and thought-provoking post. I may be a bit of a conspiracy theorist, but I think operating under the premise that Ronda R. Henning touches on this week, in regards to wiretapping or eavesdropping and how living in the digital world alters information intercept. I found it really interesting that Ronda R. Henning pointed out Skype, wireless and VoIP. She points out CDRs (call detail records), what the industry refers to as metadata. I think of metadata as the data that matters; if I have the metadata, I likely have a path to all the data. While the Patriot Act has been reeled in (at least publicly) by the Freedom of Information Act, we still see the government looking to take control of communication mediums, most recently the movement to nationalize the 5G network. These are complex issues; the nationalization of anything scares me a little, but on the other hand, I think it would be naive not to consider the complexity of maintaining order in a wireless world where information moves free and frictionless over the airwaves. On the other hand, if it’s on the airwaves it can be intercepted by anyone who can decode it. I am reminded of a scene from the movie Heat.

We should pay attention to the fact that the FBI broke the encryption on the iPhone. They politely asked Apple to assist; when Apple said no, they figured out how to crack it. The best way to operate is to assume someone is always watching.


ACLU v. FBI – FOIA Case for Records Relating to Patriot Act Section 215. (2014, October 6). Retrieved September 16, 2018, from

Henning, R. R. (n.d.). Legal Obligations. Retrieved September 16, 2018, from

Miller, D. (2017, October 03). FBI allowed to keep details of iPhone hacking secret. Retrieved September 16, 2018, from

Vazquez, M., Berlinger, J., & Klein, B. (2018, January 30). FCC chief opposes Trump administration 5G network plan. Retrieved September 16, 2018, from

Wendy, good post. Is the purpose of legislation and law to “set expectations of proper behavior”, or to set rules which can be used to police behavior?
I agree that legislation and laws have typically been created to manage social behavior and protect the citizens of a community (local, state, federal, etc.), but with the world becoming increasingly flat we see that legislation in one country (e.g. GDPR in the EU) can have an impact on organizations which are multinational; in the digital era and the connected world this includes just about everyone. GDPR is the reason we are being asked to accept or decline cookies on just about every site we visit on the internet. (Irwin, 2018)

The Cyber Deterrence and Response Act of 2018 (H.R.5576, 2018) (Blinde, 2018) aims to create a registry of hackers, pulling them out of the shadows and punishing them, but what percentage of hackers are known vs. what percentage are anonymous? This can be really tricky. This is an interesting move by the government; it sounds good on paper, but it seems that it will be difficult to police. We know that nation-states have cyber warfare divisions, the U.S. included; we know that they are in the shadows gathering cyber intelligence and acting on it, but I am wondering if this can be attacked overtly, with something like sanctions. (Richards, 2018)


Blinde, L. (2018, July 02). Bill to fight state-sponsored cyber threats passes out of House foreign affairs committee. Retrieved September 16, 2018, from

Irwin, L. (2018, August 16). How the GDPR affects cookie policies. Retrieved September 16, 2018, from

Richards, P. (2018, April 19). Nation state attacks – the cyber cold war gets down to business. Retrieved September 16, 2018, from



FIT – MGT5155 – Week 2

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.

“Risks to the Enterprise.”

According to Ronda R. Henning, risk is usually expressed as the probability of an occurrence.  Enterprise risk measures the probability of harm to the enterprise as a result of disclosure, modification or downtime.

A key aspect of protecting data in the enterprise is assessing the situation, categorizing aspects of the enterprise and applying the proper protections and/or risk mitigation strategies.  We know that the threats are everywhere, the question is what is the threat posed to a specific enterprise, what is the probability that a vulnerability will be exploited and what is the impact of the exploit.  A quick visit to NORSE Corp and fear will have you believing you should disconnect from the internet, disable all ports, prohibit removable media, only use wired connections, etc… but there is security and then there is productivity prohibition.


Some call this usable security; the text highlights this as “dealing with the conflicting objectives” where the security protocols need to balance security, cost, and usability. (Sherwood, Clark, & Lynas, 2005, p. 27) Making a system secure but still usable is a complex issue the security architect faces: make the security too tight and humans will look to work around the system, make the system too loose and you increase risk.  A complex problem indeed.

One of my favorite examples of usable security and human-computer interaction is highlighted in the course intro to Usable Security on Coursera (Links to an external site.)Links to an external site.. BTW – This is a great course, I highly recommend it.  I bet you can’t think of how a styrofoam cup could be a security threat and how a styrofoam cup could violate HIPPA compliance.  Watch the video above, it’s short and enlightening.

While living in a connected world can be a scary thing, each of us balances risk vs. reward each day; every time we use an ATM or online bill pay system we make the decision that the reward is worth the risk, and in most cases, for the consumer, this reward is convenience.  We also balance risk vs. reward when we think about what password we will use to secure our information, whether we should use MFA, whether we should encrypt our data, etc.  These personal decisions are similar to the decisions that are made within the enterprise. For example, I use strong passwords eight to ten characters in length; these passwords contain upper and lower case letters, numbers and special characters, and they are not dictionary words or leet passwords, 100% of the time. I don’t use twenty character passwords because usability diminishes; the risk vs. reward model just doesn’t work for me.  The password paradigm is used everywhere: email, bank accounts, etc.  As things progress up my personal security stack I apply my password best practices and add MFA; a good example here is my AWS login.  Lastly, if data is super sensitive I apply an encryption scheme which requires a passphrase and a 256-bit encryption key.

It’s important to remember that even what may be perceived as the tightest security protocols still contain vulnerabilities.  From Stuxnet to Heartbleed we can see how even what is thought to be the most secure possible protocols can be thwarted; these systems and protocols were built by humans, making them exploitable by other humans.  The emergence of the APT (Advanced Persistent Threat) has focused the attackers on specific objectives; these attacks are not being perpetrated by a high school student looking to change a grade, but rather a nation-state looking to engage in cyber warfare.

These attacks are complex. One of my favorite stories is the story of AMSC (American Superconductor), who was nearly destroyed when they had intellectual property stolen via old-school corporate espionage.  Who could fathom this story, but if the source code for the PM3000 had this sort of value to AMSC maybe providing an individual located in Austria with access to the source code tree was not the brightest move.  Today we see the FAANG (Facebook, Amazon, Apple, Netflix, and Google) type companies rely on the volume of code and dependencies to protect their intellectual property; these companies have a level of scale, but this isn’t the case for every company.  Another story that I like is the story of Code Spaces, or as InfoWorld titled the article, “Murder in the Amazon cloud”. This company had their AWS root account hijacked and all their AWS services held for ransom; when Code Spaces did not pay the ransom the attackers deleted all their EC2 instances, EBS volumes, snapshots, AMIs and S3 buckets and put Code Spaces out of business.  We know that the attacker used a DDoS attack as a smokescreen but we don’t know how they actually gained access to Code Spaces’ AWS console, but they did. We are seeing this more and more: as organizations open source more software, developers check their code into public Git repositories and leave behind artifacts that expose credentials, like API keys.  Tools like truffleHog can crawl git repositories for secrets, digging deep into commit history and branches, finding secrets accidentally committed.

Risk management is iterative, a big mistake is the belief that a security posture is established and the posture that was established on day one is the same posture require on day one hundred.  A framework like NIST (Links to an external site.)Links to an external site. can assist in ensuring that risk is continually evaluated, classified and prioritized.  Security controls and systems are evaluated and monitored to ensure that the security controls (technical, management and operational) are adjusted as needed.

There are numerous frameworks which can help with assessing and evaluating risk by providing a way for an organization to assess their entire system, including people, process and technology.  Some framework examples include:

(Source: Sherwood, Clark, & Lynas, 2005, p. 43)

Realizing that security is evolutionary is important, that static protocols are unlikely to thwart modern attacks, that AI/ML may hold promise for intelligent and adaptive threat protection and response, but also realize that attackers have access to all the same technology and can create adaptive attacks using attack vectors which were inconceivable just ten years ago. We see this with projects like deephack and a ridiculously low barrier to entry for things like cloud-based GPUs for password cracking. IMO, vigilance, a commitment to iterate and mitigation are the keys to reducing risk in the enterprise, we may not be able to keep everyone out, but keeping them in is a viable strategy. All too often it seems we focus more on checking the boxes of regulatory bodies and not enough time on actually securing our systems.

While the ability to flash a slide filled with your security credential logos probably looks impressive, a developer in most cases can still publish keys or credentials on GitHub at which point all bets are off. In the era of cloud computing one commit to GitHub that contains a snippet of code like the below could be the end.


Clark, J. (2015, December 04). Hacker uses cloud computing to crack passwords. Retrieved September 5, 2018, from

Collins, K. (2016, May 04). Developers keep leaving secret keys to corporate data out in the open for anyone to take. Retrieved September 5, 2018, from

Dxa4481. (2018, August 27). Dxa4481/truffleHog. Retrieved September 5, 2018, from

Henning, R. R. (n.d.). Frameworks. Retrieved September 5, 2018, from

Henning, R. R. (n.d.). Risk-Based Security. Retrieved September 5, 2018, from

Osborne, C. (2017, January 09). GitHub secret key finder released to public. Retrieved September 5, 2018, from

Sears, C., & Isikoff, M. (2015, November 2). Chinese firm paid insider ‘to kill my company,’ American CEO says. Retrieved September 5, 2018, from

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton: CRC Press.

Stahl, L. (2016, January 17). The Great Brain Robbery. Retrieved September 5, 2018, from

Venezia, P. (2014, June 23). Murder in the Amazon cloud. Retrieved September 5, 2018, from

Sharing this because I have shared many classes with many of you and we have often talked about how enterprises balance security investments vs. the cost of an exploit. I have argued in the past and continue to argue that many organizations focus on JES (Jest Enough Security) to satisfy regulators, insurance companies, etc… The focus is not on securing personal information, but rather on reducing corporate risk, this is just another example of why.


Scott, always a good read, although I do have a bit of an issue with making the word “hacker” synonymous with “the big bad wolf”. 🙂 The “hackers” of the Homebrew Computer Club would probably take issue with this as well, folks like Ed Roberts who built the Altair, the hardware platform that gave birth to Microsoft, and Steve Wozniak (aka Woz) who of course designed and developed the Apple I.

Hackers are individuals who enjoy the intellectual challenge of creatively overcoming limitations of software systems to achieve novel and clever outcomes. Now I do understand the modern day (security) hacker colloquialism, so we have now turned what used to be a hacker culture into a maker culture but they are essentially the same thing.

Furthermore, even if we stay with the colloquial definition of “hacker” I am not sure that white hat hackers would appreciate being called “the big bad wolf” but then again maybe they are “the big bad wolf”, just a sanctioned wolf.

I couldn’t agree more, nation-state hacking is modern-day warfare, waged in the depths of cyberspace with digital assets and information as the objective. Stuxnet is a great example and the Stuxnet virus was just one virus in a massive U.S. cyber warfare operation called Olympic Games.


Sanger, D. E. (2012, June 01). Obama Order Sped Up Wave of Cyberattacks Against Iran. Retrieved September 9, 2018, from

Schafer, S. (2017, March 31). White Hat vs. Black Hat Hackers and The Need For Ethical Hacking. Retrieved September 9, 2018, from

Regardless of my politics, my parents raised me with more sense than to burn my own (expensive) clothing.  Here is an idea, if you don’t like the Nike campaign, don’t burn your clothes, take the money you now need to spend replacing the clothes and put it to work.

I am what you would call a value and comfort shopper, so if Nike shoes are comfortable and on sale, I buy Nike, not because I have an affinity for the swoosh or Phil Knight or Bill Bowerman or the latest ad campaign, but because they were comfortable and cheaper than the Adidas sitting next to them on the rack. Just Do It! Keep gluing rubber to a leather upper that is comfortable and having good sales and I’ll be a customer. 🙂 I am actually amazed at the power of a shoe company to excite and enrage people.

Andrew, I know from being in numerous classes with you and reading other posts that you are focused on cloud technologies. I think we are seeing vulnerabilities in the Open Source and cloud world today that will be both challenging for enterprises to plug and will likely create an entirely new security market. With applications like truffleHog popping up every day and being made available to the masses, it’s far too easy to scrape public repositories like GitHub for security credentials.

I think we are in a world today where we are looking to enable developers, this means technology adoption is decentralized, occurring from the individual inward, rather than from the centralized and being pushed from IT organizations outward.  We are trying to balance enabling developers to increase the velocity of innovation while maintaining corporate governance, this is not easy.

When corporate IT was the glasshouse with centralized command and control we had Shadow IT, today DevOps has replaced Shadow IT.  In some cases, this shift was accompanied by governance, but in many cases organizations realized that the war on Shadow IT was unwinnable and pivoted to DevOps to reposition the exposure of Shadow IT as the fuel of innovation and competitive advantage. I believe there is a ton of opportunity for security providers to deliver tools that are transparent and frictionless to the enterprise that will identify things like API keys being committed to a git repo and either stop the commit or better yet strip the sensitive information and allow the commit to happen (aka frictionless).  The key here is transparent and frictionless.


Vadaganadam, A. (2018, May 30). Has DevOps Caused the Re-emergence of Shadow IT? Retrieved September 9, 2018, from
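The two posts above make the same point from both ends: one commit containing a key can be the end, and the fix is a transparent tool that either stops the commit or strips the secret before it lands. Below is an added illustration of that gate, written for this page and not truffleHog’s or any vendor’s code: it scans only the lines a diff adds, flags AWS-format key IDs by pattern and unknown-format secrets by Shannon entropy (the approach truffleHog popularized), and returns a redacted copy of the diff. The sample diff is constructed; the key ID is the placeholder AWS uses in its own documentation and the 32-character secret is made up, so neither is a live credential.

```python
import math
import re
import sys
from collections import Counter

# Credential formats we can name outright; AWS access key IDs are "AKIA" + 16 chars.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}
# Anything long and base64/hex-looking is a candidate for the entropy test.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; random secrets score near log2(charset size)

def shannon_entropy(token: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not token:
        return 0.0
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

def find_secrets(diff_text: str):
    """Scan only the lines a commit adds; return [(line_no, kind, token)]."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # context lines, removed lines and the +++ file header are skipped
        body = line[1:]
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(body):
                findings.append((line_no, kind, m.group(1)))
        for m in CANDIDATE.finditer(body):
            token = m.group(0)
            if any(token == f[2] for f in findings):
                continue  # already reported by a known-format pattern
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy", token))
    return findings

def redact(diff_text: str, findings) -> str:
    """The 'strip the sensitive information' option: replace each flagged token."""
    for _, _, token in findings:
        diff_text = diff_text.replace(token, "<REDACTED>")
    return diff_text

# Constructed sample diff (placeholder credentials, not live ones).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "Zx9Qp2Lm7Kv4Rb8Tn3Wy6Hj1Fc5Dg0Sa"
+REGION = "us-east-1"
 BUCKET = os.environ.get("BUCKET")
"""

if __name__ == "__main__":
    # Pre-commit usage (hypothetical hook): git diff --cached | python secret_gate.py
    # A non-zero exit status blocks the commit.
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = find_secrets(diff)
    for line_no, kind, token in hits:
        print(f"line {line_no}: {kind}: {token[:4]}... (commit blocked)")
    sys.exit(1 if hits else 0)
```

Note that the key ID is caught by its format even though its entropy is too low for the threshold, while the secret is caught only by entropy; a gate needs both checks.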



FIT – MGT5155 – Week 1

The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.

Hello all, full disclosure, I spend my days writing code and automating repetitive tasks. Introductions in this context are a repetitive task so those who have been in prior classes with me have seen some variation of the introduction below.  Need to read on; questionable. 🙂

My name is Rich Bocchinfuso; I hold a BS in Computer Information Systems and I am pursuing an MS in Information Technology with a specialization in Cybersecurity at Florida Tech. I am 45 years old and have been in technology for ~ the past 23 years, and I am lucky in the sense that my career as a technologist and developer is also my passion because I spend 10 to 15 hours a day in front of a computer. I live in New Jersey and work from somewhere in the world on any given day (flying over 100K miles a year is probably the best way to describe it). I am married to my amazing wife of eighteen years, Gwen, and we have two little girls, Maddy who is thirteen and Eden who is seven. Both my wife and I are originally from Pennsylvania, but we have made New Jersey our home for the past twenty years.

My desire to attend graduate school is driven by personal fulfillment as well as a desire to develop skills which will allow me to grow professionally. My goal is to complete the master’s program in information technology with a specialization in cybersecurity and to make practical use of the academic skills I acquire. I am a driven self-starter who is committed to achieving my educational and professional goals. With the half-life of discrete technical knowledge shrinking I have been leveraging learning platforms such as Coursera, edX, Udemy, CloudAcademy, Pluralsight, CBT Nuggets, Codeacademy, SoloLearn, PentesterLab and others for years to combat mental atrophy. I regularly listen to and watch podcasts, and read industry publications and whitepapers to stay abreast of industry happenings.

For as long as I can remember I have loved tinkering and it is this love of tinkering that became the basis of my love of computing and technology. Over the past twenty-plus years, I have invested an immense amount of time honing my craft. I am an avid maker; I enjoy building things, writing about and sharing what I create. For the past ten years, I have been maintaining and sharing my ideas via my blogs:

These two sites pretty much tell my story.

I am an analytical person who enjoys making decisions rooted in empirical data, and I am an INTP.

This is my tenth course in an eleven-course program, next stop for me a PhD program. I am happy to be part of this class, and I look forward to sharing this learning experience with all of you.


BTW – If anyone happens to be in Vegas this week at VMworld DM on twitter (@rbocchinfuso) and let’s grab a cocktail.


Brian, nice to virtually meet you. Parenting is the hardest and most rewarding job on the planet, not sure if I’ll ever consider myself accomplished. I have my fingers and toes crossed that I feel good about what I accomplished at the end of the rainbow; if parenting has taught me anything it’s that there is a lot in life that is outside your control.

This week I had the honor to see Malala Yousafzai speak and it was truly amazing. Her parents set the bar pretty high. Such an amazing young woman.

I’ll be honest, I don’t love InfoSec focused podcasts. I do on occasion listen to Down the Security Rabbithole, if it’s a topic I like.

I read the Krebs on Security blog regularly.

While not security focused, I suggest checking out Datanauts.

I like Tim Ferriss, I listen to the Tribe of Mentors podcast regularly.

I listen to quite a few other tech-related podcasts, most notably a16z, The Cloud Cast, The HOT Aisle, PodCTL, Hak5, Talk Python to Me & AWS Podcast.

Other Tim Ferriss-like podcasts I like include Rocketship, Masters of Scale, StartUp and The Pitch.

Links to most of these podcasts, if you’re interested, can be found here (sorry, got tired of creating the hyperlinks):



Scott, good to see you again. Hope things are going well with the new house. I am still in Vegas, feel like I’ve been in a time warp for a week. I am probably here six times a year, six times too often, if every conference was moved somewhere else I would be good with it. Luckily tonight I have no commitments, so room service, peace and quiet is on the agenda.

My normal travel routes take me to EWR (home), LAS, SFO, LAX, AUS, CMH, and DUB on a regular basis. Would be great to grab a beer or two sometime.

Glad you like my posts, I like to write so I do. Spent most of this week writing and here I am still writing. If you are interested here is my first blog post from VMworld:

I have 3 others which I have to complete so they can be published but shifted gears because I was getting writer’s block.

We’re nearing the end.  Good luck with this class.


Carmeshia, good to see you again and thanks for the kind words. Gotta convince my family to say goodbye to me for 3 more years, the toughest part of adult education.

Tech is the type of business where you have to be committed to learning forever, I’ve enjoyed the program because it helped me push into areas I wouldn’t go on my own and I have leveraged a lot of what I have learned. For instance, the Org Behavior class wasn’t my favorite but I have used the motivation theory in like six presentations.

Having had the pleasure of seeing Malala Yousafzai speak this week, it really drives home how powerful education is, and how threatened some are by it.

Good luck in the class.


Scott, tech is used to HR nightmares, somehow it’s gotten worse, not better, I am sure HR would have no time to worry about you. Wanna have your mind blown, read Brotopia. The world seems to be getting stranger and stranger with each passing day.

When you get your first Cyber Security gig we’re gonna meet at DerbyCon, by far the most fun InfoSec conference out there. Check out the Hack My Derby Contest, 7:00 minutes into this video: DerbyCon 6.0 2016: Hack My Derby Contest – Hak5 2105


Carmeshia, I think I am one of the few people I know who still builds their own PC. I have been a Linux user on the desktop since the early 90s, and the circles I run in are full of propeller heads, but the entire industry has moved away from hardware towards software, people just want a hardware platform that is stable, the Mac w/ macOS which is really just BSD (Darwin), the cloud, etc. As a Linux user, I have never really seen the point in overpaying for an Intel-based machine with a metal case, I say this as I type this post on my Pixelbook. 🙂 I think Google will give Apple a run for their money as they have built a great hardware platform that makes it easy to support ChromeOS, Android and Linux apps, and soon it looks like they will support Windows on the bare metal. The cloud has really changed the PC market and I feel we are just at the beginning, from an applications perspective like Google Docs and Office365 and from a security perspective as well, as more and more desktop security applications leverage the cloud and data captured from a network of connected endpoints.

I recently finished a Coursera course entitled Usable Security, the course focused on the balance between security and human-computer interaction; security has to consider human-computer interaction to drive adoption and adherence; when security measures impede progress users will spend more time working around security measures, often creating greater risk.


Coursera. (n.d.). Usable Security. Retrieved September 2, 2018, from

Feeling a bit dense here, posted my “Introduction” and “Information” week one discussion post without realizing that the “Information” side of the post should have been a commentary on the “Information” lecture. I will chalk it up to a long week, adding my “Information” commentary below.

I’ve spent 18 years of my 25-year career in the information storage and data protection space. Over these 18 years, I have focused on primary, secondary and tertiary storage platforms with careful attention paid to data classification for the purpose of determining the appropriate architectures to satisfy data protection (replication, backup, etc.), performance, encryption, etc. requirements. Data classification has always been and continues to be an essential aspect of what I do. For years I have classified information to determine RPO (Recovery Point Objective) and RTO (Recovery Time Objective). Today with the emergence of the cloud we organize data to assess where to place it in the cloud. Does the data need to live on block storage like AWS EBS; can the data live on object storage like AWS S3; does the data require eleven 9s of availability; is reduced redundancy storage with four 9s of availability acceptable; does tiering to long-term archive storage like AWS Glacier; is encryption needed; at what level does the data need to be encrypted; what is the key rotation strategy; what key management system should be used, etc.

Data and information classification is key to balancing capability and cost. As we experience greater data sprawl with the increased adoption of Hybrid IT (hybrid cloud) and multi-cloud provider strategies, data governance becomes even more critical. We are all seeing the impact of privacy regulations like GDPR (EU General Data Protection Regulation), just about every website we hit today requires explicit consent to cookies, the result of GDPR. (Irwin, 2018)  There is no end in sight to the amount of data we are creating and we can expect the need for information classification and security to increase exponentially.


Henning, R. R. (n.d.). Information. Retrieved September 2, 2018, from

Irwin, L. (2018, August 16). How the GDPR affects cookie policies. Retrieved September 2, 2018, from