Updates from April, 2020 Toggle Comment Threads | Keyboard Shortcuts

  • Justin Pineda 8:51 pm on April 29, 2020 Permalink | Reply
    Tags: business continuity, covid-19, cybersecurity, , malware, pinedacybersecurity, remote work, security awareness, , wfh, work from home   

    Securing the Organization’s IT Assets Amidst COVID-19 

    man having a video call on his phone

    Photo by Edward Jenner on Pexels.com

    How should organizations conduct operations during a pandemic? How should organizations secure their IT assets during a pandemic? For big multinational companies, they have their respective Business Continuity Plans (BCP) that assist them in times like lockdowns, quarantines, or any disruptions to normal business activities. However, a lot of companies were caught off-guard and they were not able to smoothly transition to the “quarantine mode.”

    How organizations are affected by COVID-19

    According to an April 2020 report from Accenture about the effects of COVID-19 to organizations, there are significant impacts on system resilience and business continuity from the perspective of technology.  On a survey that they conducted in 2019 on system resilience, only 10% of the 8,300 respondents answered that their technology is resilient.  They summarized the effects on IT based on the following: business continuity risks, a surge in transaction volumes, workforce productivity challenges, and security risks.
    Common cybersecurity issues faced

    Phishing, scams, malware, access to malicious/bogus sites unknowingly are the common cybersecurity issues that organizations faced during the pandemic. Attacks on NASA have been reported consistently since the spread of COVID-19. Local banks like BPI, have issued a memo warning customers of phishing attacks that spoof BPI online platforms.  Google reported that there were 18 million malware detected in a week that are related to COVID-19. Trend Micro also reported a surge in COVID-19 themed attacks ranging from spam, malware, and malicious domains. Worse, unscrupulous individuals host COVID-19 case trackers and fill it with malware so visitors will be infected as they visit.

    The following are the major cybersecurity issues organizations face:

    • Increased number of phishing and malware attacks that use COVID-19 as bait or theme.
    • There is an increase in cybersecurity risks because employees are in their homes which IT has a hard time managing. On the other end, support on the company networks will also be lessened because of reduced IT staffing.
    • Remote work/Work from home security issues.

    Cybersecurity defense against attacks

    SANS has created the SANS Security Awareness Deployment Guide that is very useful for organizations and employees during this time of reduced IT staff and work from home for a lot of employees. It contains all the materials that organizations will need such as templates, fact sheets, posters, and messaging for employees. It even has short learning videos that are very informative covering wide topics on social engineering, securing your home, and working remotely.

    It is alarming to note as well that a lot of big multinational companies mentioned in the introduction whose technology and security maturity are both at the top of the line still suffer a lot of cybersecurity attacks such as phishing and malware. They have the best industry-grade anti-malware with a lot of advanced features, encryption in the hard drive level, and other security tools. But as we say in security, the technology is just as strong as the weakest link, which is the people. We have to emphasize the need for a consistent and periodic Security Awareness for employees especially now that the IT/Security team has a limited view of the organization’s assets.

    It is also important that the IT/Security team should be accessible not only for support but for security incidents. Attacks can be well-planned and it can target certain people in the organization. Reporting the information about security incidents will help IT/Security team to respond promptly and make important communication to the stakeholders to prevent others from being victimized.

    There also has to be clear guidelines/policies for employees. Remote work is a different and new environment that may need further and detailed guidance. For example, should users be allowed to connect to public Wi-Fi? Or are they only allowed to access their home network? If they are only allowed to use their home network, what necessary configurations should be done? A clear policy/guideline will be very helpful.

    Management support is also of utmost importance. Quick and immediate approval of policies/guidelines is necessary for this volatile time. Budget is also a key element especially when you need to procure additional security software licenses. Management can provide both approval and budget.

    The following are some of the security issues that need to be discussed with employees to take note of:

    Social Engineering – Phishing, spear phishing, vishing, CEO fraud, and USB drop are some of the non-technical attacks that can target your organization. Employees must be trained on how to spot these attacks and report them immediately to the IT/Security team. Usual ways to spot these attacks include a strong sense of urgency, pressuring you to violate a policy, generic e-mail, brief message, and use of personal e-mail.

    Passwords – Since the use of passwords is the most common type of authentication, certain best practices have to be observed so that attackers will have a hard time to access your account. The use of passphrases,  unique passwords for different accounts, password managers (see LastPass and KeePass), and the use of multi-factor authentication (MFA) (see Google Auth and LastPass Authenticator) are the best practices to build a layered-defense for your passwords.

    Updated Systems – From your router to your laptops, mobile devices all the way to the applications, you need to ensure that they are always up-to-date. A lot of successful attacks leverage the exploitation of vulnerable systems, those that are not updated.  You need to enable Automatic Updating.

