Full-Text Articles in Entire DC Network
Towards Assessing Cybersecurity Posture Of Manufacturing Companies: Review And Recommendations, John Del Vecchio, Yair Levy, Ling Wang, Ajoy Kumar
KSU Proceedings on Cybersecurity Education, Research and Practice
With the continued changes in the way businesses work, cyber-attack targets are in a constant state of flux between organizations, individuals, as well as various aspects of the supply chain of interconnected goods and services. As one of the 16 critical infrastructure sectors, the manufacturing sector is known for complex integrated Information Systems (ISs) that are incorporated heavily into production operations. Many of these ISs are procured and supported by third parties, also referred to as interconnected entities in the supply chain. Disruptions to manufacturing companies would not only have significant financial losses but would also have economic and safety …
RFID Key Fobs In Vehicles: Unmasking Vulnerabilities & Strengthening Security, Devon Magda, Bryson R. Payne
KSU Proceedings on Cybersecurity Education, Research and Practice
No abstract provided.
Cybercrime In The Developing World, David A. Ghelerter, John E. Wilson, Noah L. Welch, John-David Rusk
KSU Proceedings on Cybersecurity Education, Research and Practice
This paper attempts to discover the reasons behind the increase in cybercrime in developing nations over the past two decades. It discusses many examples and cases of projects to increase internet access in developing countries and how they enabled cybercrime. This paper examines how nations where many cybercrimes occurred did not have the necessary resources or neglected to react appropriately. The other primary focus is how cybercrimes are not viewed the same as other crimes in many of these countries and how this perception allows cybercriminals to do as they please with no stigma from their neighbors. It concludes that …
Microtransactions And Gambling In The Video Game Industry, Christopher L. Antepenko, Samuel R. Rickey, Angel L. Hibbets, John-David Rusk
KSU Proceedings on Cybersecurity Education, Research and Practice
The beginning of the 21st century has had a drastic effect on the video game industry. The advent of almost universal Internet access, the release of inexpensive broadband-enabled consoles, and the availability of mobile gaming have led to game developers and publishers heavily relying on premium in-game currencies, exclusive paid items, and loot boxes to subsidize or even replace profits from traditional video game business models. By 2020, in-game purchases made up a market of $92.6B worldwide and, in the US, experienced growth of over 30%.[1] In this highly lucrative market, the legal and ethical landscape is constantly bubbling with …
Using Experts For Improving Project Cybersecurity Risk Scenarios, Steven S. Presley, Jeffrey P. Landry, Jordan Shropshire, Philip Menard
KSU Proceedings on Cybersecurity Education, Research and Practice
This study implemented an expert panel to assess the content validity of hypothetical scenarios to be used in a survey of cybersecurity risk across project meta-phases. Six out of 10 experts solicited completed the expert panel exercise. Results indicate that although experts often disagreed with each other and on the expected mapping of scenario to project meta-phase, the experts generally found risk present in the scenarios and across all three project meta-phases, as hypothesized.
