issc642 discussion and discussion responses 6- Savvy Essay Writers | savvyessaywriters.net
Hello,
This is a two-part question. First I will need the discussion question answer, which will be below in bold, 300 words, APA format. For those responses I will need two responses of at least 175 words each.
Security expert Chris Nickerson is often asked by clients to conduct penetration testing of their on-site security. Watch Nickerson and his team recently pull off a $24,000.
Nickerson and crew recently took on such an exercise for a client he describes as “a retail company with a large call center.” With some prep work, Nickerson says the team was able to gain access to the company’s network and database quite easily. Read on to find out how they did it and what lessons you can take away for shoring up your organization’s defenses.
http://www.infoworld.com/d/security-central/social…
Part two
Student one:
I found this week’s reading and lesson to be fascinating; it really highlighted the importance of physical security, and revealed vulnerabilities that exist through even the most basic social engineering. Along with my M.S. pursuit through AMU, I’m also studying for the CISSP (god help me!). I wanted to share some common and related principles from this certification and this week’s lesson. Physical security is a key tenet of overall information systems security. There’s a reason why most military cyber professionals work in secure facilities (SCIFs) – our physical information systems are just as critical as the networked data they process. Server rooms and data centers are often restricted to employees with need-to-know privileges…and for good reason…we’ve talked often about the insider threat these last few weeks (Chapple et al., 2018). Good practices for NSM analysts and CISSPs alike are strong secure facility plans, PHYSICAL intrusion detection systems (not just the network-based ones we’ve discussed), motion control sensors/CCTV monitors, and much, much more.
Chris Nickerson and his team leveraged holidays and sporting events to their advantage so that everyone’s guard was more relaxed (e.g. going in when the majority of employees were at a horse race). Their social media usage was also savvy – they used an employee’s Twitter account to monitor their locations. Stop telling everyone where you’re at! Confidence is key – wearing a company t-shirt (and having a plausible story WITH COOKIES) was more than enough for Chris and his team to appear legitimate and drop USB keys and start pilfering data with quick data dump tools such as Ophcrack/John the Ripper (Goodchild, 2009).
I watched a TED Talk that Chris gave in 2014, and I thought some of his insights were useful for NSM analysts trying to bolster their overall defenses. According to Chris, a lot of hackers are genuinely curious, and tinker with all sorts of pathways and methods when targeting. Good hackers will be tenacious – you’ll have to be prepared for continuous network penetration attempts at times. Also, Chris touts that security is more of a feeling – nothing is 100% guaranteed. NSM analysts need to keep that in mind, and be prepared to tinker and tweak NSM processes/tools ad hoc (TEDx, 2014). Chris opines that awareness is sometimes greater than knowledge, i.e. don’t back yourself into a corner thinking you have a hold on all the vulnerabilities out there…you will fall into a hubris trap and be caught off guard eventually. This goes back to this week’s lesson – oftentimes we don’t put focus on some of the little things we take for granted. These little things can be pathways to important things. Your access badge that you swipe to get into your building is useless to you if you lose it, and the world for a hacker who shows social engineering prowess. A mobile device with trade secrets is no longer secure lost or in the hands of a hacker (or even in close range, e.g. Bluetooth hacking). “The more we are aware of these things, it becomes easier to defend it.” One of his biggest points in the TED Talk is that humans are genuinely the core problem for most security issues, and that just like a patch for software, hiring people with experience is analogous to a patch for human behavior (TEDx, 2014).
This is a bit of an aside, but around the same time this article was published, the STUXNET incident occurred. Based on executive summaries of what happened, it’s highly plausible multiple USB drives were dropped around the Iranian nuclear facility and were subsequently plugged in by employees because of curiosity (Terdiman, 2012). This is the same tactic Nickerson and his team utilized! If it can happen in a state-sponsored nuclear facility, it can happen at your city’s IT start up.
Stay safe out there, and good luck on everyone’s final assignment and quiz!
References
Bejtlich, R. (2004). The Tao of Network Security Monitoring. Boston: Addison-Wesley.
Chapple, M., Stewart, J. M., & Gibson, D. (2018). (ISC)² CISSP Certified information systems security professional: Official study guide. Indianapolis, IN: John Wiley & Sons.
