crowmoor.se

I´m working a lot with security architecture and spend quite some time modelling and testing if a security architecture is safe and sound. The biggest struggle in this process is that it is way to slow for my liking. Sure I could test a security architecture in a few day and write a rather nice report but I always have the nagging feeling that there are other things I have not thought of.

This spring I came in contact with a company named Forseeit that are developing a promising application called SecuriCAD that are supposed to help me do this in a bit more automatic way. I was presented with a demo and have to say that even if it´s cumbersome for now it sure is an interesting approach. I´ll give you an update on this in a month or so.

I´m returning to Ashley Madison again. It has turned out that the information has been released and the damage for the company is massive to say the least. Not only is a truckload of customer information put into the wild with extortion, threats and news exposure flaming up everywhere but even worse (if possible) is the exposure of the business model of Ashley Madison. In a global world where your online presence is analysed in all details the way you conduct your business becomes the only way of gaining the upper hand in a fierce competition.

In the case with Ashley Madison it has turned out that their business model was a shady one with fake profiles and taking money without delivering the service they said they should do. Getting this exposed will kill the company and most possible many others that are connected to this site.

I conducted a risk analysis for a client a few years back that are in the manufacturing business and they had an incident where a business partner did a lot of documentation on the layout of the factory. A year later they broke the contract and started a manufacturing plant of their own. Again the business model turned out to be of a lot of value.

If you haven´t started before it sure is time to start taking cybersecurity serious and get help to sort out the problems. Security is hard and requires trained professionals. If you haven´t got them either hire them or buy security as a service. If you are lucky it could even be me. ?

I started out in this field many years ago, more or less 1998 give or take a few years depending on your definition of security. Each year I have found the work to be harder and harder with more and more to learn and rising complexity to manage. Quite a few friends and former colleagues have run into the wall and burned out. I have never been there myself but the stress sure is killing you sometimes. I found this article recently and it do point out quite a number of issues within the field. We need to find better solutions to minimise the workload. My take is to remove the most valuable information all together and work with tokens instead as long as possible and have the most valuable information in as few places as possible, the same thing that happened with PCI DSS.

Even if you are aware of the risk with using the same account name and password on different sites, sometimes you reuse it just because it makes your life easier. The problems arise if a site is hacked and you are unaware of it. Gladly there is a free service that monitors leaked information and looks for account names and email address. If you are interested in finding out if your account is out there register for this service.

It may come as no surprise that Ashley Madison has been hacked again. It is that type of site that some people find offending, hence becomes a target just because it exist. This hack was a lot more severe and they are threatened to close their site completely otherwise a lot of data about their users will be exposed. Quite ironically you have the possibility to pay for a service that deletes all your data but apparently that was lip service only.

It is interesting to look at the costs for Ashley Madison on a larger scale. If data is leaked then there will be a lot of costs for fines but also lost business. Ashley Madison had announced that it would try to raise $200 million in an initial public offering and this opportunity may now be lost. Who said that investing in security is only a fast way to lose money?

A few years back I did an engagement were there was a theoretical possibility that I could have stolen millions of euros. Before conducting that assignment I had to answer the simple question: What is my price? After careful consideration and a lot of calculations I concluded that during that time my price was around €30M. However, that doesn’t seem to be the case for others as this reports concludes. Around 35% are willing to sell out their working place´s information and as many as 25% for as little as €7000.

I have skipped over to London for a few days of vacation and when taking a stroll late in the evening after having a few beers I became witness to the implementation of an ATM-scam. Within 30 seconds I saw two men attach a new front over an ATM and drive away. I waited until they have turned around the corner before calling the policy and within 5 minutes they arrived and could remove the front. Gladly there was a camera that was not immediately visible that had filmed it all, including the plate so they have good hope of finding them.

The last months I have been helping a client to become PCI DSS-compliant again. I have to say that the new standard really emphasising the policy. Everything you do needs to be in a policy. I can appreciate why everything needs to be in a policy but when the QSA asks for strict wording it has gone over the top. Security is not about finding the right words but managing risks.

It has been all over the news recently: It is possible to hack a plane in-flight! I have to say that this is a bold statement in the first place but the sources site a FBI document. I´m a bit reluctant to actually believe it in the first place. Gladly the staff at Wired clarified it a lot here .

A quick answer if you don´t have time to read the article: No, and it is also illegal.

There are times when I wonder why I even started working with security. Today is such a time. I´m currently working at a proposal for Security as a service. Yes, it´s doable but it sure is a struggle to cover everything that’s needed. Gladly it´s not a fixed price offer but only a framework from where they can order services.