    Backups – Another important practice is to back up your files routinely. The usual expectation of the IT/Security team is that worst-case scenarios will happen such as your workstation will be infected by ransomware or that the device will be lost. Aside from wanting to wipe out the contents of the device, you want to retrieve the information in it. That’s where backups play a vital role.

    VPN – In some organizations, confidential company data must remain in the trusted network (company network). But since a lot of employees are working from home, a secured way of getting access to company data stored internally is through a Virtual Private Network (VPN).

    Device Misuse – Another important practice is to maintain the use of company-issued devices for work use only. A lot of malware nowadays comes from social networking platforms through third-party ads, hoax, etc.  It is important to remove that risk by not using it for personal use. At the same time, company resources should not be accessed on a personal device. It may be accidentally shared or retained unknowingly.  Lastly, children/relatives/guests should not be allowed to use company-issued devices.

    The new normal in the time of pandemic forces business to take drastic and rapid changes in its day-to-day operations. While initially, the move of a lot of organizations is to relax security so that business continuity will not be hindered, it is important that security mechanisms must be restored, reconfigured, and recalibrated so that it will fit the current setup of the organization.

    Here is the slide deck on Securing the Organization’s Assets Amidst COVID-19 v1.0. Feel free to use it to help inform more people on how to secure their respective organizations.

     

     

     

  • Justin Pineda 3:41 pm on April 5, 2020 Permalink | Reply
    Tags: , security mechanisms, security services   

    Lesson 10: What are Security Services and Mechanisms? 

     

    silhouette-photo-of-person-holding-door-knob-792032

    Photo Credit: George Becker from https://www.pexels.com/

    In the usual scenario, companies are more reactive than proactive with regard to security. Due to the perception that IT, which includes cybersecurity, is a cost center, procuring technologies may not be appealing to management unless a security incident occurs.  In Lesson 6, we discussed the value of the CISO to help align the company’s strategy and the necessary controls in place to ensure protection.

    Coming from a technical security background, you would like to have the best tools and software available. But remember, the management sees it as a cost without seeing the return on investment since it’s for internal use.  The inconvenient truth list below will make the technical security personnel understand why sometimes (or maybe most of the time), the tools that we want are not approved.

    The Cybersecurity Inconvenient Truths

    • You cannot protect everything from everyone.

    If we will list down all potential threats that an organization can face, it will be a very long one. DDoS, Malware, incompetence resulting in loss of data, ransomware, corporate spies, etc. Since the list of threats is very long, it means that there’s a lot of security controls that we have to put in place. Unfortunately, we don’t have everything to prevent or mitigate all these threats.

    • There are not enough resources and money in the world to totally mitigate all risks.

    Corollary to the discussion regarding the management’s perception of IT/Cybersecurity, the budget for the team is limited. So if resources are limited, we can only do what we can within the budget. And that leads to the next inconvenient truth.

    • Focus on protecting the most important information first, that which must be protected, and that with the highest risk.

    Since we cannot protect everything and we have limited budget, the goal is to prioritize which threats have the highest risk with high severity. In that way, you are able to cover the majority of the security incidents in the organization.

    This activity of prioritizing the controls based on the risk-rating is called Risk Assessment. We will have another discussion about it in another lesson.

    Security Services and Security Mechanisms

    To properly align the organization’s strategy and the cybersecurity team’s goals, we have to define the security services and mechanisms. Security services reflect on how the organization’s objectives are manifested. Security mechanisms, on the other hand, are the specific solutions that we can implement in the organization.

    See example below:

    We conduct risk assessment first before we can come up with the Security Services and Mechanisms.

    • Goal: The organization wants to focus on physical security
    • Security Services: (1)Personnel security; (2) Access control
    • Security Mechanisms: (1) Security clearance, training, rules of behavior; (2) Biometrics, proximity card, mantraps;

    What industry do you think will have this type of security goal?

    It can probably be a bank or law enforcement (government) office.

    It is important to determine the organization’s security services and mechanisms so that the cybersecurity team will also have a level of expectation on the types of controls and tasks that they will be doing.

    So the next time you think about a cybersecurity project, you have to revisit again the defined security services and mechanisms of the team and see if they are aligned with each other. Otherwise, you will have to let it go so you won’t waste your time and effort.

     

     

     

     

  • Justin Pineda 1:28 pm on April 4, 2020 Permalink | Reply  

    Lesson 9: How a Court Decision Changed Privacy Laws in the World 

    Privacy as a concept is considered as a subjective phenomenon because of different factors such as culture and beliefs. For example, the Japanese can see each other naked in an onsen which is considered normal to them culturally. However, it is taboo to do the same in the Philippines. It can be considered a breach of the person’s privacy to see other people naked.

