tldr; Application Security Trend Report

  • According to the Application Security Trend Report, 81% of surveyed respondents use Java as their programming language to add value to their customers.
  • 87% of surveyed respondents develop web applications, while 60% develop enterprise business applications
  • 38% of the surveyed respondents are developers or engineers, 22% work as developer team leads, and 22% are architects

Security and Developers

Developers are in the first line of defense when it comes to securing their valuable asset: code. This is called the shift-left movement. In essence, developers need to think more about security before pushing their work to the next stage in the pipeline.

Writing secure code is key. Secure as in not being penetrable by external or internal actors. Another key factor about being secure is that the software works as intended. There are six techniques that developers definitely need to consider when sitting down and planning out the testing phase of this work:

  1. Validating Inputs
  2. Architecting and Designing for Security Policy
  3. Making Permissions Explicit and Denial Default
  4. Using a Secure Coding Standard
  5. Executing All Processes with the Least Set Privileges
  6. Sanitizing Data Before Sending it to Other Systems

One major vulnerability that all software has is the potential to be a candidate for a buffer overflow attack.

“A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of memory can corrupt data, crash the program, or cause execution of malicious code”

The most popular ways to mitigate this type of attack are code auditing, bounds checking, use of compiler tools, and only coding in strongly-typed languages with no direct memory access, including libraries.

I found it fascinating that more companies are doing source code analysis. However, it does sadden me to see that fewer companies are relying on penetration testing as a security defense. I am a big advocate for static and dynamic code analysis. This will help out developers to think about security at the left-side of the pipeline.

Security and Enterprises

I cannot stress enough the importance of having a well-defined application development lifecycle. Also, knowing when in the lifecycle to implement security protocols can seriously affect the efficacy. I want this shift-left movement to start spreading into company culture everywhere.

I am not surprised that 29% of surveyed companies spend most of the time on application security during the design phase. However, I am shocked that 26% of surveyed companies spend most of the time on application security during the implementation phase. Are companies thinking about security at all?

Luckily, only 12% of respondents reported that 1/5 of deployments contain known security vulnerabilities. But, we should be at a point where deployments do not have any known vulnerabilities. The fact that these vulnerabilities are known to the public is disheartening. I thought we were at a point where deployments would be clean of at least known ones.

The threats that organizations plan on allocating most of their resources for are phishing attacks, distributed denial of service, ransomware, and SQL injection.

Building Security into Application Architecture for Continuous DevOps Protection

  1. Implement a single security solution that reduces dependencies and integrates with DevOps tools, pipeline, and hybrid cloud environments
  2. Reduce disruption of development schedules and workflows, with automated protection for images, containers, and your host
  3. Implement early detection best practices via application programming interfaces by scanning images at build time and repeatedly for the duration of life in the registry
  4. Maximize threat detection, at both the software build pipeline and runtime, with industry pro and focused threat intelligence feeds
  5. Help meet risk and compliance requirements by implementing comprehensive threat and risk detection that covers malware, vulnerabilities, secrets, and policy violations early in the CI/CD pipeline

Automated Full Life Cycle, Full Stack Container & Workload Security

“We’re able to protect a container pre-runtime by understanding what’s going on in the environment from a security perspective before it even hits production”

  1. Prevent exploits within the build pipeline
  2. Provide continuous security for unknown security
  3. Expedite deployments with image assertion
  4. Secure workloads and container platforms at runtime
  5. Meet compliance needs with trusted security

Is your system vulnerable to BlueKeep?

A critical vulnerability was announced about two months ago. The vulnerability (CVE-2019-0708) is a remote, wormable flaw in Microsoft’s RDP known as BlueKeep. This means that people with RDP services running need to patch their systems as soon as possible; otherwise, attackers will try to gain access to their networks. A list of affected products and the security patch needed to remedy this vulnerability can be found here

Normally, RDP servers are secured only by a username and password, which could be cracked easily with brute force or password cracking tools like mimikatz. Once cracked, the attacker has the ability to execute arbitrary code on the target system. Also, the attacker would have the ability to install programs; view, change, or delete data; or create new accounts with full user rights. This exploit is giving me nightmares tonight!

In order to exploit this vulnerability, an attacker will need to send special requests to the target system’s Remote Desktop Service via RDP. Here is a link to an example implementation of Microsoft Windows Remote Desktop BlueKeep Denial of Service: click here and here. I am not responsible for what you use this to accomplish, and it should only be used for educational purposes.

One possible mitigation is to disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities. Another option is to enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2. The last option is to block, or only allow certain hosts through, TCP port 3389 (for RDP) at the enterprise perimeter firewall.
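The perimeter-firewall mitigation above depends on rule order as well as rule content. The following Python sketch is an added example, not part of the original post: it audits a first-match rule list for paths to TCP 3389 from sources outside an approved list. The Rule structure, rule names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389  # TCP port named in the mitigation above


@dataclass(frozen=True)
class Rule:
    """One perimeter ACL entry (hypothetical structure for this example)."""
    name: str
    action: str      # "allow" or "deny"
    source: str      # source network in CIDR form
    port_low: int
    port_high: int

    def covers_rdp(self):
        return self.port_low <= RDP_PORT <= self.port_high

    def network(self):
        return ipaddress.ip_network(self.source)


def _inside(net, others):
    """True if net is fully contained in one of the networks in others."""
    return any(net.version == o.version and net.subnet_of(o) for o in others)


def first_match(rules, src_ip, port=RDP_PORT, default="deny"):
    """Evaluate one connection the way a first-match ACL does."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.port_low <= port <= rule.port_high and ip in rule.network():
            return rule.action
    return default


def rdp_exposure(rules, approved_sources):
    """Names of allow rules that let unapproved sources reach TCP 3389."""
    approved = [ipaddress.ip_network(s) for s in approved_sources]
    denied_so_far = []   # deny rules for 3389 seen earlier in the list
    findings = []
    for rule in rules:
        if not rule.covers_rdp():
            continue
        net = rule.network()
        if rule.action == "deny":
            denied_so_far.append(net)
        elif not _inside(net, approved) and not _inside(net, denied_so_far):
            # Allow rule reaches 3389, is broader than the approved list,
            # and no earlier deny fully shadows it.
            findings.append(rule.name)
    return findings


# Constructed sample data (documentation address ranges).
JUMP_HOSTS = "198.51.100.0/28"

# Weak ordering: the broad high-port rule matches before the RDP block.
WEAK_ACL = [
    Rule("jump-hosts-rdp", "allow", JUMP_HOSTS, 3389, 3389),
    Rule("legacy-high-ports", "allow", "0.0.0.0/0", 1024, 65535),
    Rule("block-rdp", "deny", "0.0.0.0/0", 3389, 3389),
]

# Corrected ordering: approved hosts, then the RDP block, then the rest.
FIXED_ACL = [WEAK_ACL[0], WEAK_ACL[2], WEAK_ACL[1]]

if __name__ == "__main__":
    print("weak :", rdp_exposure(WEAK_ACL, [JUMP_HOSTS]))
    print("fixed:", rdp_exposure(FIXED_ACL, [JUMP_HOSTS]))
```

The same three rules are either exposed or safe depending only on their order, which is why the audit tracks earlier deny rules instead of just searching for a 3389 block.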




CCNA Security Certified


I am excited to write this post, finally! I passed my CCNA Security Exam – Implementing Cisco Network Security (210-260). I started studying around Summer of 2018 with reading the CCNA Security Official Certified Guide. I read this document for about two or three months getting halfway through that thick lexicon of security terms. If you have read my previous post about me getting my VCP-DCV6.5 certification and keeping up with my new role at Trend Micro. So far, I have not been on track for what I wanted to do originally. However, I am thankful because I am a network professional who demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.

You are probably thinking, you just ONLY read the OCG!? The answer to that question is simply no. I used various mediums to get the knowledge needed. To start, purchase the “31 days until the CCNA security exam” and the “CCNA portable commands guide”. I used these two books religiously through my studies. Going through 31 days until the CCNA security exam book was the most helpful in understanding what I needed to know for the exam. Note that this book is not the only thing you need to do.

Another aspect of my studies was actually getting my hands wet with the Cisco Firewall Adaptive Security Appliance 5505. I was able to use the ASDM which was necessary for this exam. Also, I configured different features on firewalls, routers and switches that were outlined in the books I mentioned above. People say that you can use GNS3, but I always have a hard time getting the application to work properly. Doing it with a physical device will work fine.

Make sure to go through all the supplemental resources that are given in 31 days until the CCNA Security exam. I love that this book gives extra resources to go and get more information when confused about something. The key is to get a lot of information from a lot of different places.

The week leading up to the exam, I studied my butt off looking for exam dumps that had sample questions. Luckily, I found this YouTube video and it saved me on a couple of questions on the exam. I am glad that I took my time and answered everything within time to leave with around 20 minutes left. I was stressing when I got my results. 870 out of 1000. Ten points away from having to pay another $300 to get this certification. Thank God Almighty!

Overall, this test was stressful since I was reading comments about people barely passing on Reddit and didn’t want to be one of those people. I needed to pass the first time. That is why it took me so long to actually get my confidence up to schedule the exam. So now, I want to continue my quest by getting my CCNP Security certification before the Cert Apocalypse happens on 2/23/2020. I plan on finishing this certification sometime before the end of the year, so stay tuned on my journey to become an Information Security engineer.

Faster Speeds and More Radiation

Overview of 5G technology

As our society continues to grow, more and more people will be consuming more data than ever before. With today’s wireless technology, people are crammed onto the same band of the radio-frequency spectrum, leaving less bandwidth for each of them. To combat this problem, wireless engineers are starting to transmit signals on a new spectrum using Millimeter Waves (MMW). This type of signal uses extremely high frequencies and is used in satellites or radar systems.

Due to the shift to MMWs, this signal will have a hard time traveling through obstacles such as buildings and will be absorbed by rain and foliage. Combating this problem will force cities to incorporate small cells, which are portable mini base stations that require little power to transmit 250 meters away. These small cells will require a greater infrastructure from cities that want to implement 5G technology. One added benefit is that the size of these antennas is smaller than traditional antennas. Here is a video showing how small cells are installed on light poles:

Even though the time to install a small cell is less than two hours, the number of small cells required to build a 5G network will make it hard for rural areas to receive internet access. In my opinion, isolating rural areas should not be the case as wireless technology improves. Being from Texas, there are many rural areas that would not have the same high-speed experience as a dense city.

Another advancement that 5G introduces is Massive MIMO (multiple in multiple out). Originally, traditional antennas have eight ports to transmit and four ports to receive data, so 12 ports in total, which will cause performance issues when more people are joining the network. With Massive MIMO, the number of ports is now close to one hundred (22 times capacity increase).

With more ports, there is a higher chance that cellular traffic will cause interference with other cellular traffic. In an effort to stop interference from happening, wireless engineers are using beamforming. Beamforming is a traffic-signaling system for cellular base stations that identifies the most efficient route to the user. In the end, the countless signals that this antenna will experience will need a systematic way of sending and receiving data to reduce interference.

The last advancement that I want to mention is the antenna’s ability to transmit and receive data at the same time, on the same frequency. The circuit design needs to route incoming and outgoing signals so they do not collide while an antenna is transmitting and receiving data at the same time. This technology is called Full Duplex and it is about time engineers implemented this in our networks.

These are the major components of building a 5G network. With these antennas placed in your city, users should be able to download a high-definition film in under a second. Also, there will be less than a millisecond of delay and download speeds of 20 gigabits per second. So in other words, this technology will blow your mind away.

However, there are some issues I have with this new wireless technology. One issue is that rural areas will not have the same experience as densely populated areas. Another issue is the extremely high frequencies (30 to 300 gigahertz) being close to schools or any public place.

Are MMWs worth the faster speeds?

Radiofrequency radiation (RFR) is anything emitted in the electromagnetic spectrum, from microwaves to x-rays to radio waves to light from your monitor or light from the sun. The real question here is: under what circumstances does RFR become dangerous for the general public?

In a recent study completed by the National Toxicology Program, scientists found that high exposure to 3G RFR led to some cases of cancerous heart tumors, brain tumors, and tumors in the adrenal glands of male rats. The level and duration of the RFR exposure were well in excess of what any actual human would ever be exposed to, and in fact, the irradiated test rats lived longer than the unexposed control rats.

In 2011, the World Health Organization weighed in, classifying RF Radiation as a Group 2B agent, which is defined as “Possibly carcinogenic to humans.” With the rat experiment taking place after WHO declared this statement, people now have a better understanding of the harms of RFR.

In Germany, researchers studied 1,000 residents who lived in close proximity to two cell phone towers for about 10 years. According to the study, during the last five years of the observation, researchers discovered neighbors living within 400 meters of the cell towers were diagnosed with cancer at a rate that was three times higher than those who lived much further away.

Besides MMW being carcinogenic to people, “The deployment of 5G constitutes a massive experiment on the health of all species… Because MMWs are weaker than microwaves, they are predominantly absorbed by the skin, meaning their distribution is quite focused there. Since skin contains capillaries and nerve endings, MMW bio-effects may be transmitted through molecular mechanisms by the skin or through the nervous systems,” said Dr. Moskowitz.

Dr. Stein from Jerusalem’s Hebrew University argues the human skin has the ability to absorb more than 90% of microwave radiation and will cause major problems from head to toe, especially for kids, the elderly, and pregnant women.


According to the picture above, microwaves are considered non-ionizing, which means that this type of radiation is too weak to break chemical bonds. However, microwaves are the only exception. MMWs are non-ionizing and able to damage tissue. They’re precisely and intentionally tuned to resonate with water molecules. Last time I heard, our bodies are made of mostly water. Even though microwaves are non-ionizing, the radiation is still able to do damage to species.

Cell towers should not be near schools, hospitals or homes. Those areas are just going to have to deal with the boring 4G technology that does not damage people’s skin.

Why should I care?

At a Senate Commerce hearing, Blumenthal raised concerns about 5G wireless technology’s potential health risks. At the end of the exchange, Blumenthal concluded, “So there really is no research ongoing. We’re kind of flying blind here, as far as health and safety are concerned.” It’s good to know that the government is thinking about our health and safety, yet I bet there will be no push for more research from them. There will be no stoppage from the federal government when installing these small cells.

Another major way that 5G will impact our well-being negatively is its ability to mess with the accuracy of weather forecasts. “Unfortunately, today’s spectrum reality could directly impact the future of accurate weather readings,” the association continued. “Spectrum is a finite resource and as the Federal Communications Commission (FCC) looks to free up spectrum for emerging technologies like 5G, the risk of interference with existing users rises, in both the incumbent band and the adjacent bands.”

“I don’t doubt that there may be some issues with the frequencies that close together, but I doubt that this will change the rollout of 5G,” said Phoenix-based Jim McGregor, principal analyst at Tirias Research, a high-tech research and advisory firm.

I want to make it clear that I have mixed feelings about this topic. I do not know what will happen to us in the future, but given the previous studies, it does not sound good.


  1. Everything you need to know about 5G
  2. 5G Could Mess with Accuracy of Weather Forecasts
  3. How Worried Should You Be About the Health Risks of 5G
  4. Why 5G Cell Towers Are More Dangerous
  5. Senate Commerce Hearing, Blumenthal

VMware Certified Professional – Data Center Virtualization 2019

Update: I tried artificial meat and I can say that it does taste like meat with a weird texture.

My time as a Customer Service Engineer is over, and it is time to move on to bigger and better things, hopefully. Now, I am on my second rotation as a Professional Service Engineer. This role helps bridge the gap between the pre-sales and the post-sales and helps with retention of Customers. The engineers are knowledgeable in various areas in information security and technology such as but not limited to Networking, Penetration Testing, and Virtualization. It is my first week in this role so my judgement is not the best at this moment, but I am loving it! The shift from a CSE to PSE is definitely what I needed because support cases are not my specialty. I am a technical person who needs continual learning in order to feel like I belong, kind of sounds like school. This role allows me to work on my certification that was on the back burner: CCNA Security. I am planning on taking the CCNA Security around the end of this month. Overall, I am excited for what the future has in store for me in this role.

Also, I want to share my recent accomplishments in May 2019. My goal was to be VMware Certified. It was a busy month trying to put as much information about ESXi hosts, vSwitches, and the many other features in one head. However, I was able to pull it off and get certified!! I am a VMware Certified Professional for Data Center Virtualization, and now ready to move on to my next goal: Security Professional. If you would like to know more about how I got certified, feel free to post a comment and I will respond in a timely manner.

Make sure to follow me on my journey to becoming a cybersecurity professional. I will try and write more content so that y’all can get a better glimpse into my world.

Artificial meat!?

Let’s recap what happened in the first 10 weeks as a Technical Rotational Associate:

  • Week 1: Soft Skills
  • Week 2: Computer Networking
  • Week 3: OfficeScan (OSCE) Certification
  • Week 4: TCAP certification
  • Week 5: TippingPoint (TP) certification
  • Week 6: VMware vSphere certification
  • Week 7: Deep Security (DS) certification
  • Week 8: Deep Discovery (DD) certification
  • Week 9: AWS Solution Architect certification
  • Week 10: Rotation #1

You are probably wondering: how in the world is that possible? It isn’t. The main objective was to pass Trend Micro’s certifications (OSCE, TP, DD, and DS). Luckily, everyone was able to pass the required exams, with a few retakes. The other certs were up to us to get at their expense, of course. Currently, I am working on the VMware vSphere Foundations exam, so I can take the VMware Certified Professional – Data Center Virtualization exam. Who knew there was a pre-exam to the real exam. Sounds like the CCENT to me. Anyhow, this month is dedicated to becoming a VMware professional. I will put the CCNA on hold, for now, but I do want to pick that back up once I get VCP-DCV and AWS Solutions Architect Associate certified. As you can see I will be busy studying my ass off these couple of weeks because I want to start AWS next month.

As for the first week of rotations, the team started as Customer Support Engineers or CSEs. This meant dealing with customers’ cases and troubleshooting any issues that would arise in the wild wild corporate world. I am not too fond of this position, although I do like learning how to troubleshoot problems, so I will take this as a way to see how businesses use Trend Micro products to secure their network infrastructure. The team was split between User Protection and Hybrid Cloud solutions. Since I was last in choosing, I got stuck with User Protection, but I didn’t mind. Trend Micro’s OfficeScan product is easier to understand than Deep Security. Overall, the week was dedicated to shadowing a member of the CSE – User Protection team. He has shown me the ropes, invited me to lunch, and we reminisced about the good ol’ days in California. Not a bad guy at all, but he does like artificial meat. Ew! I will give more updates as the shadowing phase commences and we move on to actually working.

Wish me luck on my journey



Cisco Catalyst 3550 series

Today, I received my first networking equipment: a Cisco L3 Switch. Here are some pictures of me unboxing.

Figure 1: Well done packaging of Network device

Figure 2: Minor wear on surface but does it work?

I bought this L3 switch through eBay for the low cost of $40. Good price in my opinion for a switch with 48 ports and can do routing protocols. Next set of photos are to show the inputs and outputs.

Figure 3: Front side

Figure 4: Back side

Now, it’s time to test it out and make sure I got my money’s worth. After powering up the device, I was startled with the sound of a roaring fan. You’d expect these things to be a bit quieter. In my opinion, the device passed the Power-on-Test. Check out the picture below to verify my belief.

Figure 5: Systems are a go!

Next, I will be trying to get into the command line interface of this machine. The method I chose for getting into the CLI is telnet. I had to reset the switch because it already had some configuration rules. With the switch cleared of outdated configurations, I was able to use Express mode to configure the basic requirements to telnet. Here are the commands I used:

Switch# show running-config (To check the IP address)

Switch# config t

Switch(config)# line vty 0 4

Switch(config-line)# transport input telnet

Switch(config-line)# password $&@!

Switch(config-line)# login

Switch(config-line)# exit

Figure 6: Finally received telnet access

This was just one step toward my journey. I have my other routers, switch, and ASA firewall ready to put on the network.

Phishing Attacks: Too Many Phishers for ISPs to Catch

Privacy for all People

Information security has recently become a thriving and fast-moving discipline, driven by failures of security systems caused by technical factors. The purpose of having secure information is to preserve confidentiality, integrity, and availability of information. Confidentiality means that only the right people will have permission to access the information; integrity means that the information system and data are accurate; and availability means that the information system operates reliably. These three key ideas will shape the way organizations create policy.

Phishing attacks have been making their appearance locally and internationally in a big way. The United Kingdom trade association asserted a 726% increase in phishing attacks between 2005 and 2006. This drastic increase in attacks shows that people need to pay close attention to what information they provide to others. Also, organizations need to update and enforce policies that involve privacy of personal data. IBM states that phishing is one of the more prominent attack vectors used to compromise information and communications technology networks. With the growing number of attacks, we must develop better ways to implement information security.

Internet service providers (ISPs) play an important role when it comes to crime committed in the cyber domain. All traffic that goes to the world wide web flows from the source host to provider to target host. This shows that providers are the ones responsible for allowing malicious payloads through their network to reach the victim. Information security is compromised every time the ISP is negligent in securing their massive network. ISPs are at fault and should play a larger role in protecting people from attacks that can cripple their internet wellbeing.

Phishing attacks are pervasive and can happen at any moment. There are various types of phishing attacks such as smishing and vishing. These types are not as common as email phishing, but still raise a real concern for citizens’ privacy. For example, privacy is compromised when people use their mobile devices for actions that require collecting sensitive and personal information. Mobile device users are three times more vulnerable to phishing attacks than desktop users. Since consumers are constantly using their mobile devices, they need to be cautious about the information they input, because there is a distinct possibility phishers are maliciously stealing their information.

Technical Perspective of Phishing Attacks

Typically, a phisher (person committing the phishing attack) starts by running a web server and building a spoofed website of a well-known company such as Facebook or Amazon. The spoofed website will have malicious code to capture the user’s personal information like their credentials or credit card number. Once the website is created and has access to the internet, the phisher will send the spoofed link to a victim, with the intention of tricking them into giving up their personal data. The malicious code goes through the phisher’s internet service provider, then on to the victim. After receiving the link, the victim may open it and input his or her personal information without knowing it is a spoofed website. The malicious code is executed, storing the information in a database for the phisher to use at his or her own discretion. One way the phisher can use the information is by inputting it into the real website to steal more information about the victim. This simple, typical and low-cost phishing scenario is outlined in figure 1.

Figure 1: Simple Phishing Scenario

Other phishing attacks have most of the same steps as depicted in figure 1. The main differences are the medium to send the spoofed link and the malicious code. Most commonly the medium is email, but recently mobile devices are becoming more vulnerable to phishing attacks. Since the web server hosting the fake site is accessible through the internet, phishers will be able to send text messages to victims’ mailboxes. The most common phishing tactics are spoofing websites, text messages and images; weblink manipulation; malicious scripting languages; JavaScript popups and fake address bars; and utilizing browser vulnerabilities. Figure 2 gives a graphical representation of the most common tactics used to compromise people’s privacy. Thus, the methods that hackers carry out to exploit their victims are endless.

Figure 2: Most common phishing tactics

Spoofing websites, text, and images involve the perpetrator crafting files that are similar to something that the victim is accustomed to seeing. In other words, these files are not real and will mislead you into thinking that you are on the real site. Web link manipulation attacks occur when the user cannot see the link explicitly. The user is unaware that if the link is clicked he or she will be brought to a website that will trick them into giving up their credentials. Malicious use of scripting languages has a similar behavior to the spoofed website but is hidden from the victim. On the other hand, there are attacks that will steal information when there is a JavaScript popup or when someone installs a plugin that actually is a malicious address bar. The last phishing attack is knowing the vulnerability of web applications and exploiting them to get sensitive data. Thus, there are many ways to implement a phishing attack and cyber professionals need to be confident that their systems are secure against any attack.

There are many industries that are susceptible to these types of phishing attacks. Some will need a stronger cybersecurity infrastructure than others. Two examples of phishing attack in different industries and countries are given below to show how widespread the phishing problem is. Above all, industries that collect and store private information need to be cautious at all times of the risks that will arise when conducting operations via the internet.

Foreign Bank Meltdown

TSB, a bank that is located in the UK, was in a merger with Lloyds Banking Group until September 2013 when the two companies split. Once TSB left, it became an orphaned bank forcing a portion of the customer base to go along with it. The orphaned bank was on its own to protect the information of roughly five million customers. For example, one customer banked with Lloyds Banking before TSB was part of the merger, but had to switch due to TSB being the customer’s local branch.

A project was underway to migrate TSB customers’ data from Lloyds Banking Group systems to their own proprietary systems. Proteo4UK was the migration tool that the banking institution chose to help with moving the data securely and efficiently. The project finished with a press release from TSB stating the migration was complete, but the migration did not move the data as expected. When the bank reopened for the public to access their accounts after the system downtime, people began to notice other accountholders’ transactions and that their accounts simply didn’t add up. A writer from Wired UK states that “Banking systems are almost as low-tech as they are complex.” A technical failure that resulted in bank tellers not being able to access the system occurred at the completion of the data migration. TSB customers struggled to make payments, pay off bills or simply access their account without being confronted with someone else’s transactions. It seems that banking institutions such as TSB use software that compromises the confidentiality, integrity, and availability of their customers’ private information.

As a result of the data migration failure, phishing emails and text messages were sent to TSB customers attempting to steal their banking details. Not only were TSB customers the target, but also other customers at local banks such as Barclays and NatWest. Phishers and scammers become aware of companies with internal scandals because of angry customers’ social media posts. Customers were exploited by being encouraged to click a link and input their username and password to process their complaint against TSB. These customers lost control of their bank accounts. There have been ten complaints per day from frustrated customers since April 30th. The frustrated customers were exploited during the technical failure when they did not have access to see their accounts. One customer stated that “it was a vulnerable time, and clearly security behind-the-scenes was not up to scratch.”

When private information is at stake, the correct security measures need to be taken in order to establish confidentiality, integrity, and availability. TSB is at fault for not testing the migration beforehand to know that everything would be error free. Furthermore, there needs to be policy at TSB to ensure that this event never happens again. After creation of such policy, other banks in the area need to adopt similar cyber policy positions. With the spread of policymaking, people will become more aware of cyber attacks and have a way to defend against them.

Education System Attack

Around the same time as the TSB meltdown, there was a phishing attack on teachers at Ygnacio Valley High School, a high school in California. This attack was similar in nature but was not as serious as the attack in the UK. Schools do not collect financial information such as credit card and savings account numbers, but they do collect grades and other sensitive information like social security numbers. The main differences between what happened in the UK and California are the number of people who were affected and the culprit’s age.

At the beginning of May, the police department in Concord, California put a teen in handcuffs for sending phishing emails to his teachers. The email contained a link that took victims to a spoofed grading system login page. After a victim entered his or her information, the teenage phisher was able to log on to the grading system with real credentials. Having gained access to the confidential, password-protected system, the phisher was able to change grades for some students, excluding his own.

The student wanted to teach his school how easy it was to trick people into giving him what he wanted. Since a teenager committed this act instead of an adult, the police department had to deal with a minor committing a serious crime. Apparently, the teen phisher spent only five minutes creating the email. Even more surprisingly, a member of the information technology staff found the message two weeks later in the spam folder. The high schooler playfully remarked that “it was like stealing candy from a baby.” If anything was learned, it is that the administrators now know that they have threats coming from their students.

It is important to note that the number of people affected by this phishing attack was relatively small. The people affected included a couple of teachers who received the email and the students whose grades were changed. Even though the number is not close to five million like the TSB crisis, the attack still had a great impact on the high school’s community and its reputation. Now that students see how easy it is to trick teachers into giving up their credentials, the number of phishing attacks will most likely rise. Thus, the community will have to deal with malicious attacks not only from outside but also from within.

Teachers in school systems and universities around the globe are susceptible to malicious phishing attacks. Some students will commit similar acts to change their grades if they feel they will not get caught. In this case, the student did not care about his grade; he wanted to show that social engineering is an easy and effective technique. Just imagine: if he had done a better job covering his tracks, what would the school do? In response, the school district needs to make changes to its cyber operations and policy to ensure that this will not happen again. Hopefully, these changes in policy will spark a conversation with other school districts around the nation, so they can adopt similar upgrades.

The role of ISPs

Since TSB is not a well-known bank to United States citizens, they will undoubtedly not care about the outcome because it did not affect their financial situation. However, citizens need to care so that industries and companies holding their data in the United States understand the risks at hand. The executives in these industries are constantly battling phishers, internally and externally. Phishers are the present-day cyber criminals, and they will not cease to exist, only increase in number. In the financial world, these criminals are similar to a present-day bank robber. Banks will never stop getting harassed; all the money is located there. In the educational world, phishing is not a problem until it becomes one. So in order to deter phishing, public and private sector industries and educational institutions need to practice safe browsing and keep their software and hardware updated.

Phishing is everywhere. Also, phishing is only one of the techniques that cybercriminals can use against public and private sector industries. The examples mentioned are meant to show that this is a current and prevalent problem that many countries are facing. This problem needs to be resolved collectively by working together to stop cybercriminals. Internet service providers such as AT&T and Comcast need to step their game up when it comes to securing their networks. As we speak, malicious traffic is going unnoticed. There could be a phishing attack on you and the ISP would not know until after the target is exploited. Internet service providers are usually well placed to detect infection because evidence of a user’s infection flows over an ISP’s network. Hosting providers that have control of the malicious hosting can take the phishing pages down. Anderson et al. propose fixed statutory damages against an ISP that does not act within a fixed time period after being notified of an infected computer on its network. This proposal was for the European Union, but something similar should be proposed to the United States government. If ISPs are unable to detect infected hosts that are connected to their networks, then shame on them. They need to understand that they are the middleman in every cyber attack.

When an ISP notices that a host is sending spoofed links, it should immediately take that host offline. A way to distinguish between infected hosts and uninfected hosts is something that service providers need to implement, if they have not already. This algorithm or firewall of some kind will have the potential to protect people’s privacy around the globe. As a result, there needs to be pressure on small ISPs and large ISPs, so that they can share knowledge about phishing hosts. When there is such teamwork among ISPs, there will be better communication, which should lead to fewer attacks. In all, it is imperative that ISPs play a vital role in securing the World Wide Web from attackers.


The internet is vast and is home to phishers that will steal information right from under your fingertips. In order to mitigate phishing attacks, there needs to be a collaborative effort among governments, private and public sector industries, and internet service providers. These are the main actors when it comes to implementing a policy that will safeguard the confidentiality, integrity, and availability of a citizen’s information. The two recent attacks show that this technique is inevitable and easy to accomplish. So why can’t ISPs detect malicious web traffic before it reaches the victim? The traffic could simply be dropped or filtered, but knowing which packets to filter is the issue. This is clearly an issue that ISPs need to resolve in order to make the World Wide Web safe.

Research Log

Aaron, G. (2010). The state of phishing.

Anderson, R. (2001). “Why Information Security is Hard – an Economic Perspective.” Web.

Anderson, R., Böhme, R., Clayton, R., & Moore, T. (2008). Security economics and the internal market. United Kingdom: European Union Agency for Network and Information Security.

Anti-corruption Digest. (2018, May 23). TSB phishing scams are surging in the wake of its online banking crisis.

Farivar, C. (2018, May 14). ‘Like stealing candy from a baby,’ arrested teen says of his phishing efforts. Ars Technica.

Gaurav, Varshney, Misra Manoj, and Pradeep K. Atrey. (2016). “A Survey and Classification of Web Phishing Detection Schemes.” Security and Communication Networks 9.18: 6266-84. Web.

Gramma, Joanna. (2015). Legal Issues in Information Security. 2nd ed. Massachusetts: Jones & Bartlett Learning. Print.

IBM. (2018). IBM X-Force Threat Intelligence Index 2018. Armonk, New York: IBM Security. Print.

Jones, R. (2018, June 6). TSB admits 1,300 customers lost money from accounts.

Kollewe, J. (2018, April 30). TSB online banking meltdown drags into second week.

Megaw, N. (2018, June 5). FCA to launch formal investigation into TSB’s IT failure. Financial Times.

Moore, Tyler, Richard Clayton, and Ross Anderson. (2009). “The Economics of Online Crime.” Journal of Economic Perspectives 23.3: 3-20. Web.

Shahriar, Hossain, Tulin Klintic, and Victor Clincy. (2015). “Mobile Phishing Attacks and Mitigation Techniques.” Journal of Information Security 6.03: 206. Web.

Stokel-Walker, C. (2018, May 1). ‘We’re on our knees’: Inside the totally avoidable TSB crisis. Wired UK.

CCENT Certification (100-105)

I passed my Cisco Certified Entry Networking Technician exam!

This has been a two-month struggle studying for this exam. Fortunately, I gained prior experience configuring and verifying commands on routers and switches through my courses in college. Most of the material on the exam was review, but I did learn more in detail about routing and switching protocols. In order to fully understand the exam topics, one must mess around on routers and switches to get a feel for what one will be configuring and verifying.

My study materials consisted of the ICND1 book from Cisco Press and a YouTube video series created by Ryan Beney. It is important to use multiple study aids–do not use only video tutorials or only books to study. The video series I used is very comprehensive and helpful for beginners. Here is the first episode of the video series:

As for my reaction when completing the exam, I was freaking out because I did not want to fail and have to study and take the test all over again. The score to pass was 832 and I got an 846! 14 points or about two questions away from failing. There were 54 questions in total with 90 minutes to complete them. Thank God for helping me through this stressful time because it was well worth the struggle.

My next step in my journey to become a Network Security engineer is to obtain my CCNA Security certification. So I will be studying for the IINS 210-260 (Implementing Cisco Network Security). With that certification, I will be able to continue on to the CCNP Security cert which will show off my skills in securing network infrastructures.

5nm Chip

Preparing test wafers with 5nm silicon nanosheet transistors

A group of researchers from IBM, GlobalFoundries and Samsung created a new transistor design based on an inventive new process that will lead to more speed and power efficiency at a lower cost. The reason for the smaller size is to power self-driving cars, on-board AI and 5G sensors. Also, the pressure to keep up with Moore’s Law of 1965 required a move to a new structure that allows for more transistors on one chip. During the fabrication process, these chips are constructed with a horizontal, FinFET-structured layer of silicon nanosheets to create a fourth gate. Sadly, these chips will not reach the market until after their predecessors, the 7nm process chips, do in 2018.

Silicon nanosheet transistors at 5nm

“As we make progress toward commercializing 7nm in 2018 at our Fab 8 manufacturing facility, we are actively pursuing next-generation technologies at 5nm and beyond to maintain technology leadership and enable our customers to produce a smaller, faster, and more cost efficient generation of semiconductors.” – Gary Patton, CTO and Head of Worldwide R&D at GlobalFoundries


The last major breakthrough came in 2009 with the creation of FinFET. The first manufacturing of FinFET was in 2012 with the 22nm process (now 7-10nm process).

First use of the 3D structure to control electric current, rather than the 2D ‘planar’ system of years past.

Maximizes the amount of current flow in the on state and minimizes the amount of leakage in the off state, which makes it more efficient.

“Fundamentally, FinFET structure is a single rectangle, with the three sides of a structure covered in gates” – Mukesh Khare, VP of Semiconductor Research for IBM

Wafer of chips with 5nm silicon nanosheet transistors

Images courtesy of IBM