Week 7 CYBR 650 Blog
Week 7 Blog: It's National Cybersecurity Awareness Month!
October is designated as Cybersecurity Awareness Month,
generally a time of the year for the Government to post some helpful guidelines
for everyday people to read about how cybersecurity could impact their lives. Typically,
these give people without much direct cybersecurity knowledge a good exposure to
common threats and vulnerabilities. This year there are four
themes for the four weeks of the month: cybersecurity at home, careers in cybersecurity,
workplace cybersecurity, and critical infrastructure cybersecurity. More specifically, week 4, Oct. 22–26, will be
about safeguarding the Nation’s Critical Infrastructure.
When most people read this, they
correctly assume this means energy, financial, and emergency systems or maybe
centralized communications and transportation. Those are all considered
critical infrastructure, and are afforded enhanced protection resources through
that designation. One item that many may not be aware of is that election
infrastructure has also been designated as a critical infrastructure subsector since
2017. With it being close to November, I did a bit of reading about the
upcoming election cycle and the often assumed but not overly analyzed aspect of
voting – cyber attacks on the systems used to collect and tally votes
throughout our country. All elections are important, but this upcoming election
is drawing large interest, and many extreme opinions.
The incentives for our enemies are astronomical
While it is incredibly risky
for a nation-state to attempt to modify the voting information of another sovereign
nation, this does not mean it cannot happen. It also does not mean that it cannot
be executed by a proxy group, or by a non-nation entity for any number of
motivations. The risk is high, but the impact could be incredible. It will be
attempted. Nations and other groups have already attempted to socially engineer
voters by trying to influence their opinions, so this could be the next
escalation.
Is decentralized control and execution a weakness?
This system is largely
decentralized, with the states conducting their own voter registration and
maintaining their voting machines. So, does this mean that the DHS cyber forces
can now descend on the states to ensure their voting equipment is tamper-proof?
Does it also mean that the federal government dictates specifics on how states can
conduct their elections? Not really. All it does mean is that these systems are
prioritized higher, and assistance can be provided, but only when it is requested.
Not overly comforting. So is the system secure? I can’t answer that, of course,
but it appears that good measures are being undertaken to ensure it is. This
article from two weeks ago on Wired.com highlights the existence of many
current vulnerabilities within the voting infrastructure. I do know one thing… if
the results of the upcoming election are able to be tampered with by any
external entity, then the fallout and ramifications from that will be enormous.
In an interview
on darkreading.com, Hugh Njemanze, the CEO of Anomali, a cyber threat intelligence
company, was asked about election system security. He praised the increase
in information sharing about threat activity and vulnerabilities across the
different enterprises that make up this piece of infrastructure. Furthermore,
designating this as critical infrastructure at the national level shows how
seriously it is being taken. Mr. Njemanze makes a great point when he talks about
the strengths and weaknesses of the decentralization we use in our voting
infrastructure. The strength is that exploiting one node in a
decentralized/non-standard system doesn’t guarantee exploiting all nodes in the
same attack, as they are all different. On the other hand, having them all
independently managed can bring on weaknesses through that non-standard
implementation. Some entities may value or comprehend cybersecurity more than
others, devoting more or fewer resources to securing the infrastructure. This
can manifest itself in differing levels of risk analysis and planning, or in
the operations and maintenance of systems, such as failing to patch security holes
in their systems.
The bottom line is that these
are critical information systems, just like those in a business, and they are
susceptible to exploitation just like the systems we read about getting
exploited day in and day out. The owners of this system need to comprehend their
weaknesses and vulnerabilities and work to completely eliminate those. Just as
important, they must stay abreast of the current threat landscape by participating
in information sharing venues with similar organizations and taking advantage
of federal assistance opportunities to have their infrastructure analyzed by an
experienced third party.