    On the other hand, part of Filipino culture is hospitality, which to some extent involves caring and oversharing. Some Filipinos tend to ask too personal questions even if they have just met the person. For the Japanese, this may be breaching their personal privacy.

    The universally acceptable definition of privacy can be, “Any information that an individual wants to protect from becoming public knowledge.” Do you agree?

    There are different philosophical viewpoints of privacy described in Muzamil Riffat’s paper entitled, “Legal Aspects of Privacy and Security: A Case-Study of Apple versus FBI Arguments.” For this article, however, we will only be focusing on one viewpoint, which is the Privacy Right in the United States. 

    Fourth Amendment in the US Constitution

    The Fourth Amendment primarily focuses on the protection of the people against illegal searches and seizures by the government. The Fourth Amendment states: “The right of the people to be secure in their persons, houses, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”.

    The amendment is intended for government search and seizures only.  The important questions about the provision are: 1) What constitutes an unreasonable action? (Protected from “unreasonable” searches);  and 2) What is probable cause? (Warrant could only be granted if there is a “probable cause.”)

    Katz vs. United States (1967)

    One of the landmark cases that helped define the scope of the Fourth Amendment in Katz vs. United States in 1967. To summarize the case, the FBI eavesdropped Charles Katz’s phone conversation in a telephone booth upon suspicion that he was giving gambling information to clients in other states.

    The question was whether Katz was protected by the Fourth Amendment against the FBI to eavesdrop the conversation in a public phone booth without a search warrant.

    The Supreme Court voted 7-1 in favor of Katz. According to Justice Potter Stewart, “The Fourth Amendment protects people, not places.” The court ruling extended the Fourth Amendment protection beyond homes and properties.

    Justice John Marshall Harlan II on a concurring opinion, interpreted the law by passing a two-part test: 1) That a person has exhibited an actual expectation of privacy; and 2) That the expectation is one that society is prepared to recognize as “reasonable.”

    The “Katz Test” has been used in thousands of cases related to privacy especially related to communication, media, and the use of advanced devices.

    Although it was a triumph for Charles Katz, it also opened so many opportunities for criminals to do malicious activities and get protected by the Fourth Amendment later on.

    architecture-booth-buildings-bus-374815

    Photo Credit: Stock Photo from Pexels.com

    Further Reading:

    1. Legal Aspects of Privacy and Security: A Case-Study of Apple versus FBI Arguments, Muzamil Riffat, SANS
    2. Katz v. United States, 389 U.S. 347 (1967), Justia US Supreme Court
    3. Katz v. United States, Oyez
    4. Katz v. United States, Legal Information Institute, Cornell Law School
    5. Katz v. United States, Wikipedia

     

     

  • Justin Pineda 3:33 pm on April 3, 2020 Permalink | Reply  

    Lesson 8: What are the challenges in responding to cybercrimes? 

    woman-sitting-on-chair-2157191

    Photo by Martin Lopez from Pexels

    Cybercrimes are criminal activities punishable by law that are done using a computer or the Internet. It could range from identify theft, vandalism/ defacement of websites, scams or even large-scale Distributed Denial of Service (DDoS).

    Sample real-life cybercrimes are listed in the further reading below.

    Types of Cybercrimes

    Primarily, both as an investigator and responder, you need to be able to determine the type of cybercrime committed. It is important for you to be able to determine the correct response (technical and legal) in the incident.

    1. Computer-assisted crime (source) – Computer is the enabler in the commission of the crime. (Ex. Stealing of credit card information through sniffing or phishing)
    2. Computer-targeted crime (destination) – Computer is the primary target of the crime. (Ex. Denial of Service attacks)
    3. Computer-incidental crime (indirect) – The involvement of the computer is secondary but important to the commission of the crime. (Ex. CHILD pornography is stored on a computer. Emphasis on CHILD since pornography in many places is legal but CHILD pornography is NOT)

    Issues on Investigating and Resolving Cybercrimes

    For developing countries like the Philippines, the cybersecurity infrastructure of the government in combatting cybercrimes is far from maturity.  But even the developed and well-funded cybersecurity programs of other advanced countries still face issues on investigating cybercrimes. The list below are the significant ones:

    • Difficult to equate physical and logical assets.

    The common misconception is that people don’t equate physical money to virtual money simply because the latter is not tangible. The P1 million in a bag is perceived as really one million. But transferring P1 million online is perceived as just sending bits and bytes using a web application. Due to this perception, cybercrimes are not treated as serious as physical crimes.

    • Cyber-law environment has not been fully defined by courts.

