Nicholas Foster says
The most interesting concept that I learned from the reading is the fact that they managed to make a mathematical formula to calculate privacy. You would think something like privacy metrics being quantified would be trivial, being a simple question: was my personal information leaked/exposed/etc., yes or no? If no, we’re set. If yes, what kind of data, how many people now have access to it, etc. However, the mathematical formula they list in the reading had me flabbergasted. “Information-theoretic metrics measure the information that an adversary learns by observing an event or a system (all observable events in a communication system).” The equation is essentially broken down into prior knowledge, information gained, and level of entropy protecting the data.
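The three pieces named above (prior knowledge, information gained, and the entropy protecting the data) can be turned into a small calculation. This is an added example, not code from the reading or the post; the eight senders, the "short"/"long" size buckets and their probabilities are constructed for illustration.

```python
import math

def entropy_bits(dist):
    """Shannon entropy H(X) in bits of a distribution {outcome: probability}."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def uniform_prior(subjects):
    """Adversary's prior before observing anything: every subject equally likely."""
    return {s: 1.0 / len(subjects) for s in subjects}

def posterior(prior, likelihood, observation):
    """Bayes update P(s|obs) = P(obs|s) P(s) / sum over s' of P(obs|s') P(s').
    likelihood[s] maps each observable event to P(event | s)."""
    weights = {s: prior[s] * likelihood[s].get(observation, 0.0) for s in prior}
    total = sum(weights.values())
    if total == 0:
        raise ValueError("observation has zero probability under the model")
    return {s: w / total for s, w in weights.items()}

def information_gained(prior, post):
    """Bits the adversary learned from the observation: H(prior) - H(posterior)."""
    return entropy_bits(prior) - entropy_bits(post)

def effective_anonymity_set(dist):
    """2^H: how many equally likely subjects would give the same uncertainty."""
    return 2 ** entropy_bits(dist)

# Constructed scenario (assumption, not from the reading): eight possible senders,
# and the adversary observes only whether a message is "short" or "long".
# The first four senders mostly send short messages, the rest mostly long ones.
SENDERS = ["s1", "s2", "s3", "s4", "s5", "s6", "s7", "s8"]
LIKELIHOOD = {s: ({"short": 0.9, "long": 0.1} if s in SENDERS[:4]
                  else {"short": 0.2, "long": 0.8}) for s in SENDERS}

def analyse(observation, likelihood=LIKELIHOOD):
    """Prior entropy, posterior entropy and information gained for one observation."""
    prior = uniform_prior(SENDERS)
    post = posterior(prior, likelihood, observation)
    return {"prior_bits": entropy_bits(prior),
            "posterior_bits": entropy_bits(post),
            "gained_bits": information_gained(prior, post),
            "effective_set": effective_anonymity_set(post)}

if __name__ == "__main__":
    for obs in ("short", "long"):
        print(obs, analyse(obs))
```

With a uniform prior over eight senders the adversary starts at 3 bits of uncertainty; a noisy observation only shaves off a fraction of a bit, while a perfectly revealing one halves the anonymity set and yields exactly 1 bit.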
David Vanaman says
Almost any data can be quantified and qualified mathematically. The fact they made a privacy formula is not as surprising to me as that they made a formula that isn’t hotly debated. It does a good job of balancing the important factors, though I’m sure that other experts would say that there are different and better ways to get to the same place.
Abayomi Aiyedebinu says
The most interesting thing I learnt from this reading was how cyber criminals build on social engineering tactics to bait their victims. “Social engineering can be thought of as an establishment of trust between an attacker and a victim, where the attacker’s goal is to make the victim perform some action, he would not have wanted to perform had he understood the consequences. Attackers leverage preexisting trust between victims and the chosen false identities to spur dubious actions (illegally transferring money, remailing stolen goods, installing malware on computers, and recommending fraudulent services to friends).” A lot of organizations have fallen victim to these tactics leveraged by cyber criminals.
Christa Giordano says
I thought the chapter on identity theft was interesting. Having examples of all of the comparisons between the phishing attempts and spoof emails was helpful. It was also interesting to see how good some of the “fake” email messages were. Seeing examples of the login page, bad URLs, the Verisign secured logo, how attackers take advantage of stories in the news and/or capitalize on the fears of the public (strong narrative attack), and how messages can be customized to the individual, was very eye opening. We have heard about all of these before and been instructed on what to look for and identify, but I have never seen so many real-life examples listed in one space. Lastly, all of this information combined with the results of the study helped drive home the key points that were made.
Jill Brummer says
I agree and have the same thoughts on this topic. The facts were very interesting and stood out to me too regarding the fake emails.
David Vanaman says
Phishing is an incredibly effective way to gain access and data. Attackers have learned the value of this data, and the good ones are always a step ahead in the arms race to identify and protect against phishing (and spam) filters. Automated tools to spin up fake websites and login boxes have reduced the effort needed to create a decent fake.
Nicholas Foster says
In regards to the phishing attempts: MFA was created to help harden accounts so that, in the event an account’s password was compromised, an additional factor would be needed in order to successfully access the resource. As mentioned by Dave above, the landscape is ever evolving, and now threat actors are leveraging MFA fatigue attacks, where they just spam MFA notifications to the point of annoyance in hopes the person will just cave and accept the access to get it to stop. However, number challenge for MFA has been introduced to combat those attacks. The cat and mouse game is never ending.
Samuel Omotosho says
The interesting point I learnt this week is the difference between access and identity management. This is because the efficiency of access management is dependent on the data provided by identity management. Users do not know that a completely different management system is being used to establish their access because they are just asked to submit identity information.
References
Hovav, A., & Berger, R. (2009). Tutorial: identity management systems and secured access control. Communications of the Association for Information Systems, 25(1), 42.
Kenneth Saltisky says
Hi Samuel,
I agree that users may not be aware that there is a different process involved when granting/establishing access to resources after submitting identity information. It’s important to understand that there are different processes involved between identity and access management, as was discussed in question 2, as one lacking compared to the other results in an insecure infrastructure.
Maxwell ODonnell says
I found the chapters related to onion routing/TOR to be particularly interesting. I’m somewhat familiar with these technologies but enjoyed taking a deeper look at their origins and functionality. I didn’t know that it was invented by the Naval Research Laboratory; however, throughout my studies I am less and less surprised when the armed forces are responsible for some of the technologies we use every day. Given the nature of the armed forces, such a technology would be of great use.
David Vanaman says
I wouldn’t say that it is a big surprise that the military is heavily invested in confidentiality, integrity, and availability of data. The same pillars of cyber security are important to military communications and operations. Having data or messages corrupted, stolen, or blocked is not just a hassle or loss of profit like in business, it could literally be a case of life or death.
Matthew Stasiak says
Hey Max,
If I’m not mistaken, many of the technologies we have today were created by the government for confidential use and just branched out to the public. It really surprised me as well that the Navy invented this technology considering the purpose that many use it for now.
Jill Brummer says
An interesting point I learned from the readings this week was from Chapter 59 regarding the study of a valid email and a fake phishing email disguised as being from banks. It was interesting how the study included plain layouts versus fancy layouts and how close the means were to each other for the formats that were selected as the “legit” email. It is so important in today’s world to be aware of the characteristics of a phishing email and how closely the fake emails resemble legit emails.
Matthew Stasiak says
I found it very interesting that onion routing was developed by the Naval Research Laboratory and was used to provide anonymous connections that are super easy to set up and require very little performance.
Shepherd Shenjere says
What I learned this week and found interesting was phishing and social engineering tactics. Phishing remains one of the most common social engineering tactics used by the bad guys, and for some reason many end-users still fall victim to this tactic. It is very concerning because even after being given proper training and cyber awareness, end-users still get lured.
Christa Giordano says
I agree with you, Shepherd; phishing tactics are becoming more sophisticated every day and no matter how much training is involved, people will always fall victim to it. One thing that can help companies is to employ some level of progressive discipline. For example, in my organization, we receive training quarterly, and phishing tests are executed quarterly. One failure results in an email reminder and enhanced training, two failures result in a meeting with the information security managers for in-person training, and three failures result in a 1:1 meeting with the ISO. In addition, if you do not report the email as a phishing attempt and just choose to ignore it, you receive a reminder email to ensure you report all suspected emails to information security. Lastly, there is positive reinforcement in the shape of small rewards that are given for passing the “phishing attempts”. Since this structure has been introduced, the number of positive results has increased.
David Vanaman says
The most interesting thing I read about was the ex ante and ex post TETs. I consider myself an online privacy advocate and try to keep up to date on tools and information relating to online privacy, and I had never heard of P3P or PPL or the PRIME and A4Cloud projects.
Kenneth Saltisky says
The most interesting point I found was regarding Online Privacy, specifically the amount of security available for communications and preferences towards personal data. Users can increase their own security by utilizing anti-virus software, turning off tracking and specific services such as location, checking the security of a site, and more. Threat actors can take advantage of weak settings and security exploits through phishing or malware.
Christa Giordano says
Hi Kenneth,
I also thought the security available for personal data was interesting. With the threat landscape evolving every day, I was happy to learn about the available resources for personal protection. As we have learned, it is not a matter of if a cyber breach will occur, but when it will occur. These resources can help us prepare for that event so our data is well protected. We can fit or customize the level of coverage that works for us by assessing our risk tolerance and a cost-benefit analysis related to our personal data, and act accordingly.