Cybersecurity Blog

This week we welcome our friend and colleague Matt Chiodi to the blog. Matt has over two decades of security leadership experience and is currently the Chief Trust Officer at Cerby. He’s an expert on Zero Trust, and we’re glad to have him as a guest contributor to our blog.

Zero Trust is a set of principles that assumes a breach is likely to occur and that no data, application, asset, or service should be trusted by default. IBM Security found in a 2021 study that when appropriately implemented, Zero Trust can reduce the cost of security breaches by 43%. Zero Trust is a proactive security strategy that helps organizations protect their data and applications by verifying the identity of users, devices, and applications and monitoring their behavior.

The traditional approach to cybersecurity, which assumes that assets and applications inside a network are trusted because they belong to the company, is no longer working. The number of publicly disclosed breaches in 2022 exceeded 4,100, making it clear that the old approach is no longer effective. The problem with the traditional approach is that it focuses on building a wall around the network. This doesn’t work since most employees work in hybrid environments where traditional controls cannot be applied. Today’s attackers are also using sophisticated techniques to bypass these walls and gain access to the network.

One of the critical benefits of Zero Trust is that it can be highly effective when applied correctly. However, there are some situations where it may not be the best approach. For example, with employees, Zero Trust can be counterproductive. Research from cybersecurity company Cerby found in their latest report, State of Employee Trust, that 60% of employees said applications being blocked negatively affected how they felt about their company. To gain employee trust, security and IT teams need to revisit many security tools used in most enterprises.

An overreliance on enforcement-based controls, such as blocking, banning, and denying employee use of employee-preferred applications, can erode employee trust. These measures can negatively impact employee satisfaction and productivity, as they impede their ability to do their job efficiently. Moreover, if employees feel their employer doesn’t trust them, it can negatively affect employee engagement and morale. An interesting finding from the Cerby report found that if empowered to choose the applications they use for work, 39% of employees said they would be willing to take a 20% cut in pay. This finding sheds light on what many employers fail to realize: applications are intimately tied to how people get their work done and their job satisfaction level.

One can use a combination of Zero Trust principles and enrollment-based controls to achieve the best of both worlds. Enrollment-based controls take a different approach and incentivize employees to make security-conscious decisions by providing them with tools and processes that help them work more efficiently and productively. With this approach, security and IT teams can create an environment with something in it for both the employee and employer.

The bottom line is clear for leaders who want to build high-performance organizations for shareholders and employees: Zero Trust is only for applications and data, not employees. Organizational leaders must take tangible steps to build trust daily if they want the highest quality products, continuous improvement, and innovation.

Matt Chiodi has over two decades of security leadership experience and is currently the Chief Trust Officer at Cerby. Prior to Cerby, he was the Chief Security Officer of Cloud at Palo Alto Networks. Chiodi is a frequent blogger, podcaster, and speaker at industry events such as RSA. He is also on faculty at IANS Research.

Merry Christmas and Happy New Year from all of us in the Cybersecurity Education Program!

This holiday season, we’ve partnered with the National Cybersecurity Alliance to let you know about a few online shopping trends and to give you some tips about how to stay safe online while buying gifts for everyone on your list.

Generally, experts seem to believe that the average American is going to spend less this year – though pandemic restrictions have largely lifted, we’ve entered a new season of economic uncertainty. This means every dollar is even more important, which is why we want to help you protect your hard-earned cash from the scammers and hackers that pop up every year. Here is what we think is cheerful and what we think is coal-worthy for shopping online this holiday season:

Cheerful

Keeping an eye on your bank statements
Your first line of defense against identity theft and fraud is to pay close attention to your financial records, like bank statements and credit card transactions. You can usually follow this data up-to-the-minute online. Flag any suspicious activity (like being charged for a purchase you didn’t make) and contact the institution immediately.
Knowing how much items should cost
When shopping online, have a general sense of how much the items you want to buy should cost. Not only will that make you a comparison shopping extraordinaire, but you can also get a sense if an online store has prices that are too good to be true. In these cases, you might pay less, but then you might get an item that doesn’t match the description, is a counterfeit, or you might pay and not get any item at all! A little bit of research can help protect you.
Making a cybersecurity list, checking it twice
1. Protect each account with a unique, complex password that is at least 12 characters long – and use a password manager!
2. Use multi-factor authentication (MFA) for any account that allows it.
3. Turn on automatic software updates, or install updates as soon as they are available.
4. Know how to identify phishing attempts and report phishing to your email provider or work.