    For developing countries like the Philippines, cyber-law is not yet fully defined by courts because the basic principles of proving innocence or guilt are different in the cyber world. For instance, the common way of proving innocence is to show proof that you have evidence and witnesses that will show that you are not in the crime scene when the crime happened. However, you can be in the Philippines when you launched an attack in China. It will be hard for lawyers and courts to interrogate further without the proper knowledge in IT.

    • Cybercrime spreads global.

    Why do you think that even though there is a law that prohibits Torrent sites (P2P) that share pirated films and software, there are still a lot of Torrent sites online? A lot of countries may have laws against piracy, but there are still a lot of countries that don’t. Due to jurisdiction issues, our government cannot control everything on the Internet especially those that are not hosted in our own country.

    • Cyber laws are highly technical

    To explain Denial-of-Service (DoS) attacks, you need to be able to explain the purpose of port numbers, OSI Model, TCP and UDP to name a few.  The technical aspect of cybercrime adds more challenges in making the courts understand how the incident happened. It is not only the technical knowledge that is crucial but also how you are able to explain it in layman’s term, which is the usual problem in the IT industry. (techy but having a hard time explaining it to normal people)

    These are some of the issues when investigating cybercrimes. The bottom line is that cybersecurity professionals need to be involved in the legal aspects of creating and implementing cybercrime laws. Lawyers may be good at putting into words how crimes work but they need expert inputs to ensure that all aspects are covered. On another angle, the need for cybersecurity professionals’ involvement shows the demand for the profession in the industry.

    Further reading:

    1. Cybercrimes up by 80% in 2018 (Philippine Star, March 2019)
    2. Online child abuse top cybercrime in Philippines (Philippine Start, April 2019)
    3. That Insane, $81M Bangladesh Bank Heist? Here’s What We Know (Wired, May 2016)
    4. Equifax Data Breach Settlement (Federal Trade Commission, January 2020)

     

     

     

     

  • Justin Pineda 1:58 pm on April 2, 2020 Permalink | Reply  

    Lesson 7: Why HR Policies complement Information Security 

    The perception of most employees to both the HR and Cybersecurity Department is that they exist so they can look for a mistake and punish you. Some say that HR is the principal’s office, while the Cybersecurity team is the surveillance arm.  Although most of the time during investigations, the cybersecurity team becomes the expert witness to help either acquit or punish the employee. (This will be discussed in another lesson.)

    There is truth in perception and claim. To add to that, a lot of the policies in organizational security (discussed in Lesson 6)have overlapped with HR. This means, either the policy was created by HR or both HR and Cybersecurity teams. For example, the Acceptable Use Policy (AUP) outlines the expected behavior of an employee in the organization. A part of the AUP is the Internet Usage Policy (IUP) and other policies related to the acceptable use of the company issued assets such as laptops, mobile phones to name a few. These policies are created and monitored by the cybersecurity team.  The AUP is usually signed by the employee together with his/her job offer/contract prior to onboarding.

    Without HR explicitly contributing to information security, they have made an administrative-deterrent control. (Administrative because it’s a policy; deterrent because it discourages people to violate the rules)

    Other HR policies that help information security are background checks (administrative-preventive control) because they check whether you are good not only in your CV and mandatory vacations (administrative-detective) to check and audit whether you are doing something not on your job description without you being present in the office.

    During operations, HR might have their independent and confidential tasks. But their roles are significant in providing a sound and mature information security environment in the organization.

    hr

    Photo Credit: “21 Times Michael Scott’s Hatred For Toby Flenderson Was Out Of Control” https://www.buzzfeed.com/chelseabrown/jerkyjerkface

     

  • Justin Pineda 2:39 pm on April 1, 2020 Permalink | Reply  

    Lesson 6: Organizational Security 

    Coming from a technical team, organizational security might be seen as a domain that only focuses on paper-based policies (sometimes, just copy-paste templated policies), budgets and risk assessment results. There’s also a gap between highly technical security members who have been doing hands-on security and those management guys who may have their MBAs but whose background is not even in IT. However, it is important to emphasize that technical security needs organizational security to exist and vice versa.

    In big organizations, a separate C-level position is appointed for cybersecurity. The Chief Information Security Officer (CISO) is responsible for the over-all cybersecurity operations in the organization. He/she usually reports to the Chief Information Officer (CIO) or Chief Technology Officer (CTO).

    What does it mean to have a CISO? 

    The CISO will have a seat and say on the management level – may it be ManCom (Management Committee) or ExeCom (Executive Committee). He/She will be able to provide insights and expert opinions regarding the organization’s cybersecurity posture vis-à-vis the organization’s business strategy. It is very important to have a person who can voice out and be heard about what the technical members think is the best security for the organization. Without a CISO, it may be difficult for management to understand expensive spending on cybersecurity tools. You might be defending a multi-million peso Unified Threat Management (UTM) firewall and the management will only see it as an additional cost. Since management does not understand the value of the UTM firewall, they decided instead to provide a budget for a home firewall. It’s also a firewall, but way cheaper!

