Cybersecurity Blog

This post is written by Dr. David Bibighaus, Assistant Professor of Cybersecurity and Computer Science at Messiah University.

In many respects, cyber in 2022 has been the year of the dog not barking.  The war in Ukraine has been the most significant story of 2022.  Given Russia previously demonstrated capabilities in cyber and its willingness to use those capabilities, the lack of major cyber events tied to the Ukraine war has been puzzling.  To help think through this issue, we will briefly discuss three questions whose answers could have major implications for the future of Cyber defense.

1. Why has Putin not launched significant cyber-attacks on Ukraine?

There are several possible answers.  The first is that the cyber forces were not included in the operational planning.  Under this hypothesis, cyber-attacks are most effective in the run-up and initial stages of the war.  If the cyber forces were not included in the initial operational planning, there may not have been a good time to insert cyber-attacks when they would be most impactful.  There is some evidence to this hypothesis.  It seems that planning for this “Special Military Operation” was kept to an absolute minimum.  Even most of the front-line Russian soldiers had no idea that they would be fighting until they crossed into Ukraine.

A second possible answer is that the Russians may have inadvertently undermined the effectiveness of their cyber-weapons in Ukraine.  Andy Greenberg, in his book Sandworm, has done an excellent job documenting the Russian development of cyber weapons against critical infrastructure.  Russia has spent the last six years using Ukraine as a trial run for these capabilities.  However, as Russia has tested these weapons on Ukraine, the Ukrainians have had to learn how to operate their critical systems in the face of a cyber-attack.  It is possible that when Russia unleased its Industroyer malware on the Ukrainian power grid in 2016, it unintentionally hardened that system so that future versions of that malware would be less effective.

A final possibility is that Russia’s cyber-forces were needed elsewhere.  Russian military doctrine makes no distinction between influence operations and cyber operations.  One of the stunning outcomes of the invasion was the spontaneous response by hundreds of multi-national corporations.  Suddenly McDonalds and Visa had a foreign policy that impacted the lives of virtually every Russian citizen.  Under this hypothesis, Russian forces that may have been used to conduct cyber-attacks could have been redirected to perform influence operations at home and abroad.   

2. Will Russia give up on cyber?

Many of the best and brightest young people in Russia with technical skills served in Russia cyber forces. For the men, it is a valid way to fulfill their military obligation without the unpleasantries that can accompany military life (women are not required to serve in the Russian Armed Forces). This loophole has impacted the cyber landscape by training more Russian hackers than would normally be expected for a country of its size. But can this continue? The war has revealed a desperate Russian need for military manpower; and especially intelligent and capable young people who can serve as junior officers.

Unless the tide of the war shifts dramatically in Putin’s favor, Russia may decide to dramatically reduce the number of those serving in the cyber forces. If so, it will have major implications for the future of cyber defense, as a significant pool of talented, well-trained nefarious actors could suddenly dry up.

3. Will Putin Use Cyber-Weapons on the West?

As of this writing, the War in Ukraine continues to go against Russia, to the point where the use of tactical nuclear weapons is being actively discussed. Might Russia elect to use a cyber weapon against the West before it elects to use such a weapon? Russia could use the sabotage of the Nord Stream pipeline as a justification to unleash a cyber-attack on the West’s critical infrastructure. But this course of action would present significant risks. A cyber-attack could cause short-term economic damage to the West. However, it is unlikely to have long-term impact on the Ukrainian battlefield other than hardening western resolve and possibly resulting in the West providing more material aid against Russia. 

No matter what happens, this war will be studied by nation-states for decades to come as a case study for when and when not to use cyber-weapons. How Russia chooses to answer the three questions posed here will impact the cyber landscape for a least a generation.

Image by Philipp Katzenberger, via unsplash.com

Dr. David Bibighaus grew up in upstate New York and completed his bachelor’s degree in electrical engineering from the United States Air Force Academy. He served in the Air Force for twenty-one years as a computer systems developmental engineer. Some of his notable assignments in the Air Force include serving as a Systems Engineer with the Military Satellite Communications division in Los Angeles, as a Crew Commander with the 33rd Information Operations Squadron in San Antonio Texas, as the head of the Cyber Defense Branch of the Air Force Research Laboratory in Rome New York, as an Electronic Warfare Officer with Task Force Paladin in Afghanistan, and as the Deputy Head of the Computer Science Department of the United States Air Force Academy. Dr. Bibighaus worked for Booz Allen Hamilton as a Senior Lead Engineer advising the Air and Space Forces on ways to improve the cyber security of their operational systems. Dr. Bibighaus joined the faculty of Messiah in 2022. He is interested mentoring young people and creating sustainable engineering solutions for the developing world. He enjoys spending time with his wife and three daughters, wood working, role playing games, and traveling.

Did you know that cyber criminals, aka the “bad guys”, have more than 15 billion compromised passwords[1] to choose from when trying to break into your system?  And where, you may ask, do these compromised passwords come from? 

One infamous password collection—dubbed “RockYou2021”—is thought to be a compendium of passwords cobbled together from data breaches[2].   It is estimated that this list is comprised of over 8 billion legitimate passwords collected from a series of data breaches that included username/password combinations. 

Given the size and scope of the leak, anyone who does anything online should check if their passwords were compromised. To check whether your password is safe, there are several free and easy options you can use. They include:

• HaveIBeenPwend
• F-Secure’s Identity Theft Checker
• CyberNews’ personal data leak checker and leaked password checker
• Avast’s Hack Check 

Since the databases that each of these resources uses are likely not identical, it would be smart to check as many as possible just to cover all your bases.

