Wednesday, March 1, 2017

What a ride!

My Reflection 

This is my last week of class. This program is coming to an end for me and it’s bittersweet. Like a long job where you have been working for a couple years and you're now leaving...it feels like that. While exciting, it’s also scary. I still don’t know what I want to be when I grow up, haha. Although, I would like to teach. I do enjoy that.

The class I write this blog for was the hardest class to date, yet probably the most memorable and useful. While threat modeling can sound scary and maybe even intimidating, it’s really not. The important thing to remember is that there is no right or wrong way to threat model. And any companies out there that are not doing this, need to consider utilizing this for their processes. Security is only gonna get worse folks. Protect everything and anything with as much effort as possible.

My next step was to continue on to a doctorate, but the hubby misses me. And I gotta be honest, I am so very tired of homework. So instead, I think I will work on certifications and staying up to date on security on goings. Keeps my mind active, but I don’t have deadlines or homework. More video game time with the hubby too! He will love that.

Graphic taken from: https://www.cartoonstock.com/directory/g/graduation.asp


My Advice

Here is my advice, and no you didn’t ask for it, but I am sharing it anyways. I started this program in June of 2014, as you read this I am finished. It is March 1, 2017. It has been a long, hard, and stressful journey. Would I do it again? Absolutely. It is worth the effort, time, and energy spent to gain the knowledge that I did and the diploma helps too. The sense of accomplishing something so intense, also gives a sense of pride and joy.

If you are considering branching out and going for education, training, degrees, etc. do it. I know school isn’t a fav activity for most people; for me it is. But learning is always valuable, whatever your goal, learn, learn, and learn. I encourage you to read and research, because we need more of that in our society. Keeping your mind active is healthy for you, don’t forget that.

Please consider something though. While education is important, don’t rely heavily on your degree. Get work experience. Don’t just go to college and expect a high paying job out of school. While it might happen, it typically doesn’t. So get a job in your field, like an entry level job, gain work experience and go from there. I started in IT back in 1999, well before I had a BS. I am glad I did. Sure I made $10 an hour, but I gained a ton of experience and it grew. So now my MS with my BS and my 18 years of experience in IT on my resume makes it easier to get an amazing job. Learn and grow as much as you can!

I want to thank you all for reading my blog. Thank you all for the support and feedback. I will try to continue this blog as time goes on. Maybe I will get lucky enough to get a teaching position and have more to share with you all. Hmm.. my students may also need to blog, muwahaha (evil laugh).

Until next time and always, stay safe out there!

Week 12 Blog - CYBR 650

Graphic taken from: https://www.cartoonstock.com/directory/g/graduation.asp

Wednesday, February 15, 2017

The Big D

Data 


The big D is data. What and why? I shall explain. Let’s be honest here, the reason that IT people exist is for the big D. There really isn’t any other purpose to my career other than data. We are either sharing it, collecting it, or protecting it. Data makes the world go round. And you thought it was just the Internet that makes it all important, hahaha. But seriously, why else does the Internet exist? It’s to share data. But Angel, Facebook? Yup, even Facebook. At its core, has collected and shared (sort of) data.

So what is data. It’s information at it’s simplest form. I am sharing my brain data on this blog with you and you will be collecting it when you read it. Sounds a bit simple and sci-fi at the same time but it still has value nonetheless. Again the point of a cyber security professional’s job is to protect that data. And I read a story today that inspired this blog.

Wired put out an article titled “Diehard Coders Just Rescued NASA’s Earth Science Data”.

Now regardless of political views or opinions, this is brilliant. Why? Because a bunch of coders decided, they weren’t asked to, tag and bag research data from NASA’s Earth Science. This is important because we are protecting data. Whether or not people believe that data, it should be collected and protected. After all that’s what we (IT Professionals) do.