    Also, the CISO is ultimately accountable if any security incident happens in the organization.

    The Governance Team

    Aside from the  Technical Team, the Governance Team reports to the CISO too but they focus on organizational security. They primarily draft policies that the organization must follow. Some of these policies include but not limited to:

    • Password Policy
    • Time of Day Restrictions
    • Classification of Information
    • Acceptation Use Policy (AUP)
    • Internet Use Policy (IUP)
    • E-mail Usage Policy (EUP)
    • Disposal and Destruction
    • Privacy Policy

    They also align with the Technical Team on how they can properly articulate the security requirements in the policy. On the other end, they are also responsible for making sure that these policies are understood by the stakeholders very well.

    For more details about policies and policy templates, I highly recommend you visit SANS.org. They have a ton of templates and guides on how to create, modify and implement security policies. Here is the link: https://www.sans.org/security-resources/policies/

    CISO CMU

    Photo Credit: Structuring the Chief Information Security Officer Organization by Allen, J. et al, Software Engineering Institute (SEI), Carnegie Mellon University

    Further Reading:

    Structuring the Chief Information Security Officer Organization by Allen, J. et al (2015) Retrieved from:
    https://resources.sei.cmu.edu/asset_files/TechnicalNote/2015_004_001_446198.pdf

     

  • Justin Pineda 5:41 pm on February 20, 2016 Permalink | Reply  

    Machine Project in Infosec 

    Objectives

    ■To be able to configure, implement an open-source security tool.

    ■To simulate a real-world attack scenario where the security tool can be used.

    ■To show how to configure necessary functionalities of the security tool.

    Tasks

    ■Each group will be assigned a specific security tool. Each group will research about the topic and download an open-source version of the tool.

    ■The group can use a recommended tool or look for a preferred application as long as it is open source.

    ■The group will configure and deploy a working prototype and simulate the functionalities of the tool with the prescribed test/s in a lab environment.

    ■The group will demonstrate the output in the 12th week of the term.

    Tools

    ■Network Firewall (PFSense)

    ■NIDS- Network Intrusion Detection System (Snort)

    ■HIDS- Host Intrusion Detection System (OSSEC)

    ■WAF- Web Application Firewall (Iron Bee)

    ■Honeypot (Honeyd)

    ■DLP- Data Loss Prevention (OpenDLP)

    ■Anti Spam (SpamAssassin)

    Tests

    Tool Test
    Firewall Allow/Block Website based on IP/hostname

    Allow/Block Website based on Category
    NIDS Detect a port scan

    Detect a backdoor connection
    HIDS Detect a keylogger

    Detect a port scan
    WAF Prevent a SQLi attack.

    Prevent a port scan.
    Honeypot Log port scan to server.

    Log remote access to server.
    DLP Prevent sending of email based on message

    Prevent sending of email based on file type
    Anti-Spam Detect SPAM based on message

    Detect SPAM based on quantity

    Milestones

    ■Week 3 – Finalization of security tool

    ■Week 6 – Security tool configured

    ■Week 7- 10 – Testing

    ■Week 12/13 – Project Demo + Documentation Submission

    Deliverables & Grading

    ■Working prototype 40%

    ■Tests completed 40%

    ■Documentation 20%

    Paper Format

    ■Abstract – Summary of your project

    ■Introduction – Discuss what the tool is all about

    ■Results and Discussion – Discuss the tests done (include screen shots)

    ■Conclusion – Lessons learned

    Sample Projects:

    Video Links

    IDS- SnortV1, SnortV2, SnortV3

    Honeypot – Honeybot, KFSensor

    Firewall – PFSense

    Documentation

    NIDS (Snort, Snorby and Barnyard Installation & Configuration) – comsecinstallation

    HIDS (OSSEC Installation, Configuration & Testing) – USER MANUAL OF OSSEC

    SPAM Filter (MailWasher) – INFOSEC_MachineProject_MailWasher

    Honeypot (Honeybot) – INFOSEC_MachineProject_Honeypot

     

  • Justin Pineda 4:21 pm on February 20, 2016 Permalink | Reply  

    Research Paper on Emerging Technologies 

    Introduction

    A Case Study will be held as an academic symposium during the midterms week to discuss various emerging technologies in the field of information security. Each group will be tasked to research on a specified topic, explore and answer key issues about the subject.

    As its culminating activity, an academic paper with a required format will be submitted and a 15-minute presentation will be presentation will be presented with the classmates and special faculty and industry guests. Question and answer will be followed after the presentation.

