Cybersecurity Blog

Messiah University’s Computer Science Club and associated Women in Cybersecurity (WiCyS) chapter hosted their Spring CTF Night on February 24th. A CTF (Capture-The-Flag) event is a cybersecurity competition in which participants complete cyber-related challenges to find hidden strings of characters, called flags, that they submit to win points.

Our CTF included 24 challenges designed by our club leadership in areas such as cryptography, steganography, password cracking, web server vulnerabilities, and more. Many cybersecurity students participated and got the chance to learn new skills, hang out with friends, and potentially win Cyber Program hoodies!

We are grateful for our collaboration with the Games Club and Cybersecurity Program to provide pizza/snacks and a large group of students excited about this event. We hope to continue hosting a CTF Night each semester in the future and look forward to the events.

This post was written by Grace, a Cybersecurity student and leader of the WiCyS chapter at Messiah. We appreciate Grace’s hard work in spearheading and overseeing this event.

The local WiCyS (Women in Cybersecurity) chapter, along with support from the Cybersecurity Education Program, hosted a Women in Cyber lunch for female CIS, Cybersecurity, and Business students on February 16 in the Messiah University Cyber Center. It was a time of making connections and learning from one another over a shared meal. Special guest Christina Martin, Cybersecurity and IT specialist at Highmark Health, spoke about the importance of having a healthy support network and of not being afraid to try new things in the industry. The event ended with a time of Q&A, followed by an extended time of fellowship and networking.

We are grateful to Christina for making time in her schedule to speak with our students. We’re also grateful to our students for their leadership of this event. We hope to do more events like this in the future that deal with the crossroads of cybersecurity, tech, and business, as well as women in leadership.

Special thanks to the Gender Concerns Committee for sponsoring this event!

On February 4, students from Messiah University participated in the collegiate cyber defense competition, a six-hour-long cyber security inherit and defend competition. This year’s scenario was to inherit a fictitious shipping company’s infrastructure and harden it before the hackers started attacking it. Students worked as a team to fix problems, harden the infrastructure, update, and ensure service availability all while being given business tasks from the company such as writing newsletters, acceptable use policies, and getting Graylog working.

This was the first year that Messiah University has participated in the competition. Led by coach Dr. Bibighaus and captain Ray Truex, a team was quickly formed and preparation started. The team roster included Luke Anderson, Justin Ayres, Chris Copeland, Ryan Donat, Delainey Gray, Aidan Hubly, Brandon Snook, Michael Stefanchik, Grace Taylor, Ray Truex, Shane Wahlberg, and Xavier Zepiora.  Each team member was assigned a certain machine to work on either apps, core, files, virtual, data, logs, and saas.

During the competition, the team was able to see a scoreboard showing which services were up and running and which were down, in addition to total score and place. After the competition, Xavier Zepiora said “we were not off to a great start, showing up as last place on the scoreboard at the start, but after a few hours of having all of our services up and running we slowly started climbing places passing other teams”. Messiah University went from last place to a high of thirteenth place. By the end of the competition the team was ranked 15th out of 29, which meant the team did not place in the top eight teams which move on to regionals. A few days after the event, the competition director notified the team of our final score, which was 11^th out of 26. 

Ryan Donat, Michael Stefanchik, and Shane Wahlberg are seniors this year and will not be able to compete next year but are still excited for the future of the team. After the competition Shane Wahlberg said “I am so excited for the future of the team, this was the first year and we just wanted to see what the competition was like. I think we did pretty good for it being our first year”. After having one competition under the team’s belt, the team is ready to start recruiting and preparing for next year. The team has a large list of items that they now know they need to work on more in-depth. The main goal in training for the next competition include having a CCDC virtual environment where the team can practice during their meetings. Some team members hope to go to regionals as volunteers to gain more experience and talk to other teams to learn from how they prepare for the event. Just because the competition for this year is over for the team does not mean that practice and training is over, the team will continue training and recruiting until the next event.

*This post was written by Messiah Cybersecurity major Ray Truex. If you are a Messiah Cybersecurity student and you’re interested in joining the CCDC team, reach out to Ray for more information.

We’ve launched a brand new YouTube channel, where our goal is to showcase the stories of our students – why they’ve chosen cybersecurity as a career, how they ended up at Messiah, and even what cybersecurity is and why it’s important. We’re thrilled to be able to capture some of their experiences in their own words, and to have a platform where students can bring awareness to the importance of cybersecurity for individuals and corporations.