Towards Assessing Organizational Cybersecurity Risks Via Remote Workers’ Cyberslacking And Their Computer Security Posture, Ariel Luna, Yair Levy, Gregory Simco, Wei Li
KSU Proceedings on Cybersecurity Education, Research and Practice
Cyberslacking is conducted by employees who are using their companies’ equipment and network for personal purposes instead of performing their work duties during work hours. Cyberslacking has a significant adverse effect on overall employee productivity; however, recently, due to the COVID-19 pandemic, the move to remote working also poses a cybersecurity risk to organizations’ networks and infrastructure. In this work-in-progress research study, we are developing, validating, and will empirically test a taxonomy to assess an organization’s remote workers’ risk level of cybersecurity threats. This study includes a three-phased developmental approach in developing the Remote Worker Cyberslacking Security Risk Taxonomy. With feedback from cybersecurity …
NIDS In Airgapped LANs--Does It Matter?, Winston Messer
KSU Proceedings on Cybersecurity Education, Research and Practice
This paper presents an assessment of the methods and benefits of adding network intrusion detection systems (NIDS) to certain high-security airgapped isolated local area networks. The proposed network architecture was empirically tested via a series of simulated network attacks on a virtualized network. The results show an improvement of double the chances of an analyst receiving a specific, appropriately-severe alert when NIDS is implemented alongside host-based measures when compared to host-based measures alone. Further, the inclusion of NIDS increased the likelihood of the analyst receiving a high-severity alert in response to the simulated attack attempt by four times when compared …
Emotional Analysis Of Learning Cybersecurity With Games Using IoT, Maria Valero, Md Jobair Hossain, Shahriar Sobhan
KSU Proceedings on Cybersecurity Education, Research and Practice
The constant rise of cyber-attacks poses an increasing demand for more qualified people with cybersecurity knowledge. Games have emerged as a well-fitted technology to engage users in learning processes. In this paper, we analyze the emotional parameters of people while learning cybersecurity through computer games. The data are gathered using a non-invasive Brain-Computer Interface (BCI) to study the signals directly from the users’ brains. We analyze six performance metrics (engagement, focus, excitement, stress, relaxation, and interest) of 12 users while playing computer games to measure the effectiveness of the games to attract the attention of the participants. Results show participants …
Resilience Vs. Prevention. Which Is The Better Cybersecurity Practice?, Frank Katz
KSU Proceedings on Cybersecurity Education, Research and Practice
Students in multiple cohorts of our 3000 level Fundamentals of Information Systems Security course were given a discussion question where they had to either agree or disagree with the premise that given all the constant threats to our systems, we should dedicate more of our efforts to quickly repairing the damage of an attack rather than dedicate more of our time and energies to preventing such attacks. They were required to give their reasoning and provide sources to back up their analysis of his comment.
This paper will describe and explain the concept of cyber resiliency. It will then evaluate …
Warshipping: Hacking The Mailroom, Jackson Szwast, Bryson Payne
KSU Proceedings on Cybersecurity Education, Research and Practice
Everyone knows what package shipping is, but not everyone knows what warshipping is. Corporate mailrooms are rarely considered as part of the cybersecurity attack surface of most organizations, but they offer physical access to millions of uninspected packages daily. UPS shipped 5.5 billion items last year, with their daily average being 21.9 million items and operating through 1,800 locations in 2020. FedEx shipped 6.5 million packages daily and operates 2,150 locations. The United States Postal Service delivered 143 billion pieces of mail in 2019. Increasingly the world’s consumers are relying on e-commerce, and during the recent COVID-19 pandemic, package deliveries …
Towards Assessing Password Workarounds And Perceived Risk To Data Breaches For Organizational Cybersecurity Risk Management Taxonomy, Michael J. Rooney, Yair Levy, Wei Li, Ajoy Kumar
KSU Proceedings on Cybersecurity Education, Research and Practice
Cybersecurity involves a broad range of techniques, including cyber-physical, managerial, and technical, while authentication provides a layer of protection for Information Systems (IS) against data breaches. The recent COVID-19 pandemic brought a tsunami of data breach incidents worldwide. Authentication serves as a mechanism for IS against unauthorized access utilizing various defense techniques, with the most popular and frequently used technique being passwords. However, the dramatic increase of user accounts over the past few decades has exposed the realization that technological measures alone cannot ensure a high level of IS security; this leaves the end-users holding a critical role in protecting their …
A Taxonomy Of Cyberattacks Against Critical Infrastructure, Miloslava Plachkinova, Ace Vo
KSU Proceedings on Cybersecurity Education, Research and Practice
The current study proposes a taxonomy to organize existing knowledge on cybercrimes against critical infrastructure such as power plants, water treatment facilities, dams, and nuclear facilities. Routine Activity Theory is used to inform a three-dimensional taxonomy with the following dimensions: hacker motivation (likely offender), cyber, physical, and cyber-physical components of any cyber-physical system (suitable target), and security (capable guardian). The focus of the study is to develop and evaluate the classification tool using Design Science Research (DSR) methodology. Publicly available data was used to evaluate the utility and usability of the proposed artifact by exploring three possible scenarios – Stuxnet, …
Developing An AI-Powered Chatbot To Support The Administration Of Middle And High School Cybersecurity Camps, Jonathan He, Chunsheng Xin
KSU Proceedings on Cybersecurity Education, Research and Practice
Throughout the Internet, many chatbots have been deployed by various organizations to answer questions asked by customers. In recent years, we have been running cybersecurity summer camps for youth. Due to COVID-19, our in-person camp has been changed to virtual camps. As a result, we decided to develop a chatbot to reduce the number of emails, phone calls, as well as the human burden for answering the same or similar questions again and again based on questions we received from previous camps. This paper introduces our practical experience to implement an AI-powered chatbot for middle and high school cybersecurity camps …
A Survey Of Serious Games For Cybersecurity Education And Training, Winston Anthony Hill Jr., Mesafint Fanuel, Xiaohong Yuan, Jinghua Zhang, Sajad Sajad
KSU Proceedings on Cybersecurity Education, Research and Practice
Serious games can challenge users in competitive and entertaining ways. Educators have used serious games to increase student engagement in cybersecurity education. Serious games have been developed to teach students various cybersecurity topics such as safe online behavior, threats and attacks, malware, and more. They have been used in cybersecurity training and education at different levels. Serious games have targeted different audiences such as K-12 students, undergraduate and graduate students in academic institutions, and professionals in the cybersecurity workforce. In this paper, we provide a survey of serious games used in cybersecurity education and training. We categorize these games into …
Towards An Assessment Of Pause Periods On User Habituation In Mitigation Of Phishing Attacks, Amy Antonucci, Yair Levy, Martha Snyder, Laurie Dringus
KSU Proceedings on Cybersecurity Education, Research and Practice
Social engineering is the technique in which the attacker sends messages to build a relationship with the victim and convinces the victim to take some actions that lead to significant damages and losses. Industry and law enforcement reports indicate that social engineering incidents cost organizations billions of dollars. Phishing is the most pervasive social engineering attack. While email filtering and warning messages have been implemented for over three decades, organizations are constantly falling for phishing attacks. Prior research indicated that attackers use phishing emails to create an urgency and fear response in their victims causing them to use quick heuristics, …
Automatic Security Bug Detection With FindSecurityBugs Plugin, Hossain Shahriar, Kmarul Riad, Arabin Talukder, Hao Zhang, Zhuolin Li
KSU Proceedings on Cybersecurity Education, Research and Practice
The security threats to mobile application are growing explosively. Mobile app flaws and security defects could open doors for hackers to easily attack mobile apps. Secure software development must be addressed earlier in the development lifecycle rather than fixing the security holes after attacking. Early eliminating against possible security vulnerability will help us increase the security of software and mitigate the consequence of damages of data loss caused by potential malicious attacking. In this paper, we present a static security analysis approach with open source FindSecurityBugs plugin for Android St …
Automated Reverse Engineering Of Automotive CAN Bus Controls, Charles Barron Kirby, Bryson Payne
KSU Proceedings on Cybersecurity Education, Research and Practice
This research provides a means of automating the process to reverse engineer an automobile’s CAN Bus to quickly recover CAN IDs and message values to control the various systems in a modern automobile. This approach involved the development of a Python script that uses several open-source tools to interact with the CAN Bus, and it takes advantage of several vulnerabilities associated with the CAN protocol. These vulnerabilities allow the script to conduct replay attacks against the CAN Bus and affect various systems in an automobile without the operator’s knowledge or interaction.
