The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso, or you can view the full discussion.
Unlike Andrew who intelligently worked ahead, I have been just trying to keep up given my travel the last month or so. I live in New Jersey and in the last 30 days I have been to SFO four times, LAX once, SNA once, LAS once, CMH once, DUB once, CDG twice and LHR once. Today I arrived home on a redeye from SFO and Sunday night I fly to Heathrow. It’s been a long few months and at the moment my travel schedule looks the same through March 2019. I have really enjoyed the discussion post style in this class, I like the open-ended thought-provoking approach and the latitude it provided. I really feel this provided a great approach to develop the dialog and I have enjoyed reading and contributing each week.
“We Have Met the Enemy…”
Have We Met the Enemy? IMO, ABSOLUTELY NOT! The enemy lives in the shadows, we have met the threat, but not the enemy. We hypothesize on who the enemy might be based on the target, but in most case, we have not met the enemy. I really like this quote “the benefit of finding out just who is poised to attack you pales in comparison to finding out what they have an opportunity to attack.” (Robb, 2016) This is interesting to me from a few perspectives:
- Does knowing who the enemy is or meeting them offer a benefit? If so, what?
- What is the probability of identifying the enemy vs. identifying the vulnerabilities? Are we looking to answer the question of “who” before we answered the question of “what”?
- Do you focus on the intangible and arguably insignificant answer to the question of “who” or do you focus on the tangible and valuable answer of “what”?
We know that there is an increase in threats from nation-state hackers (Sheridan, 2018) and hacktivist groups like Anonymous (OConnell, 2016) but is relevant? Yes, the intent is relevant because a script kiddie just joyriding on your network is a lot different than a nation-state exfiltrating data. Yes, it’s relevant to know what you offer to a hacker, why you might be the target of an APT (Advanced Persistent Threat), to hypothesize on where attacks might originate because this might allow you to get into the mind of the attacker and thinking like the attacker can help you better prepare. With this said I think it’s important to realize that regardless of if it’s a nation-state of script kiddie looking to joyride the vulnerability was what they exploited; hedging a strategy based on who the attacker might be and the damage they might do is probably not the right decision.
Anticipating the “who” is like watching NFL game tape, it helps you prepare to read the offense so you can orchestrate a defense with a higher probability of success. While NFL players may not be better raw players as a result of sitting and watching game tape they are developing the edge that allows them to exploit the opponents’ vulnerability, hackers do this, but an unprepared or underprepared end-user (the human factor) is often what the hacker is betting on. The ability to read the defense or the offense comes from education. The ability for the end user to identify a potential phishing attack comes from education and vigilance. The difference between the opposing forces in the NFL and the hacker vs. the end-user is the hacker is far more invested than the end-user. We need to educate the end-user to realize that we live in an era where data is more valuable than oil, that they, the end-user, the human factor is the best defense or the biggest weakness.
References
de Bruijn, H., & Janssen, M. (2017). Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly, 34(1), 1-7.
OConnell, J. (2016, September 13). 10 Most Notorious Hacking Groups of All Time. Retrieved October 19, 2018, from https://hacked.com/hacking/
Robb, S. (2016, September 30). Cyber Defense and the Unknown Enemy: 3 Best Practices. Retrieved October 19, 2018, from https://www.controlscan.com/blog/cyber-defense-unknown-enemy/
Sheridan, K. (2018, February 29). 8 Nation-State Hacking Groups to Watch in 2018. Retrieved October 19, 2018, from https://www.darkreading.com/attacks-breaches/8-nation-state-hacking-groups-to-watch-in-2018/d/d-id/1331009
The world’s most valuable resource is no longer oil, but data. (2017, May 06). Retrieved October 19, 2018, from https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
Wright, K. (2012, March 01). Cybersecurity Roundtable: The Enemy is Unknown. Retrieved October 19, 2018, from https://www.elp.com/articles/print/volume-90/issue-2/sections/cybersecurity-roundtable.html
Andrew, I can certainly relate to your travel schedule, my past few months have been brutal as well. Glad to be nearing the finish line.
I agree with you that the enemy is the human factor. Let’s face it the internet is one giant honey pot and for those with skill, des, re and malicious intent, it’s the perfect storm of riches and anonymity. If we believe that data is the new oil, we (as individuals) often leave our most valuable asset (data) unprotected. While I don’t use dictionary words or l33t passwords, I don’t use single-factor authentication, etc. the average person puts their information on the information superhighway with an easy to remember l33t password, no multifactor authentication and they use that same password everywhere. Hacks, where user information is exfiltrated, allow the creation of huge word lists which can be used for dictionary attacks. There is a multiplier affect each time user data is exfiltrated because of our individual security practices.
The Target data breach is just plain scary. Why would an HVAC contractor have access to Target’s internal systems? Assuming they needed access for whatever reason why they would be given access to systems on a network segment which can route to their payment systems is just beyond odd. In the case of Target, it seems there was a massive technology architecture fail that occurred way upstream from the IPS/IDS events and SOC response.
The human element is by far the largest vulnerability in any system, old-school espionage is alive and well, social engineering is on the upswing and FOMO is not helping our security posture.
References
Kerbs, B. (2014, February 5). Target Hackers Broke in Via HVAC Company. Retrieved October 20, 2018, from https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
Passwords. (n.d.). Retrieved October 20, 2018, from https://wiki.skullsecurity.org/Passwords
Kamelia, I agree, the biggest vulnerability being exploited by hackers is the uneducated or undereducated end user. But we have some real things to be concerned about when it comes to the human factor.
- Rule #1: We have an entire generation entering the workforce which has been labeled the “Click Generation”. (Marcia, 2015) This generation (Gen Z) will eclipse Millenials in terms of economic power by 2020. (Morris, 2018) Like their pseudonym suggests they like to “click”, and they do it fast and furiously.
- Rule #2: What’s email? Isn’t that for old people?
- Rule #3: What’s a “preview” pane? Oh, something else for old people.
The world is changing fast, but there is some good here.
My kids who are both Gen Zers have no desire to use Windows or MacOS, they are either on their iPhone or Chromebooks. This is good and bad, In theory, because they don’t use thick clients a centralized security paradigm may be easier to architect and enforce. The ransomware we’ve come to know that attacks CIFS shares is made extinct via the extinction of the CIFS/SMB protocol. The bad news is the “Click Generation” oozes FOMO so the idea of slowing down clicking seems unlikely. Centralization creates a larger honey pot with a much larger blast radius. Only time will tell.
References
Marcia. (2015, July 27). Generation Z Coming Into The Workforce | Click Generation. Retrieved October 20, 2018, from http://www.employeedevelopmentsystems.com/2015/07/whats-coming-next-generation-z/
Morris, C. (2018, May 2). Gen Z will outnumber millennials by 2020. Retrieved October 20, 2018, from https://www.tradeonlytoday.com/industry-news/gen-z-will-outnumber-millennials-by-2020