Posts

Week 12 CYBR 650 Blog

End of coursework...beginning of a new path. I started this Cybersecurity program many years ago. Work and other life obligations have prolonged it more than I would have liked, nevertheless, this is the end. It is also coinciding with the end of my military career next spring, and along with that, the choice to decide what work I actually want to do going forward. There are so many niches in Cybersecurity that it is hard to narrow down what to focus on. This program, much like the CISSP I got before starting, is an inch deep and a mile wide. I leave feeling like I know a great deal about nearly all of the critical concepts, yet still understand that each of these topics takes years of education and real-world application to even begin to consider yourself an expert. I understand a lot, yet feel like I know very little. Current Trends in Cybersecurity Conclusion The CYBR 650 course was a great introduction to the topics of assessing the security of a system. In the course...

Week 10 CYBR 650 Blog

Action Plans This week I finished up creating my Action Plan for the Harry and Mae case study in my Current Trends in Cybersecurity course. This is the culmination of many weeks analyzing assets, threats, and vulnerabilities for the simulated enterprise. We delivered an action plan, detailing the steps recommended to fix some of the vulnerabilities. As I was detailing these steps I realized how incredibly complex and difficult some of these actions actually are. For academic purposes, some of this information can be handwaved as we are understanding the process, not necessarily all of the project management projection of some of these tasks we were detailing. For example, recommending that an organization move from no password policy to two-factor authentication briefs very well, but it can be incredibly complex, expensive, and time-consuming. At many points during the drafting of the Action Plan I felt like the employee in the above Dilbert...

Week 9 CYBR 650 Blog

Are We More Vulnerable Mid-week? While conducting research this week I stumbled across an interesting statistic in the eSentire 2nd Quarter Threat Report. This is an excellent threat source. Towards the end of this product, they were reviewing statistics associated with phishing. They claim that Tuesdays, Wednesdays, and Thursdays are days that employees are more likely to click on a phishing link. Additionally, Wednesday and Thursday account for nearly 50% of credential submitting occurrences. I had honestly never thought of this before. Generally being interested in social engineering, I wondered why this is true. eSentire Q2 Threat Report Explanations for this Wombat Security's 2018 State of the Phish also highlighted a similar notion. So is this a human thing to be more careless in the middle of the workweek? I could not find anything to support that claim. Mondays are the most common day for a workplace mishap. It is probably more related to the work...

Week 8 CYBR 650 Blog

Week 8 Blog Cyber Warriors? My organization, the US Air Force, is eyeing a major shift in how it approaches what was considered “IT” when I first entered the service. Most personnel in computer career fields spent 100% of their time on fielding and supporting whatever computer systems were deemed necessary for mission success. The new initiative is driving the effort to transition these support personnel to cyber defensive personnel. Gone will be “blue suiters” imaging computers, mapping home drives, or managing e-mail boxes. These personnel will transition into defense teams with specialized missions of defending critical cyberspace terrain. This isn’t new, as a lot of organizations are looking at something similar. In many cases though, I would imagine they can often hire new staff and rapidly train those that remain. In a large and relatively slow-moving organization though it will be interesting seeing how this unfolds. It may seem like a natural transition to take someone...

Week 7 CYBR 650 Blog

Week 7 Blog It's National Cybersecurity Awareness Month! October is designated as Cybersecurity Awareness Month, generally a time of the year for the Government to post some helpful guidelines for everyday people to read about how cyber security could impact their lives. Typically, these involve a good exposure of common threats and vulnerabilities to personnel without much direct cybersecurity knowledge. This year there are four themes for the four weeks of the month: Cybersecurity at home, careers in cybersecurity, workplace cybersecurity, and critical infrastructure cybersecurity. More specifically, week 4, Oct. 22–26 will be about safeguarding the Nation’s Critical Infrastructure. When most read this they correctly assume this means energy, financial, and emergency systems or maybe centralized communications and transportation. Those are all considered critical infrastructure, and afforded enhanced protection resources through that designation. One item that many ma...

Week 6 CYBR 650 Blog

Week 6 Blog, but more a review of “Self-Defending Networks: AI and the Future of Cyber Defense” I wrote an article review for a Risk Management class this week. The article discussed the need for financial IT risk analysts to start capitalizing on the advent of new technologies such as AI, blockchain, and cognitive computing. The article was mainly about framing how these technologies might introduce new risks or threat vectors, or how they can be leveraged to help them manage risks and controls better. Not a lot of specifics on what actually is going to change. AI sounds great, but what does it actually do? Also, what is now obsolete? This got me thinking about what the future of cyber security is going to look like. I have never actually worked in the industry (19 years in the military), receiving most of my knowledge through formal education, so my thoughts on this are still developing as I learn and gain experience. Enterprise Immune System I stumbled across a video fr...

Week 5 CYBR 650 Blog

Will Harry and Mae’s Diner Ever Listen to their Paid Consultants? This week in class we are working through the familiar (at least for Bellevue Cybersecurity students) Harry and Mae’s case study. This examines a franchise of diners, and depending on the class you are in, you examine it through the lens required…it could be risk management, secure network design, or threat analysis. One item I got to thinking about this week is the individual franchises under a company like this, and how much leeway they have when deciding how to run their own infrastructure. This is especially important when the headquarters policies dictate an insecure implementation of the IT equipment, such as is the case with Harry and Mae's. In my specific experience with them, this will be the third time I have recommended basic security configurations without any visible action on their part. Point of Sale Security Certainly, a hot topic over the last few years, point of sale devices a...