So, before you grumble about having to use some form of multi-factor authentication (MFA) you may want to make sure your current password hasn’t been hacked.

And for those of you who don’t know what MFA is, here is a quick overview.  As the name implies, MFA blends at least two separate factors. One is typically your username and password, which is something you know. The other could be:

• Something you have. A cellphone, keycard, or USB could all verify your identity.  Often it is an app on your phone that provides a one-time password, otherwise known as an OTP.
• Something you are. Fingerprints, iris scans, or some other biometric data prove that you are who you say you are.

MFA is a great “hacker turnoff”. So, even though it means that it might take a second longer to sign in, remember your hacked password and thank your IT Security director for that added little bit of protection MFA provides.

---

[1] https://www.okta.com/identity-101/why-mfa-is-everywhere/

[2] https://www.consumeraffairs.com/news/new-84-billion-password-hack-breaks-records-060821.html

Post written by Vinny Sakore, Director of Cybersecurity Education at Messiah University. Vinny spent 20+ years in the information technology and cybersecurity field. His industry experience includes serving as Verizon’s HIPAA Security Officer and stints as Chief Technology Officer for two healthcare technology companies. He continues to remain active in the industry by providing consulting services to a number of organizations including NetDiligence, Inc. (www.netdiligence.com).

Photo credit: George Prentzas via unsplash.com

This is the final post for Cybersecurity Awareness Month from Messiah University’s Information Security Director, Allen Snook. We appreciate him and the Cybersecurity interns lending their expertise this month for the #seeyourselfincyber campaign, giving us tips and resources for safeguarding our information online.

Internet scams are nothing new. Since the 1980’s, hackers have been attempting to gain illegal access to networks and systems in order to obtain sensitive information. They are after your identity, the contents of your email, and your financial data (they don’t need to know how much is in your bank account to want to gain access to it). Phishing emails are one way they attempt to steal this information from you.

If you’ve been following our other blog posts for Cybersecurity Awareness Month, you might recall some of the tips we’ve given for keeping your personal information safe, such as developing strong passwords, updating your apps, and avoiding oversharing on social media. In this post, we wanted to share further measures for safeguarding your information in order to thwart malicious hackers.

1. Think before you click. More than 90% of successful cyber-attacks start with a phishing email. If you receive an email from a person or a company you are not familiar with, do not click any of the links or attachments (no matter what they’re promising in their message). Pay close attention to the details and verify the sources before you click on anything.
2. Create and use strong passwords. See our previous post on this.
3. Try not to connect to public Wi-Fi networks. Although they are convenient, they are often vulnerable to cyber criminals.
4. Secure your devices. Be sure to update security software, operating system software, internet browsers and apps. You could also install an antivirus software to help combat viruses, malware, etc. 
5. Back up your data. Make extra copies of your files so that if something happens to one of the files, you still have your backups. One way to do this is by saving information in the cloud or to an external storage device. 

All of this is to say: Be proactive. You can ensure that you and your organization are a secure place online by taking the initiative to safeguard your information. We hope these tips equip you to do that.

#seeyourselfincyber #messiahcyber

Image by Mikhail Fesenko, via Unsplash.com

Passwords are one of the first lines of defense in keeping your information safe online. When it comes to password protection, think in terms of layers. In this post, we want to outline some ways you can double, even triple, your login protection.

When creating a password, try merging three uncommonly used words (example: staple, sentinel, orangutang). Then, add numbers to your newly merged word. Per NCCIC guidance, we suggest a total of 16-30 characters. Avoid using personal data when creating your password. Doing so will give hackers too much information should your password ever show up in a security breach.

You can add another layer of protection to your passwords by not re-using them. Having different passwords for various accounts can help prevent cyber criminals from gaining access, thereby protecting more of your information in the event of a breach.

We recommend that you do not share your passwords with anyone. Every time you share a password it opens more ways with which it could be misused or stolen.

A few more important layers of protection we recommend implementing are:

• Using multi-factor authentication whenever provided.
• Using fake, non-personal answers to security-questions.
• Managing your passwords by saving them in a list that is not on a cloud or in your google-drive. This allows you to make more diverse, creative passwords.

Creating passwords with these tips in mind is an easy way to improve your cybersecurity. This multi-layered approach to password protection allows you to put cybersecurity first across all your devices.

#seeyourselfincyber #messiahcyber

Post written by Allen Snook, Director of Information Security at Messiah University, and Cybersecurity interns.

Photo Credit: Christina @ wocintechchat.com via unsplash.com

The goal of this year’s “See Yourself in Cyber” campaign is to raise awareness about how each one of us is responsible for our own behavior online.

Today, we wanted to resource you with a few ways to stay safe on social media, since it is such a huge part of our lives. Here are some tips we’ve gathered from CISA, along with a few additions of our own:

• Use discretion when you post on social media. Once your words, hashtags, and photos are on the Internet, they’ll be there forever.
• Limit the information you share online. Do not share personal information (birth dates, anniversaries, neighborhood or street names, etc.).
• Turn your location notifications off.
• If you want to share a picture that has someone else in it, ask for their permission first.
• Connect only with people and networks you know.

These suggestions may seem either too simple (“If I do these things, will it actually help?”) or too complicated (“I don’t have time to think about this”). However, the reality is that when it comes to your cyber presence, you play the main role in securing your personally identifiable information (PII).

In the end, the security you place around your devices is only as strong as you. Our hope is that by providing easy-to-use tools and tips like the ones above, we will all see the value in tightening our security at home and at work.

Stay tuned for more tips and resources all month long. For more information about undergraduate degree in Cybersecurity, get in touch with us!

#seeyourselfincyber #messiahcyber

Photo Credit: dole777 via Unsplash.com