W6-3/3 Personal Research for Internship (8/1)
During my internship I researched
cyber security by reading “Network Security Through Data Analysis, Building
situational Awareness” by Michael Collins and “Ghost in the Wires: My
Adventures as the World's Most Wanted Hacker” by Kevin Mitnick. I recommend both
books, especially Mitnick’s autobiography since it is a good read for the pure
story alone (even to those who have little to no interest in computer science,
also his book is really good for anybody with interests in criminal justice or
law). Collins’ book really helped me gain a better general understanding
of cyber security, tactical awareness, and security incident trend analysis as
well overall data analysis for that can be applied to actionable reports. It has
some good information on applications of relevant softwares commonly used
within the industry today and what to watch out for, especially in regard to
network traffic (e.g. traffic on obsolete and unsecure FTP ports). I think the
biggest take away I got from this book was the balancing acts of cyber
security, those included between redundancy & vantage and coverage &
efficiency. There is an economy when it comes to these matters and things like
false positives (false alarms to sensors) and redundant defenses can have
extremely negative consequences for the security of a network. I think Collin's
book will give anyone a good basis for both network security and the
application of data analysis (which is given by the straightforward title). I
think what is especially helpful with giving pointers for a starting point or
protocol of how to do things. Almost every chapter follows through on how you
could apply the skills in way that would be particularly helpful for a process
and notes on how to be nuanced in these approaches (e.g. vertical scans to be
extra sure that your software is being reliable, basically checking if the data
from your computer and your software is matching and in most cases if not then
the software is at fault, and the characteristics of what makes up a good log
message, being descriptive, relatable to other data, and complete).
Mitnick’s book was good for giving me a good look into the mind of
a hacker, the concept of ethical hacking, the history of hacking (pre-internet
and early internet), the evolution of cyber security laws and pen testing as a
service (to a small extent), dispelling misconceptions of how hacking works,
social engineering (which when successful can undermine nearly any defenses),
and helped to pique my interest in cyber security in general. I think Mitnick's
strong suit when it came to hacking was his memory (which I can't expand on
much and I don't think it is as big of an asset for modern day hackers- since
phone freaking isn't really as common and it seems as if now technology is made
in such a way that we try to avoid remembering more "trivial" things
like phone numbers) and his ability at social engineering. This book shows a
lot of accounts of social engineering which could be good for one's future
intuition. From these accounts you can see just how important accountability
and reliability are to cyber security employees. If the hackers cannot
manipulate the systems, then they will try to manipulate the system's admins
and architects. The good will and camaraderie of people can be manipulated at
times so skepticism can be a good thing for management to implement and
promote. Perhaps familiarity between employees at various levels and greater
requirements for communication (e.g. video calls). A lot of times Kevin would
impersonate employees of a company and would have little trouble since the
employees were not familiar with the person whom he was impersonating. I think
having a better means of identifying who is who would certainly mitigate the
risk of this happening to an establishment. I am certainly going to read more
about cyber security in the future, in fact I already have some books in mind:
Spam Nation by Brian Krebs and The Dragon’s Quantum Leap by Timothy L. Thomas.
Not to mention Mitnick’s other works (which I found out on my own time have
easily accessible PDFs with a simple google search).”
PS-
At my current understanding of cyber security the most critical matters are
prioritization and prevention regarding the efficiency in use and economy of
defensive resources. With proper prioritization and prevention, a cyber
security team can reach its very highest efficiency. Preventive measures will
manifest in the firewall and alarms implemented within the system and most
passive means of defense. The issue here of course is false positives (false
alarms) and false negatives (undetected breaches). Your firewall needs to
hinder invaders not the denizens of the network. Thus, one should watch ports
that invaders commonly used to undermine firewalls (e.g. 53/udp DNS). These are
usually more critical or obsolete ports (e.g. 23/tcp Telnet). Then protective
measures that are more redundant and less useful should be avoided. While
overlapping protection may seem more "robust" they can be far less
efficient and can complicate the configuration of your defenses (i.e. how they
interact and affect each other's use). When created it is not bad to consider
staggering alarms, so a user is not overwhelmed by a sudden influx of alarms
(especially in the case of a brute force attack or something spam-related where
the matter of threat will most likely be coming in at a high quantity).
Prioritization affects the active defenses. To work the most efficiently, one
most work smart and hard. Proper prioritization is a big part of working smart. A
means of determining and ranking possible threats is vital. There is nothing to
be gained in making unnecessary reactions and using up your precious
resources and time in vain. If there is nothing you can do about it (worst
case), no damage that it can cause, or no chance that it can occur than there
is nothing to be gained in pursuing this and only loss to be had. With this in
mind it is best for one to try and develop an equation that will rank these
threats well. Characteristics like chance of occurrence, potential damage,
and how well the system is protected against this threat should be considered
when creating this equation and other equations may determine this
characteristic. This will determine what you react to and what you react to first. CIRT
protocols (NIST-800 61 & NIST-800 137) are important because they determine
how one will react and accordingly how one should react. This gives an orderly
process to respond to events. Which will lead to more consistent results. It is
also easy to follow along with where they are within the process which improves
communication between departments. If one's methods of prioritization and
prevention are appropriate and effective than their employees/coworkers can
perform at their very best.
Comments
Post a Comment