<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyberlink Security Blog Archives - Cyberlink Security</title>
	<atom:link href="https://cyberlinksecurity.ie/category/blog/feed/" rel="self" type="application/rss+xml" />
	<link>https://cyberlinksecurity.ie/category/blog/</link>
	<description>Professional Cybersecurity Services</description>
	<lastBuildDate>Tue, 18 May 2021 07:26:55 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://cyberlinksecurity.ie/wp-content/uploads/2019/06/cyberlink-symbol_clipped_rev_1shrter150-150x150.png</url>
	<title>Cyberlink Security Blog Archives - Cyberlink Security</title>
	<link>https://cyberlinksecurity.ie/category/blog/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Ransomware attack on Cork University Hospital computers</title>
		<link>https://cyberlinksecurity.ie/ransomware-attack-on-cork-university-hospital-data/</link>
					<comments>https://cyberlinksecurity.ie/ransomware-attack-on-cork-university-hospital-data/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 18 May 2021 07:18:04 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4627</guid>

					<description><![CDATA[<p>As you have probably read, computers from the HSE were infected with ransomware last week. The HSE was forced to shut down parts of its IT operation to contain the spread of the cyber attack. Ransomware is a very lucrative business model for cyber criminals and another recent case, the Colonial Pipeline case, shows how [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/ransomware-attack-on-cork-university-hospital-data/">Ransomware attack on Cork University Hospital computers</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As you have probably read, computers from the HSE were infected with ransomware last week. The HSE was forced to shut down parts of its IT operation to contain the spread of the cyber attack.</p>
<p>Ransomware is a very lucrative business model for cyber criminals and another recent case, the Colonial Pipeline case, shows how a wide-spread ransomware attack can have a serious social impact as well. And if you are a health care organisation, suffering from a ransomware attack during the COVID pandemic may have serious, or even fatal, consequences.</p>
<p>Although it is currently not clear how this attack on the HSE was executed, there is a suspicion that it may have involved a user clicking on a link, and thus opening the internal network to the attackers. If true, this shows you one of the main challenges of Cybersecurity.  The scales are tipped against you because anyone defending themselves needs to close ALL vulnerabilities, whereas an attacker just needs ONE vulnerability to breach the secure perimeter.</p>
<p>This also means that organisations need to defend that interest on all levels, with people being one of the most important ones. Sure, you need good technology as well to support your defences, but solely trusting technology and hoping a box with flashing lights will save your bacon is like driving a car blindfolded.</p>
<p>To be able to defend your interests, and those of your customers, you need to make sure your people are trained properly, as they can be your best first line of defence. Support them with the proper technology to defend themselves and don’t assume it will never happen to you. It is better to be prepared, and make sure you can limit the impact of a ransomware attack by segmenting your internal network.   In addition, to be able to recover quickly, make sure you have working backups, that are stored offline, just in case.</p>
<p>The best approach is to look beyond technology alone and implement your cybersecurity from a broader perspective.</p>
<p>For more information on how Cyberlink Security could help you, please contact us at info@</p>
]]></content:encoded>
					
					<wfw:commentRss>https://cyberlinksecurity.ie/ransomware-attack-on-cork-university-hospital-data/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Will quantum computers break today&#8217;s encryption?</title>
		<link>https://cyberlinksecurity.ie/will-quantum-computers-break-todays-encryption/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 15 Feb 2021 08:53:31 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4570</guid>

					<description><![CDATA[<p>Short overview between classical computing and quantum computing. Classical computers carry out logical operations using the definite position of a physical state. These are usually binary, meaning its operations are based on one of two positions. A single state &#8211; such as on or off, up or down, 1 or 0 &#8211; is called a [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<h3 id="short-overview-between-classical-computing-and-quantum-computing">Short overview between classical computing and quantum computing<a class="headerlink" href="#short-overview-between-classical-computing-and-quantum-computing" title="Permanent link">.</a></h3>
<p>Classical computers carry out logical operations using the definite position of a physical state. These are usually binary, meaning its operations are based on one of two positions. A single state &#8211; such as on or off, up or down, 1 or 0 &#8211; is called a bit.</p>
<p>Quantum computers perform calculations based on the probability of an object’s state before it is measured &#8211; instead of just 1s or 0s.</p>
<p>This means that quantum computers have the potential to process exponentially more data compared to classical computers.</p>
<p><img decoding="async" alt="bits" src="/wp-content/uploads/2021/02/bits.png"/></p>
<h2 id="quantum-computers-on-cybersecurity">Quantum computers on cybersecurity<a class="headerlink" href="#quantum-computers-on-cybersecurity" title="Permanent link">.</a></h2>
<p>In cybersecurity, quantum computers are depicted as the breakers of the encryption that currently runs our world, keeps our data private and guards it against prying eyes. Should we be afraid? The short answer is no. Although it is possible that quantum computers could break RSA 2048 (one of today’s most powerful and secure encryption forms) in as little as 8 hours, quantum computing technology would have to advance much further for that to happen.<br />
As it stands right now, our state-of-the-art quantum computers can use 70 qubits; to reach the 8-hour cracking time, researchers estimate that a 20 million-qubit quantum computer would be required.</p>
<p>NIST predicts that it will take 15 years before quantum computing can crack RSA, while some researchers predict as little as 5 years.</p>
<p>So, should we be worried about the next 5 or 15 years? Thankfully, the answer is also no. Quantum technology is not exactly new and a lot of theory is already available, so security researchers have already developed what are called post-quantum codes, which even a quantum computer would not be able to crack. It is therefore already possible to safeguard data today against future attacks by quantum computers, but these encryption methods are not yet used as standard.</p>
