Tuesday, July 29, 2014

GPEN Certified!!!

Hi Anything Cyber community,

Although I'm usually modest, I have to brag a little today. Months of studying paid off when I passed the GIAC Penetration Tester exam earlier this month to earn the GPEN credential. To pass the exam, I had to become proficient in numerous ethical hacking and penetration testing topics such as: password cracking, pass-the-hash techniques, wireless hacking, SQL injection, XSS attacks, Metasploit, Wireshark, tcpdump, user enumeration, Nmap, etc. Prior to the months of study, I completed a week-long SANS 560 course to gain hands-on experience identifying computer vulnerabilities and exploiting them to gain unauthorized access.

While I already had the CISSP and ISSMP credentials, the GPEN credential was very hands-on versus just reading a book and completing practice exams. I now have an arsenal of software tools and the know-how to perform penetration testing. The GPEN certification furthered my computer security knowledge and I highly recommend learning the concepts taught in SANS 560.

Jimmie Walker

Tuesday, June 24, 2014

Social Engineering as relevant as ever!

Anything Cyber Community,

Although I've studied social engineering on plenty of occasions during my career in Cyber security, I did not realize how much damage a good social engineer can cause a victim company. Mandiant reported a few months ago that over 90% of attacks involve spear-phishing e-mails. Based on what I see on a day-to-day basis, spear-phishing has matured significantly since a few years ago, when the bogus emails were laden with broken English and misspelled words. Now social engineers use a combination of phone calls and well-crafted emails to influence personnel at companies with access to the corporate bank account to transfer large sums of money. The pretext is that the transfer is needed to complete a big deal. In reality, the only deal being completed is the one making the Cyber criminals rich.

While a company may have above-average network and data security in place, it is important not to take the human element for granted. Annual security awareness training is a must for all personnel. So that the training has a chance to be absorbed, make it interesting and interactive to keep employees' attention; don't allow employees to simply plow through the training without absorbing anything. Make sure employees know not to click on links from unknown or untrusted email senders. Last, make sure employees with access to the corporate bank account have well-documented and visible protocols for the approval of bank transfers or wires, including verifying any transfer request that arrives by email through a separate channel such as a phone number already on file. No one person, not even the owner of the company, should have sole authority to transfer sums of money over a corporate-defined threshold.

And remember, if you receive an email or any other offer that emphasizes you must act today and you cannot tell anyone else, 99.9% of the time it's a scam. Don't buy it.

Jimmie Walker, CISSP-ISSMP

Tuesday, April 29, 2014

The importance of Pen Tests

Hi Anything Cyber community,

Since I just finished a week-long course in Penetration Testing (Pen Testing) hosted by SANS, I was inspired to discuss the importance of having a professional Pen Test performed periodically on corporate networks and computers. During the course, I was exposed to and practiced many techniques used by hackers to crack passwords and gain access to sensitive data (e.g., PII). Companies cannot say with confidence that they have performed due diligence with regard to network security unless a professional Pen Test is performed periodically against their network. The Pen Test report will reveal the vulnerabilities of the network and also make recommendations that will strengthen the corporation's defenses and reduce the likelihood of sensitive data compromise.

While performing a Pen Test is great, the corporation must take the resulting Pen Test report and apply the recommendations of the Pen Testers. It's hard to say which is worse: not having a Pen Test, or having one and doing nothing to remedy the findings.

Jimmie Walker

Wednesday, March 26, 2014

Unravelling Cybersecurity Myths

Hello AnythingCyber community,

Today I'd like to discuss a few of the major myths regarding Cybersecurity. Myths are what keep many people and companies from taking Cybersecurity seriously, which leads to not having the appropriate level of defense to protect computer systems and networks from external and internal Cyber threats.

A prevalent myth is that top management does not need to be involved in Cybersecurity. However, if buy-in is not achieved from top management, who will allocate the funds to pay for Cybersecurity defense? As well, top management should not only preach proper Cybersecurity but also practice it. If the CEO allows administrative assistants and others in their circle to log on to the CEO's account on their behalf unattended, lower-level employees will follow suit and allow the same Cyber insecurity at their level.

The next myth is that investing in Cybersecurity yields no return on investment (ROI). The recent Target data breach has cost the affected financial institutions over $200 million. It has also cost Target tens of millions of dollars and a significant drop in profits. A sound Cybersecurity architecture that could quickly detect, react to and contain a security breach would have cost Target a small fraction of the losses incurred. ROI is definitely there for those who take Cybersecurity seriously and implement a sound multi-layer defense.

Last, many view Cybersecurity as a one time project like upgrading a kitchen. While it may take years or decades for an updated kitchen to become dated, a Cybersecurity defense can become a trivial annoyance to a Cyber criminal in days if the defense is not maintained and updated frequently. The maintenance of a Cybersecurity defense does require ongoing funds but remember myth two and it should be a much smoother conversation with the C-level when it comes time to fund Cybersecurity.

Jimmie Walker, CISSP-ISSMP


Kosutic, Dejan; 6 greatest cybersecurity myths and why you should not trust them; Defense Systems; March 17, 2014

d'Innocenzio, Anne; Cost of Target data breach for banks tops $200M; http://finance.yahoo.com/news/cost-target-data-breach-banks-212848285.html

Monday, February 24, 2014

Federal Cyber hiring unfrozen

After months and in some cases years of hiring freezes, the federal government is now hiring again, including for Cyber security positions. With recent Cyber breaches at major retailers such as Target and Neiman Marcus, it is clear that more emphasis needs to be placed on Cyber security in both the board rooms and government. Lip service is not enough. Action and allocation of funds are necessary to mitigate the Cyber criminal threat. The hiring of Cyber security professionals within the government can only help in combating the daunting task of fortifying the defenses against Cyber attacks originating both domestically and abroad.

Monday, January 20, 2014

Attribution is key to deterring Cyber attacks

Hi Anything Cyber community,

   Since today is a special day in which I reflect on all of the blessings in my life, I would also like to thank the late Dr. Martin Luther King Jr. for playing a critical role in advancing civil rights for all. With his diligent efforts to fight inequality at every turn, opportunities were made available for me that would not have been without the Civil Rights movement.

Now for the topic of discussion: attribution. During my first course in Cyber security I was asked to discuss the concept of attribution in regards to Cyber attacks. To start, I had to find out what was meant by the term attribution. In regards to Cyber attacks, attribution can be defined as determining which individual, group, or nation-state is responsible for the attack. Unfortunately, this is not an easy task. Advanced hackers use the following techniques to remain anonymous and avoid attribution: route their attacks through previously compromised systems in several countries, so that the IP address the victim sees is not the attacker's; use anonymity networks such as Tor, which relays traffic through a circuit of three relays, each knowing only its immediate neighbors, before it reaches the victim system or network; and modify the log files on a victim computer to erase their digital fingerprints.
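Of those three techniques, editing the logs on the victim host is the one a defender can actually do something about. The following is an added example, not code from the original post or from the source cited below, of two checks a responder can run on an authentication log: a scan for the time-sequence anomalies that deleting or re-inserting lines leaves behind, and a reconciliation of the local file against the copy that was forwarded to a separate log collector. The log lines, host names and the 203.0.113.7 address are constructed for the example, and the 30-minute gap threshold is an assumption that has to be tuned to the host's normal activity.

```python
"""Two checks for signs that a victim host's log was edited.

Added example, not code from the original post. The log lines, host
names and the 203.0.113.7 address below are constructed; the 30-minute
gap threshold is an assumption, tune it to the host's normal activity.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"
MAX_GAP = timedelta(minutes=30)  # assumed: a longer silence is suspicious

# Copy of the auth log as it was forwarded to a separate log collector
# before the intrusion was cleaned up (constructed sample).
REMOTE_COPY = """\
2014-01-19T02:00:05 sshd[2211]: Accepted password for admin from 10.0.0.5 port 51022
2014-01-19T02:14:40 sshd[2290]: Failed password for root from 203.0.113.7 port 40112
2014-01-19T02:14:52 sshd[2290]: Accepted password for root from 203.0.113.7 port 40112
2014-01-19T02:15:03 sudo: root : COMMAND=/bin/rm /var/log/auth.log.1
2014-01-19T02:16:10 sshd[2290]: Disconnected from 203.0.113.7
2014-01-19T02:45:17 sshd[2295]: Accepted publickey for backup from 10.0.0.9 port 52000
2014-01-19T03:05:00 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
"""

# The same log as found on the compromised host: the attacker removed
# the 203.0.113.7 entries and appended a fabricated line carrying an
# earlier timestamp (constructed sample).
LOCAL_LOG = """\
2014-01-19T02:00:05 sshd[2211]: Accepted password for admin from 10.0.0.5 port 51022
2014-01-19T02:45:17 sshd[2295]: Accepted publickey for backup from 10.0.0.9 port 52000
2014-01-19T03:05:00 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
2014-01-19T02:30:00 sshd[2310]: Accepted password for admin from 10.0.0.5 port 51100
"""


def parse(log_text):
    """Return (timestamp, message) tuples in file order."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, msg = line.partition(" ")
        entries.append((datetime.strptime(ts, TS_FMT), msg))
    return entries


def find_anomalies(entries, max_gap=MAX_GAP):
    """Flag timestamps that run backwards (edited or re-inserted lines)
    and silences longer than max_gap (a likely block of deleted lines)."""
    findings = []
    for (prev_ts, prev_msg), (cur_ts, cur_msg) in zip(entries, entries[1:]):
        delta = cur_ts - prev_ts
        if delta < timedelta(0):
            findings.append(("out_of_order", cur_msg))
        elif delta > max_gap:
            findings.append(("gap", f"{delta} between '{prev_msg}' and '{cur_msg}'"))
    return findings


def diff_against_remote(local_text, remote_text):
    """Lines the collector has but the host lacks (deleted), and lines the
    host has but the collector never received (fabricated)."""
    local = [l for l in local_text.splitlines() if l.strip()]
    remote = [l for l in remote_text.splitlines() if l.strip()]
    missing = [l for l in remote if l not in local]
    extra = [l for l in local if l not in remote]
    return missing, extra


if __name__ == "__main__":
    for kind, detail in find_anomalies(parse(LOCAL_LOG)):
        print(f"{kind}: {detail}")
    missing, extra = diff_against_remote(LOCAL_LOG, REMOTE_COPY)
    print(f"{len(missing)} line(s) deleted locally, {len(extra)} line(s) fabricated")
```

On the constructed data the sequence check reports one gap and one out-of-order line, and the reconciliation recovers the four deleted entries that name 203.0.113.7. The sequence check only catches sloppy editing; a careful attacker re-times the surviving lines. The control that actually preserves attribution evidence is the second one: ship logs as they are written to a collector the host cannot write back to.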

Although the United States has very sophisticated Cyber exploits that could be used in retaliation for a Cyber attack directed at U.S. critical infrastructure and corporations, without a sound and reliable means to attribute the attack to the perpetrator(s), a response cannot be justified. That's why federal agencies such as the FBI have shifted their strategy to focus on Cyber attack attribution. If Cyber perpetrators do not fear being caught or paying a price for their actions, there's little reason for them not to continue to commit Cyber attacks.


The Attribution Problem in Cyber Attacks, http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks

Tuesday, December 24, 2013

40 million credit card accounts is right on TARGET for Hackers

In my last post, I discussed how big targets attract big hacker interest. The recent cyber breach of 40 million credit card accounts at Target was a prime example. While some may react to the attack by temporarily suspending business with Target, paying with cash, or with a credit card rather than a debit card, virtually eliminates the consumer's risk. If a credit card is used, the cardholder is protected against fraud: the bank issuing the card assumes the financial liability, and most issuers advertise zero liability for the cardholder. Since it took over 2 weeks for Target to discover the attack, I question whether or not the Payment Card Industry Data Security Standard (PCI DSS) was followed.

PCI DSS version 3.0 is organized around six control objectives: build and maintain a secure network and systems; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. Target most likely needs improvement on multiple PCI DSS objectives, such as protection of cardholder data, vulnerability management, strong access control measures, and regular network monitoring.
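As an added example of what "protect cardholder data" means in practice (this is not code from the original post or from the PCI DSS document cited below): PCI DSS requires the primary account number (PAN) to be masked wherever it is displayed, with at most the first six and last four digits shown, and full PANs have a habit of leaking into application and point-of-sale logs that nobody classified as cardholder data. The script below scans log lines for candidate card numbers, uses the Luhn checksum to separate real PANs from other long numeric identifiers such as order numbers, and masks the hits. The log lines are constructed, and 4111111111111111 and 4012888888881881 are published Visa test numbers, not real accounts.

```python
"""Find and mask primary account numbers (PANs) in application logs.

Added example, not code from the original post or from the PCI DSS
document. The log lines are constructed; 4111111111111111 and
4012888888881881 are published Visa test numbers, not real accounts.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or dashes. The Luhn check below removes most false positives.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: a PAN logged in clear by a POS lane, an order
# number that is also 16 digits, a PAN echoed by a web debug line, and
# a phone number that is too short to match.
SAMPLE_LOG = """\
2013-12-18 10:02:11 pos-lane-04 auth ok card=4111111111111111 amount=54.20
2013-12-18 10:02:12 pos-lane-04 order=1234567890123456 shipped
2013-12-18 10:03:45 web-01 debug: payment form posted pan="4012 8888 8888 1881"
2013-12-18 10:04:00 web-01 customer phone 2025550147 callback scheduled
"""


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(match):
    """Strip the separators out of a regex match."""
    return re.sub(r"[ -]", "", match.group())


def find_pans(text):
    """Return the Luhn-valid PANs (separators stripped) found in text."""
    return [_digits(m) for m in PAN_RE.finditer(text) if luhn_ok(_digits(m))]


def mask_pan(digits):
    """PCI DSS 3.3: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text):
    """Replace every Luhn-valid PAN in text with its masked form; other
    long numbers (order IDs, phone numbers) are left untouched."""
    def repl(m):
        d = _digits(m)
        return mask_pan(d) if luhn_ok(d) else m.group()
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(scrub(SAMPLE_LOG))
```

Run against the sample, it finds the two test PANs, leaves the Luhn-invalid order number alone, and rewrites the lines to 411111******1111 and 401288******1881. A scrubber like this belongs in the log pipeline before anything is written to disk; finding full PANs in logs after the fact means the logs themselves are now in scope for PCI DSS.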

Since investigations by the Secret Service and potentially the Justice Department are ongoing, one can only speculate about the root cause of the cyber breach. However, over two weeks to detect an ongoing cyber breach looks slow on the surface. In reality, 2 weeks to detect is actually pretty responsive based on earlier reports by Mandiant that cyber breaches typically take months to detect and in many cases are detected by third parties.

AnythingCyber community, don't lose faith in Target due to this recent Cyber breach. A breach can occur at any corporation, and the fraud protection on credit cards removes the financial risk from the consumer.

Jimmie Walker, CISSP-ISSMP

PCI DSS V 3.0 Requirements and Security Assessment Procedures, November 2013