Papers and Publications
March 6, 2019
A CALL FOR CONCERN: The Unbalanced Representation of Minorities and Women in the Cybersecurity Profession.
A paper by Joseph O. Esin
Professor of Computer Information Systems
Jarvis Christian College
Hawkins, Texas USA
Visiting Professor of Research
University of Calabar, Nigeria
Minorities, especially women, are often ready and able to work independently and professionally with prime limited supervision to complete assigned duties exactly as their male counterparts in spite of the challenges against minorities in cybersecurity professions. The imminent challenges against minorities who are deprived of equal treatment in cyber-education to prepare and inspire the new generation to master cyber-education tend to sideline women and undercut them when it comes to personal and professional rewards for underrepresented communities. The panacea to this discrepancy resides in corporate collaboration through the cyber-education of the beset segment of the society to defend and protect vulnerable citizens against cyber-attacks. The world community cannot effectively defend and protect vast defenseless citizens during deep disproportionate approaches against minorities and women. Cybersecurity professionals are strongly urged to form a united front to include minorities, especially women in all facets of cyber-education, intellectual stimulation and professional opportunity. The foundation of this unbalanced lopsided approach, unequal treatment of minorities and women is a narrow-minded discrimination based on the gender penchant for male chauvinism. Fortunately, this male chauvinism tends to be compromised by the plethora of women who have been trailblazers in cyber-activities, scientific education and inventions. The achievements of these women reflect the existence of an inexhaustible repository of untapped resources that could inevitably provide and complement the diminishing supplies of cyber experts ready to confront cyber criminals and attackers today.
Overview of Cybersecurity Profession
The life-wire of cybersecurity operation is undergirded by the primary objective to protect private and public organizations’ and higher education’s asserts, vital data, information and intellectual property against cyber-attacks, cyber-breach, hacking and cracking. Per Beach (2015), cybersecurity profession is critical to organizations and all citizens due to constantly needed skills and expertise required to defend and support system security, availability, integrity, authentication, confidentiality and non-repudiation activities. Alas, males are naturally elevated as sturdy shelters and forefront in the battle against cyber-operation while minorities and women are inevitably and unnecessarily considered as incompetent, unqualified and lack of tenacity and the skill-sets to mitigate cyber-attacks. According to Elan, (2012) and Esin (2018), availability, integrity, authentication, confidentiality and non-repudiation activities are integrated into cybersecurity profession and noncompliance with either of these components into cybersecurity activities would render cyber operations vulnerable to attacks. Attempts to overlook unbalanced representation of minorities and women or the reluctance to elevate minorities and women to the forefront, exposes a disproportionate attack against the minorities, especially women in cybersecurity professions (Weiss, 2016). Cybersecurity unemployment rate has dropped to zero-percent; however, the global benchmark relative to talented cybersecurity professionals is not close to where we need it to be to curb the growing epidemic of cybercrime and cyber-attack (Esin, 2018).
Private and public organizations, higher education and the health care industries are striving to outpace cyber-crime and cyber-attack without the inclusion of much needed cybersecurity aspirants such as minorities and women as members and active partners in cybersecurity profession. As Wirth (1945) and Chabrow (2011) noted, zero-percent unemployment for cybersecurity experts presents challenges for most organizations and a commitment to bridge the gap against the unbalanced representation of minorities in cybersecurity profession and to form a united front to implement unconditional combative fronts against cyber-attacks that do not discriminate in terms of gender or ethnicity. In our present society that is fast becoming unisexual and diversified, a male domineering schema that systematically sidelines females and other minorities is, to say the least, out of touch with reality.
Diversification of cybersecurity professions is a collective and an innovative means to counteract spiteful attacks against vulnerable innocent communities. According to the National Center of Women Information Technology (NCWIT), traditionally, cybersecurity careers lack professional participation and contribution from minorities and women. As Shumba (2013) & Poster (2012) noted, in 2015 only 25% of the computing workforce were women, 5% Asian, 3% African-American, and 1% Hispanic women. Once again, as two cybersecurity analysts, Elan, (2012) and Harkinson (2014) noted, a survey conducted by the United States Department of Labor, Bureau of Labor Statistics (BLS) reveals that only 19.7 percent of cybersecurity analysts are women, 3 percent African-Americans, 3.4 percent Asian-Americans and 5.2 percent Hispanic and Latinos. These statistics clearly and indisputable reveal the lack of diversity in the work force in cybersecurity careers.
This lack of diversity in cybersecurity profession is detrimental to global workforce and the ongoing determined battle against cyber-attacks on vulnerable global communities. Apparently, the unbalanced representation is an unregulated pipeline against minorities and evidence of women’s unwillingness to be active members of the solution to open-ended cyber-attacks and cyber-crime on the vulnerable organizations. To overcome these barriers, Dallaway (2013) and LeClair and Keeley (2015) suggest that minority and women must be empowered as role models with ability to show the new generation that the cybersecurity profession is a veritable tool to protect private and public organizations against perpetrators of cyber-attacks, regardless of gender equality and inequality. Per Shumba (2013), the culture of professional transformation is imperative and must contain a transition to benefit the city, state, nation and global economy immensely, which inevitably requires the combined expertise and talents of minorities and women and their male counterparts on the pilgrimage to set the global community free from cyber-attacks.
Diversity is key to disengage from unbalanced representation in today’s cybersecurity and digital marketplace and to empower all personnel with absolute and equal opportunity. Most organizations have created a multigenerational and multicultural intra community approach, diversity policy, and commitment to maintain balance in minority representation and battle against inequality. Unfortunately, Ngwang (2019) notes that the proliferation of a work place with workers from all walks of life by itself does not constitute diversity, diversity entails the cultivation of the spirit of acceptance, equality, homeliness and integration which comes with complete assimilation where workers do not see and feel their difference. Diversity becomes the internalization of differences and the externalization of sameness and uniqueness of the benefits and education that accrue from a hybrid of these differences (Ngwang, 2019). As Hu (2014) noted, the demographics in cybersecurity workforce reflects the imbalance found in most organizations and efforts to mitigate this pronounced imbalance must focus on increased involvement of minorities and women in cybersecurity operations to close the gap of the critical shortages of skilled cybersecurity personnel in most organizations. Fortunately, most organizations are concentrating on fostering collaborative environments to mitigate this unbalanced approach relative to cybersecurity profession (Tsai (2016). What the new generation needs is an increase of diversity in the workplace and new initiatives to transform the unbalanced gender and ethnic representation to the dynamics of balanced gender equality in order to solve the talent shortage of skilled personnel. In other words, the surest way to handle skill shortages in cybersecurity is by encouraging more minorities and women to embrace a career in cybersecurity.
Minorities (gender, ethnic, national, more.), especially gender minorities are often ready and able to work independently and professionally with prime limited supervision to complete assigned duties exactly as their male counterparts amidst challenges against minority in cybersecurity profession. Without hesitation, Elan (2012) and Dallaway (2013) noted that the prime and looming challenges against minorities and women emanate from deprived equal treatment and the bankruptcy of an introduction to an earlier level of cyber-education to prepare and inspire these minorities to understand challenges and how the mastery of cyber-education will lead to their personal and professional reward. The corporate collaboration through cyber-education of beset segment of the society will credibly and inevitably lead to the understanding of measures to defend and protect vulnerable citizens against cyber-attacks.
The world community cannot effectively defend and protect vast defenseless citizens in the midst of a deeply disproportionate approach against minorities and women. Per Chabrow (2011) cybersecurity professionals are strongly urged to form a united front to include minority women in all facets of cyber-education that encourages intellectual stimulation and professional opportunities. The foundation of unbalanced approach, unequal treatment of minority and women is a narrow-minded and discriminatory mentality based on gender penchant for male chauvinism and the traditional notion of the superiority of the male gender in the sciences.
The global community is a comfort zone for a variety of different professions and nationalities; therefore, minorities and women are eligible to benefit from a higher status and more professional opportunities as male counterparts regardless of gender, national, and ethnic affiliations. The unbalanced approach to minorities is directly related to race, gender, unequal wages, a prejudicial slant in the hiring process and sexism. According to Poster (2012), this unbalanced approach to labor inspires the credence that males are superior to the minorities and women, considered them the second-rate citizens. In the past, minorities and women in the United States were treated as second-class citizens and not given the right to vote. However, the 1920 passage of the Nineteenth Amendment to the United States Constitution provided all citizens in the United States the right to vote regardless of gender disparity (Weiss, 2016 & Wirth 1945).
Who Constitute the Minorities?
Per Wirth (1945) and Shumba (2013), minorities and women are active members of our community who, because of physical and cultural characteristics, are singled out, challenged with differential and unequal treatment, and faced with professional pre-judgement of inability to function as contributive members of the society. The terminology “minority” often denotes subordinate groups of lesser beings with very little and no authority and legislative function compared to main dominant teams, usually male, empowered with legislative authority to operate in any functional society. As Wirth (1945) and Poster (2012) noted, in the United States’ modern history, our elderly people are often considered as minority due to their diminishing physical status. During apartheid in South Africa, numerically majority black inhabitants were exploited and oppressed by the white minority due to the blacks’ lack of power, authority and control. The absence of authority, power and control is a predominant characteristic of a minority which is distinguished in classifications such as unbalanced representation, unequal treatment and less power on the basis of physical and cultural traits. Per Wirth (1945) and Poster (2012), nowadays, minorities and women are making great strides and competing with their male counterparts in winning elections and gaining seats as congress women, senators, national presidents, college presidents, corporate chief executive officers. college professors, and educators in the mist of existing hurdles. As Chabrow (2011) asserts, the cybersecurity profession is engrained into global, private and public organizations, higher education enterprises and attempts to prevent minorities and women from gaining a foothold in this profession is tantamount to running against the current of personal and professionally determined efforts to defend and to protect the vulnerable global communities against the alarming rate of cyber-attacks. The passage of the Nineteenth Amendment of the US constitution granted all US citizens the right to vote in 1920. This show of equality served as redemptive strength for all citizens for the equivalent integration of men, minorities and women into cybersecurity profession and a liberating force against the unbalanced representation of minorities and women in all walks of life (Wirth, 1945 & Elan, 2012).
Nowadays, men often operate on a fixed hero mentality encouraging unbalanced approach against minorities and women and subsequently suppressing women’s and minorities’ determined efforts to reach upper echelons in cybersecurity careers. Per LeClair and Keeley (2015) and Shumba (2013), an interrelated approach to mitigate and eradicate the looming unbalanced engagement of citizens in cyber employment must include professional communication, cyber-education for minorities, women and males. Cyber-attacks often exacerbate inequalities and insecurity against minorities and women and gender predisposition is a point of weakness, vulnerability for insecurity and a corridor to under-tapped skills needed to provide solutions to the danger of the lopsided approach toward minority and women in cyber activities.
Value of Minorities and Women in Cybersecurity Community
Minorities and women are equally productive and stable in large proportions in high-technology and cybersecurity professions exactly as their male counterparts. Unlike in the past decades, the Millennium brought remarkable innovative advancement in minority and women’s technology and cybersecurity operation, a threshold of closing the gap against gender isolation and declining percentage of minority and women in cybersecurity professions. As LeClair and Pheils (2016) and Esin (2017) noted, minorities and women progress in different walks of life including cybersecurity profession is asymmetrical and succeeding at a slow pace. Today, in the 21st Century, minorities and women are ascending and matching the success ladders of their male counterparts. Minorities and women contributions to cybersecurity profession are sidelined for no ostensible reason, except for the fact that they are minority and women. Indeed, the minorities and women have been foremost in cyber-attack and investigative techniques:
a. In 1940, Elizabeth Smith Friedman, (minority & woman) helped to invent the science of cryptography for the United States Federal Bureau of Investigation (FBI), her techniques broke international spy rings, decoded three Nazi Enigma machines and contributed to the early work of the forerunner to the Central Intelligence Agency (CIA). Right after the war, her elite code-breaking unit was shut down and various men took credit for her work (Poster, 2012; Browne, 2015; & Shumba 2013).
b. In the 1950s, an African American female, Katherine Johnson, (minority & woman) a mathematicians at NASA calculated the aeronautical trajectories to put Man on the Moon. The proportion of minority and women in computer science grew until the mid-1980s. Again, right after the discovery, the dawn of personal computing dropped swiftly (Poster, 2012; Browne, 2015; & Shumba 2013).
c. In 2009, Melissa Hathaway, (minority & woman) served as President Obama’s first acting senior director on cyberspace for the National Security Council (NSC) (Poster, 2012; Browne, 2015; & Shumba, 2013).
d. In 2004-2010, Letitia Long, (minority & woman) was the first woman director of the National Geospatial-Intelligence Agency who supplied the satellite, geographical and social-media data that enabled the capture of Osama bin Laden (Poster, 2012; Browne, 2015; & Shumba 2013).
e. In 2013-2016, Dr. Jane LeClair (minority & woman) served as the Chief Operating Officer, providing outstanding leadership for the National Cybersecurity Institute dedicated to increasing knowledge and expertise in the cybersecurity discipline (Esin, 2018; LeClair & Keeley, 2015).
f. In 2016 to present, Dr. Jane LeClair (minority & woman) established Washington Center for Cybersecurity Research and Development (WCCRD), an organization dedicated to the advancement of skills, knowledge and competency of minorities, women and men in cybersecurity education. She organized and convened conferences and training across the globe (LeClair & Pheils, 2016; & Esin, 2018).
g. Today, January 19, 2019, thousands of women and minorities across fifty states of the continental United States are committed, dedicated and willing to strengthen their individual talents and protection of vulnerable citizens against cyber-attacks and cyber-crimes.
Canon of Gender Inequality in Cybersecurity Profession
Today, circumstances have changed drastically and methodically, and minorities and women are making stable innovative advancement toward cybersecurity profession, contributing to a bigger role in the world economy compared to ancient times. Minority and women’s talents are often diluted, prohibited and dominated by emerging distinction of male dominating approach to cyber-jobs. Per Hu (2014) and Elan (2012), three main reasons associated with the decreasing role of minorities and women in high profile jobs, cyber-security, include poverty, responsibility and education. Furthermore, minorities and women are incessantly underpaid, operate on limited financial resources and often given no line of authority. The egocentric and valiant male chauvinism continues to downplay minority and women’s ability to successfully complete assigned cybersecurity tasks that demand diverse skills, talents and expertise needed to protect private and public organizations, and higher education against cyber-crime, cyber-attacks and attacks on vulnerable innocent citizens (Esin, 2018). Cybersecurity operations reflect the ethos of protecting and defending world organizations against cyber-threats, perpetrators, hackers and crackers and to safeguard victims of cyber-crimes and cyber-attacks. In the national and global echelons, battling cyber-crime, cyber-attacks and cyber-threats must be an all-inclusive communal responsibility requiring coordinated action, participation and contribution from all citizens - men, minorities and women (Tsai, 2016 & Benison, 2009).
Per Weiss (2016), the underrepresentation of minorities and women in the cybersecurity profession is entrenched with critical and practical concern among leaders in private and public organizations, higher education and the defense industries. There are not enough cybersecurity professionals across the globe and, as such, the operation is experiencing growing shortage of skilled personnel. Over a quarter-million positions in this domain continue to remain unfilled in most nations and there is a projected shortfall of 1.5 million cybersecurity professionals in the United Sates by 2020. As Hu (2014) and Elan (2012) noted, based on the looming proliferation of cyber-threat, cyber-crime, cyber-attacks, growing concerns of vulnerable citizens and organization data and information, the projected solution must include active steps to encourage private and public organizations, higher education enterprises and military operations to expose, invite and incorporate minorities and women into cybersecurity professional education, workshops, conferences and training.
Minorities (ethnic, national, religious and more) and women must be empowered with cybersecurity knowledge, skills and expertise to acquire their full potential, scientific know-how to confront and contain cyber-attacks and cyber-crimes. As noted by LeClair and Pheils (2016) in their studies on women in cybersecurity, the shortage hurdles can be overcome when minorities and women are supported, elevated to senior levels of administrative positions, educated with ability to mentor the new generation, facilitate substantial influx of minorities and women to embrace cybersecurity professions across the global communities. All-inclusive education on diversity, skills and expertise needed to mitigate cybersecurity snags in solo and in isolation of one gender. The corridor to assuage open-ended breach against qualified cybersecurity aspirants must eschew gender inequality.
Benison, L. (2009) “Are men or women better
Browne, S. Dark Matters (2015) “On the Surveillance of
Blackness.” Duke University Press.
Chabrow, E. (2011). Women, Minorities Scarce in IT Security
Dallaway, E. (2013). Let’s Hear it for the Ladies: Women in Information
Elan, S. (2012). Study: Women encounter inequality in science &
technology fields. Retrieved from https://www.elsevier.com/connect/study-women-encounter-inequality-in-science-and-technology-fields
Harkinson, Josh (2014) “Silicon Valley Firms are Even Whiter and More
Male Than You Thought.”
Hu, Elise, (2014) “Facebook’s Diversity Numbers Are Out, And They’re What You Expect,”
LeClair Jane & Pheils, Denis (2016). “Women in Cybersecurity.”
Excelsior College Press. Albany: New York.
LeClair, Jane & Keeley, Gregory (2015). Protecting Our Future
in Our Digital Lives. Excelsior College Press. Albany: New York.
Ngwang, Emmanuel N. The challenges of practical ethics and leadership in the age of cyber education: A crisis in management. Journal of Educational Research and Technology (JERT) 7 (7)
Poster, W. R. (2012). “Global, Technology Diffusion and
Gender Disparity: Social Impacts of ICT.
Shumba, R. et al (2013) “Cybersecurity, Women and Minority.”
Tsai, P. (2016). “Cybersecurity skills gap? Most organizations lack IT
Weiss, S. (2016). “The Biggest Problem Women Face in The Workplace
Isn’t What You Might Expect.”
Wirth, Louis. 1945. “The Problem of Minority Groups.” The Science of Man in the World
Crisis, edited by R. Linton: 347. In Hacker, Helen Mayer. 1951. Women as a Minority Group. Retrieved December 1,
A CALL FOR CONCERN: The Unbalanced Representation of Minorities and Women in Cybersecurity Professi
November 6, 2018
Offensive and Defensive Approach to Ethical Hacking Operation
A paper by Joseph O. Esin
Professor of Computer Information Systems
Jarvis Christian College
Hawkins, Texas USA
Visiting Professor of Research
University of Calabar, Nigeria
Hacking and cracking are a felony and horrible occurrence in most countries and an
open-ended operation allowing unauthorized users to obtain information from various
sources against a target organization. Naturally, hackers regularly retain extraordinary
skills and expertise to break into any organization’s secured network center to adopt
automated freeware tools available on Internet and open up these tools to cybercriminals
to break into the organization’s network center. However, ethical hackers are often
inclined to overcome the underworld cybercriminals and eradicate these culprits through
multiple endeavors such as a combination of human interventions, surveilling monitoring
system and talented information technology (IT) experts, to protect organizations against
the vulnerability of data, assets and resources.
Unfortunately, most organizations do not subscribe to the fact that ethical hacking
threats and associated vulnerabilities terminate
at the four walls built around data security centers. Cyber-technology improprieties such
as cracking and hacking operations are often attributed to a thought-out installation and
configuration of operating system (OP), network operating system (NOS), router, firewall
and flouting manufacture’s built-in setup directives, often requiring strategic plans to
mitigate offensive cyber-attack, and defensive cyber-assault. Organization offensive plan
of action must include proactive interaction with personnel regarding the regular updating
of employee’s passwords by means of providing additional layers of protection,
encryption of vital data, installation and configuration of firewall, comprehensive backup
and acceptable disaster recovery plan. Similarly, an organization’s defensive approach
requires assess control against data and information breach and data recovery proactive
plan of action. Consequently, offensive and defensive ethical hacking operations will
amplify, augment and strengthen each organization’s employees and IT security team to
preempt and battle ever-emerging cyber-threat across the globe. Ethical hacking is
prefixed on the assumption that although technology was designed to make life easier, it
has, unfortunately, made life very challenging for the current generation
Framework of the Research
The emerging reliance on technology to daily activities has ushered an aggressive
offensive cyberwar between hackers and well-intentioned uses of information technology. This
conflict-oriented relationship has called for the examination of challenges of offensive and
defensive approach to ethical hacking, in preparing vulnerable organizations, information
technology (IT) team, grade and high school educators, college and university professors, and
security professionals to be sensitive to the problems that may eventually lead to security
improprieties. The community can only hold them responsible and accountable if they are
thoroughly educated in the detection and identification of these hacking improprieties. My
colleagues on the first school of thought argue that professional preparation against ethical
hacking rest on the domain or is the purview of the IT team, while leaving vulnerable
organization’s personnel and aspirant security professionals in a divided line. My academic
institution and I subscribes to the second school of thought, which affirms that professional
training on cyber-attacks and data-threatening operations such as ethical hacking requires the
participation of entire administrators and authorized users of any organization, especially those
connected to the Internet with direct access to centralized security center. Per Juneja (2013), the
scope of professional preparation must include discovering the origin of ethical hacking and
underground purpose, to uncover operational flaws, malicious Internet, security breach and
proactive plan against outlets of wide range security breach. Ethical hacking is a familiar
nomenclature often popular in private and public organizations, and serve as a benchmark for IT
directors, pundits and security personnel in reference to revisiting offensive and defensive
approaches needed to protect any organization’s data, assets and intellectual property (Greene,
2014). Such proactive, protective initiatives against crackers’ and hackers’ mischievous
operation requires every minute of monitoring of culprits’ attempts to break into the
organization’s security center.
Most organizations learned that ethical hacking threats and vulnerabilities are not
circumscribed by territorial structures like those that the four walls are built around data and
security center facilities. Such lip service ignores the irreversible consequences if the adverse
activity lingers without advanced precautions. It is worth noting that offensive and defensive
ethical hacking processes often advance interruptedly as far as the vulnerability permits.
According to Kleespie (2000) and Green (2004), the Fair Credit Reporting Act (FCRA) offered a
redemptive channel of control by regulating ethical hacking operation with emphasis on trust,
and confidence, but this trust must be earned by current employees and officials representing
The urgency of hacking has been created by the modification in shopper’s attitudes.
Today, most shoppers have moved away from carrying physical cash to carrying credit and debit
cards. Such a move on the part of shoppers inevitably pushed hackers to respond with more
sophisticated hacking techniques to outpace the credit companies and shoppers. The recent
episode of Target Corporation credit card hacking in December 2013 revealed the paucity of
credit card invincibility to hackers and placed Target on drawbacks by consumers. Per Jones &
Bartlett Learning, (2015) and Grama, Marty and Michael (2016) Target’s 23 days’ delay in
notifying shoppers and the public about such magnitude of data breach was unequivocally
mistaken and disturbing to consumers. From November 27 through December 19, 2013, the
very day that Target publicly notified the customers is approximately 23 days. Consumers should
have been notified immediately to allow them all-inclusive options to contact their banks,
financial institutions, debits and credit card’s corporations for protective measures. Because of
the Target Corporation prevailing episode, FCRA needed to revisit existing standards and
regulation relative to offensive and defensive approach to ethical hacking operations. The
project’s parameter must include the ability to examine and regulate the strength, weakness and
guidelines to prevent and protection against five segments of ethical hacking approach which
include script kiddies, green hat hackers, white hat hacking, black hat hacking and gray hat
hacking, and cyber-attacks, unethical attacks and malicious attempt to disorganize or disorientate
an organization’s procedure.
To heighten and enhance extra protective measures against ethical hacking operations,
private and public organizations and higher education enterprises should create a generic contact
phone number and e-mail address,(for example, email@example.com) to protect the
organization’s databases, assets and intellectual property against active hackers. Replacement of
actual names with generic names will deter culprits from wide-ranging illegal activities on an
organization’s database. For example, if an ethical hacker discovers that the network manager’s
name is Paul Adams who works at the institution in Dallas campus, and if Paul Adams sends e-
mails to the main campus using , this action clearly constitutes
credible attempt of social engineering (SE). There is clearly a geographical and locational
disconnect because Jarvis Christian College main campus is not in Dallas, an indication that IT
teams and other Internet users should be trained to be mindful of imminent cyber-attack.
Traditionally, perpetrators of SE normally use psychological moralities to circumnavigate
security threats through persuasion and crafty manipulative techniques to convince official users
to disclose confidential information about their organization (Easttom and Taylor, 2011 & Esin,
The initial phase of ethical hacking is to gain information about the organization prior to
cyber-attack, which involves alerting the team of the first-responders to step up in preparation to
thwart the perpetrators’ illegal access to organization’s network security center. As David (2004)
and Esin (2018) maintain, ethical hacking is a covert operation, which enables crackers and
hackers at early phase, to find accurate information within the target organization from
authorized users, administrators and IT directors. As earlier asserted, ethical hacking is an open-
ended operation where perpetrators can obtain information on target organization from various
sources such as www.netcraft,com and to provide all-inclusive data about the
target facility (Easttom and Taylor, 2011).