<p><img decoding="async" alt="hacker" src="/wp-content/uploads/2021/02/hacker.jpg"/></p>
<h3 id="what-about-data-previosly-captured-on-traffic">What about data previously captured from traffic?<a class="headerlink" href="#what-about-data-previosly-captured-on-traffic" title="Permanent link">.</a></h3>
<p>In 5 or 15 years, if and when advanced quantum technology becomes plentifully available to the public, there is a risk that data captured by a malicious actor could then be decrypted. For the average person this is not worrisome: decrypted credit card data, for example, would be worthless by then. However, for governments and entities that rely on secrecy this could become a very big issue, as disclosure of classified data, even if 5 or 15 years old, could be very impactful.</p>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">.</a></h2>
<p>Although quantum computing is still relatively far from being able to disturb our present digital ecosystem, measures and standards (post-quantum codes) should be implemented in a timely manner in order to safeguard future data.</p>
<p>By Andre Gomes</p>
</article>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>A look into GDPR and the late Easy Jet Breach</title>
		<link>https://cyberlinksecurity.ie/a-look-into-gdpr-and-the-late-easy-jet-breach/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Sat, 05 Sep 2020 09:10:34 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4559</guid>

					<description><![CDATA[<p>A brief description of GDPR &#160; The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to give [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<article class="markdown-body">
<h2 id="a-brief-description-of-gdpr">A brief description of GDPR</h2>
<p>The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to give control to individuals over their data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects’ citizenship or residence—that is processing the personal information of data subjects inside the EEA.</p>
<p>GDPR imposes several rules and restrictions. One of these is to ensure that private data is processed with integrity and confidentiality in mind; unfortunately, many companies fail to have proper security controls in place to enforce such requirements.</p>
<p>There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages.</p>
<p>GDPR was designed to unify data privacy laws across all of its member countries as well as providing greater protection and rights to individuals. GDPR was also created to alter how businesses and other organizations can handle the information of those that interact with them. Unfortunately through poor security practices many companies still fail to comply with GDPR. One example of such is Easy Jet.</p>
<p>More information on GDPR can be found <a href="https://gdpr.eu/what-is-gdpr/">here</a>.</p>
<h2 id="the-easy-jet-data-breach">The Easy Jet data breach</h2>
</article>
<p><img decoding="async" loading="lazy" class="aligncenter size-large wp-image-4563" src="https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-1024x576.jpg" alt="" width="1024" height="576" srcset="https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-1024x576.jpg 1024w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-300x169.jpg 300w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-768x432.jpg 768w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-1536x864.jpg 1536w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-1920x1080.jpg 1920w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-1228x691.jpg 1228w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-614x346.jpg 614w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-295x166.jpg 295w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1-590x332.jpg 590w, https://cyberlinksecurity.ie/wp-content/uploads/2020/09/easy-jet-1.jpg 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></p>
<article class="markdown-body">On 19th May 2020, EasyJet confirmed that it had been the target of an attack from a highly sophisticated source, with the email addresses and travel details of about 9 million customers breached. Its investigation also found that about 2,200 passengers had their credit card details stolen. The airline said it took immediate steps to respond to and manage the incident. And it claims to take issues of security extremely seriously.</p>
<p>The ICO (Information Commissioner’s Office), which is the United Kingdom equivalent to GDPR, issued, after investigation, a record £183m fine over the breach. Compensation pay-outs to customers could see that reach £3bn.</p>
<p>Under GDPR (General Data Protection Regulation), if EasyJet is found to have mishandled customer data, it could face fines of up to 4% of its annual worldwide turnover (256 million pounds).</p>
<p>Unfortunately, EasyJet is still one of the many companies affected by data breaches. <a href="https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/">Graph</a> of companies affected by the 30,000+ breach of records.</p>
<h2 id="conclusion">Conclusion</h2>
<p>As hackers become more resourceful and specialized, so must companies invest in protecting themselves and their customers. We live in a world where just enough is no longer enough, and upgrading and testing (internally and externally) a company’s current security controls should always be deemed a top priority, especially if it handles private information.</p>
<p>By Andre Gomes</p>
</article>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What am I protecting my cybers from? (part 2)</title>
		<link>https://cyberlinksecurity.ie/what-am-i-protecting-my-cybers-from-part-2/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 31 Aug 2020 09:23:57 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4553</guid>

					<description><![CDATA[<p>This is the second part of the blog post on risk management as part of your cyber security strategy. In the first part I shared my approach to risk management with you, which is primarily to identify your threats by answering the question &#8220;What can possibly go wrong?&#8221;. You have several means at your disposal to help [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">This is the second part of the blog post on risk management as part of your cyber security </span><span style="font-weight: 400;">strategy. In the first part I shared my approach to risk management with you, which is primarily </span><span style="font-weight: 400;">to identify your threats by answering the question &#8220;What can possibly go wrong?&#8221;.</span></p>