Coal-worthy

Shopping on public wi-fi
Public wi-fi and computers are convenient, and sometimes necessary to use. However, public wi-fi is not very secure – you shouldn’t ever online shop or access important accounts (like banking) while connected to public wi-fi. If you must buy a few gifts online while away from your home or work network, use a VPN (virtual private network) or mobile hotspot.
Grinch Bots
Last year, a record number of so-called “Grinch Bots” were recorded. These are automated programs that quickly buy up popular toys, sneakers, or other items and then resell the item for a huge mark-up to real people. Of course, buying supposedly new items on a resale market opens you up to an increased risk of fraud and counterfeit goods. The best way to defang Grinch Bots is to refuse to buy from them, and to only buy items from vendors you can verify.
Sharing more than you feel comfortable with
While you need to share data to make a purchase online, you should be wary of any retailer that is requesting more information than you feel comfortable sharing. Oftentimes, you don’t need to fill out every field, and you shouldn’t if you don’t want to. If an online store requires you to share more information than you want, find another retailer on the internet – or in real life!

And here’s a handy infographic that summarizes it all. Have a safe and happy holiday season!

This post was written by Xavier Zepiora, Junior cybersecurity major at Messiah University.

I recently read an article detailing how cloud attacks are becoming more common these days, and that these attacks are a result of misconfigured cloud settings. A team from Cado Security studied three different cloud attacks that have been impacting businesses. In this post, I’ll share a brief synopsis of each attack and how they confirm a need for more education regarding cloud security.

The first piece of malware the team came across is called DoH because it uses DNS queries over HTTPS. This attack is happening on serverless environments provided by AWS. Sending DNS queries over HTTPS means that they are encrypted and can’t be viewed by AWS security services. The malware also sends thousands of HTTPS string requests, so that EDR services do not detect it. This attack is primarily used for cryptomining but could be used in other ways as it uses command and control methods to operate.

The second piece of malware primarily targets cloud providers in Asia and blends into their UNIX-based systems. The malware uses timestamp manipulation to hide from detection. It has primarily been used for cryptojacking which is when someone else’s resources are used to mine cryptocurrency for the attackers.

The third is a group known as Watchdog which has been in operation since 2019. They have been performing cryptojacking attacks and find vulnerable cloud services through mass scans. They are also known for using steganography for avoiding detection.

These attacks are all only being used for crypto development right now but there is nothing stopping attackers from using the same methods to run other kinds of attacks on cloud systems. This shows the need for cyber security professionals to understand cloud security better, as well as IT professionals working at small companies that outsource to the cloud. If all three of the leading attack frameworks right now are a result of poor configuration, it means we need more cloud education.

This post was written by Senior Cybersecurity major, Ryan Donat.

I was recently invited, along with Dr. David Bibighaus, to present a series of workshops at CV YOU day, an event created and hosted by Cumberland Valley High School. The day is designed for high school students to explore various careers, hobbies, wellness strategies, and more. Thirty-minute workshops take place throughout the day for students to attend in order to find out more about their fields of interest, along with a College and Career Fair.

Dr. Bibighaus and I presented six workshop sessions on Cybersecurity as an industry as well as what it looks like in the educational setting at Messiah. Dr. Bibighaus discussed his extensive career in the field. He shared that he started out being an engineer and hated it, but then later discovered what his interests were as his career developed. He told some interesting stories from his journey, such as being part of the first team catching hackers for the Air Force, and how he led military red cell scenarios. He advised students to pursue what they are interested in, but to start with a broad education so that they can specialize later as their interests develop.

I then shared my route to majoring in cybersecurity, then explained my coursework and studies by showing an ethical hacking demonstration. Next, I taught on the Confidentiality, Integrity, and Availability triad by asking students questions about how they would disrupt a company with infinite access to a company’s computers and networks. I finished up by explaining what I would tell my 18-year-old self if I had the chance.

We finished each presentation by giving time for questions, where the students asked a lot of thought-provoking questions. It was a great event and we enjoyed our time with everyone. Special thanks to all the students, as well as to teachers Keith Ensminger, Robert Newara, and Jay Yohe. And thank you for having us, Cumberland Valley High School!

