Ethical Hacking

MIS 5211.001 ■ Fall 2019 ■ Wade Mackey

Daniel Bavaro

How to Maintain Data Privacy During Software Development

November 16, 2019 by Daniel Bavaro Leave a Comment

This article lists some security models that companies can draw on when building software for a particular market sector. It also stresses the importance of a multidisciplinary software development team: if everybody on the team thinks alike and has the same goals, blind spots go unchallenged and the software will ship with security holes. The article suggests staffing the team with people focused on data privacy, user design, quality assurance, software security and testing. Each of them can provide input that shapes the direction of the project.

https://www.business.com/articles/how-to-maintain-data-privacy-during-software-development/

Filed Under: Uncategorized

5 best practices for identity governance and administration

November 10, 2019 by Daniel Bavaro Leave a Comment

https://techbeacon.com/security/5-best-practices-identity-governance-administration-success

I thought this was a nice list of concepts to keep in mind when dealing with identity management and access control systems.

  • Make identity your foundation
  • Create a strategic plan
  • Build an agile system
  • Help stakeholders make decisions
    • Analytics are your friend
  • Don’t forget unstructured data
    • Collaboration is key

Filed Under: Week 11: Intro to Dark Web and Intro to Cloud

Post-Quantum Cryptography: 10 Things You Need to Know

November 6, 2019 by Daniel Bavaro Leave a Comment

I think it's always a good time to talk about quantum. Quantum computers are a looming threat to today's public-key cryptography: RSA, Diffie-Hellman and elliptic-curve schemes rest on problems that Shor's algorithm solves efficiently, while symmetric ciphers and hash functions are only weakened (Grover's algorithm roughly halves the effective key length) and can be kept safe with larger keys. I have confidence that as quantum becomes available to the "bad guys" trying to brute-force our systems, it will also be available to the "good guys", and we will have new tools for using the extra horsepower to protect our systems. This article is a nice compilation of what is going on with quantum currently and how it relates to cryptography.

https://www.thesslstore.com/blog/post-quantum-cryptography-10-things-you-need-to-know/

Filed Under: Week 10: SecuritySheperd

Android gets new security sandboxing features

October 29, 2019 by Daniel Bavaro Leave a Comment

https://www.itpro.co.uk/google-android/34657/android-gets-new-security-sandboxing-features

This article describes a new feature in Chrome for Android, site isolation, that aims to stop one website's content from reading data that belongs to another. Chrome puts each site in its own renderer process, so a malicious or compromised page cannot reach the memory holding another site's content even when both are loaded in the same tab (for example as a cross-site iframe); attacks such as Spectre-style side channels, which read across a process, are contained to the attacker's own site. So, malicious code from site A can't pull your session or credentials for site B out of the same process. It does not stop an ordinary cross-site scripting bug within a single site, which still runs inside that site's own process.

Filed Under: Week 09: Web Application Hacking

Baltimore Reportedly Had No Data Backup Process for Many Systems

October 19, 2019 by Daniel Bavaro Leave a Comment

https://www.darkreading.com/attacks-breaches/baltimore-reportedly-had-no-data-backup-process-for-many-systems/d/d-id/1335953

This was an interesting read about the recent ransomware attack on the Baltimore city government. The attack reportedly caused large losses of key data that existed only on users' local computers. There are several issues here, and the article walks through each of them. First, why were users storing critical data locally on their workstations at all? Such data belongs in a centralized, backed-up location. Second, this was clearly not a one-off: for a city government to lose that much data, it was not a few people ignoring policy but a systemic way of storing and working with data. Is the IT department to blame for not deploying a workstation backup solution to cover that systemic gap? Data stored centrally was recovered after the attack; the workstation data was not.

Filed Under: Uncategorized

Y2K Offers a Template To Squash the Cyber Bug

October 13, 2019 by Daniel Bavaro Leave a Comment

https://www.afcea.org/content/?q=node/17477/

I found this article interesting because it gives some insight into how we, as a society, can deal with the modern cyber climate and ransomware by learning from the last major hurdle to hit the IT space: Y2K. Looking back, many say Y2K was an over-hyped "non-event". The reality is that it was a non-event because of the massive effort organizations put in to fix the problem before it happened.

“Several themes common with Y2K play out today. CIOs and CISOs need to know what applications and devices they actually have—it is time for asset discovery and documentation. It is also time to move away from an “if it isn’t broken, don’t fix it” mentality that keeps outdated equipment and software, increasing cyber risk. While Y2K was the single biggest driver for adopting packaged, off-the-shelf software, today cyber concerns are moving data to the cloud. And as with Y2K, cybersecurity has stirred up fears, becoming a board room discussion. Among C-suite executives, it has generated a lot of review and exercise of business contingency plans.

In some ways, it seems as if we are back at the same starting point as with Y2K: having to convince the powers that be that we have a continuing and growing problem amid actions that are not congruent with a holistic national or global framework to achieve the required objective. The cyber bug appears to be larger than life because we neither approach it in a synergistic way, nor are U.S. and international laws in place to address underlying causes. Lawmakers cannot even agree on common security standards for the IoT.”

Filed Under: Week 08: Malware

Banks confront the insecurity of physical security

September 29, 2019 by Daniel Bavaro 1 Comment

This article describes vulnerabilities that arise when IoT security devices are not managed properly. For example, the "Devil's Ivy" vulnerability allowed an attacker to remotely access the video feed from affected IP cameras, or to block other users' access to it. The article focuses mostly on the physical security systems that banks deploy, but the main point is general: devices that are supposed to support physical security can also be an entry point into the organization. They need to be inventoried, patched, hardened and replaced on a defined cycle.

https://www.securityinfowatch.com/video-surveillance/article/21107167/banks-confront-the-insecurity-of-physical-security

Filed Under: Week 05: Metasploit

DevSecOps: Recreating Cybersecurity Culture

September 21, 2019 by Daniel Bavaro 2 Comments

I had never heard the term DevSecOps, so this article seemed interesting to me. It is a fairly new initiative that brings security personnel into the DevOps software development process much earlier than they normally would be, so that security requirements are respected throughout the software development life cycle. In some software development circles, security is an afterthought. This approach will hopefully prove to be the best overall solution.

https://www.darkreading.com/risk/devsecops-recreating-cybersecurity-culture–/a/d-id/1335783

Filed Under: Uncategorized

Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware

September 15, 2019 by Daniel Bavaro Leave a Comment

https://thehackernews.com/2019/04/xiaomi-antivirus-app.html

I have always been a fan of Android over iOS, but I found this headline too awesome to pass up. Certain Xiaomi phones come pre-loaded with an antivirus app called Guard Provider. Its main feature is letting you choose an antivirus engine from a list of three: Avast, AVL or Tencent. I suppose they did this so they didn't have to develop an antivirus app themselves but also didn't want to deny customers some flexibility in which AV engine they use. Not sure why they would do this, since Android lets you add and remove apps as you please, for the most part. The problem with Guard Provider was that it downloaded AV signature updates over an insecure, plaintext HTTP connection, and it also let the three AV SDKs coexist and talk to each other inside the same app. That combination allowed an attacker on the network path to perform a man-in-the-middle attack on the HTTP connection and slip malware into the download. The researchers also found a way to exploit that connection so they could access the user's pictures, videos and other data. The software has since been patched.
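The core defect above is an update channel that trusts the transport alone: a plaintext HTTP download lets anyone on the path substitute the payload. The Go program below is an added example, not code from the article, from Xiaomi or from the researchers, and it does not reproduce their exploit chain. It contrasts a client that installs whatever bytes came back with one that refuses non-HTTPS URLs and, independently of transport, verifies an Ed25519 signature made with a vendor key pinned in the app, so a payload swapped in transit is rejected. The update URL, the key pair, the payload bytes and the mitmSwap attacker are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// SignedUpdate is what the update server hands out: the raw blob plus a
// detached signature made with the vendor's private key.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
}

// signUpdate runs on the vendor's build server, never on the phone. Only the
// public key ships inside the app.
func signUpdate(priv ed25519.PrivateKey, payload []byte) SignedUpdate {
	return SignedUpdate{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

var (
	ErrInsecureTransport = errors.New("refusing to fetch updates over plaintext http")
	ErrBadSignature      = errors.New("update signature does not verify against the vendor key")
)

// insecureInstall is the pattern described in the post: whatever bytes came
// back from the update URL are installed as-is, with no authenticity check.
func insecureInstall(_ string, fetched SignedUpdate) ([]byte, error) {
	return fetched.Payload, nil
}

// secureInstall refuses plaintext transport and then requires a valid
// signature from the pinned vendor key. An on-path attacker can swap the
// bytes but cannot forge a signature for them.
func secureInstall(vendorPub ed25519.PublicKey, updateURL string, fetched SignedUpdate) ([]byte, error) {
	u, err := url.Parse(updateURL)
	if err != nil || u.Scheme != "https" {
		return nil, ErrInsecureTransport
	}
	if !ed25519.Verify(vendorPub, fetched.Payload, fetched.Signature) {
		return nil, ErrBadSignature
	}
	return fetched.Payload, nil
}

// mitmSwap models an attacker on the path replacing the update body in transit.
// The original signature is kept because the attacker cannot produce a new one.
func mitmSwap(genuine SignedUpdate, malicious []byte) SignedUpdate {
	return SignedUpdate{Payload: malicious, Signature: genuine.Signature}
}

// DemoResult records what each client did with a genuine and a tampered update.
type DemoResult struct {
	InsecureAcceptedTampered bool
	SecureErrOnHTTP          error
	SecureErrOnTampered      error
	SecureAcceptedGenuine    bool
}

// runDemo wires the pieces together with constructed sample data (hypothetical
// host, not real signature files) and returns the outcomes for inspection.
func runDemo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	genuine := signUpdate(priv, []byte("AV-SIGNATURES-2019.04 (constructed sample)"))
	tampered := mitmSwap(genuine, []byte("trojanised update (constructed sample)"))

	var r DemoResult
	got, _ := insecureInstall("http://updates.example/av.db", tampered)
	r.InsecureAcceptedTampered = string(got) == string(tampered.Payload)

	_, r.SecureErrOnHTTP = secureInstall(pub, "http://updates.example/av.db", genuine)
	_, r.SecureErrOnTampered = secureInstall(pub, "https://updates.example/av.db", tampered)
	accepted, err := secureInstall(pub, "https://updates.example/av.db", genuine)
	r.SecureAcceptedGenuine = err == nil && string(accepted) == string(genuine.Payload)
	return r, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("insecure client installed the MITM payload: %v\n", r.InsecureAcceptedTampered)
	fmt.Printf("secure client over http: %v\n", r.SecureErrOnHTTP)
	fmt.Printf("secure client, tampered payload: %v\n", r.SecureErrOnTampered)
	fmt.Printf("secure client, genuine payload accepted: %v\n", r.SecureAcceptedGenuine)
}
```

Transport security and payload authenticity are separate controls. Moving the download to HTTPS closes the on-path attack the post describes, but the pinned-key signature check also holds when the vendor's CDN or a mirror serving the file is compromised, which HTTPS alone does not cover.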

Filed Under: Uncategorized

Cybersecurity Regulations: 10 Ways To Encourage Employee Compliance

September 7, 2019 by Daniel Bavaro 3 Comments

https://www.forbes.com/sites/forbestechcouncil/2019/09/05/cybersecurity-regulations-10-ways-to-encourage-employee-compliance/#81189acead3d

I found this to be interesting because one of the major hurdles organizations face is that employees pose a large risk to information security. If staff are not trained well, they can be the gateway to either initiating a threat or being duped into letting an attacker inside. The struggle is often not about coming up with good policies but about getting employees to adopt them. This article introduces some nice ideas for how to fix that.

Filed Under: Uncategorized