Per Walker (2017), and Easttom & Taylor, (2011), the Internet security service (ISS),
codename (net-craft), is a central source designed to protect against anti-fraud, anti-phishing
services, application testing, code reviews, automated penetration testing and secured sockets
layer (SSL) certificate authorities. The archives of some organizations are often entrenched with
collection of vital documents, historical records and physical locale of the primary source of
personnel and organization data, resources and authentic point of reference. The SLL tends to
support offensive and defensive ethical hacking approach to restructure the organization’s policy
relative to the hiring of new personnel, redeployment of employees, implementation of new
technologies, and the reconfiguration of existing websites and webservers.
Initial representation of offensive and defensive approach to ethical hacking include
Cross-site request forgery (CSCR), cookies, and malicious exploitation by unauthorized and
trusted users against organizations. As Walker (2017), and Dimkov & Hartel (2011) noted,
cross-site request forgery signifies tricks by ethical hackers to inherit identity and privileges from
official user to perform unethical hacking in the organization’s network security center. Most
organization browsers are often configured with automatic features consisting of credentials of
official users’ session cookies, passwords and Internet protocol (IP) (Thomas, (2002 &Walker,
2017). Ethical hacking processes are often mitigated by configuring an organization’s webserver
to send trial-error test across the network system. Furthermore, users must read the screen and
learn not to respond to trial-error test. Such a refusal will make it easier to identify illegitimate
requests initiated by cyber-criminals. Cookies is a small text-based file stored on computer
memory for futuristic use by webserver user next time the same user login into the system. Per
Schell, Dodge & Moutsatsos, (2002) and Walker (2017), cookies are often indispensable for
information such as authentication details, site preferences and session features.
Emergence of cyber-hacking
The explosive evolution of the Internet has brought advantages, challenges, and
shortcomings to international communities. Innovative technological advances include electronic
commerce, stress-free access to massive reference material, e-mail communication, and
inventive avenues for advertisement, and dissemination of data and information. The emergence
of innovative cyber-technology has led to the advent of ethical hacking, the illegal attempt to
break into organization’s Web server, replace original logo with pornography, steal credit card
numbers from on-line shopping sites, install software programs to transmit the organization’s
confidential data and leak information to the public and open Internet. Ethical hackers are
sophisticated in the use of conspiratorial tactics to provoke contentious conversations, precisely
on script kiddies and the black hat hacker’s activities. As Schell, Dodge and Moutsatsos, (2002)
noted, the world community is witnessing an alarming number of persons in formative years of
high schools, two year and four years college graduates who for a variety of psychological
intention have become addicted to Internet and the exploitation of their talents to engage in
criminal undertakings. Ethical hacking operations involve telecommunications swindle, credit
card fraud and unauthorized hacking and cracking into any organization security center. Victims
of ethical hacking must learn to identify vulnerabilities and risk factors, in order to strengthen
security measures to stop culprits from deliberate and premeditated attempts to disclose any
organization’s confidential data and intellectual property to the public.
Fundamentals of Ethical Hacking
Approaches to offensive and defensive ethical hacking operations include five important
components such as script kiddies, green hackings, white hat hackers, black hat hackers and gray
hat hackers (Letow, 2015). Notably, ethical hacking is a midway approach against breaching an
organization’s secured data and information center. The complex nature of offensive and
defensive ethical hacking calls for a more comprehensive means to mitigate hacker’s tactics,
myriad security vulnerabilities, and emerging security technologies (David, 2004, & Danish,
2011). Perpetrators of ethical hacking often scan for an organization’s weaknesses, current
employees helping hands to primary targets, and development of strategies to pinpoint available
resources and accurate actionable plan to placate entirely their culprits’ activities.
Per Schell, Dodge and Moutsatsos (2002) and Krehel (2015), script kiddies (SK) are
aspirant unskilled hackers operating without practical knowledge and expertise. They rely
completely on other’s expert hacker’s readymade applications software and talent to write their
own code, with different architectures to interact and penetrate organization’s networks security
center. SKs are unskilled hackers, often motivated by political and religious belief to create fears
on a large-scale disturbance and fracas on private and public organizations and higher education
systems. On the other hand, green hat hackers (GHH) are a group of ambitious hackers with
limited knowledge on ethical hacking. Parallel to script kiddies, green hat hackers depend on
readymade tools and applications to breach into organizations’ passwords, assets and system
resources. (Flaherty, 2003 and Lasker, 2005).
White hat hackers (WHH) are Internet gurus with ability to hold down high paying
professional’s positions such as security analysts and security specialists in most organization
based on their stretchy nature of operation. Per Letow (2015) and Trabelsi (2011), white hat
hackers are capable of thwarting innovative techniques and methodologies to breach into
organizations’ network security centers. White hat hackers often act decisively and operate
within the legal frameworks set forth in any organization’s policies and procedures, and
frequently refrain from revealing acquired skills and expertise without prior consent of the
Black hat hackers (BHH) are experienced career crackers and hackers who are
often responsible for data breaching, rooted with malicious intent to steal, destroy intellectual
property, distribute viruses across organization security centers. They often deny the authorized
users access to their organization’s resources. Black hat hackers are experts with extensive
immeasurable knowledge of the Internet, with ability to gain unauthorized access to network
security center, unleash maliciously cyber-attack, steal vital data and information, extort money
through blackmail, perpetrate payment card, banking fraud and act maliciously to exploit
vulnerabilities in modern-day communities (Schell and Dodge, 2002 & Smith, Yurcik & 2002).
Per Walker (2017), gray hat hackers (GHH) actively represent the middle ground amongst white
hat hackers; they operate without the malicious intent ascribed to black hat hackers’ operations.
As Walker (2017) and Schneier (2000) noted, gray hat hackers are not naturally classified as
experienced ethical hackers, since they do not have any intention to crack and breach into any
organization’s security center.
Ethical hacking operations have three functional segments, namely physical, practical,
and organizational control. Per Walker (2017), physical control includes items such as light
bulbs, television sets, washer and drying devices, encryption, cipher text, brute-force, spyware,
cyberterrorist, and access control. In addition, physical control includes comprehensive and well-
structured professional staff development education to enhance outgrowth, knowledge, expertise
and understanding the focus of security operation. Effective ethical hacking preparation must
clinch to these three ensuing components such as authentication of alarm bells to deter
unauthorized access to an organization’s security center, implementation of alerts components on
authorized access to resources, auditing process, backups, and active disaster recovery plan.
Ethical hacking represents the hackers’ malicious process of identifying limitations, weaknesses
and vulnerabilities relative to electronic devices, data and information through replication,
activation penetration, intrusion and intent of malicious hackers. As Greene (2004) and Juneja
(2013) in their studies on ethical hacking noted, ethical hackers’ undertaking cannot be
successful and effective without the permission and authorization of official users within
organizations who are fully aware and informed of the modus operando of where, when and time
the culprits will launch a planned malicious attach.
Unethical Hackers Operations.
Unethical hackers’ activities differ from traditional ethical hackers’ operations. Unethical
hacking involves malicious, criminally motivated techniques and ability to create approaching
danger. The landscape of unethical hackers’ activities supports the much-needed comprehensive
and real-world offensive and defensive apparatus to hacking operations. Based on present-day
increased sophistication and success rate of unprincipled hacker’s operations; organizations,
nations, states and law-enforcement crime units must embrace and retain highly- motivated
teams of experts to provide long-term solution to mitigate negative effects of unethical hackers
Offensive Ethical Hacking Operation
Krehel (2015) and Himanen (2001) maintain that victims of ethical hackers learn that
offensive attacks are often untimely, occur when it is too late to apply offensive measures and
consequences are repeatedly dramatic. Employees of organizations and information technology
(IT) team constitute the first-time responders, but they have limited tools and skills to challenge
the perpetrators and protect the organization’s vital data. The likely offensive mechanisms to
demystify ethical hacking operations must include security fortresses, weighty alarm systems,
protected doors and windows, and the ability to monitor and detect untimely hacker’s activities
around organization’s security command centers. Black hat hackers are groups who often work
hard to find vulnerabilities and breach organizations’ network security centers to steal, alter data
and crash systems for malicious purposes and financial gain. However, white hat hackers are
individuals entrenched with the same techniques as black hat hackers. In contrast, white hat
hackers use their endowed skills to organize and analyze data and report findings to the
pretentious organizations to mitigate imminent flaws of ethical hackers. Effective offensive
approach to ethical hacking must include taking full control of incoming and outgoing traffic into
any organization, continued education, updating of website and webserver configurations,
Internet vulnerabilities, revisiting of organization policy, configuration of firewall to deter safe
passage of likely intruders against the use of virtual private network (VPN) and secure socket
shell (SSH) keys to authenticate patching network security systems, protect organization data
and intellectual property (Flaherty, 2003 & David 2004).
Defensive Ethical Hacking Operation
Most organization are willing to establish well-structured defensive mechanisms to
safeguard the operation, while large segments of some organizations often restrain from
defensive measures to protect their vital assets and resources. Ethical hackers are sophisticated,
delinquents, crooks who participate in offensive activities against organizations. Per Krehel
(2015), defensive approaches to overcome underworld hackers, also known as cybercriminals,
must include combination of human intervention, surveilling monitoring system and talented IT
experts to protect vulnerable organizations from loss of customers, financial profit and damages
of billions of dollars per year. Ethical hacker operations are self-motivated, asymmetric and
difficult to predict. As Juneja (2013) and Letow (2015) asserted, organizations and law
enforcement communities are aware of the speedy growth of coldblooded hackers and looming
cyber-threats on vulnerable citizens; therefore, a balanced defensive mechanism must be
implemented to battle hard-hearted cyber-terrorists.
My past thirty-one (31) years in academia, administrative and corporate high technology
and five years in cybersecurity industry have revealed to me that private and public organizations
and higher education enterprise’s security network facilities have vulnerabilities, undefended and
ready for exploitation by hackers and cybercriminals at any time. Defensive setback relative to
hacker activity is often attributed to mistakes on installation and configuration of operating
systems (OP), network operating system (NOS), router, firewall and failures to keep an eye on
manufacture’s built-in setup direction. A hacking process is a felony and horrible occurrence in
most countries and in the United States. Per Schell and Dodge (2002) and Lasker (2005), hackers
often retain exceptional skills and expertise to adopt automated freeware tools available on the
Internet by exposing these tools to cybercriminals to break into any organization’s security
Systematic approaches to defensive ethical hacking operation should include five stages:
exploration, examination, acquisition, upholding and pathways to security centers (Trabelsi
(2011). The exploration stage serves as a preparatory phase allowing hackers to gather data and
information about the target organizations prior to launching the intended cyber-attack.
Collection of data and information during the exploration stage is similar to social engineering.
This process engages a smooth-talking person with techniques to persuade an organization’s
personnel to reveal sensitive data, information, passwords and security policies to the public.
Retrieving sensitive data and information already revealed to the public pose challenges to the
defensive approach to ethical hackers’ activities. The exploration stage often overlaps with the
The examination stage precedes the actual hacking stage allowing perpetrators to gather
data and information about the organization’s Internet protocol (IP) address, operating system
(OP), network operating system (NOS), organization system architecture (OSA), available
resources and techniques to breach into the organization’s security center. Acquisition stage is no
longer a likelihood operation, but a high risks stage allowing hackers to obtain elevated
privileges, much needed access to inflict damages as well as launching denial of attack (DoS),
buffer flow-attack, inserting viruses and Trojan horses into the organization’s security center.
The Pathways stage is the damaging phase, allowing hackers to delete files and folders, disable
operating and auditing systems, to log records and files by using audipol.exe to disable OS
loggings. The pathway stage is the most challenging stage of defensive approach to ethical
hackers. Integration of the five systematic approaches to offensive and defensive ethical hacking
operation will play a key role to protect organization data, assets and resources.
In today’s ever-evolving cyber-threats on organization, offensive and defensive
approaches are adequate to mitigate challenges posed by ethical hacker to sniff out hackers prior
to launching cyber-attacks. Ethical hacking is a midway methodology against breaching
organization secured data center. Imminent challenges ahead of the complex nature of offensive
and defensive approach to ethical hackers must include the creation of proactive measures to
mitigate hacker’s tactics, myriad security and vulnerabilities. There are indeed five components
associated with ethical hackers that include script kiddies, green hackings, white hat hackers,
black hat hackers and gray hat hackers, each of them operates in accordance with the culture of
ethical hacking operation. Organizations and businesses enterprises and educational institutions
must come up with comprehensive plans to prevent and protect cyber-attacks. These offensive
measures must spell out what to do after cyber-assault and defensive measures must equally
identify adequate plan of action to mitigate the cyber-attacks. The offensive and defensive plans
of action must include proactive interaction with personal, regular updating of employee’s
password by providing additional layers of protection, encryption of vital data, installation and
configuration of firewall, comprehensive backup and disaster recovery policy and procedures to
protect organization goals and objectives.
Bratus, S., Shubina, A., & Locasto, M. (2010). “Teaching the principles of the hacker curriculum
to undergraduates”. Proceedings of the 41st ACM Technical Symposium on Computer
Science Education – SIGCSE ’10.
Danish, J. and Muhammad, A. N. (2011) “Is Ethical Hacking Ethical?” International
Journal of Engineering Science and Technology, Vol 3 No. 5, pp. 3758-3763.
David, H.M. (2004) “Three Different Shades of Ethical Hacking: Black, White and Gray,” in
GSEC Practical Assignment, Version 1.4b, Option 1,
Dimkov, T., Pieters, W., & Hartel, P. (2011). Training students to steal: A practical assignment
Computer security education. Proceedings of the 42nd ACM Technical Symposium on
Computer Science Education – SIGCSE ’11.
Easttom, Cuck and Taylor, Det. Jeff (2011), “Computer Crime, Investigation,
and the Law.” Course Technology. Boston, MA: Cengage Learning,
Esin, Joseph Esin (2017). Landscape of Cybersecurity Treats and Forensic Inquiry.
Bloomington, IN: Author House.
Flaherty, Julie. (2003). “Enlisting the Young as White Hat Hackers.” New York Times Online.
2003 May 29. Available: www.nytimes.com.
Grama, Joanna L. Weiss, Marty & Solomon, Michael G (2016). Excelsior College
CYS 541 Custom VitalBook, 2nd Edition. Jones & Bartlett Learning, 02/2016.
Greene, Tim (2004). Training Ethical Hackers: Training the enemy? Retrieved
Himanen, Pekka. (2001). The Hacker Ethic. New York: Random House.
Jones & Bartlett Learning, LLC (2015) Ascend Learning Company.
Juneja, Durpreet, K (2013). “Ethical Hacking: A Technique to Enhance Information
Security” International Journal of Innovative Research in Science, Engineering and
Technology (IJIRS), Vol. 2, Issue 12, December 2013.
Kleespie, Steven L. (2000). “The Role of ‘White Hat’ Hackers in Information Security.”
Krehel, Ondrej (2015). “Elite Russian Hackers: The Growing Threat.” The
United States Cybersecurity Magazine, Volume 3, Number 8 (Pages 9-11).
Lasker, John. (2005). “U.S. Military’s Elite Hacker Crew.” Wired News Online
Letow, Larry (2015) “Playing Both Sides of the Field: An Offensive and Defensive
Approach to Cybersecurity.” The United States Cybersecurity Magazine, Volume 3,
Number 8 (Pages 9-11).
Sanabria, Elio (2018). “Why the Best Defense is a Good Offensive
Security Strategy”. Security Intelligence, Armonk: N.Y.
Schell, Bernadette H., & Dodge, John L. (2002). The Hacking of America:
Who’s Doing it, Why and How. Westport: Quorum Books.
Schneier, Bruce. (2000). Secrets & Lies. Indianapolis: Wiley Publishing, Inc.
Smith B., Yurcik W. and Doss D. (2002) “Ethical Hacking: the security justification redux”,
IEEE Transactions, pp. 375-379.
Thomas, Douglas. (2002.) Hacker Culture. Minneapolis: University of Minnesota Press.
Tipton, Harold F., & Krause, Micki (2001). Information Security Management.
Boca Raton: CRC Press LLC. “White hat hackers: Use a hacker
to catch another.” Retrieved 23 April 2005
Trabelsi, Z. (2011). Hands-on lab exercises implementation of DoS and MiM attacks
using ARP Cache poisoning. Proceedings of the 2011 Information Security Curriculum
Development Conference on - InfoSecCD '11.
Walker, Matt (2017). CEH-Certified Ethical Hacker. New York: McGraw Hill Education.
October 24, 2018
A Paper by Charles Parker II
Connected and autonomous vehicle (CAV) GPS: Attacks and using defensive AI implementation
The connected vehicle is presently on the road in several different models from the various vehicle manufacturers. The functionality includes many aspects that have been designed to improve the user experience (UX) and have been shown to indeed accomplish this. As time
has passed, the associated technology has also improved, as evidenced by the connected vehicle
advancing to the autonomous stage. While this is not yet a fully functioning vehicle for the masses at this junction, this new form is actively being tested and is in a limited scope use in certain locations, such as the University of Michigan-Ann Arbor with a limited number of buses
(Phelan, 2018) and shuttles (Carney, 2018) for the University students utilize for transportation, along with limited bus routes in other areas.
One of the primary requirements for the autonomous drive (AD) vehicles is for the vehicle to be fully aware of its geographic location at all times. This is an absolute requirement as the vehicle needs to be actively engaged with driving on the road and not driving on
inappropriate areas or unintended objects, including persons, or off of the intended driving area, e.g. a cliff. This would prove to be disastrous for the object or person being struck by the AD vehicle, the driver and vehicle occupants, and the vehicle. To ensure the appropriate driving procedures are implemented, one application is the use of global navigation satellite systems (GNSS) within the vehicle modules. This would work to pinpoint the vehicles location in relation to the road, landmarks, or area in which it is driving. Without this and other mechanisms in place, the result would be difficult to fully imagine. To complicate matters, dependent on the
physical structures proximate to the vehicle, the precise vehicle location may be affected by the number of satellites the vehicle is receiving the signals from, the ionosphere, and the environment (e.g. tall buildings surrounding the vehicles, as encountered in large cities). GPS/GNSS is not a new technology. This was engineered and implemented over 44 years ago by the military and has been in use since in varying capacities. This has been in use for navigation by the government, including the military, and private industry for decades (Warner, & Johnston, n.d.). Although initiated by the military, the civilian applications have grown much more in use (van Niekerk, & Combrinck, 2012). This includes buses, taxes, delivery vehicles, emergency vehicles, civilian vehicles, marine traffic, and air traffic. This was allowed for civilian use in the 1980s and uses at least 24 satellites in determining the vehicles location (Garmin, n.d.; Kyes & Ravikumar, 2017). The GNSS works, in short, by interpreting the ephemeris data, or orbital information from the satellite(s), to determine the receiver’s location.
GNSS is better known by several acronyms, dependent on the country of origin. The examples of this include this being known as Galileo in the European Union (EU), GLONASS in Russia, BEIDOU in China, IRNSS/NABIC in India, GPS in the U.S., and soon QZSS in Japan.
Over time, the technology utilized with the GPS/GNSS has improved and evolved (Schmidt, Radke, Camtepe, Foo, & Ren, 2016). This has been achieved through more advanced equipment and communication methods. At this point, the process provides the receivers position within one meter (Parkinson, Ward, Wilson, & Miller, 2017) dependent on several factors.
Clearly this functionality is a requirement for safe operations. Without this system in place, robust and tested, there would be rather significant and immediate issues. As this is pertinent, GPS/GNSS has become an attack vector. The attackers are able to create new and
adjust prior methods to attack these units. The equipment used for the attacks cost is not prohibitive and the units are not excessively large or cumbersome (Schmidt, Radke, Camtepe, Foo, and Ren, 2016). To further complicate the situation and environment, the units used to attack GPS and counterfeit the GPS signals are relatively easy to assemble (Humphreys, 2012).
For a few hundred USD (Gowand, 2017; SWLING, 2018; Alongi, 2018), any person is able to perfectly spoof the GPS signal to indicate the specific geographic point is anywhere on the globe. Proof of concept (PoC) tests have been clearly shown to spoof a GPS signal for an object in Michigan to be falsely located in Russia, above the Chernobyl reactor. While clearly is not plausible, the counterfeit data indicates otherwise to the vehicle’s GPS.
To improve their trade and services, spoofing research also is on-going (Schmidt, Radke, Camtepe, Foo, & Ren, 2016), to ensure the optimal attacks are available and robust. This is a natural progression in the attack and defense cycle. Based on this troubling information, the remediation objectives and plan should be analyzed and created now to avoid the potential issues in the future. Without this actively and directly in place, the implementation of AD vehicles would be problematic at best, and a disaster in implementation as the vehicles GPS may indicate the equipment is several miles or continents away from the accurate location.
As noted, spoofing the GPS signal in order to trick the AD vehicle into accepting its location is different than it actually is has been shown to be inexpensive and not difficult to emulate. This has been due in part to the popularity of GPS creating a more transparent architecture for the attackers to research and analyze (Parkinson, Ward, Wilson, & Miller, 2017).
The GPS spoofing works by deceiving the GPS receiver by broadcasting the GPS signal for the false location (Zhan, & Zhu, 2017). This fraudulent GPS signal is received and deemed as authentic, although incorrect. The GPS spoofing can be very simple to implement (Aloni, 2018). The attacker simply implements a software defined radio (SDR) and antenna, which are not excessively costly items, and the software, which is open source. To expand the range and number of vehicles potentially affected, the attackers may also use an amplifier, which also is easily secured and integrated into the attack platform. To further complicate the GPS spoofing attack for the defensive teams and engineers involved with these vehicles, the attackers are not required to be present or proximate to the vehicle to affect the attack (Fan, Zhang, Trinkle,nDimitrovski, Song, & Li, 2015).
There have already been extensive field tests for GPS spoofing completed by researchers (Fan, Zhang, Trinkle, Dimitrovski, Song, & Li, 2015). A recent lab test in September 2018 indicated a perfectly viable GPS spoofed signal received over a quarter mile from the GPS
spoofing equipment with an adequate signal strength to be received and utilized by the target party’s vehicle. This was accomplished with a minor signal amplifier. With a greater level of amplification, which is not an issue or complicated process, the spoofed GPS signal could have easily reached over a mile. These tests have unequivocally indicated the traditional defensive mechanisms are unable to prevent the GPS spoofing attacks.
The underlying issue involves the GPS function itself. This is problematic due to many issues inherent to its processes and operations (Parkinson, Ward, Wilson, & Miller, 2017). The standard defense is to increase the number of satellites being monitored by the module. In theory, this would provide better coverage for the AD vehicle. This was potentially a mild remediation until this defense was overcome by additional and stronger GPS signals and a greater number of spoofed GPS sources (i.e. more than one module spoofing the GPS signals) (Parkinson, Ward, Wilson, & Miller, 2017).
The GPS spoofing attack targets may be divided into two separate types. These are focused on the target as being static or dynamic (Montgomery, Humphreys, & Ledvina, 2009). The static target is fixed, much like a building or other permanent site. The dynamic target, however involves the target moving and being mobile. This would be the case with marine vessels on the lakes or oceans, aircrafts, vehicles, or other targets which are not stationary. Notably another dynamic target would be the UAV or drones (Kerns, Shepard, Bhatti, & Humphreys, 2014). These are both viable targets for the GPS spoofing attack. As noted, the attacker may simply use an SDR to affect the GPS spoofing attack. Another form of viable attack tools are the GPS jammers (Montgomery, Humphreys, & Ledvina, 2009), which are easily procured and utilized. These units are also inexpensive, sold by many vendors, and have been proven to be very effective. The GPS jammer attack is effective in the inverse manner to a typical described GPS attack. Instead of providing a false location, the receiving unit is flooded with GPS signals. The module received such a mass of signals, that it may not differentiate the true signal among the many.
With the ease of securing the GPS spoofing equipment in its various forms, the attacks being rather successful, lack of the need to be proximate to the target (Fan, Zhang, Trinkle, Dimitrovski, Song, & Li, 2015), and many other factors, this technology has the direct potential to be a detriment to the targets operations, i.e. AD vehicle, and persons involved. As the geographic impact area for GPS spoofing is rather extensive with the described equipment, the defenses and remediations need to be researched, tested, and implemented. Any delay in this has the potential to delay AD vehicles, and have a distinct negative impact on all other vehicles and
modes of transportation using any form of GPS.
Significance of the Research
GPS use is widespread in consumer and commercial vehicles, marine vessels, aircraft, and virtually all other vehicles in use today manufactured in the last decade in various capacities. This expansive implementation is only going to increase as the AD vehicles are in use at greater levels, and other modes of transportation become autonomous to a greater extent. The thought experiment and proof of concept (PoC) testing to date has shown the GPS spoofing effects can be significantly serious and effect vast numbers of people immediately (Humphreys, 2015b) given the affected area. There have also been field tests with GPS spoofing (Fan, Zhang, Trinkle,
Dimitrovski, Song, & Li, 2015). Beginning in at least 2001, the federal government has noted there is an issue with GPS spoofing and its potential for detrimental effects to those within the effected geographic area. In 2001, the U.S. Department of Transportation analyzed the infrastructure utilized by the different modes of transportation (Montgomery, Humphreys, & Ledvina, 2009), which noted the vulnerabilities with civil GPS disruption.
