Sunday, December 30, 2018

Week 3 - What constitutes responsible security breach disclosure to user base?

Every day there seems to be a new security breach that spews tons of important/sensitive data about the user base. In the US, there seems to be a shortage of regulations on what is required of the company that lost the data. They have to send a simple notification letter to the government and their users, and show 'some' level of concern and action. However, there is no check-in after a couple of months to determine how much information they recovered or to validate their incident response. I think it stems from a lack of concern on our part until we see our information stolen. Then we have to rely on a government entity to stop the perpetrator.

From a bystander's point of view, this seems like a 'fake' plateau of concern followed by business as usual for almost all companies, companies that have seemingly no concern or timeline for the real victims: us. "Marriott is yet to offer more detail on just how its Starwood database was stolen. The original hack was traced back to 2014, but no specific month or date was given." So this attack has been going on for a while, and here at the end of December we still don't know much more about it. While responsible disclosure rules would apply if the hack were a zero-day, they have yet to confirm or deny what it actually was.

Why is this considered the only required public statement for a breach?


I'd like to see governance discussed that states requirements for the data types held by a business. For instance, if you want to store a customer's payment information, you must have x, y, z requirements in place. If you want to hold onto Social Security information, your organization must use X encryption, have air-gapped systems, etc. These systems have to be inspected, with proof of regular system maintenance and the like.


Thankfully, I stumbled upon this site, which tracks incidents that are reported: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. While it is a great resource to query against, as users we are concerned about our own information. Here is a site that shows whether our email has ever been 'acquired' without the company letting us know: https://haveibeenpwned.com/



Sunday, December 9, 2018

Week 2 - Sources



Now that I am posting something on the internet for all to see, does that make my written word accurate? Does it mean that anyone who reads this should take it as the sole source to be quoted and potentially ruin a project? If there is contention, how do we know that we are making the right decision to take someone's word on a matter? Finding a credible source of information is often more difficult because there are no regulations governing the correction of false information on the internet. Unlike news channels in the USA, there is no reprisal for posted articles that do not even permit comments. Relying on a source that is not validated can lead you astray. Moreover, the difficult part of finding a source of data is verifying that it is accurate.

There are several methodologies for finding a credible source that are free and will not take long. Initially, if you are looking for a specific answer to a question and do not know where to start, you can simply use a search engine. Doing so should land you several articles, forums, and potentially published books on the matter. While articles and forums are not usually considered scholarly, they can point you in the right direction. Oftentimes, forums will quote a book or a well-known subject matter expert. From there you can refine your search to find editorials, speeches, and publications that you should be able to quote.

When it comes to evaluating a source, the chief concern is to get publications that have been scrutinized, tested, and validated by their peers. This is just like the process for validating a theory -- peer review. The peer review process is an excellent way to confirm that a speaker/author on a topic is giving information that is repeatable by others.

For scholarly journals, most universities have both online and in-person access. However, you may be in luck when you search for scholarly journals on Google.com, although more often than not you will need an account that has access to the archives, as this information can be locked behind a fee.

Here are a couple of sites that I specifically consider legitimate sources of truth:

https://www.omicsonline.org/computer-science-journals-impact-factor-ranking.php
This site lists both journals and conferences that can be watched, quoted, and openly discussed among your peers. It also references IEEE conferences and several other sites that have peer-reviewed articles.

https://thehackernews.com
While this site is a bit more showy and does not offer a means for readers to comment, it does usually list its sources. When they quote a publication or a person, they make sure to list who they were, where they are from, and their background experience to provide relevance to the topic.

https://www.us-cert.gov/
This is a government-hosted site that publishes articles, digital security trends, and reliable information about security practices. Taking some of their articles and doing a simple Google search shows that other sites are reporting the same information, which helps with their credibility.



Week 1 - It is more than just clicking buttons ...

As an introductory post, I'd like to inform the world of my intentions. As a "senior" system administrator, I've come across several aspects of the cyber world that are both troubling and awe-inspiring. When I compare our cyber world to what everyone else does, it blows my mind how far and deep we can go. From an outside perspective, I think that most folks look at any computer-related field and simply think, okay, they click buttons for a living. Unfortunately, they fail to see just how many avenues down the computer highway are significantly different from each other. To start, here are a couple of the analogies that come to mind when I compare our fields to the real world:

-Hardware maintenance: anything related to a garage mechanic. We see those professionals using specialized tools to diagnose failures and swap out parts, and they need several years of experience working on a slew of different types of physical internal components. Just as vehicles change their engines, electrical systems, and bodies, computers are equally diverse and require much the same skill sets.

-Networking: anything related to routing cars, shipping packages, or transportation (buses, boats, airplanes, etc.). A person in the transportation world has to be able to move items from A to B. If there is a change in the route it takes, it needs special handling (as with gas or flammable liquids), or it requires other physical structures to move the item (like a change from airplane to semi-truck), then these professionals need to come in. The same thing happens when a network engineer has to work on VPNs/routers/switches or analyze specific types of data coming through ports.

-IT Security: super easy -- cops and detectives! The mystique of cyber security is baffling because most folks hear that and think of the stereotypical hacker in a hoodie who steals everything. Really it is a field that attempts to provide as much protection as possible around people and assets and to prevent "unauthorized access" by others. Much like a cop, who inspects processes, does random searches on military bases, investigates anomalies and attacks, etc., cyber security does the same thing by implementing logical and physical protections, inspecting logs, and performing audits for an enclave.

-System Admins: these guys are your normal, run-of-the-mill profession. They can range from a dentist to a secretary. Some system administrators have several specific areas in which they are gurus. Other administrators are jacks of all trades, like a handyman. Their skill sets are usually built on a pile of on-the-job training. Even though most gigs require a degree, what gets the job done is usually experience with certain tools, which correlates to the average worker. The average worker has to get into a role, learn some tools to get a job done, and then maintain x, y, z for a while.

-Project Managers: much like the blue-collar world, most jobs require a foreman of sorts. They need someone to manage the books, plan out the upcoming work, manage personnel, and make sure tasks get completed properly. They play a vital role within their respective fields, although they do not usually perform the specialized functions required to get the actual project completed. However, they have to have a certain level of understanding of their field to make successful decisions.

There are definitely more comparisons to be made (pen testers, software developers, storage teams, etc.), but ultimately there is a large misconception that all IT folks can fix all computer-related issues. Much like walking into a hospital and assuming that every M.D. is able to fix every sickness, the IT community needs to work harder to convey that we specialize. I believe there are fewer jack-of-all-trades folks in our field than there are in other fields.