    Topics

    1. Security in Social Networking Sites
      1. Cite current issues pertaining to crimes/violations in social networking sites. Describe the usual scenarios.
      2. Show some statistics on social networking related crimes.
      3. What are the actions taken by social networking organizations and government agencies?
      4. How do you see the future of social networking sites? Future attacks and remedy?
    2. Mobile Malware
      1. Can mobile devices get infected by malware?
      2. State news about devices getting infected. What happens to these devices?
      3. Show statistics on mobile malware.
      4. Is there an initiative from AV companies and government about it?
      5. How do you prevent mobile devices from getting infected?
    3. Business Continuity Planning (BCP) for Disaster Prone Areas
      1. Cite news of business disruption due to a disaster and its effects on the business.
      2. Show statistics of business losses due to either natural or man-made disasters.
      3. Are there initiatives/laws that require businesses for BCP?
      4. Discuss usual business continuity planning and disaster management and recovery plans.
      5. Discuss any standard/template regarding BCP.
    4. Internet Surveillance
      1. Is Internet surveillance possible?
      2. What are ways to conduct Internet surveillance?
      3. What are limitations of current security capabilities?
      4. What are solutions for existing Internet surveillance?
    5. Cybercrime Laws and Issues (choose scope)
      1. Discuss current cybercrime laws. (if there are any)
      2. Discuss issues that warrant cybercrime laws. Prove that there is a need for these laws.
      3. Discuss limitations and or threats of these cybercrime laws.
      4. Discuss if there is a need for more laws.
    6. Security in Automated Controlled Vehicles
      1. What are automated controlled vehicles?
      2. Why is there a need for automated controlled vehicles?
      3. Research companies that are utilizing these types of vehicles.
      4. Research for news that show threats on automated controlled vehicles.
      5. Discuss solutions for automated controlled vehicles.
    7. Drones
      1. History on the implementation of drones.
      2. News and development on drones.
      3. What are positive and negative issues (factual) on drones?
      4. Do drones bypass due process?
      5. Do drones violate privacy and freedom?

    Grading

    The Case Study is 10% of your final grade.

    Group Grade is 70% (to be given by the professor)

    Individual Grade is 30% (to be given by the group leader; leader gets 100% in the individual grade)

    Criteria

    Content (Paper) – 50%

    Is the paper complete and comprehensive?

    Mastery – 30%

    Is the group knowledgeable on the topic?

    Did the group have the ability to analyze related real-world problems?

    Did the group answer the related questions?

    Delivery – 10%

    Did the group communicate the message properly?

    Presentation – 10%

    Did the presentation contain creative and comprehensible visuals?

    Required Sections in the Paper

    Section Description

     
    Abstract Your abstract is a maximum of 200-word summary of your case study. It describes briefly about your topic and what you intend to research further. You are establishing the boundaries of your study in the abstract.

     
    Introduction The introduction is a maximum of 300-word overview of the topic. This means you need to discuss the current technology of your topic. Discuss the features, benefits and limitations of the current technology.

     
    Problem Statement Based on your introduction, you have to establish your problem statement. What are the problems or issues that the current technology is facing? You have to state that piece by piece and justify why it has to be resolved.

     
    Results and Discussion Research and establish the solutions for the problems found in the problem statement. Explain processes and procedures of the solutions that you recommend and how it can be done.

     
    Conclusion and Recommendation Provide a conclusion of the case study that you have conducted. Based on your study, will your solutions be helpful in resolving the issues in the problem statement? Give recommendations that can be further investigated and researched in the future to strengthen your study. Make sure the recommendation is out of the scope of your study.

     
    References List all the references for your case study. You need to follow the IEEE reference format. For your guidance, you need to have at least:

    Five (5) technical references related to the topic (journal, scientific publication, conference proceeding)

    Five (5) news article reference related to the topic (newspaper, magazine)

    Three (3) books related to the topic.

    Note: Never plagiarize. It’s equivalent to cheating.

     

    Format of paperMSW_A4_format

    For the presentation:
    1. Create a presentation of your paper. It should be a summary of all sections: Abstract, Introduction, Problem Statement, Discussion, Conclusion.
    2. Follow the 6×6 rule. Each slide should have a maximum of 6 bullet points with maximum of 6 words per bullet point.
    3. Use interesting font/colors. Use images that will help explain your paper.
    4. Everybody should have a part in the presentation.
    5. You have 15 minutes to present your paper followed by Q&A.
    6. Wear business attire for the presentation.

    Deliverable:
    1. Send a PDF copy of your final paper and PPT presentation to justinp@apc.edu.ph & pineda.justin@rocketmail.com with Subject- Case Study Final Deliverable – (Case topic) by Group (Group Name)
    2. Print a hard copy of the paper.
    3. Submit (1) & (2) requirements before the class.

