NACCTFO Cyber Security Presentation 2014 New Orleans


Upload: maurice-dawson

Post on 15-Jan-2015



TRANSCRIPT

Page 1: NACCTFO Cyber Security Presentation 2014 New Orleans

Cyber Security in

Prepared by Dr. Maurice Dawson, CSSLP, CGEIT, C|CISO


Agenda

Presenter Background

Your Motivation for this Session

Hyperconnectivity

Guidance

Products

Tools

Cyber Security Training

Personnel Hiring

Closer to Home


Speaker

Dr. Maurice (Mo) Dawson Jr.

Assistant Professor, Information Systems

Office: 228 Express Scripts Hall

Voice: TBA

Email: [email protected]


Work Experience

Assistant Professor of Information Systems, University of Missouri - St. Louis, 08/14 - Present

Fulbright Grantee, South Ural State University, Russia, 09/14 - 09/14

ABET CS Accreditation Consultant, Colorado State University - Global Campus, 04/14 - 07/14

Assistant Professor of Management Information Systems, Alabama A&M University, 08/11 - 05/14

Visiting Professor, The University of the Gambia, 03/14 - Present

Visiting Assistant Professor (Honorary) of Industrial and Systems Engineering, The University of Tennessee, Knoxville & Space Institute, 02/14 - Present

Research Associate, Morgan State University, 08/10 - 08/11

Engineering Manager, Textron Systems - AAI Unmanned Air Systems (UAS) Division, 01/10 - 08/11

Information Assurance Director, Future Research Corporation, 07/08 - 12/09

Senior Program Manager, Rockwell Collins - Government Systems Division, Scout, Attack & Special Mission Solutions, 06/06 - 07/08

Senior Systems Engineer, Rockwell Collins - Government Systems Division, Rotary Wing & Cryptographic Embedded Systems, 08/04 - 06/08

Information Assurance Engineer, British Aerospace Engineering (BAE) Systems - Missile Defense Agency (MDA) Support, 05/04 - 08/04

Cryptographic Technician, United States Navy Reserves, 10/05 - 09/08

Senior Systems Analyst, Iowa National Guard, 01/00 - 10/05


Current Research

Dawson, M. (2015) Software Assurance Maturity Model: The Need for Secure Design Process Management. Managing Software Process Evolution, How to handle process change? proposal accepted, in process

Dawson, M., & Leonard, B. (2015) Software and Supply Chain: Ensuring the Delivery of Secure Systems. Encyclopedia of Global Supply Chain Management. proposal accepted, in process

Dawson, M., Wright, J., & Truesdale, J. (2015) Cyber Security: Designing Solutions for Mobile Security & Health Information Technology. Encyclopedia of E-Health and Telemedicine. proposal accepted, in process

Dawson, M., Wright, J., & Omar, M. (2015) Mobile Devices: The Case for Security Hardened Systems. Handbook of Research on New Threats and Countermeasures in Digital Crime and Cyber Terrorism. accepted for publication and forthcoming.

Leonard, B. & Dawson, M. (2015) Legal Issues: Security and Privacy with Mobile Devices. Handbook of Research on New Threats and Countermeasures in Digital Crime and Cyber Terrorism. accepted for publication and forthcoming.

Dawson, M., Leonard, B., & Rahim, E. (2014) Advances in Technology Project Management: Review of Open Source Software Integration. Technology, Innovation, and Enterprise Transformation. accepted for publication and forthcoming.

Dawson, M., Marwan, O., & Abramson, J. (2014) Understanding the Methods Behind Cyber Terrorism. Encyclopedia of Information Science & Technology 3rd Edition. accepted for publication and forthcoming

Dawson, M., Al Saeed, I., Wright, J., & Onyegbula, F. (2014) Open Source Software to Enhance the STEM Learning Environment. Encyclopedia of Education and Technology. accepted for publication and forthcoming

Dawson, M., Omar, M., Abramson, J., & Bessette, D. (2014). The Future of National and International Security on the Internet. Information Security in Diverse Computing Environments. accepted for publication and forthcoming

Dawson, M. E., & Al Saeed, I. (2012). Use of Open Source Software and Virtualization in Academia to Enhance Higher Education Everywhere. Cutting-edge Technologies in Higher Education, 6, 283-313.


YOUR MOTIVATION FOR THIS SESSION


Motivation


HYPERCONNECTIVITY


Introduction

Hyperconnectivity is a growing trend that is driving cyber security experts to develop new security architectures for multiple platforms such as mobile devices, laptops, and even wearable displays. The future of national and international security relies on complex countermeasures to ensure that a proper security posture is maintained during this state of hyperconnectivity. To protect these systems from exploitation of vulnerabilities, it is essential to understand current and future threats, including the laws that drive the need to secure them. This presentation examines the potential security-related threats that come with the use of social media, mobile devices, virtual worlds, augmented reality, and mixed reality. It also reviews some examples of the complex attacks that could interrupt human-robot interaction, children-computer interaction, mobile computing, social networks, and more through human-centered issues in security design.


System of Systems Concept


Information Assurance Defined

Information Assurance (IA) is defined as the practice of protecting and defending information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This definition also encompasses disaster recovery, physical security, cryptography, application security, and business continuity of operations.


Cyber Terrorism

Cyber terrorism is on the rise and affects millions of people every day. These malicious attacks can affect anyone from a single person to entire government entities. They can be carried out with a few lines of code or with large, complex programs that have the ability to target specific hardware. As the United States government has stated, an act of cyber terrorism is an act of war; it is imperative that we explore this new method of terrorism and how it can be mitigated to an acceptable risk.


Recent Events

Cyber security has become a matter of national, international, economic, and societal importance that affects multiple nations (Walker, 2012).