Until 2015, GPS spoofing, while an issue, did not have the opportunity for widespread abuse as this presently does. Granted, this was a possibility, however did not garner a significant amount of attention or use. In 2015 at a hacker’s convention, this changed. The presenter shown the ease needed to affect this attack (Goward, 2017; DefCON, 2015). The research and subsequent remediation protocols will secure the GPS against known and potential future unknown attacks, as the defensive measures will be forward-looking and encompass many more forms of defense than what has been nominally put into place. These measures, as noted, are extensive and when used in conjunction, further reduce the opportunity for a successful GPS spoofing attack on the targeted mode of transportation. While this may appear to be ethereal and an esoteric exercise, there allegedly have been successful GPS spoofing attacks located outside of the lab and PoC testing in the real-world. One of which allegedly occurred in December 2011 when Iranian forces may have spoofed the GPS
signal to disable a drone (Psiaki, & Humphreys, 2016). There have also been potential incidences in the Korean peninsula and the Ukraine. A notable alleged incident occurred with GPS interference regarding shipping in the Black Sea. Over an extended period of time, the ships GPS indicated the location was at an airport several miles inland, while the ship was 25 miles off-shore (Gowand, 2017). The implications for this form of attack are rather significant for several industries, most of which have not fully considered this as an attack vector.
This timely topic requires additional research with an AD vehicle in the field in order to test the proposed defenses. The defenses have been noted to be relevant, and in some cases used in other applications, however these need to be physically tested with a robust environment in conjunction with the AD vehicle to ensure the robust-nature of the equipment and defense posture. The hypothesis is the defenses, as following, will make a difference in the mode of transportation being able to detect the GPS spoofing attack and the defenses in place are effective in defeating the GPS spoofing attack.
There are a number of workable defenses to the GPS attacks within the environment. These defensive measures, while viable on certain levels, are not all on the same level of applicability or functionality. These are however noted to present an extensive list of defenses
Defenses Requiring Further Research and Testing
There are defensive measures available for defending against GPS spoofing, which are completely operationally viable and fiscally responsible. These options weigh the robust value of the defense, balancing the expense involved. Granted there are GPS spoofing defenses available which are quite expensive, however if these are not fiscally viable, the use case for these is moot. The first option considered is frequency hopping (Leek, 2013; Gabay, 2015). Certainly the attacker has fully read and digested the specification sheets for the varying GPS models. These detail the modules mechanics, and the bandwidth used. These are available from various sources. When the GPS uses only one signal bandwidth, the attacker has a predictable vector of attack. With frequency hopping, the attack vector changes per the proposed convention in use by the manufacturer. This additional layer of complexity would be difficult with today’s level of technology in place to successfully attack. To adjust the attack to mirror the frequencies would be problematic for the attacker in that the timing and frequency would have to be known and a script coded to accommodate this given the precise nature for the process. Although encapsulated in this section, this task would be substantial.
The use of in the minimum at least two antennas is a viable defensive measure (Gabay, 2015). This is beneficial for several reasons, including ease of use and fiscal considerations. Even when two antennas are not a substantial distance apart, these will receive slightly different authentic GPS signals. When the counterfeit GPS signal is received, both antennas would receive exactly the same signal. This quick and easy test would alert the vehicle of the GPS spoofing attack and take appropriate measures. These measures would include returning to trusted GPS signals from trusted satellites. This would include using the L1 and L2 bands.
In addition, the module may use drift monitoring as a plausibility or reality test (Psiaki, & Humphrey, 2016). This would analyze the present signal and attempt to detect any anomalous changes in the GPS receiver’s position or clock fix. The attempted GPS spoofing attack would cause the GPS receiver’s clock to indicate an error as the clock would be changing too rapidly, such as in the case in which one minute the module is in Grosse Pointe Park, MI, and the next in Lansing, MI or Montana. Clearly this is not possible. There would be a small margin of error built in. This is however not what the attacker is seeking to accomplish.
The module may also be reviewing the GPS signals for signal geometry based attacks. The module would need to monitor the direction of arrival of the signals by considering the received direction vectors (Psiaki, & Humphreys, 2016). In the authentic GPS signal use case, the direction vectors would be distributed across the sky. With the counterfeit GPS signal, this would not be the case as the signal origination would be terrestrial and the vectors would not be from the sky or distributed.
This was also researched in focusing on the hardware, as the antenna itself would be used to distinguish the direction of the signal arriving to the antenna (Stanford University Engineering, n.d.). The test itself in this particular detection method is relatively simple. Clearly the angle for the GPS should be relatively steep, as the signal is being sent by satellites orbiting the earth. If the angle were to be, for example, 30 degrees, there is an issue that would need to be resolved. The vehicle would not use this signal as one of the GPS signals it would be utilizing for the location. This aspect was also researched as the angle of arrival (AOA) would be detected and analyzed as a method of detecting counterfeit GPS (Montgomery, Humphreys, & Ledvina, 2009). Marshall (2018) recognized the usefulness of the time aspect and location alterations in the GPS signals as potential spoofing defenses. The algorithm utilized with this was engineered
to mitigate the effects of spoofed GPS attacks by detecting the counterfeit GPS time and location signals. The algorithm estimates the clock bias and drift of the GPS receiver along with the possible attack and detects if these are not relatively the same, accounting for a slight margin of error. This defense, along with the rest, is implemented in real-time. This was also researched by Khalajmehrabadi, Gatsis, Akopian, & Taha (2018) and Stanford University Engineering (n.d.).
The Spectral Subtraction (SS) model has also been proposed (Collins, Anderson, &yglinski, 2016). This model has its roots in audio processing. The model uses a baseline of frequency-domain noise measured with the GPS signal is not present. The next signal measurement is done with the authentic GPS signal. The signal, with this specific test or the others focused on the signal strength detection and comparison, at this point would need to be clean (Humphreys, 2012). This aspect is simple, inexpensive, and quickly implemented. The baseline is deducted from the secondary measurement with the authentic GPS signal to arrive at the expected authentic GPS signal strength. This estimated signal strength is then used to measure against subsequent signals to gauge the authenticity, both with and without the baseline. When the attacker is attempting to provide the module with a counterfeit GPS signal, the general use case involves using a vastly greater signal, amplified to achieve this state. This method would detect this and would not use the counterfeit GPS signal. The signal strength also was researched as a viable defense (Warner & Johnston, n.d.). The absolute GPS signal strength was monitored and recorded as the average signal strength over
time. This would be compared with the expected signal strength based on prior active recordings as the vehicle were to leave the manufacturing facility and within the first few days of operation. In the case where the signal strength would be significantly greater than this expected amount, as with a terrestrial spoofed GPS signal, the system would detect an issue and not use that particular
satellite or set of satellites for the location. This test format also analyzed the relative GPS signal from one data point to the next. Any large or significant change in the relative signal strength would indicate a counterfeit signal to be managed. This aspect is used more as a plausibility check for the signal. This secondary test may also be used to monitor the heading, vehicle speed,
and other aspects.
Kerns, Shepard, Bhatti, and Humphreys (2014) researched the monitoring of the signal strength. With this research also, when the GPS signal power within the bandwidth is significantly great than what is expected under quiescent conditions, there is an indication of an
issue, which needs to be addressed.
Defenses of Marginal Value
As noted, not all defensive measures have the same ability to defend against the GPS spoofing attacks. One defensive avenue may be to increase the power of the authentic GPS signal (Leek, 2013). Although in theory this is an acceptable alternative, there are issues. In the case where the GPS transmitter is terrestrial based and the target or mode of transportation under study is very localized, this may be a viable option. This is however not the case, would not be workable, and would however be problematic. Another option considered would be directional signals (Leek, 2013). For the same rationale as for the alternative of increasing the power of the authentic GPS signal, this is problematic. In a very select and static geographic boundary, this may be workable. This is however not the use case.
A cumbersome, problematic method would be encryption based defenses (Psiaki, &Humphreys, 2016). This would encrypt portions or entirety of the authentic GPS signals. The industry standard encryption would certainly be workable from the view of this not being able to be broken within a remotely timely manner by any attacker. This is one of the strongest defenses. With the encryption utilized, the transmitter GPS satellite and GPS receiver would have copies of the key, and work through the usual decryption process. The issue with this method is it is cumbersome, requires a secure method to distribute the keys to both the module and satellite, and
is not timely in the operation of the vehicle in many circumstances.
Defense in Depth
The GPS spoofing attack is unfortunately easily accomplished and done so with little expense. There is a bit of expertise required in the initial set-up, however there are tutorials to assist with this.
Although the defenses assuredly would be of great benefit individually to securing the GPS function of the vehicle, the issue presents itself of the person attacking the vehicle. With only one form of security with the vehicle in place for this function, the attacker would need to defeat only one defense to successfully attack the vehicle. To provide a defense in depth, much like with the enterprise, there would need to be in place more than one defensive measure. This would add the extra layer of complexity needed to dissuade attackers. As each layer is included in the defense, the complexity, time, and effort requirements also increase substantially. This
decreases the group of attackers willing to research and reverse engineer the processes for a successful attack.
To summarize the defenses, there are as viable defenses frequency hopping, implementation of multiple antennas, monitoring time and location drift, signal geometry/angle of arrival (AOA), and GPS monitoring. These defenses require varying levels of cost and effort
to implement. These do however provide the viable defense in depth needed for the GPS signals and AD vehicle to ensure any issues are minimal at the most. The combinations of these would not add a significant level of processing time or weight to the vehicle. As an example, the AOA may be incorporated into the system along with monitoring the drift and signal strength. In the alternative, as an example, the addition of another antenna may be utilized along with AOA. These are merely two of the possible, viable combinations which could be implemented with a not significant level of cost or processing usage (e.g. power and time).
ML and AI INTEGRATION
The defensive measures, while pertinent and needed for future production and AD vehicles, have the distinct possibility of not only repelling nearly all of the attacks, but also acting in a more intuitive manner to increase the connectivity with the user and vehicle, along
with improving the user experience. Instead of merely monitoring the situation and resisting the attack, the module would be able to not only note the attack, but also react to the attack and mold an approved response. The module would not simply repel the attack due to the form and protocols in place, but recognize the issue, report this, and gather data or information as needed to alert the third party this is occuring and the metadata associated with the attack. Without regard to the chosen defense in depth, the integrated AI would have a protocol in place to defend the vehicle and by extension the user(s). The AI system would continuously be monitoring the system and the data generated from its operations. This function would work within the logging workflow. In the instance of an unusual data point as compared to recent prior data points or the trend, the system would note this immediately. Not every data point would be perfect, as noted there is an acceptable, yet slight, margin of error at this point. If this were to continue pat the one or two sequential data points, this would be indicative of a system failure or an attack. Either one of these is problematic at best and has to be remediated in an exceptionally timely manner. The GPS system would be triggered to contact the central system node. This feature acts to report an issue and to correlate potential anomalous and attack activities with other modules, and metadata.
Per the OEM, standards and requirements, well before deployment, there would be in place a criticality scale for these events. Based on the placement of the issue on the criticality scale, the AI system would react accordingly. This may include simply asking the driver to
verify an estimated location or a landmark the vehicle would be approaching (e.g. the AI system pardoning itself for an interrupting the human and asking if the vehicle is approaching the FCA corporate headquarters during a drive on I-75 in Auburn Hills, MI) or letting the driver know they may need to take control over the vehicle operations temporarily.
Based on where the issue is placed on the scale by the AI module, there may be other events that need to occur, such as the log being uploaded by the OEM or other designated party immediately in comparison to daily or weekly. The possible combinations for the noted defenses are rather substantial. To test each of these combinations would prove to be rather exhaustive, time-consuming, and costly in terms of the direct and indirect labor, exclusive of the time element. If time and expense were not to be presented as an issue, certainly each of these could be tested at length. This would however not be an efficient or optimal use of resources. An option not requiring a significant number of modules or equipment would incorporate these factors focused on more the processing of the data. With the first noted option, the hardware added to the vehicle would be an altimeter. The data processing software would
include the GPS monitoring, time and location drift, and in the instance when the hardware had the capacity, adding in the signal geometry/angle of arrival. These would add a sufficient number of layers to the defense in depth to increase the effort and time requirements to a sufficient level, while adding in an exponential layer of complexity, to deter most attackers. If, in the specific use case for the OEMs, the altimeter would not be within a workable solution, an alternative piece of equipment would be the incorporation of at least two antennas. This, while accumulating the other processing factors, still provides for the more than adequate vehicle cybersecurity protection.
While a data flow for each of the use cases could be generated, the exercise would indeed be expansive. The data for the applied use cases would be analyzed and compared to prior authenticated data to verify if the present data is authentic or counterfeit. An example of this would involve GPS monitoring and ancillary, related monitoring. As the vehicle nears the end of the manufacturing line, during the final stages of production, the vehicle would be wheeled or driving outside of the manufacturing facility. The vehicle would acquire the authentic signal strength to record the estimated baseline GPS signal strength. Later after the vehicle is sold, during the vehicle operations, this would be receiving GPS signals. The module would monitor the signal strength, location, altitude, and time. During
this time the data would be added to the data set already recorded. The module would measure the signal strength. This would provide a plausibility test. The signal strength should be relatively the same as the original baseline amount. This would be checked periodically as each signal is received. The signal strength would also be checked against the receipt GPS signal coverage, within the last day. Lastly the actual location would be compared with the recent past location to ensure the vehicle is actually at or near the estimated location. The users are constrained by the laws of physics. A spoofed GPS signal may place the vehicle in Texas, when
this actually was in Flint thirty seconds prior. In the case there is an issue with the GPS, the follow-up action would be determined by
the OEM. This may manifest itself in the form of leaving a message for the user, OEM, or other predetermined action.
With the location, time, and altitude, these are also monitored and checked with a plausibility test. Time follows a linear path. This is easily analyzed and checked with a simple algorithm. If the time were to not align to where it should be (e.g. to far behind or ahead of
where it should be), there is an indication of an attack or an issue with the vehicle. In either circumstance, this would need to be reviewed by the appropriate persons (i.e. the dealership). The test for the altitude also is relatively simple. At this junction, there are not flying vehicles. If the vehicle is located, per the data, 300 meters above where the ground actually is, there is an issue that needs to be resolved.
The connected vehicle, relative to the industry, is newer and the AD vehicle is currently being designed. At this stage, the focus has been on the operations, receiving, and analyzing data. The cybersecurity features have not been overly scrutinized. This new application of security, as it relates to the GPS defenses, would add cybersecurity to the GPS monitoring system. This
would monitor and analyze the GPS traffic, from the chosen sources, to secure the vehicle and user(s) in the vehicle during operations.
At this time, the cybersecurity for GPS is not being applied to a sufficient level. As the AD vehicles continue to be engineered, this aspect of cybersecurity will need to be addressed.
The connected vehicle has been in production and driven by consumers and in commercial applications for over a decade. The next iteration of paradigm shift is with the AD vehicle. This is not if, but when these vehicles will be in full production and on the various roadways through the U.S. and other countries. As these vehicles are autonomous, there has to be a rather significant set of safety features in place to ensure the safety of not only the drivers and occupants of the vehicle, however the others also on the roadway. One aspect to focus on is the GPS for the vehicle. In the case where the GPS data is not reflective of the vehicle’s actual location, there is the potential for a disaster. The security measures noted provide a sufficient defense in depth, while not over-burdening the vehicle or the computer processors in the modules. While this is only one set of security features, this is merely
one piece of the overall cybersecurity for the vehicle.
Aloni, P. (2018, January 16). New defenses sought against cyberattacks. Retrieved from
Carney, S. (2018, June 4). MCity driverless shuttle launches on U-Ms north campus. Retrieved from
Clemson University. (2018, January 17). New defenses sought against GPS spoofing attacks. Retrieved from
Collins, T., Anderson, C., & Wyglinksi, A. (2016). Implementation and analysis of spectral subtraction in deterministic wide-band anti-jamming scenarios. Wireless Communications & Mobile Computing, 16(18), 3201-3211. doi:10.1002/WCM.2751
DefCON. (2015). Using GPS spoofing to control time. Retrieved from
Fan, Y., Zhang, Z., Trinkle, M., Dimitrovski, A.D., Song, J.B., & Li, H. (2015). A cross-layer defense against GPS spoofing attacks on PMUs in smart grids. IEEE Transactions on Smart Grid, 6(6), 2659-2668. doi:10.1109/TSG.2014.2346088
Gabay, J. (2015, September 3). Jamming and anti-jamming technologies for RF links. Retrieved from
Garmin. (n.d.). About GPS. Retrieved from
Gowand, D. (2017, August 22). GPS spoofing incident points to fragility of navigation satellites
Humphreys, T. (2012, July 18). Statement on the vulnerability of civil unmanned aerial vehicles and other systems to civil GPS spoofing. Retrieved from
Humphreys, T. (2015b, June 11). Toughening techniques for GPS receivers: Navigating message
authentication. Retrieved from
Kerns, A.J., Shepard, D.P., Bhatti, J.A., & Humphreys, T.E. (2014). Unmanned aircraft capture and control via GPS spoofing. Journal of Field Robotics, 3(4), 617-636. Retrieved from
Khalajmehrabadi, A., Gatsis, N., Akopian, D., & Taha, A.F. (2018). Real-time rejections and mitigation of time synchronization attacks on the global positioning system. IEEE Transactions on Industrial Electronics, 65(8), 6425-6435. doi:10.1109/TIE.2017.2787581
Kyes, J., & Ravijumar, A. (2017, October 26). What is GPS? Retrieved from
Leek, T. (2013, August 23). Strategies against jamming attacks? Retrieved from
Marshall, P. (2018, March 20). Patching security holes in GPS, computer timing. Retrieved from
Montgomery, P.Y., Humphreys, T.E., & Ledvina, B.M. (2009, March/April). A multi-antenna defense: Receiver-autonomous GPS spoofing detection. Inside GNSS, 40-46.
Montgomery, P.Y., Humphreys, T.E., & Ledvina, B.M. (2009). Receiver autonomous spoofing
detection: Experimental results of a multi-antenna receiver defenses against portable civil GPS
spoofer. ION 2009 International Technical Meeting, 2009, Anaheim, CA. Retrieved from
Parkinson, S., Ward, P., Wilson, K., & Miller, J. (2017, March). Cyber threats facing autonomous and connected vehicles: Future challenges. IEEE Transactions on Intelligent Transportation Systems, 2017(March), 1-18. doi:10.1109/TITS.2017.2665968
Phelan, M. (2018, April 13). Self-driving electric shuttle buses to begin at University of Michigan.
Psiaki, M.L., & Humphreys, T.E. (2016). GNSS spoofing and detection. Proceedings of the IEEE, 104(6), 1258-1270. Retrieved from
Schmidt, D., Radke, K., Camtepe, S., Foo, E., & Ren, M. (2016). A survey and analysis of the GNSS spoofing threat and countermeasures. ACM Computing Surveys, 48(4), 64:1-13.
Stanford University Engineering. (n.d.). Anti-spoofing. Retrieved from
SWLING. (2018). Software defined radio primer part 1: Introduction to SDRs and SDR applications.
Van Niekerk, A.F., & Combrinck, L. (2012). The sue of civilian-type GPS receivers by the military and their vulnerability to jamming. South African Journal of Science; Pretoria, 108(5/6), 1-4. doi:
Warner, J.S., & Johnston, R.G. (n.d.). GPS spoofing countermeasures. Retrieved from
Zhang, T., & Zhu, Q. (2017, October 4). Strategic defense against deceptive civilian GPS spoofing of unmanned aerial vehicles. In: Rass S., An D., Kiekintveld, C., Fang F. Schauer S., (eds.).
Decision and game theory for security. GameSec 2017. Lecture Notes in Computer Science, vol
10575. doi: Retrieved from
Connected and autonomous vehicle (CAV) GPS: Attacks and using defensive AI implementation
May 1, 2018
A paper by Joseph O. Esin
Eliminating Gender Disparity in Cybersecurity Professions Through Education
Gender disparity refers to an unequal representation of one gender and attempt to eliminating the process will require understanding, development of an aggressive, analytical approach and comprehensive plan of action. Certainly, there is no specific occupation designed for only men or women; henceforward, all individuals must be afforded equal representation in cybersecurity profession. Gender disparity tends to limit cybersecurity profession to the male domain and lapses in the implemention of measures to eliminate gender disparity will intensify poverty and unequal career opportunities across the globe. Determined efforts to elimination of gender disparity must include the creation of equal education opportunities for men and women, equip everyone with skills and expertise to protect the vulnerable and unguarded global population. The educational system is designed to sponsor solutions toward the eradication of the looming gender disparity. High school, college, university graduates will like to live in cities, states and nations where job opportunity is a promising norm, respect, and dignity upon the completion of the rigorous academic exercise and most parents want their children to secure stable employment upon graduation. In addition, leaders within educational systems are encouraged to establish a Parent's Education Career Advisory Council (PECAC) to keep parents duly informed on their children's academic performance, leading to a muchneeded cybersecurity career pathway.
Cybersecurity is a branch of computer forensics managed by a team of expressly trained information security professionals who are ready to battle cybersecurity attacks, cybercrime, corporate theft, the destruction of intellectual property, and financial fraud. Apparently, most individuals within private, public, healthcare and higher education organizations view cybersecurity as a male-dominated profession. As Weingarten (2017) noted, the origin of gender disparity in cybersecurity occupations supports the premise that men invest more time pursuing cybersecurity careers than their women counterparts. The unequal representation of women in cybersecurity profession can be eliminated through well-conceived education, increased exposure to structured conferences, training, and workshops.
Per Esin (2018) and LeClair and Pheils (2016), gender inequality is detrimental to the international community; hence, despite women's efforts to promote equality, they are often subjected to lower wages and lack of leadership roles. As LeClair and Pheils (2016) and Weingarten (2017) posited, men continue to earn higher wages and achieve leadership positions notwithstanding women's astonishing gains to dismantle the gender barriers in a conventionally male-dominated profession. Freedman's (2016) findings on gender disparity in cybersecurity careers revealed the gradual erosion of undesirable opinion to wipe out the gender disparity in cybersecurity careers is still active regardless of women's growth and advancement in the cybersecurity realm.
Per LeClair and Pheils (2016) and Esin (2018), women who are entrusted with positions of responsibility are often proactive, innovative, and effective leaders in private and public, healthcare, and higher education organizations. Gender inclusiveness is a much-needed means of eliminating gender disparity across the globe. Most women are tenacious, resourceful, and often willing to accept a precarious position of responsibility, even in the face of insurmountable odds; therefore, they must be accepted as active members of cybersecurity operations (Jackson, 2018).
Despite the current atmosphere, women are well suited and able to help in expanding the horizon of cybersecurity career. The apparent decline in the number of women pursuing careers in cybersecurity is directly related to disproportionate hiring practices, lopsided selection processes, and uneven recruitment policies portraying women as less effective than their male counterparts. Per Chuang (2017) and Weingarten (2017), women often face challenges such as peer intimidation, sexual harassment, aggressive and authoritarian imageries depicted in social media and news headlines. No occupation including cybersecurity is designed to be dominated by men or women; fairly, all persons, regardless of race, gender, or creed, must be afforded equal representation in cybersecurity professions (Esin, 2018; Jackson, 2018; LeClair, 2016).
Gender disparity is detrimental to the institution of human civilization and can intensify poverty and unfortunate standards of living in any community. Creation of Cybersecurity Education Per Forrester (2015), eliminating gender inequality in cybersecurity and in a growing digital world is a challenging undertaking. Individuals in most segments of the academic biosphere argue in support of the premise that grade school and high school students were not actively included in cybersecurity education because of the intensive physical and mental involvement required to acquire adequate skills and expertise in cybersecurity professions.
Cybersecurity education should be integrated into grade school, high school, undergraduate, graduate, and postgraduate programs (Freedman, 2016). Incorporating of cybersecurity education within the grade school and high school settings will empower the new generation with the skills and expertise needed to battle the proliferation of cybersecurity attacks, cybersecurity threats, identity theft, electronic fraud, cyberbullying, cyberterrorism, and support the creation of job opportunities for aspiring cybersecurity professionals across the globe.
Results of studies conducted by the International Trade Union Confederation (ITUC, 2009), Raytheon-NCSA (Forrester, 2015), and the Workplace Gender Equality Agency (WGEA, 2018) on the gender disparity in cybersecurity careers showed the following:
• In the United States, 67% of men and 77% of women support the formation of collaborative cybersecurity education within grade schools through high schools (Grades 9 through 12), undergraduate, graduate, and postgraduate programs to empower the new generation with the skills and expertise to battle cybersecurity attacks and guarantee the growth of job opportunities in cybersecurity professions across the 50 states in the continental United States;
• 62% of men and 75% of women across the nation support the formation of collaborative cybersecurity education within grade schools through high schools (Grades 9 through 12), undergraduate, graduate, and postgraduate programs to empower the new generation with the skills and expertise to battle cybersecurity attacks and guarantee the growth of job opportunities in cybersecurity professions across the globe;
• 47% of men and 39% of women across the globe support the premise that cybersecurity fits into the male domain; and
• 52% of young women and 39% of young men across the globe believe women have limited opportunities within cybersecurity professions.