Watch the first videos and subscribe here >> https://www.youtube.com/channel/UCdPfEhuYkF3dtghXwLSWAoA

What is the difference between cybersecurity and data privacy, and how do they work together? Read on for our final post of Data Privacy Week. Thanks again to the National Cybersecurity Alliance for allowing us to partner with them in an effort to resource people with tools to protect their data.

What Is Data Privacy?

The sheer volume of data generated about you and your activities online is staggering, which is why data privacy has become a defining issue of our digital age. Even if you don’t care very much, thousands of businesses across the globe pay top dollar to learn about you through this data.

Your online data can be categorized in certain ways. First, there is personal information like your name, birthdate, and Social Security number. There is also important information about you like your medical records and credit card numbers.

Then there is data about what you do online, like what websites you visit, what products you buy online, and who you communicate with on social media. This data can be extremely granular, like how many seconds you spend looking at a webpage before clicking to something else. Advertisers and other businesses prize this sort of data because they can better target ads and products toward you.

Often, this data is anonymized when sold, meaning an advertiser won’t know the specific name of the person who clicked on a link. But a cross-section of data about you can be added together to try to personalize ads to you. Data privacy, then, is the right to keep your data private. Understand that you cannot keep all of your data private from everyone – the IRS, for example, must know how much money you make, or you will face unpleasant consequences. However, you should know your data privacy rights and, when you can, make choices to only share your data when you feel it is appropriate.

Is Data Privacy the Same as Cybersecurity?

Data privacy and cybersecurity are different fields, but they go together. Data privacy revolves around rules, guidelines, and your own personal choices about who has access to your data, and how much access they have. Cybersecurity is focused on preventing and solving threats like hackings, malware, and online scams.

Bad actors often exploit cybersecurity vulnerabilities, though, to get data – it is that valuable. A lot of cybersecurity is about keeping your data safe. Data privacy, on the other hand, is about your right to keep your data safe, especially from those who aren’t cybercriminals, like websites and businesses.

Why Is Data Privacy Important?

You might be thinking that all your data is already out there, who cares who sees it? Why do I care if an advertiser knows what shoes I just bought through social media?

Think about this: have you ever been creeped out after using a search engine and then suddenly all the ads on the websites you visit are about the thing you searched? Do you want unscrupulous marketers to have your phone number so they can call you constantly?

There is probably some data you really don’t want others to have full access to, like your emails. However, if you don’t pay attention to your data privacy, you might download a program or plug-in that scans your email for data and sells it to advertisers. Even if the plug-in provides a decent service, like easily allowing you to unsubscribe from promotional emails, you might think twice about giving the service total access to your email inbox if you know that they sell your data.

With technology, there is always a trade-off between privacy and convenience. A maps app, for example, needs to know your current location to give you directions. In many cases, though, you can choose how much data you want to share. This is where knowing about data privacy can help you make decisions and form habits.

Finding peace of mind by being more aware of your data privacy is worth it.

January 22-28, 2023 is Data Privacy Week. To celebrate, we are partnering with the National Cybersecurity Alliance to spread awareness and resources about online privacy.

Your data is valuable. Even if you don’t agree, many organizations and groups would pay top dollar for it and they don’t all have your best interests in mind. But you have the power to take charge of your data. This is why we are excited to celebrate the second ever Data Privacy Week!

The goal of Data Privacy Week is to spread awareness about online privacy. We think data privacy should be a priority both for individuals and organizations. Our goal is twofold: we want to help individuals understand that they have the power to manage their data and we want to help organizations understand why it is important that they respect their users’ data.

Data Privacy For Individuals

All your online activity generates a trail of data. Websites, apps, and services collect data on your behaviors, interests, and purchases. Sometimes, this includes personal data, like your Social Security and driver’s license numbers. It can even include data about your physical self, like health data – think about how a smartwatch counts and records how many steps you take. While it’s true that you cannot control how each byte of data about you and your family is shared and processed, you are not helpless.

Here are some simple, easy tips that will help you manage your data privacy:

1. KNOW THE TRADEOFF BETWEEN PRIVACY AND CONVENIENCE.

Nowadays, when you download a new app, open a new online account, or join a new social media platform, you will often be asked for access to your personal information before you can even use it. This data might include your geographic location, contacts, and photos.

