
Monday, August 30, 2021

The Importance of Understanding Cybersecurity as a Professional and Student - CIA - Integrity

Oftentimes, most of us think of terms like ‘Hacking’ and ‘Hacker’ as describing some sort of nefarious individual who can hack into our Facebook accounts and steal our data. While there are impersonators, imposters, and deceptive individuals active and present on platforms like Facebook, the truth is that these are indeed NOT actual Hackers.

First and foremost, as any Security Professional will tell you, you must have the ability to think like a hacker in order to fully secure your system. This is true. However, all of us who work in the Cybersecurity Industry in the USA must hold ourselves to a higher standard because of the information and skills that we learn on the job. A true security professional is aware of the implications of misusing and/or abusing that power.

Legal implications, for example. I was once at an ISC2 conference in New Orleans back in 2018 when a round-table conversation sparked a story about a professional who was hired to perform a Penetration Test for a Mid-Size Corporation in the Midwest. This professional was way more advanced professionally than I was at that point; he was a Pro Pen Tester, and he knew what he was doing. He was very good at his job.

Long story short, and fast forward to what happened. He was thrown in jail while performing recon on the target. As it turned out, he was hired by a disgruntled janitor posing as a Manager at the company. This Janitor did not have the authority to hire him to perform this work. Therefore, when the Pen Tester called from jail and tried to explain that he was there to perform a sensitive job, it didn’t matter, because all of the signatures were from the Janitor, not management.

From my perspective, this is a high-level pen tester with years of experience, and even he fell victim to impersonation. That being said, be careful who you get your information from. You never know when you could be a target of deception, and not everyone who claims to be a ‘Hacker,’ or ‘Manager’ for that matter, actually is one.  

I myself have been questioned many times throughout my cyber career by civilians asking why I don’t just hack people’s phones or social media platforms. I know the answer, and I know the reason why. Furthermore, I take my responsibility as a Cyber professional very seriously, and I’d rather not end up in jail for practicing bluesnarfing on someone’s headset. I can, but I won’t.

If you are interested in becoming a Cybersecurity Professional, or more specifically an Offensive Security Pro, I recommend that you do your own research: read the books and articles, join the groups, reach out to other professionals in the field, take the classes, go to meetups, and learn as much as you can before testing/deploying/etc.

About the Author: Ashley Oliver is an experienced Cybersecurity Consultant, Engineer, Mentor and Teacher based in the Central New York area. Ashley has over 11 years of experience. Ashley is an SME in several areas of security including Network Security Engineering, Architecture, Policy, Standards, and Compliance. Ashley's rare and unique experience is based on her love for the Shell, and perfect design. Ashley has knowledge of NIST, and is very proficient in Layered Security, DLP, Encryption, IPSec, and more. She has a highly technical background, which is command-line (CLI) intensive, as well as high-level design and customer interfacing experience. Ashley is always more than willing to share and to teach.

Questions? Email: olivercomsolutions@outlook.com

Interested in Ashley's Cybersecurity Mentorship Program? Book Your Discovery Call Here

Friday, May 15, 2020

The Common Criteria Framework

Do you struggle with Validation? I mean, within yourself, not others? How do you uphold yourself to your own set of standards? Do you have standards? Maybe you are athletic, and as such it is required that you run every morning for at least 6.5 miles. This is your own standard – one that you set – and you uphold yourself to it, as an athletic professional. When you stick to these criteria, you are validating yourself – and you probably feel GREAT when you go to bed at night, because you upheld your own vision and values, you went for your run, and you are being your best self. Like my last 500 articles – what does this have to do with Cybersecurity?

First things first, we need to revert to the evaluation requirement. Referring to my opening statement, ‘How do you uphold yourself to your own set of standards?’ – for me personally, my self-evaluation is based on my own criteria, having met or not met my standards, i.e., did I run my 6.5 or not? This is the basis for the international framework known as the Common Criteria. The Common Criteria is a standard for Computer Security Certification that is globally recognized and was developed with the involvement of 6 different countries.

The CC offers what is considered an Assurance Evaluation, which measures the parts of a computer system that are pertinent to its security aspects. InfoSec Pros are familiar with terms such as the TCB (Trusted Computing Base), Reference Monitor, Kernel, and Access Control & Protection Mechanisms. There used to be different processes and techniques to evaluate and assign an assurance level to a system. However, the Common Criteria is as globally known as the Coronavirus.

So, since this framework enables the User to specify security requirements and the Vendor to demonstrate how those requirements are satisfied (not to mention that independent labs can be involved to help verify those claims), the product in question is assigned an Evaluation Assurance Level (EAL) prior to having been evaluated. There are seven levels of assurance in the Common Criteria Framework, EAL 1 through EAL 7.

I figured my readers would be less interested in the individual EAL levels, so I will leave it up to you to examine them if you are interested. Instead, I thought we would take a look at a real-world example. Take a look at this list of Common Criteria-Certified Products. Don't be surprised if you see your phone or computer on it =).

About the Author - Ashley Oliver is an experienced Cybersecurity Consultant, Engineer, Mentor and Teacher based in the Central New York area. Ashley has over 10 years of experience. Ashley is an SME in several areas of security including Network Security Engineering, Architecture, Policy, Standards, and Compliance. Ashley's rare and unique experience is based on her love for the Shell, and perfect design. Ashley has knowledge of NIST, and is very proficient in Cybersecurity, Network Security, Next-Gen Firewalls, Layered Security, DLP, Encryption, IPSec, and more, and she is always more than willing to share and to teach.