26 November 2018

Revue Stratégique Cyberdéfense de France (III)



This is the last post I’m writing about the “Revue Stratégique Cyberdéfense de France”. I wrote about “Les dangers du monde cyber” in the first part, and about “L’État, responsable de la cyberdéfense de la nation” in the second part. Today, I’m going to write about “L’État, garant de la cybersécurité de la société”, where I’m going to explain risks in the European Union, but I’m also going to speak about the Cloud, Artificial Intelligence, cyberweapons, the economy and recruitment. There are many interesting things in the third part and I would like to highlight some of them.

The first interesting thing I would like to highlight is the risk to the EU with regard to technology, because most IT companies are managed from the U.S. Although this could seem a little bit silly, it’s important because countries, businesses and citizens shouldn’t depend on foreign IT companies. At least, countries shouldn’t depend on foreign IT companies. Why? Because if we start a trade war, like the one China and the U.S. currently have, it will be devastating for the EU countries. What would happen if we stopped receiving U.S. services? What would happen if we started a war with the U.S.? We couldn’t! We would always lose!

Cloud and Artificial Intelligence (AI) are also subjects of the Cyberdefense Strategy of France. These two emerging technologies are taken into account in the Strategy because one of them, AI, should be useful for improving cybersecurity while the second one, the Cloud, should be regulated for better protection of critical activities. For instance, we can read in the Strategy how Elon Musk highlighted the importance of cybersecurity for autonomous electric cars in a conference, or how the OVH company is a French Cloud Provider which hosts Microsoft services. These kinds of references are interesting!

The fields of artificial intelligence

It’s “easy” to detect who sells weapons such as tanks, warships or guns to countries which are on the blacklist of the United Nations, but it’s very difficult to know who sells cyberweapons to these countries. This kind of trade should be regulated. In fact, we can read in the Strategy about the Italian Hacking Team company or the German-English Gamma company, which were hacked, and their zero-days and customer lists were published. Some customers of Hacking Team and Gamma are on the blacklist of the United Nations!!

I like this Strategy. They have realised they must support French companies, and EU companies as well, to get better protection. The French government has realised that most companies which work in the technology field are small, with fewer than 20 people and less than 1 M€ in billing. In addition, they know that lots of IT engineers emigrate abroad to look for better job opportunities. Therefore, they want more companies like Gemalto, Thales or Oberthur.

Breakdown by size of digital trust companies in France in 2016 (% of companies)

This is a great Cybersecurity Strategy. I would like to read a Strategy like this written by the government of Spain. I think we have the same risks as the French government, but it’s necessary to take action.

Thank you, my friends!

19 November 2018

Revue Stratégique Cyberdéfense de France (II)



I wrote about the first part of the Cyberdefense Strategy of France last week. Today, I’m going to write about the second part of the strategy. The second part speaks about the cyberdefense responsibility of France. It tells how the government of France is organised to fight against cybercrime and how they want to improve the protection of critical activities such as military activities, health activities or energy activities. In addition, this second part speaks about the international cooperation of France in cybersecurity. We’ll see more details in the next paragraphs.

France has been fighting against cyberthreats since 2011, when the government created the first cyberdefence strategy. However, they knew about cyberthreats years before, because they had already been attacked. Therefore, the government created the first white book about defence and security in 2008. This white book, or livre blanc, was actually the first purpose of fighting against cyberthreats because it was the beginning of the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), which is responsible for proposing rules for the protection of state information systems and reports to the SGDSN to assist the Prime Minister in exercising his responsibilities for defence and national security. Since then, a new white book was written in 2013 with a military program for 2014 – 2019 to reinforce cybersecurity with more money and people.

It’s interesting how the government of France has many departments to fight against cyberthreats. Firstly, they have completely separated cyberdefence from active cybersecurity. Secondly, they want to create a Centre de Coordination des Crises Cyber (C4) with three levels: strategic (C4 STRAT), technical (C4 TECH) and operational (C4 TECHOPS). In addition, I would like to highlight the COMCYBER, which is responsible for cyber-protection and cyberdefence in the Ministry of the Armed Forces. Maybe there are some more departments for cybersecurity, I don’t know, but I think these departments are required for the protection of the country.

The review of the Cyberdefence Strategy of France also speaks about improving the protection of critical activities such as the protection of the information systems of the State, the protection of important agencies, the protection of fundamental activities, the protection of local authorities and the protection of democracy. What’s more, this Strategy mentions the Security Directives for the European Union, where there is something like a threshold with minimum security measures to apply in all countries of the EU. The aim of the NIS Directive is to improve the weakest link in the information security chain.

This Cyberdefence Strategy is too long but I like it. Maybe it is one of the best Cyber Strategies I’ve read because it is accurate, concise and detailed. I can’t write about all the things that are included in this Strategy because it would take too many posts, thus I recommend reading the whole Strategy.

We’ll continue with the last article next week!! Let’s go!!

