Thursday, January 8, 2015

Security and IT risk: the eternal game of chess

The ouroboros is a symbol that has been used to represent different eternal cycles for more than 300 years. It sometimes stands for daily struggle, for futile effort or for the unity of all things, among many other meanings. Its graphical representation is usually an animal eating its own tail, drawing a circle with its body.

In the infosec and IT risk fields it is usual to feel that we live in a continuous cycle, in a digital ouroboros. Security measures are increased and new risks emerge in consequence, which leads to more protections, which in turn lead cyber criminals to develop new risks...

Let’s imagine it is lunchtime and you head to the nearest coffee shop. You might go along with some colleagues, and surely all of you carry your corporate ID cards around your necks or in your pockets, which makes you an easy target. It is possible that someone interested in accessing your company’s facilities is able to clone the card (most of them use RFID codes to open the doors) or to use social engineering techniques to usurp your identity while you are off campus.

It is not even necessary that the attack targets a specific person. Any reason (economic, hacktivist, political...) could trigger such an action. Several German government websites have been hacked to protest against political links between Berlin and the new Ukrainian government. Behind the attack there is a group named CyberBerkut, which is connected to the government of former Ukrainian President Viktor Yanukovych.

It is a never ending story. How many times have you heard that you should not send delicate content through the Internet, even if you use supposedly secure applications such as Snapchat? The case of Jeffrey Sirois is a good example of the consequences of such imprudence. A coach ruined his life in just 10 seconds of video.

The TOR network is usually another factor in the world of privacy. It is maybe one of the most mythicized ouroboroses of the Internet. Is it really as restricted as it seems? How does it work technically? These two questions are answered by the Spanish INCIBE (formerly INTECO) in a tutorial published a few hours ago. This network promises anonymity... as long as the entry and exit nodes are not corrupted. But according to a recent study, corrupting only one of them could be all that is necessary to compromise communications.

In the light of this scenario, people at TripWire wonder if retaliating against cybercriminals is a good decision. And they conclude that it is not... but also that it is. It is not, because it is very difficult to identify the real source of the attack, and even once that is completely clear, those retaliating would be engaging in criminal behavior. However, it is a good decision when the action is carried out with the support of law enforcement, as Microsoft did along with Europol and the FBI last year.

So the issue is still open to debate. But if you feel the call to get into the infosec field, you should take into consideration the advice of Manuel Benet from Security ArtWork: train yourself and stay in constant beta, because there are always things to learn. Create a blog about a specific subject and participate in online communities. English is necessary. Good spelling, communication skills, the use of office tools and lateral thinking are also needed, along with patience, because necessary changes sometimes take a long time to be implemented.