    Sample papers:

    On Social Networking: Online Peers Can Mean Offline PerilsOnline Peers Can Mean Offline Perils-Presentation

    On Mobile Malware: Prevalence of Malware in Mobiles (1)Prevalence of Malware in Mobiles

    On Internet Surveillance: Internet Surveilance by Team ZAFT_presentInternet Surveilance by Team ZAFT draft 4

    On Social Networking: Using Facebook in TOR, INFOSEC PDF

    On Internet Surveillance: Internet Surveillance

    On Drones: Drones Case Study (1), Drones

    On Cybercrime Law: Revised-Cybercrime

    On Mobile Malware: Mobile-Malware-A-Case-Study-in-Information-Security-1

     

     

  • Justin Pineda 11:48 am on February 5, 2015 Permalink | Reply
    Tags:   

    Lesson 5: Social Engineering 

    When I studied and took EC-Council’s Certified Ethical Hacker (CEH) in 2013, I learned a very important lesson: even if you follow the hacking methodologies, it only has a 10% success rate. This lesson has, on the other hand, 90% success rate. In gist: Why would you spend a lot of time to brute force a password when you can just ask for it? That’s social engineering.

    Social Engineering is an attempt to gain information from a victim or target through manipulation and deceit. The attacker attempts to gain the victim’s trust then exploits the emotions of the latter.

    Note: There is a reading I wrote in 2011 that is relevant with this lesson. Copies will be/are given during class.

    Why is Social Engineering very successful?

    In the past lessons, we studied about Defense in Depth. This means that in every layer of security, there should be protection. Now in Network Security for instance, you may deploy and implement a firewall. The firewall has its limitations but it will strictly enforce whatever rules are written in the ACL. If it says allow web traffic, it will allow web traffic. If it says deny FTP traffic then it will deny FTP traffic.

    Problems rise when humans intervene. Let’s say a school enforces a “No ID, No Entry” policy. All students are required to wear their ID upon entering the school. One day, one student forgot to bring his ID but the guard still allowed him to enter because they’re friends. Is it correct for a guard to make exceptions even if there’s an explicit ID policy? What if the said student brought his friends? Will the guard still allow it because they’re friends?

    Humans or wetware are the weakest link in the security chain because they simply make a lot of exceptions. That’s why the human vulnerability is a weakness that no patch can perfectly fix.

    Ethics: Social Engineering in Penetration Testing

    In penetration testing, a third party service provider actively tests the security solutions implemented in the network. Active testing means exploiting discovered weaknesses in security. One of the tests is the social engineering test. In this case, the pen tester tries to bypass security through social engineering.

    For example, the company security policy requires the use of a badge/ID to enter the office. The pen tester will carry a lot of heavy things so the guard will help him instead of looking for the ID. The pen tester successfully enters the facility with the guard as accessory to the crime. After the pen testing, the guard is terminated due to abandonment of duty during the test.

    It is the job of the pen tester to lure people into breaking the policy. The targets, out of good-will, will help them. But in the end, they will be terminated. Is that ethical?

    Steps in Social Engineering

    There are three steps in social engineering.

    1. Information Gathering

    In this step, the social engineer gathers as many information about his target as possible. He can do online searches in social networking sites, stalk the target to learn his routines and talk to his friends to learn more about his likes.

    1. Developing Relationships

    After you have gathered enough information about your target, it’s time to build relationship. Let’s say you learned that the target likes Justin Bieber. You can create a “perfect encounter” with him in his daily routine. You could probably sit beside him in a bus and have a little chitchat about Justin Bieber. Ideally, you can build a relationship with the “serendipitous meeting.” In some cases, you will need to “invest” on something. If you learned that the target is in a lot of debt, aside from being a Justin Bieber fan, you can use that to your advantage for the next step.

    1. Exploitation

    In the last step, you push through with your goal of eliciting the information you need from the target. You may have allowed your target to borrow a sum of money from you so that he can pay his debt. Now, you can use that to your advantage. You can ask for the information and remind him that he is in debt so he should return the favor. In this case, you are successful in your mission.

    Types of Social Engineering Attacks

    The Social Engineering Attacks can be classified into 2 categories:

    1. Non-technical – Doing social engineering in a traditional way
      1. Dumpster diving – Literally checking the target’s garbage.
      2. Shoulder surfing – Glancing at other person’s computer, cellphone or paper.
      3. Impersonation – Pretending to be key personnel in your target’s company.
      4. Tailgating – Walking in the vicinity after the person ahead of you taps his badge to open the access door.
    2. Technical – Doing social engineering using technology
      1. Phishing – Getting target’s information using fake e-mail or website.
      2. Spear phishing – A type of phishing targeting a particular person.
      3. Pharming – A type of phishing targeting a group of people/organization.
      4. Vishing – Deceiving target using telephone/cellphone/smart phone.