Goodchild, J. (2009). Social engineering: anatomy of a hack. CSO. Retrieved at https://www.csoonline.com/article/2123704/social-e…
TEDx Talks. (2014). Hackers are all about curiosity, and security is just a feeling | Chris Nickerson | TEDxFulton Street. YouTube.
Terdiman, D. (2012). Stuxnet delivered to Iranian nuclear plant on thumb drive. cnet. Retrieved at https://www.cnet.com/news/stuxnet-delivered-to-ira…
Student two:
I thought that Joan Goodchild’s “Social Engineering: Anatomy of a Hack” was a very interesting read. In the article, Goodchild (2009) describes how Chris Nickerson and his team performed Red Team Testing against a large retail company and its associated call center. This red team effort resulted in a heist of $24,000.
There are some important lessons and takeaways from the article that are still valid for today. The first one relates to physical security. Nickerson managed to get past security by pretending to have a meeting with an employee who was not at the office and then by being invited to eat in the building’s cafeteria (2009). Even more surprising is that the front desk apparently let him into the cafeteria area without ever checking his identification card. I cannot imagine a scenario like this occurring with most of the commercial semiconductor companies that I visit. In order to gain access to the building, you need a visit request into the building, a special badge, and often an escort. Additionally, if you go to specific areas, such as a foundry floor, you are almost certainly going to need to get multiple visit requests in place.
The second takeaway relates to good practices regarding universal serial bus (USB) drives. A number of businesses have been fearful of the scenario described by Nickerson and have gone to such measures as banning USB drives and disabling USB ports (Goodchild, 2009) (Svan & Allen, 2008). There are times when this is not practical though. For instance, there are a number of semiconductor foundry tools that can only be given software and firmware updates via USB. In those instances, I am familiar with a couple of different mitigation approaches. The most popular one seems to be a tool vendor providing the USB to a network security individual who will move the file from the USB to a standalone computer and examine the file in a sandbox environment. If it is deemed safe, the file will be moved to a company-owned USB drive and they would temporarily enable the USB port on the foundry tool. Once the update is performed, the USB drive is given back to the network security personnel, so as not to lead to an exfil of data, and then the foundry tool technician leaves their USB drive behind with the network security personnel for a set number of days before they destroy it. I believe this is likely done so that if there is an issue in the future they still have access to the original file.
To this day, I am still somewhat confused as to how the 2018 WannaCry events at Taiwan Semiconductor Manufacturing Company (TSMC) occurred. From what I can tell, it appears as though a foundry tool technician managed to get a USB drive in past security and use the infected tool to take down both the foundry tool, and a series of connected systems (Moore-Colyer & Page, 2018) (SkyBox Security, 2018) (Deloitte, 2018). This attack resulted in the loss of $170 million (SkyBox Security, 2018). I found the incident odd because TSMC is the most advanced foundry in the world, and their security should have been on par with the way the rest of the sector operates. Even more surprising was how connected their foundry floor network was with outside networks.
I think the biggest takeaway is that blended techniques, or blended operations, are quite effective. A common phrase is that you are only as strong as your weakest link, and I believe this case study illustrated this point. The company’s physical security was poor, allowing an individual into their facility without providing any form of identification or providing any type of escort. Additionally, no one questioned his activities once he was in the building and touching company equipment. If any entity is able to bypass a large segment of security, then other areas that are meant to provide support to one another also crumble and could ultimately compromise an entire company.
References
Deloitte. (2018). TSMC Annual Report 2018. Retrieved from Taiwan Semiconductor Manufacturing Company: https://www.tsmc.com/download/ir/annualReports/201…
Goodchild, J. (2009, February 4). Social Engineering: Anatomy of a Hack. Retrieved from InfoWorld: https://www.infoworld.com/article/2675986/social-e…
Moore-Colyer, R., & Page, C. (2018, August 7). TSMC Says Variant of WannaCry Forced Factory Shutdown. Retrieved from The Inquirer: https://www.theinquirer.net/inquirer/news/3037125/…
SkyBox Security. (2018, October 8). TSMC WannaCry Hits OT Plants with a Hefty Price Tag. Retrieved from SkyBox Security: https://blog.skyboxsecurity.com/tsmc-wannacry/
Svan, J. H., & Allen, D. (2008, November 21). DOD Bans the Use of Removable, Flash-type Drives on All Government Computers. Retrieved from https://www.stripes.com/news/dod-bans-the-use-of-r…