In Estonia and Georgia there were direct attacks on government cyber infrastructure (Beidleman, 2009). The attacks in Estonia rendered the government's infrastructure useless.

The government and other associated entities relied heavily upon this e-government infrastructure. These attacks helped lead to the development of cyber defense organizations that drive laws and policies within Europe.


Laws and Policies to Combat Terrorism

The USA PATRIOT Act was signed into law by President George W. Bush in 2001 after September 11, 2001 (Bullock, Haddow, Coppola, & Yeletaysi, 2009). This act was created in response to the events of 9/11 and provided government agencies with increased abilities. These increased abilities gave the government the right to search various communications such as email, telephone records, medical records, and more of those who were thought to be involved in terrorist acts (Bullock, Haddow, Coppola, & Yeletaysi, 2009).


Stuxnet Worm

During the fall of 2010 many headlines declared that Stuxnet was the game-changer in terms of cyber warfare (Denning, 2012). This malicious worm was complex and designed to target only a specific system. It had the ability to detect location, system type, and more, and it attacked a system only if that system met specific parameters that were designed into the code. Stuxnet tampered directly with software in a programmable logic controller (PLC) that controlled the centrifuges at Natanz. This tampering ultimately caused a disruption in the Iranian nuclear program.


SCADA Systems

The Department of Homeland Security (DHS) is concerned with cyber attacks on infrastructure such as supervisory control and data acquisition (SCADA) systems. SCADA systems are the systems that autonomously monitor and adjust switching, among other processes, within critical infrastructures such as nuclear plants and power grids. DHS is worried about these systems because they are frequently unmanned and remotely accessed. Because they are remotely accessed, anyone could potentially take control of critical infrastructure assets remotely. There have been increasing mandates and directives to ensure any system deployed meets stringent requirements. As the Stuxnet worm has become a reality, future attacks could be malicious code directly targeting specific locations of critical infrastructure.


Measuring Success & Loss


Virus in Bash Script


Example Copy Script in Bash


Vulnerabilities & Threats


Legitimate Applications that Can Be Used to Retrieve Information

Presently, there is valid spy software available for various smartphones. An example of this is FlexiSpy, a legitimate commercial spyware program that costs over $300 (United States Computer Emergency Readiness Team, 2010). FlexiSpy can:

Listen to actual phone calls as they happen;

Secretly read Short Message Service (SMS) texts, call logs, and emails;

Listen to the phone surroundings (use as remote bugging device);

View phone GPS location;

Forward all email events to another inbox;

Remotely control all phone functions via SMS;

Accept or reject communication based on predetermined lists; and

Evade detection during operation (United States Computer Emergency Readiness Team, 2010).


Internet Stalking

The increase of the social networking trend can be based on the security features for every user. Internet stalking can be described as a threat from an outside source that harms or inflicts harm on a piece of information or a person. These threats can be international or national depending on where the organization or user is geographically located. With internet stalking being noted more often in today's society, it is also presumed that people are becoming more vulnerable to attacks from internet insecurity. Insecure internet can be assessed based on what the user is currently using in terms of connectivity, but it can always be looked at as a threat to any customer.

When international threats are aimed at consumers, they can be perceived as threats directed at the nation because they come from outside the country. These circumstances can be legal or illegal depending on the source of the threat. Many users identify these types of threats as acts of terror because they do not know much about the types of threats that are visible.


Certification & Accreditation


GUIDANCE


PRODUCTS


Linux Distros


Security Technical Implementation Guides (STIGs) and the NSA Guides


TOOLS


BackTrack Linux


Kali Linux Offensive Security


Special Features Available in Kali

Over the months of development, we occasionally add cool new features to Kali and document them on our blogs. The following list attempts to gather some of

Automating Kali Linux deployment via Unattended PXE installations.

Kali Linux ISO of doom, the perfect hardware backdoor.

Customizing and bending Kali Linux to your will using Kali Linux live build recipes.

Mastering Kali Linux tool sets with Kali Metapackages.

Kali Linux in the cloud: Kali Amazon EC2 images available.

Kali Linux LUKS Full Disk Encryption (FDE).

Nuking your Kali Linux hard disk with the Kali LUKS nuke option.

Kali Linux running on Android through Linux Deploy.

Kali Linux accessibility features, adding support for blind and visually impaired users.

Kali Linux on a Raspberry Pi and a bunch of other interesting ARM devices.

Kali Linux Live USB persistence with LUKS encryption.

Click http://www.kali.org/official-documentation/ for further information


Burp Suite Test Web Applications


HydraGTK Brute Force Password Cracker


John the Ripper


Metasploit: Penetration Testing Software


Zenmap GUI for Nmap


SQL Map


SourceForge


Big Data Wonders: 8 'Free' Data Visualisation & Analysis Tools

1. OpenRefine http://openrefine.org/

2. R Project for Statistical Computing http://www.r-project.org/

3. Google Fusion Tables https://support.google.com/fusiontables/answer/2571232

4. Exhibit http://simile-widgets.org/exhibit/

5. JavaScript InfoVis Toolkit http://philogb.github.io/jit/

6. Protovis http://mbostock.github.io/protovis/

7. OpenLayers http://openlayers.org/

8. Gephi https://gephi.github.io/


VMware


CYBER SECURITY TRAINING


Cyber Security Education, Training and Awareness

Click http://iase.disa.mil/eta/index.html for online training


PERSONNEL - HIRING


(ISC)² Global Information Security Workforce Study


CLOSER TO HOME


Actually Stole From U.S. Companies

Solar power technology

Nuclear power plant technology

Inside information on U.S. business strategy

Data enabling the Chinese to outwit U.S. regulators


Secret US Embassy Cables