The Internet of Things (IoT)


IoT may not be apparent in the lives of many, but it’s largely already present. Perhaps it’s a lack of imagination, ingenuity, or observation on the part of consumers, but IoT encompasses far more than anyone had previously envisioned. IoT touches virtually every aspect of our daily lives with the purpose of adding conveniences that didn’t exist before. How does this impact industry, including auto manufacturers and healthcare providers? These questions drive this discussion and will be explored in this paper by referencing recent events as they are happening today.


Risk vs. Costs of using a template or custom IT Security policy


Example IT security policy PowerPoint presentation:


You were just hired as the CISO for ABC Medical Services, a large hospital chain that:

  • provides services in six hospitals within the New England area,
  • has IT systems supporting both administrative (e.g., email, accounting systems, etc.) and critical life support medical services,
  • accepts credit card payments for hospital services,
  • does not have an IT Security Policy, and
  • did not previously have a dedicated IT Security function.

The hospital’s Board of Directors is composed of only medical professionals, with no IT background, but the C-level officers (e.g., CEO, CIO, CFO, etc.) are all very proficient in their specialties. The Board of Directors and the C-level officers only have a superficial understanding of IT security.


Thinking Like a Hacker – “How to Mitigate Attacks”


It seems like almost every week there’s a new giant cyber security breach in the headlines. Some major corporation or government entity has once again been hacked by cyber criminals. The question we keep asking ourselves is how did this happen? Not again! The truth is that all these major security breaches were bound to happen at some point because cyber criminals are becoming much more exploitative and cunning when it comes to making a political statement or attempting financial gain. This is nothing new, but what is new is the size and scope of these attacks. Cyber criminals have become emboldened by the seeming vulnerabilities projected by each subsequent successful major American corporate breach. It doesn’t help when U.S. government agencies aren’t able to prosecute the perpetrators of these crimes. Enter a new way of thinking: “Think Like a Hacker!”


USB Forensics on Windows Computers

USB device history plays a critical role in the security administration of computer networking. Since USB flash drives are small, robust storage devices that fit easily into anyone’s pocket, it’s crucial for security administrators to have the ability to view USB device history and also have the ability to block their use.

There are a number of ways to explore USB device history, all of which revolve around analyzing the Windows registry in some way or another. Some techniques can be done manually while others utilize software designed specifically for this purpose. An examination of USB device history will be performed by using a freeware-based USB forensic tool and also manually by using registry key searches.

Wireshark Packet Capture Analysis


The purpose of this document is to examine the results of several Wireshark captures. Areas to be explored are the exploit type, impact of the exploit, vulnerability type, and any other relevant information. In order for network administrators, penetration testers, or any other type of security experts to combat cyber crimes, it’s critical that they know how to use the same tools that the criminals do. Wireshark is instrumental in helping security professionals dissect intercepted communications to formulate new security policies and put new safeguards in place. This experiment will be conducted on a 2009 Mac Pro running OS X Yosemite 10.10.4. Kali Linux will be used to exploit Metasploitable 2, both of which are running inside of Parallels 10 virtual machines.


Risk Assessment Methodologies


I will discuss three of the top information security risk assessment methodologies: OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), FAIR (Factor Analysis of Information Risk), and NIST RMF (National Institute of Standards and Technology’s Risk Management Framework). Included will be a brief overview of each, including three pros and cons associated with the use of each one. Lastly, I will discuss my recommendations and the reasoning behind why.