<p><span style="font-weight: 400;">You have several means at your disposal to help you identify the (real!) threats to your </span><span style="font-weight: 400;">systems. First of all, there are a lot of lists available that provide you with all kinds </span><span style="font-weight: 400;">of threats from various threat actors and environments. You &#8216;only&#8217; have to choose the </span><span style="font-weight: 400;">right ones. And in my opinion, the right ones are threats that you can handle when they </span><span style="font-weight: 400;">materialize and where your organisation has a good chance of survival. Because there are </span><span style="font-weight: 400;">obvious and less obvious threats that will have such a big impact on your organisation, or </span><span style="font-weight: 400;">society at large, that you cannot even think of implementing controls to counter them.</span></p>
<p><span style="font-weight: 400;">But please note, I am referring to threats with a huge impact here: not threats that are </span><span style="font-weight: 400;">very unlikely to occur, but those with a chance of occurring that is not 0. These so called black swans are extremely difficult to assess as they may occur once in a lifetime, but when that happens they will almost certainly have a serious impact. An example of this is a case where a </span><span style="font-weight: 400;">customer had a twin datacenter, one close to an airport and the other close to a big chemical </span><span style="font-weight: 400;">plant. What are the chances of a plane crashing and a disaster happening at the plant at </span><span style="font-weight: 400;">the same time? So proposing a third completely off-site data center was an expensive option and senior management was not keen on paying for that. But when asked to sign off on accepting the risk, they were not very keen to do that either! So in the end they agreed to have a cold standby with off-site backups as an economical and manageable solution. This may not </span><span style="font-weight: 400;">work for you, so please assess the risks properly, and maybe ask Mr. Murphy for a second </span><span style="font-weight: 400;">opinion.</span></p>
<p><span style="font-weight: 400;">But I digress. All sorts of threat lists are available on the Internet, and as part of </span><span style="font-weight: 400;">Risk Assessment Tooling like IRAM(2).</span></p>
<p><span style="font-weight: 400;">However, as you may know, I am not a fan of checklists, and urge you to use your common </span><span style="font-weight: 400;">sense as well. To assist you in identifying threats to your unique scope and situation, </span><span style="font-weight: 400;">you should at least apply the STRIDE threat model as well. I have used that on a number </span><span style="font-weight: 400;">of occasions and it turns out to be really helpful. You can find a good definition of </span><span style="font-weight: 400;">the model in Wikipedia (</span><a href="https://en.wikipedia.org/wiki/STRIDE_(security)"><span style="font-weight: 400;">https://en.wikipedia.org/wiki/STRIDE_(security)</span></a><span style="font-weight: 400;">).</span></p>
<p><span style="font-weight: 400;">The short and sweet of the STRIDE model is that it defines six threat categories, and you </span><span style="font-weight: 400;">can brainstorm to your heart&#8217;s content on threats for each category. The categories are:</span></p>
<ul>
<li><span style="font-weight: 400;"><em>Spoofing</em>: stealing a digital identity to break confidentiality and authenticity;</span></li>
<li><span style="font-weight: 400;"><em>Tampering</em>: manipulating data to break the integrity, with or without breaking confidentiality;</span></li>
<li><span style="font-weight: 400;"><em>Repudiation</em>: is plausible deniability possible or not? (BTW, this should really be </span><span style="font-weight: 400;">non-repudiation, but then the acronym would not roll off the tongue so easily, STNIDE does </span><span style="font-weight: 400;">not have the same ring to it);</span></li>
<li><span style="font-weight: 400;"><em>Information disclosure</em>: this is really any threat related to breaking confidentiality;</span></li>
<li><span style="font-weight: 400;"><em>Denial of Service</em>: these are all threats to the availability of your information and system;</span></li>
<li><em>Elevation of privileges</em>: This is related to authorization, and can have impact on all 3 basic security aspects (Confidentiality, Integrity and Availability).</li>
</ul>
<p><span style="font-weight: 400;">Using this model in one or more workshops with business owners can be a very enlightening </span><span style="font-weight: 400;">experience, as much for you as a cyber security specialist as for the business owners. Because </span><span style="font-weight: 400;">when you do a session like this, with different people, you as a cyber security specialist </span><span style="font-weight: 400;">will quickly learn what the business sees as real risk, and that can be quite different </span><span style="font-weight: 400;">from what you see often from a purely technical viewpoint. So, applying the STRIDE model not </span><span style="font-weight: 400;">only helps you identify new threats, it is also a means of establishing better </span><span style="font-weight: 400;">communications with the business (which is, in my humble opinion, the biggest problem in </span><span style="font-weight: 400;">cyber security).</span></p>
<p><span style="font-weight: 400;">This brings us to the conclusion of this second part. In the next one I will look with you </span><span style="font-weight: 400;">at how to further complete your risk management process.</span></p>
<p><span style="font-weight: 400;">Until next time, and as always, stay safe!</span></p>
<p><span style="font-weight: 400;">Arthur Donkers </span></p>
<p>PS, If you like Wikipedia, or use it on a regular basis, please consider a small donation, they do a great job and can use your financial support!</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Are the browser wars over?</title>
		<link>https://cyberlinksecurity.ie/are-the-browser-wars-over/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Thu, 27 Aug 2020 07:49:29 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4543</guid>

					<description><![CDATA[<p>Some thoughts on the situation at Mozilla and the impact on Firefox&#8230; As you may have heard, a few weeks ago Mozilla had to reduce their workforce by 250 people. This is the second time this year that they have reduced their workforce. Already some people think that this may mean the end for the [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>Some thoughts on the situation at Mozilla and the impact on Firefox&#8230;</p>
<p>As you may have heard, a few weeks ago Mozilla had to reduce their workforce by 250 people. This is the second time this year that they have reduced their workforce. Already some people think that this may mean the end for the Firefox browser, Thunderbird email client and other software that has been, and still is being, developed by the Mozilla Foundation.</p>
