Category Archives: Information Security

Crime-as-a-Service, the new emerging model of a 300+ billion$ business?

In its 2014 Internet Organised Crime Threat Assessment, Europol highlighted the rise of a new business model in the cybercrime community: CaaS, Crime-as-a-Service. More and more hackers provide “services”, available through the darknet (e.g. Tor), that let you rent thousands of infected computers, buy undetected payloads for viruses, password lists, and so on. For a few years now, you can even pay anonymously using virtual currencies (like bitcoin). They often provide very good customer service and sometimes even a cash-back warranty.

We often underestimate the size and importance of the cybercrime market. In its 2013 report on the economic impact of cybercrime, McAfee estimates the global revenue of cybercrime activities worldwide at between 300 billion$ and 1 trillion$.

1.000.000.000.000 $/Year


With numbers this huge, it is difficult to represent the magnitude of this market. In comparison, the yearly worldwide drug market generates between 300 and 600 billion$ of revenue, which is bigger than the GDP of some European countries.

CaaS is increasingly offered to, and used by, more traditional crime organizations to support their activities. The Europol report mentions a quite interesting figure: a Russian underground forum dedicated to hacking with 13.000 members and 4.000 daily visitors. It is hard to find a security professional nowadays, but on the dark side, hackers are legion (when you see the profit they can make, you may understand why there are so many of them).

Additionally, the “dark side” is also offering other services mirroring the “legit” community, such as IaaS (Infrastructure-as-a-Service), Data-as-a-Service, hacking, or money laundering. The hacker world has developed its own ecosystem. As it interacts more and more with the other “worlds”, it may soon be possible (if it is not already) for everybody to use and pay anonymously for illegal services.

After online drug dealers like Silk Road (see Wikipedia), we might soon see services to remove your speeding ticket or to get a preview of an exam’s questions. Not to mention that, in an increasingly digital world, with eGovernment and the Internet of Things growing in size, we might soon be able to ask for a new identity, a genuine diploma we never studied for, or even worse, the death of our worst enemy in a car crash (assuming he drives one of the new connected cars).

Some forms of cybercrime are already well established and already cost a lot of money as well as a huge human cost (even more so if we talk about child pornography, one of the big beneficiaries of the darknet). We could think about hunting down the tools and protocols used to create the darknet, but they are also used by thousands of honest people wanting to protect their anonymity and their privacy, or to “speak freely” under oppressive regimes. Moreover, should you try to suppress them, new technologies would quickly be invented or developed to create even deeper, even darker, networks. With such a large amount of money at stake, the means to create a dark zone on the Internet would be nearly unlimited. They could even create a parallel network hiding in plain sight if they ever achieve a higher level of organization at a global scale.

As always, in the end, our only weapons are the skills and means of the people fighting them and able to tell right from wrong, good from bad. Unfortunately, we don’t have enough skilled professionals yet. We certainly already have a lot of very talented security professionals (coders, hackers, network specialists, governance people, auditors), but the fight remains unequal: they only need to find one failure to succeed, and we need to close them all to win. So we definitely need better training, better information exchange, better research, higher standards for IT professionals and better preparation of our future professionals.

Clearly, we also need to make security more understandable and more user-friendly. As Bruce Schneier was advocating a few years ago, security must become a convenience like any household appliance: easy to use, easy to sell, easy and efficient. That is perhaps where the dark side is winning the competition at this stage.


Google knows what you did last summer!

Maybe you forgot what you were doing last week? Even if you didn’t, you probably don’t know exactly what you were doing last summer.

(Un)fortunately, your friend Google can help you. You may already know it (or not), but Google keeps track of all your movements (if you use their services and clicked “Yes” when they asked for your permission). If you have activated Google Now or Google Maps using your Google account, George Orwell’s 1984 and its Big Brother seem like an optimistic view of today’s reality. But, as nothing is ever black or white, especially in risk management, this invasion of your privacy might help you remember where you were last summer. Google does not advertise it much, but you can see your whole location history (if you have allowed them to collect it) on the location history map at https://maps.google.com/locationhistory/.

You can use it to relive your holidays using Street View, find where you were at a specific date and time, or check the number of kilometres you drove on a specific day.

Of course, you can imagine the amount of information that could be gathered if this system also started to keep track of all the networks nearby, the Bluetooth devices visible at a specific time, the NFC payments you make, or the sounds heard by your phone (yes, remember that Google Now waits for your “OK Google” and is therefore listening continuously while it runs).

Be alarmed or not; at least now you know.

[Screenshot: Google Location History]

Effective security management: 20 tips to change your audience’s behaviour

How do we implement security efficiently in an organization, small or big?

Some security officers still seem to believe that having security policies and a plan to implement expensive controls like IPS, IAM or DLP is the solution. (You’ll notice the common use of nice marketing buzzwords and acronyms to make you believe that you should know what an Intrusion Prevention System, an Identity and Access Management system or a Data Leakage Prevention system are, as everyone else is supposed to, and maybe does. But does that mean they are the solution to your problems?) It is not! You can believe me on this: I was thinking the same way years ago, I saw it fail too often, and now I take another approach. And that’s probably one of the reasons why I still have a lot of work as a consultant.

So, what is the first thing we should care for?

When Kevin Mitnick, one of the most famous hackers, was still hacking PABXs in order to war-dial every available modem in a region for free (yes, it was a long time ago), the weakest point of most computer security systems was already between the chair and the keyboard. Whatever you do, there is always a human involved somewhere, and humans are harder to control and less predictable than computers (even if that might not always be the case). Bottom line: good security starts with a good communication and training plan, as for any transformation journey, because it is the only good way to change users’ behaviour (depending on where you live, you might also think about torture and brainwashing, but as I live in Belgium, and moreover because of my philosophical convictions, I exclude those from the equation).