12 November 2018

Revue Stratégique Cyberdéfense de France (I)



The CISA and CISM certifications were my first contact with security strategies and since then I’ve read several cyber strategies such as the Cybersecurity Strategy of the EU, the National Security Strategy of Spain, the National Cybersecurity Strategy of Spain, the Department of Defense (DoD) Cyber Strategy of the United States and the National Cyber Strategy of the United States. Today, I want to write about the latest Cybersecurity Strategy I’m reading, the review of the Cyberdefense Strategy of France. In fact, I’m only going to write about the first part of the strategy, “Les dangers du monde cyber”, due to the fact that this strategy is too extensive for just one post.

The Cybersecurity Strategy of France starts by speaking about how threats are moving quickly to cyber spying, cybercrime, destabilization, and cyber sabotage. For instance, the strategy highlights Operation Aurora and the Mandiant reports, where United States organizations were attacked from China. It also highlights the darkweb for cybercrime, and social networks for terrorism and political destabilization. The strategy also makes reference to other cyber operations such as Stuxnet, NotPetya, DDoS attacks, etc.

Computer sabotage action
 
The main actions and the operation modes of cyber attacks are also discussed in the cyber strategy. In fact, we can read about, and see an example of, the four phases of a cyber attack: Reconnaissance, Intrusion, Malware Insertion, and Exploitation. In addition, we can read about the attacker infrastructure needed for a cyber attack, such as C&C servers and exploitation toolkits. The threat structure is also commented on in the strategy, where we can read an overview of lots of cyber attacks (Shamoon, Carbanak, WannaCry, etc.).

Data exfiltration by sending a booby-trapped email
 
This Cybersecurity Strategy also takes vulnerabilities into account. It’s said that the National Security is insufficient because there are more and more digital services, which could have vulnerabilities, and therefore there is more risk for the State. For instance, a vulnerability in an important system, like the Swift System for worldwide payments, can break the reputation of the system.

Resilience for mitigating the risks of cyber attacks is also in this strategy. How can we get resiliency? Integrating cybersecurity into organizations, considering security throughout the information system lifecycle, knowing technologies and threats, and considering active defenses.

Security lifecycle of an information system
 
There are many other sections in this first part of the Cybersecurity Strategy of France such as international regulation, which is not too good, or cybersecurity models for protection. I think the review of the dangers of the cyber world in this strategy is very complete, with lots of examples, concepts and references. I like it!!

We’ll continue like this next week!!

5 November 2018

The Art of Intrusion by Kevin Mitnick



I really love reading. It’s the best time of the day. I’m relaxed. I’m quiet. Nobody disturbs me. I’m just reading. I think reading has lots of advantages, such as increasing attention capacity; it also helps us to improve our writing skills as well as our speaking skills. I think it’s a good way to activate the mind and, at the same time, we are learning, enjoying and relaxed. This is why I try to read more and more, although it’s increasingly difficult for me to have time for reading. I would like to read more than I do. The last book I’ve been reading these weeks is “The Art of Intrusion” by Kevin D. Mitnick.

Kevin Mitnick is a computer security consultant, author and hacker who was arrested for five years in 1995 because he was charged with wire fraud, possession of unauthorized access devices, interception of wire or electronic communications, unauthorized access to a federal computer, and causing damage to a computer. What’s more, according to Mitnick, law enforcement officials convinced a judge that he had the ability to “start a nuclear war by whistling into a pay phone”. Amazing!! Today, he runs a security firm and he is a keynote speaker at many security conferences.

The Art of Intrusion book has more than ten stories about hackers. All of them are anonymous because the statute of limitations on some crimes still hadn’t expired when the book was written. The most interesting story for me has been the one about social engineering, because we don’t need technical skills but social skills to get confidential information from companies. However, we have to be able to deceive people, which is not easy. This chapter speaks about the psychological behaviour of human beings. Maybe the previous book, “The Art of Deception” by Mitnick, teaches more tricks for social engineering.

Another story that I like is about intrusion into casinos for one million dollars. In fact, it’s the first chapter of the book. Four guys who worked in high-technology firms as consultants went to Las Vegas to visit a trade fair, where they also played slot machines. However, they wanted to win more and more money, so they started thinking about hacking the slot machines, until they managed it. They were able to understand how the slot machines worked, I mean, the algorithm, and they developed a system to know when the slot machines were going to give money. In the end, their avarice got them caught by guards.

There is another story that I would like to highlight. It is about crackers. I’ve always thought that cracked software was full of malware, where malicious developers inserted code to break into the computers of people who don’t want to pay money for genuine software. However, the book says that some crackers research how to crack software and develop the crack just for pride, attribution or revenge.

Actually, I think the book is interesting for newbies because there are lots of stories with some technical details. Maybe a little bit outdated. For instance, I enjoyed “Countdown to Zero Day” by Kim Zetter much more than this one. However, I’ll try reading “The Art of Deception”. I think it could be interesting for reinforcing my knowledge about social engineering.

Regards my friends. Keep reading. Keep learning!!