For these businesses, this personal information about you is tremendously valuable — and you should think about if the service you get in return is worth the data you must hand over, even if the service is free. Make informed decisions about sharing your data with businesses or services. Is the service, app, or game worth the amount or type of personal data they want in return? Is the data requested even relevant for the app or service (that is, “why does a Solitaire game need to know all my contacts”)?

 2. ADJUST THE SETTINGS TO YOUR COMFORT LEVEL

For every app, account, or device, check the privacy and security settings. These should be easy to find in a Settings section and should take a few moments to change. Set them to your comfort level for personal information sharing; generally, we think it’s wise to lean on the side of sharing less data, not more.

3. PROTECT YOUR DATA

Data privacy and data security go hand-in-hand. Along with managing your data privacy settings, follow some simple cybersecurity tips to keep it safe. We recommend following the Core 4:

• Create long (at least 12 characters), unique passwords for each account and device. Use a password manager to store each password – maintaining dozens of passwords securely is now easier than ever.
• Turn on multi-factor authentication (MFA) wherever it is permitted – this keeps your data safe even if your password is compromised.
• Turn on automatic device, software, and browser updates, or make sure you install updates as soon as they are available.
• Learn how to identify phishing messages, which can be sent as emails, texts, or direct messages.

Data Privacy For Organizations

Respecting the privacy of your customers, staff, and all other stakeholders is critical for inspiring trust and enhancing reputation. By being open about how you use data and respecting privacy, you can stand out from your competition. Communicate clearly and concisely to the public what privacy means to your organization, as well as the steps you take to achieve and maintain privacy.

Here are a few steps toward building a culture of respecting data at your organization:

1. CONDUCT AN ASSESSMENT

Assess your data collection practices. Make sure the personal data you collect is processed in a fair manner and only collected for relevant and legitimate purposes. Understand which privacy laws apply to your business, and remember you will have to think about local, national, and global regulations.

2. ADOPT A PRIVACY FRAMEWORK

Research how a privacy framework can work for you. A privacy framework can help you manage risk and create a culture of privacy in your organization. Get started by checking out the following frameworks:
NIST Privacy Framework
AICPA Privacy Management Framework
ISO/IEC 27701 – International Standard for Privacy Information Management

3. EDUCATE EMPLOYEES

Your employees are the frontlines toward protecting all the data your organization collects. Create a culture of privacy in your organization by educating your employees of their and your organization’s obligations to protecting personal information.

January 22-28, 2023 is Data Privacy Week. To celebrate, we are partnering with the National Cybersecurity Alliance to spread awareness and resources about online privacy. Our posts next week will focus on managing online privacy for both individuals and organizations, as well as the differences between cybersecurity and data privacy and how they work together. To get us ready, here are a couple of short videos with interesting statistics on how individuals and organizations approach data privacy!

Do You Know?

Respect Customer Privacy

This week we welcome our friend and colleague Matt Chiodi to the blog. Matt has over two decades of security leadership experience and is currently the Chief Trust Officer at Cerby. He’s an expert on Zero Trust, and we’re glad to have him as a guest contributor to our blog.

Zero Trust is a set of principles that assumes a breach is likely to occur and that no data, application, asset, or service should be trusted by default. IBM Security found in a 2021 study that when appropriately implemented, Zero Trust can reduce the cost of security breaches by 43%. Zero Trust is a proactive security strategy that helps organizations protect their data and applications by verifying the identity of users, devices, and applications and monitoring their behavior.

The traditional approach to cybersecurity, which assumes that assets and applications inside a network are trusted because they belong to the company, is no longer working. The number of publicly disclosed breaches in 2022 exceeded 4,100, making it clear that the old approach is no longer effective. The problem with the traditional approach is that it focuses on building a wall around the network. This doesn’t work since most employees work in hybrid environments where traditional controls cannot be applied. Today’s attackers are also using sophisticated techniques to bypass these walls and gain access to the network.

One of the critical benefits of Zero Trust is that it can be highly effective when applied correctly. However, there are some situations where it may not be the best approach. For example, with employees, Zero Trust can be counterproductive. Research from cybersecurity company Cerby found in their latest report, State of Employee Trust, that 60% of employees said applications being blocked negatively affected how they felt about their company. To gain employee trust, security and IT teams need to revisit many security tools used in most enterprises.

