
Aaron Brock, The Sound of Success

As the nation’s largest minority — comprising almost 50 million individuals — people with disabilities contribute to workplace diversity. They help businesses address challenges through varied perspectives and enhance their competitive edge. At Nolij, we work to ensure people with different skills, abilities and communication styles are integrated into our workforce and customer base.

Aaron Brock, a senior analyst, is a leader in Nolij Consulting’s Development Test and Evaluation team and supports our IT and cybersecurity strategies. Oh yeah, he also happens to be deaf.

Were you born deaf? How did you learn to navigate school and the world without your hearing at an early age?

“I became deaf at two years old from spinal meningitis which damaged my vestibular nerves that impaired my ability to hear sound. I was blessed to learn sign language at a very young age and attended ASL-based schools. I attended the Model Secondary School for the Deaf. I received my Bachelor of Science in Computer Science from Gallaudet University, the only liberal arts institution in the world for the deaf and hard of hearing. After graduating from college, I went into Defense Health Information Management System.”

What are some of the daily challenges you encounter at work, and how do you deal with them?

“As a deaf person, I have never felt disabled. I have gained so much from my deafness, much more than I’ve ‘lost.’ We, as deaf people, call it ‘deaf gain’ or the ability to communicate without sound. Communication is always a challenge in the workplace because of meetings. In a sound-driven culture, people are often talking over each other. In many respects, deaf people are better communicators because we talk one at a time—sequentially. We can stay focused on the interaction without being disconnected. Deaf communication culture allows me to educate others on an alternate form of communication because people often forget the barrier that exists between us – my deafness or their inability to sign.”

How did you become interested in IT?

“My father influenced my interest in Information Technology. He worked as an engineer for AT&T and always brought his work home. I was around computers before it was cool. Along the way, I met a software developer who further drove my interest in computer science and software engineering. My initial work experience in IT was in Video Relay Service, which provides ASL interpreting services for the deaf. Eleven years later, Nolij has expanded my technical skills by entrusting me to lead key projects. My colleagues are very accommodating – I’m lucky to be working with such a great group of people.”

What are your interests, hobbies, aspirations?

“I enjoy cycling and playing video games. I am engaged and have two children and four cats. I volunteer at the Metro Washington Association for the DeafBlind doing some web development and IT support.”

What advice would you share with others who also have challenges that most of the population does not?

“Don’t view your disability as a challenge but something you can gain from. I am deaf, but I gained the ability to communicate without sound. You’d be surprised how accommodating people can be when you’re open about challenges you have in any aspect of your life.”

Sim Swapping: It’s Not as Fun as It Sounds

Cybersecurity continues to dominate IT news, with one of the industry’s premier cybersecurity companies, FireEye, getting breached recently by nation-state hackers from a country with “top-tier offensive capabilities.” How can organizations protect themselves from bad actors when security companies struggle to? Having implemented some of the most stringent cybersecurity protocols for the Department of Defense, our experience has proven that a wide range of authentication solutions from short message service (SMS) and two-factor authentication (2FA) to true multifactor authentication (MFA) using hardware tokens can protect your enterprise from cyber criminals. That said, it is important to understand that all authentication, using SMS or not, is ultimately “hackable.” The level of effort required to execute a successful attack, and whether a capable adversary is motivated to execute it, is what determines if your data will be safe.

Despite looking like simple fixes, 2FA and MFA have proven to be effective methods of preventing breaches while complying with industry and government standards such as CMMC and HIPAA. When choosing an MFA option, there are multiple factors to consider and, as with all cybersecurity options, decisions are based on a risk/benefit analysis. Authentication “factors” are broken down into three types of information the user provides: something they know (username and password), something they are (biometrics) or something they have (a hardware token). If two of these factor types are used (2FA), the result is a strong protocol. If all three are used (MFA), the greatest protection is achieved.

When implementing MFA, SMS-based options are very attractive because of their ease of use, simple implementation, and low cost: SMS is standardized across the telecom industry and available to anyone with a smartphone. SMS 2FA sends a one-time password (OTP) to a user’s cellphone, which serves as the “something you have.” The problem with SMS 2FA is that an adversary can easily pretend to have your cellphone using a technique called Subscriber Identity Module (SIM) swapping. In the past, SIM cards were physical hardware that served as the identity of a phone. Today, SIM cards are represented digitally and can be transferred from phone to phone with little more than a phone call to the cellular provider. Using a combination of social engineering and phishing attacks, an adversary can impersonate a target’s SIM card and authenticate using the texted OTP.

It is helpful to look at the types of attacks used to beat SMS 2FA. The most common technical attacks involve session hijacking: an adversary attempts to steal a session token by intercepting communications from the victim. This is known as a Man-in-the-Middle (MITM) attack. If an attacker already has access to an endpoint, known as Man-in-the-Endpoint (MITE), stealing session cookies is trivial because the attacker has full control to execute any attack at their disposal. Understanding that adversaries will often take the path of least resistance is critical for businesses. In this regard, phishing and social engineering are the greatest risk to SMS 2FA. Simply by learning the target’s cellphone number, email, and some other identifying information, an attacker can call the victim’s service provider and have the target’s SIM information transferred to the attacker’s device.

The key to enterprise security is working with a partner who has the experience necessary to navigate risk-based decisions such as the use of SMS for 2FA. Nolij helps organizations prevent these attacks by explaining how these tactics are used and the precautions needed to mitigate them, and by providing consistent phishing training to staff. For example, one best practice for reducing SIM swapping attacks is not to include the cellphone number used for authentication messages in your email signature block. If attackers do not know your number, they cannot impersonate you. Additionally, using an authenticator app is a good solution because it requires an attacker to have physical access to a device. In cybersecurity, the goal is not to find a perfect solution, but to make hacking a system more trouble than it is worth. If a high degree of technical knowledge is necessary to conduct an attack, it may deter bad actors from trying at all. As the saying goes, “An ounce of prevention is worth a pound of cure.”