    —– NOTHING FOLLOWS —–

    You can download the PDF version of this lesson here: INFOSEC_L5_SE

     

  • Justin Pineda 9:48 am on February 4, 2015 Permalink | Reply  

    Lesson 4: Types of Authentication and Access Control 

    Authentication

    Authentication is defined as proving who you are claiming to be. By default, we have 3 types of authentication:

    1. Something that you know – A form of authentication coming from what you know (residing in the mind)

    Ex. Password, pin

    1. Something that you have – A form of authentication that is tangible.

    Ex. Token, cellphone, ID

    1. Something that you are – A form of authentication where the uniqueness of the part of your body is used.

    Ex. Fingerprint, voice recognition, iris scan

    Not one of the authentication types can be considered the strongest. Something that you know authentication such as password can be cracked using brute force or social engineering. Something that you have authentication such as ID’s can be stolen or reproduced. Something that you are authentication such fingerprint is prone to false positives (you have sweaty hands etc.)

    To make your authentication stronger, it is advised that you use 2 or more types of authentication to provide a layer of security. This is what we call 2-factor or multi-factor authentication. Examples include:

    1. ATM + Pin (something that you have and you know)
    2. Credit card + signature (something that you have and you know)
    3. Cellphone for One-Time Password (OTP) + password (something that you have and you know)
    4. Badge + biometric (something that you have and you are)

    Note: Usernames and passwords are not considered multi-factor because both are something that you know type of authentication.

    Questions to search on:

    1. What is the fourth type (or other types) of authentication?
    2. What is the most accurate biometric? Why?

    Types of Access Control

    Access Control or Authorization determines the type of privilege a user has after being authenticated. If you enter the school, an authentication mechanism could be your school ID. Access Control determines which rooms in the school you can access. If you’re a student, you can access the classrooms, computer laboratories and cafeteria. However, you are prohibited from accessing the faculty room and server room. A faculty member can access more rooms compared to a student.

    Mandatory Access Control (MAC)

    MAC is the strictest type of access control. This access control can be seen in government especially in military. It uses Sensitivity Labels (SL) both for the subject (initiates an action) and object (waiting for action). It is also known as a multi-level type of access control.

    SL can be classified as:

    Top Secret

    Secret

    Confidential

    Public

    Let’s say a File A (Object) has an SL of Secret. Only the subject that has an SL of either Top Secret or Secret can access the file.

    To visualize, let’s say a 5-star General has an SL of Top Secret, Colonel with SL of Secret, Lieutenant with SL of Confidential and Sergeant with SL of Public. Only the Colonel or 5-Star General can access File A because they have clearance to do so because of their SL. A subject can access all objects that are below his/her SL. MAC uses a top-down approach.

    Discretionary Access Control (DAC)

    DAC is the direct opposite of MAC. In this case, this type of access control can be seen in non-military institutions (commercial use, usually). In DAC, the owner of the file determines the privilege of the subjects to the objects. It is also known as a single-level type of access control.

    DAC uses an Access Control Matrix (r-read, w-write, x-execute) shown below:

    S (down) O (right) Chicken File

    Owner: Riza

    Object 1

    		 Pasta File

    Owner: Reese

    Object 2

    		 Beef File

    Owner: Rex

    Object 3
    James

    Subject 1

    		 rwx -wx
    Ray

    Subject 2

    		 rw- rw- -wx
    Ogawa

    Subject 3

    		 rwx -wx

    In the above scenario, we have 3 users (subjects) trying to access 3 files (objects). Each file is owned by a specific individual (owner). It becomes the discretion of the owner on what privileges he/she wants to give the subjects. These privileges may change also.

    Role-based Access Control (RBAC)

    RBAC is also known as a non-discretionary access control. It gives privileges based on the roles/tasks. It is beneficial for large organizations in organizing group privileges to objects. For example, all students have read only access to File 1, File 2 and File 3. All faculty members, on the other hand, have full access to all the files mentioned. The admin will just add users (subjects) on the groups created for consistency and convenience.

    Rule-based Access Control

    Rule-based Access Control basically gives privilege based on a list of an enforced policy. A good example is an Access Control List (ACL) in a firewall. The firewall will grant/deny access based on the rules found in the ACL. However, if no rule is present, then no privilege should be given. (implicit deny)

    —– NOTHING FOLLOWS —–

    You can download the PDF version of this lesson here: INFOSEC_L4_AuthAC

     

← Older posts

c
Compose new post
j
Next post/Next comment
k
Previous post/Previous comment
r
Reply
e
Edit
o
Show/Hide comments
t
Go to top
l
Go to login
h
Show/Hide help
shift + esc
Cancel
%d bloggers like this: