Monthly Archives: September 2016

Is Cybersecurity a good buzzword?

For years now, information security has been a fast-growing market. For at least a couple of years, the cyber security market has been growing fast. Even in these times of budget cuts in many sectors, quite often the cyber security department manages to negotiate an increase of its operational budget. That’s significant, isn’t it? Moreover, nowadays it has become nearly impossible to ignore the wave of “cyber-” words: cybercrime, cyberterrorism, cybersex or cyberbullying.

You could not have missed the news about CERT.be, the federal cyber emergency team (CERT used to be the Computer Emergency Response Team, likely less “sexy” than Cyber Emergency Team) which is, according to its website, “a neutral specialist in Internet and network security” (So Cyber security is Internet and Network Security?). Along with CERT.be, you have probably also read about the Belgian Center for Cyber-security (CCB). Nor could you have missed the buzz around the new Belgian Cyber Security Coalition or the 1.8 billion € allocated by the European Commission to a private-public partnership made to increase Cyber Security. In the latter, the private sector is represented by the newly born European Cyber Security Organisation (ECSO). That’s a lot of Cyber-related news, isn’t it? Is Asimov’s vision becoming a reality? It sure sounds like we are in one of the books of his Robot series.

But what does Cyber mean? How is Cyber Security different from Information security or IT security? Which of the two is it?

According to NIST, Cybersecurity is “The process of protecting information by preventing, detecting, and responding to attacks”. So, is it Information Security? But according to the new worldwide reference, Wikipedia, Cyber is part of the “Internet-related prefixes added to a wide range of existing words to describe new, Internet- or computer-related flavors of existing concepts, often electronic products and services that already have a non-electronic counterpart”. So, Cyber Security should be the Internet- or computer-related flavor of information security that we used to call IT security. But is it?

Because lately I’ve heard the “cyber-buzzwords” used in so many different contexts by so many people (including some executives clearly not knowing what they were talking about), I have difficulty understanding what exactly we are talking about.

Don’t get me wrong, I like the fact that our country’s leaders have finally decided to address the increase of Internet-related threats more seriously. As our risk surface is drastically expanding, it is high time to address those risks at a more global level (but we are still far from a clearly necessary worldwide cybersecurity agency, for a lot of obvious political reasons). I also like the fact that my clients’ boards of directors give more focus to “cybersecurity”, whatever they think it is. At last, it gives us momentum to raise awareness and improve governance maturity to the necessary level.

What I don’t like in the “Cyber” fashion is seeing such an important subject become more and more vague and focused, again, on the technological aspects. With the new buzzword came a lot of new supposed-to-be-panacea products claiming they will solve all the problems overnight (or in a few months, but at our timescale, it is the same). I have heard of CISOs (Chief Information Security Officers) being rebranded CCSOs (Chief Cyber Security Officers).

Is it really progress? For years we fought to have CISO positions created at board level in order to get out of the IT ghetto. The aim was to be present where information security also belongs: in the organization’s processes and workforce. In 2016, the latest IBM security survey still attributes 60% of attacks to inside jobs. 1 employee out of 5 is ready to sell his corporate network credentials. The biggest weaknesses are still in the business processes and in the human beings behind them. Most ethical hackers and red team members know that they don’t need a zero-day exploit to get into a target’s systems, they just need a charming smile and a couple of beers to get what they need to get in. With all the good this new Cyber buzzword brings, there is an evil: we are going back to a computer- and technology-focused perception of corporate security issues. People, processes and facilities are relegated to second position while they still represent more than 70% of the risks. Does it make sense? Is Cyber Security an evil buzzword after all?

Few will share this article, as a lot of cyber security professionals won’t dare to challenge the marketing machine that is actually feeding them. And as I wrote, some good has come out of this, but it is necessary to see all the side effects and ensure marketing people are not the ones deciding where you should put your focus.

Improve and speed up your Firewall Change Requests management for free

Whether you work for a small or a very large organisation, you probably have one or many firewalls to manage. If you have halfway decent security governance, you probably have someone reviewing and approving any request to update rules on the firewall(s).

If you have a lot of requests to process and a complex network architecture, you might be lucky enough to use an automated system like Fireflow to process these change requests. If you don’t, you might struggle a bit with this process and with the enforcement of somewhat complex network security rules related to data flows between different subnets.

So, if you don’t have much money to spend on a quite expensive solution, today is your lucky day as we give you one for free (at least if you already have a Microsoft Office license).

Over the last few months, we have developed a set of Visual Basic functions for Microsoft Excel in order to help our customers deal with the management of IP networks, FQDNs, URLs, DNS and so on.

Recently, we have used these functions to create an Excel sheet meant to serve as a form for submitting Firewall Change Requests (FCR) and to automatically provide compliance advice against a set of rules on data flows between subnets and on the use of some IP ports.

This form and the VBA functions (or the Excel function library) are available on our public GitHub repository: https://github.com/Apalala-sprl/Excel-Functions

It is quite simple to use: the only thing you need to do is fill in the two sheets with the list of your subnets and the related network addresses (in CIDR format) and fill in the access matrix defining what is allowed from one subnet to another (see picture below). Once that is done, you can hide these sheets and give the form to any person in your organisation wanting to change or add a firewall rule.

[Picture: flow-matrix]

When the requestor enters a request in the form by giving the source and destination IP addresses, the form automatically determines which subnets the addresses belong to. It also provides the default treatment of such a flow. As the requestor sees the result while typing the request in, he is rapidly notified if his request is somewhat unusual or against the rules. This might reduce your workload and speed up the processing of the remaining requests.
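
The lookup the form performs, sketched in Python as an added example (this is not the code from the repository above, which is VBA for Excel): each address is mapped to its most specific subnet and the default treatment is read from the access matrix. The subnet names, CIDR ranges, matrix entries and flagged ports are constructed sample data, and the deny-by-default and same-subnet behaviours are assumptions.

```python
import ipaddress

# Constructed sample data: subnet names, CIDR ranges and matrix entries are
# illustrative assumptions, not values taken from the workbook.
SUBNETS = {
    "USERS": "10.10.0.0/16",
    "ADMIN": "10.10.250.0/24",   # nested inside USERS: most specific match wins
    "SERVERS": "10.20.0.0/16",
    "DMZ": "192.0.2.0/24",
}
# Access matrix: (source subnet, destination subnet) -> default treatment.
MATRIX = {
    ("USERS", "SERVERS"): "allowed",
    ("USERS", "DMZ"): "allowed",
    ("ADMIN", "SERVERS"): "allowed",
    ("ADMIN", "DMZ"): "allowed",
    ("DMZ", "SERVERS"): "review",
}
# Hypothetical port rule: cleartext protocols are flagged whatever the matrix says.
FLAGGED_PORTS = {21: "FTP", 23: "Telnet"}

NETWORKS = {name: ipaddress.ip_network(cidr) for name, cidr in SUBNETS.items()}


def subnet_of(address):
    """Return the name of the most specific subnet containing address, or None."""
    ip = ipaddress.ip_address(address)   # raises ValueError on malformed input
    matches = [(net.prefixlen, name) for name, net in NETWORKS.items() if ip in net]
    return max(matches)[1] if matches else None


def advise(source, destination, port):
    """Return (source subnet, destination subnet, advice) for one requested rule."""
    src, dst = subnet_of(source), subnet_of(destination)
    if src is None or dst is None:
        advice = "review: address outside every declared subnet"
    elif src == dst:
        # Assumption: intra-subnet traffic is not filtered by the firewall.
        advice = "not needed: source and destination share a subnet"
    else:
        # Assumption: pairs absent from the matrix are denied by default.
        advice = MATRIX.get((src, dst), "denied")
    if port in FLAGGED_PORTS and not advice.startswith("not needed"):
        advice += f"; port {port} ({FLAGGED_PORTS[port]}) is flagged"
    return src, dst, advice


if __name__ == "__main__":
    for request in [("10.10.3.4", "10.20.1.5", 443), ("192.0.2.10", "10.10.3.4", 445)]:
        print(request, "->", advise(*request))
```

Picking the longest matching prefix matters as soon as one declared range sits inside another, as ADMIN does inside USERS here; a first-match lookup would give an administrator workstation the treatment of an ordinary user subnet.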

If you have any trouble using it, don’t hesitate to contact us. If you have improved it in any way, feel free to share your work with us and the rest of the community.

Ooops, they did it again! Was my password compromised, again?

You have probably read that 68 648 009 Dropbox accounts have recently been compromised. In the past years, companies like LinkedIn, Adobe, Tumblr, Fling or MySpace were hacked and it is likely that your credentials were stolen by hackers if you had an account on one of these sites. It’s even possible that your credentials (name, email and passwords) have been published on the web.

If you don’t remember whether you were one of the victims of any of these breaches, there is a very useful website that allows you to check if your email address can be found in one of these leaked lists of credentials: haveibeenpwned.com.

You just need to enter your email address and press enter. Then, you’ll know.

But, as you don’t always use the same password on all the sites you use and as you change them quite often, you’re probably safe!