Thursday, June 2, 2016

The End, and The Beginning

CYBR650 Week 12

What we call the beginning is often the end. And to make an end is to make a beginning. The end is where we start from.  - T. S. Eliot

Focus on the journey, not the destination. Joy is found not in finishing an activity but in doing it.  - Greg Anderson

Beginnings and endings.  As T. S. Eliot implied, they are often easily inverted.  This is clearly an ending for me.  One more item to check off my bucket list, completion of a Master’s Degree.  But, also a beginning.  I’m not sure what this is the beginning of, so, it’s with a sense of anticipation that I look to the future, with a sense of serendipity. 

So what have I learned in these final courses for the completion of my MS in Cybersecurity?  First, I’m humbled by the eternal lesson of learning what I don’t know.  Every lesson showed me one more time that there is so much more to know, knowledge that will only come with practice.  And with each question answered, the humbling realization that I now have more questions. 

But on a more practical note, I feel prepared to take on new challenges.  I’ve also gained confidence to learn those new lessons, and to step into challenges I wouldn’t have had the courage to attempt.  I know they won’t all be successes, but some of the best lessons are tempered in failure. 

At moments like this I often think of my father.  He was a scholar in the true sense of the word.  Always curious, always asking and always seeking a better understanding of the world around him.  He loved history.  I’m liking it more and more, but my passion is technology.  However, I would say technology in the realm of relationships.  Technology provides the puzzles that need to be solved, people make the search for the answer interesting.  We often talk about the human factor as the great variable in cybersecurity.  It takes the work from being a technical solution to one more art than science.  I know my father would find my work and my understanding of life in this context something worth discussing.

And I know my father would appreciate that I embraced the challenge and saw it through.  I encourage anyone who reads this to challenge yourself.  It may not be a degree in cybersecurity, but find your passion and begin the journey.  Bellevue University is a great place to pursue a degree, well designed with enthusiastic staff who sincerely work to help you find your success.  But if your passion is something else, pursue it, embrace it, follow it, grow through it.   Reach outside yourself, step out of your comfort zone.  It will be an exciting journey, a beginning, and an end, all at the same time.

Monday, May 23, 2016

The Advantages of Women in Technology

CYBR650 - Week 10


"When you put the helmet on, it doesn't matter if you are woman or man: your mission is to compete to win.  The important thing is your ability, your intelligence and your determination." 
Milka Duno, race car driver

“Recognize and embrace your uniqueness.  I don’t think the ratios are going to change anytime soon.  But I don’t think it has to be a disadvantage.  Being a black woman, being a woman in general, on a team of all men, means that you are going to have a unique voice.  It’s important to embrace that.”
 Erin Teague, Yahoo director of Product Management

While 57 percent of occupations in the workforce are held by women, in computing occupations that figure is only 25 percent.  This disparity is apparently getting worse, as fewer women are graduating from college with computer science degrees than there were in the 1980’s.  What is the impact of fewer women in technology jobs? 
Women are needed in technology fields

Current research indicates gender diversity has many benefits.  Diverse teams (not all male or all female) tend to be more productive and have better team dynamics.  Interestingly, technology work teams stay on schedule and under budget when they are gender diverse.  These teams are more likely to experiment, are more likely to share knowledge and to complete tasks.  On the organizational level, when diversity is actively encouraged and facilitated in the workplace, it’s beneficial, but if ignored, there are more communication issues and weaker cohesion in work teams.

Time magazine reported that the gender gap in cybersecurity makes everyone less safe.  This is partly driven by the fact that there are fewer people available to work in cybersecurity when only half of the population are seeking jobs in the field.  Women only comprise 10 percent of the information security workforce.  Another significant factor is that security solutions aren’t developed with half the population in mind.  Since women experience the world differently, they also come up with different solutions to security issues.  In general, women are more sensitive to privacy issues than men, most likely because they are more affected by attacks on privacy.  One factor in this disparity could be the military and industrial roots of the field.  Terminology such as 'cyberwar' tends to discourage women from being interested.

So what can be done to improve the situation?  Time suggests cybersecurity job postings should emphasize communal, mission-oriented, human-centered impact, instead of corporate mission and defense.  But women need to be interested and trained long before the job posting.  Audrey MacLean, former CEO and financier for numerous successful tech start-ups, says the key is to interest girls in computing in grade school, with games that don’t involve violence, but offer challenges they find interesting.  My own experience with a daughter who became an industrial engineer is that she found the teamwork, problem solving and product development interesting during college and loves the data analysis work she’s doing now.  But what piqued her interest in middle school was a Disney website that discussed careers for their amusement parks.

Whatever the solution, it may be too late for the technology demands in the next 10 to 15 years.  The tech sector is already short on college graduates who can fill IT jobs.  

Sunday, May 15, 2016

Watson Applies Machine Learning to Cybersecurity

CYBR650 - Week 9

By learning you will teach, by teaching you will learn. – Latin Proverb

I'm working on artificial intelligence. Actually, natural language understanding, which is to get computers to understand the meaning of documents. -- Ray Kurzweil, computer scientist and futurist

IBM announced earlier this week that they were beginning a new year-long cybersecurity initiative with eight North American universities.  These universities all have strong cybersecurity programs.  The university students will be working to train and then analyze security data for trends using IBM’s Watson technology platform.

IBM’s Watson is a cognitive computing system and former Jeopardy champion.  Watson uses machine learning to extrapolate patterns from large data sets.  The process is to allow the computer to learn from unstructured data, then to make predictions based on its programming, then repeat the process.  This produces reliable, repeatable results.  It’s very similar to artificial intelligence.  Machine learning uses large amounts of unstructured data (in this case, on a specific topic) and makes predictions, tests them against the data and then modifies the algorithm and repeats the “learning” process again.  As new data is added, the system adjusts.  This is one of the methods Google used to program its self-driving car.  The Google car used machine learning to understand how other vehicles behave on the road with 70,000 miles of driving data, recording how other drivers and different types of vehicles respond to slow vehicles, obstructions in the road and other situations.  The car learns from others and from its own actions and constantly adjusts the rules that it uses to drive.  The more the car drives in an area, the better it does.

In the case of Watson’s cybersecurity machine learning, the students will train Watson by feeding it large amounts of security reports and other unstructured data.  This includes IBM’s X-Force research library which contains 100,000 documented vulnerabilities.  Watson uses natural language processing to read blog posts, news reports and other information.  The expectation is that Watson for Cybersecurity will reveal emerging threats and how to deal with them.

The project won’t start until fall of this year, so we don’t know if this will revolutionize cybersecurity, but IBM believes this will strengthen the case for Watson’s cognitive computing as a serious business platform.  It may also help with the skills gap of training new cyber professionals.  

Saturday, May 7, 2016

Security Trends by Generation

CYBR650 Week 8

Age is a high price to pay for maturity.  Tom Stoppard

Each generation imagines itself to be more intelligent than the one that went before it, and wiser than the one that comes after it.   George Orwell

One of those things that I’ve been wondering about lately is the differences in the generations, demographic groups of people who share common characteristics. The chart gives one breakdown of the currently accepted generation titles and age ranges.  It isn’t news to anyone that young and old view the Internet differently.  But if we look behind the curtain, there are some interesting differences in how people of different generations view security, online safety and their willingness to buy stuff online.

I recently stumbled across an online report by a commercial VPN provider that offers an application-based service to protect privacy, increase security and hide your location from others on the Internet.  The report, called The Dangers of Our Digital Lives, discusses the apparent disconnect between our attitudes and actions regarding online security.  I would expect that older people would be less trusting and therefore more cautious online.  On the other end of the spectrum, young people would care less about privacy, since they’ve grown up sharing too much information (at least in my opinion) on social media sites.  Of course, the report is biased toward getting people to use their service, but some interesting details come out.  I’ll summarize a few I found interesting here.

- The most secure are those who’ve experienced a security problem.  They improve their security posture by using two-factor authentication, password managers (and probably stronger passwords) and security layers (encryption, two-factor authentication, anonymizers and VPN’s). 

- Two thirds said they want extra layers of security, but very few actually use the tools that are available. 

- Two thirds shred their personal documents, but many post email addresses, home addresses and phone numbers online.

- Sixty percent post inaccurate information on social media as a safety precaution.

So how does age fit into this data?  Does age matter for good security decisions?  According to Kevin Murnane, in his Forbes blog about boomers and privacy, baby boomers are the most likely to go online daily (93%).  Murnane says this is because they spent so much time using PC’s.  He points out the big names in creating the technology behind the Internet are all boomers.  They’re also least likely to use social media.  They’re the least likely to feel safe online.  Older generations like the Internet a lot less.

So how do the first adopters of the Internet protect themselves?  They tend toward older technology protections such as encryption and anti-virus software and are less likely to use two-factor authentication.  Oddly, the millennials felt more protected and reported the most security incidents.

Just a few more statistics.  In general, most Americans have strong opinions about privacy and confidentiality.  According to a 2015 Pew Research Center report, the majority feel they should be able to maintain privacy about their personal lives.  Ninety-three percent say it’s important to control who can get information about them.  Only six percent are confident the government can protect their records.

I’m at the tail end of the baby boomer generation, born in 1960, and I only partially fit the demographic.  I took the online quiz that they offer to see what my security profile is and I came up “digitally enlightened.”   Most likely because I’m studying cybersecurity, I take more precautions than most to protect myself.


What do you do to protect yourself?

Saturday, April 30, 2016

Claude Shannon

CYBR650 Week 7

“The stone age was marked by man’s clever use of crude tools; the information age, to date, has been marked by man’s crude use of clever tools.”-Author Unknown

The Information Age offers much to mankind, and I would like to think that we will rise to the challenges it presents. But it is vital to remember that information — in the sense of raw data — is not knowledge, that knowledge is not wisdom, and that wisdom is not foresight. But information is the first essential step to all of these.  Arthur C. Clarke

April 30th marks the 100th birthday of Claude Shannon, credited with being the father of the information age.  So who is this person who gets this kind of title, but was unknown to me until I saw today’s Google Doodle?

Born in 1916, Shannon was a mathematician and an electrical engineer.  The most significant work that Shannon did was his master’s thesis called “A Symbolic Analysis of Relay and Switching Circuits” which described a new mathematical way to analyze and design circuits rather than the trial-and-error method of the day.  This came from his work at MIT trying to build an analog computer.  It worked, but took a week to solve a simple equation.  He discovered little-known Boolean algebra and expanded on it to describe digital circuits.  His work, explained in the thesis, is the basis of all digital circuits such as microprocessors.  A chart of Boolean circuits, used in all digital electronics, is displayed here.

Some consider his paper written 8 years later, while he worked at Bell Laboratories in 1948, called “A Mathematical Theory of Communication” more important.  It presented the founding work of information theory, which studies the transmission, processing and extraction of information on a highly theoretical level.  It is the basis of cryptography, artificial intelligence, complexity science and informatics.  It has more to do with probability than data.  While this theory is quite complex, it’s where Shannon defined the concept of the binary digit, or bit, which can be used to describe any information such as a song or picture.  The transistor was invented at Bell Laboratories that same year.

One really interesting aspect of his life is his design of a wearable computer he used to beat Las Vegas casinos at Blackjack with professional gambler Edward O. Thorp.  The money they won was invested using the same theoretical basis in probability to beat the stock market, and Shannon didn’t need to work for the rest of his life.  He invented a lot of things but didn’t have any further impact on the world.  He died at age 87 suffering from severe dementia, so he never saw the results of his work that we call the Internet.

This post doesn’t specifically address anything directly related to security, but we wouldn’t be actively working in the information age and using the Internet without his work. 


Wednesday, April 27, 2016

Cyberwarfare on a Personal Level

CYBR650 Week 6

The supreme art of war is to subdue the enemy without fighting.
Sun Tzu

Ten soldiers wisely led will beat a hundred without a head.
Euripides


Cyberwarfare is Internet-based conflict involving politically motivated attacks on information and information systems. Cyberwarfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems -- among many other possibilities.

In 2009 the Secretary of Defense established the United States Cyber Command.  It has a threefold mission: defending the Department of Defense (DoD) Information Network, supporting military commanders in the execution of their missions around the world, and strengthening our nation’s ability to withstand and respond to a cyberattack.  So how is the Cyber Command doing in its threefold mission seven years later?

1.  Defend the DoD Information Network – One of the first actions the Cyber Command took was to consolidate all the IT systems from the entire DoD – three branches, four uniformed services and nine unified commands (over 7 million devices) – into a single unified architecture.  Very soon, the entire military will be linked through one command-and-control structure.  They’ve modernized the equipment and streamlined operations. There are some potential weaknesses created by this, but they seem to be outweighed by centralized monitoring, easy updating and quick response to attacks.

2.  Support Military Commanders - One of the biggest advantages of the unification is being able to provide a unified response to any attack from all services and from air, land or sea.

3.  Defend our nation against a cyberattack – While not perfect, defenses are getting stronger through a series of initiatives.  The DoD experiences 41 million scans, probes and attacks each month.  The penetrations that were detected have all been quickly dealt with.  One of the biggest weaknesses in all of the breaches has been the human factor.  And believe it or not, the Cyber Command is doing better in fixing the human factor weaknesses than most private sector companies using a concept called high reliability organization or HRO.  These are systems, such as nuclear power plants, air traffic control systems and high-speed rail, that can’t afford to learn from mistakes; they have to correct deviations before they become problems.

How they did it – If any of you have experience with the US military, you will recognize they got a lot of work done in 7 years.  The Cyber Command modeled its operation on the US Navy’s nuclear propulsion program which has arguably the best safety record.  The nuclear program has built a culture on six principles that limit the impact of human error.

Integrity – strongly held convictions that eliminate deliberate departures from clear protocol.  Everyone reports mistakes immediately.  The standard is set very high and there are no second chances.  Everyone is accountable and held accountable for their actions.  The result is minor problems are reported and fixed quickly.

Depth of knowledge – training is thorough and broad.  The system is fully understood, including weaknesses.  Close supervision, testing and drills are common.

Procedural compliance – operational procedures are followed to the letter.  There is an extensive inspection system including simulated emergencies.

Forceful backup – Everyone who performs a high risk action is backed up with another fully qualified person so all risky tasks are performed by two people.  Everyone is authorized to stop a process when a problem arises.

Questioning attitude – operators are trained to question any anomalies that are detected and they must be corrected.

Formal communications – Directions are clearly stated in a formal, prescribed manner and repeated back verbatim.  Small talk is discouraged.


What we can learn – What are the lessons cyber professionals can learn from Cyber Command and the nuclear program?  Pretty much every human factor that leads to a breach is a violation of at least one of the principles.  Is it possible for your organization to operate at such a high standard?  Most likely it’s not possible, but everyone can build these concepts into their daily practices.  Training goes a long way in recognizing when something isn’t right.  Document processes and then follow them.  Always have a backout plan.  Communicate clearly.  Empower everyone on the team to speak up when they aren’t sure or don’t understand.  Strong leadership is critical to build this kind of environment.  If you don’t have a leader like this that you can follow, lead from where you are by enforcing these principles on yourself and those you can influence.  Be a high reliability employee in your cyberwarfare.

Tuesday, April 19, 2016

Is Bitcoin Secure?

CYBR650 Week 5


Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them. About the only thing you can’t do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do. –Steve Jobs

Digital currency.  Just the thing tech-savvy individuals like you and me should be both concerned and excited about.  It’s been around for 7 years now and all indications are it’s here to stay.  So, is bitcoin the currency of the future or just another way to lose money with technology?  Digital currency certainly could have security concerns.  It seems to be used for all sorts of illegal activities. But then again, real currency can be used for illegal activities.  First, let me explain how Bitcoin works.

Bitcoin is a decentralized digital currency, also referred to as cryptocurrency.  First, it’s digital, meaning there are no coins or paper money exchanged.  It uses public key cryptography certificates on a peer-to-peer network of bitcoin users.  It’s decentralized, meaning there is no main database of transactions and no central authority.  The transactions are stored redundantly on all the users’ computers in a blockchain ledger (distributed database), broadcast to the network.  A transaction is broadcast in a process that prevents bitcoin from being spent twice or spent in two transactions at the same time, since the transactions are recorded on all the computers in the peer-to-peer network.  Each transaction creates a hash value that is stored with the transaction.  If the hash changes, the transaction information has been changed and is not trusted.  Another blockchain ledger entry will be used to validate the data.
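The hash check and the double-spend rule described above can be seen in a small hash-chained ledger; this is an added example, not code from the original post or from Bitcoin itself. It is a simplification with no signatures and no mining, and the coin ids, `addr-*` addresses and `minted` table are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed marker meaning "no previous entry"


def entry_hash(prev_hash, tx):
    """SHA-256 over the previous entry's hash plus this transaction."""
    payload = prev_hash + json.dumps(tx, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def current_owner(ledger, coin, minted):
    """Walk the ledger to find which address holds `coin` now."""
    owner = minted.get(coin)
    for entry in ledger:
        if entry["tx"]["coin"] == coin:
            owner = entry["tx"]["to"]
    return owner


def append(ledger, tx, minted):
    """Record tx only if the sender still holds the coin (no double spend)."""
    if current_owner(ledger, tx["coin"], minted) != tx["from"]:
        raise ValueError("rejected, sender does not hold %s" % tx["coin"])
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"tx": tx, "prev": prev, "hash": entry_hash(prev, tx)})


def first_bad_entry(ledger):
    """Index of the first entry whose hash or back-link fails, else None."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["tx"]):
            return i
        prev = entry["hash"]
    return None


def demo():
    minted = {"c1": "addr-alice", "c2": "addr-bob"}  # constructed sample data
    ledger = []
    append(ledger, {"coin": "c1", "from": "addr-alice", "to": "addr-bob"}, minted)
    append(ledger, {"coin": "c2", "from": "addr-bob", "to": "addr-carol"}, minted)
    append(ledger, {"coin": "c1", "from": "addr-bob", "to": "addr-carol"}, minted)
    peer_copy = copy.deepcopy(ledger)  # what another computer on the network holds
    results = {"clean": first_bad_entry(ledger)}

    # addr-alice already passed c1 on, so a second spend of it is refused.
    try:
        append(ledger, {"coin": "c1", "from": "addr-alice", "to": "addr-dave"}, minted)
        results["double_spend"] = "accepted"
    except ValueError:
        results["double_spend"] = "rejected"

    # A stored transaction is altered: its recorded hash no longer matches.
    ledger[1]["tx"]["to"] = "addr-mallory"
    results["edited"] = first_bad_entry(ledger)

    # Recomputing that one hash only moves the break to the next back-link.
    ledger[1]["hash"] = entry_hash(ledger[1]["prev"], ledger[1]["tx"])
    results["edited_and_rehashed"] = first_bad_entry(ledger)

    # The untouched copy held elsewhere still verifies and can replace ours.
    results["peer_copy"] = first_bad_entry(peer_copy)
    return results


if __name__ == "__main__":
    print(demo())
```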

Bitcoins are mined by allowing a computer to process bitcoin transactions as part of the peer-to-peer network.  Anyone allowing their computer to be used for the transactions gets a small bitcoin reward for participating and the new bitcoins are added to the blockchain.  Bitcoins are stored in a bitcoin wallet: either an application on your computer or cell phone that stores your bitcoins, a web-based third party that stores them for you, or a hardware wallet which stores the keys on specially designed removable media.  Only the person with the private cryptokey can spend the bitcoin.  The wallet stores the private keys and a record of anyone you exchange bitcoins with.  You never actually know who the other person is, since you only have an address for the person.  The address doesn’t have any personal information.  The address is actually just a number.

Key Characteristics
Open Source – nobody owns or controls bitcoin.  Once it was introduced to the world, it started being used and will only cease to exist if everyone stops using it.

Efficient – There’s no third party (bank or credit card company) processing the transaction, so it’s fast and reliable. 

Inexpensive - There’s no third party (bank or credit card company) processing the transaction, so it’s very low cost.  Credit cards typically charge 2 to 4% per transaction for processing (transferring the funds from the buyer’s bank to the seller’s bank).  This is cheap because there is no bank involved, only the buyer and seller.  The transaction is stored in the blockchain.

Anonymous – transaction is recorded but the two parties are untraceable.  Anyone can see how many bitcoin are in an address, but they can’t find out who has that address.  To increase anonymity, a person can use multiple addresses for a single transaction.  There’s no record of what was bought or sold.

Secure – Bitcoin uses SHA-256 hashing for transactions and verification.  The next section outlines the security problems that bitcoin has had so far.

Security
There have been four bitcoin security breaches, but the security problems weren’t bitcoin issues; they were the same security issues any network faces.  All involved attacks on bitcoin wallets or accounts.  The first breach was a social engineering attack that stole a password to an email address used for a bitcoin account.  The second, the Mt. Gox bankruptcy, was caused by inadequate network security in what was at one time the largest bitcoin exchange.  What wasn’t stolen by hackers was lost to poor management.  The third, Silk Road 2.0, was an attack against the darknet website’s bitcoin account.  There is speculation that it was a cover-up for corruption within the illegal site.  The fourth breach, called the Pony botnet, stole passwords to 85 personal, locally stored bitcoin wallets.  The weakness exploited was the computer system security, not a weakness in the bitcoin algorithm.

Bitcoin appears to be here to stay.  There’s even some talk about banks and other large financial organizations using blockchain technology for transactions.  So the bottom line seems to be, bitcoin is safe, quick, cheap and reliable--as long as you protect your digital wallet.  Once again we find the importance of good security practices.


Bitcoin image courtesy of Imgur, http://imgur.com/Jdszyq9