Sprint 3 Report - FlameSpyro/Cyber-Security-Survival-Kit GitHub Wiki

Sprint 3 Report

Video Presentation

Deliverable Statement

The goal of this sprint was originally to get Security Onion up and running. However, after a meeting with my professor I decided to take a step back in the project and rework my toolkit to consist of different topics that would be friendly towards an average computer user with no idea how to defend themselves on the internet. This meeting is summarized below.

(This was taken from a comment under the project board)

Summary

I walked in with a conflict from this sprint. My Security Onion centered environment has been fully set up and is running, but what I didn't realize or did not find during my research was that the amount of space and the hardware requirements for it to function didn't work at all for my intended audience.

Furthermore, my environment was still going off of the blueprints from the early concepts of my original project meaning it was more of a simple enterprise environment rather than matching my audience of "Users who know the basic fundamentals of using a computer but have no idea how to defend themselves online". This was the main topic of my meeting.

There were two main routes that I could go with:

  1. Keep the current environment and alter the audience to be more enterprise based. This would alter the paperwork and extra material that would come with my environment.
     • Pros: I get to keep the work I started and originated the project on.
     • Cons: Would break away from my original audience and the vision I gave the "survival kit" aspect.
  2. Simplify the environment to keep the audience. Keep the original plan for material and extra pieces.
     • Pros: Keeps the original vision and all my original plans intact.
     • Cons: Taking a large step back with the limited amount of time I have left.

After breaking these down and with guidance from my professor, I decided to jump on the second option. This will set me back a bit, but now I have a much better direction for what I want. Also, he helped me break down what to start with. For the remainder of this sprint I will be looking for 3 subjects under 3 different aspects of security. These have been properly planned out and are ready to be worked on in sprint 3, which have comments like this.

Finally, my professor is going to help me stay on top of my project to ensure this gets finished and that I don't stray too far from my plans. Overall, this was a very important meeting for the project and most likely marks the last major shift in my project. I have a lot of work ahead of me, but as long as I work step by step, this project will be completed.

Objectives

  • Find 3 main topics

    • Detection: How can a user/tool sense and detect online threats the moment they appear?
    • Prevention: How can these found threats be safely dealt with?
    • Recovery: If a user has fallen victim to an attack, what could they do to prepare for the worst?

The goal is to find 3 topics in each that can be implemented on a basic Windows 10 workstation.

  • Detection Research

"Threat detection and response (TDR) is the process of identifying potential threats and reacting to them before they impact the business." The challenge is to pick topics that are simple for anyone to understand and set up. So common cyber software such as Wireshark is out and cannot be used. This is the most important step before tackling the others, as you can't defend what you can't see.

I feel antivirus should be the most common and most obvious topic to cover and install, as the function and process should be simple for any computer user. You choose to scan and the software does most of the work for you. The issue is that it can be tricky to know what you want and whether it truly works. There's nothing wrong with having one no matter what, but it may require some configuration that I can cover in the eventual guide.

  • Software found
    • AVG AntiVirus: A free, open option if you want more than just Windows Defender; it doesn't hurt to have multiple options.
    • Windows Defender: A feature that is built into the machine, yet I feel not too many people have used it before. I see it as a first step for setup as it requires no download and little work to get running. It should be set to have a scan run constantly. You never know what it could find.
    • Malwarebytes: I have mixed feelings about using this, as during a cyberattack Malwarebytes failed to see anything going on; even when looking directly at the file containing the virus, the program saw absolutely nothing wrong on my computer. I still think that for a no-budget setup it's still good to at least consider, but it may require some configuration.
    • Webroot: I do have this as a family plan. I feel it's good to look into ones that do cost money but lay out the options for a variety of situations and budgets.
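Since Windows Defender is the first step in the list above, and the note that it "should be set to have a scan run constantly" is something a user can verify rather than assume, here is a read-only baseline check. This PowerShell is an added example, not part of the original wiki; it uses the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference), while the function name Test-DefenderBaseline and the age thresholds are my own choices.

```powershell
# Added example: report whether Defender is on, updated and scheduled on a Windows 10 box.
# Read-only: it suggests the fixing cmdlet in each finding but does not change any setting.
# Run from an elevated PowerShell prompt. Function name and thresholds are constructed.
function Test-DefenderBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxQuickScanAgeDays = 1,   # flag if the last quick scan is older than this
        [int]$MaxSignatureAgeDays = 3    # flag if definitions are older than this
    )

    $status = Get-MpComputerStatus   # live engine state (ages are reported in days)
    $pref   = Get-MpPreference       # configured policy

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $status.AntivirusEnabled) {
        $findings.Add('Antivirus engine is disabled (another product may have taken over).')
    }
    if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings.Add('Real-time protection is off: files are only checked during manual scans.')
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Definitions are $($status.AntivirusSignatureAge) days old; run Update-MpSignature.")
    }
    # QuickScanAge is a very large number when no quick scan has ever completed.
    if ($status.QuickScanAge -gt $MaxQuickScanAgeDays) {
        $findings.Add("Last quick scan was $($status.QuickScanAge) days ago; run Start-MpScan -ScanType QuickScan.")
    }
    # ScanScheduleDay: 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
    if ($pref.ScanScheduleDay -eq 8) {
        $findings.Add('No scheduled scan: Set-MpPreference -ScanScheduleDay 0 -ScanScheduleQuickScanTime 12:00:00')
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        QuickScanAgeDays   = $status.QuickScanAge
        ScheduledScanDay   = $pref.ScanScheduleDay
        Findings           = $findings
    }
}

Test-DefenderBaseline | Format-List
```

An empty Findings list means the workstation matches the "always scanning" advice; each non-empty entry names the cmdlet that fixes it.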

  • Prevention Research

"Incident response (IR) is the process by which an organization/user handles a data breach or cyberattack."

So, one of my topics found something suspicious on the user VM. What now? Now we need to properly eradicate the threat from our system while ensuring there is not a trace latching onto any software or devices. These may end up being a part of the detection phase or have functions built in, so whether these are mirrored here or not, we will find out.

  • Topic 1: Safe Mode: Safe mode is a simple procedure to activate. Whenever a virus or any kind of cyberattack is on a machine, the first thing that should be done is to sever access to the internet, as pretty much all attacks require an internet connection. I feel that a complete guide as to what safe mode does and how to activate it should be important to cover.

  • Topic 2: Malware Removal: Ok, so picture this scenario. We find out a trojan is on our computer and we sever the network connection; now what? How can we safely remove the virus from our machine? If we try to delete the file, either it won't delete by moving it to the recycle bin or it could have spread to other corners of the computer. It's best to find software that does a lot of that searching for you and have it at the ready, so that if you go into safe mode, you can start by running software such as the ones below.

  • Software Options:

    • Malwarebytes
    • Norton Power Eraser
    • Spybot - Search & Destroy

  • Recovery Research

Let's say the worst has happened and a virus has completely blocked access to your machine. What measures can you take to reduce all sorts of damage to your computer? While it may be impossible to save everything depending on the variation or severity of an attack, it is better than starting from 0.

  • Topic 1: Backups!!! The worst has happened: your computer has been attacked and you either lose most access to files, performance slows to unusable levels, or worse. If only there was a way to turn back the clock to before clicking that totally legit Word document. Luckily you can create backups to roll back to on Windows, and it's simple to use! There are a lot of measures that should be taken, and in many different ways:

    • Online Clouds: Some websites such as Google Drive already allow you to save many files and media with little to no cost, and they can be accessed from any other device.
    • External media: While having a backup of your machine is excellent, it's also important to know where you want to keep this backup. Depending on the size of a backup, it may be best to keep it on some other type of storage, speaking of which:
    • Physical backup drives: From my personal experience, my family keeps a lot of important files, photos and media on an external drive that we only connect to devices when needed; otherwise it sits by itself, unable to connect to the internet at all. While not free, I feel it is a good idea, as depending on how big and how many the files you want to save are, they can't be held on a simple USB drive.
  • Topic 2: Password Management: Depending on the type of attack that is faced, chances are some important password(s) are now in jeopardy. The amount of damage can depend on the user's password management. It's common for users to have the exact same password between many different accounts, as it makes it simple to remember. But if you want to reduce damage to any online accounts, it's best to follow proper password management tips.

    • Physical > Digital: It's always best to keep your passwords written on physical paper if you find it too difficult to keep track of so many passwords. Some users might do that but instead put them in the notes app on their phone or a txt document on their desktop, making them easy pickings for an attacker.
    • Proper Passwords: It's important to get a bit complicated with your passwords. It doesn't have to be random letters and numbers to be effective; it could also be a phrase! Special characters can be an easy way to jumble passwords. (IloveGithub to 1L0v3_G1tHub243!)
    • Two-Factor Authentication: This thankfully has become pretty mainstream nowadays, but it's still important to talk about just in case. Most platforms nowadays either require or allow extra login steps to be added when signing into a service. This could be sending the user a text or email, one-time passwords, or permission from an existing login. A simple setup that can increase online security a ton!

  • Trigger a Red Flag

This is the only objective I was unable to accomplish, as I have some testing to do with PowerShell scripting before I do anything else. This has been moved over to sprint four in the board.