Sunday, January 19, 2020

BLOG POST 5 – Protecting DNS Queries



One of the latest trends in network security and ensuring integrity of transmissions is DNS over HTTPS, or DOH for short.  The DNS (Domain Name Service) translates IP addresses into human-readable website addresses which is easier to use when browsing the internet. 

Since being instituted 35 years ago, DNS has largely been unprotected.  DNS is subject to two significant areas of risk: tracking and spoofing (Clark, 2018).  With spoofing, someone in the path of the system making the query (i.e., entering a URL such as www.bellevue.edu or google.com) has the ability to change the response.  This is typically known as DNS spoofing, or redirecting an IP address to a different (false) website.  This depends on the resolver being used, which isn’t something most people know how to control.  While it is an option, most people use what the network provides for them.  Since the transmission to the DNS server is unencrypted, someone watching the network traffic could learn the sites the user is requesting and track their activity.  This gets into user privacy, since many organizations will pay top dollar for this kind of internet activity data.  A third vulnerability is that DNS servers themselves could be tracking user activity, and that data could be sold on the open market by Internet Service Providers (ISPs).

DNS over HTTPS allows DNS queries to be encrypted in transit as they pass through multiple nodes on the way to the DNS server.  Think of it as a VPN from the host system to the destination (the DNS server).  This limits the ISP’s ability to track website requests and sell them.  It prevents attackers from spoofing domains (malicious websites masquerading as legitimate ones) and ensures that a trusted resolver is performing the DNS translation.  In the case of Firefox, Mozilla has selected Cloudflare as its trusted resolver.  Thus, the browser someone uses needs to be capable of DNS over HTTPS, which Mozilla Firefox and Chrome currently are.

DoH isn’t without controversy.  Internet Service Provider (ISP) Comcast is lobbying the government to restrict DoH so that Google and Mozilla don’t monopolize and centralize all DNS on one of their resolvers rather than one of the ISPs’ (Hoffman, 2019).  A paper from the SANS Institute indicates DoH can weaken the cybersecurity posture of an organization, as it limits the network defense team’s ability to analyze DNS requests, and says, “the unmitigated usage of encrypted DNS, particularly DNS over HTTPS, could allow attackers and insiders to bypass organizational controls” (Hjelm, 2019).

DoH also bypasses DNS-based blacklists put in place by security organizations and network teams.  This type of encryption is also getting a bad name from federal security organizations (FBI, etc.) who are unable to sniff traffic from suspected criminals, which will lead to the same issues they’re having now with decrypting cell phones and vendors who refuse to comply (with good reason).  The president recently signed legislation repealing ISP privacy rules which restricted ISPs from tracking internet activity (https://threatpost.com/trump-signs-repeal-of-isp-privacy-rules/124767/).  This appears to be another win for big-business lobbyists who make money from user and location data as well as network traffic, and then sell it to third-party data aggregators and marketers.  Yet another reason to encrypt DNS queries as well as use a trusted VPN for all internet activity.

Whether DoH is adopted or not, unencrypted DNS requests have been one of the largest unmitigated vulnerabilities on the internet for decades.  Researchers and vendors are also experimenting with DNS over TLS, or DoT (https://www.infoblox.com/glossary/dns-over-tls-dot/), and other ways of protecting DNS queries.  There are two different operating modes for DoT, Strict Mode and Opportunistic Privacy Mode (Saez, 2019).  Strict mode creates a secure TLS connection in which the client authenticates the resolver using PKIX certificates based on its domain name.  If authentication fails, the server will respond with an error.  Opportunistic privacy mode will fall back to UDP port 53 or TCP port 53 if the initial authentication fails.  Strict mode is safer because it stops after a failed authentication, but this may block legitimate traffic to resolvers which do not have traditional authentication methods (Kerberos, or another key-based authentication server).
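To make the “encrypted in transit” point concrete, here is an added Python example (not from the original post, Mozilla or Cloudflare) that builds the wire-format DNS query a client would send, encodes it into the RFC 8484 DoH GET request, and parses a constructed answer.  The Cloudflare endpoint URL is an assumption, and the response bytes are constructed for the demo rather than captured.

```python
# Added example: RFC 8484 (DNS over HTTPS) GET encoding plus wire-format parsing.
# Not from the original post; endpoint URL is an assumption (Cloudflare's public
# DoH resolver, which the post names as Firefox's trusted resolver).
from __future__ import annotations

import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumption, see above
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.bellevue.edu' as DNS labels (length byte + label), NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query.  RFC 8484 recommends ID 0 so that identical queries
    produce identical URLs that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: ?dns=<base64url of the query, '=' padding removed> (RFC 8484 s.4.1).
    The name travels only inside this URL, which TLS encrypts, so an on-path
    observer sees an HTTPS connection to the resolver, not the name asked for."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # hard bound so a pointer loop cannot hang the parser
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 s.4.1.4
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Return rcode, the question name, and any A answers as (name, ttl, ip)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0xF, "question": qname, "answers": answers}


# Constructed sample response (not a real capture): one A record, TTL 300,
# pointing at 192.0.2.10 (an address block reserved for documentation).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    + encode_name("www.bellevue.edu") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c"  # answer name: pointer to the question name at offset 12
    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    query = build_query("www.bellevue.edu")
    # Sent over UDP/53 these same bytes are readable by anyone on the path:
    print("plain DNS exposes:", parse_message(query)["question"])
    print("DoH GET URL (name hidden inside TLS):", doh_get_url("www.bellevue.edu"))
    print("parsed answer:", parse_message(SAMPLE_RESPONSE))
```

Running `parse_message` on the raw query shows exactly what a passive observer learns from classic UDP/53 traffic; the same query wrapped in the DoH URL is only visible to the resolver on the other end of the TLS session.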

As with all other conversations about encryption, there needs to be a careful balance between security and privacy and how much government oversight is ethical for their own citizens. 


Resources:
Clark, L., (May 2018), A Cartoon Intro to DNS over HTTPS.  Mozilla.org.  Retrieved on January 19, 2020 from https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
Hjelm, D., (September 2019), A New Needle and Haystack: Detecting DNS over HTTPS Usage.  SANS Reading Room.   Retrieved on January 19, 2020 from https://www.sans.org/reading-room/whitepapers/dns/paper/39160
Hoffman, C., (November 2018), How DNS Over HTTPS (DoH) Will Boost Privacy Online.  How-to-Geek.  Retrieved on January 19, 2020 from https://www.howtogeek.com/448629/how-dns-over-https-doh-will-boost-privacy-online/
Saez, I., (July 2019), Protect your DNS requests with DNS over TLS.  Incibe-cert.  Retrieved on January 19, 2020 from https://www.incibe-cert.es/en/blog/protect-your-dns-requests-dns-over-tls

Monday, January 13, 2020

CYBR 650 - Blog 4 - NIST SP 800-137A DRAFT Released


BLOG 3 – NIST 800-137A DRAFT – Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

The most significant change from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF) is the ability to have the system continually authorized after successfully implementing the Information System Continuous Monitoring (ISCM) strategy.  After being approved in RMF Step 2, the ISCM describes how the system owner intends to continuously implement, monitor and test the security controls approved by the authorizing official (AO).  Successfully demonstrating this should allow for continuous authorization of the system, with the expectation that all security-relevant changes have been addressed and a current snapshot of the system is always available to auditors for testing and evaluation.
The National Institute of Standards and Technology (NIST) has created Special Publication 800-137A to help meet Federal Information Security Modernization Act of 2014 (FISMA) standards by describing an approach for ISCM evaluations that ensures compliance with the intentions of the approved strategy.  This publication should not be confused with NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, which details how organizations should develop an ISCM strategy.  800-137A, by contrast, details how the assessment of the ISCM should be done to deliver “organizational leadership with information on the effectiveness and completeness of the organization's ISCM program, to include review of ISCM strategies, policies, procedures, operations, and analysis of continuous monitoring data” (NIST, 2020).
From a high level, the NIST SP 800-137A performs five unique functions:
1. Offers guidance on the development of an ISCM program assessment process for all organizational risk management levels as defined in NIST SP 800-39, Managing Risk from Information Systems: An Organizational Perspective.
2. Describes how an ISCM program assessment relates to important security concepts and processes, such as the NIST Risk Management Framework (RMF), organization-wide risk management levels, organizational governance, metrics applicable to ISCM, and ongoing authorization.
3. Describes the properties of an effective ISCM program assessment.
4. Presents a set of ISCM program assessment criteria, with references to the sources from which the criteria are derived, that can be adopted by an organization and used for ISCM program assessments or as a starting point for further development of the organization’s assessment criteria.
5. Defines a way to conduct ISCM program assessments by using assessment procedures, defined in the companion document containing the ISCM Program Assessment Element Catalog, designed to produce a repeatable assessment process.
(NIST, 2020)

The assessment of the ISCM helps determine the maturity, effectiveness and consequently the health of the cybersecurity program.  This publication outlines a six-step process for successful implementation of an ISCM strategy:
1. Define ISCM Strategy
2. Establish ISCM Program
3. Implement ISCM Program
4. Analyze ISCM Data and Report Findings
5. Respond to ISCM Findings
6. Review and Update ISCM Program and Strategy
(NIST, 2020)

The assessment process outlined in this document attempts to rate the overall implementation of these steps to determine whether there is residual organizational risk not being addressed by the security controls reviewed during the ISCM implementation.
Based on the criteria specified above, this publication then uses a variety of sources to evaluate the program’s ISCM strategy.  These sources include publications from NIST, OMB Circulars, FISMA 2014, Executive Directives and even “Practitioner experience based on collective professional experience in ISCM, security engineering, network security, systems engineering and information technology” (NIST, 2020).
The publication finishes by helping the reader work through subjective evaluation topics such as Judgement Values, Evaluation Criteria, Assessment Elements, Evidence Gathering and Analysis, and even when to determine that a judgement is Not Applicable.  The document concludes with instruction on Reporting of Assessment Results to convey residual operational program risk and how the assessment was performed.  This is directed to program management, with the expectation that the main audience would be the information security personnel.
This document provides great value to the information security leadership and authorizing official to help baseline expectations in how ISCMs should be implemented at various organizational and system levels.  While very detailed, it does a great job of detailing a structured approach to evaluating an ISCM with both objective benchmarks and subjective input to provide the organization a realistic picture of the effectiveness of their ISCM strategy.

References:

Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment, (January 2020), National Institute of Standards and Technology.  Retrieved on January 13, 2020 from https://csrc.nist.gov/publications/detail/sp/800-137a/draft

Saturday, December 21, 2019

CYBR 650 - Blog Post 3 - Blogs vs. Scholarly Publications for Cybersecurity


Even ten years ago the majority of post-high school education was done in person at brick & mortar universities across the country. If someone wanted to major in something as specific as computer security and auditing, they would most likely need to be co-located with that university to participate in the education it provided.

The Internet changed things.

One report by Babson Survey Research Group indicates that 31.6% of all students now take at least one distance learning (i.e., online) course as part of their education (Babson, n.d.).  This same report indicates that between 2012 and 2016 the number of students studying on campus dropped by over a million students, or 6.4%.  Because of this reliance on distance learning, the reliance on physical books and publications used for resources has also dropped.  The use of online resources such as websites, blogs and digitized books has not only expanded, but is now becoming acceptable reference material for white papers, research reports and dissertations.

I can attest from personal experience that old school professors did not accept online content as acceptable resources and required all references to be physical books, scholarly articles and empirical research.  (I got an F on a paper in 1995 where I referenced a discussion I had with a fellow student in Australia regarding recreation activities in that country when no other resources were available in my library). 

My term paper for CYBR545 on Business Email Compromise had 16 references in the final paper, 14 of which were from the current year (2019).  Because this was a newly-identified threat, no printed material was available on the topic.  But resources from the FBI, DHS and other reputable information sources provided valuable, near-real time details on this emerging threat. 

It could be argued that the curriculum for technology degrees (such as cybersecurity) is evolving faster than books can be printed.  Many of the books we use are from before 2015, which was when I ventured into cybersecurity as a career, and much has changed since then.  Bellevue professors have been very accepting of online content as acceptable references, and are not enforcing printed books and scholarly articles.  I would argue that technology websites, blogs, vendor websites and technical forums provide credible information pertinent to an advanced degree that should be considered an official resource.  While books from PhDs and peer-reviewed scholarly articles may have additional credibility based on the amount of research and vetting that is done for them, the industry standard is to acquire cyber information from a multitude of online resources, and it is considered credible.  Just as Zillow transformed real estate and their Zestimate has become the publicly-acceptable standard for property estimates, online resources have become the go-to place for credible cybersecurity news, information and intelligence.

Websites which offer some high-quality facts, intelligence, topics, technology and commentary include:
- Krebs on Security
- Naked Security
- Dark Reading
- Hackaday Blog
- The Hacker News
- Threat Post
- Security Week
- CSO
- IT Security Guru
- Schneier on Security
- Daniel Miessler
- Google Online Security
- Wombat Security
- Errata Security
- Kaspersky Labs
- Security Bloggers Network
- Sophos
- Security Now podcast
- Graham Cluley
- The Security Ledger
- Paul’s Security Weekly
- AT&T Cybersecurity
- Internet Storm Center

The truth is that books and peer-reviewed publications are not able to keep up with the speed of technology and the threats being brought upon our systems, networks and software.  I feel it is absolutely justified to continue to use these web-based sources as long as they are deemed credible by the cybersecurity community and are not biased based on foreign input, such as Kaspersky, or vendor-specific technologies (Vaughan-Nichols, 2017).  Reliance on these sources may be the subject of information warfare, so there may be a need for oversight if disinformation begins to interject itself into the open news sources from which open-source intelligence aggregators acquire their products.

Websites such as Purdue University’s OWL provide guidance on how to reference websites and other online content (https://owl.purdue.edu/owl/research_and_citation/apa_style/apa_formatting_and_style_guide/general_format.html).  This indicates that online content is worthy of being referenced, but those in academia are still skeptical about non-official publications and websites which may not be as mainstream as other well-known sites.  After going through the course on Information Warfare, I believe it’s important to review websites for credibility before deciding to reference them in professional work or scholastic endeavors.  Truth be told, many blogs are purely subjective, even if the rationale is well-received.  Using them as a source in higher-level education should be done carefully if the author intends to maintain credibility in the discipline.

Technology is moving at the speed of light, so the ability to find, use and reference credible online resources is imperative to obtaining the most current information on topics pertaining to cybersecurity and information technology. 


References:

Higher Education Reports, (n.d.) Babson Survey Research Group.  Retrieved on December 21, 2019 from https://www.onlinelearningsurvey.com/highered.html
Top 40 Cyber Security News Websites for Information Security Pros. (Dec. 16, 2019).  Feedspot.  Retrieved on December 21, 2019 from https://blog.feedspot.com/cyber_security_news_websites
Vaughan-Nichols, S., (2017), Claims resurface that Kaspersky helped Russian intelligence.  ZDNet.  Retrieved on December 21, 2019 from https://www.zdnet.com/article/claims-kaspersky-works-with-russian-intelligence-resurface/



Wednesday, December 11, 2019

CYBR 650 - Blog Post 2


(Me having lunch with congressmen Tom Cole (left) and Mike Rogers (right))



I was invited to participate in the Reagan National Defense Forum this past Saturday, located at the Ronald Reagan Library in Simi Valley, CA (10 miles from my house).  The forum brings together some of the most significant players and contributors in the world of national defense and security in the nation.  Being on the VIP guest list entitled me to personal access to many of these individuals, both in person as well as in intimate panel discussions.  For those of us in national defense, it’s surreal to hang out at cocktail hour with 4-star generals and members of Congress and chit-chat about everything from security policy to football.  In a single day, the people I personally saw or talked with include:
- Dr. Mark Esper (Secretary of Defense)
- Rob O’Neil (National Security Advisor)
- Jim Mattis (former Secretary of Defense)
- Jeff Bezos (Founder, CEO of Amazon.com)
- Brad Smith (President, Microsoft)
- Leon Panetta (former Director CIA, former Secretary of Defense)
- Dana Deasy (DoD CIO)
- Karl Rove (former Deputy White House Chief of Staff, Bush 43)
- ADM Paul Nakasone (Commander, US CyberCOM)
- ADM Michael Gilday (Chief of Naval Operations, CNO)
- Gen. David Goldfein (Chief of Staff, Air Force)
- Gen. David Berger (Commandant, US Marine Corps)
- Gen. James McConville (Chief of Staff, US Army)
- Congress (Tammy Duckworth, Adam Smith, Mac Thornberry, Liz Cheney, 20 others)

Promoted as a forum for national security, the panel discussions I observed this year and last year started with the topics of security, readiness and lethality and quickly meandered into cybersecurity and nation-state sponsored threats.  This was true for every forum.  Discussing national security at the highest levels now includes cybersecurity and the realization that the cyber threat is just as significant as potential kinetic warfare.  China, Russia, Iran and North Korea were popular topics for all the major players, and all panels defaulted to discussing how the cyber threat affects the overall wellbeing and way of life of the United States.
Sitting through 10 hours of panels, fireside chats and personal discussions with a few of these key individuals, it became apparent that the underlying topic for our national security is nation-state sponsored cyber threats.  Below I highlight some of the significant speakers and presentations.



Lunch keynote speaker Secretary of Defense Dr. Mark Esper showed fluent knowledge and experience in security and highlighted many cyber-relevant situations which the National Defense Strategy (NDS) supports defending against.  It was refreshing to hear his take on the NDS; he emphasized that continuing resolutions (CRs) will negatively affect the military and encouraged Congress (30 members of which were in attendance) to pass the budget and help meet the goals set forth in the NDS.


Amazon founder and CEO Jeff Bezos had some memorable quotes and advice.
“To earn trust – do hard things well, over and over and over again.”  This was in regard to things like stating they would do next-day shipping with Amazon Prime, or offering AWS or video services.  It wasn’t easy, but he proved to others they were able to do it, and do it over again.  This builds trust in the brand and enterprise.  He also had advice on decisions, indicating there were two types:
1. Highly-consequential, irreversible, one-way decisions
2. Normal decisions which can be reversed without dire consequences
Bezos mentioned that we use the hard decision-making process for situations such as #2, causing us to over-think and add too many people to the decision-making process when it’s not necessary.  Understand the situation, use critical thinking, keep the quorum small and make fast decisions if they are not irreversible and highly-consequential.
Mr. Bezos also discussed his “disagree & commit” methodology, which he encourages leaders to adopt as a way of progressing in the decision-making process (see here: https://www.inc.com/justin-bariso/it-took-jeff-bezos-only-three-words-to-drop-the-best-advice-youll-hear-today.html).  He also highlighted the importance of being robust and nimble, which somewhat translates to resilience and agility in the form of program acquisition and decision making.

I was very impressed with Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment.  Unlike some high-level officials, Secretary Lord is very familiar with new technologies and recent policy and, while responsible for all DoD acquisition, encouraged the group to “fail small, fail fast and move forward”.  She said readiness and modernization should be hardware enabled and software defined, and the laborious acquisition process the DoD is stifled by will need to be revamped to compete with our foreign adversaries in the 21st century.  She is also familiar with the Cybersecurity Maturity Model Certification (CMMC) and indicated that 1st-tier contractors (Lockheed, Northrop, GD, Boeing, etc.) will need to help lower-tier contractors become compliant with this standard.  We should expect to see more news of it by March 2020.

I had a chance to briefly chat with DoD CIO Dana Deasy and asked him if he noticed that all the panel discussions started off discussing high-level defense readiness and acquisition but ultimately included discussions about cybersecurity.  I asked him if perhaps the next Reagan National Defense Forum could include a panel specific to cyber threats and readiness in the DoD, and he said, “that’s a good idea.  I’ll bring it up to them.”  Not sure if that was sincere or not, but since he said it was his first time at the NDF, I indicated this was the case for most of the panel discussions.

During the happy hour the night before, I had a chance to speak with General Mattis about how the cyber threat has increased since his time in the military.  He indicated that the DoD has been aware of cyber threats for a while, but only really saw it posing a national security threat in the past decade, and much more in the past few years.  He then reiterated that position later in the day while discussing a variety of topics with Leon Panetta.  Both very wise.




There was a panel discussion that filled the house – the Chiefs of Staff of the Air Force and Army along with the Commandant of the Marine Corps and the Chief of Naval Operations held a panel to discuss national security and how each of the forces was supporting it.  All were fluent in how the cybersecurity threat is now a top-tier concern for these leaders, and they indicated more support and direct involvement in making sure each service was baking cybersecurity into its acquisition, product line and culture.


National Security Adviser Rob O’Neil was also there, but his canned 15-minute speech was a partisan tribute to Donald Trump.  Many of the comments he made pushed Republican agenda items and perpetuated the false narrative of a successful presidency, contradicting many of the positions previous speakers took.  Very disappointing; the snickering from the audience was very noticeable and his statements made many people uncomfortable.
Overall the 2019 RNDF was very successful, and the folks at the Reagan Presidential Library did a fantastic job coordinating the speakers, the guests, security, food and refreshments and media.  I look forward to being there next year.

Full videos of all panels can be located here:  https://www.youtube.com/playlist?list=PLHNOi2zcxo7tPPwgTEaF421osdMepdJKk

Tuesday, November 26, 2019

CYBR650 - Blog 1 - Stop Chasing Cyber Buzzwords

BLUF - Buzzwords in the cybersecurity and technical fields attempt to capture innovative concepts which tempt leaders to adopt them quickly, regardless of whether the solutions they provide support their mission needs.


Leadership loves to lead and management is there to manage, but the one thing they should not be doing is providing solutions to cybersecurity professionals.  On a weekly basis leaders, supervisors and C-suite officers love to chase buzzwords and insist we adopt the latest technology or concept.  "GO TO THE CLOUD!" is a favorite one, or "we need to establish a DevSecOps environment" is yet another.  These are terms passed down from others in pursuit of being on the forefront of technology, but more importantly, bragging to others that they're incorporating the buzzwords they're hearing.

The spread of buzzwords can be from many origins.  Trade shows, conferences, news and blogs, vendor marketing advertisements, or even casual conversation and emails can all spread these catchy terms that refer to a term or practice that most likely already exists.  But because technology accelerates so quickly, buzzwords are used to capture progress even if nothing new has been created.

According to CSO Magazine, the top buzzwords for Cybersecurity for 2019 are:

Cyber - meaning anything with computers or internet
AI - artificial intelligence, but meaning "robots making decisions"
APT - Advanced Persistent Threat, but meaning any outside attacker
Threat Intelligence - information about threats, but meaning super secret info about threats
Next-generation - anything new
Cloud - someone else's computer or network
Data-driven - making decisions based on data; been doing this for years
Real-time - as opposed to needing extra time to consider a decision or action
Thought Leader - someone with a brain making decisions

(https://www.csoonline.com/article/3258551/10-security-buzzwords-that-need-to-be-put-to-rest.html)

Add to that mix these as well:

Blockchain, Chaos Engineering, BYOD (Bring Your Own Device), Big Data, DevSecOps, Behavior Analytics, Human Firewall, CI/CD, Orchestration, Quantum Computing, NOC/SOC, Zero Trust Security, Automation.

Many of these buzzwords are associated with a technology or concept which can be very useful in an organization's architecture or security enterprise IF it's applicable and of value. But the problem we're seeing is leaders direct teams to implement solutions without knowing if they are required to meet mission goals.

Instead, leaders need to be able to accurately describe the requirements instead of the solution.

"We need to connect this network to this network with these latency requirements"
"Our developers need a collaborative environment with the following tools"
"Our customer needs to transfer data up to 30GB to us in under 10 minutes"
"I need to make a decision on this contract based on previous statistics"
"We need to secure our web server from attacks on unmanaged ports and protocols"
"The requirement is to meet the following standard, policy or guidance"
"I need proof that implementing this widget/upgrade will not affect our production servers"

These are requirements.

With statements like this, IT and cybersecurity professionals can suggest a variety of solutions.  The lead would then create courses of action (COA) based on cost, schedule and performance and the leader will choose based on those factors.

As an example, recently I've been told our program needs to "go to the cloud" in order to collaborate.  So when I started I asked the program manager, "Just what are we being asked to do?  What is the requirement?"  His reply: "That's why we hired you."  It's a simple process of associating a solution with a requirement, but when the requirement is to utilize a solution without knowing the details of what success looks like, we find ourselves chasing our tail.

A better requirement would be something on the order of, "We need to establish a zero-client environment between office X, Customer Y and end users located at Z by March 2020 so they can share these files, utilize a Git source code repository on Bitbucket and deploy images to a private resource at Customer Y's CM server.  Users will have token cards for 2-factor authentication and be limited to specific parts of this environment, but not all of it."  With something specific like this, we are able to determine vendors and specific locations and establish the security and IT requirements.  At this point, we're able to offer solutions such as hybrid clouds, type 1 hypervisors, an on-site SAN solution and multi-factor accounts based on a Kerberos authentication server in an RBAC model.

The exception to this is when you have a General or CEO saying, for political reasons, "We must do X" or "Implement the following technology."  While we love to be subject matter experts and make recommendations for technologies, we also need to learn when the boss is making a solution the requirement.

In either case, cybersecurity professionals need to be fluent in these terms and technically competent in their pros and cons and the situations they benefit.  This is a fast-moving field and wrong answers can cost jobs, if not lives.




Sunday, February 3, 2019

Week 8 - I love my Spouse(ware)

Our nature is to trust our spouse.  We marry them with the expectation they will be truthful and not devious.  BUT, sometimes people do things which reduce our level of trust and we feel the need to ensure their truthfulness. 

One of the first mentions of a new app for smart phones to track our loved ones being referred to as Spouseware was in this article from 2007 (http://www.informit.com/articles/article.aspx?p=1077909).  Ironic, because the very first iPhone was released in 2007, so not long after that people started thinking of ways to track people with them.  Spouseware is a type of spyware which can remotely track an individual.

Spyware is typically installed by unknown persons/entities (hackers, foreign actors), compared to Spouseware, which is an app installed physically and willingly through an authenticated and authorized account, but by someone else masquerading as the owner for nefarious reasons.

Here is a list of tell-tale signs that your phone is compromised:

Your partner frequently asks to see your computer or cell phone, or takes it.
Your partner demands passwords to your computer or cell phone.
Your partner wants login information for your email, banking, shopping, or social media accounts.
Your partner is known to be "good with computers" and handles your computer tasks.
Your partner gives you devices that they've set up for you.
Your partner spends a significant amount of time on their computer and is unusually secretive about it.
Your partner makes vague references to activities or conversations they were not present for.
Your partner gets unexpectedly angry towards a person you've recently communicated with.
Your partner threatens to reveal embarrassing information about you.
(source - https://hackblossom.org/domestic-violence/threats/monitoring.html)


So if your spouse has this kind of access to your phone, then I'm guessing your relationship is good enough to not worry about hiding photos, texts, etc. 


What I'm more interested in is the ability to remotely install apps without physical access.  Spouseware is obviously a form of spyware which can remotely track communications, location, activity, etc.  The risk to our nation is very low as it pertains to people tracking each other's spouses, but it could be very high if this kind of spyware can be remotely installed on other high-value targets such as senior intelligence officials, leaders of industry, politicians, or perhaps even nation-state spies working covertly.

Spouseware can be installed many different ways, but based on the articles above it typically requires physical access to the device.  Malwarebytes also reports on spyware disguised as antivirus here:  https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/

Motherboard lists popular Spouseware apps and how to discover if your phone has them installed here:  https://motherboard.vice.com/en_us/article/bjepkm/how-to-tell-if-partner-is-spying-on-your-phone-stalkerware

Probably the best way to identify Spouseware is to back up your data and reinstall your operating system.  But if you are really that suspicious that spouseware is installed on your mobile device, perhaps you should be focusing more on your marriage than on defending your privacy against them. 

Friday, January 25, 2019

Week 7 - The Wall of Cybersecurity

The concept of security has been around for centuries.  One of the oldest concepts of physical denial of access is building a wall: a physical barrier that acts as both prevention and deterrent, restricting access by those not permitted to gain entry.  Examples include the Great Wall of China, the Berlin Wall, the Israeli West Bank Barrier Wall, and Sacsayhuamán in Peru.  The majority of these walls protected against unauthorized entry for their period of time, but a single boundary defense such as a wall is not adequate in modern times because of the advanced tactics and technologies used by those wishing unwarranted entry. 

In a computing environment, using only a wall for defense would be the equivalent of relying on a username/password alone for complete protection.  Thus a modern physical defense utilizes defense in depth, which itself is not a modern concept. 

Even the phrase "Guards, Gates & Guns" shows how different physical controls can be used to prevent entry.  Again, these are both preventative and deterrent controls which can be used in conjunction with a physical wall to limit access.  Here are a few other security controls which could be added to a stationary barrier such as a wall to provide defense in depth:

Motion sensors
Electrified fences
Additional patrols
Air Surveillance via plane or satellite

When there is a large threat vector (such as a 500-mile border), a physical barrier in addition to other natural deterrents provides the best total security solution. 

In reality, the use of a wall as a single physical security control is about as ridiculous as expecting the enemy to pay for its installation. 

The other option would be to allow entry but then control access once inside.  Not everything inside a network is attractive to the enemy, so knowing how to be selective about protecting critical data and configurations may be a better defense than a single external boundary defense. 

The moral of this post is that using archaic security controls to deter and protect against external entry is wasteful and ineffective.  A smarter approach is to embrace defense in depth by utilizing physical, technical and administrative controls specific to the threat landscape and attack vectors, resulting in a controlled, managed-risk environment. 

If you're thinking this could be applied to non-IT-related current events, you're right.