These replay attacks can be accomplished by capturing recorded …
A World Of Cyber Attacks (A Survey), Mubarak Banisakher, Marwan Omar
KSU Proceedings on Cybersecurity Education, Research and Practice
The massive global network that connects billions of humans and millions of devices and allows them to communicate with each other is known as the internet. Over the last couple of decades, the internet has grown expeditiously and became easier to use and became a great educational tool. Now it can be used as a weapon that can steal someone’s identity, expose someone’s financial information, or can destroy your networking devices. Even in the last decade, there have been more cyber attacks and threats destroying major companies by breaching the databases that have millions of personal information that can be sold …
An Exploratory Analysis Of Mobile Security Tools, Hossain Shahriar, Md Arabin Talukder, Md Saiful Islam
KSU Proceedings on Cybersecurity Education, Research and Practice
The growing market of the mobile application is overtaking the web application. Mobile application development environment is open source, which attracts new inexperienced developers to gain hands on experience with application development. However, the security of data and vulnerable coding practice is an issue. Among all mobile Operating systems such as, iOS (by Apple), Android (by Google) and Blackberry (RIM), Android dominates the market. The majority of malicious mobile attacks take advantage of vulnerabilities in mobile applications, such as sensitive data leakage via the inadvertent or side channel, unsecured sensitive data storage, data transition and many others. Most of these …
IoT: Challenges In Information Security Training, Lech J. Janczewski, Gerard Ward
KSU Proceedings on Cybersecurity Education, Research and Practice
Both consumers and businesses are rapidly adopting IoT premised on convenience and control. Industry and academic literature talk about billions of embedded IoT devices being implemented with use-cases ranging from smart speakers in the home, to autonomous trucks, and trains operating in remote industrial sites. Historically information systems supporting these disparate use-cases have been categorised as Information Technology (IT) or Operational Technology (OT), but IoT represents a fusion between these traditionally distinct information security models.
This paper presents a review of IEEE and Elsevier peer reviewed papers that identifies the direction in IoT education and training around information security. It …
Proposal For A Joint Cybersecurity And Information Technology Management Program, Christopher Simpson, Debra Bowen, William Reid, James Juarez
KSU Proceedings on Cybersecurity Education, Research and Practice
Cybersecurity and Information Technology Management programs have many similarities and many similar knowledge, skills, and abilities are taught across both programs. The skill mappings for the NICE Framework and the knowledge units required to become a National Security Agency and Department of Homeland Security Center of Academic Excellence in Cyber Defense Education contain many information technology management functions. This paper explores one university’s perception on how a joint Cybersecurity and Information Technology Management program could be developed to upskill students to be work force ready.
Adversarial Thinking: Teaching Students To Think Like A Hacker, Frank Katz
KSU Proceedings on Cybersecurity Education, Research and Practice
Today’s college and university cybersecurity programs often contain multiple laboratory activities on various different hardware and software-based cybersecurity tools. These include preventive tools such as firewalls, virtual private networks, and intrusion detection systems. Some of these are tools used in attacking a network, such as packet sniffers and learning how to craft cross-site scripting attacks or man-in-the-middle attacks. All of these are important in learning cybersecurity. However, there is another important component of cybersecurity education – teaching students how to protect a system or network from attackers by learning their motivations, and how they think, developing the students’ “abilities to …
Internet Core Functions: Security Today And Future State, Jeffrey Jones
KSU Proceedings on Cybersecurity Education, Research and Practice
Never in the history of the world has so much trust been given to something that so few understand. Jeff reviews three core functions of the Internet along with recent and upcoming changes that will impact security and the world.
Mapping Knowledge Units Using A Learning Management System (LMS) Course Framework, Casey Rackley
KSU Proceedings on Cybersecurity Education, Research and Practice
The purpose of this paper is to examine the outcomes of using a Learning Management System (LMS) course as a framework for mapping the Centers of Academic Excellence in Cyber Defense (CAE-CD) 2019 Knowledge Units (KU) to college courses. The experience shared herein will be useful to faculty who are interested in performing the mapping and applying for CAE-CDE designation.
