
IE 673 Assignment 5

Social Networking Discussion

C: Carlos G. Garces
F: Fady Khalla

Cybersecurity standards and guidelines -- are you just checking the boxes?

F: Cybersecurity is becoming one of the major controversial topics in many industries. Making
sure that the organization's security system is up-to-date is not as easy as it sounds. The article
highlights the two types of organizations currently in the market. The first type are organizations
that, through blind ignorance or willful negligence, ignore all standards and guidelines
and just go ahead pursuing their own way of compliance. The second type are organizations that
put in an effort to adopt state of the art standards and guidelines. The first type of organizations
are usually the ones that always fall prey to major breaches, and they end up paying substantial
settlement, legal and corrective costs. These organizations usually feel safe until
they are slammed with a major data breach or hack, after which they end up spending so much effort
to correct such flaws. The second type of organization also has the major pitfall of just
checking the boxes to claim that they have implemented top-level security, although no
standard or guideline currently exists that provides full step-by-step instructions to ensure
that their system is secure. Organizations are required to ensure that the proper risk
assessment has been performed on their systems while following guidelines and obtaining a
cyber-insurance policy.

C: Cyber security crisis means preventing data breaches. All organizations fall under two
categories: those that disregard standards and guidelines, and those that have adopted some kind of standard/guideline
and apply it. As the article mentions, a good security program has a good risk assessment; it
also requires minimizing the common risks in an organization, especially if the organization is
prone to or at a higher risk of an attack or breach. Cyber insurance companies require an
organization to follow some sort of security standard before a policy is issued. Insurers look at
how adherent the organization was to the standard before paying out a claim; this not only protects
insurance companies but forces organizations to take a look at their compliance in order to
adhere to regulations set by insurance companies. In the event of a claim, they will review
compliance with the standard as part of their basis for deciding to pay out against the claim.

In order to achieve good, reasonable security one must:
● Choose a standard/guideline to follow. An example: HIPAA in healthcare
organizations to protect the information of patients
● Document your selection:
o An effort to comply with the standard must be documented
o Example: an Information Security Policy document, to which the whole organization must adhere and
comply.
● Conduct a risk assessment:
o Determine what the company is "at risk for", make appropriate changes and document such changes
to increase security
● Implement appropriate measures:
o Identify requirements that are not being met and update security measures
● Repeat:
o Renew risk assessments yearly (at least) and document assessments as evidence of
attempts to reach good security (as these are backup proof if a breach occurs)

GOOD SECURITY ISN'T JUST "CHECKING OFF BOXES" IT IS A LIVING EFFORT
TO CONSTANTLY CHECK AND UPDATE SECURITY FREQUENTLY AND OFTEN.

GoDaddy revokes nearly 9,000 SSL certificates issued without proper validation

F: The well established internet giant GoDaddy has been forced to suspend about 9000 SSL
certificates due to a failure of its automated domain validation system. The Certificate Authority (CA)
GoDaddy discovered that the failure occurred after a routine update. The automated validation
system works by asking the certificate owner to place a certain predetermined code in the root
folder of their domain. When the system tries to access that file, the domain returns a 404 error
message with the predetermined code embedded in it as part of the text. The system verifies
that code to issue the certificate. The introduced bug allowed the system to issue the certificate
even if the code was not available in the displayed page. Simply put, the system sent the request
and accepted the certificate without a response. This raises a huge concern regarding
cybersecurity and the validity of automated domain validation systems. Organizations such
as GoDaddy should have implemented the proper quality systems to ensure that any
code changes are verified and validated to avoid the introduction of such bugs. These
uncontrolled, unverified and unvalidated changes could lead to major data breaches that will
affect millions of citizens across the world.

C: GoDaddy (GD) is a provider of internet domains that has taken center stage due to issues it
has faced from providing nearly 9000 SSL certificates without proper validation. At this point, GD
has revoked these SSL certificates; it seems that due to a routine code change made on July 29,
2016, a bug caused the system to validate domain ownership before a certificate was issued. This
is an example of poor quality and security: quality, due to the fact that this bug was left unnoticed
for an extended period of time until a customer contacted Microsoft, who then in turn contacted
GD to bring the issue into the spotlight. This shows a poor review system, or the lack of a
quality check. This brings me to the security issue: while this could have been spotted earlier,
or even prevented altogether, it opened the door for malicious attackers who, if they possessed
knowledge of the issue, could have obtained fraudulent certificates for sites they don't own.
However, GD seems to lack a proper procedure to currently determine if the bug was used to
exploit GD clients. As of now GD has taken a step away from this method of validation, but it
leaves us to wonder if other CAs are using a similar if not the same method. We
can just hope that with this issue out in the open, other organizations will step up and assure
clients that all measures for safety and quality are being taken to prevent this sort of error
from happening again. As for the CA/Browser Forum, an organization that regulates certificate
issuance, it has drafted a new set of rules to prevent this from happening, which should have been
implemented on March 1st.
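The two posts above describe a file-based domain validation check and a bug that let a token pass validation when it merely appeared in an error page. The following Python model is an added example, not code from the original discussion or from GoDaddy; the token, the file path and the sample server responses are constructed assumptions. It places a weak check (token found anywhere in the body, status ignored) beside a stricter one (successful status and an exact body match) and runs both over a genuine response, a 404 page that echoes the requested path, and a plain 404.

```python
# Added example: model of a file-based domain control validation check.
# Not GoDaddy's code; token, path and responses are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class HttpResponse:
    """Minimal stand-in for an HTTP reply fetched from the applicant's domain."""
    status: int
    body: str


# Constructed validation code (assumption); a real CA would generate a random one.
TOKEN = "dcv-token-8f3a1c"
# Constructed path the applicant is asked to publish the token under (assumption).
TOKEN_PATH = f"/.well-known/{TOKEN}.txt"


def weak_validate(resp: Optional[HttpResponse], token: str) -> bool:
    """Weak check: passes if the token appears anywhere in the body.

    It ignores the status code, so a 404 page that echoes the requested
    URL (which contains the token) is wrongly accepted as proof of control.
    """
    if resp is None:
        return False
    return token in resp.body


def strict_validate(resp: Optional[HttpResponse], token: str) -> bool:
    """Stricter check: require a 2xx reply whose body is exactly the token.

    A missing response, an error status, or a body that only contains the
    token among other text (as an echoing error page does) all fail.
    """
    if resp is None:
        return False
    if not 200 <= resp.status < 300:
        return False
    return resp.body.strip() == token


# Constructed sample responses, labelled as such.
GENUINE = HttpResponse(200, TOKEN + "\n")                       # applicant published the file
ECHOING_404 = HttpResponse(404, f"<html><body>Not Found: {TOKEN_PATH}</body></html>")  # path echoed
PLAIN_404 = HttpResponse(404, "<html><body>Not Found</body></html>")  # file absent


def compare(resp: Optional[HttpResponse]) -> Tuple[bool, bool]:
    """Return (weak result, strict result) for one response."""
    return weak_validate(resp, TOKEN), strict_validate(resp, TOKEN)


if __name__ == "__main__":
    for name, resp in [("genuine", GENUINE), ("echoing 404", ECHOING_404),
                       ("plain 404", PLAIN_404), ("no response", None)]:
        weak, strict = compare(resp)
        print(f"{name:12s} weak={weak!s:5s} strict={strict}")
```

The echoing 404 is the case that matters: the weak check accepts it because the token is present in the text, while the strict check rejects it on the status code alone. Requiring the body to equal the token (rather than contain it) also closes the case where a server reflects request data into a 200 page.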

Siblings arrested in what may be Italy's most severe case of cyberespionage

C: The arrest of these siblings seems like something out of a TV show (Mr. Robot); one can say
that this type of threat is not something farfetched in this day and age. With this case, however,
as explained in the article, I say there are some things to be questioned. The idea that attacks of
this level, carried out for years against high-profile government targets in Italy by two individuals who, as
far as we are told, have a high level of education, though perhaps not in a programming field, have gone
unnoticed for as long as they have is something to think about. It puts Italy's cybersecurity in a
position of weakness. There is also the question of why these individuals used a personally
licensed DLL to do such things; when they have orchestrated such elaborate attacks for years, it
seems like a careless mistake. Judge Maria Tommaselli has implied that other people may be
involved as well, and this seems logical due to the size and profile of the victims. Overall this
issue raises questions and concerns regarding cybersecurity not only in Italy but all around the
world: are the proper procedures in place to ensure the public's as well as the government's
security against these threats? One can think that total quality must be implemented in this field,
for complete quality regarding security should be a top priority in public as well as private sectors.

F: Cyberattacks utilizing trojans have been the nightmare of any security engineer or IT
personnel across the world. Experienced hackers utilize trojans through spear-phishing
techniques to invade secure systems and extract data seamlessly through the
internet. Giulio Occhionero and his sister were recently arrested for planting the
Pyramid Eye remote access Trojan on about 18,000 high profile targets in the EU and US. These
targets include a former prime minister, the president of the European Central Bank as well as heads
of various ministries. The article highlights how simple and achievable data breaches are, even if
the breach is being carried out outside the country where the victim is. Data breaches such as
the one carried out by the Occhionero siblings raise a red flag regarding the safety and
robustness of our current security systems. These hackers are suspected to not have carried
out this major attack alone. The FBI as well as the Italian police are working hard to establish
the required connections to understand who else could have been involved in such cases