
12 November 2018

Revue Stratégique Cyberdéfense de France (I)

The CISA and CISM certifications were my first contact with security strategies, and since then I’ve read several cyber strategies such as the Cybersecurity Strategy of the EU, the National Security Strategy of Spain, the National Cybersecurity Strategy of Spain, the Department of Defense (DoD) Cyber Strategy of the United States and the National Cyber Strategy of the United States. Today, I want to write about the latest cybersecurity strategy I’m reading, the review of the Cyberdefense Strategy of France. In fact, I’m only going to write about the first part of the strategy, “Les dangers du monde cyber”, because the strategy is too extensive for just one post.

The Cybersecurity Strategy of France starts by discussing how threats are moving quickly towards cyber espionage, cybercrime, destabilization, and cyber sabotage. For instance, the strategy highlights Operation Aurora and the Mandiant reports, where United States organizations were attacked from China. It also highlights the dark web for cybercrime, and social networks for terrorism and political destabilization. The strategy also references other cyber operations such as Stuxnet, NotPetya, DDoS attacks, etc.

Computer sabotage action
The main actions and the operating modes of cyber attacks are also discussed in the cyber strategy. In fact, we can read about, and see an example of, the four phases of a cyber attack: Reconnaissance, Intrusion, Malware Insertion, and Exploitation. In addition, we can read about the attacker infrastructure needed for a cyber attack, such as C&C servers and exploitation toolkits. The threat landscape is also covered in the strategy, where we can read an overview of many cyber attacks (Shamoon, Carbanak, WannaCry, etc.).

Data exfiltration by sending a booby-trapped e-mail
This Cybersecurity Strategy also takes vulnerabilities into account. It says that national security is insufficient because there are increasingly more digital services, which could have vulnerabilities, and therefore there is more risk for the State. For instance, a vulnerability in an important system, like the SWIFT system for worldwide payments, can damage the reputation of the system.

Resilience for mitigating the risks of cyber attacks is also covered in this strategy. How can we achieve resilience? By integrating cybersecurity into organizations, considering security throughout the information system lifecycle, knowing technologies and threats, and considering active defenses.

Security lifecycle of an information system
There are many other sections in this first part of the Cybersecurity Strategy of France, such as international regulation, which is not too good, or cybersecurity models for protection. I think the review of the dangers of the cyber world in this strategy is very complete, with lots of examples, concepts and references. I like it!!

We’ll carry on like this next week!!

5 November 2018

The Art of Intrusion by Kevin Mitnick

I really love reading. It’s the best time of the day. I’m relaxed. I’m quiet. Nobody disturbs me. I’m just reading. I think reading has lots of advantages, such as increasing attention span; it also helps us to improve our writing skills as well as our speaking skills. I think it’s a good way to activate the mind and, at the same time, we are learning, enjoying ourselves and relaxing. This is why I try to read more and more, although it’s increasingly difficult for me to find time for reading. I would like to read more than I do. The last book I’ve been reading these weeks is “The Art of Intrusion” by Kevin D. Mitnick.

Kevin Mitnick is a computer security consultant, author and hacker who was arrested in 1995 and imprisoned for five years after being charged with wire fraud, possession of unauthorized access devices, interception of wire or electronic communications, unauthorized access to a federal computer, and causing damage to a computer. What’s more, according to Mitnick, law enforcement officials convinced a judge that he had the ability to “start a nuclear war by whistling into a pay phone”. Amazing!! Today, he runs a security firm and is a keynote speaker at many security conferences.

The Art of Intrusion has more than ten stories about hackers. All of them are anonymous because the statute of limitations on some of the crimes had not yet expired when the book was written. The most interesting story for me has been the one about social engineering, because you don’t need technical skills but social skills to get confidential information from companies. However, you have to be able to deceive people, which is not easy. This chapter speaks about the psychological behaviour of human beings. Maybe the previous book, “The Art of Deception” by Mitnick, teaches more tricks for social engineering.

Another story that I like is about an intrusion into casinos for one million dollars. In fact, it’s the first chapter of the book. Four guys who worked as consultants in high-technology firms went to Las Vegas to visit a trade fair, where they also played the slot machines. However, they wanted to win more and more money, so they started thinking about hacking the slot machines, until they managed it. They were able to understand how the slot machines worked, I mean the algorithm, and they developed a system to know when the slot machines were going to pay out. In the end, their greed got them caught by the guards.

There is another story that I would like to highlight. It is about crackers. I’ve always thought that cracked software was full of malware, where malicious developers inserted code to break into the computers of people who don’t want to pay for genuine software. However, the book says that some crackers research how to crack software and develop the crack just for pride, recognition or revenge.

Actually, I think the book is interesting for newbies because there are lots of stories with some technical details, though maybe a little bit outdated. For instance, I enjoyed “Countdown to Zero Day” by Kim Zetter much more than this one. However, I’ll try reading “The Art of Deception”. I think it could be interesting for reinforcing my knowledge about social engineering.

Regards my friends. Keep reading. Keep learning!!