Measures to eliminate gender disparity cannot be successful without accepting and recognizing the process as a hindrance to women professional advancement. Henceforward, leaders of private, public, healthcare and higher education organizations need to accept the existence of gender disparity and recognize that women are underrepresented in cybersecurity career pathways and put a plan of action in place to resolve the alarming gender disparity problem. As Ricciuto (2017) noted, men and women operate differently, and both are capable of being prominent and productive members of global cybersecurity operations. Raytheon-NCSA (Forrester, 2015) and the ITUC (2009) attested that a career in cybersecurity must be viewed as attainable by both women and men in the new generation (Forrester, 2015; LeClair & Pheils, 2016; Ricciuto, 2017).
The statistics reinforce that women are underrepresented, which tends to hinder their growth and development in cybersecurity operations (LeClair & Pheils, 2016; Ricciuto, 2017). Men and women, regardless of academic disciplines such as sociology, psychology, history, counselor education, philosophy, and social work, can help in the evaluation of the behaviors of perpetrators of cybersecurity attacks.
The Raytheon-NCSA (Forrester, 2015) and ITUC (2009) reports showed that 47% of men and 39% of women across the globe support the premise that cybersecurity fits into the male domain. Most leaders of organizations tend to maintain a bias in favor of appointing men to leadership positions within cybersecurity career realms (Sethi, 2017). As LeClair and Pheils (2016) posited in their studies on “women in cybersecurity”, organizational leaders must adopt aggressive step to reshape cybersecurity career paths and establish a culture of encouraging and accepting women as active members of cybersecurity professions. Per Esin (2017) and LeClair and Pheils (2016), redesigning gender inequality concept is a credible pathway toward eliminating the maledominance that is prevalent within cybersecurity professions. The eradication of gender disparity must include the creation of equal education opportunities for men and women, avoid traits of underestimation, intimidation and understanding of the importance of equal partnership in cybersecurity profession.
Creation of collaborative cybersecurity education from grade school and high school (9 through 12), undergraduate, graduate and post-graduate program will empower the new generation with skills, expertise and tenacity to battle cybersecurity attacks and guarantee pace of job opportunities in cybersecurity profession across the globe. (Esin, 2017, p. 3) The projected cybersecurity education must be designed to inspire hope, modulate public fears, eradicate the proliferation of cybersecurity attacks, cybersecurity threats, cyberterrorism against vulnerable and innocent global citizens. The course offerings must be designed in partnership with 2-year community colleges, 4-year liberal colleges, university settings, the United States Naval and the Army Cybersecurity Command Institutes. The future cybersecurity education partnerships must be structured as a team operation with a Steering Cybersecurity Advisory Board (SCAB) to guarantee students of uninterrupted training sessions and reinforcing their participation in the program. Members of the SCAB must include grade school and high school educators, academic and behavioral counselors, students' parents, college and university directors of career services, the United States Naval and Army Cybersecurity Command Institute, college and university instructors and professors. Instructional delivery materials must be designed to accommodate multiple languages, physical learning materials as well as individual and group real-world hands on training sessions.
Education is a process of acquiring knowledge, skills, expertise and developing sovereignties of reasoning, ethical and moral judgment, intelligence, maturity, and life-long profession. The foundation of cybersecurity education leading to cybersecurity careers must recognize family contributions (Forrester, 2015; LeClair & Pheils 2016). A family is a divine institution guided by parents who are often sympathetic with victims of cybersecurity attacks. Parents may influence their children to believe that cybersecurity belongs to the male domain and will take challenging negotiation and both behavioral and academic approaches to change children’ original conviction.
I am a theologian by profession, but twenty-nine (29) years ago, my body, mind, soul, and intellectual power were entrenched in intensive negotiation to switch from theology to computer information systems and cybersecurity and it was not a smooth sailing pilgrimage. Leaving one's original career path in search of a new profession is a risk, even though, it may equally be an opportunity to overcome surprising challenges and ensure a successful future. Women must be encouraged to embrace educational opportunities to circumvent traits of intimidation and become equally represented in cybersecurity professions.
The Raytheon-NCSA (Forrester, 2015) report showed 52% of young women and 39% of young men across the globe believed women have limited chances in this so-pronounced male-dominated profession. Most young men and women are overly cautious and want to be 100% ready prior to venturing into cybersecurity professions (Forrester, 2015; LeClair & Pheils, 2016; Sethi, 2017). There are risks and challenges in any profession and most occupations are engrained with both positive and uninviting consequences. Per Weingarten (2017) and Esin (2018), well-conceived cybersecurity education must involve academic course offerings to dive into a degree program; interactive simulations and instructions leading to productive, in-depth understanding; and reinforcement of the course content. The worldview of cybersecurity careers has expanded because of the projected zero unemployment among cybersecurity professions but faces with denying women equal leadership opportunities within cybersecurity operations (Jackson, 2018). Currently, there are not enough men and women trained to meet the demand; hence, collective efforts are needed to battle global cybersecurity threats. Current researchers on gender disparity, such as Terwoerds, Woods, and Kane (2017), Chuang (2017) LeClair & Pheils (2016), posited that there are presently one million unfilled cybersecurity employment opportunities, a number that is projected to grow up to 1.8 million unoccupied cybersecurity employment openings by 2025.
Male and female students are emotionally committed and depend on assistance from their college professors, instructors, grade school and high school educators, and parents when deciding on a career path. As Freedman (2016) and Esin (2018) posited, cybersecurity aspirants may be wellversed with the belief that the profession belongs to the male domain and tend to trust the education advice-givers when making vital life-long decision. There is a need to establish cybersecurity degree program, course offerings, conferences, workshops, and training sessions to keep up with the challenges in this new and explosive profession. Current and future graduates will like to live in cities, states and nations where job opportunity is a promising norm with reachable career goals, respect, and dignity upon the completion of the rigorous academic exercise. Most parents want their children to secure stable employment upon graduation.
Demand for cybersecurity professional is growing at a rapid pace and job opportunities for aspirants in the field of cybersecurity are strong across the globe than ever before. (Esin, 2018, p. 4) A paradigm shift reflected in the integration of cybersecurity education beginning from grade school, high school, undergraduate, graduate and postgraduate settings requires understanding, motivation, and career advancement regardless of age and gender. A credible and instantaneous global approach is to prepare the next generation with the expertise to protect the defenseless global population. The education system is a universal and promising center intended to develop solutions to eradicate cybersecurity attacks against global innocent citizens. Leaders within educational systems need to establish a Parent's Education Career Advisory Council (PECAC) to keep parents properly informed on their children's academic performance leading to a much needed career pathway.
Education systems are often commended for extending invitation letters to parents and relatives to attain graduation ceremony, or when students are in trouble. Cybersecurity, like other academic disciplines, is a challenging, rigorous, and time-consuming program, requiring an intellectual approach through partnerships and alliances with grade school and high school educators, colleges and universities instructors and professors, behavioral and academic counselors, and directors of career placement services.
Chuang, T. (2017, March 19). Cybersecurity industry hopes women will help fill 1.8 million jobs: Diversity helps cybersecurity industry find new perspectives, new blood, but approach needs to improve. The Denver Post. Retrieved from
Esin, J. O. (2017). The landscape of cybersecurity threats and forensic inquiry. Bloomington, IN: Author House.
Esin, J. O. (2018). From historic to present day culture of social engineering attack. Washington, DC: Washington Center for Cybersecurity Research and Development (WCCRD).
Forrester, A. (2015). Raytheon-NCSA survey: Gender gap widens on cyber career interest. Retrieved from Executive Biz website:
Freedman, L. F. (2016, August 24). The goal of gender equality in cybersecurity. Retrieved from Robinson+Cole website:
International Trade Union Confederation. (2009). Gender (in)equality and women in the labor market: An overview of global trends and development. Brussels, Belgium: Author. Retrieved from
Jackson, R. M. (2018). Seminar: What causes gender inequality? Retrieved from
LeClair, J., & Pheils, D. (2016). Women in cybersecurity. Albany, NY: Hudson Whitman & Excelsior College Press.
Ricciuto, H. (2017, March 15). Representation of women in cybersecurity remains stagnant, despite recent efforts to balance the scales. Retrieved from IBM website:
Sethi, R. (2017, March 14). Women in cybersecurity: My journey to InfoSec. Retrieved from Palo Alto Networks website:
Terwoerds, L., Woods, L., & Kane, K. (2017). Biennial women in cybersecurity report reveal that female representation in the industry remains stagnant [Press release]. Retrieved from (ISC)2 website:
Weingarten, E. (2017). The gender gap in cybersecurity jobs isn't getting better. Slate. Retrieved from /2017/03/a_new_study_suggests_the_cybersecurity_gender_gap_isn_t_getting_better.ht ml
Workplace Gender Equality Agency. (2018, February). Gender workplace statistic at a glance. Retrieved from
About the Author - Joseph O. Esin - Lead Professor of Computer Information Systems Jarvis Christian College, Hawkins, Texas USA Visiting Professor of Research University of Calabar, Nigeria
A Paper by Viesturs Bamban
Viesturs Bambans, information security engineer, M.sc., CISSP, CHFI, CEH, © 2016
Rudolfs Gulbis, M.sc. Phys., RTU researcher, © 2016
Windows 10 encryption issues in the perspective of HIPAA compliance – short overview
Windows 10 implementation in to the Hospital/private practice environment brings benefits and some issues. One of the issues is related to HDD/SSD encryption via Bitlocker. Healthcare environment is populated by diverse computer systems – some are cutting edge, while others are up to 5 years old or older. Those machines are kept in the Hospital environment due to specific needs/tasks. On the other hand there are machines which have self encrypted HDD/SSD and UEFI. This mixed up computer pool provided challenge in implement Windows 10 according to the HIPAA requirements("Breach Notification Guidance | HHS.gov," 2009).
One of the HIPAA requirements is that any devices which are used to store or to
process PHI should have FIPS 140.2 compliant encryption("HIPAA Security Series #4 - Technical Safeguards - techsafeguards.pdf," 2016). The afore mentioned requirement can lead to twofold issues. Ones comes from incompatibilities between aging machines due to software and unsupported hardware, the second ones comes from ability to physically tamper with laptops which contain self
encrypt drives. Those general issues become more unmanageable due to that the majority of the medical devices are serviced by manufactures contractor and/or technical team("AOA_Report_TrapX_MEDJACK.2.pdf," 2016).
Aging laptops provide challenges for Bitlocker due to hardware/software issues. The extensive list of Bilocker requirements for Windows 10 is provided by Brian Linch in his article “Bitlocker frequently asked questions” (Lich, 2016a).
Another issue with Bitlocker is whether FIPS mode is enabled in Windows 10. In 2014 article by Aaron Margosis, the statement is that Microsoft doesn’t recommend FIPS mode for majority of their product users – “Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make. Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode“, (Margosis, 2014). For example Windows 10 E3 enterprise edition didn’t have
enabled FIPS by default: 2 General steps to take whether FIPS is enabled on the particular machine is:
Type Run in the search bar (or Win key +R), it will open Run.
Type gpedit.msc into the Run window.
Locate Computer Configuration, then Windows Settings, then Security Settings,
then Local Policies, then Security Options.
Within Security Options find “System cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing” – open with left double click.
Change the settings from “Disabled” to “Enabled”.
Close window and restart machine.
To minimize the issues which are based in hardware please verify whether HDD/SSD drives and their controllers are certified by Microsoft to use in particular Windows 10 edition. Direct link for the Microsoft site is:
Using the tool provided by Microsoft you will be able to find whether your particular hardware is Microsoft certified for use in fallowing editions:
Windows 10 Client;
Windows 10 Client x64;
Windows 10 Aniversary Update Client;
Windows 10 Aniversary Update Client x64;
Regarding Intel RST conflicts with Bitlocker on the Win 10 editions. Some Intel RST
versions had issues with Bitlocker on Windows 10. On the Intel product user forum can found extensive records which starts in in August, 2015 and up to November 2016. (of series of the records can be found - direct link htps://communities.intel.com/message/319342#319342 ).
If on the Hospital/private practices have computers and/or medical devices with older machines which are not supported by the newest versions of the Intel RST drives, then it can lead to inability to deploy Bitlocker. Physical tampering with laptop/tablet. Traveling nurses, doctors and others personal of a hospital/medical practice – which have engadge in traveling between several medical practices locations are daily routine. Due to that the risk of stolen/lost laptop/tablet increase proportionally to the time spend on the road. Additionally it will lead direct
business impact by restoring lost device, if data breaches occur, then the company will need to follow the HIPAA guidelines and company’s own policies.
Recommendation to the HIPAA compliant officer and/or Chief Information Security
Officer to review the inventory list and verify whether people who engage in telework or traveling between hospitals/medical offices and have access to the PHI – have tamper proof laptops/tablets. Ponemon’s Institute Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data(LLC, 2016), on the question – “Resources prevent or quickly detect unauthorized patient data access, loss or theft“, receive agreement in 2016 – 37 from respondents. The data shows, that not all of Hospitals and medical practices follow the guidelines provided by HHS.gov, to minimize the risk of theft.
Microsoft made changes in the November, 2016 update regarding Bitlocker functionality and mitigation of the exploits against the Bitlocker (Hakala, 2016). One of the changes was to ability to block DMA ports during startup it will mitigate threat which involves use of Firewire to capture the content of the RAM(Afonin, 2016).
Some computer manufacturers include in the BIOS settings which allow to prevent
physical tampering with HDD or RAM. Those settings are secured by password in the BIOS.
Additional some manufacturers add detection of tampering with internal storage:
Those settings will help mitigate attacks on systems integrity by exploiting SATA hot plug functions.
The Bitlocker is most vulnerable in pre-boot attack. Microsoft provided guidance that Bitlocker should be used with secondary authentication key stored in the USB or PIN(Lich, 2016b). However people during everyday routine persons tend to forget PIN and lose USB keys. In the guidelines by Microsoft wasn’t mentioned use of BIOS password as preventive to the Bitlocker pre-boot attacks(Haken, 2015).
Hot-unplug attack can be successfully implemented against laptop with Btilocker installed and sleep mode enabled on the machine(Daniel Boteanu, 2015). If computer/tablet is tamper proof it will be more difficult to use Forced Restart Attack, Hot Unplug Attack and Key Capture Attack against machine.
1. Audit computer/tablet inventory to determine if hardware is certfied for use for
Windows 10 OS.
2. Verify weather FIPS is enabled on the computers/tablets which are planned to
encrypt with Bitlocker or already are encryped. Enable FIPS to enforce HIPAA
3. Audit computer/tablet inventory to determine wether Intel RST versions which are installed on the machines are compatible with Bitlocker.
4. Disable Sleep mode on all computers/tablets to lower success rate for Forced
Restart Attack, Hot Unplug Attack and Key Capture Attack against machines.
5. Deploy tamper proof computer/tablets for machines which are use on the move.
6. Audit whether machines which are used on the move have memory slots under
the keyboard and those memory slots can be easily accessible by third party.
Don't deploy such machines to prevent tampering and use of Memory Pins Short
for forcing BSOD.
7. For the computers/tablets which are used on the mode enable BIOS password,
to mitigate Bitlocker pre-boot attack.
8. For computers on the move – use least amount of the HDD/SSD within, the
computer, to prevent carrying around information which are unnecessary for
If you have any questions regarding HIPAA compliance and Bitlocker, please free to
contact me or Rudolfs Gulbis .
Afonin, O. (2016). BitLocker: What’s New in Windows 10 November Update, And How To Break It « Advanced Password Cracking – Insight. Retrieved from website:
AOA_Report_TrapX_MEDJACK.2.pdf. (2016). TrapX Investigative Report. Retrieved from
Breach Notification Guidance | HHS.gov. (2009). Retrieved from HHS.gov website:
Daniel Boteanu, K. F. (2015). Bypassing Self - Encrypting Drives (SED) in Enterprise
Environments. Paper presented at the Defcon 2015.
Hakala, T. (2016). What's new in Windows 10, versions 1507 and 1511 (Windows 10).
technet.microsoft.com. Retrieved from website:
Haken, I. (2015). Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Paper
presented at the Defcon 2015.
HIPAA Security Series #4 - Technical Safeguards - techsafeguards.pdf. (2016). HIPAA Security
Series, 44. Retrieved from HHS.gov website:
Lich, B. (2016a). BitLocker frequently asked questions (FAQ) (Windows 10). Retrieved from
Lich, B. (2016b). Protect BitLocker from pre-boot attacks (Windows 10). technet.microsft.com.
Retrieved from website:
LLC, P. I. (2016). Sixth Annual Patient Privacy & Data Security Report - Resources - Sixth Annual
Benchmark Study on Privacy and Security of Healthcare Data .pdf. Retrieved from
Annual Benchmark Study on Privacy and Security of Healthcare Data
Annual Benchmark Study on Privacy and Security of Healthcare Data
Margosis, A. (2014). Why We’re Not Recommending “FIPS Mode” Anymore.
July 17, 2017
A Paper by Joseph O. Esin
Cybersecurity Professional Education and Inquiry
Cybersecurity has gone high on the list of priorities across the globe. Perpetrators of cybersecurity threats have raised their dreadful and intimidating schemes on vulnerable individuals, private and public organizations. The operative solution to battle the global scourge of cybercrime is to heighten the understanding, knowledge and awareness and reinforce intensive education on cybersecurity threats. As a flexible dialogue continues among vulnerable organizational executives, the startling rate of cyber risks, cybercrimes, hacking and cracking activities must be integrated into these organizations’ imminent plan of action. However many organization executives often tend to ignore solution to cybersecurity threats. Most information technology (IT) directors misguidedly assume that executives are well-versed in the fundamentals of security threats and such false premise often leads to communication failure. IT directors must stand firm in their mission-driven security threats plan to protect organizations against security threats. Over the past few decades, cyber-attacks perpetrators have grown swiftly, sophisticated, organized and often quite aware of intended facilities such as private and public financial entities, cyberwarfare, ransomware and malware across global communities, thereby threatening global data, information transmission and communication landscape. This sophistication must be responded to by a correspondingly heightened operational remedy beginning with intensive and sustained cybersecurity education, conferences, the creation and promotion of cybersecurity training, educating and conferences on how to battle cybersecurity risks of human populations.
Foundation of Cybersecurity
Most private and public organizations are operating without boundaries, including unrestricted integration of laptop and mobile communication devices as a part of the network system (Assenter and Tobey, 2011 & Cameron, 2015). Indeed, local, state and federal governments are responsible for protecting individuals and vulnerable citizens from all types of attacks against personal and/or corporate freedoms and securities. It is now imperative for citizens of the world community to get deeply involved in protecting and securing the nations. (Cross, 2008;Bucci and Rosenzweig, 2014& Smith, 2015). Currently there is practically zero unemployment among cybersecurity professions, and the global demand will outpace supply of cybersecurity professionals at every level in the next seven years. As a result, there is an urgent need for cybersecurity architects and experienced personnel to facilitate security education process.
Most private and public organizations are currently watching and considering cybersecurity aspirants to work in their security operation centers. However, many people consider cybersecurity education very intimidating. In response to assuage of this insecurity and intimidation, cybersecurity institutions, such as Washington Center for Cybersecurity Research and Development (WCCRD), have been established to influence cybersecurity postulants, information technology (IT) and none-IT populations to migrate into cybersecurity profession. WCCRD often presents mission-driven benchmark encouraging private and public organizations to become advocate of cybersecurity threats and work diligently to create and promote cybersecurity training and education and organize conferences on how to battle cybersecurity risks on human populations. Cybersecurity-threats, cybersecurity-attacks and cybersecurity-risks are unquestionably at the forefront of vulnerable global populations. Per Shinder, (2002) & Cashell, William, Jickling and Webel (2014), individuals, higher education institutions, military, and government agencies; all together, utilize the same airspace for data, information transmission and communication; thereby, placing the world population on vulnerable cyber-attack twenty-four hours and seven days a week. The art of using the same airspace often makes cybersecurity training, education and conferences very challenging, enduring and complicated. Per Tohid (2012), the same airspace is repeatedly used by military personnel for defense, private and public organizations for data, information, transmission and communication. And the same airspace is used by hackers and cyber criminals for vicious operation against these entities.
Inquiry and Response
Cybercrime is often intended to trigger mental and physical pain, loss of property, pillory, loss of intellectual property, violation and infringement of security rights, and financial burden on vulnerable innocent citizens of this free global community (Aquilina, Casey & Malin, 2008). Perpetrators of cyber- security attacks often operate on independent mindsets, on behalf of group of none-law abiding citizens. The perpetrators often have specific targets to hack into the systems, blog authorized user access, damage organization data and information, engage in illegal activities with the Internet to disrupt, install malicious programs, stalking Internet activities and creating identity theft. In response, computer inquiry, experts work to relentlessly identify the source and preserve evidences, extract and document every process, validate and analyze evidences, formulate solutions and recommendations to prevent future occurrences is very difficult and challenging. Operative inquiry and response must include reconnaissance, inquiry, research, documentation, analysis and preservation of evidence. Forensic inquiry and response must be conducted by authorized, experienced and professionally skilled officials such as those produced by the Association of Chief Police Officers (ACPO, 2015) who have been drilled on the operational guiding principles of the response team. In 2015, ACPO established four guiding principles relating to computer-based electronic evidence and the four guiding principles must be adopted and executed in the latitude of computer forensic examination and response. As Easton and Taylor, 2011 and Givens, 2016) noted, the scope of inquiry and response must involve restriction of illegal exploitation of computer technologies, use of the Internet to commit cybercrimes such as identity theft, information theft, embezzlement, hacking, cyberbullying, cyberstalking, and damage to organization’s network system. The global population needs cyber-technology advocates to guide and protect against new tactic of committing post-historic cybercrime using the Internet.
The Federal Bureau of Investigation (FBI), National Computer Crime Squad (NCCS), Federal Computer Fraud and Abuse Act (FCFAA) of 1986 are charged with inquiry and response violators of cybercrimes across multiple states, nations and international boundaries (Grama, 2016). The designation of cybercrime under state law defers depending on the state. Cybercrime law regulations and compliance is beyond the state and national, but involves international boundaries. As noted by Fitzgerald and Schneider (2016) and Parker (2017), cybercrime and activities are complicated and complex because they are borderless, transcending regional and national boundaries. The world communities are interconnected than ever before on matters relating to cyber security threats. Per Vienna (2002) 10th United Nation Congress on the Prevention of Cybercrime and Treatment of Offenders (UNCPCTO), private, public and organizations, and international communities are confronted with unprecedented challenges posed by the modern-day cybercrime. It is true that no one nation by itself can cope successfully with the rapid growth of transnational cybercrime, and fighting cybercrime in its entirety is an open-ended and unlimited battle because culprits are illegally cultured, heartless and well-organized. These cruel criminals often raid the innocent citizens of dignity, basic human rights, possessions, health and precious lives. Per UN (2002) regulations, the statute of cybercrime was designated into two components; computer cybercrime and computer-related cybercrime. Computer cybercrime is limited, relating to illegal conduct directed by means of electronic operations targeting the security of computer systems, data and information processed on organization’s system. Per Esin, 2017, LeClair (2015), computer-related cybercrime is far-reaching relating to illegal activities committed by means of computer network, the internet communication, unauthorized access and distribution of prohibited information. The use of computer, the Internet for cybercrime is the highest growing physical crime in our generation, such activities involve crimes, but are not limited to risks of theft, credit card fraud, abuse, hacking, cracking, cyberterrorist, cyberterrorists, cyberbullying, cyberstalking, financial fraud, cyber deformation, software piracy, copyrights, password trafficking, telecommunication crime and cybercrime. Citizens of the world kingdom are strongly encouraged to be a vital part of the solution, adopt the 2002 UNCPCTO regulations in combatting cybercrime, cyberattacks, security breaches, spam, spear phishing, social engineering, electronic fraud, spyware, cybertrespass, espionage and cybercrime operations.
There is practically zero unemployment among cybersecurity professions and the global demand will outpace the supply of cybersecurity professionals at every level in the next seven years; thereby, revealing an awakening knowledge in the need for more training and education in this very fertile domain of practical employment the entire global population needs cyber-technology advocates to guide and protect them against new tactic of committing historic cybercrime using the Internet. Washington Center for Cybersecurity Research & Development (WCCRD) is established to influence cybersecurity postulants, information technology (IT) and none-IT populations to migrate into cybersecurity profession. WCCRD often presents mission-driven benchmark encouraging private and public organizations to become advocate of cybersecurity threats and work diligently to create and promote cybersecurity training through education and conferences on how to battle cybersecurity risks on human populations. Cybersecurity training, education and conferences are a promising conduit for a successful future, and a future aimed at resolving and mitigating cybersecurity risks and attacks. But the borderless nature of the crime calls for an all-hands-on-deck approach which begins with awareness and moves to education, training and confrontation. It is a difficult battle because the criminals are becoming increasingly sophisticated, but the collective global village has the resources and manpower to deploy in this war to succeed. All it requires is good faith and collective endeavor and trust among the stakeholders who are and should be united in one objective- win the war against cybercrime.
Aquilina, James M., Casey, Eoghan & Malin, Cameron (2008). Malware Forensics:
Investigation and Analyzing Malicious Code. Burlington, MA.
Association of Chief Police Officer (ACOP) (2015), The Protocol on the Appropriate Handling
of Crimes in Prison.
Assenter M. & Tobey, D. (2011). “Enhancing the Cybersecurity Workforce,” IT Professional,
(13),1, pp. 12-15. Http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5708280.
Bem, Derek, Feld, Francine, Ewa, Huebner, Ewa, & Bem, Oscar (2008)
Computer Forensic: Past, Present and Future: Journal of Information Science and Technology, University of Western Sydney, Australia.
Bennett, D (2011) “The Challenges Facing Computer Forensics Investigators in
Obtaining Information from Mobile Devices for Use in Criminal Investigations.” http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-use-in-criminal-investigations.
Brown, Cameron S. D. (2015). Investigating and Prosecuting Cyber Crime:
Forensic Dependencies and Barriers to Justice. Vol. 9 Issue 1 (55-119)
Cross, Michael (2008). Scene of the Cybercrime. MA, Burlington, Syngress Publishing, Inc.
Easton, Chuck and Taylor, Jeff Det. (2011). Computer Crime, Investigation
and the Law. Boston: MA, Cengage Learning Course Technology.
Esin, Joseph O. (2017) System Overview of Cyber-Technology in a Digitally Connected
Society. Author House. Bloomington, IN.
Fitzgerald, Alvita and Schneider, Jessica (2015). “Keep it Secret, Keep it Safe: Nine Steps
to Maintaining Data Security.” The United States Cyber Security Magazine, Volume 3,
Number 7 (74-75).
Grama, Joanna L. (2016) Excelsior College CYS 541 Custom VitalBook, 2nd Edition.
Jones & Bartlett Learning. VitalBook file.
Givens, Austen D (2015). “Strengthening Cyber Incident Response
Capabilities through Education and Training in the Incident Command System” Journal of the National Cybersecurity Institute. Volume 2, Number 3 (65-75).
LeClair, Jane (2013). Protecting Our Future: Educating a
Cybersecurity Workforce. Hudson Whitman, Excelsior College Press. Albany: New York
McClarkin, Emma (2014) “Cyber Crime- New Investigation Strategies and
New Technologies,” (Brussels, Belgium, Special Committee on Organized Crime, Corruption, and Money Laundering: 2012), Last accessed: 2/10/2014, mcclarkin_/mcclarkin_en.pdf. Norton by Symantec, “2012 Norton Cyber Crime Report,” (Mountain View, CA, Symantec: 2012), Last Accessed: 2/10/2014, crime Report/2012_Norton_ Cyber crime_Report_Master_FINAL_ 050912.pdf.
Parker, Charles (2017) “In Support of Cyber/InfoSec Unification”. Washington Center for
Cybersecurity Center and Development: Washington, USA.
Shinder, Debra L. & Tittel, Ed (2002). Cybercrime: Scene of the Cybercrime Computer Forensics Handbook. Rockland: MA
Smith, John C. (2008). History of the High Technology Crime Investigation Association
(HTCIA): Santa Clara (Silicon Valley) CA
Smith, Christen Marie (2015). “Building the Cyber force of the Future”.
United States Cybersecurity Magazine, Volume 3, Number 9 (43-55)
Tohid, O. (2012). “Bin Laden bodyguard’s satellite phone calls helped lead US forces to hiding
United Nation (2000). Tenth United Nations Congress on Prevention of Crime and Treatment of
Offenders Vienna. www.un.org/press/en/2000/20000410.soccp216.doc.html SOC/CP/216
10 April 2000.
About the Author - Joseph O. Esin is the Lead Professor of Computer Information Systems at Jarvis Christian College, Hawkins, Texas USA
A Paper by Charles Parker II
In Support of Cyber/InfoSec Unification
Cyber/InfoSec is relatively new in comparison to other scientific fields, e.g. physics, chemistry, circuit design, and others. Although this has been in existence well over a decade, this topic has been receiving a significant amount of attention in the last few years, due to the email system breaches with instances of multiple compromises with single providers, utility company’s equipment being compromised, and utilities being shut down for limited periods of time. This has caused a mass amount of issues. This attentiveness has manifested its form with the increase in publication, articles, and even the president this is pertinent.
As this is a newer discipline as related to others, this has not been through the intense, rigorous, and robust scrutiny placed on it that others have. This form of discipline would place a more mature framework on InfoSec. This is shown with other, more mature departments and areas of science. With these, there are laws, axioms, and standards applied to them. Physics has a number of these that are utilized as integral portions. There is temperature measurement and the laws of thermodynamics (Vieland, 2014). The exact type of measurement used is dependent on the environment, e.g. for inter-stellar space and the sun, the Kelvin (K) scale may be used. Celsius may be used for more of the mundane uses on earth. These are the units of the International Temperature Scale of 1990 (ITS-90). Chemistry uses the kilogram for mass (NIST, n.d.; Ivashchuk, Konogov, & Mel’nikov, 2014). This is manifested by the international standard maintained at Se’vres near Paris and is approximately 2.205 lbs. There is also Avogadro’s Law.
Curiously, a standard was also accepted with a non-science industry with the lawn sprinkler industry. An estimated 20 years ago the industry had many competitors (Strand, & Asadorian, 2017). The equipment had many different voltages, diameter of tubing, and types of sprinkler heads. At a point in time, the industry leaders met and agreed this was counter-productive. The result from this meeting of the minds was the industry began to use the same standards. This simplified the equipment and protocols involved.
These among other disciplines, have been capable of researching these standards, vetting these through the academic and applied subject matter experts, and implementing these standards. This has been an extended journey which is fruitful and beneficial with the completion of the implementation phase. These standards have been accepted and applied through their specific fields. Only rarely are these adjusted as a result of an anomalous event. This is the instance with new theories in physics, as with dark matter. For decades the theory of general relativity has held strong. This may be adjusted due to the growing acceptance of the dark matter theory (Rathi, 2017).
The InfoSec field and community has held onto a different application of this, which has tended to be vast unique in comparison to others. There may be a number of reasons, both known and unknown, leading the discipline to this end. This current state may simply be a function of this field not being as mature or seasoned as the others. Within their field, each sub-field exhibits the like issue. There is a lack of a coherent standard across the subfields, which would provide guidance, structure, and ease of use for the pertinent, involved parties. Instead of implementing a simple set of standards, for each transaction type, each sub-field continues to complicate the issue, each with their own standards.
Of areas of research and study within InfoSec, this is the most current. The autonomous vehicle research also is timely as the self-driving vehicles are predicted to be fully operational within the next five years. Ford, BMW, and other entities involved with this endeavor have clearly sted their goal is to have a fully autonomous vehicle operating by 2020-2021. With this goal set in place, many of the other manufacturers and entities are actively engaging their staff to complete the task of creating and manufacturing the fully autonomous vehicle. Through the field, there are many architects and engineers working on this endeavor. The companies involved with these project in various aspects including Google, Apple, Nvidia (Forrest, 2016), Tesla, Mobileye, Delphi (Reese, 2016), Ford (Reese, 2016; Raven, 2016), GM, and others.
Each may have their own idea of the architecture implementing communication protocols, and the other security and communication aspects that need to be addressed in order to be fully prepared. Each has their own budget, staff, and resources being applied to this long-term project. These entities may have wanted to work together at some junction, however this was not a viable option due to fear of losing their intellectual property (IP) or their lead in advanced technology in comparison to others.
There has been a mass amount of cost into this. Each member of this select group has their own staff, overhead, and other expenses. The amounts have not gone unnoticed by the respective senior management and C-level. This investment needs to produce a return on the investment (ROI) for the business. This ratio certainly would not be much larger as it could be if a competitor were to use another’s IP to gain a competitive advantage and market it first.
This is also being researched by DARPA (Whalen, Cofer, and Gacek, 2017). One of the foci is to analyze the methodologies for securing the software located in the networked vehicles. This project would provide guidance, if followed, for the manufacturers and vendors. A framework for this involves utilizing The Update Framework (TUF) as a base and improved on this (Help Net Security, 2017). The new proposal is titled Uptane.
At this junction, the objective is open-ended. There is not a party at this point to lead the project or the members with unified standards. If another business were to attempt to manage the campaign towards the autonomous vehicles, there may be only yet another protocol sitting with the others. There could also be a separate entity comprised of the vendors in the industry presently and academics. This would prove to be problematic. Several questions would be open for interpretation, including:
Would this new entity carry the weight to adequately provide guidance and govern?
Would each entity of the consortium have the same weight of input?
Should this be based on the capital (money) contributed to fund this endeavor?
U.S. Department of Transportation (DOT)
Being researched concurrently is a push with vehicle-to-vehicle communication standards. The DOT is analyzing methods to reduce the number of vehicle crashes. With improved V2V communication, a significant portion of the vast number of vehicle crashes would be avoided and lives saved (NHTSA, 2016). The US DOT began this directed process of rulemaking in August 2014. This process focused on the dedicated short-range communications (DSRC) for the inter-vehicle communications.
This has been studied for over ten years (US DOT, n.d.). The rulemaking has been manifested with the Preliminary Regulatory Impact Analysis (US DOT & NHTSA, 2016) proposing to establish the standard for the V2V communication. This will be proposed to mandate the standard to be used with the DSRC and other technologies that work directly with the DSRC. The phasing-in would begin, in theory, 2021 with 50% of the lightweight vehicles to have the DSRC capacity.
Internet of Things (IoT)
Within the InfoSec field, the unit of IoT is also a relatively new area. There are many manufacturers with their specialized products. There are Honeywell, Hitachi, Comcast, and T-Mobile (Meola, 2016), to list a limited portion of the established manufacturer. There are also a number of start-ups with Samsara, Notion, Losant, Helium, and others (Postscapes, n.d.). With the IoT products, InfoSec has been applied in various levels, ranging from none of all to a not significant amount. The IoT devices have been known to be notoriously insecure (O’Neill, 2016). As a method to secure this, redundancy has been researched for IoT (Venkatakrishnan & Vouk, 2016).
A rather glaring recent example of the IoT insecurity has been the Mirai attack (Feingold, 2016). This bot army used IoT devices to attack its target (Leyden, 2016; Cimpanu, 2016; Heller, 2016). The victims of this include Deutsche Telekom (Kan, 2016), TalkTalk (Thomson Reuters, 2016), and Krebs on Security (Woolf, 2016; Krebs, 2016). These attacks and the bot army brought to light the lack of strict guidance and security to IoT. There has not been a rush to have security applied here. Over time this has been shown to be a higher priority project. The lack of a standard mandated to be applied has only further worsened the InfoSec environment. If there were to be a standard in place, the number and intensity of these DDoS would be substantially lower.
These are medical devices implanted into or onto the human body. These may be not connected with the hip, shoulder, or other joint replacement. These may also be connected electrically. In this instance, the bio-medical equipment communicates to another unit certain data. The connected devices have a rather direct and overt impact on human life.
Security has been likewise applied to these devices in a rather haphazard manner. This is a clear indication that security has not been a primary focus here also. These has also been a lack of unified guidance and standards as to security protocols to apply. Security has not been a primary focus of the manufacturer. The lack of focus is evidenced by the number of proof of concept attacks on the medical devices both implanted in and attached to people. There are a number of devices that fit well within the definition. With the biomedical devices having such a vital role in sustaining human life and the liability in the case of an epic equipment failure, a prudent business and engineering staff should apply a specific security baseline or at least some form of a minimum standard. This lack of a standard that has to be complied with shows yet another detriment to society and consumers.
Two recent examples are the pacemaker and diabetic pump. The pacemaker has been shown to have issues. The communication from the implanted pacemaker to the bus unit has not been secure. St. Jude experienced a recent proof of concept (POC) attack based on this. There also has been like attacks on diabetic devices focusing on the communication vector.
The consumer and commercial clients use programs/applications every hour across the globe. Smart phone, tablets, laptops, desktops, and other equipment use these for their operations, gaming, and other uses. These are an integral part of our way of life. These are used for navigation to drive to a restaurant not visited previously, when travelling for a family vacation, or to visit a new business client. Consumers also use this to check their current transactions with their bank accounts.
With this aspect of IT, there are presently methods to apply security. There is static code analysis, which reviews the code as written. This tends to be difficult as there are greater than hundreds of thousands of lines of code to find any number of areas. There is also dynamic code analysis, which uses applications to complete this analysis. These while worthwhile and viable, are not always applied or applied in a robust manner. Applying this in a non-structured method provides for the opportunity of overlooking errors and later patch requirements. This lack of a mandated standard also has increased and time for patches, which is wholly not necessary and likewise a detriment.
Although this is a relative new sub-field of IT, there have been attempts to implement a security framework in the individual disciplines. Although the attempt has been made to implement these to strengthen the security to at a minimum baseline level, this governance has failed to effectively govern the relevant parties, and assist these parties to understand and comprehend the pertinence of these across the respective discipline. There may be varying levels of implementation, however on average the respective parties within each discipline have not embraced this.
With IoT, there has been no governing entity to direct research and which standards should be followed and applied. The US Department of Homeland Security (DHS). In order to work towards supplementing this and having a forum of principles to interpret, the DHS released a set of principles to secure the IoT devices (DHS, 2016; Schumann & Lieberman, 2016). This would not have been required if a mandated standard had been completed but is only a set of principles. As these are only designed to be a set of principles, these would not have to be followed. There would be no impetus to apply these. This is still evident as the IoT devices continue to be compromised and used in attacks against others.
This area is vital as these pieces of equipment keeps people alive. A malfunction or hack of these may have dire consequences. To secure these, providing a solid, robust security framework would be prudent. Establishing this standard for security is not a new or novel idea. Klonoff and Kleidermacher (2016) researched diabetes and securing the connected devices to measure the user’s glucose level. These devices monitor blood glucose on a static and continues level, insulin pumps, and the closed-loop artificial pancreas systems.
The researchers noted the Diabetes Technology Society (DTS) created in July 2015 the DTS Cybersecurity for Connected Diabetes Devices project. This standard was intended to be used with the industry, clinicians, patients, and others to gauge the applied cybersecurity. This is merely guidance, along with the FDA’s guidance.
The FDA has put in place a set of rules regarding methods equipment manufacturers should manage their product’s security (BBC, 2016). This was not a regulation, but a recommendation or suggest (Hatmaker, 2016; Smith, 2016; FDA, 2016). The enforcement value of this would not be significant.
As these are multiple sources of guidance, the waters are still muddied at best. There is a bright point of light with this. There is another push for a protocol. This new project is focussed on the “federated networking and computational paradigm for the Internet of Things…” (Madanapalli, 2017). This project to form the ROOF computing standard is sponsored by IEEE and is labeled as P1931.1.
There has been a unified set of standards published for these fields. NIST has a number of “guidelines, recommendations, and reference materials” (NIST, n.d.). These, although exceptionally well-written, are recommendations. There is not in place any form of direct oversight.
In an attempt to implement a global standard, an international agreement for InfoSec with 41 countries was buoyed through the participants. This was known as the Wassenaar Arrangement (Camarda, 2016). This was not implemented.
On the US state level, several states have recognized there needs to be statutes enacted regarding the security. Specifically, states have focused on legislating the autonomous vehicles. The individual, respective states have enacted the legislation (NCSL, 2016). California, Florida, Louisiana, and Michigan have several statutes with two (2012 and 2016), four (two in 2012 and 2016), one (2016), and six (two in 2013, and four in 2016). The U.S. states have also introduced legislation regarding autonomous vehicles (NCSL, 2016) with 16 bills in 2015, 12 in 2014, and over 9 in 2013.
This, granted, is a momentous initial and continuing system towards securing the autonomous vehicles. Even with this tremendous amount of effect, the same issues abounds. These statutes and bills are per state. These are not unified. State “A” and state “B” may have statutes that are similar yet different. The court’s interpretation may also be different. Although this does appear to be a positive step, this is still indicative of a fractured set of direct guidance.
The bi-product and symptom of this issue is rather clear. The glaring product of all the different unique standards continues to be the breaches in email providers (e.g. Yahoo twice), the federal government (e.g. IRS, FDIC, OPM, etc.), and too many other entities in the U.S. and abroad. The user's personal data, intellectual property, and other data and information stolen during these breaches has been sold in the Dark Web, used for fraudulent activities and scams, and other deviant activities. This, among other factors, has led to a decline in the confidence associated with cybersecurity (Help Net Security, 2016). This is not only in the U.S., but on a global basis.
These projects all have the same focus and goal. These endeavor to make the world a better place to live in via implementing a standard which everyone follows. This may manifest in the future as a not significant number of breaches, consumers being able to meander on the internet without fear of ransomware or being a victim of personal identification theft, industry not having to fear other nation states breaching their system for data and intellectual property. This would improve on the present state and application of security. The driving force for this continues to be issues from the lack of security. This is evidenced by the vast number of breaches and compromised systems, the number of systems and businesses directly affected by ransomware, vast amounts of PII being sold on the darkweb, and government agencies being targeted.
The primary source of these issues continues to be the splintered InfoSec community standards. The community is working towards the same goals. This, for example, would be securing the enterprise, securing communication between endpoints or intr-company, securing the data at rest, and other projects or transactions. This has not been focused though. These efforts are being spent with individual groups, not necessarily working together or at least consulting with one another. There are multiple groups working with post-quantum computing encryption as an example. These efforts are not being accumulated at a pace these should be. The advances with these are being artificially depressed by the infrastructure the community has self-imposed. The effort may be much further advanced if these groups had been working together towards a single standard.
The space program is an example. Space exploration would not be at this stage if multiple groups in the 1950’s and 1960’s had been working on this. With this endeavor being under a single, driving force (NASA), significant advances were made.
There is a commonality with the processes being reviewed. Within each protocol, there may also be slight differences. The equipment may also be vastly different. There still exists commonalities with these.
With Wi Fi, there is the same action being undertaken. “A” is communicating with “B”. These endpoints send and receive data and information. The data may consist of appointments, Human Resource Payroll records, new circuit designs, or other intellectual property. This process is replicated with a vehicle communicating with an application on a smartphone to unlock or start the vehicle, a person working on a laptop connecting to their work email, and biomedical equipment sending and receiving data.
Presently each system has its own protocol and methodology. In Figure A, each communication or transaction channel communicates using their own methodology, even though this is the same act.
These all have in common the act of communication. This should be standardized, since this is the same act. The “A” and “B” parties are not necessarily pertinent in that these could be any business. The method or channel are however what is pertinent. Figure B represents this as each party follows the common Wi Fi method, inclusive of the Wi Fi security and encryption.
This is only one example of the myriad of other potential transactions.
This conundrums has evaded a solution and direction. There are three primary options with this. As an indicator, the leadership can do nothing. This would only continue to perpetuate the InfoSec issues that abound in the news with breaches, compromises, data being stolen, and increased expenses for the affected parties due to incident response, credit monitoring, and lawsuits. This is optional.
A second option would be for the industry to regulate itself and apply common sense and a sufficient level of resources to research, analyze, and implement these security rules. Over the years, this likewise has not been successful. This lack of focus, multiple protocols, and mixed levels of implementation have led directly to the breaches and compromised systems. This option likewise is not viable. As an industry and field, the self-regulation in any form has been lacking.
The third option is to form an entity to research, publish, mandate, and evangelize these standards. The intent is not to overreach and be dictatorial, but to form a safer, more secure environment the industry has not been able to do so yet. The intent is also to be an altruistic movement. This would greatly assist the field, and users.
The guidance to this point has been splintered. The standards in place effectually have been merely recommendations, with the exception of the state statutes for autonomous vehicles. These though are different per state with each state’s judicial interpretation being unique. These specific industries (e.g. FDA, DTS, and DH) have their own guideline in place, which are not unified.
There should be a central standard for each type of transaction in InfoSec. For instance with communication, this should be secured with a form of encryption, regardless if this involves a vehicle communicating to an application on a smartphone, a user checking their email account from a phone, a website being secured (HTTPS) versus not (HTTP), SSO using SAML 2.0, or a pacemaker transmitting data to its base equipment and not in clear text or a low, inappropriate level of encryption (e.g. MD5 or AES 56). The data at rest also is notable, and should be encrypted with an acceptable protocol. Instead of each type of equipment or action having its own method, they should each have the same standard.
This is being proposed simply for the common good. These and other protocols being placed onto systems would be in the least a baseline needed to be secure. For example, WEP would not be acceptable, and would be replaced with WPA2. Also, appropriate levels of encryption would be required. These standards being applied across the U.S. or further would provide a minimum baseline the industry and users would be required to follow. This would need to be on a national level due to the fluidity and dynamic nature of data and InfoSec. A state by state implementation would be problematic. A user is able to scan an IP from nearly everywhere on the globe. A state border oriented system as it relates to InfoSec is meaningless.
Technology has made our environment potentially very dangerous for humans. There are many vectors that are able to hurt or kill humans with little effort. One attack involves compromising diabetic pumps. There has been a POC attack shown to be a viable attack vector that could potentially kill a person. This mode of attack is likewise applicable to pacemakers. The security has not been adequately applied to this equipment, which is a problem.
The attacks may also focus on tools we use. There have been many POC attacks to compromise a vehicle’s security and system. The vehicles may be manipulated while being driven, which could lead to injury or death of a human.
Utilities also have been targets of attack. These have been successful, at times, to compromise the utility’s enterprise. These attacks have been successful against dams, power plants, wastewater utilities, and other facilities. With these targets, a significant, well-planned attack would alter substantially our way of life and security.
Unfortunately, the number of attacks with the same vulnerability, each industry’s own standards guiding the same act, wasted concurrent efforts, and other factors have made it rather clear the industry is at a bit of a loss to govern itself in certain instances to push toward the current action. There needs to be a single, unified application of InfoSec for each type of transaction. This would not need to be overly rigid or unbending, but able to flex with each situation. No environment is the same, however the underlying needs and actions are the same.
The FDA has noted the industry is at a crossroads of InfoSec and technology advancing (Schwartz, 2016). A unified InfoSec platform would be beneficial to the specific industry, the overall industry, consumers, and government with this single source of information and guidance to be applied. There needs to be an action to bring this altogether. This would ensure the relevant, germane parties are all operating under one set of rules and knows what to apply to comply. This, as a bi-product, would also reduce the opportunity for ambiguity. With one set of standards being in place, deployed, and actively implemented, this would ensure the best practices are being reviewed and applied day-to-day, and not simply on an e-shelf collecting e-dust. As an example SHA-1 would not be implemented, while SHA-2 in one of its key size would be.
This would be used as a better means of applying security to each endpoint or transaction. The entities involved would clearly know the industry best practices as mandated by the appropriate standard. The parties would clearly know these would be required to be followed. There would be little doubt what security protocol and action to apply. For instance, legacy systems tend to use outdated security practices. This is due to several features including these simply being difficult to update, and the update being cost prohibitive. Although there may be hindrances to updating the system and security, it is still prudent to update the application. This may add value to the application and usage, however the costs may not be able to passed onto the clients.
The unified InfoSec protocols would remove the guesswork in this industry. The appropriate parties would know what standard and protocol to apply to your project. Everyone in the industry should be working the same set of standards. Any future changes to the protocol would be well-publicized and the germane audience would be notified as this would be well-known. This may be communicated with press-releases, email updates, tweets, and other accepted methods.
With a set of enforced standards as a simple baseline, issues with security would not continue to abound. Without this, the attacks will continue. These may become more frequent in occurrence and be larger. Future DDoS attacks may make the Krebs on Security DDoS appear to be a practice run.
The process to arrive at these standards should not be arrived at lightly. There needs to be an abundance of caution and thought with this process. To formalize this there would need to be a format or template for the process. This would be utilized to form and approve the standards. This removes the potential for varying methods and outputs. With one format, all involved know what to expect. This would not be a government committee due the potential political skew, which would be counter-productive. As President Ronald Reagan is quoted, “The nine most terrifying words in the English language are: “I’m from the government and I’m here to help…”.
These standards would need to be processed through a vetting process. This may be done with a committee composed of academia and industry members. This brings together the many viewpoints. The process would provide for the best methods in theory and practice. These would be provided with a single person or faceless entity. With the group, there are many views and opinions. These are able to be molded together.
After the draft of the standard is put in writing, there should be testing and/or a pilot study. The standard would not be put into place without this being done in the various environment. This would also function to verify what works best across the industries.
This is a rather substantial project on several fronts. After gaining acceptance, which would not be a small feat in its own right, forming the committee would also require an immense amount of time, effort, and resources. As for the protocols, there are a number of generally accepted protocols for encryption, web applications, firewalls, authentication, defense in depth, Wi Fi, and log management. These would provide a starting point to be followed. The committee may begin to grow in depth the knowledge on these topics prior to reviewing future movements.
There needs to be a form of motivation to adhere to these. Without the industry following these unified standards, these standards would only be yet another one in the field for review. In effect the community would be splintered yet further. The new set of standards would require some form of liability, as a motivator. If these standards are not followed, the entity electing not to follow it may be considered acting in a grossly negligent manner. These standards would be designed to be the minimum, baseline standard to be applied. These would also be based on industry uses, academia, and persons leading the thoughts in the industry.
There has been a vast abundance of breaches and compromises in the different fields in recent years. There has been a leading indicator of potentially becoming a target-there is something the attacker wants to steal or keep people from accessing. The commonality with a majority of these attacks has been the attacker exploiting vulnerabilities. The vulnerabilities may have been remediated, however were not. With these standards being followed, there would be fewer breaches.
The effect of this would be resources not being wasted, a lesser degree of consumer and business frustration, and a safer world. Until this point, a set of standards to be used throughout the industry to this end has not been created or followed. With these in place, the industry would clearly know what standard is the best practice, and apply it to the project.
Without this being used, there will continue to be more compromises, breaches, and lack of confidence in InfoSec.
Barton, D. (2015, March 10). When will your data breach happen? Not a question of if but when. Retrieved from www.securityinfowatch.com/article/12052877/preparing-for-your-companys-inevitable-data-breach
BBC. (2016, December 28). Medical device cyber-safety rules issued by US watchdog. Retrieved from http://www.bbc.com/news/technology-38458864
Camarda, B. (2016, December 28). ‘Meltdown’ over international cybersecurity agreement. Retrieved from https://nakedsecurity.sophos.com/2016/12/28/meltdown-over-international-cybersecurity-agreement/
Cimpanu, C. (2016, November 24). You can now rent a mirai botnet of 400,000 bots. Retrieved from https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/
DHS. (2016, November 15). DHS releases strategic principles for securing the internet of things. Retrieved from https://www.dhs.gov/news/2016/11/15/dhs-releases-strategic-principles-secruing-internet-things
FDA. (2016, December 28). Postmarket management of cybersecurity in medical devices: Guidance for industry and food and drug administration staff. Silver Spring, MD:Center for Biologics Evaluation and Research (CBER). Retrieved from http://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegrulatoryInformation/Guidances/default.htm and http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
Feingold, J. (2016). Dyn issues analysis of cyberattacks: Comppany identifies mirai botnet as primary weapon in attacks. New Hampshire Business Review, 38(24), 26.
Forrest, C. (2016, December 12). Nvidia’s self-driving car test showcases company’s shift to AI solutions. Retrieved from www.techrepublic.com/article/nvidias-self-driving-car-test-showcases-companys-short-to ai-solutions/
Haber, M. (2016, November 29). Mirai botnet is evolving and now has a 5th victim in Germany. Retrieved from https://www.beyondtrust.com/blog/mirai-botnet-evolving-now-5th-victim/
Harnish, R. (2016, December 29). Balancing cybersecurity practices with the realities of healthcare operation. Retrieved from http://www.forbes.com/sites/forbestechcouncil/2016/12/29/balancing-cybersecurity-practicts-with-the-reality-of-healthcare-operations/#d67423d6f749
Hatmaker, T. (2016, December 28). FDA issues new security guidelines so that your pacemaker won’t get hacked. Retrieved from https://techcrunch.com/2016/12/28/fda-issues-new-security-guidelines-so-that-your-pacemaker-wont-get-hacked/
Heller, M. (2016, November 30). Modified mirai botnet could infect five million routers. Retrieved from http://searchsecurity.techtarget.com/news/450403881/modified-Mirai-botnet-could-infect-five-million-routers
Help Net Security. (2016, December 5). The decline of cybersecurity confidence. Retrieved from https://www.helpnetsecurity.com/2016/12/05/cybersecurity-confidence-decline/
Ivashchuk, V.D., Kononogov, S.A., & Me`nikov, V.N. (2014). Results of measuring the avogadro and planck constants for a redefinition of the kilogram and mole. Measurement Technique, 57(2), 125-131. doi:10.1007/s11018-014-0418-z
Kan, M. (2016, November 28). Upgraded mirai botnet disrupts deutsche telekon by infecting routers. Retrieved from www.pcworld.com/article/3145449/security/upgraded-mirai-botnet-disrupts-deutsche-telekom-by-infecting-routers.html
Klonoff, D.C., & Kleidermacher, D.N. (2016). Now is the time for a cybersecrity standard for connected diabetes devices. Journal of Diabetes Science and Technology, 10(3), 623-626. doi:10.1177/1931932296816647516
Krebs, B. (2016, September 16). Krebs on Security hit with records DDoS. Retrieved from https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
Leyden, J. (2016, December 2). Sh...IoT just got real: Mirai botnet attacks to targeting multiple ISPs. Retrieved from http://www.theregister.co.uk/2016/12/02/broadband_Mirai_takedown_analysis/
Madanapalli, S. (2017, January 17). The roof computing. Retrieved from https://www.linkedin.com/pulse/roof-computing-syam-maanapalli
Martinez, M. (2015, March 12). Cyber-security breaches, not if, when. Retrieved from http://kron.com/1015.03/12/cyber-security-braches-not-if-but-when/
Meda, A. (2016, August 31). These ar ethe top IoT companies to watch and stocks to invest in. Retrieved from http://www.businessindisder.com/top-internet-of-things-companies-to-watch-invest-2016-8
Moon, M. (2016, December 28). FDA issues final guidance on medical devices’ cybersecurity. Retrieved from https://www.engadget.com/2016/12/28/fda-medical-devices-cyber-secruity-final-guidance/
NCSL. (2016, December 12). Autonomous: Self-driving vehicles legislation. Retrieved from www.ncsl.org/research/transportation/autonomous-vehicles-legislation.aspx
NHTSA. (2016, December 12). U.S. DOT advances deployment of connected vehicle technology to prevent hundreds of thousands of crashes. Retrieved from https://www.nhtsa.gov/press-releases/us-dot-advances-deployment-connected-vehicle-technology-prevent-hundreds-thousands
NIST. (n.d.). NIST special publications (SP). Retrieved from http://csrc.nist.gov/publications/PubsSPs.html
NIST. (n.d.). Base unit definitions: Kilogram. Retrieved from http://physics.nist.gov/cuu/Units/kilogram.html
O’Neill, M. (2016). Insecurity by design: Today’s IoT device security problem. Engineering, 2(1), 48-49. doi:http://dx.doi.org/10.1016/J.ENG.2016.01.014
Postscapes. (n.d.). Top internet of things companies. Retrieved from www.postscapes.com/companies/
Raven, B. (2016, December 29). Ford ups its self-driving game. The Flint Journal, p. A10.
Rathi, A. (2017, January 2). Einstein’s gravity and nixes dark matter passed its first test. Retrieved from http://qz.com/876531/a-theory-that-challenges-newtons-and-einsteins-gravity-and-nixes-dark-matter-passed-its-first-test/
Reese, H. (2016, August 16). Ford plans to mass produce a ‘no driver required’ autonomous vehicle by 2021. Retrieved from http://www.techrepublic.com/article/ford-pans-to-mass-produce-a-no-driver-require-autonomous-vehicle-by-2021/
Reese, H. (2016b, August 23). How a pair of auto industry giants are fast tracking ‘level 5’ driverless cars by 2019. Retrieved form
Schwartz, S.B. (2016, December 27). Managing medical device cybersecurity in the postmarket: At the crossroads of cyber-safety and advancing technology. Retrieved from http://blogs.fda.gov/fdavoice.index.php/2016/12/managing-medical-device-cybersecurity-in-the-postmarket-at-the-crossroads-of-cyber-safety-and-advancing-technology/
Smith, M. (2016, January 19). The FDA wants improved cybersecurity for medical devices. Retrieved from https://www.engadget.com/2016/01/19/the-fda-wants-improved-cybersecurity-for-medical-devices/
Society for Automotive Engineers (SAE) International. (2016). J3061A (WIP) cybersecurity guidebook for cyber-physical vehicle systems-SAE international. Retrieved from http://standards.sae.org/wip/j3061
Strand, J., & Asadorian, P. (Producer). (2017, January 6). Cyber insurance [Audio podcast]. Retrieved from http://securityweekly.com
Thomson Reuters. (2016, December 2). After deutsche tekekom, talktalk becomes latest victim of mirai botnet attack. Retrieved from http://gadgets.ndtv.com/internet/news/after-deutsche-telekom-talktalk-becomes-latest-victim-of-mirai-botnet-attack-1633012
US DOT, & NHTSA. (2016, December). Preliminary regulatory impact analysis: FMVSS No. 150 vehicle--to-vehicle communication technology for light vehicles. Retrieved from http:icsw.nhtsa.gov/safercar/v2v/pdf/V2V_PRIA_12-12-16_Clean.pdf
Venkatakrishnan, R., & Vouk, M.A. (2016). Using redundancy to detect security anomalies: Towards IoT security attack detection: The internet of things. Ubiquity, 2016 (January), 2-19. doi:10.1145/2822881
Vieland, v.J. (2014). Evidence, temperature, and the laws of thermodynamics. Human Heredity, 2014(78), 153-163. doi:10.1159/000367599
Whalen, M.W., Cofer, D., & Gacek, A. (2017). Requirements and architectures for secure vehicles. Computing Edge, 3(1), 10-13. Retrieved from http://www.computer.org/computingedge
Woolf, N. (2016, October 26). DDoS attack disrupted internet was largest of its kind in history, experts say. Retrieved from https://www.the.guardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
August 2, 2017
A Paper by Viesturs Bambans
Defining Insiders and Outsiders and Threat Levels Associated with Them
Defining Critical Infrastructure US and EU.
There are several sources of the threat to a business entity and individual associates with computer security. Regarding general perception of threats, it will be different according to occupied business niche. Company’s which are related to critical industries will have higher interest from malicious actors. USA Presidential Policy Directive – Critical Infrastructure Security and Resilience defines fallowing (@WhiteHouse, February 12, 2013):
Defense Industrial Base;
Food and Agriculture;
Healthcare and Public Health;
Nuclear Reactors, Materials, and Waste;
Water and Wastewater Systems;
The EU Commission defines following infrastructures as critical infrastructures (Commision, December 11, 2006)
Information, Communication Technologies, ICT;
Insider and Outsider threats makes impact not only on companies as whole, but also on their personnel. Kuheli Roy Sarkar in his article “Assessing insider threats to information security using technical, behavioral and organizational measures “ (Roy, 2010) , defines insider, as Pure Insider, Affiliate Insider, Associate Insider, Outside Affiliate.
See Table 1 PDF at end of document.
Insiders threat can be broadly generalized as:
However, looking closer to the insider threat problem, we can see that common generalization about insider threat can have some deviation towards Outsiders threat spectrum.
Insider can carry out several types of malicious activity against employer. His/her motivation can be based into one or several personal traits, according to Julie Mehan (Dr. Julie E. Mehan, 2016):
Immaturity and/or Impulsiveness;
Inability to form Commitment;
Information Security professional and/or HR without education in Mental Health or Psychiatry cannot make diagnosis towards any human within his/her work duties and make any claims about potential inside threat carrier stemming from Mental Health concern.
Either pure insider, associate insider, affiliate insider, outside affiliate can be led to carry out intentional or unintentional threat by several motivation types and or third party persons/person – enablers. Julie Mehan (Dr. Julie E. Mehan, 2016) distinguished following:
However, according Gary M. Jackson author of the book “Predicting Malicious Behavior” (Jackson, June, 2012), malicious behavior and behavioral changes should be observed multiple times under various conditions. Additionally, observations must include adequate descriptions: must include for identifying the who, what, when, where, and how of past behaviors of insider and/or outsiders.
Weather malicious behavior is done based on deeds done by Insiders and/or Outsiders, the malicious behavior is based on the fallowing pattern. According to Gary M. Jackson:
“If behavior occurring in the presence of specific antecedents is followed by consequences that are favorable to the person, the probability of future occurrence of that behavior in the presence of the same or highly similar antecedents is increased.
Likewise, if behavior occurring in the presence of specific antecedents is followed by consequences that are unfavorable to the person, the probability of future occurrence of that behavior in the presence of the same or highly similar antecendents is decreased.”
If we look through the fore mention statements prism onto threats and malicious behavior, done by insider and outsider, then longer the time malicious behavior is not recognized, the better such behavior enables malicious actor, insider and/or outsider, to continue to do their deads. At some point, malicious actor - whether insider or outsider, will go through rationalization which can be summarize in the Fraud triangle: Perceived Opportunity; Pressure; Rationalization.
Additionally, another aspect is person’s self-radicalization whether alone or in a group.
Either Pure insider or Outsider can migrate to a specific ideology, to support his/her motivation to carry out malicious behavior against particular person, company, government or non-profit organization. He/she will join the organization. Support can be provided during process of joining or after. After joining the organization, he/she can be involved in providing support for other group members or preparing and carrying out malicious attack by self. During execution phase he/she can work alone or receiving support from other group members.
For Pure insider, company’s management might recognize detachment of particular employee, which slowly increases.
Outsider groups are represented in broad spectrum - former employee, former employee from previous company’s employment; Outsiders- company’s Social Network Followers; Activists - Social Justice activists, Environmental activists, Hacktivists, and APT Groups. Each of those entities can display broad spectrum of threat levels (Wrightson, December`, 2014 #652):
UT - Unsophisticated Threat;
UPT – Unsophisticated Persistent Threat;
ST – Smart Threat;
SPT- Smart Persistent Threat;
AT – Advanced Threats;
APT – Advanced Persistent Threat.
Each of the outside group can express from Unsophisticated Threat to Advanced Persistent Threat.
Current market and open source environment can provide plentiful of physical and software tools to do intentional harm for a company at which he/she works or worked. Stephan R. Band et all in his work “Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis” distinct harmful actions associated with espionage cases and sabotage cases. Currently there is thin line due to plentitude of information starting with poorly designated materials to high level information. In some cases, employee who can obtain enough information to carry out high skilled sabotage against his/hers current and former employee. I propose to adopt the “Technical Rule Violations” and “Harmful Technical Actions” however simplify the “Espionage Cases” and “Sabotage Cases” into one category “Sabotage Cases”. The sabotage actions can be carried by Insiders and Outsiders. For example, ransomware/wiper NotPetya was categorized as ransomware. However, latest analysis considers it as wiper – pure sabotage due to encryption algorithm implementation. In theory, both Pure Insider and Outsider Affiliate can infect company’s network with the same outcome using NotPetya.
Outsider groups which could be hostile to a company and its employers and employees can be very broad – from script kiddies to APT groups. If company occupies business niche associated with critical infrastructures, then hostile interest will be higher from fore mention groups.
Insider Threats often are not reported due to several reasons. Those reasons can be represent within organization as standalone exposure or combination of two or more. Kuheli Roy Sarkar categorizes them (Roy, 2010):
“Fear of negative publicity;
Difficulty in identifying culprits;
Ignorance of the attacks;
Insider threats are overlooked.”
Insider’s and outsider’s behavior can change gradually to intensify his/her malicious behavior:
towards particular person or group of people due to their occupation and/or nationality, and/or religious beliefs, and/or political party affiliation;
towards particular company;
towards particular country;
towards particular religious confession.
Prediction of such malicious behavior lies in the framework defined by Garry M. Jackson (Jackson, June, 2012):
“The key to predicting behavior is not studying the behavior itself but identifying antecendets associated with the behavior of interest in the past;
The best predictor of future behavior is not past behavior. The best predictor of future behavior is identifying antecendents and consequences associated with past behavior.
If antecendents of past behavior are identified when those behaviors led to favourable consequences, there is an increased probability that the behavior will occur in the future if the same or highly similar antecedents occur.
To predict future behavior grom antecendents associated with behavior in the past, a form of pattern classification in required to identify predicitive patterns among antecendents and the following behavior.
The accurate prediction of behavior rearely relies on the presence of a single antecent. Complex human behavior typically occurs in association with repeatable constellations of identified antecedents.”
Insiders and Outsiders can be coming from different cultures and subcultures and have different skillsets. However, they have one common – each of them during malicious behavior will be interested in particular information, sabotage technique, fraud pattern. Invasion techniques can be different for each of them or one person, and/or group tries evade using different techniques.
Contract termination. To mitigate risk, that former employee can become hostile Outside Affiliate during termination, employer and/or his representative should implement procedures associated with former employee based on Stephan R. Band et all “Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis” (Stephen R. Band, December`, 2016 #653):
Deactivating computer accounts for all company’s divisions;
Revoking System authorization;
Disabling Remote Access;
Disabling Access to shared accounts;
Requiring all coworkers of the departed employee to change their password if there is the slightest chance they make have shared their passwords;
Terminating physical access;
Notifying other employees;
Enhancing system access monitoring and system audits immediately following the termination or resignation of a disgruntled employee;
Creating forensic sound disk image from all computers which was former employee associated with.
In the business and critical infrastructure environment’s Inside and Outside threat is closely associated with sabotage and industry espionage. Those threats can become evident, for example, when sales engineer at the time of termination of current job have backup copy of sales contacts, gained in a previous workplace or from a person who copies Electronic Medical Record implementation plan, and brings it to the new workplace. In his Report Robert R. Band et al published findings related to espionage cases and sabotage cases:
See Table 2 PDF at end of document.
If we have analyzed recent malware attacks, we could see that borders between behavior observed in sabotage cases and espionage cases is blurred. Some of the malware have implementations of actions which shows both behaviors. For example, NotPetya - at first it was analyzed as pure ransomware, however next analysis done by Matt Suiche showed it is wiper (sabotage) due to deviation of encryption implementation mechanism. The encryption mechanism was built in the way, that is generates random numbers, which cannot be reported to malicious actors. If we look only on to build mechanism of NotPetya, then we can found that builders used specifically SMB port 445, and ports 135,139, and email attachments to move malware attack laterally using WMI (Windows Management Instrumentation) and PSEXEC(PsExec is a command-line tool that lets you execute processes on remote computer systems and redirect particular console applications' output to the local system so that these applications can be running at local computer system) (Ivanov, 2017) .
Both - insiders and outsiders look to utilize several exploit types to implement his/her actions. Mostly, malicious action is carried by utilizing some kind of software which exploits company’s or person’s computer environment’s, focusing either on software, firmware and/or hardware exploits or all of them. U.S Department of Commerce and National Institute of Standards and Technology – NIST maintains Computer Security Resource Center, National Vulnerability Database - https://nvd.nist.gov/vuln/categories which maintains current vulnerability lists of current software vulnerabilities which can be used as exploits by attacks launched either by insider or outsider.
To mitigate the threat, a company can establish strong wetting process for software and hardware which are implemented in their business environment to minimize residual risk by establishing controls and policies to mitigate inside and outside threats.
Additionally, company can establish one of the Insider Threat Prevention Assessment Model to establish baseline for current company. One of the model is created by Delloite and presented at FISSEA’s 25th Annual Conference:"A New Era in Cybersecurity Awareness, Training, and Education, in Gaithersburg, Maryland at premises of NIST, :(Michael G. Gelles, March, 2012):
See Graph 1 PDF at end of document.
Fore mention model provides exccellent guidance to establish a company’s baseline. It will provide gradual guide from creating guidelines, generating awareness, monitoring, intervening, then analyzing and learning:
Perform Enterprise Risk Assessment;
Determine Insider Threat Indikators;
Define Individual Baseline;
Perform Daily Job Function;
Experience Crisis Event
Move from Ideation to Action;
Analyze and Learn.
Threat mitigation within a company, whethear carried out by a insider or outsider group, starts with managing personnel to lower possibility of clique formation and hostile competion between personnel or company divisions.
IT Security professional will be involved into mitigating consequnces of malicioues actions and helping to establish and implement qoverning policies according to company’s management.
Outsiders can be individual hacktivists or their groups, or organized criminal groups, which have penetration capabalities or ability to hire individual hackers to gain penetration capabilities, and APT groups. Each of them provide a little bit different approach to penetration and bring different threat capabilities against a company and it’s personnal, which will result in deviation of residual risk level for particular company.
Outsider group can consist of:
Hacktivists based their actions on religious beliefs;
Organized criminal groups, who consist of hackers or persons who have ability to hire individual hackers via monetory gains or coercion;
APT groups. If company becomes target to APT group it is not an accident but because a company have information (trade secret, patent etc).
Individual hackers. Their skillsets can be observed from script kiddies, to advance skill levels.
Hacktivists. One of definitions of the Hacktivism was published in Kent Anderson, CISM in his work “Hacktivism and Politically Motivated Computer Crime “, (Anderson, 2008): “The Methodology of Hacktivism is being developed and thus subject to change: Hacktivism could be as simple as posting banned or censored material on the Internet. However, the media rarely reports such events and hacktivists have taken to “bending” the law in order to attract attention to particular causes.”
Deloite in their publication “Hacktivism, A defender’s playbook. Threat study” published on August 12, 2016, (Analytics, August 12, 2016), presented “Hactivism Attack Cycle” :
“Day 1: Recruiting and Operation annoucement, for example via own website, Twiter, Facebook and YouTube;
Reconaissance: using for example Social Engineering, Vulnerability Scanning, Human Targets;
Application/ Web/ Mail Server Attacks: using for example XSS, SQL, BF;
Doxing: for example implementing Paste Sites;
DDOS Attacks: Velocity from 5Gps to 250 Gps
Day 14: Social Media Hijacking, and Web Defecament:
[New Communication] – Second Warning;
Application/ Web/ Mail Server Attacks: using for example XSS, SQL,
DDOS Attacks: Velocity from 5Gps to 250 Gps
Third Warning: for example via own website, Twiter, Facebook and YouTube;
Repeat Cycle starting with recon.”
Additionally, Hacktivist groups actively interpret business and social processes and try to correct them. For example, in the article by Mary Ann-Russon “Anonymous takes down Black Lives Matter website to make point that 'All Lives Matter “, (Russon, 2016), was published the following statement from Ghost Squad member @_s1ege: “ "I, s1ege, started this operation after attacking the KKK [because] I realized the individuals in the Black Lives Matter movement were acting no better – some even promote genocide of the Caucasian race. This will not be tolerated. What angered me and the other members of Ghost Squad was that the leaders also do not speak on this topic. This was not the dream of Martin Luther King Jr, and should not be supported or promoted by any movement. All Lives Matter!" “
Flashpoint (Flashpoint, January 11, 2017) in their published yearly report “ Business Risk Intelligence – Decision Report. 2016 Year in Review and 2017 Flashpoints “ categorizes hacktivist as:
Capability – Tier 3 (Actors maintain a moderate degree of technical sophistication and can carry out moderately-damaging attacks on target systems using a combination of custom and publicly-available resources. They may be capable of authoring rudimentary custom malware.);
Potential Impact – Moderate (Attacks have the potential to disrupt some core business functions, although the impact may be intermittent and non-uniform across the user-base. Critical assets and infrastructure remain functional, even if they suffer from moderate disruption. Some non-sensitive data may be exposed. Actors at this level might also expose sensitive data.).”
Hacktivists who base their actions on religious beliefs. Latest wars in Syria, Afganistan and Irag have opened opportunity for people who want to radikilize and use for their own radikalization diffent medium – religy. For companies’s and their personnel, also for goverment and their personnel arose new threat, which involves - hacktivists which choose actions based on their religious beliefs. Such malicious behaviour can be observed in individuals and APT groups. For example, on June 26, 2017 – Associated Press reported that several government websites were defaced by supporters of Islamic State, particularly by “Team System Dz”.
In 2015, Stratford published forecast about examination of Islamic State Cyber Capabilities (Reed, November 30, 2015), which provides good insight on the issue. However, current political situations changes rapidly towards reducing capacity of Islam State Cyber Capabilities and their dereratives. Flashpoint (Flashpoint, January 11, 2017) in their published yearly report “ Business Risk Intelligence – Decision Report
r in Review and 2017,” in their findings they categorizes Jihadi hackers as capable of performing the following:
Capability – Tier 2 ( Attackers can develop rudimentary tools and scripts to achieve desired ends in combination with the use of publicly-available resources. They may make use of known vulnerabilities and exploits.);
Potential Impact – Negliglible (Damages from these attacks are highly unlikely or are unable to adversely affected the targeted systems and infrastructure. Such incidents may result in minor reputational damage. Sensitive systems and data remain intact, confidential, and available.).”
Hacker groups. There are several hacker groups with broad renge of capabilities and potential to impact business entities and society. More publized groups are Anonymous, Ghost Squad, Wiki Leaks, Cult of Dead Cow etc..
Organized criminal groups who hire hackers. Groups are very ellusive. Their lifespan can be 6 months long or more. Roderic Broadhurst, et all in his artcicle “Organizations and Cyber crime: An Analysis of the Nature of Groups engaged in Cyber Crime “, made reference to criminal organization classification according to McQuire, (Roderic Broadhurst, 2014):
“Tier 1 – groups operates mostly online. Their posture as malicious actors is establishe via online malicous activities:
“Swarms share many of the features of networks and are described as ‘disorganized organizations [with] common purpose without leadership.’ Typically swarms have minimal chains of command and may operate in viral forms in ways reminiscent of earlier ‘hacktivist’ groups. Swarms seem to be most active in ideologically driven online activities such as hate crimes and political resistance.
Hubs, like swarms, are essentially active online but are more organized with a clear command structure. They involve a focal point (hub) of core criminals around which peripheral associates gather. Their online activities are diverse, including piracy, phishing attacks, botnets and online sexual offending”.
Tier II groups bridges malicious behaviour online with offline. Groups represent hybrid malicoius behaviour with mix attack vectors:
“In a clustered hybrid, offending is articulated around a small group of individuals and focused around specific activities or methods. They are somewhat similar in structure to hubs, but move seamlessly between online and offline offending. A typical group will skim credit cards, then use the data for online purchases or on- sell the data through carding networks.
Groups of the extended hybrid form operate in similar ways to the clustered hybrids but are a lot less centralized. They typically include many associates and subgroups and carry out a variety of criminal activities, but still retain a level of coordination sufficient to ensure the success of their operations.”
Type III – maintain their operations offline - their action online carrys supportive character for offline malicious activities.
“Hierarchies are best described as traditional criminal groups (e.g. crime families), which export some of their activities online. For example, the traditional interest of some mafia groups in prostitution now extends to pornography websites; other examples include online gambling, extortion, and blackmail through threats of shutting down systems or accessing private records via malware attacks or hacking.
Aggregate groups are loosely organized, temporary, and often without clear purpose. They make use of digital technologies in an ad hoc manner, which nevertheless can inflict harm. Examples include the use of Blackberry or mobile phones to coordinate gang activity or public disorder, as occurred during the 2011 UK riots or the Sydney riots in September 2012.”
Rober Broadhurst et all cites Steven R. Chabinsky Deputy Assistant Director, Cyber Division Federal Bureau of Investigation at GovSec/FOSE Conference in Washington, D.C., on March 23, 2010, where Steven Chabisnsky emphasized that cybercriminals tend to specialize their operation, (Steven R. Chabinsky, 2010) :
“First, we have the coders or programmers, who write the malware, exploits, and other tools necessary to commit the crime. Contrary to popular belief, coders are not protected by the First Amendment when they knowingly take part in a criminal enterprise—and they go to jail just like the rest of the enterprise.
Second, we have the distributors or vendors, who trade and sell stolen data, and act as vouchers of the goods provided by the other specialties.
Third, we have the techies, who maintain the criminal infrastructure, including servers, bulletproof ISPs, and encryption; and who often have knowledge of common database languages and SQL servers of course.
Coming in fourth on my list, there are the hackers, who search for and exploit application, system, and network vulnerabilities to gain administrator or payroll access.
Fifth, there are the fraudsters, who create and deploy social engineering schemes, including phishing, spamming, and domain squatting.
Meanwhile, and sixth for those keeping track, there are hosters, who provide “safe” hosting of illicit content servers and sites, often through elaborate botnet and proxy networks.
Seventh, we also have the cashers, who control drop accounts and provide those names and accounts to other criminals for a fee, and who also typically control full rings of our eighth category, money mules.
Ninth, we have the tellers, who help with transferring and laundering illicit proceeds through digital currency services and between different world currencies.
Finally, logging in at number 10 on the specialty list, there are leaders—many of whom don’t have any technical skills at all. They’re the “people-people.” They choose the targets; choose the people they want to work each role; decide who does what, when, and where; and take care of personnel and payment issues.”
Steven R. Chabinsky, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation gave excellent insight about criminal groups structure. Any company which will be endpoint on their attacks will not meet one outsider, but several different people whose goal will be to gain maximum trust, and to exploit it to gain monetary and/or bragging rights. Majority of Security Awareness trainings avoid the fore mention facts and assume it will be one person and/or one’s person’s signature on the attacks pattern. For example, people who trie to convince you that your home or business computer “sends signals to Microsoft about computers virus infection” and due to that someone from Microsoft will be calling you to solve the issue, are malicious actors. During their Social Engineering attack phone numbers, from which calls originated, can be switch and displayed in a different state or it can be 800 numbers. Also, malicious actors might be altering their accents and voice tonality etc. to pursue their plan against you or a company.
Company’ s management will need prepare their employees about diversity of attacks and establish policies and guidelines which support Forensic Readiness and log management. Additionally, companies should implement persistent testing of various software vender patches before installing patches on the company’s network.
APT groups. APT – Advance Persistent Threat – majority of those groups have ties to particular state and have one or several interests in to critcical infrastructure industry and/or business niches which are tied as business associates to them. Some of APT groups are: The Syrian Electroni Army, Tarh Andishan (possible afliation Iran), Drangonfly gang (Energetic Bear), Ajax Security Team (Flying Kitten) (possible afliation Iran), APT 28 (possible afliation Russia), Unit 61389 (possible afliation China), Axiom (possible afliation China), Bureue 121 (possible afliation North Korea), Hidden Lix (possible afliation China), APT 1 (possible afliation China). APT 15 (possible afliation China). There several reports about attack types and targets for each groups. Mandiant published extensive research paper about APT 1 (Mandiant, February, 2013), Mandiantt reaserch paper reports about APT 1:
Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries;
“APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.
APT1 uses some tools and techniques that we have not yet observed being used by other groups including two utilities designed to steal email — GETMAIL and MAPIGET.
APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.
Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.”
To get complete understanding about modus operandi for one particular group is difficult, due to changing patern of behaviour. To prepare a company for APT possible intrussion, information security proffesionals will need to allocate time and resources to gain access to published research materials which are legally and publicly available from government agencies, think tanks, research groups and educational institutions.
Flashpoint report doesn’t include information about separate APT groups in their summary. They categorize generalal approach about states which deploy and/or associate themselves with APT groups, such as China, Russia and North Korea, (Flashpoint, January 11, 2017):
Capability – Risk 6 (Nation-state supported actors possessing the highest levels of technical sophistication reserved for only a select set of countries. The actors can engage in full-spectrum operations, utilizing the full breadth of capabilities available in cyber operations in concert with other elements of state power, including conventional military force and foreign intelligence services with global reach.);
Potential Impact – Catastrophic Catastrophic (Kinetic and cyber-attacks conducted by the threat actor(s) have the potential to cause complete paralysis and/or destruction of critical systems and infrastructure. Such attacks have the capacity to result in significant destruction of property and/or loss of life. Under such circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and availability are completely compromised for extended periods.);
Capability – Risk 6 (Nation-state supported actors possessing the highest levels of technical sophistication reserved for only a select set of countries. The actors can engage in full-spectrum operations, utilizing the full breadth of capabilities available in cyber operations in concert with other elements of state power, including conventional military force and foreign intelligence services with global reach.);
Potential Impact – Catastrophic (Kinetic and cyber-attacks conducted by the threat actor(s) have the potential to cause complete paralysis and/or destruction of critical systems and infrastructure. Such attacks have the capacity to result in significant destruction of property and/or loss of life. Under such circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and availability are completely compromised for extended periods.);
Capability – Tier 4 (Attackers are part of a larger and well-resourced syndicate with a moderate-to-high level of technical sophistication. The actors are capable of writing custom tools and malware and can conduct targeted reconnaissance and staging prior to conducting attack campaigns.)
Potential Impact – Severe (Cyber-attacks emanating from this actor set have the capacity to disrupt regular business operations and governmental functions severely. Such incidents may result in the temporary outage of critical services and the compromise of sensitive data.).”
Each of fore mention entities will be looking for a companys and organizations dynamic of relationships, for example(Wrightson, December, 2014):
“Business policies and procedures;
Ethnic differences and diversity of employees;
Inter-relationships between departments within organizations;
Impact of geological diversity of companies;
Impact of holidays and vacation;
Overall security awareness and importance placed on security;
World events external to organizations”.
Malicious actors will be investing resources to gain the best scope. For example, a person, who uses social networks as base for his/her confessions or attacks on company’s personnel, will be excellent source for fore mention malicious entities. Companies management will need decide how much information can be published on their website and social networks sites. Another example, where pure insider creates unintentional threat to a company - Company’s PR personnel receives acceptance from a company’s management for publishing employee names and their free time activities. Fallowing such request company’s employee unwillingly becomes information source to create phishing attacks on him/her and will increase positive outcome of malicious attacks carried out by a hacker, hacker groups, criminal groups and/or APT.
Both Insider and Outsider individuals and or groups will be using all or some of malicious attack steps:
How much of utilization of those steps will be used by a particular individual or group depends on their goal, time and budget.
Base on intentional and unintential threat mitigation lies in companys’ ability to establish governing policies and follow their guidlines, which support those policies. Additinally, it need to have ability adjust their secure posture according to threat level which is closely tied to their occupied business niche and infrastructure.
Both, attacks based in technical means and attacks based human skillset, have particular signature. Mallicious attacker or group can adopted to particular hardware or software toolset and uses those towards attack on company via network, social engineering, phishing etc. Similarly, person with malicious intent have signature traits which can be recognized in repeated malicious behaviour against a business organization and/or a person. Recognition of those signatures cannot be based mainly on reactive response by business entity towards malicious actor. Exception is when such attack is made against a large group, and the group representitives are joined in some kind mutual information exchange, then the response is proactive. For example, in the US such group is Infragard which provides partnership between FBI and business entities which are tied to critical infrastructures.
Either network anomaly and/or systems behaviour anomaly, cannot be detect without established baseline against which it is compared by IDS, IPS, or firewall with built in in IPS, IDS capacities and log reviews. Such baseline is one of the core steps to minimize threat level carried out by pure insiders and/or outsiders groups.
Aditional information about establishing safeguards against Insider threat can be found in NIST publication - NIST Special Publication 800-53 (Rev. 4) regarding control - https://nvd.nist.gov/800-53/Rev4/control/PM-12 .
(Pre-Draft) NIST Special Publication 800-53 Revision 5 - http://csrc.nist.gov/groups/SMA/fisma/sp800-53r5_pre-draft.html
@WhiteHouse. (February 12, 2013). Presidential Policy Directive -- Critical Infrastructure Security and Resilience. Presidential Policy Directive/PPD-21. https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil: @WhiteHouse Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
Analytics, D. T. I. a. (August 12, 2016). Hacktivism A defender’s playbook. Threat study, (August 12, 2016), 17. Retrieved from website: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-hacktivism.pdf
Anderson, K. (2008). Hacktivism and Politically Motivated Computer Crime, 15. Retrieved from website: https://pdfs.semanticscholar.org/da84/036798899142f8d158d31c44c2ec2ed93438.pdf
Commision, T. E. (December 11, 2006). The European Commission - PRESS RELEASES - Press release - The EuropeanProgramme for Critical Infrastructure Protection (EPCIP). http://europa.eu/rapid/press-release_MEMO-06-477_en.htm: The European Commision Retrieved from http://europa.eu/rapid/press-release_MEMO-06-477_en.htm.
Dr. Julie E. Mehan, P. D., CISSP, ISSPCS. (2016). Insider Threat. A Guide to Understanding, Detecting, and Defending Against the Enemy from Within. http://www.itgovernanceusa.com/shop/p-1552-insider-threat-a-guide-to-understanding-detecting-and-defending-against-the-enemy-from-within.aspx: IT Governance Publishing, IT Governance Limited, Unit 3, Clive Court, Barholomew’s Walk, Cambridgeshire Business Park, Ely, Cambridgeshire, CB7 4EA, United Kingdom.
Flashpoint. (January 11, 2017). Business Risk Intelligence – Decision Report. 2016 Year in Review and 2017 Flashpoints. Retrieved from http://go.flashpoint-intel.com/BRI-Decision-Report-2016: http://go.flashpoint-intel.com/BRI-Decision-Report-2016
Ivanov, A. (2017, 06.27.2017.). Petya Ransomware: NSA Exploit Edition, Petna (NotPetya, NonPetya) Ransomware. Retrieved from https://id-ransomware.blogspot.com/2017/06/petya-nsa-ee-ransomware.html
Jackson, G. M. (June, 2012). Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security with DVD: John Wiley & Sons, Inc., Corporate Headquarters, 111 River Street, Hoboken, NJ 07030-5774, Telephone: 201.748.6000, Facsimile: 201.748.6088, Email: firstname.lastname@example.org.
Mandiant. (February, 2013). APT! Exposing One of China' s Cyber Espionage Units (02.18.2013. ed., pp. 76). https://s3.amazonaws.com/assets.sbnation.com/assets/2187805/Mandiant_APT1_Report.pdf: Mandiant.
Michael G. Gelles, P. D., Tara Mahoutchian, MBA. (March, 2012). Mitigating the Insider Threat Building a Secure Workforce. Paper presented at the Welcome to FISSEA’s 25th Annual Conference: "A New Era in Cybersecurity Awareness, Training, and Education", National Institute of Standards and Technology, Gaithersburg, Maryland, USA. http://csrc.nist.gov/organizations/fissea/2012-conference/presentations/fissea-conference-2012_mahoutchian-and-gelles.pdf
Reed, T. (November 30, 2015). Examining the Islamic States Cyber Capabilities. https://worldview.stratfor.com/analysis/examining-islamic-states-cyber-capabilities: Stratfor.
Roderic Broadhurst, P. G., Mamoun Alazab, Steve Chon. (2014). Organizations and Cyber crime: An Analysis of the Nature of Groups engaged in Cyber Crime. International Journal of Cyber Criminology, 8(1).
Roy, S. K. (2010). Assessing insider threats to information security using technical, behavioural and organisational measures. Information Security Technical Report, 15(3).
Russon, M.-A. (2016). Anonymous takes down Black Lives Matter website to make point that 'All Lives Matter'. http://www.ibtimes.co.uk. Retrieved from http://www.ibtimes.co.uk website: http://www.ibtimes.co.uk/anonymous-takes-down-black-lives-matter-website-make-point-that-all-lives-matter-1558004
Steven R. Chabinsky, D. A. D., Cyber Division FBI. (2010). he Cyber Threat: Who's Doing What to Whom? Paper presented at the GovSec/FOSE Conference, Washington, D.C. https://archives.fbi.gov/archives/news/speeches/the-cyber-threat-whos-doing-what-to-whom
Wrightson, T. (December, 2014). Advanced Persistent Threat Hacking. The Art and Science of Hacking Any Organizations: McGraw-Hill Education.
August 30, 2017
A Paper by Joseph O. Esin
Imminent Cybersecurity Threats and Vulnerability
of Organizations and Educational System.
The proliferation of direct Internet connection has increased cyberattacks, identity theft, intellectual property theft, electronic fraud, spoofing, cyberterrorism, hacking, cracking into private and public and higher education cyber centers. Cybersecurity threats are not an isolated occurrence, and must be recognized as global operations that requires collaborative measures in preparing cyber-graduates and organization’s personnel on high-impact of cybercrimes, awareness, the understanding and obligation to secure, manage, control, and protect client vital data and sharing data and information on social media sites. Most members of academic world argue in support of premises that high school students should be exempted from cybersecurity education. On the other hand, some academic populations support the implementation of cybersecurity training sessions across the academic enterprise to include high school, undergraduate, graduate and post-graduate education. Collaborative cyber-education beginning from high school settings will control, if not eradicate proliferation of cybersecurity attacks, cyber-threats, identity theft, electronic fraud and rapid pace and will also support job opportunities for aspirants in field of cybersecurity across the globe. Private and public organizations and higher education institutions must be committed and ready to invest tremendous amount of resources into cybersecurity professional education (CPE) to prepare the new generation on high-impact cybersecurity awareness and understanding. Washington Center of Cybersecurity Research and Development (WCCRD) has established a well-conceived cybersecurity education and research development operation and willing to form alliance with higher education, private and public organizations to equip cybersecurity aspirants with expertise, skills for work and citizenship.
Collaborative education is a credible avenue to prepare the new generation for unrestricted and wide range cybersecurity threats, physical attacks, cyber threats, disruption of connection, and disruption of essential services. The expansion of cybercrimes occasionally involves production and distribution of child pornography, exploitation, cyberterrorism, conspiracies, banking and financial fraud, extensive impact on vulnerable citizens and damaging economic consequences across the globe. Per LeClair (2016) and Esin (2017), social engineering threats (SET) is often overlooked as fundamental segment of security threats. Social engineering threats (SET) are controlling, psychological operations, commercial maneuvering measures on relatives and friends are caused by unrestricted internet use, high-rate activities that tend to cause harm, disrupting services on organization security operations. SET frequently uses psychological moralities and procedures to manage security threats through persuasion and psychological principles, and crafty manipulation and persuading individuals into divulging confidential information, such as, employee’s user names, passwords, bank information, house and offices’ alarm code to take control over organization’s security centers.
To counter and contain these threats, private and public organizations and higher education enterprise are required to invest great amount of human and financial resources into cybersecurity professional education (CPE). Because of detonation of cybersecurity attacks, and cybercrimes, CPE must be designed to eliminate cyber-intimidation and empowerment of learners with dedication to learning and commitment to organizations.
The Internet is a powerful instrument for uploading and downloading of files, data and information, transmission and communication; however, it is also an operational tool for hacking and cracking into organization’s security centers. Hacking and cracking activities into organizations data storage centers is not secluded undertakings and most perpetrators of cybersecurity attacks often involve irritated personnel with direct and unlimited access to the data system and who are able use Internet access to probe against any organization’s security center (Markus 2015 & Rausch 2015). Cybersecurity attacks are emerging rapidly and uncontrollably, affecting local and national entities. In compliance with emerging cybersecurity threats, CPE course outlines must include the empowerment of participants with complete understanding of cyber threats, electronic fraud, illegal hacking and cracking, botnets, malware, phishing, data leakage, spear-phishing attacks, defense of vulnerabilities across global entities.
Minimizing Rates of Cyber Attacks via Professional Alliance
Greater priority must be used to strengthen efforts to stop cybersecurity attacks. Per Marie-Smith (2015) and LeClair & Ramsay (2015), global populations are depending on higher education to produce skilled and capable cybersecurity professionals, to defend institutions of higher education, private and public security centers. Captivating active initiative, Washington Center of Cybersecurity Research and Development (WCCRD) has established a well-conceived cybersecurity education and research development operations and is willing to form alliance with higher education, private and public organizations to find ways to combat these threats through collaboration and partnerships. WCCRD’s aspiration is to make sure those who prepare the current and future cyber-graduates for work and citizenship are fully equipped with required skills and expertise to perform the task. As Heckman (2016) and Rausch (2015) posit, global communities are constantly changing and the evolution of cybersecurity serves as an undeniable window of growth, curiosity, communication and invention of yet-to-be discovered global mystery.
Private and public organizations and higher education systems often seek candidates with cybersecurity and cyber-education skills with ability to detect vulnerabilities and respond to incidents of cyber security breaches. Today, the global community is falling short of security-educated graduates and practitioners to protect and defend our vulnerable global population, precisely, amid rapid and continuous evolution of cybersecurity attacks. Per LeClair (2016) studies on “cyber literacy in the age of attacks”, global education system must be ready and willing to prepare cyber-graduates for promising cyber-profession opportunity with reachable goals, and chances for successful future, respect, dignity and citizenship. My twenty-one years’ membership in higher education curriculum committee review, cybersecurity academic degree program and course offerings is limited and falls short of preparing graduates for real-world cybersecurity professional duties due to inclusion of general education and core courses requirements. It is reasonable to suggest that private and public organizations and higher education institutions need to establish alliances with cybersecurity research organizations such as Washington Center for Cybersecurity Research and Development (WCCRD) that are engrained with wide-ranging cybersecurity real-world training opportunities, workshops and conferences in higher education, private and public organization settings.
Advantage of Cybersecurity Profession Training Session
Most members of the academic world often argue that high school education systems should be exempted from cybersecurity education. I subscribe to the segment of academic community that permits the integration of cybersecurity program in high school, college and university education systems. Because of the proliferation of cybercrimes and Internet direct connect amid parallel increase in cybersecurity threats, identity theft, intellectual property theft, electronic fraud, cyberterrorist, and spoofing, high school graduates, college and university graduates will benefit from integrated training sessions due to following:
1. Growing concern of cyber-attacks on critical infrastructure and malicious actors operating from anywhere across the globe;
2. Expert training sessions, workshops, conferences, expertise and skill education in cyber security profession must remain active to meet increasing needs of private and public organizations and higher education institutions seeking experts in the cyber-field to secure sensitive data and information;
3. Specific training sessions, workshops, and conferences on social engineering with emphasis on psychological manipulation of personnel in attempt to trick them to divulge classified data and information to perpetrators; and
4. Demand for cybersecurity professional is growing at a rapid pace and job opportunities for aspirants in the field of cybersecurity are strong across the globe than ever before.
Cybersecurity threats are a global challenge and can be minimized, if not eliminated through integration of cybersecurity program into high school, college and university systems and curricular. Per Marie-Smith (2015), cybersecurity professionals and practitioners are in high-demand and will take up to 20 years to fulfil the skills gap; hence, high school, undergraduate, graduate and post-graduate schooling course offerings must be designed and customized to fit specific needs of cybersecurity graduates. The instantaneous global challenge is to prepare the next generation with expertise to protect the defenseless global population. Cyber-high school, undergraduate, graduate and post-graduate schooling is a credible instrument to foster intrinsic motivation; however, this new paradigm shift in education requires precise length of time for training, understanding and adjustment. Organization personnel, high schools, college and university students are raw materials or unfurnished instruments ready to be furnished by organizations and educational systems, hence, dedication and commitment is required by organizations and personnel team.
Cyber-technology and mobile-electronic devices connected to the Internet are vulnerable to cybercrimes. Per DeLong (2002), to decrease the strength of cybersecurity attacks, professional alliance must be adopted as promising landscape and completely utilized to protect individuals, public and private organizations and education enterprises from intrusions, illegal access to classified data and information, unlawful use of the Internet, frightening rate of cyber-attacks and security breaches Current and future cyber-graduates will like to live in states and nations where job opportunity is a promising norm with reachable career goals, respect, and dignity upon completion of rigorous horizon of cyber security academic exercise. Most personnel, faculty and student are unaware of how to refrain from risky behavior leading to security breach against organizations’ data and information in an era of Bring Your Own Devices (BYOD) and social media.
The best security and protective measures against cyberwar and cyberattacks is to create professional alliance and to engage in constructive, tailored education in cybersecurity as an acceptable guideline for high school educators, college professors in managing and delivering of instruction and in learning endeavors that are serviceable in cyber operations. This is in no way an attempt to turn academic professors, high school educators and personnel into global bodyguards, but an attempt to solve a problem on the rise through learning, securing, managing, controlling and protecting clients’ data and information and the illegal sharing of data on social media sites.
DeLong, Matt and Winter, Dale (2002) “Learning to Teaching and Teaching to
Learn Mathematics” Resources for Professional Development, Mathematical Association of America.
Esin, Joseph O. (2013) “The Emerging Impact of Information Technology on Education
and the Community.” The Journal of Educational Research and Technology, Volume 2, Number 2.
Esin, Joseph O. (2017) System Overview of Cyber-Technology in a Digitally Connected
Society. Author House. Bloomington, IN.
Esin, Joseph O. (2016). “Overview of Cyber Security: Endangerment of Cybercrime on
Venerable Innocent Global Citizens” The International Journal of Engineering and Science (IJES Volume 5, Issue 4, (2319-1805)
Heckman, Mark R. (2016) Cybersecurity Education’s Cargo Cult.” United States
Cybersecurity Magazine, Volume 4. Number 10
Ken Bain, Ken, (2004). “What the Best College Teachers Do.” Harvard University Press.
LeClair, Jane (2016). “Cyber Literacy in the Age of Attacks.” United States
Cybersecurity Magazine, Volume 4, Number 10
LeClair, Jane and Ramsay, Sherri W. (2015). Protecting Our Future: Educating a
Cybersecurity Workforce. Hudson Whitman, Excelsior College Press. Albany: New York
LeClair, Jane and Ramsay, Rumsfeld, D. (2013). Protecting Our Future: Educating a
Cybersecurity Workforce. Hudson Whitman, Excelsior College Press. Albany: New York
Marie-Smith, Christen (2015). “Building the Cyber-force of the Future.”
United States Cybersecurity Magazine, Volume 3. Number 9.
Markus, Rauschecker (2015). “Why Education in the Law and Policy of Cybersecurity
is a Must.” United States Cybersecurity Magazine, Volume 3. Number 9.
Rausch, Douglas (2015). “Social Engineering: The Root of the Cyber Threat.”
United States Cybersecurity Magazine, Volume 3. Number 9.
About the Author - Joseph O. Esin is the Lead Professor of Computer Information Systems at Jarvis Christian College, Hawkins, Texas USA
October 11, 2017
A Paper by Joseph O. Esin
Escalating Outcome of Cyber-Attacks on Healthcare Organizations
Cyber-attacks are a macro and universal challenge, and prevention of such episodes requires all-inclusive national and global collaborative efforts. Comprehensive activities should involve professional development and education on risk management, warning alarms, mitigating, and vulnerabilities in case of emergency. Healthcare organizations across the globe are threatened with a high volume of cyber-attack incidents, with a slower response time compared to corporate, and higher education systems that are often prepared with measures to protect against cyber-attacks on vital data and records. The number of cyber-attacks on healthcare organizations has doubled in the past 5 years and are viewed as worthwhile events by perpetrators by way of demoralizing impact on healthcare facilities.
