My MAC, your iPhone, and a vulnerability issue

A long time ago in a valley far away... When I was 8 years old our first computer was a Macintosh. My mother fondly nicknamed it Mac-Baby. She would travel with it to accounting jobs. For lack of a better way to explain it - because my old brain doesn’t remember the model/type, it was an all-in one, with the huge floppy drive and square CRT monitor. I used to play chess on it among other black & white graphic type “video games”.

Now fast forward to 2016 and I ditched the Windows machines, bye Felicia...and I now have 2 Macs. I love the stability of it. The lack of viruses and issues that make it appealing to me, so here we sit. And yes, I know it can still get viruses..I am not delusional.

Recently though there has been a issue with Apple’s calendar feature. What? I know. Looks like someone took note of a system vulnerability and had its way with it. Spammers unit! Ugh. It was black Friday a few weeks ago and myself and hubby both noticed these crazy alarm/alert notifications coming through. On my computer and his phone. We both looked at each other confused and then decided to Google it. And there you have it. Apparently Apple is trying to fix this none sense asap, which is good. But the reason I am touching on this now is because in my current course work we are threat modeling and part of that comes with noting system vulnerabilities.

What broke and what do we do with it

As I am in the thick of building a threat model, which by the way is even harder than it sounds when you feel overwhelmed by two graduate level course and your risk management course was months past and you can’t remember things...just throwing that out there, lol. However, I do know that a key component is identifying threats and vulnerabilities. With that being said...what the heck Apple! You missed one. Anyways..to my points.

1. Something like this issue should have been caught during whatever process is used for system development testing. Test before release. Say it with me, test before release. Not afterwards. This is how many famous viruses/worms get out and about.
2. If that was done properly, it would have been repaired or a non-issue.
3. If it wasn’t caught here, it should have been at least on a radar of some sort in a threat modeling process cycle...maybe? I mean I think so, but I also don’t work for Apple. AND I am in no way bashing them..but this is a really good example in vulnerability assessments.
4. If it was determined and found, was it considered a part of the risk appetite for the organization or not? My basic question would have been, who dropped this ball?

What to do

So what happens when we miss these? Clearly processes need to be more reformed if things like this are being missed. I mean I know accidents happen, but there is process in place to avoid stuff like this. If it was caught, but it wasn’t determined to be a consider a threat...yikes! I mean it could have been worse for sure! It’s more annoying than anything for the users/customers, but it’s not necessary either.

Threats and vulnerabilities need to always be defined and cataloged in some way shape or form, these processes then help use this to determine next steps and preventive measures. Although even when we try our best, things will still be missed. I realize this and it is OK. I just hope all of these are learning experiences and allow for organizational growth. Plus, I hope no one got fired.

For now, I am going to go work on my threat modeling process some more..maybe I will share that with you all at some point? Either way until next time, stay safe out there!

More info on the Apple calendar debacle: http://www.itnews.com/article/3149056/software/apples-promised-calendar-spam-fix-is-coming.html

Cartoon from: http://www.glasbergen.com/

Week 3 Assignment - CYBR 650

Credible news sources 101

Just gonna lay this on the table - Wikipedia does not count. I just want to throw this out there to anyone reading who might be a young adult heading to college..Wikipedia is not a credible news source for any type of research paper or believable content.

What it actually can be used for is looking up something and getting an idea what it might be about. However, that is all it should be used for. Do not go to college and use Wikipedia as a legit reference or source. Your professor will most like have flames shoot from their eyeballs.

BUT but but….

OK why isn’t it credible...because other random people in the world can edit it. AND it is never checked or reviewed for accuracy. So if some random person wanted to write content on brain aneurysms, but he/she is a craps dealer in Las Vegas...with no educational background in that field of study...You see where this is going right? Just avoid it, mkay?

So then, what is a good credible source. The obvious answer is published peer reviewed articles that you will typically find in a library. But Angel, not everyone has access to those fancy online libraries like you do. Correct! However, you can go to your local library and read a book. Kids..seriously you have no idea what a card catalog is do you...ugh that struggle was real.

Without a library, there is also the option of using online search engine. Such as, Google or Yahoo as a starting point. Personally, I use much of the following sites for IT based news. These are legit (aka credible) and generally they don’t contradict each other. These are my "go-to" for IT/Technology based news and information.

www.cnet.com

www.computerworld.com
www.itnews.com

www.infoworld.com

www.computerweekly.com

Other news sites such as, New York Times, Time, Forbes, or Wall Street Journal.

Credible Sources - How and Why

Evidence. That is really the key factor in determining if a source is credible. Do you remember in math class, I hated math too so for me to use this example is very important, when the teacher would tell you to check your work? You would work a problem backwards and this would let you see if the answer you got actually worked with the problem presented? Same idea. Fact checking, subject matter experts, published articles that are reviewed for accuracy by other subject matter experts - this is the stuff that goes into credible sources. Not craps dealers writing about brain aneurysms. Or me writing about gardening, I have no clue.

What if…

So what happens if these credible sources provide conflicting information. Well the world will still go round and round, but we need to do our due diligence to research further and make an educated conclusion. Ooh, that might be dangerous. But remember that math problem backwards thing? Do that again. Check. Check. Check. This is the only way this will work successfully is if you research and check.

Until then, stay safe out there, use your head, check your "facts", and all will be well.

Imagine above taken from https://pleasureinlearning.files.wordpress.com/2012/12/laffoon2.gif?w=640

Week 2 Assignment - CYBR 650