The Messiah University Cyber Center welcomed 40 attendees to a Lunch and Learn on November 30. The event gathered cybersecurity industry experts, local businesses, and Messiah cybersecurity students and faculty for a shared meal and a time of connection, along with a lively panel discussion on cyber-related topics. Guest panelists included Matthew Chiodi of Cerby, Christina Martin of Highmark Health, Nate Shea of SecureStrux, and Devin Chwastyk of McNees Wallace & Nurick. The event concluded with a special tour of the Cyber Center SOC, provided by SOC interns and Messiah’s Director of Information Security .

Special thanks to all in attendance for making this event a successful time of networking and learning from one another. The industry leaders in attendance brought encouragement and expert advice regarding careers in the cybersecurity field. Students came away excited about the possibilities for their future.

The Cybersecurity Education Program is planning another Lunch and Learn in the spring of 2023.

Dr. Scott Weaver, Associate Professor of Computer Science at Messiah, presented at the 5th annual International Conference of Education, Research and Innovation (iCERi 2022) in Seville, Spain on November 7-10, 2022. The title of his presentation was “Introducing Project-Based Learning and Real-World Methodologies and Tools Earlier in the Software Development Curriculum”.

Abstract: Software development requires the ability to solve problems, an understanding of how to apply development methodologies within a context, and the ability to select and utilize the tools of the trade. Therefore, graduates entering the software development profession are expected to have a portfolio of development practices and tool experience. Project-Based Learning (PBL) is often used in capstone courses where students focus their attention on a project designed to provide a cumulative experience solving a real-world problem. A critical element of the capstone experience is applying industry standards for software development and utilizing industry tools to execute their project. Preparing students to use industry standards and tools earlier in the curriculum prepares them to focus their learning in the capstone course on fine tuning their skills and delivering a high-quality product versus learning the mechanics of using industry methodologies and tools. The study analyzes student cohorts over six years, tracing their course work through select core curriculum, and the impact of early introduction to Project-Based-Learning on their later course work and overall educational experience. Our results demonstrate that earlier introduction of project-based learning with industry tools have led to improved academic performance in upper-level courses, more sophisticated capstone projects and increased perceptions of professional preparedness.

Bio: Before coming to Messiah University, Dr. Weaver spent seven years in the computer industry as a program analyst and consulting, and nine years teaching mathematics and computer science at Mechanicsburg Area High School. He was pivotal in developing the Cybersecurity Education Program at Messiah, and currently teaches Data Communications & Networking, and Web Development: Client Side.

.

The Cybersecurity Education Program and the Department of Computing, Mathematics, and Physics welcome our newest faculty member, Dr. David Bibighaus, as Assistant Professor of Cybersecurity and Computer Science. Prior to joining the department, Dr. Bibighaus served as Senior Lead Engineer at Booz Allen Hamilton, advising the Air and Space Forces on ways to improve the cyber security of their operational systems.

Dr. Bibighaus grew up in upstate New York and completed his bachelor’s degree in electrical engineering from the United States Air Force Academy. He served in the Air Force for twenty-one years as a computer systems developmental engineer. Some of his notable assignments in the Air Force include serving as a Systems Engineer with the Military Satellite Communications division in Los Angeles, as a Crew Commander with the 33rd Information Operations Squadron in San Antonio Texas, as the head of the Cyber Defense Branch of the Air Force Research Laboratory in Rome New York, as an Electronic Warfare Officer with Task Force Paladin in Afghanistan, and as the Deputy Head of the Computer Science Department of the United States Air Force Academy.

Dr. Bibighaus joined the faculty of Messiah in 2022. He is currently teaching Computer Programming I, Information Systems and Managers, and Network Security. Dr. Bibighaus is interested in mentoring young people and creating sustainable engineering solutions for the developing world. He enjoys spending time with his wife and three daughters, wood working, role playing games, and traveling.

Messiah’s WiCyS (Women in Cybersecurity) student chapter started an exciting new tradition in October! Operating through Messiah’s Computer Science Club, the group held the University’s first CTF event. CTF’s, or Capture-The-Flag events, are cybersecurity competitions that develop participants’ hacking and problem-solving skills. The challenges involve finding a random string of characters, referred to as the flag, hidden inside a computer system. For this event, the competition involved cryptography, breaking password hashes, using basic Kali Linux tools, and more. The event took place in Messiah’s new, state of the art Cyber Center, and the WiCyS club partnered with the Games Club to provide food, a fun atmosphere, and a great community. They hope to continue these events each semester as the club grows.