enicaise, Author at Apalala srl

Blockbusters, a new risk to add to our threats’ list?

enicaise | 2016-07-29 | Information Security

On 20th of July, BBC News announced that “Businesses in southern India have given their employees the day off on Friday so they can attend screenings of a new film starring Tamil cinema superstar Rajinikanth“.

According to BBC News, this decision was made because companies where trying “to avoid people calling in sick, turning off their phones or simply failing to turn up for work“.

“Crazy indians” some might say! But, such behaviour already happened in the US or even, at a lesser scale, in Europe when the latest opus of the Star Wars sequel arrived in theaters. Some people where even sleeping in front of some theater to be sure to have their seats. In some places, the 4th of May, the Star Wars Day (“May The 4th be with you”), is also considered has a holiday. Of course, these are anecdotal but, they are growing in importance and frequences.

Although not frequent, likelihood of blockbusters seems to be higher than earthquake or tornados in some countries and a bit lower than flu epidemics. So, the probability of occurence is non neglectable. But, what could be the impact on your business?

Let’s see what the future will be 🙂

Are Red Team exercises close enough to reality?

enicaise | 2016-06-21 | Red team, Security Governance

A red team is a team of highly skilled professional with extended and varied skills (e.g. think about “Mission: Impossible”) acting has the opponents, challenging your plans, your controls, your security governance, your people. As a red team, we must think and behave as the “bad guys”. The goal is to emulate the critical thinking of your “official” security teams. To achieve that, we challenge all the false assumptions that makes you vulnerable. We spot all the weaknesses and find creative ways to exploit the slightest vulnerability. As will any skilled attacker do. (Luckily, they are not all that good)

The question that came to me while discussing a red team exercise with a customer was this one: Are red team exercise close enough to reality?

For sure, we are not as real as the criminal organization targeting you. We could be, as we have the skills, but we have something that makes a huge difference: ethics, rules. A red team as boundaries. Even if we take it to the most realistic level, a red team exercise will never lead us to threaten someone’s family, or its life or even to kill someone. We won’t blow a building to cover our tracks. We won’t release the ultimate virus to wipe all data. Unfortunately, criminals don’t have such boundaries.

Our client told me that the red team was not supposed to use information that would have been provided in confidence. While red teams exercises are often “black hat” exercises (meaning, we start with just a few information on the target), it is never impossible that attackers have an inside knowledge of your organization. Seriously, in real life, there is no rules. If there is enough return on investment, criminal organizations will spend a lot of money to get your crown jewels, lot of time and means. They will use any technique: blackmailing, kidnapping, bribery, infiltration. The colleague next to you could be working for a criminal organization, posing as a good guy, even as a security specialist. How would you know?

The latest incidents reported in the press involving banks or the SWIFT network mentioned takes in tens of millions: 21, 80 or even 120 millions Euro of booty for these heists. Quite a motivation isn’t it? How much will you be ready to invest to get such reward?

Cyber criminality generate approximately a trillion USD every year. 1000 billions! Law enforcements and security firms around the world reports that group of hackers and criminals are now working together to reach bigger targets with higher stakes. Imagine that an organization that get 1/1.000 of the worldwide revenue might have 1 billion USD of money for its operation. That’s a lot of cash. People get killed for less.

So, no, our red team exercises are not as real as they could be but it is likely close enough to achieve its primary goal: challenge your team and organization to make it better. Red team exercises won’t provide assurance nor will it cover all your weaknesses but it will for sure stimulate your teams to achieve their best.

Security: It’s all about trust!

enicaise | 2016-05-17 | English, Information Security, Perspectives, Security Governance

In the past few days, I had a few discussions and readings that made me think about the importance of the concept of trust in security and in our life more generally speaking.

Think about it. All we do in security management, in training, in penetration testing, in patching or with monitoring is because we don’t trust our employees, our colleagues, our customers, our suppliers or our competitors. That’s why we often have 3 levels of controls, each level controlling the others so we suppose we will always have at least one person who will do the “right” thing. In our line of work, it makes sense.

But how far should we go? When do we start to trust? When do we make this leap of faith in humanity?

I worked with pretty paranoid people (for a reason, not the pathological ones) using their own operating system (Based on reviewed and modified NetBSD source code) on air gap networks. They also had RFID chip in the printer’s paper in order to trigger an alarm if you leave the facility with printed information. Other electromagnetically wiped and physically destroyed (with presses) any hard disk in end-of-life. Some requires 10 months of thorough investigation and background check before letting someone work on their systems. I worked with people having private investigators watching their security guards to ensure they were totally honest (and it wasn’t the case all the time). In the security community, you will easily found people who will not trust any software to handle their very sensitive information as they might always have a backdoor. And it is the same with hardware. And they are right to be suspicious as we found vulnerabilities and backdoors in nearly any system or application. Firmware corrupted by the government of the country manufacturing the processors or motherboards or spyware built-in from the start at the manufacturer’s government request. Routers, operating systems, firewalls, remote access applications, switches, phone equipment, and so on. There is a very long list of known backdoor, Trojan horses, spywares and so on discovered in widely used systems. You can imagine the length of the list of the one we don’t know about (yet).

If we talk about people, it’s even worse. Belgian Secret Services have published a quick card to warn travellers in some specific sensitive industry on how prevent information leakage while being out of the country. The warning is not restricted to the usual suspects (like Korea, Russia, China or USA) but also to our European “friends”. Economic espionage is written in the bylaws of many European country’s intelligence services. According to our States’ Security services, if you belong to the targeted categories of people, the question is not anymore “if” you will be victim of spies but “when”. Humans can be manipulated, blackmailed, bought, threatened, seduced, just pick one. We are no more reliable than the rest.

I know it sounds crazy, even paranoid! Unfortunately it’s just the world as it is.

So, how do we function knowing we can trust nothing and no one?

Obviously, we tend to create redundancies, to multiply the controls and the levels of control. In large organisation you may easily have more than 5 levels of control (Operational control, security, risk management, internal audit, external auditors, compliance, and so on). Even though, we still manage to have incidents. This still doesn’t answer my first question: When do we start to trust?

For me, trusting is part of the risk management process. It also meets the intelligence gathering process of evaluating your information, your sources and how reliable they are. We trust and we verify. We evaluate continuously the level of trust we can grant to our systems and our people. The higher the stakes, the higher our level of paranoia should be. Also, as usual, we must balance between the risk of doing it and the cost of not doing it. If I don’t trust my suppliers, my employees, what will be the cost for my company, my business?

What’s also important is to know that we trust. There is a clear difference between believing without knowing and believing with the consciousness of the fact that we make a leap of faith. The difference resides in the decision. I don’t believe because I do, I believe because I have decided that it is the best choice to make.

Let me take an example: in my car, if I believe that a green light for me means that cars coming from other directions will stop at the red light, without doubting that or even having the conscience it is a belief, I will never pay attention to the other cars. If I understand it is a belief, I can adjust my behaviour and check (monitor, watch) other cars to see if they are compliant with this belief (and obviously hit the brakes if they are not).

On the other hand, I should also give a little trust to my car manufacturer and have confidence in the fact the brakes will stop my car when I hit them. Else, I won’t dare to drive anymore. As always, we need to find the right balance and we need to do it consciously in order to function effectively.

So, question everything and take sound decisions, knowing that you don’t know for sure.