diff --git a/content/posts/infosec/infosec-tenets-simply-dont-work.md b/content/posts/infosec/infosec-tenets-simply-dont-work.md new file mode 100644 index 0000000..1984f56 --- /dev/null +++ b/content/posts/infosec/infosec-tenets-simply-dont-work.md 
@@ -0,0 +1,54 @@ +--- +title: "Telling users to ‘avoid clicking bad links’ isn’t working" +date: 2022-12-28T16:03:00+02:00 +draft: false +tags: ["infosec","data breach","email","encryption"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false +cover: + image: "" + alt: "" + caption: "" + +--- +**Abstract:** + +> **Telling users to ‘avoid clicking bad links’ still isn’t working** by **David C**. - Technical Director for Platforms Research and Principal Architect - [NCSC](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK) + +*Why organisations should avoid ‘blame and fear’, and instead use technical measures to manage the threat from phishing.* + +### Infosec tenets simply don’t work + +Advising users not to click on bad link: users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is **not** their job + +### Mitigating credential theft for organisational services + +- mitigate the threat of credential theft by mandating [strong authentication](https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/enterprise-authentication-policy) across its services, such as device-based passwordless authentication with a FIDO token. +- set up [multi-factor authentication](https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services) (MFA). + +### Mitigating malicious downloads through defence in depth + +**Implementing enterprise-level actions and greatly reduce the chance of successful attacks on your network**. 
+ +**Preventing delivery of phishing email**: +- use email scanning and web proxies to help remove some threats before they arrive +- [DMARC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/implement-a-dmarc-policy-of-none) and [SPF policies](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/create-and-iterate-an-spf-record) can significantly reduce delivery of [spoofed emails](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing) to users + +**Preventing execution of initial code**: +- put in place *allow-listing* to make sure that executables can't run from any directory to which a user can write, +- for anything not covered in *allow-listing*, use registry settings to ensure that dangerous scripting or file types are opened in Notepad and not executed, – for PowerShell, you can minimise risk by using PowerShell constrained mode and script signing +- disable the [mounting of .iso files on user endpoints](https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7) +- make sure that macro settings are locked down (see the NCSC's [guidance on macro security](https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office)) and that only users who absolutely need them – and are trained on the risks they present – can use them +- enable [attack surface reduction rules](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide) +- ensure you update third-party software, such as PDF readers, or even better, use a browser to open such files +- keep up to date with current threats with wider reading about any new attack vectors emerging + +**Preventing further harm**: +- *allow-listing* is again a powerful way to prevent further harm once a malicious file is opened +- DNS filtering tools, such as PDNS (for UK public sector and also the [private sector](https://www.ncsc.gov.uk/guidance/protective-dns-for-private-sector)) can block suspicious 
connections and prevent many early-stage attacks +- organisations can also carry out endpoint detection and response (EDR) and monitoring to look for suspicious behaviour on hosts + +Source: [National Cyber Security Center](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK) \ No newline at end of file diff --git a/content/posts/infosec/lawyers-suck-at-infosec.md b/content/posts/infosec/lawyers-suck-at-infosec.md new file mode 100644 index 0000000..64a3d47 --- /dev/null +++ b/content/posts/infosec/lawyers-suck-at-infosec.md 
@@ -0,0 +1,38 @@ +--- +title: "Lawyers suck at infosec" +date: 2017-01-13T10:04:00+06:00 +draft: false +tags: ["infosec","surveillance","data privacy"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false +cover: + image: "/images/" + alt: "" + caption: "" +--- + +![CCBE guidance on improving the IT security of lawyers against unlawful surveillance](/images/ccbe-guidance-infosec-of-lawyers.jpg) + +Lawyers suck at infosec. +### Expensive lawyers also suck at infosec. + +They're just more expensive. + +The *Surveillance Working Group* of the Council of Bars and Law Societies of Europe ([CCBE](https://www.ccbe.eu/)) apparently want lawyers to suck less (at infosec) hence has issued a *[Guidance](/ccbe-guidance-on-improving-the-it-security-of-lawyers-against-unlawful-surveillance.pdf)* (.pdf - EN)[^1] *on improving the IT security of lawyers against unlawful surveillance* in May 2016. + +> The requirement for lawyers to keep confidential their communications with their clients is an essential component of the rule of law in a free and democratic society. Yet it is a value which is coming under increasing threat, whether by means of unlawful interference by third parties or, in some cases, inadequately regulated governmental surveillance. +> +> There is a wide variety of security risks to which data held by lawyers and communications between lawyers and clients are being exposed on a daily basis. + +There goes their conclusion: + +> Absolute protection of IT systems against surveillance, lawful or otherwise, and against other forms of hacking cannot be achieved. IT systems will always be vulnerable, and, as this Guidance demonstrate, there is no such thing as a comprehensive system which will give total protection of data. +> +> Against that background, it is important for lawyers to be able to demonstrate, to their clients, and to the wider public the measures they have taken. 
+ +Armed with this, lawyers won't certainly turn to infosec wizards but they can try at least to suck less (at infosec). They might get even more expensive though. + +[^1]: .pdf also available [in French](https://www.ccbe.eu/fileadmin/speciality_distribution/public/documents/IT_LAW/ITL_Guides_recommendations/FR_ITL_20160520_CCBE_Guidance_on_Improving_the_IT_Security_of_Lawyers_Against_Unlawful_Surveillance.pdf). \ No newline at end of file diff --git a/content/posts/infosec/malaysia-telco-databreach-check-yourself.md b/content/posts/infosec/malaysia-telco-databreach-check-yourself.md new file mode 100644 index 0000000..efb8aa5 --- /dev/null +++ b/content/posts/infosec/malaysia-telco-databreach-check-yourself.md @@ -0,0 +1,20 @@ +--- +title: "Malaysia telco databreach - check yourself" +date: 2017-11-14T04:25:49+06:00 +draft: false +tags: ["asia","infosec","data breach","malaysia"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false + +--- + +![SayaKenaHack](/images/sayakenahack.png) + +Lowyat reported on Oct. 30, 2017 that a total of [46.2 Million Malaysian phone numbers were exposed](https://www.lowyat.net/2017/146339/46-2-million-mobile-phone-numbers-leaked-from-2014-data-breach/), and the dataset included IC numbers, addresses, IMSI, IMEI and SIM numbers as well. + +## Check yourself out + +Head over to [SayaKenaHack.com](https://href.li/?https://sayakenahack.com), the dedicated website created by [Keith Rozario](https://href.li/?https://twitter.com/keithrozario) and check if your details are part of the breach. \ No newline at end of file diff --git a/content/posts/infosec/palantir.md b/content/posts/infosec/palantir.md new file mode 100644 index 0000000..8659b42 --- /dev/null +++ b/content/posts/infosec/palantir.md 
@@ -0,0 +1,24 @@ +--- +title: "Palantir: the ‘special ops’ tech giant that wields as much real-world power as Google" +date: 2017-08-02T16:54:00+06:00 +draft: false +tags: ["tech","data privacy","surveillance"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: true +ShowPostNavLinks: true +showtoc: false +cover: + image: "" + alt: "" + caption: "" + relative: false # To use relative path for cover image, used in hugo Page-bundles + +--- +*Minority Report is set in 2054, but Palantir is putting pre-crime into operation now.* + +> Peter Thiel’s CIA-backed, data-mining firm honed its ‘crime predicting’ techniques against insurgents in Iraq. The same methods are now being sold to police departments. +> +> Palantir watches everything you do and predicts what you will do next in order to stop it. As of 2013, its client list included the CIA, the FBI, the NSA, the Centre for Disease Control, the Marine Corps, the Air Force, Special Operations Command, West Point and the IRS. Up to 50% of its business is with the public sector. In-Q-Tel, the CIA’s venture arm, was an early investor. + +Full Story in [The Guardian](https://www.theguardian.com/world/2017/jul/30/palantir-peter-thiel-cia-data-crime-police) \ No newline at end of file diff --git a/content/posts/infosec/personal-data-isnt-the-new-oil-its-toxic-waste.md b/content/posts/infosec/personal-data-isnt-the-new-oil-its-toxic-waste.md new file mode 100644 index 0000000..4e9ceb5 --- /dev/null +++ b/content/posts/infosec/personal-data-isnt-the-new-oil-its-toxic-waste.md 
@@ -0,0 +1,23 @@ +--- +title: "Personal data isn't the 'new oil' - it's toxic waste" +date: 2017-09-22T03:06:00+06:00 +draft: false +tags: ["data privacy","tech"] +author: "Olivier Falcoz" +hidemeta: false +ShowReadingTime: false +ShowPostNavLinks: true +showtoc: false +cover: + image: "" + alt: "" + caption: "" + +--- + +> Personal data isn't the new oil - it is toxic waste. Companies should: +> Create as little as, +> Regularly clean it, +> Store it securely +> +> -- Terence Eden on [Twitter](https://twitter.com/edent/status/906404039059034112) \ No newline at end of file
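Review bot: in the infosec-tenets-simply-dont-work.md hunk (`@@ -0,0 +1,54 @@`), the bullet "[DMARC] and [SPF policies] can significantly reduce delivery of spoofed emails" links to the NCSC page on implementing a DMARC policy of `none`; `p=none` is a monitoring-only policy that produces reports on failing mail and does not change delivery, so either state that it is the first step before moving to `quarantine`/`reject`, or link the enforcement guidance instead. DMARC also checks alignment of SPF or DKIM, and DKIM is absent from the list. Smaller points in the same hunk: "Advising users not to click on bad link:" should read "bad links" and the sentence has no terminal punctuation; "**Implementing enterprise-level actions and greatly reduce the chance of successful attacks on your network**" mixes two constructions (suggest "Implementing enterprise-level actions can greatly reduce ..."); the fragment "– for PowerShell, you can minimise risk by using PowerShell constrained mode and script signing" is run onto the end of the registry-settings bullet and should be its own list item; the front-matter title drops the "still" that the quoted NCSC title in the abstract keeps; and "National Cyber Security Center" in the Source line should be "Centre", the organisation's own spelling. All five files in this patch are added without a trailing newline ("\ No newline at end of file").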
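Review bot: in the lawyers-suck-at-infosec.md hunk (`@@ -0,0 +1,38 @@`), `cover: image: "/images/"` points at a directory rather than a file, so the theme will emit a broken cover image; either set it to the file the body already uses (`/images/ccbe-guidance-infosec-of-lawyers.jpg`) or leave it empty as the other posts do. The English guidance is linked site-relatively (`/ccbe-guidance-on-improving-the-it-security-of-lawyers-against-unlawful-surveillance.pdf`) while the French version in footnote 1 is an absolute ccbe.eu URL; this patch does not add that PDF under `static/`, so confirm it exists or link the CCBE-hosted copy. Minor wording: "lawyers won't certainly turn to infosec wizards" reads better as "lawyers certainly won't turn to infosec wizards".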
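Review bot: in the malaysia-telco-databreach-check-yourself.md hunk (`@@ -0,0 +1,20 @@`), both outbound links are wrapped in the href.li redirector (`https://href.li/?https://sayakenahack.com`, `https://href.li/?https://twitter.com/keithrozario`); that routes every click through a third party the reader cannot audit and hides the real destination from link previews, so link the sites directly. Since the post sends readers to a privately run site to "check if your details are part of the breach", it should also say what they will be asked to enter (the same identifiers the leak exposed) and that the site is independent of the telcos and regulator. The front matter here omits the `cover:` block the other four posts carry.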
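Review bot: in the palantir.md hunk (`@@ -0,0 +1,24 @@`), the `relative: false # To use relative path for cover image, used in hugo Page-bundles` line is a leftover theme-template comment that appears in this file only, alongside an empty `image: ""`; drop it or make the `cover:` block identical across the posts. "Full Story in [The Guardian]" should be "Full story in", and the attribution line should carry the article date or author as the other posts' source lines do.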
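Review bot: in the personal-data-isnt-the-new-oil-its-toxic-waste.md hunk (`@@ -0,0 +1,23 @@`), the quoted line "Create as little as," is cut off mid-clause; check it against the linked tweet and quote it in full. As written, the three items "Create as little as,", "Regularly clean it," and "Store it securely" sit on consecutive `>` lines without list markers or hard breaks, so markdown renders them as one run-on paragraph; use `> - ` list items or end each line with two spaces. `ShowReadingTime: false` also differs from the `true` used in every other post in this patch.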