<p>The fear now is that Firefox will slowly die off and we will be stuck with just one browser, Chrome/Chromium from Google. From a security perspective this will mean a move towards a monoculture for browsers, and that will mean in turn that any vulnerability discovered in that browser will have far-reaching consequences. It is the same in biology: whenever you create a monoculture in your crops, you will suffer a lot of pain when your crops inevitably get infested with disease or bugs.</p>
<p>And although I completely agree with the risks associated with monoculture, and the necessity for a proper browser alternative, we may need to look a little closer at the current situation. When researching global browser market share, we see that there is already a more or less effective monoculture.</p>
<p>Current market share shows the following percentages:<img decoding="async" loading="lazy" class="aligncenter size-large wp-image-4544" src="https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007-1024x576.png" alt="" width="1024" height="576" srcset="https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007-1024x576.png 1024w, https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007-300x169.png 300w, https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007-768x432.png 768w, https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007-1228x691.png 1228w, https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007-614x346.png 614w, https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007-295x166.png 295w, https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007-590x332.png 590w, https://cyberlinksecurity.ie/wp-content/uploads/2020/08/StatCounter-browser-ww-monthly-201907-202007.png 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /><br />
Chrome: 65.89% Safari: 16.65% Firefox: 4.26% Samsung Internet: 3.43% Opera: 2.05% Edge: 1.91%<br />
(Source: <a href="https://gs.statcounter.com/browser-market-share" target="_blank" rel="noopener noreferrer">https://gs.statcounter.com/browser-market-share</a>)</p>
<p>In addition, Microsoft has recently declared the end-of-life for Internet Explorer 11, forcing everyone to use Edge, and the latest version of Edge is, as some of you may know, based on the Chromium engine.</p>
<p>So effectively, we are already in a monoculture, with all the implications for security that come with that.</p>
<p>So the question remains, can we do anything to turn this around and keep or increase the market share of Firefox to reduce the mono in the culture? Frankly, I don&#8217;t know the answer to that. A web browser is one of the most complicated packages of software, even more complicated than some operating systems. Maintenance, backwards compatibility, covering for user and web developer errors, parsing JavaScript and supporting multiple platforms do not make the job of developing a browser easy (or cheap). And personally I never quite understood the business model behind a browser. A web browser is such a ubiquitous piece of software for users, expected to come at no cost, that it is very hard to make money off the browser software itself (the core business of the Mozilla Foundation). It is not that the browser manufacturers get a percentage of the advertising that is shown through their browser, or that vendors of systems pay them for their browser software.</p>
<p>So to be quite honest, I think the situation for browser security and mono culturism is already worse than we think and, although I hope they survive, the end of Mozilla and Firefox will do little to change that situation.</p>
<p>As always, stay safe,<br />
Arthur Donkers</p>
<p>Cyberlink Security</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why so many bitcoin scams? They are cheap, easy, and efficient to execute.</title>
		<link>https://cyberlinksecurity.ie/why-so-many-bitcoin-scams-they-are-cheap-easy-and-efficient-to-execute/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Thu, 13 Aug 2020 09:57:58 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4519</guid>

					<description><![CDATA[<p>Introduction Even though it’s not an old tactic for black hat hackers, Bitcoin scams have begun to be more and more prevalent, especially after the July 2020 hack, where 130 high-profile twitter accounts got compromised by outside parties. According to Wikipedia “more than 320 transactions had already taken place on one of the wallet addresses, [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<article class="markdown-body">
<h1 id="introduction">Introduction<a class="headerlink" title="Permanent link" href="#introduction"></a></h1>
<p>Even though it’s not an old tactic for <a href="https://en.wikipedia.org/wiki/Black_hat_(computer_security)">black hat hackers</a>, Bitcoin scams have begun to be more and more prevalent, especially after the July 2020 hack, where 130 high-profile Twitter accounts got compromised by outside parties. According to Wikipedia “more than 320 transactions had already taken place on one of the wallet addresses, and bitcoin to a value of more than US$110,000 had been deposited in one account before the scam messages were removed by Twitter.”</p>
<p>With cryptocurrency, scammers can attain more sophistication and longevity with the same ‘scam routine’ at a ‘minimal cost’ (i.e. minimal hassle, expense, fears, etc.).</p>
<h2 id="the-elon-musk-impersonation-cryptocurrency-giveaway-scam">The Elon Musk (Impersonation) Cryptocurrency Giveaway Scam<a class="headerlink" title="Permanent link" href="#the-elon-musk-impersonation-cryptocurrency-giveaway-scam"></a></h2>
<p>Lately, there have been multiple instances of bitcoin scams on YouTube. This scam relies on the popularity of the famous entrepreneur Elon Musk and SpaceX; the channel normally has thousands of subscribers and a name very similar to the companies Elon owns or NASA. The scammers can create a YouTube channel and artificially raise the number of subscribers and views, probably by using <a href="https://en.wikipedia.org/wiki/Botnet">botnets</a>. By having a few thousand subscribers and a decent number of viewers, the scammers manage to trick the YouTube algorithm and, consequently, the stream pops up in the recommended list. The stream combines the following kinds of bitcoin scam:</p>
<h3 id="impersonation">Impersonation<a class="headerlink" title="Permanent link" href="#impersonation"></a></h3>
<p>Nowadays it is quite easy to create social media accounts on Facebook, YouTube, etc. Scammers use this to, for example, lie in wait until the person they are trying to impersonate publishes content. The impersonator then replies to it with a follow-up message &#8211; for example, a free giveaway. Impersonators can also message a potential victim directly. When you receive an odd request or offer, it is best practice to always double-check the person and confirm authenticity via multiple mediums of communication.</p>