“The data collection is methodical, mostly. About half the group immediately sets web crawlers on easily-copied government pages, sending their text to the Internet Archive, a digital library made up of hundreds of billions of snapshots of webpages. They tag more data-intensive projects—pages with lots of links, databases, and interactive graphics—for the other group. Called “baggers,” these coders write custom scripts to scrape complicated data sets from the sprawling, patched-together federal websites (Molteni, 2017).”

I sort of feel like we are modern day librarians - only because we help collect, share, and protect data. Doesn’t a librarian do that, non digitally, with books? I believe so. Or maybe we are Data Scientists? I like that idea too, haha. Can I have a lab coat? Maybe?

Image retrieved from: https://www.pinterest.com/exasolag/fun-about-data/

Not all was saved


So not everything was collected during this event. Which is unfortunate but understandable. The question of whether the data missing was backed up or not is concerning. Which leads me to say, always backup your data.

Now the article goes on to say that they did get over 8,400 NASA and DOE webpages and downloaded over 10 gigs from private pages into the archive, from just this event. But there is still more to get. These volunteers are planning to get even more from national parks and other areas that have some concerns.

Whatever political position your at, I just ask that you admire your IT professionals, cyber security experts, and ethical hackers to realize they are the data keepers of the modern world. I find it amazing that these busy gals and guys took time out of their lives, without pay, without much recognition, to protect data that may or may not impact our lives. But at least it’s there if we want to read it or research it AND that is why isn’t so important. As a graduate student, research is my bread and butter, so to have that available is huge, as data is one of the most important aspects of our society.

Read the article if you have time.

Until next time, backup your data, and stay safe out there.


References

Molteni, M. (2017, February 13). Diehard Coders Just Rescued NASA’s Earth Science Data | WIRED. Retrieved from https://www.wired.com/2017/02/diehard-coders-just-saved-nasas-earth-science-data/


Week 10 Blog - CYBR 650

Wednesday, February 8, 2017

My Thoughts on Credit Card Security

To Swipe or Not to Swipe

So I was out with my mom shopping at a big box discount store. My mother is very scared of credit card theft, someone gaining her pin, access to her accounts, etc. Which I think isn’t unreasonable during this day and age.

Now I know they put in chip readers and chips in your credit and debit cards which was rolled out this last year or so. This is supposed to help again fraud. And I am sure that it has alleviated some. However, has did really worked to the level of expectation? Well mom definitely doesn’t think so, she continues to get cash out to pay for things like gas. And really, I don’t blame her. I think her card was compromised a few times. I know mine has been too.


The Good News



Here’s the deal with the new chip, it's great for one reason, it contains what’s called a cryptographic encryption. It authenticates the card as a legitimate bank card and with that issues a one-time code (key) with each transaction. I know what did I just say, right? OK. They key is a type of control for this encryption that is send out and verifies the legitimacy of the card as a real card...not made in someone’s garage. AND this process is why it is meant to help card users avoid fraud or theft.

Image Retrieved from: http://www.politicalcartoons.com/cartoon/e1e56a2c-5198-495b-9d97-c2d7b31e80a6.html


The Bad

Here’s the problem. Do you remember when there were tons of bad people doing bad things? Oh-wait, they still are. Surprise! Workarounds cometh. So now there are types of hardware that these bad guys can place on machines with card readers. Remember they did this with card swipes? Yeah, same idea.

In fact the lady that was checking us out, mentioned they have a team that only monitors store equipment for this type of hardware. She said they the card read should be tight against where the user inserts the card. If it’s loose don’t use it. This is interesting to me, as I would think that outside at a gas station, OK, you could sneak up on a machine and place a device, but inside a store with people around and cameras watching? You betcha! Kinda gutsy huh? She said that they found a device, as someone was trying to come back and collect it from the machine they placed on.

Now this could be what she heard, I can’t verify the legitimacy of this but really, I am not surprised either way. I thought it was only a matter of time anyways for criminals to find their work around. Looks like it was quicker than expected. Actually Wired.com talks about it before the switch over even completed. Plus look how many retailers are still not using the chip. Oh and another article from CNN.

