Friday, January 29, 2016

Blog 7: Cloud Security with Diversity of Defense

Image courtesy of ddpavumba at FreeDigitalPhotos.net
In my effort to increase security awareness and obtain a cultural acceptance, I wanted to bring a focus on the use of cloud based solutions for storing data and security measures to consider that could assist in reducing some associated risks.

As we use different devices to obtain our data, having the ability to utilize cloud-based storage, like OneDrive, Google Drive, and Dropbox, seems to have become a useful convenience for some. The convenience resides in the fact that you can have instant access to your data, anytime, and anywhere you have an Internet connection. Even more, some providers allow the opportunity to share your data with team members of your choice to provide an incredible opportunity for collaboration efforts. However, what if your data is being shared with individuals who are not a part of your team? What steps can you take to protect the information and confidentiality of your data?

First of all, a 100% protected and safe cloud based system and environment, more than likely, does not currently exist (none that I have seen thus far). Additionally, consumers must accept that risk does exist with the use of these systems, so the cloud solutions may not be for everyone. In fact, many businesses have policies that strictly prohibit the storage of company data within cloud based storage systems. Even so, measures can be taken to increase the level of security, thus reducing risk, to bring a feeling of comfort when utilizing the cloud as a storage location for your data. However, never go against your company policies, even if you implement security measures to protect the data. Policies put in place by your organization are MANDATORY and must be adhered to at all times. With that being said, let's focus on security measures for the data you own or have explicit permission to store within a system of your choice.

The first security measure to consider when storing data within the cloud is fairly simple to implement and is called password management. Make sure you have a secure and hardened password in place. Even more, be sure to change this password on a frequent basis. A useful tool to assist in this process is called a password manager, such as LastPass, Dashlane, and 1Password, just to name a few. These programs can provide you with a means of changing, tracking, and hardening your associated passwords.

Another measure to consider, that corresponds with your password, is multi-factor authentication. By implementing this alongside a hardened and frequently changing password, you are creating what is known as diversity of defense. Diversity of defense is a layered approach to security and protection. To illustrate, if a malicious user were to discover your hardened password, prior to your next scheduled change, they would not be allowed to log into your cloud based account without having possession of the device you selected to receive the pass code when you implemented multi-factor authentication. This, in effect, provides an additional layer of protection of your data, as well as a notification to assist you in taking an immediate action if you receive a pass code notification, but were not attempting to log into the system yourself.

Lastly, and an extremely important measure, is encrypting your data. Even though you have applied diversity of defense with a hardened password and multi-factor authentication, encrypting your data provides one more layer for that "just in case" situation. For example, if, for some reason, a malicious user were able to obtain your associated password, as well as the multi-factor pass code, your cloud based storage account could be accessed (breached). However, if you have an encryption solution implemented, such as Sookasa, the data residing within would be unreadable and therefore useless to the malicious user.

Cloud based computing is an exciting and convenient opportunity for data access and sharing that you should not fear. If you exercise due diligence and put layers of security in place, you can enjoy the freedom to access your data from anywhere you have Internet access, with the comfort of knowing you have several measures in place to protect the confidentiality of your data.

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!



    

Thursday, January 21, 2016

Blog 6: A "Combination" of Issues

Image courtesy of Anoop Krishman at FreeDigitalPhotos.net

In my effort to increase security awareness and obtain a cultural acceptance, I wanted to bring a focus on combination locks, for physical security, and how easily they can be "cracked."

I remember being in high school and securing all of my items inside of my locker. As long as I could remember the three digits in the combination, I would be able to retrieve those items, while keeping others out. This locker provided a sense of security and a feeling of protection for the items residing within. In fact, I remember storing personal belongings, such as my really cool Sony Walkman I got for Christmas in the 80's. Lucky for me, I always remembered the correct numbers, which allowed me to have my books readily available for class...not that that helped me any as I couldn't hear the teacher over the Def Leppard music blaring on my Walkman (just kidding).

Anyways, back to the combination locks. Even though they are considered a physical security device that can assist in protecting items behind closed doors, there are ways to discover the code. If the code is discovered, the lock can be opened. If the lock can be opened, my Sony Walkman can be taken. If my Walkman was taken, Def Leppard would not sing to me in class!  Of course, I am still just kidding...I think!

So, how would someone be able to accomplish this? The first thing you need to do to "crack" a combination lock is to discover the third number in the code. To do this, you simply lift up on the clasp and rotate the dial in a specific way to find the "gap." It takes a little time to learn the technique of identifying the gaps within the numbers, as this is actually the hardest part.

Once you have identified the "gap", it becomes your third number of the combination. With this number, you simply fill in the Combination Lock Cracking Form listed below by following the instructions, which will have you write that number in the cell labeled #3. I created this form in 2015 to allow students to practice some lock cracking techniques in a course called Hacker High. Now just continue to follow the written algorithm to reveal all of the possible combinations.

Once you have all of the combinations written down, you attempt each one. You should have the combination revealed within 15 minutes. In fact, my record is just under 2 minutes for a lock I demonstrated for a class I was teaching. You will find that some are easier than others, but they all can eventually be opened utilizing this technique.

Have fun and use this knowledge for good, not for Walkman stealing evilness!

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!



Thursday, January 14, 2016

Blog 5: The Sticky Key Vulnerability

Image courtesy of Stuart Miles at FreeDigitalPhotos.net
In my effort to increase security awareness and obtain a cultural acceptance, I wanted to bring a focus on a specific vulnerability within the Microsoft Windows Operating Systems. 

In the world of Information Technology security, a vulnerability is synonymous with the word weakness. The vulnerability I am referring to is called Sticky Keys. If you press your shift key five (5) times, the Sticky Keys menu will pop up. Go ahead and try it!

This weakness can be exploited by a user, potentially malicious, in such a way that it could allow the user to reduce the overall security of the system and bypass your hardened password, no matter how strong it is!  

Based on information provided by (Wikipedia Vulnerability Computing, n.d.), a potential vulnerability generally has these three elements:

1.) An existing flaw within the system.
2.) Access to the system by the malicious user.
3.) Knowledge and capability to exploit the flaw.

With that being said, let's further define the vulnerability elements and compare to see if it applies to Microsoft's Windows operating systems being used on a laptop. Here is the scenario: you left your Windows 8 laptop on the restaurant table while you utilized the facilities (Bio Break!). When you returned to your table, and to your surprise (Really???), the laptop was gone. The individual who took your laptop arrives at their home and uses a Windows 8 DVD to change your local administrator password to access all of your files. How did this user do that? Continue reading to learn the answer.

If the malicious user were to take an existing Windows 8 DVD and place it into the DVD-ROM drive, then turn the laptop on and boot directly off of this DVD, they would be provided with the opportunity to install Windows 8. However, with your particular laptop, Windows 8 is already installed. Therefore, instead of pressing the "Next" button, the malicious user simply holds the shift key down and presses F10. By doing this, he/she receives a Command Prompt. Once they have the Command Prompt visible, they utilize the "CD" command (change directory) to get to the local Windows\System32 directory.

Now that they are at the local Windows\System32 directory, the malicious user would type the following command: "copy cmd.exe sethc.exe". This command will copy the Command Prompt executable file over top of the Sticky Keys executable file. The malicious user has now replaced the Sticky Keys menu program with the Command Prompt program. Once the user reboots the laptop normally, the logon screen will appear. From here, he or she will press the shift key five (5) times, but instead of the Sticky Keys menu, they will see the Command Prompt. Even more, the Command Prompt has administrative privileges, which aligns with the first vulnerability element, "a flaw within the system."

Since administrative privileges exist, the next commands entered would allow the malicious user to view the name of your local accounts, as well as change the password for access. To view the local user accounts, they would type: "net user" and discover the user ID was, for example, PilotTroy. From here, they would type: "net user pilottroy P@ssw0rd1" to change the password for that local account. Once this has been completed, they could simply type "exit" and log directly onto your computer to view all of your data, using your own personal account. Thankfully, there are ways to disable the Sticky Keys function, but that is for a different blog.
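
The swap described above leaves a simple trace: sethc.exe becomes byte-for-byte identical to cmd.exe. The following check for that trace is an added example, not part of the original post; the optional known-good baseline hash and the placeholder sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sticky_keys(system32, baseline_sha256=None):
    """Return findings for sethc.exe in a System32 directory.

    system32 can be the live folder or the same folder on a mounted disk
    image. baseline_sha256 (optional, an assumption of this example) is the
    hash of sethc.exe from a known-clean install of the same Windows build.
    """
    sethc, cmd = Path(system32) / "sethc.exe", Path(system32) / "cmd.exe"
    if not sethc.is_file():
        return ["sethc.exe is missing"]
    findings, sethc_hash = [], sha256_of(sethc)
    # The swap described above leaves sethc.exe byte-identical to cmd.exe.
    if cmd.is_file() and sethc_hash == sha256_of(cmd):
        findings.append("sethc.exe is a copy of cmd.exe")
    # A baseline also catches replacement by any other program.
    if baseline_sha256 and sethc_hash != baseline_sha256.lower():
        findings.append("sethc.exe does not match the known-good baseline")
    return findings


def make_sample(directory, swapped):
    """Build a constructed System32 stand-in; file contents are placeholders."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    original = b"constructed sethc placeholder"
    (directory / "cmd.exe").write_bytes(b"constructed cmd placeholder")
    (directory / "sethc.exe").write_bytes(
        b"constructed cmd placeholder" if swapped else original)
    return hashlib.sha256(original).hexdigest()  # stands in for the baseline

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        baseline = make_sample(Path(tmp) / "swapped", swapped=True)
        for finding in check_sticky_keys(Path(tmp) / "swapped", baseline):
            print(finding)
```

On a real system, point `check_sticky_keys` at the Windows\System32 folder, either live or on a disk image mounted read-only.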

If you are interested in watching the video I created to see this in motion, **click here**

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!


References:
Wikipedia Vulnerability Computing (n.d.). Retrieved January 13, 2016, from https://en.wikipedia.org/wiki/Vulnerability_(computing)



Monday, January 4, 2016

Blog 4: If It Looks "Fishy", It Just Might Be "Phishy!"

Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net
A fish, that is just floating effortlessly by a rock, all of a sudden sees a flash of white and yellow heading its way. It thinks to itself, "that looks like something I could eat! Yes, it is something I could eat because it looks just like a minnow. If it looks like a minnow, it must be a minnow. I love minnows! Therefore, I must swim to it fast, open my mouth, and gobble that flashy and tasty little treat up." At this point, the fish is feeling very lucky. So, it moves in a quick direction towards the meal and completes the mission. Unfortunately, that was not a delicious minnow and the fish was tricked!

Like the fish, I must be the luckiest person on the planet! According to some of the emails I receive, I have people from all over the world wanting to send me money. Out of everyone in the world...they picked ME! How amazingly lucky is that, right?! Even more, they make it so easy to get the money. All I have to do is provide them with some personal information, like my full name, social security number, and a bank account to get the money deposited. I am so incredibly LUCKY! Well, about as lucky as that fish on the end of the hook fighting to stay in the water while being pulled from the other end of the line. You see, after providing the information, I did not see any of the promised money deposited. Instead, I saw money withdrawn, as I too have been tricked! 

Lucky for me, this is just a story and didn't actually happen. As the title of this blog states, if it looks "fishy", it just might be "phishy." Phishing emails come in many forms and can even appear to be legitimate. Therefore, do not become a victim like the fish or my story. Before you click on any attachment or link in an email, be sure to R.E.A.D. the email first. Ask yourself if the email is:
  • Relevant: Is the email relevant and appropriate for you or your work? If the answer is no, it could be spam or a phishing attempt.
  • Expected: Is the email from an expected or trusted source under the sender’s typical email address? Does this source normally send you similar emails or attachments? If the answer is no, it could be a phishing attempt.
  • Action Requested: Does the email call for you to perform an urgent/immediate action (click a link or open an attachment)? If the answer is yes, it could be a phishing attempt.
  • Defies Logic: Does the email sound too good to be true or seem suspicious? If the answer is yes, it could be a phishing attempt.
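
Two of the R.E.A.D. questions, Expected and Action Requested, can be partly checked from the message itself. The sketch below is an added example, not part of the original post; the address book, the urgency phrases and the sample message are constructed for illustration, and Relevant and Defies Logic remain the reader's judgment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed urgency phrases; adjust for your own mail.
URGENT = re.compile(r"\b(urgent|immediately|act now|within 24 hours)\b", re.I)
LINK = re.compile(r"https?://", re.I)


def read_flags(raw_message, contacts):
    """Flag the two R.E.A.D. items that can be checked mechanically.

    contacts maps a display name to the address that person normally uses
    (a hypothetical address book).
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr, flags = addr.lower(), []
    # Expected: is this the sender's typical address?
    if addr not in {a.lower() for a in contacts.values()}:
        usual = contacts.get(name)
        flags.append(f"Expected: {name} normally writes from {usual}" if usual
                     else f"Expected: {addr} is not a known sender")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        flags.append(f"Expected: replies would go to {reply_to}")
    # Action Requested: urgent wording together with a link or attachment.
    text, has_attachment = msg.get("Subject", ""), False
    for part in msg.walk():
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            text += "\n" + part.get_payload(decode=True).decode(charset, "replace")
    if URGENT.search(text) and (has_attachment or LINK.search(text)):
        flags.append("Action Requested: urgent wording with a link or attachment")
    return flags


# Constructed sample message and address book.
SAMPLE = '''From: "Pat Lee" <pat.lee@example.net>
Reply-To: claims@example.org
Subject: URGENT: confirm your account

Act now and confirm your details at http://example.org/confirm
'''
CONTACTS = {"Pat Lee": "pat.lee@example.com"}
if __name__ == "__main__":
    for flag in read_flags(SAMPLE, CONTACTS):
        print(flag)
```
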
Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!