<h3 id="free-giveaways">Free Giveaways<a class="headerlink" title="Permanent link" href="#free-giveaways"></a></h3>
<p>Scammers seek to take advantage of people by offering free giveaways of bitcoin in exchange for sending a small amount to register, or by providing some personal information (which can be turned into profit later on by the perpetrators).</p>
<p>Here are a few of these scams:</p>
<p><img decoding="async" src="/wp-content/uploads/2020/08/views.png" alt="something" /></p>
<p><img decoding="async" src="/wp-content/uploads/2020/08/site.png" alt="something" /></p>
<p><img decoding="async" src="/wp-content/uploads/2020/08/little.png" alt="something" /></p>
<p>Notice that the number of subscribers and viewers is very much unrealistic for a newly created stream and channel, clear evidence of the use of <a href="https://en.wikipedia.org/wiki/Botnet">botnets</a>.</p>
<p>Normally, these scams have a landing page where more information can be found:</p>
<p><img src = "/wp-content/uploads/2020/08/Elon-musk-bur-code.png" alt="bitcoin scam" /></p>
<p>It is also very common to have a live feed of the transactions that have been occurring on the <a href="https://en.wikipedia.org/wiki/Cryptocurrency_wallet">wallet</a>, of course, all of them fake:<br />
<img decoding="async" src="/wp-content/uploads/2020/08/transaction.png" alt="somrhing" /></p>
<p>Digging a little deeper, after performing a DNS query on the website URL of one of the streams, we find that the server of one of the landing pages is located in Russia:</p>
<p><img decoding="async" src="/wp-content/uploads/2020/08/russia.png" alt="something" /></p>
<p>Since one of the functionalities of digital currency is to have a <a href="https://en.wikipedia.org/wiki/Bitcoin#:~:text=The%20bitcoin%20blockchain%20is%20a,bitcoin%20software%20maintains%20the%20blockchain.">bitcoin ledger</a>, which keeps a list of all the transactions done by all the users, we can see that during the 20 min period in which the scam was active, the scammers managed to profit 1.55807986 bitcoin, which translates to $18136.05:</p>
<p><img decoding="async" loading="lazy" class="size-full wp-image-4524 alignnone" src="https://cyberlinksecurity.ie/wp-content/uploads/2020/08/scam.jpg" alt="" width="698" height="249" srcset="https://cyberlinksecurity.ie/wp-content/uploads/2020/08/scam.jpg 698w, https://cyberlinksecurity.ie/wp-content/uploads/2020/08/scam-300x107.jpg 300w" sizes="(max-width: 698px) 100vw, 698px" /></p>
</article>
<p>Note that no bitcoin was sent from this bitcoin wallet.</p>
<h2 id="conclusion">Conclusion<a class="headerlink" title="Permanent link" href="#conclusion"></a></h2>
<p>These types of scams are incredibly popular because they are so cheap, easy, and efficient to execute, partly because unfortunately there are a lot of people that are still not informed well enough of this type of <a href="https://en.wikipedia.org/wiki/Social_engineering_(security)">social engineering</a> strategy. When stumbling into these kinds of scenarios it is best to keep the adage in mind: “If something seems too good to be true, it probably is.”</p>
<p>By Andre Gomes</p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/why-so-many-bitcoin-scams-they-are-cheap-easy-and-efficient-to-execute/">Why so many bitcoin scams? They are cheap, easy, and efficient to execute.</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What does it take to build good pentest boxes to test cyber security skills?</title>
		<link>https://cyberlinksecurity.ie/what-does-it-take-to-build-good-pentest-boxes-to-test-cyber-security-skills/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 10 Aug 2020 12:19:14 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4509</guid>

					<description><![CDATA[<p>Or ‘why we love building boxes’.  If you are a pen tester (penetration tester), hacker or otherwise involved in the technical security of computers, chances are you have played one or more Capture the Flag competitions. Most conferences nowadays offer teams the opportunity to participate in a CTF, and sites like Vulnhub (http://vulnhub.com), TryHackme (http://tryhackme.com) [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/what-does-it-take-to-build-good-pentest-boxes-to-test-cyber-security-skills/">What does it take to build good pentest boxes to test cyber security skills?</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">Or ‘why we love building boxes’. </span></p>
<p><span style="font-weight: 400;">If you are a pen tester (penetration tester), hacker or otherwise involved in the technical security of computers, chances are you have played one or more Capture the Flag competitions. Most conferences nowadays offer teams the opportunity to participate in a CTF, and sites like Vulnhub (</span><span style="font-weight: 400;">http://vulnhub.com</span><span style="font-weight: 400;">), TryHackme (</span><span style="font-weight: 400;">http://tryhackme.com</span><span style="font-weight: 400;">) or Hack the Box (</span><span style="font-weight: 400;">http://hackthebox.eu</span><span style="font-weight: 400;">) offer players ample opportunity to play these challenges at their own pace. </span></p>
<p><span style="font-weight: 400;">Playing CTFs challenges your creative thinking and forces you to think outside the box. Most of the machines focus on one specific technology or vulnerability and so offer you the opportunity to learn them hands-on. My friend Andreas and I have played a lot of these CTFs, and learned a lot from them. </span></p>
<p><span style="font-weight: 400;">However, after a while, playing these CTFs becomes less challenging. In most cases, getting a foothold (your initial shell access on the system) is still interesting, but the escalation to a high privileged account becomes something that you have seen and done before. And you will also start to notice that most CTF boxes are not modelled on real-life systems (there is no real need for that, but don&#8217;t think that a &#8216;real&#8217; pen test is anything like a CTF). </span></p>
<p><span style="font-weight: 400;">Andreas was already involved in building the Tempus Fugit boxes for Vulnhub, and I offered my help to build the next one in that series (if I recall correctly, TF3). Now the tables were turned and we (I) was working on the other side, trying to come up with (not so) clever ways to gain access to the box we were building and how to escalate the privileges. </span></p>
<p><span style="font-weight: 400;">We decided to make our boxes as life-like as possible, based on my experience as a pen tester and new vulnerabilities published on Exploit DB (</span><span style="font-weight: 400;">http://www.exploit-db.com/</span><span style="font-weight: 400;">). </span></p>
<p><span style="font-weight: 400;">It turned out to be a great learning experience, and building boxes based on real life examples and new vulnerabilities is a great way to acquire new skills that you can use, either for your pen testing jobs or your sysadmin jobs. We have since built boxes for Vulnhub and TryHackme and had some great feedback from people who have played them. </span></p>
<p><span style="font-weight: 400;">If you&#8217;re interested in trying it yourself, here are the steps we followed when building a new box. </span></p>
<p><span style="font-weight: 400;">Firstly, we had to come up with a scenario and background story. This helps in building a box that is as close to a real life situation as possible. It helps enormously to have a solid background story, especially if you are building a series of boxes. Our current series on TryHackme is based on a story about the Windcorp corporation which keeps getting hacked, fixes the previous vulnerabilities but then makes (real life) mistakes in building a new system. </span></p>
<p><span style="font-weight: 400;">The second step is to select a platform for the CTF machine. In most cases this is Linux, because it is free, but luckily we can also use Windows if we are building systems for TryHackme. To enhance our own learning experience, the THM Windcorp series is based on the Windows platform. </span></p>
<p><span style="font-weight: 400;">The third, and often hardest part, is finding a vulnerability that leads to the initial foothold (access) on the system. We consult ExploitDB for new vulnerabilities, or use things I have seen during a pen test, or use software we find interesting. For one of our boxes, we found a 0-day in an interesting piece of software that we had used to create an initial foothold on the system. </span></p>
<p><span style="font-weight: 400;">Once a player has an initial foothold, you need to think of a way to escalate the privileges. This can be by using another, vulnerable, software package. For Windows we sometimes make deliberate configuration errors that regular sysadmins make, as well as opening the system to SYSTEM access. </span></p>
<p><span style="font-weight: 400;">So far we have learned a lot when building each of these boxes and will continue to do so. </span></p>
<p><span style="font-weight: 400;">If you are interested in playing a CTF, please visit one of the sites we mentioned. If you&#8217;re interested in building a box yourself, don&#8217;t hesitate to give it a try. You will definitely learn a lot and other people will certainly enjoy hacking your CTF box. </span></p>
<p><span style="font-weight: 400;">Stay safe! </span></p>
<p><span style="font-weight: 400;">Arthur Donkers Andreas Finstad </span></p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/what-does-it-take-to-build-good-pentest-boxes-to-test-cyber-security-skills/">What does it take to build good pentest boxes to test cyber security skills?</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What am I protecting my cybers from? (part 1)</title>
		<link>https://cyberlinksecurity.ie/what-am-i-protecting-my-cybers-from-part-1/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 10 Aug 2020 12:15:59 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4505</guid>

					<description><![CDATA[<p>This blog post is, at least in my opinion, part of the most important piece of your cyber security strategy puzzle; your risk management. If you look at information security in general, and ISO27001 in particular, you always need to find that sweet spot that gives you the most protection for your money. Blindly following [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/what-am-i-protecting-my-cybers-from-part-1/">What am I protecting my cybers from? (part 1)</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">This blog post is, at least in my opinion, part of the most important piece of your cyber security strategy puzzle; your risk management. If you look at information security in general, and ISO27001 in particular, you always need to find that sweet spot that gives you the most protection for your money. Blindly following checklists that have been handed down for generations will help you in some way, but it will certainly not provide you with the best solution (protection and moneywise). </span></p>
<p><span style="font-weight: 400;">So how do you find that sweet spot? By carefully planning and executing your risk management on a regular basis. Your risk management will provide you with the actual threats, vulnerabilities, impacts and mitigations that suit your situation and context. Executing your risk management will enable you to focus on actual security issues and risks that need to be addressed, instead of using fear mongering to try to do it all. </span></p>
<p><span style="font-weight: 400;">Oh, and why do I say &#8220;your&#8221; risk management? Because each organisation is unique, and therefore needs to find and adapt their own methodology, criteria and mitigations. This is where ISO27001 really helps you &#8211; it requires you to have a risk management process in place and active, but it does not force you to perform it in a predefined way. Just make sure you apply it consistently throughout your organisation and make sure you document the process and the results. </span></p>
<p><span style="font-weight: 400;">To make sure we&#8217;re all on the same page, I would like to share with you the definitions I use for threat, impact, vulnerability and risk. There is some confusion about these terms, and threats and risks in particular are (wrongly) used interchangeably. I stick to the definitions PECB uses in its training material. </span></p>
<p><span style="font-weight: 400;">And bear in mind that you can use the same process to identify opportunities as well. These are just &#8216;risks&#8217; with a positive outcome and connotation. </span></p>
<p><span style="font-weight: 400;">So here it goes&#8230; </span></p>
<p><i><span style="font-weight: 400;">Threat</span></i><span style="font-weight: 400;">: an event that can happen and has an impact on your business goals and drivers. In cyber security a threat almost always has a negative impact, e.g. a threat damages your reputation, or encrypts your data, etc. Examples of threats are data theft, ransomware, data breaches etc. Threats will always exist, and can have an internal or external source. </span></p>
<p><span style="font-weight: 400;">The opposite of a threat would be an advantage, an event that provides a benefit to the organisation, and has a positive impact. </span></p>
<p><i><span style="font-weight: 400;">Vulnerability</span></i><span style="font-weight: 400;">: a weakness in a control, asset, process or organisation that enables a threat to actually have the impact and cause damage. Examples of vulnerabilities are lack of an up to date virus scanner, lack of awareness training for personnel, etc. And please note that increasing your tolerance to vulnerabilities may help you to seize business opportunities because it can improve your time-to-market or other driving factors. As long as you apply proper risk management, you can make a balanced decision. </span></p>
<p><i><span style="font-weight: 400;">Impact</span></i><span style="font-weight: 400;">: this is obviously the direct and indirect damage you suffer once a threat has materialized. And again, the impact may also be a positive one, let&#8217;s call that a reward. </span></p>
<p><i><span style="font-weight: 400;">Likelihood</span></i><span style="font-weight: 400;">: the chance that a threat (or benefit) will actually materialize. This is based on statistics but often also involves gut instinct. This is the hardest part of the risk equation to get right. Rare cases (i.e. the black swans), that have a very small (but not 0) chance of occurring but have a huge impact, are often the hardest. Management often don&#8217;t want to spend a lot of money on these, but on the other hand, they don&#8217;t want to sign off on them either. I might do a special post on this in the near future, we have had enough events recently (Twitter, Garmin) that warrant a new look at these black swans. </span></p>
<p><i><span style="font-weight: 400;">Risk</span></i><span style="font-weight: 400;">: in its simplest form, the risk (or opportunity) is a result of multiplying the likelihood and impact and can often be expressed as a number. This can result in a quantitative value (often money related) or a qualitative value (critical, high, medium, low). </span></p>
<p><span style="font-weight: 400;">So the next time you hear someone say that ‘the risk is theft of personal data’, what they actually mean is the ‘threat’. </span></p>
<p><span style="font-weight: 400;">And on a final note, if you use a qualitative risk model, please use a scale with an even number of steps (1, 2, 3, 4 or critical, high, medium, low). Most people like to make safe choices and if you use a scale with an uneven number, they tend to go for the middle one. Using a scale with an even number forces them to make a choice. </span></p>
<p><span style="font-weight: 400;">This brings us to the conclusion of this post. In the next one I will look with you at how to apply the risk model and look at a simple, but very effective, model for identifying threats. </span></p>
<p><span style="font-weight: 400;">Until next time, as always, stay safe! </span></p>
<p><span style="font-weight: 400;">Arthur Donkers </span></p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/what-am-i-protecting-my-cybers-from-part-1/">What am I protecting my cybers from? (part 1)</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What do I need to protect with cybersecurity?</title>
		<link>https://cyberlinksecurity.ie/what-do-i-need-to-protect-with-cybersecurity/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 17 Jul 2020 17:46:58 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4500</guid>

					<description><![CDATA[<p>In the previous posts we looked at why we need a cybersecurity strategy and what the scope of this strategy should be. Answering this question brings us automatically to the next, which is: What should we protect? This can be answered relatively easily by identifying your assets within the scope of your cybersecurity strategy. What has [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/what-do-i-need-to-protect-with-cybersecurity/">What do I need to protect with cybersecurity?</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">In the previous posts we looked at why we need a cybersecurity strategy and what the scope </span><span style="font-weight: 400;">of this strategy should be. Answering this question brings us automatically to the next, which </span><span style="font-weight: 400;">is:</span></p>
<p><span style="font-weight: 400;">What should we protect?</span></p>
<p><span style="font-weight: 400;">This can be answered relatively easily by identifying your assets within the scope of </span><span style="font-weight: 400;">your cybersecurity strategy. What has value to you, and your stakeholders, within this scope?</span></p>
<p><span style="font-weight: 400;">To identify these assets, just follow the steps laid out in most ISMS implementations &#8211; there </span><span style="font-weight: 400;">is no real difference between an ISMS or your cybersecurity strategy here. The easiest assets </span><span style="font-weight: 400;">to start with are, obviously, all your tangible assets like computer systems, network equipment, </span><span style="font-weight: 400;">licenses, credentials for accessing your cloud provider and many more.</span></p>
<p><span style="font-weight: 400;">Things get more interesting when you have to identify your intangible assets. To begin with, you should cast the net as wide as possible and then eliminate any non-essential assets from that haul. You will probably find assets like software, reputation and maybe even search engine rankings and industry scores in this list.</span></p>
<p><span style="font-weight: 400;">But look a little beyond these obvious ones. Most (smaller) companies I know that provide specialized services often have a SPOK (Single Point of Knowledge). This is the person who knows everything about the software or process that is at the core of their business. The SPOK is often one of the first people to start working for the company and as the company grows, so does their involvement and therefore their &#8216;SPOKness&#8217;. Making sure that knowledge and expertise is shared within the company is both better for the company (&#8216;what if the SPOK falls ill?&#8217;), and better for the SPOK as well (&#8216;I really could do with a holiday&#8217;).</span></p>
<p><span style="font-weight: 400;">The second area of interest comes into play when you are part of a supply or value chain. You </span><span style="font-weight: 400;">may be &#8216;just&#8217; a small step in the whole chain, but your organisation handles valuable assets </span><span style="font-weight: 400;">nonetheless. And although these assets are not technically yours, you still need to protect </span><span style="font-weight: 400;">them while you are handling them. You may need to store them, or add some value to them, </span><span style="font-weight: 400;">but in all cases you must be sure that they are properly protected and their confidentiality, </span><span style="font-weight: 400;">integrity and availability can be guaranteed.</span></p>
<p><span style="font-weight: 400;">To be able to identify how critical an asset is, you should always ask yourself the &#8216;what if&#8217; questions: &#8216;What if the asset is no longer available?&#8217;, &#8216;What if I can no longer rely on the integrity of my asset?&#8217; and &#8216;What if my asset has been disclosed without my consent?&#8217;. If your business is seriously impacted when answering one or more of these questions, you have probably found a critical asset (tangible or intangible) and you need to take measures to protect it.</span></p>