So I am not trying to scare you or raise your blood pressure. I promise. My goal on this one is to inform and share. And some food for thought. When you are going to get gas, I would pay cash or use the card as a credit card, not a debit. It’s easier for the bank is way too. Also, check the hardware if something is loose or doesn’t look right don’t do it. AND go with your gut instincts on this. If it doesn’t feel right, it probably isn’t. Always guard your pin, just like you would with your passwords.

I don’t think we are gonna see any of this go away or get better, so all we can do is adjust.

Until next time, stay safe out there!

Week 9 Blog - CYBR 650



Thursday, February 2, 2017

A Time for Reflection

My Brain Said No


This week’s topic was hard to nail down. I think my brain turned off there for a bit. I am about 4 weeks left of school and besides being tired, I am also in a stunned reflection of this program that I went through.

None of this was easy, just in case you are considering grad school. It was one of the harder things that I have done. And I couldn’t be more excited to complete it. My husband can’t wait to have his wife back and video game partner back, hehe. But let's reflect this week, since it is not leaving my brain...so I must share my thoughts.  

When I began this program in 2014, I had already completed a Bachelor of Science in Management Information Systems. I had already worked in IT for many years, but I still had so much to learn. It’s actually funny when I tell people what my degree program is, usually there is a double take involved. Seriously. It’s weird. I remember when I started working in IT many years ago it was a mostly male dominated industry. Still kinda is, but not as much. I still get weird looks. And its OK. The shock value is worth it, haha.


Image taken from: https://larrycuban.wordpress.com/2012/12/

Anyways. I have learned so much, yet I feel like I could learn so much more. I have taken courses in risk management, computer forensics (that is one of my favorites), ethical hacking, information warfare, cloud computing, and of course my capstone...which is what I write this blog for. The capstone is the most demanding course, but yet makes the most sense in a real world setting.

Recent Events in my Head


I have been recently threat modeling. Which sounds scary. And it kind of is. I don’t know if I am doing this right. But I have a sense that this process isn’t as black and white as others in IT. It seems more grey. Lots of areas for interpretation and theory. Which I like, but it does make it challenging when you get to those black and white sections of threat modeling. What I mean by that is that I know there is a risk, we have found the vulnerability to be X, but the grey comes with the organization. Do they accept the vulnerability? Do they mitigate it? Do they rebuild a system? Do they ___? See the grey? It’s interesting from that perspective. You would think it’s cut and dry, but it's not.

Perhaps this is one of challenges to managing IT. Making these hard choices and accepting any blow back should they occur. IT is so dynamic that it isn’t easy to manage or to make choices. Sometimes I think it’s just making the best educated guess we can from the data we are provided.

With our rapid changing environment, I don’t see this type of thinking changing too much. I only see us, IT professionals, rolling with the punches and doing the best we can.

If nothing else, this graduate program has taught information, but has also taught me how to research better, how to objectively review data, analyze better, and think broader.  The experience of the program has really be worth the time, energy, and money in order to better get to where I want to be.

I only hope to teach one day and share my knowledge. That is my ultimate goal.

Until next time, stay safe out there and I promise something with more geek-ery, technical for you.

Imagine taken from: https://larrycuban.wordpress.com/2012/12/

Week 8 Blog Post - CYBR 650

Monday, January 23, 2017

Ransomware 101

Holding your PC Hostage 


So here is the deal, ransomware is basically a piece of malware that when activated on a computer locks the user out of their files/data. Typically this is done with encrypting the data so when the ransomware/malware developer reaches out to the user they say something like, “Give me $500 and I will let you have the “key” to access your data”.


Stay with me. Grab some coffee if needed. I know there is a lot of um and huh moments happening if you have no clue what I am talking about.


We all know what viruses and malware is. Ransomware is a form of malware, so the idea is that it’s distributed like typical malware. Ideas of how malware gets on a system noted below.


