Cyber Crime School

Every industry needs to train its next generation of people I guess! An interesting report by Terbium Labs (link to the report is in the article) detailing that ‘guides to cyber crime’ are starting to become a hot commodity.

The report does indicate that the efficacy of the information may be a little questionable (is there no integrity in the dark markets anymore?). But an interesting point would be how law enforcement will approach this.

While personal and financial details are clearly identified in various computer crime related laws, information on how to conduct computer crime might be a slightly grey area. Is possession of theoretical knowledge of how to conduct the crime illegal? It will certainly put an individual on law enforcement's radar, but a conviction might be more difficult.

https://www.theregister.co.uk/2020/04/16/cybercrimeby_fraud_lessons/

Cyber has all grown up!

Cyber certainly has reached a new level where it has joined the ranks of nuclear war and climate change as things that can produce doomsday.
To be precise, they are specifically talking about cyber-enabled information warfare. This demonstrates the influence that the information world now has on society as a whole, and one for which I don't think we necessarily have the right level of protection in place as yet.

https://www.technewsworld.com/story/86499.html

Secure DNS with Firefox

Kudos to Firefox for this one. While on by default in the US, it needs to be turned on manually in other jurisdictions.

The article doesn't provide any technical analysis, so, as always, the devil is in the details.

#security #infosec #privacy
https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/

Cyber Resilience

An interesting paper, What Good Cyber Resilience Looks Like (behind a paywall).
I have heard many conversations indicating that compliance is not security. This is evidenced by the massive number of data breaches that we see commonly reported in the media today. However, the second part of that conversation usually leads towards technology solutions in place of compliance. This is not the answer either.
This paper describes the basic idea behind cyber resilience in terms of the following basic concepts:

1. Know your mission. Cyber resilience isn't just about incident response; it is about keeping the business running despite whatever cyber incident is occurring. Each business needs to describe what that looks like for them.

2. Cyber is everything. Integrate cyber throughout the organisation. It isn't just the responsibility of the security practitioners employed by the organisation but something that every business function needs to address.

3. People. Invest in your people. Train them and keep them. Technology will be useless without them.

All very self-evident ideas, but ideas that often get lost in the conversation around cyber in general.

https://www.researchgate.net/publication/282081616_What_good_cyber_resilience_looks_like

Contact tracing done right?

Relevant given the recent release of the Australian app. The EU has been generally pro-privacy for some time, and the list of safeguards it mandates seems fairly reasonable, balancing protection of the individual against doing the job the app needs to do.

The problem with the conversation at present on the Australian app is that it uses a number of keywords, such as encryption and privacy impact assessment, both of which can have significantly varying degrees of efficacy and neither of which is explained in any real detail. There is also a high reliance on legislative protections. As we have seen in the recent past with metadata retention, legislative protections are not always the best solution.

https://www.theregister.co.uk/2020/04/17/european_contact_tracing_app_spec/

Code security

Interesting coverage of the state of Open Source Software and the vulnerabilities it carries. I do recall a time when the common wisdom was that open source was more secure because you have thousands of eyes looking at the code, as opposed to the closed environment of the corporate world that is focused on product releases and the bottom line only.

The irony seems to be that those two views have merged somewhat. The adoption of Open Source Software into the enterprise environment has diluted the religious zeal of the open source coder with a dash of the corporate world's bottom-line mentality.

I think that in today's world, with complex supply chains for the code and services used by software, the simple maxim that all code has vulnerabilities is the only one that rings true. Regardless of source, open or closed, you need to address your application security, coding practices and supply chain.

https://www.technewsworld.com/story/86564.html

Let's think about this a bit first...

This is something I believe we will eventually see become standard in societies across the world, in some form or other, from this point forward. In my opinion it is not necessarily a bad thing. We have a technology that can vastly assist in the timely management of otherwise disastrous conditions. This technology has the ability to save lives, which is never a bad thing.

That said, speed is the enemy of good practice when it comes to information management. A couple of things that really need to be injected into the conversation around this technology in any country looking at deploying it:

1. Has the process that will make the collected data anonymous been tested? Has the anonymisation of the data been mathematically proven?

2. Has the code used in the application been security tested? Data is the new commodity for cyber crime. Anything that produces data will become a target, particularly one that is potentially as widespread as this type of application.

3. Has the supply chain of the code been examined? Basically, do you know where the code has come from? Has all third party code used in the application been verified not to contain any malicious code or backdoors?