Career Orientation and Interactives, VR & Cybersecurity, Phishing, and Cyber Opportunities

Topics Covered

  • Guest Speaker: Mike Qaissaunee
  • Cyber Bytes: Cybersecurity Opening Doors for VR
  • Technology Corner: Phishing
  • Cyber Opportunities: Cyber Opportunities Recap

Aired: April 27, 2021

About this Show

Guest Speaker:

Mike Qaissaunee

Professor Mike Qaissaunee is Chair of the Engineering and Technology Department and Director of Brookdale’s Cyber Center at Brookdale Community College. At Brookdale Community College, Mike has written and been awarded multiple National Science Foundation (NSF) grants and Department of Education (DoE) grants including:

  • Collaborative Research: Community College Accelerated CyberCorps® Pilot Program (NSF),
  • Building a Virtual Lab Environment to Provide Cybersecurity Students with Improved Hands-on Skills (DoE/FIPSE),
  • Building Capacity for Interactive Teaching and Learning (NSF),
  • Building a Pipeline of Cyber Warriors Through Education and Competition Offered Through Community Colleges (NSF),
  • E-books and Mobile Apps for Technician Education (NSF), and
  • Mid-Atlantic Institute for Telecommunications Technologies (NSF).

You can read more about Professor Qaissaunee here!

Professor Qaissaunee has also created interactives. These interactives help teach students and develop their skills in cybersecurity and networking. You can view them here!


Cyber Bytes: Cybersecurity Opening Doors for VR

Technology continues to advance, and the latest technology to be released is virtual and augmented reality. VR and AR let users feel as if they have fully stepped into a virtual world, without the distance that is felt when using phones, tablets, or computers. First, it is important to define the difference between VR and AR, since these terms are easily confused.

Virtual reality is where everything in the world around you has been digitally constructed to make a new world. An example of VR in the media can be seen in Steven Spielberg's movie Ready Player One, where all of the players step into a new, virtually made world. Augmented reality is where digitally created items can be seen through a device, but those items are placed within our world. An example of this can be seen in the game Pokémon GO, where Pokémon pop up in locations around the world that already exist.

Since VR and AR are new, developing technologies, it is important to remember that they carry the same security risks as every other piece of technology. A potential risk with VR headsets is that they block the vision of the person using the device, which creates a risk of injury since the person cannot see their surroundings. How is this creating opportunities for cybersecurity? So far there is no standard for encrypting the data that this technology collects. Mics and cameras within the headsets are able to record conversations as well as what a person is viewing. Data passing between the headset and a connected computer or server can also be collected. Currently these systems use third-party encryption services that do not offer the most protection. Because these systems are new, no laws yet require them to be protected, so it is up to users to make sure they protect their own data while using these devices.

Companies and users need to be prepared for DDoS attacks and should have access to the logs of their VR and AR technologies to respond to any attacks. To keep these devices safe, people should secure the connection between the device and the server, encrypt all connections to and from the device, and force authentication for the device and for communication with the main server. Users should also access the device often to check for anything abnormal happening with the system. VR and AR are the new, exciting pieces of technology, and it is easy to forget about a user's safety when caught up in the excitement. Taking the time to properly secure these devices will ensure that users can continue to have fun with them without having to worry about the risk of an attack.

Technology Corner – Phishing

Follow along with this lab to understand more about phishing. Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication.

Vishing is a type of phishing attack that relies on placing a phone call rather than sending an email. Vishing attacks have taken on various forms, but their goal is the same as most other phishing attacks: to acquire login credentials to be used to steal money. To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone, and use caller ID.

Smishing leverages malicious text messages to trick users into clicking on a malicious link or sharing personal information. Like vishers, smishers pose as various entities to get what they want. Users can help defend against smishing attacks by researching unknown phone numbers thoroughly and by calling the company named in the messages if they have any doubts.

Phishers use a whaling attack to try to harpoon an executive and steal their login credentials. Successful attacks can result in phishers engaging in CEO fraud. Phishers may also leverage that same email account to request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.

Angler phishing is the practice of masquerading as a customer service account on social media, hoping to reach a disgruntled consumer and lure them into handing over access to their personal data or account credentials. To protect against angler phishing attacks, organizations should identify their social media accounts, ensure they have strong passwords that are regularly changed, use verified accounts, and continually monitor for fraudulent accounts.

In spear phishing, phishers customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they know the sender. The goal is to trick the victim into clicking on a malicious URL or email attachment so that they will hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear-phishing is commonplace on social media sites where attackers can use multiple data sources to craft a targeted attack email.

To protect against spear phishing, organizations should conduct ongoing employee security awareness training that discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that analyze inbound emails for known malicious links/email attachments.
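The kind of inbound-email analysis described above can be sketched as follows. This is an added example, not code from the show: it checks links and attachments against constructed indicator lists and, going slightly beyond the text, also flags links whose visible text names a different host than the real target. The domain, hash and sample message are all constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

BAD_DOMAINS = {"payroll-update.invalid"}  # constructed; load real ones from a threat feed
BAD_SHA256 = {hashlib.sha256(b"constructed bad attachment").hexdigest()}

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data if self.href is not None else ""
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(url):
    try:
        return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    except ValueError:  # malformed netloc, e.g. an unclosed "["
        return ""

def scan(raw):  # raw message bytes -> list of (finding, detail) tuples
    out = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_attachment():
            # get_payload() is None for nested messages, so hash empty bytes then
            if hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest() in BAD_SHA256:
                out.append(("known-bad attachment", part.get_filename()))
        elif part.get_content_type() == "text/html":
            parser = Links()
            parser.feed(part.get_content())
            for href, text in parser.found:
                h = host(href)
                if any(h == d or h.endswith("." + d) for d in BAD_DOMAINS):
                    out.append(("known-bad link", h))
                if "." in text and " " not in text and host(text) != h:
                    out.append(("link text mismatch", text))
    return out

_m = EmailMessage()  # constructed message, used only to exercise scan()
_m.set_content('<a href="http://portal.payroll-update.invalid/x">hr.example.com</a>', subtype="html")
_m.add_attachment(b"constructed bad attachment", maintype="application", subtype="pdf", filename="w2.pdf")
SAMPLE = _m.as_bytes()
```

Calling `scan(SAMPLE)` reports the blocklisted link, the disguised link text and the blocklisted attachment; a message whose links point where their text says returns an empty list.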

As users become wiser to traditional phishing scams, phishers are resorting to pharming. This method of phishing poisons the cache of the domain name system (DNS), which is known as a DNS cache poisoning attack. The pharmer targets a DNS server and changes the IP address associated with a website name, thereby allowing an attacker to redirect users to a spoofed malicious website of their choice, even if the victim enters the correct site name.

To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites. Companies should also implement anti-virus software on all corporate devices and update it on a regular basis.

Cyber Opportunities

Here is a quick recap of the opportunities we’ve talked about in the past few shows as a reminder for upcoming deadlines.

CyberStart America

First off would be the scholarships that Anusha talked about two weeks ago. You can compete for them in CyberStart America. The prizes that are available in the National Cyber Scholarship competition are 2 million dollars of college scholarships, access to a training course which is worth 3,000 dollars, and recognition badges that you can use when applying for colleges and jobs. You can register for notifications about the scholarship here:

Link: https://www.cyberstartamerica.org/#competition

US Cyber Challenge

The next opportunity is the US Cyber Challenge, which is a camp held only for participants in their quest competition. The camp is from June 7th to June 11th on the east coast, and July 12th to July 16th on the west coast. To participate in the camps, you have to compete in the qualifying Cyber Quests. The link, once again, will be posted on the website after the show.

Link: https://www.uscyberchallenge.org

US Cyber Patriot AFA CyberCamps

And one more thing: the AFA CyberCamps! The final day to have a host register and set up a camp near you is May 1, so you have four more days. Once again, the AFA CyberCamps are cyber camps hosted by CyberPatriot each summer. They’re virtual this year and have two levels: beginner and advanced. The beginner camp’s curriculum encompasses cyber opportunities and careers, and will also have an introduction to Linux and Windows operating systems. For advanced camp, the OS curriculum is more comprehensive, and you’ll be introduced to Cisco as well. Whether it’s a program at your school or a teacher, you have until May 1 to find a host near you. 

Link: https://www.uscyberpatriot.org