  • You may have installed something that you shouldn’t have (either unsafe or not from a trusted source).
  • Optional installed software with “reputable” software. AKA toolbars - avoid the toolbars! Please for all that is good and holy - NO toolbars!
  • If you are already infected, it cycles to more and more infections.
  • You don’t have an anti-virus or anti-malware software. The key with this one though is that many people have it, but not a lot of people update it and use it. So you need to do that.


With that, ransomware is received much in the same way and what it does is holds your stuff for ransom. There are a couple different types of ransomeware, but I don't want you to start drooling so we will move on.


Cartoon retrieved from: http://www.informationweek.com/it-life/cartoon-whos-writing-all-that-malware/a/d-id/1317267


Gimme the Cash!



I know! I know! WHAT? Right. So in order to get your goodies back they want you to pay a certain dollar amount and if you don’t pay it by a certain time, they either up the ransom or data goes bye bye.


What is frustrating about this is that it’s completely avoidable for one HUGE reason. BACKUP your data. Then who cares? Let them delete your photos and docs, if you data is backed up, your golden.


I actually had a customer when I was running my own company and this happened. The said part is we had to format her pc and she didn’t back up her data. But to her she was excited that I could fix her computer from the ransomware guys. Which is always an alternative, but still this isn’t fun.


The best methods I have found for data backups is the following.


  1. Buy and use an external drive. Set it as a backup and use the thing. Most of these have software that will do it for you and all you need to do is point to the folders and files you want to backup.
  2. Use something like Google Docs/Google Drive. This is my bread and butter in business and school, And yes there is always a risk, but it’s Google...I mean seriously. They probably have backups of their backups.
  3. Email. Email is probably the most underrated and underused system for keeping backups of important things. I wouldn’t recommend this for everyone and everything, but for the average user that just wants to keep a few docs here and there.


So now you're going to get your anti-malware/anti-virus software updated, ran, fix issues then backup your data..right? Please? K-thanks.


Until then, safe out there!


Here are a couple great references for ransomware:


Cartoon retrieved from: http://www.informationweek.com/it-life/cartoon-whos-writing-all-that-malware/a/d-id/1317267

Week 7 Blog Post - CYBR 650

Wednesday, January 18, 2017

A hostage, your cell phone, and SS7

A Hostage Claim

My mother pulled me aside this week to tell me a story about a friend’s husband that was scammed over the phone with a fake hostage claim. The call came through the cell phone, was a rude and abrasive guy claiming that he had the guy’s daughter and was going to start cutting off her fingers if the guy didn’t get money to him. Needless to say the poor guy was terrified. And in the end, the scammer required the money wired to him. That’s when the victim had the light bulb moment of “oh crap, this is a scam”.  Here is a great news article that highlights this scam.

I had never heard of this before and it's scary. However, it’s not all that surprising. Growing up I didn’t have cell phones and we barely had an answering machine - no age jokes, mkay? I remember my father hated answering the phone so he would screen the calls through the answering machine. Why did we ever stop? Ok, we don’t have cell phone answering machines, but we do have voicemail and oh, boy do I use it. I have become so adamant that if I don’t have the number in my address book, I don’t answer the call. Too many scams, marking, surveys - aka junk calls. Ewww.  No more.

SS7 


But Angel, how does this relate to IT. Here’s the weird part, the cell phone of the victim after the attack didn’t work. Odd right? Not so odd. In fact, it's super easy to hack a cell phone just by using the phone number. WHAT? Scary I know. SS7 - no, not a new James Bond movie, is the culprit. This vulnerability is what allows these easy hacks to actually occur. SS7 is Signaling Systems 7, which connects all cellular networks/providers in the world together. This flaw allows for eavesdropping, fraud and all kinds of bad guy activity to happen.  Here is a great you tube video for more information.