<p><span style="font-weight: 400;">This brings us to the conclusion of this post, and makes a nice bridge to the next one. In </span><span style="font-weight: 400;">the next post we will look at what we are protecting our assets from. What are threats, </span><span style="font-weight: 400;">vulnerabilities, impacts and risks?</span></p>
<p><span style="font-weight: 400;">Until next time, as always, stay safe!</span></p>
<p><span style="font-weight: 400;">Arthur Donkers </span></p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/what-do-i-need-to-protect-with-cybersecurity/">What do I need to protect with cybersecurity?</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why are we seeing such high profile failures of cybersecurity?</title>
		<link>https://cyberlinksecurity.ie/why-are-we-seeing-such-high-profile-failures-of-cybersecurity/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 17 Jul 2020 17:39:37 +0000</pubDate>
				<category><![CDATA[Cyberlink Security Blog]]></category>
		<guid isPermaLink="false">https://cyberlinksecurity.ie/?p=4496</guid>

					<description><![CDATA[<p>How safe are we when the systems designed to save us fail?  In the last few months a number of high impact vulnerabilities have been discovered in security perimeter equipment (i.e. security devices that are supposed to protect your internal network from the evils lurking on the Internet). Remember the vulnerabilities found in Citrix Netscaler, [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/why-are-we-seeing-such-high-profile-failures-of-cybersecurity/">Why are we seeing such high profile failures of cybersecurity?</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">How safe are we when the systems designed to save us fail?  In the last few months a number of high impact vulnerabilities have been discovered in security perimeter equipment (i.e. security devices that are supposed to protect your internal network from the evils lurking on the Internet). Remember the vulnerabilities found in Citrix Netscaler, and more recently in F5 and Palo Alto, to name just a few.</span></p>
<p><span style="font-weight: 400;">Who broke the cybersecurity egg-basket? These publications often had sample code that showed how easy it was to exploit their vulnerabilities and malign elements on the internet did not hesitate to weaponize them to gain access.</span></p>
<p><span style="font-weight: 400;"> A lot of technical analyses followed.   Publications, companies and individuals combined forces to find vulnerable devices on the Internet and help secure them. </span><span style="font-weight: 400;">It is of course very important to fix the immediate problem and help secure internal networks again as soon as possible. However, if we look a little beyond that first triage, we may need to start reconsidering the current security models and find a new way of managing our information security.</span></p>
<p><span style="font-weight: 400;">Most organisations still follow a security model that keeps bad actors out (i.e. external Internet based threats) and fully trusts that their internal network will be safe. But if these bad actors can cross the perimeter, there are no other real defences to stop them once inside. I have seen this model on many occasions and refer to it as the (Kinder) egg model. The goodies are inside, and if you break the outer shell, you have unrestricted access.</span></p>
<p><span style="font-weight: 400;">The egg shell for information security is built with firewalls, reverse proxies, VPN tunnels and all kinds of other solutions and products. If you can do a scan of your perimeter, you will probably see more &#8216;doors&#8217; in it than you expect, and some doors are stronger than others. And only one door needs to break for the bad actors to cross the perimeter. Not to mention all the cloud based services being used, third party networks, remote management services and of course, all the work from home solutions that have been implemented.</span></p>
<p><span style="font-weight: 400;">One can wonder if this egg model of (only) protecting your perimeter is still sufficient. It is still based on the assumption that you can prevent bad things from happening, often by deploying technical solutions.</span></p>
<p><span style="font-weight: 400;">In my opinion, this model no longer holds. We are slowly seeing a paradigm shift from prevention to &#8220;assume breach&#8221;, where we need to assume some actor has breached our perimeter and has gained access to (parts of) our internal network. If we work from this assumption, we can see that we need to protect our internal network just as much as our perimeter. Therefore, segregating your internal network into zones, to limit the impact of a breach and give each asset the protection it requires, is a necessary step. By building internal boundaries we will not prevent a breach from happening, but we can limit the impact as much as we can.</span></p>
<p><span style="font-weight: 400;">And internal segregation is just one piece of the puzzle. If we follow the &#8220;assume breach&#8221; approach, we also need to be able to detect those breaches as quickly as we can, and respond accordingly. This means that your security budget should be balanced between preventive measures (the boxes with blinking lights all vendors want to sell you), detection measures (collect </span><span style="font-weight: 400;">important log data and analyse it automatically, but also train your staff in recognising &#8216;strange&#8217; behaviour) and responsive and corrective measures (this is mainly a people thing, your staff needs to know what to do in case of an incident).</span></p>
<p><span style="font-weight: 400;">As is now apparent, handling the &#8220;assume breach&#8221; paradigm becomes less dependent on technology and more on the people in your organisation. The old cliche that people are your weakest security link no longer holds in my opinion. With proper awareness and training, your people can become your strongest security control, both for detecting bad things that happen and resolving them in a quick and effective manner.</span></p>
<p><span style="font-weight: 400;">Stay safe!</span></p>
<p><span style="font-weight: 400;">Arthur Donkers</span></p>
<p>The post <a rel="nofollow" href="https://cyberlinksecurity.ie/why-are-we-seeing-such-high-profile-failures-of-cybersecurity/">Why are we seeing such high profile failures of cybersecurity?</a> appeared first on <a rel="nofollow" href="https://cyberlinksecurity.ie">Cyberlink Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