Using Project Management Knowledge And Practice To Address Digital Forensic Investigation Challenges, Steven S. Presley, Jeffrey P. Landry, Michael Black
KSU Proceedings on Cybersecurity Education, Research and Practice
The management of digital forensics investigations represents a unique challenge. The field is relatively new, and combines the technical challenges of Information Systems with the legal challenges of forensics investigations. The challenges for the Digital Forensics Investigators and the organizations they support are many. This research effort examines the characteristics and challenges of Digital Forensics Investigations and compares them with the features and knowledge areas of project management. The goal was to determine if project management knowledge, as defined in a common body of knowledge, would be helpful in addressing digital forensics investigation challenges identified in the literature. The results …
Capturing The Existential Cyber Security Threats From The Sub-Saharan Africa Zone Through Literature Database, Samuel B. Olatunbosun, Nathanial J. Edwards, Cytyra D. Martineau
KSU Proceedings on Cybersecurity Education, Research and Practice
The Internet brought about the phenomenon known as Cyber-space which is boundless in nature. It is one of the fastest-growing areas of technical infrastructure development over the past decade. Its growth has afforded everyone the opportunity to carry out one or more transactions for personal benefits. The African continent, often branded as ‘backward’ by the Western press, has been able to make substantial inroads into the works of Information and Computer Technology (ICT). This rapid transition by Africans into ICT power has thus opened up the opportunities for Cybercriminal perpetrators to seek and target victims worldwide including America …
Laboratory Exercises To Accompany Industrial Control And Embedded Systems Security Curriculum Modules, Gretchen Richards
KSU Proceedings on Cybersecurity Education, Research and Practice
The daily intrusion attempts and attacks on industrial control systems (ICS) and embedded systems (ES) underscore the criticality of the protection of our Critical Infrastructures (CIs). As recently as mid-July 2018, numerous reports on the infiltration of US utility control rooms by Russian hackers have been published. This successful infiltration and possible manipulation of the utility companies could easily translate to a devastating attack on our nation’s power grid and, consequently, our economy and well-being. Indeed, the need to secure the control and embedded systems which operate our CIs has never been so pronounced. In our attempt to address this …
Study Of Physical Layer Security And Teaching Methods In Wireless Communications, Zhijian Xie, Christopher Horne
KSU Proceedings on Cybersecurity Education, Research and Practice
In most wireless channels, the signals propagate in all directions. For the communication between Alice and Bob, an Eavesdropper can receive the signals from both Alice and Bob as far as the Eavesdropper is in the range determined by the transmitting power. Through phased array antenna with beam tracking circuits or cooperative iteration, the signals are confined near the straight line connecting the positions of Alice and Bob, so it will largely reduce the valid placement of an Eavesdropper. Sometimes, this reduction can be prohibitive for Eavesdropper to wiretap the channel since the reduced space can be readily protected. Two …
Evaluating Two Hands-On Tools For Teaching Local Area Network Vulnerabilities, Ariana Brown, Jinsheng Xu, Xiaohong Yuan
KSU Proceedings on Cybersecurity Education, Research and Practice
According to the Verizon’s Data Breach Investigations Report, Local Area Network (LAN) access is the top vector for insider threats and misuses. It is critical for students to learn these vulnerabilities, understand the mechanisms of exploits, and know the countermeasures. The department of Computer Science at North Carolina A&T State University designed two different educational tools that help students learn ARP Spoofing Attacks, which is the most popular attack on LAN. The first tool, called Hacker’s Graphical User Interface (HGUI), is a visualization tool that demonstrates ARP Spoofing Attack with real time animation. The second tool is a hands-on (HandsOn) …
Towards An Empirical Assessment Of Cybersecurity Readiness And Resilience In Small Businesses, Darrell Eilts, Yair Levy
KSU Proceedings on Cybersecurity Education, Research and Practice
Many small businesses struggle to improve their cybersecurity posture despite the risk to their business. Small businesses lacking adequate protection from cyber threats, or a business continuity strategy to recover from disruptions, have a very high risk of loss due to a cyberattack. These cyberattacks, either deliberate or unintentional, can become costly when a small business is not prepared. This developmental research is focused on the relationship between two constructs that are associated with readiness and resilience of small businesses based on their cybersecurity planning, implementation, as well as response activities. A Cybersecurity Preparedness-Risk Taxonomy (CyPRisT) is proposed using the …