There are a few things to consider with SS7

1. This is more likely to happen in Europe - I am not sure this makes this any better, but OK.
2. SS7 is a known vulnerability - OK, um can we fix it then? Maybe?
3. NSA pretty much can do this eavesdropping thing already - Hi, NSA!
4. There may or may not be limitations on this technology.
5. The news isn't talking about it. - Well, in all fairness it isn't nearly as interesting as the Brangelina divorce...


My Advice

As more scams and marketing callers are calling your cell, please consider the following.
1. If the number looks strange or you don't recognize it, don't answer your phone. I won't answer my phone unless I have the number in my address book.
2. Hesitation. If you answer the phone and something strange or scammy starts, give yourself a point of hesitation and ask, "is this real?" When in doubt, hang up your phone.
3. Research the number calling you. Many sites allow you to see the number calling a safe caller or not.
4. Make sure you have anti-virus and malware software on your phones. Especially anything Windows based, since hacks can happen outside of SS7. Really. We are only scratching the surface here. Research, research, research.
As this gets worse, we need to be cell phoning defensively to protect ourselves.
When in doubt - don't. Don't answer the call, don't respond and hang it up.

Until next time, stay safe out there!


Week 6 Blog Post

Tuesday, January 10, 2017

A Boy and his...Drone?

A smile and a giggle I write this blog for week 5 in Current Trends in Cybersecurity and the topic is, drum roll...drones. The reason for the smile and slight snort giggle, yes, I admitted it, is that I bought my husband a drone for Christmas. It has been hilarious and quiet comical if I can say. I believe three times now he has, without a word to me, started his truck and took off to chase after his drone because it went MIA. I am surprised it doesn’t have a name yet. Luckily I had him put a label on the thing with the address and phone number of the owner, since this sucker is much like our beloved pets. Except they don't take off buzzing down the street and end up in a cactus...cough, yeah that happened, cough.

Anyways I got slightly carried away. But seriously, I wish I had video.

Besides the ongoings in my house with regards “the drone”, there is an increased popularity of drones and drone presents in not only military, but civilian space. With that I began to wonder about security, specifically cyber security, with these little things. And there is some interesting information out there on this. I mean we are taking current trends in cybersecurity, so this really is top of that spectrum, I think.

Are these the humans we are looking for?


Apparently a large risk here is that a hacker/attacker could fly a drone into a corporate office building area and start to collect data or a drone could be used to attack WiFi and intercept communication data, use bluetooth channels for data collection, etc. the list goes on and on. These possibilities might be endless and frankly, scary. I see Amazon testing drone delivery and hey that seems kinda cool. Maybe for remote locations or something. Even pizza delivery might sound good as a backup plan for short staff store or with employees calling in sick. But to hack organizations...yeah, it was only a matter of time.


While drones are fun and in the right hands can do some cool things, in the wrong hands we have another avenue of cyber warfare. Now not all drones are capable of being used so maliciously, there are also different types of drones. I know this part because the hubby now wants another one that has a GPS home device AND since the “little one” has gone missing three time that GPS sounds like a good idea. However, that could also be dangerous in the wrong hands. What about strapping a bomb to a drone, GPS program it and bye bye birdie.  I mean that seems more like a military drone, but couldn’t a civilian possibly do this? Yikes. So scary and very bad.

Moving Forward


So what do we do? Well cyber security professionals are concerned and realize that most companies and organizations aren’t really prepared for drones. This is something that a corporation needs to realize that they will have to plan for in their threat modeling. Probably not something that would happen a lot right now, but moving forward when drones are even more popular and cheaper, it could be a huge issue. There are a few up and coming 3rd party companies that specialize in getting drones knocked out of the air by using radio waves. Which can be a bonus for corporations that have this concern. I imagine with drone growth we will also see a growth in vendors offering drone protection services as well.

Just another thing that organizations and even us civilians need to consider when technology changes and advances.

Until next time, stay safe out there...oh, and don’t fly your drone and drive. Bad idea


Week 5 Blog Post