An overreliance on enforcement-based controls, such as blocking, banning, and denying employee use of employee-preferred applications, can erode employee trust. These measures can negatively impact employee satisfaction and productivity, as they impede their ability to do their job efficiently. Moreover, if employees feel their employer doesn’t trust them, it can negatively affect employee engagement and morale. An interesting finding from the Cerby report found that if empowered to choose the applications they use for work, 39% of employees said they would be willing to take a 20% cut in pay. This finding sheds light on what many employers fail to realize: applications are intimately tied to how people get their work done and their job satisfaction level.

One can use a combination of Zero Trust principles and enrollment-based controls to achieve the best of both worlds. Enrollment-based controls take a different approach and incentivize employees to make security-conscious decisions by providing them with tools and processes that help them work more efficiently and productively. With this approach, security and IT teams can create an environment with something in it for both the employee and employer.

The bottom line is clear for leaders who want to build high-performance organizations for shareholders and employees: Zero Trust is only for applications and data, not employees. Organizational leaders must take tangible steps to build trust daily if they want the highest quality products, continuous improvement, and innovation.

Matt Chiodi has over two decades of security leadership experience and is currently the Chief Trust Officer at Cerby. Prior to Cerby, he was the Chief Security Officer of Cloud at Palo Alto Networks. Chiodi is a frequent blogger, podcaster, and speaker at industry events such as RSA. He is also on faculty at IANS Research.

Merry Christmas and Happy New Year from all of us in the Cybersecurity Education Program!

This holiday season, we’ve partnered with the National Cybersecurity Alliance to let you know about a few online shopping trends and to give you some tips about how to stay safe online while buying gifts for everyone on your list.

Generally, experts seem to believe that the average American is going to spend less this year – though pandemic restrictions have largely lifted, we’ve entered a new season of economic uncertainty. This means every dollar is even more important, which is why we want to help you protect your hard-earned cash from the scammers and hackers that pop up every year. Here is what we think is cheerful and what we think is coal-worthy for shopping online this holiday season:

Cheerful

Keeping an eye on your bank statements
Your first line of defense against identity theft and fraud is to pay close attention to your financial records, like bank statements and credit card transactions. You can usually follow this data up-to-the-minute online. Flag any suspicious activity (like being charged for a purchase you didn’t make) and contact the institution immediately.
Knowing how much items should cost
When shopping online, have a general sense of how much the items you want to buy should cost. Not only will that make you a comparison shopping extraordinaire, but you can also get a sense if an online store has prices that are too good to be true. In these cases, you might pay less, but then you might get an item that doesn’t match the description, is a counterfeit, or you might pay and not get any item at all! A little bit of research can help protect you.
Making a cybersecurity list, checking it twice
1. Protect each account with a unique, complex password that is at least 12 characters long – and use a password manager!
2. Use multi-factor authentication (MFA) for any account that allows it.
3. Turn on automatic software updates, or install updates as soon as they are available.
4. Know how to identify phishing attempts and report phishing to your email provider or work.

Coal-worthy

Shopping on public wi-fi
Public wi-fi and computers are convenient, and sometimes necessary to use. However, public wi-fi is not very secure – you shouldn’t ever online shop or access important accounts (like banking) while connected to public wi-fi. If you must buy a few gifts online while away from your home or work network, use a VPN (virtual private network) or mobile hotspot.
Grinch Bots
Last year, a record number of so-called “Grinch Bots” were recorded. These are automated programs that quickly buy up popular toys, sneakers, or other items and then resell the item for a huge mark-up to real people. Of course, buying supposedly new items on a resale market opens you up to an increased risk of fraud and counterfeit goods. The best way to defang Grinch Bots is to refuse to buy from them, and to only buy items from vendors you can verify.
Sharing more than you feel comfortable with
While you need to share data to make a purchase online, you should be wary of any retailer that is requesting more information than you feel comfortable sharing. Oftentimes, you don’t need to fill out every field, and you shouldn’t if you don’t want to. If an online store requires you to share more information than you want, find another retailer on the internet – or in real life!

And here’s a handy infographic that summarizes it all. Have a safe and happy holiday season!