Is it really necessary to have a communication and training plan?

The first Palo Alto axiom of communication states that one cannot not communicate (yes, I know, double negations are complicated). Let’s rephrase it: whatever you do or don’t do, you communicate. So, if you don’t communicate about your security, you are in fact communicating that it is not important, that you don’t care, or that you don’t have the budget to communicate. That’s BAD! If you communicate poorly, you might give the same message, or even worse, the false impression that security is useless or boring. Really bad too! And as you probably know, we only get one chance to make a good first impression. So don’t miss it. The basic reason for any communication is to change others’ behaviour. So, if you just want to write policies for yourself and don’t care about others’ behaviour, then indeed you can skip the communication plan.

What makes a communication efficient?

If a communication is intended to change others’ behaviour (or ideas), an efficient communication is the one that changes the behaviour of the highest number of people. How can we assess that efficiency? If you work in security and risk management, you should know the PDCA cycle. So you just use it, like scientists do: when you do something, you try to measure the effect of your action. Fortunately, a lot of people have already tried different paradigms and measured their efficiency. That’s what social psychologists and marketing researchers do. And on the specific issue of risk communication, Amos Tversky and Daniel Kahneman, two economics Nobel prize winning psychologists, developed prospect theory, highlighting the numerous biases affecting humans when making decisions about a risk. Lucky for you, you won’t have to read and understand all those books and articles: I am about to give you a cheat sheet to prepare your next communication.

So, practically, how do you do it?

  1. First, remember the three basic rules of education: repeat, repeat and repeat again.
  2. Then remember that a signal repeated too often tends to be ignored by your brain. When you put your socks on, you stop noticing the sensation of the fabric on your skin after a few seconds. In the same way, you don’t notice most of the objects in your office that have been there for so long. But if you move one or change its colour, interrupting the pattern, you will start noticing it again. So the basic education rule might become something like: repeat, explain and do it again differently.
  3. Keep it simple, stupid and sexy (KISSS): use terms and analogies that everybody can understand. Your target is not a group of security experts.
    Ex.: “Security is wearing belt and braces for your first date.”
  4. Give many concrete, short examples that are relevant for your audience. Use their vocabulary, the processes they already know, the things they do for a living.
  5. Use examples that allow people to identify themselves with the story.
    Ex.: “The new employee walks into the printer room and finds a confidential document on the printer; as he remembers the security training, he brings the document to the security officer.”
  6. Ask questions, mostly questions that create a knowledge gap, meaning your audience won’t have the answer, or at least not the right answer.
    Ex.: “How long will an 8-character password resist a hacker’s attack?”
  7. Use positive sentences (people have difficulty with the negative form; they tend to forget the negation).
    Ex.: prefer “You will take care” to “You will not jeopardize”.
  8. Use emotions and feelings to describe situations; it will make them more memorable (you can also add references to sensations, sounds, colours).
    Ex.: “Alice is afraid of losing her beloved grandmother’s gold ring.”
  9. Explain to your audience as if they were your kids or grandparents.
    Ex.: “You may see risk as the cost resulting from an incident (like having a car crash) multiplied by the probability of this incident occurring.”
    NB: I know, I repeat myself, but what we call the curse of knowledge, meaning believing that others understand what we are saying, is really killing most security communication.
  10. Use precise numbers; they will be perceived as more credible.
    Ex.: “You have 2.13 times more chance of dying from self-inflicted injuries than from a transport accident.”
  11. Naming your sources will also add credibility (if they are credible).
    Ex.: “as stated in the Federal Statistic Death Cause report of 2009”
  12. Link important concepts to images, preferably known locations and persons. Use unusual associations (incongruence) to increase remembrance.
    Ex.: “Gandhi walks into a computer shop and asks for a computer that brings serenity.”
  13. Spot the “victims” of the incident or the persons impacted by it. Give a face, a personality, to the victims.
    Ex.: “Alice, Bob’s secretary, is afraid of being fired after she disclosed confidential information.”
  14. Provide multiple examples of the same risk. It will create the illusion that the risk is higher, which helps to trigger action and compliance.
  15. Use yes sets (a series of affirmations that most people will acknowledge with a “yes”, preceding the affirmation we want them to acknowledge): as they acknowledge the first affirmations (priming), they are more likely to acknowledge the last one. Once acknowledged, not complying with this affirmation will likely trigger a cognitive dissonance (inconsistency) in their mind, increasing the probability of compliance.
    Ex.: “Like many people, you like to keep your secrets secret. You understand the risk of disclosing such information. So you will probably keep this information secret.”
  16. Use double “no” or paradoxical sentences.
    Ex.: “You don’t want us to take such a risk, do you?”, “As you care about our security, you will classify the document adequately. No?” or “You may give your password to your colleague and be responsible for all his mistakes. No?”
  17. Make it look normal: make your expectations appear like something normal that we should do as part of our everyday behaviour.
    Ex.: “Like most of your colleagues, you take care of your customers’ information…”
  18. Give a meaning to your expectations (appeal to our inner tendency to do things right).
    Ex.: “Keeping our customers’ transactions confidential prevents insider trading…”
  19. In the military, it is known that no plan survives contact with the enemy. To work around this, always think of providing the CI (Commander’s Intent) that will allow people to make judgment calls.
    Ex.: “The main goal is to ensure our CRM application remains available between 7:00 and 20:00.”
  20. If you make a presentation, speak slowly and pause for a second after important information; you will be perceived as more charismatic.

OK, I’ll stop here. There is of course more to say, but you already have more than enough to make your communication at least 3 times more efficient. By combining all this advice, you may change the odds of behavioural change from 21% to 78%! Can you do better?