Continuous cyber-attacks affect healthcare professionals’ ability to provide up-to-the-minute security measures and demand immediate attention, assessment and response. Cyber-attacks, cybercrimes, hacking, and cracking into organization security centers are large-scale national and global issues that affect patients, healthcare professional’s ability to function effectively. Cyber-attacks activities do not require a college degree; rather, a built-in manipulative and serpentine characteristics. Professional development and education to eradicate untimely breaches on clinical data and medical records must involve wisdom-oriented education. Wisdom includes knowledge; hence, the world community needs experienced thinkers, trainers, educators, and corporations with expertise in cybersecurity and cybercrime operations. Society needs to move away from intimidation, threats of cyber-attacks, and pressures of patients losing trust in healthcare organizations.
The Washington Center for Cybersecurity Research and Development (WCCRD) is designed to educate and prepare corporations, educational systems, and healthcare organizations with wisdom-oriented skills to battle cyber-attacks, breaches of clinical data and medical records. The director of WCCRD has a wide-ranging background and expertise in research and training to increase the wisdom and knowledge related to cyber-attacks and cybersecurity operations. Nation-states and global society must be willing to switch from fears of cyber-attacks, and data breaches, to acquire knowledge and wisdom that can contribute to human progress and eliminating traces of cyber-attacks.
Cyber-attacks are a widespread challenge and protection of healthcare organizations from such treacherous undertakings must include providing personnel within organizations with the ability to anticipate and recognize an attack through professional development and education on risk management, mitigating risk, and vulnerabilities in case of emergency. Healthcare professionals, such as physicians, pharmacies, nurses and administrators, as well as consumers, are at risk of cyber-attacks on organizational data and medical records. Healthcare authorities and administrators often tone down the risks of a data breach, and instead, concentrate on the prolongation of life, patient care, and insurance billings. Such dilution often leads to detrimental consequences. Leaders of healthcare organizations, hospitals, and medical clinics must implement steps to protect against cyber-attacks and data breaches. Suggested remedies must include the creation of a security management policy (SMP) representing a central platform for administrative control and personnel activities to minimize the risk of cyber-attacks.
On August 22, 2017, healthcare organizations around the globe experienced an outbreak of ransomware that encrypted files, resulting in the immobilization of British hospitals and causing outages of Deutsche Bahn display panels, forcing Honda to take production plants offline, and resulting in noncompliance to standard and regulations, hundreds of speeding fines and caused by infected speed cameras. In fulfilment of an SMP, personnel are required to sign a committed non-disclosure agreement permitting full investigation and prosecution for defilement and noncompliance with the agreed upon guidelines. Per Ponemon Institute (2017) findings, more than 10% of U.S. healthcare consumers believe that medical records have been compromised, a number that is increasing and will continue to increase in the coming years. Compliance measures must include an active cybercrimes plan covering clients’ personal health data and information, as well as the designation of skilled personnel to take control of cyber-attack operations and respond to cyber incidents, imminent cybersecurity intrusions, and breaches of data and medical records.
Landscape Cyber-attacks in Healthcare Organizations
Measures related to protection against cyber-attacks inside healthcare organizations are fragile compared to those within corporate and educational systems. Most healthcare organizations are misguided on cyber-attacks, which can create a vehicle for breaches of client data and information. Perpetrators of cyber-attacks are adopting sophisticated measures to expose client data and information to counterparts for illegal activities of the criminal ecosystem. Data breaches in healthcare facilities tend to have financial and reputational effects on clients, healthcare professionals, hospital administrators, and health insurance groups because of the magnitude of vital data disclosed to unauthorized users. Data breaches on medical records in hospital settings, physicians’ clinics, pharmacies and insurance entities are naturally internal operatives. As Metzger (2016) reported, Red-Spin is an established cybersecurity corporation designed to provide corrective measures against critical gaps, protect patient data and medical records. Per a Red-Spin Breach Report in 2013, personal data and healthcare records of approximately 30 million Americans have been breached and revealed to unauthorized users since 2009. The results of investigations conducted on healthcare data breaches from 2009 to 2013 have shown the most common cause of breaches, theft, and loss of data are directly related to the use of portable computing devices, such as laptops, mobile devices, and digital media containing electronic health records (EHRs; ISAC, 2015).
The use of mobile devices at any time and from anywhere, both in and out of the workplace, is often not regulated and tends to increase the risk of a cyber-attack and exacerbating security risks. Most law enforcement units across the globe are aware of the rapid increase in the number of cyber-attacks targeting healthcare organizations and investigating team believes the trend will continue to intensify in the next 5 to 10 years considering the derisory security mechanisms in healthcare operations (ISAC, 2015 & Murphy, 2015). Per a Bit-Sight assessment, most healthcare organizations are threatened with a high volume of cyber-attack incidents and unable to establish sweeping measures against premature cyber-attacks.
Outcome of Cyber-Attacks on Healthcare Organizations
Protected health information (PHI), under the Health Insurance Portability and Accountability Act (HIPPA) of August 21, 1996, refers to any information related to health status, the delivery of healthcare, and payment for healthcare by covered entity. Comprehensive efforts to maintain the integrity of patients’ clinical data and medical records to guarantee public confidence in healthcare organizations have been a nightmare for last 10 years or more decades. Per Metzger (2016), apprehension about continuous data breaches often affects healthcare professionals’ ability to provide up-to-the-minute security measures and demands immediate attention. Applying safeguards originated in PHI via HIPAA Privacy Rule will close hidden security gaps against cyber-attacks and data loss, and restore patient confidence with healthcare organizations. Per a Ponemon Institute report on patient privacy and data security published in March of 2014, the number of cyber-attacks on healthcare organizations doubled in the past 5 years. Cyber-attacks on clinical data and medical records in healthcare organizations are valuable undertakings for culprits with gloomy impact and negative public campaigns against the reputations of healthcare groups. The National Partnership for Women & Families (NPWF), a nonprofit organization established in 1971, aims to reinforce education and outreach on women and families. Per an NPWF September 25, 2017 analysis, 66% of healthcare consumers can no longer guarantee the safety of their clinical data and medical records that are in the custody of healthcare organizations because of the strategies exhibited by cyber criminals.
Most healthcare specialists are using Internet-enabled patient monitoring devices such as laptops, tablets, and smart phones to transmit patient’s readings of vital signs to primary physicians to enable immediate interventions to save lives. Undoubtedly, cyber-attacks on clinical data and medical records are on the rise and will continue at the same pace for the next 10 years (Robinson, 2011). Immediate measures and resources to mitigate the risk of cyber-attacks must be integrated into an organization’s annual budget. Apparently, most healthcare organizations are on the defense, claiming to operate on inadequate financial and human resources to implement security measures against cyber-attacks (Metzger, 2016).
Cloud technology is a logical and imperative operation offering a wide range of services and solutions to minimize the alarming rate of clinical data and medical records. Bit-Sight Insights (2017) operations involve the use of these three principles: benchmark security performance intended to compare security performance against perpetrator of cyber-attacks, objective and communications; third-party risk management designed to provide alerts across an organization’s network; and collaborative organization partnership, merchants and cyber insurance to measure, monitor security performance of insured entities to reduce underwriting risk and negotiation of organization policy and compliance measures.
Result of a Bit-Sight Insights analysis conducted from April 2013 to March 2014 showed healthcare organizations witnessed the largest percentage increase in cyber-attacks on the average duration of 5.3% daily. Today, many organizations rely on cloud technology and storage centers to store client data. Cloud technology providers (CTP) must identify actionable insights to keep cyber criminals out of range of organizations’ data centers. In the process, CTP must allow the information technology (IT) team and authorized users operational access to organizational resources and protection measures against cyber-attacks.
ISAC, Walter (2015). Security Information Center United States, Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), FBI and the Information Technology ISAC. (URL)
Magee, K. (2017, August 7). Has healthcare misdiagnosed the cybersecurity problem?
Retrieved from Help Net Security website:
Metzger, K. C. (2016). One American Square Suite 2900 Indianapolis, IN 46282-0200
Murphy, S. P. (2015). Healthcare information security and privacy. San Francisco, CA: McGraw Hill Education.
Robinson, R. (2011). Security policies and implementation issues. Burlington, MA: Jones and Bartlett Learning.
About the Author: Joseph O. Esin is the Lead Professor of Computer Information Systems at Jarvis Christian College, Hawkins, Texas
and Visiting Professor of Research, University of Calabar, Calabar, Nigeria.
January 28, 2018
A paper by Joseph O. Esin
From Historic to Present Day Culture of Social Engineering Attack
Social engineering attack (SEA) is an isolated occurrence on private, public, healthcare and higher education organizations where most activities involve direct connection to the Internet for the main and satellite campuses, city, state, national and for global interaction, digital communication and transmission. The preeminent method to mitigate social engineering attack is to equip users with ready-to-act techniques; rather than, training them with theoretical concepts. This article supports the premise that preemptive and protective mechanism to fight against social engineering attacks must include auditing security center (ASC) operation entrenched with independent security file servers to monitor incoming and outgoing email traffic and broadcast to users via organization file servers. Due to the sophistication of our modern-day culprits, over-all reliance on organization’s file server is no longer adequate to combat social engineering attacks and ASC will help to dissipate increasing credo that users are unpredictable factors in the fight against social engineering attacks.
The culture of ingenuity supports the creation of protective measures against vulnerabilities that were not included during the formation of SEA in the 17th, 18th, 19th centuries. SEA perpetrators normally use psychological moralities to circumnavigate security threats through persuasion and crafty manipulation techniques to convince users to disclose confidential information about organization. Prevailing predicaments is narrow effect and weakest linkages in the battle against social engineering attacks, amidst established laws and legislations such as Health Insurance Portability Accountability Acts (HIPPA), Sarbanes-Oxley (SOX) and Gramm-Leach-Bliley Act (GLBA).
Foundation of Social Engineering Attacks
Per LeClair (2016), social engineering attack (SEA) is often overlooked as a vital component of cybersecurity threats and as an integral segment controlling psychological operations, commercial maneuvering measures, unrestricted internet access and high-rate activities that tend to cause harm, disrupting services on organizations’ network security operations. SEA operators often use psychological moralities and procedures to sail around security restrictions through persuasion and psychosomatic principles, and crafty manipulation techniques to sway users into divulging confidential information, such as, user names, passwords, bank information, house and offices’ alarm code to take control over organizations’ security centers (LeClair, 2016 & Esin, 2017). SEA originated from English ingenuity-creativity, engineering-production, and most engineering activities are directly related to creativity and originality. In prehistoric times, soldiers had to be ingenious to win the war; men and women had to be ingenious to survive the drastic, hostile climate changes; and drivers had to be ingenious to survive the tyranny of driving distance, hazardous and unpaved roads. As a result, engineers must be involved in ingenious social invention activities. Social engineering ingenuity, in its broadest sense, involved hunting, farming, fishing, equipment manufacturing, transportation communication, mental creativities, trade and production. Historic channel to social engineering attack is categorized into five overlapping phases, namely pre-scientific revolution, primary industrial revolution, secondary industrial revolution, information technology industrial revolution and computer industrial revolution engineering.
Per Woodbury (1972) and Buchanan (1985), pre-scientific revolution engineering (PSRE) is recognized as most ancient monuments by the founders and building designers inscribed on the wall representing an act of ingenuity or code-name “engine.” The name engine was adopted by ancient draftsmen and draftswomen and renaissance engineers, one of whom was Leonardo da Vinci. Pioneers of engineering operation, including practical artists, architects, craftsmen, designers, and painters proceeded on social engineering careers by way of trial and error along with steady determination and ingenuity to produce exceptional equipment and devices. Prehistoric monuments are often stable, durable and entrenched with the name used by designers of ingenious fortifications. These devices are related to ingenuity capturing original denotation of engine that preceded to steam engines and locomotive devices (Pool, 1983 & Reynolds, 1991) First Industrial revolution engineering (FIRE), designed to support and strengthen social engineering, included structured engineering education integrated with science, engineering, mathematical and cybersecurity curricula, engineering practical training laboratories and industrial social engineering research centers. During the era of the first industrial revolution, research and engineering education were at their zenith in all fields of science and technology and progressed through the World War II. At the time when natural sciences enrichment programs were not incorporated into FIRE training innovation (Whisker, 1997, and Musson, 1969). Later, the incorporation of innovative social engineering training and creative engineering practical research programs were restructured and modernized; thus, resulting in the production of current systematic technological devices such as mainframe and super computers, desktop and laptop computers, satellite and telecommunication systems that are currently in use today.
In the early nineteenth century, the second industrial revolution engineering (SIRE) sponsored the emergence of electrical engineering, civil engineering and mechanical engineering procedures that helped to transform engineers from practical artists to professional scientific innovative operators. The formation of SIRE led to the emergence of two branches of engineering, namely, chemical engineering and electrical engineering that were developed in close alliance with chemistry and physics programs. Integration of these two subject areas; chemistry and physics led to the production of telecommunication equipment, marine engineering, and added devices generating alerts, restraining threats of ocean exploration. Aeronautic engineers turned prehistoric dream of flight into a travel opportunity for global communities (Musson 1969). The advent of SIRE led to the growth and explosion of information technology, participation of intellectual responsibilities and noteworthy mitigation of social burden through invention of social engineering education. The production of telecommunication equipment, marine engineering apparatus and equipment has turned prehistoric dreamers into pioneering engineers for the global communities. Information technology industrial revolution engineering (ITIRE) emerged after the second World War II and progressed to innovative invention of microelectronics, digital connections and communications, networking computing, information technology, the Internet, mobile devices, telecommunications and transmission systems (Calvert 1967 & Buchanan 1985). Indeed, ITIRE era helped to re-strengthen the production of turbojet and rocket engines designed to propel aeronautic manufacturing, atomic and nuclear engineering into unprecedented heights of accomplishment. Above all, ITIRE and SIRE witnessed a universal information technology revolution, that came with full participation of intellectual responsibilities, and the alleviation of collective social liability through structured engineering education needed to support the rise of large-scale future research engineers.
As Pool, (1983), Reynolds (1991), and Moss (1977) noted, Computer Industrial Revolution Engineering (CIRE) was by default, collaborative efforts of PSRE, FIRE, SIRE, ITIRE, leading to the modern technological advances, such as erection of Pyramids in the Nile Valley, facility barricades, roads network systems, canals that originated from the Mediterranean Middle East and Asia Minor. Also, the new revolution led to the development of new water distribution systems, public buildings across the territories by the Romans Empire and development of the wheelbarrow, rotary fan and sternpost rudder by China. Continued growth of these innovations quickly spread throughout most of the world communities ushering an improved standard of living, which could not have been possible without these dynamic innovations.
Formerly, North America, presently known as the United States of America, watched with awe, the European homegrown industrial technology revolution in the 17th century and in early 18th century. Soon, the United States progressed to adopt and implement identical European industrial and military engineering techniques (Woodbury, 1972). This era of information technology (IT) and industrial revolution engineering (IRE) was heavily entrenched with innovative growth in the orbit of IT, aeronautics, hydro and nuclear power, electronics, network system, Internet connections, telecommunications and cyber security operations. The progression in 18th through 19th centuries led to ground-breaking and innovative IT and IRE engineering operations in the United States which ultimately led to the creation of the canal and railway construction, professional technology engineering education and first professional engineering societies in 1887. However, these innovations and rapid growth in social engineering attack education brought with them a correspondingly elevated level of interruption in the smooth running of gadgets and equipment. The new development raised grave concern on social engineering attacks on vulnerable innocent citizens.
Social engineering attack (SEA) is often steered by a stranger who adopts a variety of psychological guiles on a computer to secure access or information required to hack into an organization’s security center, network file server and users’ workstation. Perpetrators of SEA are often strangers and non-tenured employees who meet requirements of headlines newsflashes as hackers. Fortunately, the predominant scheme of social engineering attack is navigated by insiders and organizations’ authorized users. Per Esin (2017), Benvenuto (1991), Musson, and Robinson (1969) assertion, the benchmark designed to protect against social engineering attack support the premises that thirty percent (30%) of hacking operations are directed toward private, public and healthcare organizations, and higher education enterprise are perpetuated by interlopers who are not authorized users of the organizations, while seventy percent (70%) of hackers are often initiated and executed by authorized users inside the organization. The axiom may sound hazy to the public, but, organization users and clients must be trusted until proven not trustworthy. Most chief executive officers, administrators, college and university vice-chancellors, directors and managers are often intolerant and impatient to verify personnel identity, background and establish trust due to time-consuming nature of this initiative. Nonetheless, organizations must learn to support and train employers who are assigned to work and protect the organization security center and resources.
Large segments of organizations’ security network users are often lazy, none-aggressive and choose short cuts in discharging assigned services by posting passwords on the screen and leaving confidential documents lying out on the table and uploading same document to associates and competitors (Moss and Hume, 1977 & Reynolds 1991). Authorized users within the organization are often the puniest linkage in any security operation. Based on the manipulative and psychological nature of social engineering operation, otherwise known as “community maneuvering,” perpetrators of social engineering attack often exploit human weakness prior to spending time and effort to crack passwords and gain access to an organization’s security center.
As Esin (2017) and Flond (1976) posit, culprits frequently install sniffers on organizations’ network file server via polite phone calls, gain required user identification and password to access the organization’s security center. SEA is a self-created community maneuvering ingenuity whose objective is to provide effective protective measures, such as the installation and configuration of up-to-date hardware and software and on-going professional training program. Social engineering attacks are classified into six categories, such as human-based, electronic interface, pop-up windows, mail attachments and exploitation of personality trait. The human-based category are individuals who often penetrate the facility pretending to be an employee, visitor, service personnel dressed in appropriate uniform and as active member of the community to gain access to the computer security center; electronic interface is a phishing scam that has been in existence for centuries and recently became a sophisticated hacking tool, the pop-up windows category sponsors alert to appear on the screen warning users that their network security center has been interrupted and the network connection needs to be re-authenticated, mail attachments emergence as hidden in e-mail that naturally arrives seeking information to update holder’s contact information, precisely, after user’s credit card had expired. The process is designed to avoid suspicion, a follow through with the location and exploitation of personality trait, dispersion of characteristic to affirm that a culprit is not solely responsible for the creation of scenarios and factors to dilute personal responsibility for criminal decision making.
Draw Back of industrial revolution
The foundation of social engineering attack from ingenuity-creativity through the first industrial revolution engineering, pre-scientific revolution engineering, second industrial revolution engineering, information technology industrial revolution engineering and computer industrial revolution engineering operated with inadequate protective measures against social engineering attacks. The culture of ingenuity creativity supports the creation of protective measures of social engineering attack against vulnerabilities were absent or nonexistent during the formation of SEA in the 17th, 18th, 19th centuries. SEA perpetrators normally use psychological moralities to circumnavigate security threats through persuasion and crafty manipulation. Culprits often use astute techniques to convince users to disclose confidential information to enable them take control of organization security centers. As a result, public, private, higher education and healthcare organizations are constantly in danger of losing vital data, information, clientele, financial base and reputation without well-conceived security and protective measures. Hence, the incorporation of auditing security center (ASC) will serve as a stable security data recovering center for any organizations. A credible technique to mitigate SEA must include filtering unsolicited email into organizations’ auditing security centers and the best preemptive and defensive mechanism in the process is to install and configure self-regulating security file servers to audit and monitor incoming and outgoing email traffic. The ASC must be configured as self-determining entity, and engage in monitoring, auditing and tracking users’ inbound and outbound communications; then, broadcast improprieties to users of organization network systems. Based on the large scale of undetected everywhere and anyplace social engineering attack, total reliance one network file servers within the organization is insufficient due to extensive internet activities and sophistication of our modern-day social engineering attackers. Integration of ASC file servers in addition to existing organization network file server will help to dissipate increasing myth that users are unpredictable factors in battling social engineering attacks.
Role of Auditing Security Center
The role of auditing security center (ASC) file server is to enforce security standards, unleash alert validation, temporarily disrupt the normal activities and broadcasting anomaly to users of organization file servers. Social engineering attacks are underhanded and often labelled as non-technical threats to any organizations, but require well-structured protective measures to decrease ongoing large scale of SEA operations. Perpetrators often adopt self-assurance tricks, exploiting naivety, lethargy and good nature of users to launch social engineering attacks on organizations’ main file servers. Per Reynolds (1991), LeClair (2016) and Esin (2017), organizations must take active steps against the escalation of social engineering attack, recognizing that fact that perpetrators are not afraid to search external organization dumpsters, internal office bins and discarded electronic media for data and information. Organizations’ network users must be trained on the danger of throwing waste paper and electronic media in a bin within and outside the office building. Social engineering attack is a multiple part operation, and most organizations often ignore to establish and adopt on-board ecological waste management action plans to deal with discarded materials, shredded left-over documents and magnetic media and placing fragments in isolated location. Most SEA operation involves artless observation where culprits watch over the user’s shoulder for user names and passwords to gain access to organization’s security centers. Organizations should question the legitimacy of authorized visitors and professional consultants. User names and passwords of authorized professional consultants and visitors must be set up through auditing security center (ASC) file servers to minimize and possibly eradicate the looming social engineering attacks.
Per Crozet (1985, Calvert (1967), Musson and Robinson (1969), Reynolds (1991) Ngwang (2016), LeClair (2016) and Esin (2017), since 17th, 18th, 19th centuries through millennium generation, the widespread and accelerated growth of scientific revolution, information technology and creative engineering came along with the alarming influx of social engineering attacks that need to be mitigated. As Muhlbaier (2003) and Murphy (2015) posits, most laws and legislations, such as Health Insurance Portability Accountability Acts (HIPPA), Sarbanes-Oxley (SOX) and Gramm-Leach-Bliley Act (GLBA) tend to have a narrow effect and weakest linkages in the battle against social engineering attacks. Most established laws and regulations often have limited impact on the battle against social engineering attacks. Preemptive and protective mechanism to fight against social engineering attacks must involve ASC operation entrenched with independent security file servers to monitor incoming and outgoing email traffics and broadcast to users via organizations’ file servers. Due to the sophistication of the modern-day culprits, over-all reliance on organization file server is no longer adequate to combat social security attacks and ASC operation will help to dissipate increasing credo that users are unpredictable factors in the fight against social engineering attacks.
Benvenuto, E. (1991). An Introduction to the History of Structural Mechanics.
New York: Springer-Verlag.
Booker, Peter J. (1963). A History of Engineering Drawing. London: Northgate.
Buchanan, R. A. (1985). The rise of scientific engineering in Britain. British Journal for
the History of Science, 18: 218-33.
Calvert, M. A. (1967). The Mechanical Engineer in America, 1830-1910. Baltimore,
MD: John Hopkins Press.
Crozet, Francois. (1985). The First Industrialists: The Problems of Origins.
New York: Cambridge University Press.
Esin, Joseph O. (2013) “The Emerging Impact of Information Technology on Education
and the Community.” The Journal of Educational Research and Technology,
Volume 2, Number 2.
Esin, Joseph O. (2017). System Overview of Cyber-Technology in a Digitally
Connected Society. Author House. Bloomington, IN.
Esin, Joseph O. (2016). “Overview of Cyber Security: Endangerment of Cybercrime on
Venerable Innocent Global Citizens” The International Journal of Engineering
and Science (IJES) Volume 5, Issue 4, (2319-1805)
Flond, R. (1976). The British Machine-tool industry: 1850-1914. New York:
Cambridge University Press.
Foster, I. (2002). The Grid: a new infrastructure for 21st century science. Physics Today,
LeClair, Jane and Ramsay, Sherri W. (2015). Protecting Our Future: Educating a
Cybersecurity Workforce. Hudson Whitman, Excelsior College Press. Albany: New York
LeClair, Jane and Ramsay, Rumsfeld, D. (2013). Protecting Our Future: Educating a
Cybersecurity Workforce. Hudson Whitman, Excelsior College Press. Albany: New York
Mayr, O. (1970). The Origins of Feedback Control. Cambridge: MIT Press.
Mayr, O. (1971). Adam Smith and Concepts of Feedback System. Technology and Culture,
Moss, M. S, and Hume, J. R. (1977). Workshop of the British Empire: Engineering and
Shipbuilding in the West of Scotland. London: Heinemann.
Musson, A. E. and Robinson, E. (1969). Science and Technology in the Industrial Revolution.
Toronto: University of Toronto Press.
Ngwang, E. N. (2016). Individual Freedom, Cyber Security and Nuclear Proliferation in a Borderless Land: Innovations and the Trade-offs in Scientific Progress.” The Journal of Educational Research and Technology (JERT). Vol. 5. No. 5, 33-72.
Peters, T. F. (1987). Transitions in Engineering. Basil: Birkhäuser Verlag.
Pool, I de Sola, (1983). Technologies of Freedom: On Free Speech in an
Electronic Age. Cambridge: Harvard University Press.
Rae, J. B. and Volti, R. (1993). The Engineer in History. New York: Peter Lang.
Reynolds, T. S. (Ed.). (1991). The Engineer in America. University of Chicago Press.
(Articles, mostly case studies, from Technology and Culture, preceded by two introductions on the typical characteristics of American engineers).
Whisker, J. B. (1997). The United States Armory at Springfield: 1795-1865. Lewiston,
UK: Edwin Mellen Press.
Woodbury, R. S. (1972). Studies in the History of Machine Tools. Cambridge: MIT Pres
About the Author - Joseph O. Esin is the Lead Professor of Computer Information Systems at Jarvis Christian College, Hawkins, Texas as well as the Visiting Professor of Research at the University of Calabar, Nigeria.