
A report from 'Trusselsvurderingsenheden ved Center for Cybersikkerhed' in Denmark shows that the threat level against Denmark's authorities and private companies is very high. According to Thomas Lund-Sørensen, manager of Center for Cybersikkerhed, this means that hacks are occurring. This comes as no surprise to anyone working in this field, but the interesting questions are rather: Why is the threat level high? Why are hacks happening?

The answer is both simple and not. First of all, cyber security has not been seen as a real problem. Hacking has been seen as something only 15-year-old kids with pimples do for fun and to create a bit of extra work, but nothing more. The shift to organised crime and military operations has been silent, but that's where we are today. Organised cybercrime costs the world about €400 billion yearly, and still many companies and authorities don't take the threat seriously and still think that a simple firewall and antivirus are enough.

Companies that decide to take the threat seriously and take steps to prevent it find themselves bogged down with investigations, time-consuming configurations and slow processes. It's not uncommon for a patch process to be allowed to take 30 days, giving the hackers 29 days and 20 hours to try to hack you with a zero-day.

Another shift that has happened is the mobile and digital one. We now do a lot of work outside the office and are moving process after process fully online, exposing the organisation's systems for anyone to hack. The secure office network is dead; security mechanisms need to move to the device instead, and information needs to be protected wherever it resides. New systems need to be security tested as if they were exposed on the internet, because that's where they end up anyway.

It may sound like a large struggle, but in fact it's not. There are several patterns that describe how to create a secure company, but the problem is often that outdated policies are used to implement outdated technology, instead of modern policies that mandate security mechanisms which in turn are implemented with technology and processes.

It is possible to be agile in a secure way, but to do that you need to stop protecting against everything and instead be quick to manage incidents and stop the hacker dead in their tracks. Go agile securely.

I'm currently spending no money on getting Wi-Fi on board, as there apparently was a glitch of some kind. My Wi-Fi connection just started without me having to pay. Currently I'm flying over to the US and just wanted to say that a CEO is having a phone meeting en route and is discussing a hostile takeover. I will notify my colleagues in the US that a company I'm aware of is in dire need of a security training session. Have happy holidays!

What better way is there to celebrate your birthday than doing a social engineering test? Nothing puts you more on edge than the possibility of spending your birthday waiting to get released from a holding cell. Gladly that didn't become the case, but my client will get a report on the lax security they have. I was tasked with getting into a building where they have rather strict security. After poking around for some time I realised that I would not be able to enter there. So I took a walkabout, reached the loading bay and found an open door. I peeked in and saw that no one was monitoring the access. I quickly entered the small office located there, put my Wi-Fi dongle in a network jack and went out again. Now my colleagues have to do their magic. :-)

For many years I have been an advocate of never letting go of the control of your security, but during the last few years I have been forced to re-evaluate that opinion. As most of you are aware, finding the right resources to employ is hard, and paying for the right resources is even worse. A few years back I toyed around with something called Security Office, and a few months back I realised it as a security function, and I have to say that the results are way above expected (and I expect great things from myself).

In short, by employing strict deliverables and dividing them into smaller work pieces, it is possible to get cost control and still get a perfectly working security department for a fraction of the cost.

Soon I'm doing flight 200 this year; it's me and George. 😉 Still I wonder why so many fellow travellers don't protect their computer screens. Sitting in my seat 9D, I currently see one person writing a letter of resignation, one creating a proposal, one reading a report about their company being compromised in a scandal (it was on the news yesterday), and sadly I see a security consultant writing a security report for a client of mine. I need to report this to my client. And yes, I have a photo. Frighteningly enough, no one even reacted when I leaned forward and took a photo.

For the last few weeks I have been testing out SecuriCAD and trying to understand whether it provides me with some value in my line of work. It's seldom that I encounter something new under the sun, but this time I have found a very interesting product. I was asked to conduct a risk analysis recently and decided that I should model the solution first and just see what type of threats it identified. After a bit of struggling to understand how it works, I managed to model the solution, and it showed me that a simple change in the password policy would actually move the solution to a far more secure setup. It turns out that something as simple as changing the password policy to use 16 characters instead of 10, and combining this with an account lockout of 10 seconds, made a brute force attack very hard to conduct.

I would have seen this during the risk analysis of course, but it still shows that with correct modelling I would be able to use the tool as an accelerator.
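The policy change described above, as an added example (not from the post and not SecuriCAD's own model): a small Python model of how the expected duration of an online brute-force attack changes between the two policies. It assumes a 62-symbol alphabet, 5 failed attempts before the 10-second lockout, and an unthrottled login endpoint accepting 1000 guesses per second; none of these values come from the post.

```python
# Added example (not from the post or from SecuriCAD): model how the expected
# duration of an online brute-force attack changes when a login policy moves
# from 10-character passwords with no lockout to 16 characters with a 10 s
# lockout. Assumptions (not in the post): 62-symbol alphabet (a-z, A-Z, 0-9),
# 5 failed attempts trigger the lockout, endpoint accepts 1000 guesses/s.

ALPHABET_SIZE = 62          # assumption: mixed-case letters and digits
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def effective_guess_rate(raw_rate: float, lockout_seconds: float,
                         attempts_before_lockout: int) -> float:
    """Guesses per second an attacker can actually make against one account.

    Without lockout the attacker is bounded only by raw_rate. With lockout,
    each cycle is `attempts_before_lockout` guesses at raw_rate followed by
    a forced wait of `lockout_seconds`, so the rate is guesses per cycle.
    """
    if lockout_seconds <= 0:
        return raw_rate
    cycle_seconds = attempts_before_lockout / raw_rate + lockout_seconds
    return attempts_before_lockout / cycle_seconds


def expected_years(length: int, lockout_seconds: float,
                   attempts_before_lockout: int = 5,
                   raw_rate: float = 1000.0) -> float:
    """Expected time to hit one password: half the keyspace on average."""
    guesses = keyspace(length) / 2
    rate = effective_guess_rate(raw_rate, lockout_seconds, attempts_before_lockout)
    return guesses / rate / SECONDS_PER_YEAR


def policy_improvement_factor() -> float:
    """Expected attack time, 16 chars + 10 s lockout over 10 chars, no lockout."""
    return expected_years(16, lockout_seconds=10) / expected_years(10, lockout_seconds=0)


if __name__ == "__main__":
    for name, length, lock in (("10 chars, no lockout", 10, 0),
                               ("16 chars, 10 s lockout", 16, 10)):
        print(f"{name:24s} {expected_years(length, lock):.3g} years")
    print(f"improvement factor: {policy_improvement_factor():.3g}x")
```

Exhaustive search is the attacker's worst case and real guessing uses password lists, so read the output as a comparison between policies rather than a prediction; the lockout term also shows why a too-aggressive lockout is itself a risk, since it lets anyone lock legitimate users out.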

For the one who only has a hammer, all problems look like nails. I have met many skilled security experts during my years and count quite a few of them as my friends. Sadly, I have also met quite a number of so-called senior security experts who struggle to solve security problems with only a few tools that they refuse to change.

I fully appreciate the use of a firewall on the network and that it needs to be properly configured. I cannot, however, approve of implementing a firewall on the network as the solution for managing security on mobiles, that is, forcing the mobiles to only connect to the corporate network and then out into the world. It may be a way of securing the traffic, but it makes the phone impossible to work with as soon as you are on a slightly slower network.

Security is always a challenge, but the biggest challenge is not being able to secure something, anyone could do that, but providing the right level of security for what you are trying to protect.

I'm working a lot with security architecture and spend quite some time modelling and testing whether a security architecture is safe and sound. The biggest struggle in this process is that it is way too slow for my liking. Sure, I could test a security architecture in a few days and write a rather nice report, but I always have the nagging feeling that there are other things I have not thought of.

This spring I came in contact with a company named Forseeit that is developing a promising application called SecuriCAD, which is supposed to help me do this in a more automatic way. I was presented with a demo and have to say that even if it's cumbersome for now, it sure is an interesting approach. I'll give you an update on this in a month or so.

I'm returning to Ashley Madison again. It has turned out that the information has been released, and the damage to the company is massive, to say the least. Not only is a truckload of customer information out in the wild, with extortion, threats and news exposure flaming up everywhere, but even worse (if possible) is the exposure of Ashley Madison's business model. In a global world where your online presence is analysed in every detail, the way you conduct your business becomes the only way of gaining the upper hand in a fierce competition.

In the case of Ashley Madison, it has turned out that their business model was a shady one, with fake profiles and taking money without delivering the service they said they would. Getting this exposed will kill the company and most probably many others that are connected to this site.

I conducted a risk analysis a few years back for a client in the manufacturing business, and they had an incident where a business partner did a lot of documentation on the layout of the factory. A year later the partner broke the contract and started a manufacturing plant of their own. Again, the business model turned out to be of great value.

If you haven't started before, it sure is time to start taking cybersecurity seriously and get help to sort out the problems. Security is hard and requires trained professionals. If you haven't got them, either hire them or buy security as a service. If you are lucky it could even be me.

I started out in this field many years ago, more or less in 1998, give or take a few years depending on your definition of security. Each year I have found the work harder and harder, with more and more to learn and rising complexity to manage. Quite a few friends and former colleagues have run into the wall and burned out. I have never been there myself, but the stress sure is killing you sometimes. I found this article recently, and it does point out quite a number of issues within the field. We need to find better solutions to minimise the workload. My take is to remove the most valuable information altogether and work with tokens instead for as long as possible, and keep the most valuable information in as few places as possible, the same thing that happened with PCI DSS.
