Posted on

Cyber Crime School

Every industry needs to train its next generation of people I guess! An interesting report by Terbium Labs (link to the report is in the article) detailing that ‘guides to cyber crime’ are starting to become a hot commodity.

The report does indicate that the efficacy of the information may be a little questionable (is there no integrity in the dark markets anymore?). But an interesting point would be how law enforcement will approach this.

While personal and financial details are clearly identified in various computer crime related laws, information on how to conduct computer crime might be a slightly grey area. Is possession of theoretical knowledge on how to conduct the crime illegal. Certainly it will put an individual on law enforcement radar, but conviction might be more difficult.

https://www.theregister.co.uk/2020/04/16/cybercrimeby_fraud_lessons/

Posted on

Cyber has all grown up!

Cyber certainly has reached a new level where it has joined the ranks of nuclear war and climate change as things that can produce doomsday.
To be precise they are specifically talking about cyber-enabled information warfare. This demonstrates the value that the information world now has on society as a whole; and one that I don’t think we necessarily have the right level of protection in place as yet.


https://www.technewsworld.com/story/86499.html

Posted on

Cyber Resilience

An interesting paper, What Good Cyber Resilience Looks Like (behind paywal).
I have heard many conversations indicating that compliance is not security. This is evidenced by the massive number of data breaches that we see commonly reported in the media today. However the second part of that conversation usually leads towards technology solutions in place of compliance. This is not the answer either.
This paper describes the basic idea behind cyber resilience and describes it as the following basic concepts:


1. Know your mission. Cyber resilience isn’t just about incident response, it is about keeping business running despite what ever cyber incident is occurring. Each business needs to describe what that looks like for them

2. Cyber is everything. Integrate cyber throughout the organisation. It isn’t just the responsibility of the security practitioners employed by the organisation but something that every business function needs to address

3. People. Invest in your people. Train them and keep them. Technology will be useless without them
All very self evident ideas, but ideas that often get lost in the conversation around cyber in general.

https://www.researchgate.net/publication/282081616_What_good_cyber_resilience_looks_like

Posted on

In 2018, you don’t listen to your phone, your phone listens to you!

This article. while probably not much of a surprise – we have seen this type of thing before, does highlight a couple of valuable points to consider.

Your phone is essentially a listening device that permits you to make phone calls. There is a denial by the agency that this took place, but given the research behind this and the fact that if you search for spying/eavesdropping apps in the Google Play store you will find a selection of spying apps that you can purchase today, I think that is reasonable to assume this is more than plausible. If you are a nation state or just needing to conduct sensitive business discussions, phones can pose a risk.

Your users are your weakest link. No matter what sophisticated countermeasures you put in place they will always be undone by a user wanting to see the animated dancing bunny or some other cool thing on the Internet. Security awareness training can help, but it is sometimes not sufficient these days. Analyzing the environment the users are in and adjusting security controls appropriately is sometimes needed.

Don’t trust the app store. Google has had major issues over the years but Apple is not immune either. Both are getting better, but so too are the attackers.

https://www.nytimes.com/2018/01/18/technology/lebanese-intelligence-spy-android-phones.html