blog.mirabellette.eu

A blog about digital independence and autonomy

Important principles in cybersecurity - 2

Written by Mirabellette / no comments

Introduction

Today I would like to share the second part of my article about important principles in cybersecurity. You can find the first part here.

No usability means no security

Probably one of the most important principles in cybersecurity. When you are a security professional, you are concerned about the risk of leaks and password disclosure, and you are ready to make some effort to prevent them. However, even when you are aware of the risk, staying careful is tiring and demanding.

Let's take an example most of us know. Imagine you have hundreds of websites you need to log in to. Nowadays, websites ask for long, complex passwords. People who are not concerned about security will choose a password and write it down next to their keyboard or, worse, pick something easy to remember. That means that even if you force users to use only very difficult passwords, if complying is not easy for them, they will find a way to make it easy.

Speed is crucial

Each day, multiple vulnerabilities are published and accessible to anybody. In an interview given by the NSA, they claimed to be able to turn a vulnerability into a usable exploit in 24 hours. That means that if you are targeted by them, you should be able to patch your services and systems before the exploit is ready. If one agency can do that in 24 hours, we could presume that another agency can fix and deploy with the same efficiency in 24 hours.

Back in the real world, we are just system administrators and developers maintaining systems and applications. Patches tend to be created before exploits spread. It was the case for Petya and NotPetya. That means that if you are fast enough, you can update your systems before they are attacked. But what can you do if you cannot?


Multiple layers of security are the answer to threats

You must accept that each of your security layers could be vulnerable and compromised. It is your responsibility as a system administrator, software developer or cybersecurity expert to reduce the vulnerability of the layers you are responsible for to the minimum. An example of an effective layer is the user management system in every operating system: there is a normal user with reduced rights and a superuser, or root, who has more rights. It is basic security advice, but not everybody really follows it, even in the cybersecurity field, where the famous penetration testing distribution Kali Linux has only a user with all rights by default.
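One way to check whether that layer actually exists on a given machine is to look at who holds UID 0 and whether there is any unprivileged account to work from. The following script is an added example, not code from the original post: it parses the text of /etc/passwd, and the sample files in it are constructed for illustration.

```python
"""Find which accounts on a Unix system carry full rights (UID 0).

Added example, not code from the original post. It parses the text of
/etc/passwd; the sample files below are constructed for illustration.
"""
from typing import List, Tuple

# Shells that do not allow an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (username, uid, shell) for each well-formed line, skipping the rest."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: ignore it rather than guess
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        accounts.append((fields[0], uid, fields[6]))
    return accounts


def superusers(text: str) -> List[str]:
    """Every account with UID 0, i.e. full rights; normally only root."""
    return [name for name, uid, _ in parse_passwd(text) if uid == 0]


def extra_superusers(text: str) -> List[str]:
    """UID 0 accounts other than root: each one is a second key to the whole system."""
    return [name for name in superusers(text) if name != "root"]


def unprivileged_logins(text: str) -> List[str]:
    """Accounts that can log in interactively and do NOT have UID 0."""
    return [name for name, uid, shell in parse_passwd(text)
            if uid != 0 and shell not in NOLOGIN_SHELLS]


def lacks_unprivileged_user(text: str) -> bool:
    """True when daily work can only be done as a superuser (the default the post describes)."""
    return not unprivileged_logins(text)


# Constructed samples (not real systems).
WORKSTATION = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

ROOT_ONLY = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

DOUBLE_ROOT = WORKSTATION + "backup:x:0:0:backup job:/var/backups:/bin/sh\n"

if __name__ == "__main__":
    for label, sample in (("workstation", WORKSTATION),
                          ("root-only", ROOT_ONLY),
                          ("double-root", DOUBLE_ROOT)):
        print(label, "superusers:", superusers(sample),
              "extra:", extra_superusers(sample),
              "no unprivileged user:", lacks_unprivileged_user(sample))
```

On a real host you would feed it `open("/etc/passwd").read()`; a result of `lacks_unprivileged_user(...) == True` means the separation between normal user and root that the paragraph describes is simply not in use.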

Always be sure about the information before doing something

There is a lot of mythology and approximation in every field, and cybersecurity is no exception. In an important position in a company, your words matter and can have important consequences. That means you must be sure about what you say. Often, people speak without knowing enough. For cybersecurity, that means you should answer these three questions:

  • Is the vulnerability real?
  • Could some of our systems or applications be threatened by it?
  • Should I or how can I mitigate it?

Most of the time, people will ask you about the vulnerability or threat before you have a clear idea of the situation. It is important not to make presumptions. The more accurate you are about what you know, the better you will be able to react to the situation.

Let's try this with the shiny vulnerability Efail.


We have a wonderful website and one public communication from the EFF about what we should do BEFORE any information was publicly disclosed. The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in San Francisco, California. The EFF recommended immediately disabling and/or uninstalling tools that automatically decrypt PGP-encrypted email. They are listened to by a lot of people and have quite a good reputation. However, if we do what they recommend, that means changing something based only on the trust we have in them. At this moment, your shiny warning light should be ringing loudly and asking you to wait a little in order to know more about it.

The day after, the vulnerability explanation was published. Reading it carefully, it appears that it does not concern OpenPGP itself but only some products which manage emails. Please find below the specific conditions which are necessary for an opponent to exploit it.

  • Your email manager must be vulnerable.
  • Your email manager must decrypt encrypted email automatically.
  • You must have the private key for the encrypted email loaded in your email manager.
  • You must have HTML rendering enabled.
  • You must open the email.
  • An attacker must hold encrypted content of yours that he wants to decrypt.

For me, if we listen to the noise made before the explanation was released, it was a very highly critical vulnerability. But after reading the explanation, it was sensitive but not as critical as the noise could let you imagine, mainly because a lot of things are required to exploit the vulnerability. NIST quite agrees with me: it gave the two vulnerabilities behind Efail a complexity rating of high and an overall score of 5.9 (medium).

This was an example of waiting and making sure you have enough information before doing something.
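The list of conditions above is exactly what lets you answer the second and third questions ("could some of our systems be threatened?" and "how can I mitigate it?") without presumption: a client is only at risk when every condition holds at once, and breaking any single one is a mitigation. The script below is an added example, not code from the original post. The `MailClientConfig` fields and the sample fleet are assumptions made for illustration; the preconditions it encodes are the ones listed above, and the two that are outside the administrator's control (the user opens the message, the attacker already holds ciphertext) are assumed to hold, which is the worst case for the defender.

```python
"""Exposure check against the Efail preconditions listed above.

Added example, not part of the original post. The MailClientConfig fields and
the sample fleet are assumptions made for illustration; the preconditions are
the ones the post lists.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class MailClientConfig:
    """Hypothetical description of one mail client installation."""
    name: str
    client_vulnerable: bool   # the vendor advisory lists this client/version as affected
    auto_decrypt: bool        # decrypts PGP mail without asking the user
    private_key_loaded: bool  # a private key is available to the client
    html_rendering: bool      # HTML bodies are rendered


# The four preconditions under the administrator's control, each with the
# change that breaks it. The two remaining ones from the list (the user opens
# the message, the attacker already holds ciphertext) are assumed to hold:
# the worst case for the defender.
Precondition = Tuple[str, Callable[[MailClientConfig], bool], str]
PRECONDITIONS: List[Precondition] = [
    ("client is vulnerable",   lambda c: c.client_vulnerable,  "update the mail client"),
    ("automatic decryption",   lambda c: c.auto_decrypt,       "disable automatic decryption"),
    ("private key loaded",     lambda c: c.private_key_loaded, "remove the private key from the client"),
    ("HTML rendering enabled", lambda c: c.html_rendering,     "disable HTML rendering"),
]


def unmet_preconditions(cfg: MailClientConfig) -> List[str]:
    """Preconditions that do not hold; a single one is enough to break the chain."""
    return [name for name, holds, _ in PRECONDITIONS if not holds(cfg)]


def is_exposed(cfg: MailClientConfig) -> bool:
    """Exposed only when every precondition holds at once."""
    return not unmet_preconditions(cfg)


def mitigations(cfg: MailClientConfig) -> List[str]:
    """Changes that each break the chain on their own; empty if not exposed."""
    if not is_exposed(cfg):
        return []
    return [fix for _, _, fix in PRECONDITIONS]


def triage(fleet) -> Dict[str, dict]:
    """Answer questions two and three of the post for a set of clients."""
    return {
        c.name: {
            "exposed": is_exposed(c),
            "blocked_by": unmet_preconditions(c),
            "mitigations": mitigations(c),
        }
        for c in fleet
    }


# Constructed sample fleet (not real hosts).
SAMPLE_FLEET = [
    MailClientConfig("desktop-01", True, True, True, True),   # everything lined up
    MailClientConfig("desktop-02", True, True, True, False),  # plain-text display only
    MailClientConfig("laptop-07", False, True, True, True),   # client already patched
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_FLEET).items():
        print(host, result)
```

The point of structuring the check this way is that the answer to "should I mitigate?" falls out of the data rather than out of the noise: a host that only shows plain text is not exposed at all, and for an exposed one the cheapest change (disabling HTML rendering or automatic decryption) is enough while the patch is on its way.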

Conclusion

I hope you enjoyed this second article about cybersecurity. The tone I used was a little more engaged than usual.
Feel free to comment if you want to add ideas or discuss it. If you find this article useful, you can subscribe to the blog's RSS feed or follow me on Mastodon. Don't hesitate to share it if you think it could interest someone.
